Analysis
max time kernel: 135s
max time network: 146s
platform: windows10-2004_x64
resource: win10v2004-20240226-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
submitted: 09/03/2024, 04:13
Static task: static1
Behavioral task: behavioral1
  Sample: 6be2b4ae091e170fe4a53519a01feb229c2062f0da39923f628cf764c10e4b5c.exe
  Resource: win7-20240221-en
Behavioral task: behavioral2
  Sample: 6be2b4ae091e170fe4a53519a01feb229c2062f0da39923f628cf764c10e4b5c.exe
  Resource: win10v2004-20240226-en
General
Target: 6be2b4ae091e170fe4a53519a01feb229c2062f0da39923f628cf764c10e4b5c.exe
Size: 440KB
MD5: 1fd22d479393ef533918ecebb145d1e0
SHA1: 6ebd97682c08a6e8d25e489762c956e2374b6663
SHA256: 6be2b4ae091e170fe4a53519a01feb229c2062f0da39923f628cf764c10e4b5c
SHA512: 715c69dccb6ed42278284bfc53dd8f7d07caca1b09e68eb4e59319afc0a5ac6c536bdeb95c2a03a3cab3ef6ee28eb309a7b9822e22760bb12c096d3c1ee74cfa
SSDEEP: 12288:GElIOIAeHc4MrTfLES5q8oX0Y4MjD6Opp:GE33e6DEkq8oEdMjD6O
Malware Config
Extracted
C:\Users\Admin\Contacts\HOW TO BACK FILES.txt
targetcompany
http://wtyafjyhwqrgo4a45wdvvwhen3cx4euie73qvlhkhvlrexljoyuklaad.onion/mallox/privateSignin
http://wtyafjyhwqrgo4a45wdvvwhen3cx4euie73qvlhkhvlrexljoyuklaad.onion
Signatures

TargetCompany, Mallox
TargetCompany (aka Mallox) is a ransomware family that encrypts files using a combination of ChaCha20, AES-128, and Curve25519; it was first seen in June 2021.

Modifies boot configuration data using bcdedit 1 TTPs 2 IoCs
pid Process
1504 bcdedit.exe
5088 bcdedit.exe

Renames multiple (6492) files with added filename extension
This suggests ransomware activity: encrypting all the files on the system.

Blocklisted process makes network request 5 IoCs
flow pid Process
40 5876 Process not Found
45 5876 Process not Found
50 5876 Process not Found
53 5876 Process not Found
55 5876 Process not Found

Checks computer location settings 2 TTPs 2 IoCs
Looks up the country code configured in the registry, likely for geofencing.
description ioc Process
Key value queried \REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\Control Panel\International\Geo\Nation 6be2b4ae091e170fe4a53519a01feb229c2062f0da39923f628cf764c10e4b5c.exe
Key value queried \REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\Control Panel\International\Geo\Nation 6be2b4ae091e170fe4a53519a01feb229c2062f0da39923f628cf764c10e4b5c.exe

Modifies file permissions 1 TTPs 18 IoCs
pid Process
1636 takeown.exe
4984 takeown.exe
412 takeown.exe
5708 takeown.exe
6264 takeown.exe
2144 takeown.exe
3092 takeown.exe
2688 takeown.exe
3464 takeown.exe
6972 takeown.exe
6292 takeown.exe
3920 takeown.exe
4648 takeown.exe
2796 takeown.exe
3496 takeown.exe
3216 takeown.exe
2376 takeown.exe
5032 takeown.exe

Adds Run key to start application 2 TTPs 1 IoCs
description ioc Process
Set value (str) \REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Ynprinm = "C:\\Users\\Admin\\AppData\\Roaming\\Ynprinm.exe" 6be2b4ae091e170fe4a53519a01feb229c2062f0da39923f628cf764c10e4b5c.exe

Enumerates connected drives 3 TTPs 24 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description ioc Process (Process is 6be2b4ae091e170fe4a53519a01feb229c2062f0da39923f628cf764c10e4b5c.exe for every entry)
File opened (read-only) \??\B:
File opened (read-only) \??\H:
File opened (read-only) \??\N:
File opened (read-only) \??\Q:
File opened (read-only) \??\S:
File opened (read-only) \??\W:
File opened (read-only) \??\D:
File opened (read-only) \??\P:
File opened (read-only) \??\X:
File opened (read-only) \??\E:
File opened (read-only) \??\A:
File opened (read-only) \??\J:
File opened (read-only) \??\K:
File opened (read-only) \??\R:
File opened (read-only) \??\T:
File opened (read-only) \??\V:
File opened (read-only) \??\G:
File opened (read-only) \??\I:
File opened (read-only) \??\L:
File opened (read-only) \??\M:
File opened (read-only) \??\O:
File opened (read-only) \??\U:
File opened (read-only) \??\Y:
File opened (read-only) \??\Z:

Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
flow ioc
23 api.ipify.org

Suspicious use of SetThreadContext 1 IoCs
description pid Process procid_target
PID 3952 set thread context of 824 | 3952 | 6be2b4ae091e170fe4a53519a01feb229c2062f0da39923f628cf764c10e4b5c.exe | 92

