f1ec5fe994afb650c98ea558f8260df110ce938423da0a1be5b1f84359c13ee6

Analysis

max time kernel
25s
max time network
26s
platform
windows7_x64
resource
win7-20240705-en
resource tags

arch:x64arch:x86image:win7-20240705-enlocale:en-usos:windows7-x64system
submitted
19/08/2024, 22:40

Sharing

Copy URL

Twitter E-mail

Reason

Machine shutdown

Report Analysis Logs

General

Target

acdf00bc189999d54270c64f59f7ad8d_JaffaCakes118.exe
Size

665KB
MD5

acdf00bc189999d54270c64f59f7ad8d
SHA1

5fda8ba8ae40bd3c7711ff7eba54b1a780f83f3c
SHA256

f1ec5fe994afb650c98ea558f8260df110ce938423da0a1be5b1f84359c13ee6
SHA512

bd104ae410ae7504a19f88ca9ebbcee0c1e7310630f46a07f5f592f5055e6b46477ff53e3ad3f0a8a04f2cbd02014665fa352499edd69468d91371b47e229def
SSDEEP

12288:k1MX89GjRX3rtCqHTNSXoSmDV7QFfb1On4xLIuWV355FXw/+e4wCu+2GV35MwH:6Ms9mRXbnNS/IuWV355FXw/+e4wCu+2W

Score

9^/10

discovery evasion exploit ransomware upx

Malware Config

Signatures

Modifies boot configuration data using bcdedit 1 TTPs 1 IoCs

ransomware evasion

Inhibit System Recovery

T1490

pid	Process
784	bcdedit.exe

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	acdf00bc189999d54270c64f59f7ad8d_JaffaCakes118.exe

Possible privilege escalation attempt 57 IoCs

exploit

pid	Process
2996	takeown.exe
2184	icacls.exe
2772	takeown.exe
952	takeown.exe
2300	icacls.exe
2616	takeown.exe
2780	icacls.exe
2160	icacls.exe
2588	icacls.exe
588	icacls.exe
2492	takeown.exe
2116	icacls.exe
2332	takeown.exe
616	icacls.exe
608	icacls.exe
1468	icacls.exe
2544	icacls.exe
2592	icacls.exe
2764	takeown.exe
2968	icacls.exe
328	icacls.exe
1644	takeown.exe
2720	takeown.exe
1048	takeown.exe
1000	takeown.exe
2424	takeown.exe
1980	icacls.exe
900	takeown.exe
672	takeown.exe
500	icacls.exe
2584	icacls.exe
1080	takeown.exe
2216	takeown.exe
2988	icacls.exe
2712	takeown.exe
1640	icacls.exe
2892	takeown.exe
2420	takeown.exe
1540	icacls.exe
1740	takeown.exe
2280	icacls.exe
1112	icacls.exe
1884	takeown.exe
1580	icacls.exe
1676	takeown.exe
2396	takeown.exe
2688	takeown.exe
2536	takeown.exe
2412	icacls.exe
2532	icacls.exe
1360	takeown.exe
740	icacls.exe
1944	icacls.exe
2720	icacls.exe
2104	icacls.exe
2092	takeown.exe
1464	takeown.exe

Modifies file permissions 1 TTPs 57 IoCs

discovery

File and Directory Permissions Modification

T1222

pid	Process
2184	icacls.exe
2412	icacls.exe
2280	icacls.exe
1468	icacls.exe
1080	takeown.exe
952	takeown.exe
2616	takeown.exe
1644	takeown.exe
2532	icacls.exe
2892	takeown.exe
2424	takeown.exe
2300	icacls.exe
2780	icacls.exe
2544	icacls.exe
2688	takeown.exe
2764	takeown.exe
2116	icacls.exe
2492	takeown.exe
1112	icacls.exe
608	icacls.exe
740	icacls.exe
1000	takeown.exe
2772	takeown.exe
1540	icacls.exe
500	icacls.exe
2536	takeown.exe
1360	takeown.exe
588	icacls.exe
2968	icacls.exe
2216	takeown.exe
1884	takeown.exe
1640	icacls.exe
2720	takeown.exe
2584	icacls.exe
1980	icacls.exe
1464	takeown.exe
1048	takeown.exe
1676	takeown.exe
1944	icacls.exe
2720	icacls.exe
2588	icacls.exe
2996	takeown.exe
2712	takeown.exe
328	icacls.exe
2104	icacls.exe
2988	icacls.exe
2332	takeown.exe
2592	icacls.exe
900	takeown.exe
2420	takeown.exe
1580	icacls.exe
616	icacls.exe
1740	takeown.exe
672	takeown.exe
2092	takeown.exe
2396	takeown.exe
2160	icacls.exe