Drops file in Program Files directory 64 IoCs
description ioc Process (Process is 6be2b4ae091e170fe4a53519a01feb229c2062f0da39923f628cf764c10e4b5c.exe for every entry)
File opened for modification C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.30251.0_x64__8wekyb3d8bbwe\Assets\AppPackageSmallTile.scale-200.png
File opened for modification C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.30251.0_x64__8wekyb3d8bbwe\Assets\AppPackageWideTile.scale-100.png
File opened for modification C:\Program Files\WindowsApps\Microsoft.MSPaint_6.1907.29027.0_x64__8wekyb3d8bbwe\Assets\Images\Stickers\Sticker_Sunglasses.png
File created C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\QUAD\HOW TO BACK FILES.txt
File created C:\Program Files\WindowsApps\Microsoft.SkypeApp_14.53.77.0_x64__kzf8qxf38zg5c\ReactAssets\assets\RNApp\app\uwp\images\smsconnect\HOW TO BACK FILES.txt
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\js\HOW TO BACK FILES.txt
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\ProjectStd2019R_OEM_Perp-ul-oob.xrm-ms
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\ProPlusDemoR_BypassTrial180-ppd.xrm-ms
File opened for modification C:\Program Files\WindowsApps\Microsoft.WebpImageExtension_1.0.22753.0_x64__8wekyb3d8bbwe\Assets\contrast-black\AppList.targetsize-80_altform-unplated_contrast-black.png
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\Localized_images\ru-ru\PlayStore_icon.svg
File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\HxA-Yahoo-Dark.scale-150.png
File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsFeedbackHub_1.1907.3152.0_x64__8wekyb3d8bbwe\Assets\InsiderHubAppList.targetsize-256.png
File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsStore_11910.1002.5.0_x64__8wekyb3d8bbwe\Assets\AppTiles\StoreAppList.targetsize-256_altform-lightunplated.png
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\HOW TO BACK FILES.txt
File opened for modification C:\Program Files\Microsoft Office\root\Office16\Bibliography\Sort\HOW TO BACK FILES.txt
File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\TRANSLAT\FREN\MSB1FREN.ITS
File opened for modification C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_x64__8wekyb3d8bbwe\Assets\AppTiles\WeatherImages\423x173\39.jpg
File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsCamera_2018.826.98.0_x64__8wekyb3d8bbwe\Assets\WindowsIcons\WindowsCameraAppList.targetsize-72_altform-unplated.png
File opened for modification C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_x64__8wekyb3d8bbwe\Assets\contrast-black\WideLogo.scale-200_contrast-black.png
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\IDTemplates\ENU\DefaultID.pdf
File created C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\DW\HOW TO BACK FILES.txt
File created C:\Program Files\Mozilla Firefox\browser\features\HOW TO BACK FILES.txt
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\VisioPro2019XC2RVL_KMS_ClientC2R-ul.xrm-ms
File opened for modification C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_x64__8wekyb3d8bbwe\Assets\AppTiles\WeatherImages\423x173\32.jpg
File opened for modification C:\Program Files\WindowsApps\Microsoft.Getstarted_8.2.22942.0_x64__8wekyb3d8bbwe\Assets\GetStartedAppList.targetsize-48_altform-lightunplated.png
File opened for modification C:\Program Files\Microsoft Office\root\Office16\SAMPLES\HOW TO BACK FILES.txt
File opened for modification C:\Program Files\WindowsApps\Microsoft.WebpImageExtension_1.0.22753.0_x64__8wekyb3d8bbwe\Assets\AppList.targetsize-36.png
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\images\avatar.jpg
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\home\js\nls\HOW TO BACK FILES.txt
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\images\themes\dark\HOW TO BACK FILES.txt
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\viewer\nls\HOW TO BACK FILES.txt
File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\1033\VBAOWS10.CHM
File opened for modification C:\Program Files\WindowsApps\Microsoft.VP9VideoExtensions_1.0.22681.0_x64__8wekyb3d8bbwe\Assets\contrast-white\AppList.targetsize-64_contrast-white.png
File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Assets\Scientific.targetsize-64_contrast-black.png
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\nb-no\ui-strings.js
File created C:\Program Files\WindowsApps\Microsoft.Xbox.TCUI_1.23.28002.0_neutral_~_8wekyb3d8bbwe\microsoft.system.package.metadata\HOW TO BACK FILES.txt
File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\TRANSLAT\ENFR\HOW TO BACK FILES.txt
File opened for modification C:\Program Files\VideoLAN\VLC\locale\fi\HOW TO BACK FILES.txt
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\desktop-connector-files\js\nls\zh-tw\HOW TO BACK FILES.txt
File opened for modification C:\Program Files\WindowsApps\Microsoft.GetHelp_10.1706.13331.0_x64__8wekyb3d8bbwe\Assets\SmallTile.scale-200_contrast-black.png
File opened for modification C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Assets\AppList.targetsize-64_altform-lightunplated.png
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\js\nls\eu-es\ui-strings.js
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\hr-hr\HOW TO BACK FILES.txt
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\uss-search\js\nls\cs-cz\HOW TO BACK FILES.txt
File opened for modification C:\Program Files\Java\jdk-1.8\legal\jdk\zlib.md
File opened for modification C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000049\index.win32.bundle
File opened for modification C:\Program Files\WindowsApps\Microsoft.MSPaint_6.1907.29027.0_x64__8wekyb3d8bbwe\Assets\Images\Stickers\Thumbnails\Sticker_Icon_Spiral.png
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Annots.api
File created C:\Program Files\WindowsApps\Microsoft.MSPaint_6.1907.29027.0_x64__8wekyb3d8bbwe\WinMetadata\HOW TO BACK FILES.txt
File opened for modification C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000049\index.win32.bundle.map
File opened for modification C:\Program Files\WindowsApps\Microsoft.HEIFImageExtension_1.0.22742.0_x64__8wekyb3d8bbwe\Assets\AppList.targetsize-20_altform-unplated.png
File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsAlarms_10.1906.2182.0_x64__8wekyb3d8bbwe\Assets\AlarmsAppList.contrast-white_targetsize-96.png
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\A12_Spinner_2x.gif
File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsCamera_2018.826.98.0_x64__8wekyb3d8bbwe\AppxMetadata\CodeIntegrity.cat
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\search-summary\js\nls\sv-se\HOW TO BACK FILES.txt
File opened for modification C:\Program Files\Java\jdk-1.8\jre\legal\javafx\directshow.md
File opened for modification C:\Program Files\Java\jre-1.8\legal\jdk\dom.md
File opened for modification C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\Cartridges\as90.xsl
File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Assets\Programmer.targetsize-24_contrast-black.png
File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsStore_11910.1002.5.0_x64__8wekyb3d8bbwe\Assets\AppTiles\contrast-white\StoreAppList.targetsize-256.png
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\pages-app\js\nls\fi-fi\ui-strings.js
File created C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Common.View.UWP\Strings\he-IL\View3d\HOW TO BACK FILES.txt
File opened for modification C:\Program Files\7-Zip\Lang\it.txt
File opened for modification C:\Program Files\WindowsApps\Microsoft.MicrosoftOfficeHub_18.1903.1152.0_neutral_split.scale-100_8wekyb3d8bbwe\images\Square310x310Logo.scale-100.png