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2312-0-0x0000000000400000-0x000000000058A000-memory.dmp	upx
behavioral1/memory/2312-75-0x0000000000400000-0x000000000058A000-memory.dmp	upx
behavioral1/memory/2312-88-0x0000000000400000-0x000000000058A000-memory.dmp	upx

Launches sc.exe 2 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
1612	sc.exe
1740	sc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	acdf00bc189999d54270c64f59f7ad8d_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	shutdown.exe

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.VBS	acdf00bc189999d54270c64f59f7ad8d_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.vbs\ = "VBSFile"	acdf00bc189999d54270c64f59f7ad8d_JaffaCakes118.exe

Modifies registry key 1 TTPs 1 IoCs

Modify Registry

T1112

pid	Process
2692	reg.exe

Runs net.exe

Suspicious use of AdjustPrivilegeToken 28 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	2688	takeown.exe
Token: SeTakeOwnershipPrivilege	2536	takeown.exe
Token: SeTakeOwnershipPrivilege	2996	takeown.exe
Token: SeTakeOwnershipPrivilege	1360	takeown.exe
Token: SeTakeOwnershipPrivilege	1740	takeown.exe
Token: SeTakeOwnershipPrivilege	2764	takeown.exe
Token: SeTakeOwnershipPrivilege	2712	takeown.exe
Token: SeTakeOwnershipPrivilege	2424	takeown.exe
Token: SeTakeOwnershipPrivilege	1080	takeown.exe
Token: SeTakeOwnershipPrivilege	2216	takeown.exe
Token: SeTakeOwnershipPrivilege	2492	takeown.exe
Token: SeTakeOwnershipPrivilege	952	takeown.exe
Token: SeTakeOwnershipPrivilege	1884	takeown.exe
Token: SeTakeOwnershipPrivilege	1644	takeown.exe
Token: SeTakeOwnershipPrivilege	2420	takeown.exe
Token: SeTakeOwnershipPrivilege	900	takeown.exe
Token: SeTakeOwnershipPrivilege	1464	takeown.exe
Token: SeTakeOwnershipPrivilege	1048	takeown.exe
Token: SeTakeOwnershipPrivilege	2332	takeown.exe
Token: SeTakeOwnershipPrivilege	1676	takeown.exe
Token: SeTakeOwnershipPrivilege	1000	takeown.exe
Token: SeTakeOwnershipPrivilege	2396	takeown.exe
Token: SeTakeOwnershipPrivilege	2092	takeown.exe
Token: SeTakeOwnershipPrivilege	2772	takeown.exe
Token: SeTakeOwnershipPrivilege	2616	takeown.exe
Token: SeTakeOwnershipPrivilege	2892	takeown.exe
Token: SeShutdownPrivilege	320	shutdown.exe
Token: SeRemoteShutdownPrivilege	320	shutdown.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2312 wrote to memory of 2884	2312	acdf00bc189999d54270c64f59f7ad8d_JaffaCakes118.exe	31
PID 2312 wrote to memory of 2884	2312	acdf00bc189999d54270c64f59f7ad8d_JaffaCakes118.exe	31
PID 2312 wrote to memory of 2884	2312	acdf00bc189999d54270c64f59f7ad8d_JaffaCakes118.exe	31
PID 2312 wrote to memory of 2884	2312	acdf00bc189999d54270c64f59f7ad8d_JaffaCakes118.exe	31
PID 2312 wrote to memory of 3056	2312	acdf00bc189999d54270c64f59f7ad8d_JaffaCakes118.exe	32
PID 2312 wrote to memory of 3056	2312	acdf00bc189999d54270c64f59f7ad8d_JaffaCakes118.exe	32
PID 2312 wrote to memory of 3056	2312	acdf00bc189999d54270c64f59f7ad8d_JaffaCakes118.exe	32
PID 2312 wrote to memory of 3056	2312	acdf00bc189999d54270c64f59f7ad8d_JaffaCakes118.exe	32
PID 2312 wrote to memory of 2100	2312	acdf00bc189999d54270c64f59f7ad8d_JaffaCakes118.exe	33
PID 2312 wrote to memory of 2100	2312	acdf00bc189999d54270c64f59f7ad8d_JaffaCakes118.exe	33
PID 2312 wrote to memory of 2100	2312	acdf00bc189999d54270c64f59f7ad8d_JaffaCakes118.exe	33
PID 2312 wrote to memory of 2100	2312	acdf00bc189999d54270c64f59f7ad8d_JaffaCakes118.exe	33
PID 2100 wrote to memory of 1912	2100	cmd.exe	34
PID 2100 wrote to memory of 1912	2100	cmd.exe	34
PID 2100 wrote to memory of 1912	2100	cmd.exe	34
PID 2312 wrote to memory of 2128	2312	acdf00bc189999d54270c64f59f7ad8d_JaffaCakes118.exe	36
PID 2312 wrote to memory of 2128	2312	acdf00bc189999d54270c64f59f7ad8d_JaffaCakes118.exe	36
PID 2312 wrote to memory of 2128	2312	acdf00bc189999d54270c64f59f7ad8d_JaffaCakes118.exe	36
PID 2312 wrote to memory of 2128	2312	acdf00bc189999d54270c64f59f7ad8d_JaffaCakes118.exe	36
PID 2128 wrote to memory of 2892	2128	cmd.exe	37
PID 2128 wrote to memory of 2892	2128	cmd.exe	37
PID 2128 wrote to memory of 2892	2128	cmd.exe	37
PID 2892 wrote to memory of 2640	2892	net.exe	38
PID 2892 wrote to memory of 2640	2892	net.exe	38
PID 2892 wrote to memory of 2640	2892	net.exe	38
PID 2312 wrote to memory of 2700	2312	acdf00bc189999d54270c64f59f7ad8d_JaffaCakes118.exe	39
PID 2312 wrote to memory of 2700	2312	acdf00bc189999d54270c64f59f7ad8d_JaffaCakes118.exe	39
PID 2312 wrote to memory of 2700	2312	acdf00bc189999d54270c64f59f7ad8d_JaffaCakes118.exe	39
PID 2312 wrote to memory of 2700	2312	acdf00bc189999d54270c64f59f7ad8d_JaffaCakes118.exe	39
PID 2700 wrote to memory of 2548	2700	cmd.exe	40
PID 2700 wrote to memory of 2548	2700	cmd.exe	40
PID 2700 wrote to memory of 2548	2700	cmd.exe	40
PID 2548 wrote to memory of 2552	2548	net.exe	41
PID 2548 wrote to memory of 2552	2548	net.exe	41
PID 2548 wrote to memory of 2552	2548	net.exe	41
PID 2312 wrote to memory of 2704	2312	acdf00bc189999d54270c64f59f7ad8d_JaffaCakes118.exe	42
PID 2312 wrote to memory of 2704	2312	acdf00bc189999d54270c64f59f7ad8d_JaffaCakes118.exe	42
PID 2312 wrote to memory of 2704	2312	acdf00bc189999d54270c64f59f7ad8d_JaffaCakes118.exe	42
PID 2312 wrote to memory of 2704	2312	acdf00bc189999d54270c64f59f7ad8d_JaffaCakes118.exe	42
PID 2704 wrote to memory of 2688	2704	cmd.exe	43
PID 2704 wrote to memory of 2688	2704	cmd.exe	43
PID 2704 wrote to memory of 2688	2704	cmd.exe	43
PID 2312 wrote to memory of 2572	2312	acdf00bc189999d54270c64f59f7ad8d_JaffaCakes118.exe	44
PID 2312 wrote to memory of 2572	2312	acdf00bc189999d54270c64f59f7ad8d_JaffaCakes118.exe	44
PID 2312 wrote to memory of 2572	2312	acdf00bc189999d54270c64f59f7ad8d_JaffaCakes118.exe	44
PID 2312 wrote to memory of 2572	2312	acdf00bc189999d54270c64f59f7ad8d_JaffaCakes118.exe	44
PID 2572 wrote to memory of 2720	2572	cmd.exe	45
PID 2572 wrote to memory of 2720	2572	cmd.exe	45
PID 2572 wrote to memory of 2720	2572	cmd.exe	45
PID 2312 wrote to memory of 2580	2312	acdf00bc189999d54270c64f59f7ad8d_JaffaCakes118.exe	46
PID 2312 wrote to memory of 2580	2312	acdf00bc189999d54270c64f59f7ad8d_JaffaCakes118.exe	46
PID 2312 wrote to memory of 2580	2312	acdf00bc189999d54270c64f59f7ad8d_JaffaCakes118.exe	46
PID 2312 wrote to memory of 2580	2312	acdf00bc189999d54270c64f59f7ad8d_JaffaCakes118.exe	46
PID 2312 wrote to memory of 2528	2312	acdf00bc189999d54270c64f59f7ad8d_JaffaCakes118.exe	47
PID 2312 wrote to memory of 2528	2312	acdf00bc189999d54270c64f59f7ad8d_JaffaCakes118.exe	47
PID 2312 wrote to memory of 2528	2312	acdf00bc189999d54270c64f59f7ad8d_JaffaCakes118.exe	47
PID 2312 wrote to memory of 2528	2312	acdf00bc189999d54270c64f59f7ad8d_JaffaCakes118.exe	47
PID 2528 wrote to memory of 2536	2528	cmd.exe	48
PID 2528 wrote to memory of 2536	2528	cmd.exe	48
PID 2528 wrote to memory of 2536	2528	cmd.exe	48
PID 2312 wrote to memory of 2556	2312	acdf00bc189999d54270c64f59f7ad8d_JaffaCakes118.exe	49
PID 2312 wrote to memory of 2556	2312	acdf00bc189999d54270c64f59f7ad8d_JaffaCakes118.exe	49
PID 2312 wrote to memory of 2556	2312	acdf00bc189999d54270c64f59f7ad8d_JaffaCakes118.exe	49
PID 2312 wrote to memory of 2556	2312	acdf00bc189999d54270c64f59f7ad8d_JaffaCakes118.exe	49