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

Suspicious behavior: EnumeratesProcesses 4 IoCs
pid Process
824 6be2b4ae091e170fe4a53519a01feb229c2062f0da39923f628cf764c10e4b5c.exe
824 6be2b4ae091e170fe4a53519a01feb229c2062f0da39923f628cf764c10e4b5c.exe
824 6be2b4ae091e170fe4a53519a01feb229c2062f0da39923f628cf764c10e4b5c.exe
824 6be2b4ae091e170fe4a53519a01feb229c2062f0da39923f628cf764c10e4b5c.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs
description pid Process (identical consecutive rows are collapsed with a repeat count; 64 rows in total)
Token: SeDebugPrivilege 3952 6be2b4ae091e170fe4a53519a01feb229c2062f0da39923f628cf764c10e4b5c.exe
Token: SeTakeOwnershipPrivilege 3092 takeown.exe
Token: SeTakeOwnershipPrivilege 824 6be2b4ae091e170fe4a53519a01feb229c2062f0da39923f628cf764c10e4b5c.exe
Token: SeDebugPrivilege 824 6be2b4ae091e170fe4a53519a01feb229c2062f0da39923f628cf764c10e4b5c.exe
Token: SeTakeOwnershipPrivilege 824 6be2b4ae091e170fe4a53519a01feb229c2062f0da39923f628cf764c10e4b5c.exe (x4)
Token: SeTakeOwnershipPrivilege 2688 takeown.exe
Token: SeTakeOwnershipPrivilege 824 6be2b4ae091e170fe4a53519a01feb229c2062f0da39923f628cf764c10e4b5c.exe (x55)

Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target (identical consecutive rows are collapsed with a repeat count; 64 rows in total)
PID 3952 wrote to memory of 4748 | 3952 | 6be2b4ae091e170fe4a53519a01feb229c2062f0da39923f628cf764c10e4b5c.exe | 90 (x2)
PID 3952 wrote to memory of 824 | 3952 | 6be2b4ae091e170fe4a53519a01feb229c2062f0da39923f628cf764c10e4b5c.exe | 92 (x10)
PID 4748 wrote to memory of 1872 | 4748 | cmd.exe | 93 (x2)
PID 4748 wrote to memory of 3092 | 4748 | cmd.exe | 94 (x2)
PID 4748 wrote to memory of 3268 | 4748 | cmd.exe | 95 (x2)
PID 4748 wrote to memory of 4456 | 4748 | cmd.exe | 96 (x2)
PID 4748 wrote to memory of 1456 | 4748 | cmd.exe | 97 (x2)
PID 4748 wrote to memory of 2676 | 4748 | cmd.exe | 98 (x2)
PID 4748 wrote to memory of 4356 | 4748 | cmd.exe | 99 (x2)
PID 4748 wrote to memory of 3884 | 4748 | cmd.exe | 100 (x2)
PID 4748 wrote to memory of 3288 | 4748 | cmd.exe | 101 (x2)
PID 4748 wrote to memory of 3860 | 4748 | cmd.exe | 102 (x2)
PID 4748 wrote to memory of 4764 | 4748 | cmd.exe | 103 (x2)
PID 4748 wrote to memory of 2680 | 4748 | cmd.exe | 104 (x2)
PID 4748 wrote to memory of 1568 | 4748 | cmd.exe | 105 (x2)
PID 4748 wrote to memory of 3216 | 4748 | cmd.exe | 106 (x2)
PID 4748 wrote to memory of 2248 | 4748 | cmd.exe | 107 (x2)
PID 4748 wrote to memory of 3028 | 4748 | cmd.exe | 108 (x2)
PID 824 wrote to memory of 4952 | 824 | 6be2b4ae091e170fe4a53519a01feb229c2062f0da39923f628cf764c10e4b5c.exe | 109 (x2)
PID 4748 wrote to memory of 3140 | 4748 | cmd.exe | 112 (x2)
PID 4748 wrote to memory of 2408 | 4748 | cmd.exe | 113 (x2)
PID 824 wrote to memory of 2320 | 824 | 6be2b4ae091e170fe4a53519a01feb229c2062f0da39923f628cf764c10e4b5c.exe | 114 (x2)
PID 4952 wrote to memory of 1504 | 4952 | cmd.exe | 117 (x2)
PID 2320 wrote to memory of 5088 | 2320 | cmd.exe | 119 (x2)
PID 4748 wrote to memory of 2688 | 4748 | cmd.exe | 120 (x2)
PID 4748 wrote to memory of 1208 | 4748 | cmd.exe | 152 (x2)
PID 4748 wrote to memory of 3428 | 4748 | cmd.exe | 122 (x2)
PID 4748 wrote to memory of 1484 | 4748 | cmd.exe | 124 (x2)

System policy modification 1 TTPs 1 IoCs
description ioc Process
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\shutdownwithoutlogon = "0" 6be2b4ae091e170fe4a53519a01feb229c2062f0da39923f628cf764c10e4b5c.exe

Processes
Indentation shows parent/child depth. Every level-3 child of cmd.exe (PID 4748) is launched from C:\Windows\system32 (reg.exe, takeown.exe, cmd.exe, cacls.exe); the "cmd.exe /S /D /c" echo y"" entries feed the confirmation prompt of the cacls call that follows each one.

- C:\Users\Admin\AppData\Local\Temp\6be2b4ae091e170fe4a53519a01feb229c2062f0da39923f628cf764c10e4b5c.exe (PID 3952)
  Command line: "C:\Users\Admin\AppData\Local\Temp\6be2b4ae091e170fe4a53519a01feb229c2062f0da39923f628cf764c10e4b5c.exe"
  Signatures: Checks computer location settings; Adds Run key to start application; Suspicious use of SetThreadContext; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
  - C:\Windows\system32\cmd.exe (PID 4748)
    Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Kill-Delete.bat" "
    Signatures: Suspicious use of WriteProcessMemory
    - reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Command Processor" /v "AutoRun" /f (PID 1872)
    - takeown /f C:\Windows\system32\cmd.exe /a (PID 3092) [Modifies file permissions; Suspicious use of AdjustPrivilegeToken]
    - cmd.exe /S /D /c" echo y" (PID 3268)
    - cacls C:\Windows\system32\cmd.exe /g Administrators:f (PID 4456)
    - cmd.exe /S /D /c" echo y" (PID 1456)
    - cacls C:\Windows\system32\cmd.exe /e /g Users:r (PID 2676)
    - cmd.exe /S /D /c" echo y" (PID 4356)
    - cacls C:\Windows\system32\cmd.exe /e /g Administrators:r (PID 3884)
    - cmd.exe /S /D /c" echo y" (PID 3288)
    - cacls C:\Windows\system32\cmd.exe /e /d SERVICE (PID 3860)
    - cmd.exe /S /D /c" echo y" (PID 4764)
    - cacls C:\Windows\system32\cmd.exe /e /d mssqlserver (PID 2680)
    - cmd.exe /S /D /c" echo Y" (PID 1568)
    - cacls C:\Windows\system32\cmd.exe /e /d "network service" (PID 3216)
    - cmd.exe /S /D /c" echo y" (PID 2248)
    - cacls C:\Windows\system32\cmd.exe /e /g system:r (PID 3028)
    - cmd.exe /S /D /c" echo Y" (PID 3140)
    - cacls C:\Windows\system32\cmd.exe /e /d mssql$sqlexpress (PID 2408)
    - takeown /f C:\Windows\SysWOW64\cmd.exe /a (PID 2688) [Modifies file permissions; Suspicious use of AdjustPrivilegeToken]
    - cmd.exe /S /D /c" echo y" (PID 1208)
    - cacls C:\Windows\SysWOW64\cmd.exe /g Administrators:f (PID 3428)
    - cmd.exe /S /D /c" echo y" (PID 1484)
    - cacls C:\Windows\SysWOW64\cmd.exe /e /g Users:r (PID 572)
    - cmd.exe /S /D /c" echo y" (PID 436)
    - cacls C:\Windows\SysWOW64\cmd.exe /e /g Administrators:r (PID 3660)
    - cmd.exe /S /D /c" echo y" (PID 2580)
    - cacls C:\Windows\SysWOW64\cmd.exe /e /d SERVICE (PID 5020)
    - cmd.exe /S /D /c" echo y" (PID 1568)
    - cacls C:\Windows\SysWOW64\cmd.exe /e /d mssqlserver (PID 2840)
    - cmd.exe /S /D /c" echo Y" (PID 8)
    - cacls C:\Windows\SysWOW64\cmd.exe /e /d "network service" (PID 2800)
    - cmd.exe /S /D /c" echo y" (PID 1396)
    - cacls C:\Windows\SysWOW64\cmd.exe /e /g system:r (PID 1496)
    - cmd.exe /S /D /c" echo Y" (PID 2580)
    - cacls C:\Windows\SysWOW64\cmd.exe /e /d mssql$sqlexpress (PID 3732)
    - takeown /f C:\Windows\system32\net.exe /a (PID 3464) [Modifies file permissions]
    - cmd.exe /S /D /c" echo y" (PID 1420)
    - cacls C:\Windows\system32\net.exe /g Administrators:f (PID 5092)
    - cmd.exe /S /D /c" echo y" (PID 4404)
    - cacls C:\Windows\system32\net.exe /e /g Users:r (PID 5020)
    - cmd.exe /S /D /c" echo y" (PID 2880)
    - cacls C:\Windows\system32\net.exe /e /g Administrators:r (PID 4488)
    - cmd.exe /S /D /c" echo y" (PID 4084)
    - cacls C:\Windows\system32\net.exe /e /d SERVICE (PID 1568)
    - cmd.exe /S /D /c" echo y" (PID 3848)
    - cacls C:\Windows\system32\net.exe /e /d mssqlserver (PID 4960)
    - cmd.exe /S /D /c" echo Y" (PID 2040)
    - cacls C:\Windows\system32\net.exe /e /d "network service" (PID 4848)
    - cmd.exe /S /D /c" echo y" (PID 1208)
    - cacls C:\Windows\system32\net.exe /e /d system (PID 428)
    - cmd.exe /S /D /c" echo Y" (PID 3600)
    - cacls C:\Windows\system32\net.exe /e /d mssql$sqlexpress (PID 4044)
    - takeown /f C:\Windows\SysWOW64\net.exe /a (PID 1636) [Modifies file permissions]
    - cmd.exe /S /D /c" echo y" (PID 3336)
    - cacls C:\Windows\SysWOW64\net.exe /g Administrators:f (PID 4180)
    - cmd.exe /S /D /c" echo y" (PID 1740)
    - cacls C:\Windows\SysWOW64\net.exe /e /g Users:r (PID 2024)
    - cmd.exe /S /D /c" echo y" (PID 4264)