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\acdf00bc189999d54270c64f59f7ad8d_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\acdf00bc189999d54270c64f59f7ad8d_JaffaCakes118.exe"
1⤵
- Drops file in Drivers directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2312
- C:\Windows\system32\cmd.exe
  cmd.exe /A /C "ren %SystemRoot%\system32\slmgr.vbs.removewat slmgr.vbs 2>NUL>NUL"
  2⤵
  PID:2884
- C:\Windows\system32\cmd.exe
  cmd.exe /A /C "ren %SystemRoot%\SysWOW64\slmgr.vbs.removewat slmgr.vbs 2>NUL>NUL"
  2⤵
  PID:3056
- C:\Windows\system32\cmd.exe
  cmd.exe /A /C "cscript.exe //nologo %SystemRoot%\SysWOW64\slmgr.vbs -rilc 2>NUL>NUL"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2100
- - C:\Windows\system32\cscript.exe
    cscript.exe //nologo C:\Windows\SysWOW64\slmgr.vbs -rilc
    3⤵
    PID:1912
- C:\Windows\system32\cmd.exe
  cmd.exe /A /C "net stop sppsvc 2>NUL>NUL"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2128
- - C:\Windows\system32\net.exe
    net stop sppsvc
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2892
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop sppsvc
      4⤵
      PID:2640
- C:\Windows\system32\cmd.exe
  cmd.exe /A /C "net stop sppuinotify 2>NUL>NUL"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2700
- - C:\Windows\system32\net.exe
    net stop sppuinotify
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2548
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop sppuinotify
      4⤵
      PID:2552
- C:\Windows\system32\cmd.exe
  cmd.exe /A /C "takeown /f %SystemRoot%\SysWOW64\slmgr.vbs"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2704
- - C:\Windows\system32\takeown.exe
    takeown /f C:\Windows\SysWOW64\slmgr.vbs
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    - Suspicious use of AdjustPrivilegeToken
    PID:2688
- C:\Windows\system32\cmd.exe
  cmd.exe /A /C "icacls %SystemRoot%\SysWOW64\slmgr.vbs /grant *S-1-1-0:F"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2572
- - C:\Windows\system32\icacls.exe
    icacls C:\Windows\SysWOW64\slmgr.vbs /grant *S-1-1-0:F
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    PID:2720
- C:\Windows\system32\cmd.exe
  cmd.exe /A /C "ren %SystemRoot%\SysWOW64\slmgr.vbs slmgr.vbs.oxvac"
  2⤵
  PID:2580
- C:\Windows\system32\cmd.exe
  cmd.exe /A /C "takeown /f %SystemRoot%\SysWOW64\user32.dll"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2528
- - C:\Windows\system32\takeown.exe
    takeown /f C:\Windows\SysWOW64\user32.dll
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    - Suspicious use of AdjustPrivilegeToken
    PID:2536
- C:\Windows\system32\cmd.exe
  cmd.exe /A /C "icacls %SystemRoot%\SysWOW64\user32.dll /grant *S-1-1-0:F"
  2⤵
  PID:2556
- - C:\Windows\system32\icacls.exe
    icacls C:\Windows\SysWOW64\user32.dll /grant *S-1-1-0:F
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    PID:2588