    - cacls C:\Windows\SysWOW64\net.exe /e /g Administrators:r (PID 1456)
    - cmd.exe /S /D /c" echo y" (PID 3616)
    - cacls C:\Windows\SysWOW64\net.exe /e /d SERVICE (PID 988)
    - cmd.exe /S /D /c" echo y" (PID 3660)
    - cacls C:\Windows\SysWOW64\net.exe /e /d mssqlserver (PID 5068)
    - cmd.exe /S /D /c" echo Y" (PID 2324)
    - cacls C:\Windows\SysWOW64\net.exe /e /d "network service" (PID 4592)
    - cmd.exe /S /D /c" echo y" (PID 2716)
    - cacls C:\Windows\SysWOW64\net.exe /e /d system (PID 952)
    - cmd.exe /S /D /c" echo Y" (PID 3108)
    - cacls C:\Windows\SysWOW64\net.exe /e /d mssql$sqlexpress (PID 1648)
    - takeown /f C:\Windows\system32\net1.exe /a (PID 3920) [Modifies file permissions]
    - cmd.exe /S /D /c" echo y" (PID 560)
    - cacls C:\Windows\system32\net1.exe /g Administrators:f (PID 2984)
    - cmd.exe /S /D /c" echo y" (PID 4952)
    - cacls C:\Windows\system32\net1.exe /e /g Users:r (PID 3324)
    - cmd.exe /S /D /c" echo y" (PID 4812)
    - cacls C:\Windows\system32\net1.exe /e /g Administrators:r (PID 5000)
    - cmd.exe /S /D /c" echo y" (PID 3776)
    - cacls C:\Windows\system32\net1.exe /e /d SERVICE (PID 4404)
    - cmd.exe /S /D /c" echo y" (PID 5020)
    - cacls C:\Windows\system32\net1.exe /e /d mssqlserver (PID 2376)
    - cmd.exe /S /D /c" echo Y" (PID 4704)
    - cacls C:\Windows\system32\net1.exe /e /d "network service" (PID 3828)
    - cmd.exe /S /D /c" echo y" (PID 2880)
    - cacls C:\Windows\system32\net1.exe /e /d system (PID 1168)
    - cmd.exe /S /D /c" echo Y" (PID 2168)
    - cacls C:\Windows\system32\net1.exe /e /d mssql$sqlexpress (PID 3964)
    - takeown /f C:\Windows\SysWOW64\net1.exe /a (PID 2796) [Modifies file permissions]
    - cmd.exe /S /D /c" echo y" (PID 3732)
    - cacls C:\Windows\SysWOW64\net1.exe /g Administrators:f (PID 1016)
    - cmd.exe /S /D /c" echo y" (PID 3656)
    - cacls C:\Windows\SysWOW64\net1.exe /e /g Users:r (PID 4272)
    - cmd.exe /S /D /c" echo y" (PID 4084)
    - cacls C:\Windows\SysWOW64\net1.exe /e /g Administrators:r (PID 1184)
    - cmd.exe /S /D /c" echo y" (PID 2156)
    - cacls C:\Windows\SysWOW64\net1.exe /e /d SERVICE (PID 4960)
    - cmd.exe /S /D /c" echo y" (PID 4828)
    - cacls C:\Windows\SysWOW64\net1.exe /e /d mssqlserver (PID 4848)
    - cmd.exe /S /D /c" echo Y" (PID 4852)
    - cacls C:\Windows\SysWOW64\net1.exe /e /d "network service" (PID 4268)
    - cmd.exe /S /D /c" echo y" (PID 3912)
    - cacls C:\Windows\SysWOW64\net1.exe /e /d system (PID 3036)
    - cmd.exe /S /D /c" echo Y" (PID 3336)
    - cacls C:\Windows\SysWOW64\net1.exe /e /d mssql$sqlexpress (PID 3840)
    - takeown /f C:\Windows\system32\mshta.exe /a (PID 3496) [Modifies file permissions]
    - cmd.exe /S /D /c" echo y" (PID 3316)
    - cacls C:\Windows\system32\mshta.exe /g Administrators:f (PID 2308)
    - cmd.exe /S /D /c" echo y" (PID 5092)
    - cacls C:\Windows\system32\mshta.exe /e /g Users:r (PID 2768)
    - cmd.exe /S /D /c" echo y" (PID 1200)
    - cacls C:\Windows\system32\mshta.exe /e /g Administrators:r (PID 2936)
    - cmd.exe /S /D /c" echo y" (PID 5100)
    - cacls C:\Windows\system32\mshta.exe /e /d SERVICE (PID 3616)
    - cmd.exe /S /D /c" echo y" (PID 3092)
    - cacls C:\Windows\system32\mshta.exe /e /d mssqlserver (PID 1216)
    - cmd.exe /S /D /c" echo Y" (PID 2320)
    - cacls C:\Windows\system32\mshta.exe /e /d "network service" (PID 3536)
    - cmd.exe /S /D /c" echo y" (PID 4264)
    - cacls C:\Windows\system32\mshta.exe /e /d system (PID 900)
    - cmd.exe /S /D /c" echo Y" (PID 3920)
    - cacls C:\Windows\system32\mshta.exe /e /d mssql$sqlexpress (PID 2404)
    - takeown /f C:\Windows\SysWOW64\mshta.exe /a (PID 4984) [Modifies file permissions]
    - cmd.exe /S /D /c" echo y" (PID 4628)
    - cacls C:\Windows\SysWOW64\mshta.exe /g Administrators:f (PID 2796)
    - cmd.exe /S /D /c" echo y" (PID 4804)
    - cacls C:\Windows\SysWOW64\mshta.exe /e /g Users:r (PID 1200)
    - cmd.exe /S /D /c" echo y" (PID 4604)
    - cacls C:\Windows\SysWOW64\mshta.exe /e /g Administrators:r (PID 952)
    - cmd.exe /S /D /c" echo y" (PID 4988)
    - cacls C:\Windows\SysWOW64\mshta.exe /e /d SERVICE (PID 892)
    - cmd.exe /S /D /c" echo y" (PID 2244)
    - cacls C:\Windows\SysWOW64\mshta.exe /e /d mssqlserver (PID 2336)
    - cmd.exe /S /D /c" echo Y" (PID 3656)
    - cacls C:\Windows\SysWOW64\mshta.exe /e /d "network service" (PID 1116)
    - cmd.exe /S /D /c" echo y" (PID 2836)
    - cacls C:\Windows\SysWOW64\mshta.exe /e /d system (PID 3376)
    - cmd.exe /S /D /c" echo Y" (PID 3088)
    - cacls C:\Windows\SysWOW64\mshta.exe /e /d mssql$sqlexpress (PID 4704)
    - takeown /f C:\Windows\system32\FTP.exe /a (PID 3216) [Modifies file permissions]
    - cmd.exe /S /D /c" echo y" (PID 2680)
    - cacls C:\Windows\system32\FTP.exe /g Administrators:f (PID 4396)
    - cmd.exe /S /D /c" echo y" (PID 2616)
    - cacls C:\Windows\system32\FTP.exe /e /g Users:r (PID 4808)
    - cmd.exe /S /D /c" echo y" (PID 2308)
    - cacls C:\Windows\system32\FTP.exe /e /g Administrators:r (PID 3948)
    - cmd.exe /S /D /c" echo y" (PID 412)
    - cacls C:\Windows\system32\FTP.exe /e /d SERVICE (PID 2504)
    - cmd.exe /S /D /c" echo y" (PID 2796)
    - cacls C:\Windows\system32\FTP.exe /e /d mssqlserver (PID 4084)
    - cmd.exe /S /D /c" echo Y" (PID 1648)
    - cacls C:\Windows\system32\FTP.exe /e /d "network service" (PID 1660)
    - cmd.exe /S /D /c" echo y" (PID 412)
    - cacls C:\Windows\system32\FTP.exe /e /d system (PID 4272)
    - cmd.exe /S /D /c" echo Y" (PID 4804)
    - cacls C:\Windows\system32\FTP.exe /e /d mssql$sqlexpress (PID 1128)
    - takeown /f C:\Windows\SysWOW64\FTP.exe /a (PID 2376) [Modifies file permissions]
    - cmd.exe /S /D /c" echo y" (PID 3268)
    - cacls C:\Windows\SysWOW64\FTP.exe /g Administrators:f (PID 4964)
    - cmd.exe /S /D /c" echo y" (PID 1408)
    - cacls C:\Windows\SysWOW64\FTP.exe /e /g Users:r (PID 412)
    - cmd.exe /S /D /c" echo y" (PID 1788)
    - cacls C:\Windows\SysWOW64\FTP.exe /e /g Administrators:r (PID 2712)
    - cmd.exe /S /D /c" echo y" (PID 2368)
    - cacls C:\Windows\SysWOW64\FTP.exe /e /d SERVICE (PID 3420)
    - cmd.exe /S /D /c" echo y" (PID 4828)
    - cacls C:\Windows\SysWOW64\FTP.exe /e /d mssqlserver (PID 1464)
    - cmd.exe /S /D /c" echo Y" (PID 1484)
    - cacls C:\Windows\SysWOW64\FTP.exe /e /d "network service" (PID 4180)
    - cmd.exe /S /D /c" echo y" (PID 872)
    - cacls C:\Windows\SysWOW64\FTP.exe /e /d system (PID 3424)
    - cmd.exe /S /D /c" echo Y" (PID 1864)
    - cacls C:\Windows\SysWOW64\FTP.exe /e /d mssql$sqlexpress (PID 660)
    - takeown /f C:\Windows\system32\wscript.exe /a (PID 412) [Modifies file permissions]
    - cmd.exe /S /D /c" echo y" (PID 4288)
    - cacls C:\Windows\system32\wscript.exe /g Administrators:f (PID 1560)
    - cmd.exe /S /D /c" echo y" (PID 1420)
    - cacls C:\Windows\system32\wscript.exe /e /g Users:r (PID 2116)
    - cmd.exe /S /D /c" echo y" (PID 3964)
    - cacls C:\Windows\system32\wscript.exe /e /g Administrators:r (PID 3216)
    - cmd.exe /S /D /c" echo y" (PID 2640)
    - cacls C:\Windows\system32\wscript.exe /e /d SERVICE (PID 4936)
    - cmd.exe /S /D /c" echo y" (PID 1524)
    - cacls C:\Windows\system32\wscript.exe /e /d mssqlserver (PID 4988)
    - cmd.exe /S /D /c" echo Y" (PID 4376)
    - cacls C:\Windows\system32\wscript.exe /e /d "network service" (PID 720)
    - cmd.exe /S /D /c" echo y" (PID 464)
    - cacls C:\Windows\system32\wscript.exe /e /d system (PID 2168)
    - cmd.exe /S /D /c" echo Y" (PID 3464)
    - cacls C:\Windows\system32\wscript.exe /e /d mssql$sqlexpress (PID 3120)
    - takeown /f C:\Windows\SysWOW64\wscript.exe /a (PID 5032) [Modifies file permissions]
    - cmd.exe /S /D /c" echo y" (PID 3828)
    - cacls C:\Windows\SysWOW64\wscript.exe /g Administrators:f (PID 4964)
    - cmd.exe /S /D /c" echo y" (PID 5864)
    - cacls C:\Windows\SysWOW64\wscript.exe /e /g Users:r (PID 2404)
    - cmd.exe /S /D /c" echo y" (PID 5948)
    - cacls C:\Windows\SysWOW64\wscript.exe /e /g Administrators:r (PID 6504)
    - cmd.exe /S /D /c" echo y" (PID 6080)
    - cacls C:\Windows\SysWOW64\wscript.exe /e /d SERVICE (PID 5536)
    - cmd.exe /S /D /c" echo y" (PID 5860)
    - cacls C:\Windows\SysWOW64\wscript.exe /e /d mssqlserver (PID 6920)
    - cmd.exe /S /D /c" echo Y" (PID 5632)
    - cacls C:\Windows\SysWOW64\wscript.exe /e /d "network service" (PID 6440)
    - cmd.exe /S /D /c" echo y" (PID 5192)
    - cacls C:\Windows\SysWOW64\wscript.exe /e /d system (PID 5536)
    - cmd.exe /S /D /c" echo Y" (PID 6416)
    - cacls C:\Windows\SysWOW64\wscript.exe /e /d mssql$sqlexpress (PID 2916)
    - takeown /f C:\Windows\system32\cscript.exe /a (PID 6972) [Modifies file permissions]
    - cmd.exe /S /D /c" echo y" (PID 6856)
    - cacls C:\Windows\system32\cscript.exe /g Administrators:f (PID 4704)
    - cmd.exe /S /D /c" echo y" (PID 6536)
    - cacls C:\Windows\system32\cscript.exe /e /g Users:r (PID 6708)
    - cmd.exe /S /D /c" echo y" (PID 5712)
    - cacls C:\Windows\system32\cscript.exe /e /g Administrators:r (PID 1648)
    - cmd.exe /S /D /c" echo y" (PID 6084)
    - cacls C:\Windows\system32\cscript.exe /e /d SERVICE (PID 4904)
    - cmd.exe /S /D /c" echo y" (PID 5736)
    - cacls C:\Windows\system32\cscript.exe /e /d mssqlserver (PID 6104)
    - cmd.exe /S /D /c" echo Y" (PID 5372)
    - cacls C:\Windows\system32\cscript.exe /e /d "network service" (PID 5860)
    - cmd.exe /S /D /c" echo y" (PID 3980)
    - cacls C:\Windows\system32\cscript.exe /e /d system (PID 5856)
    - cmd.exe /S /D /c" echo Y" (PID 5392)
    - cacls C:\Windows\system32\cscript.exe /e /d mssql$sqlexpress (PID 1392)
    - takeown /f C:\Windows\SysWOW64\cscript.exe /a (PID 6292) [Modifies file permissions]
    - cmd.exe /S /D /c" echo y" (PID 5852)
    - cacls C:\Windows\SysWOW64\cscript.exe /g Administrators:f (PID 6552)
    - cmd.exe /S /D /c" echo y" (PID 3120)
    - cacls C:\Windows\SysWOW64\cscript.exe /e /g Users:r (PID 6248)
    - cmd.exe /S /D /c" echo y" (PID 6472)
    - cacls C:\Windows\SysWOW64\cscript.exe /e /g Administrators:r (PID 7156)
    - cmd.exe /S /D /c" echo y" (PID 7144)
    - cacls C:\Windows\SysWOW64\cscript.exe /e /d SERVICE (PID 6796)
    - cmd.exe /S /D /c" echo y" (PID 496)
    - cacls C:\Windows\SysWOW64\cscript.exe /e /d mssqlserver (PID 6520)
    - cmd.exe /S /D /c" echo Y" (PID 5284)
    - cacls C:\Windows\SysWOW64\cscript.exe /e /d "network service" (PID 6464)
    - cmd.exe /S /D /c" echo y" (PID 984)
    - cacls C:\Windows\SysWOW64\cscript.exe /e /d system (PID 3428)
    - cmd.exe /S /D /c" echo Y" (PID 5996)
    - cacls C:\Windows\SysWOW64\cscript.exe /e /d mssql$sqlexpress (PID 6768)
    - takeown /f C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe /a (PID 2144) [Modifies file permissions]
    - cmd.exe /S /D /c" echo y" (PID 4340)
    - cacls C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe /g Administrators:f (PID 5716)
    - cmd.exe /S /D /c" echo y" (PID 5876)
    - cacls C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe /e /g Users:r (PID 3924)
    - cmd.exe /S /D /c" echo y" (PID 5116)
    - cacls C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe /e /g Administrators:r (PID 6612)
    - cmd.exe /S /D /c" echo y" (PID 6792)
    - cacls C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe /e /d SERVICE (PID 6432)
    - cmd.exe /S /D /c" echo y" (PID 4388)
    - cacls C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe /e /d mssqlserver (PID 4332)
    - cmd.exe /S /D /c" echo Y" (PID 5168)
    - cacls C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe /e /d "network service" (PID 1496)
    - cmd.exe /S /D /c" echo y" (PID 2468)
    - cacls C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe /e /d system (PID 6624)
    - cmd.exe /S /D /c" echo Y" (PID 3524)
    - cacls C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe /e /d mssql$sqlexpress (PID 3460)
    - takeown /f C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe /a (PID 5708) [Modifies file permissions]
    - cmd.exe /S /D /c" echo y" (PID 5488)
    - cacls C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe /g Administrators:f (PID 5660)
    - cmd.exe /S /D /c" echo y" (PID 7008)
    - cacls C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe /e /g Users:r (PID 6740)
    - cmd.exe /S /D /c" echo y" (PID 5964)
    - cacls C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe /e /g Administrators:r (PID 3148)
    - cmd.exe /S /D /c" echo y" (PID 5804)
    - cacls C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe /e /d SERVICE (PID 3436)
    - cmd.exe /S /D /c" echo y" (PID 6396)
    - cacls C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe /e /d mssqlserver (PID 1096)
    - cmd.exe /S /D /c" echo Y" (PID 4164)
    - cacls C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe /e /d "network service" (PID 2168)
    - cmd.exe /S /D /c" echo y" (PID 5212)
    - cacls C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe /e /d system (PID 5604)
    - cmd.exe /S /D /c" echo Y" (PID 5684)
    - cacls C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe /e /d mssql$sqlexpress (PID 4372)
    - takeown /f C:\ProgramData /a (PID 4648) [Modifies file permissions]
    - cmd.exe /S /D /c" echo y" (PID 6036)
    - cacls C:\ProgramData /g Administrators:f (PID 7080)
    - cmd.exe /S /D /c" echo y" (PID 3228)
    - cacls C:\ProgramData /e /g Users:r (PID 5852)
    - cmd.exe /S /D /c" echo y" (PID 5692)
    - cacls C:\ProgramData /e /g Administrators:r (PID 448)
    - cmd.exe /S /D /c" echo y" (PID 5272)
    - cacls C:\ProgramData /e /d SERVICE (PID 3660)
    - cmd.exe /S /D /c" echo y" (PID 3964)
    - cacls C:\ProgramData /e /d mssqlserver (PID 5792)
    - cmd.exe /S /D /c" echo Y" (PID 6352)
    - cacls C:\ProgramData /e /d "network service" (PID 2428)
    - cmd.exe /S /D /c" echo y" (PID 5048)
    - cacls C:\ProgramData /e /d system (PID 1184)
    - cmd.exe /S /D /c" echo Y" (PID 3404)
    - cacls C:\ProgramData /e /d mssql$sqlexpress (PID 3860)
    - takeown /f C:\Users\Public /a (PID 6264) [Modifies file permissions]
    - cmd.exe /S /D /c" echo y" (PID 5896)
    - cacls C:\Users\Public /g Administrators:f (PID 3968)
    - cmd.exe /S /D /c" echo y" (PID 3324)
    - cacls C:\Users\Public /e /g Users:r (PID 7068)
    - cmd.exe /S /D /c" echo y" (PID 6016)
    - cacls C:\Users\Public /e /g Administrators:r (PID 1804)
    - cmd.exe /S /D /c" echo y" (PID 6716)
    - cacls C:\Users\Public /e /d SERVICE (PID 4964)
    - cmd.exe /S /D /c" echo y" (PID 1140)
    - cacls C:\Users\Public /e /d mssqlserver (PID 5228)
    - cmd.exe /S /D /c" echo Y" (PID 4976)
    - cacls C:\Users\Public /e /d "network service" (PID 1864)
    - cmd.exe /S /D /c" echo y" (PID 5248)
    - cacls C:\Users\Public /e /d system (PID 4652)
    - cmd.exe /S /D /c" echo Y" (PID 5572)
    - cacls C:\Users\Public /e /d mssql$sqlexpress (PID 4908)
  - C:\Users\Admin\AppData\Local\Temp\6be2b4ae091e170fe4a53519a01feb229c2062f0da39923f628cf764c10e4b5c.exe (PID 824)
    Command line: C:\Users\Admin\AppData\Local\Temp\6be2b4ae091e170fe4a53519a01feb229c2062f0da39923f628cf764c10e4b5c.exe
    Signatures: Checks computer location settings; Enumerates connected drives; Drops file in Program Files directory; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory; System policy modification
    - C:\Windows\System32\cmd.exe (PID 4952) [Suspicious use of WriteProcessMemory]
      Command line: "C:\Windows\System32\cmd.exe" /c bcdedit /set {current} bootstatuspolicy ignoreallfailures
      - C:\Windows\system32\bcdedit.exe (PID 1504) [Modifies boot configuration data using bcdedit]
        Command line: bcdedit /set {current} bootstatuspolicy ignoreallfailures
    - C:\Windows\System32\cmd.exe (PID 2320) [Suspicious use of WriteProcessMemory]
      Command line: "C:\Windows\System32\cmd.exe" /c bcdedit /set {current} recoveryenabled no
      - C:\Windows\system32\bcdedit.exe (PID 5088) [Modifies boot configuration data using bcdedit]
        Command line: bcdedit /set {current} recoveryenabled no
- C:\Windows\servicing\TrustedInstaller.exe (PID 1216)
  Command line: C:\Windows\servicing\TrustedInstaller.exe
- C:\Windows\system32\BackgroundTransferHost.exe (PID 412)
  Command line: "BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.1
Network
MITRE ATT&CK Enterprise v15
Downloads