- C:\Windows\system32\cmd.exe
  cmd.exe /A /C "ren %SystemRoot%\SysWOW64\user32.dll user32.dll.oxvac"
  2⤵
  PID:2644
- C:\Windows\system32\cmd.exe
  cmd.exe /A /C "takeown /f %SystemRoot%\SysWOW64\slwga.dll"
  2⤵
  PID:1592
- - C:\Windows\system32\takeown.exe
    takeown /f C:\Windows\SysWOW64\slwga.dll
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    - Suspicious use of AdjustPrivilegeToken
    PID:2996
- C:\Windows\system32\cmd.exe
  cmd.exe /A /C "icacls %SystemRoot%\SysWOW64\slwga.dll /grant *S-1-1-0:F"
  2⤵
  PID:1988
- - C:\Windows\system32\icacls.exe
    icacls C:\Windows\SysWOW64\slwga.dll /grant *S-1-1-0:F
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    PID:2184
- C:\Windows\system32\cmd.exe
  cmd.exe /A /C "ren %SystemRoot%\SysWOW64\slwga.dll slwga.dll.oxvac"
  2⤵
  PID:500
- C:\Windows\system32\cmd.exe
  cmd.exe /A /C "takeown /f %SystemRoot%\SysWOW64\sppcomapi.dll"
  2⤵
  PID:3012
- - C:\Windows\system32\takeown.exe
    takeown /f C:\Windows\SysWOW64\sppcomapi.dll
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    - Suspicious use of AdjustPrivilegeToken
    PID:1360
- C:\Windows\system32\cmd.exe
  cmd.exe /A /C "icacls %SystemRoot%\SysWOW64\sppcomapi.dll /grant *S-1-1-0:F"
  2⤵
  PID:1500
- - C:\Windows\system32\icacls.exe
    icacls C:\Windows\SysWOW64\sppcomapi.dll /grant *S-1-1-0:F
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    PID:588
- C:\Windows\system32\cmd.exe
  cmd.exe /A /C "ren %SystemRoot%\SysWOW64\sppcomapi.dll sppcomapi.dll.oxvac"
  2⤵
  PID:2756
- C:\Windows\system32\cmd.exe
  cmd.exe /A /C "takeown /f %SystemRoot%\SysWOW64\sppcommdlg.dll"
  2⤵
  PID:1764
- - C:\Windows\system32\takeown.exe
    takeown /f C:\Windows\SysWOW64\sppcommdlg.dll
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    - Suspicious use of AdjustPrivilegeToken
    PID:1740
- C:\Windows\system32\cmd.exe
  cmd.exe /A /C "icacls %SystemRoot%\SysWOW64\sppcommdlg.dll /grant *S-1-1-0:F"
  2⤵
  PID:2848
- - C:\Windows\system32\icacls.exe
    icacls C:\Windows\SysWOW64\sppcommdlg.dll /grant *S-1-1-0:F
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    PID:2592
- C:\Windows\system32\cmd.exe
  cmd.exe /A /C "ren %SystemRoot%\SysWOW64\sppcommdlg.dll sppcommdlg.dll.oxvac"
  2⤵
  PID:2868
- C:\Windows\system32\cmd.exe
  cmd.exe /A /C "takeown /f %SystemRoot%\SysWOW64\sppuinotify.dll"
  2⤵
  PID:2964
- - C:\Windows\system32\takeown.exe
    takeown /f C:\Windows\SysWOW64\sppuinotify.dll
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    - Suspicious use of AdjustPrivilegeToken
    PID:2764
- C:\Windows\system32\cmd.exe
  cmd.exe /A /C "icacls %SystemRoot%\SysWOW64\sppuinotify.dll /grant *S-1-1-0:F"
  2⤵
  PID:488
- - C:\Windows\system32\icacls.exe
    icacls C:\Windows\SysWOW64\sppuinotify.dll /grant *S-1-1-0:F
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    PID:2584
- C:\Windows\system32\cmd.exe
  cmd.exe /A /C "ren %SystemRoot%\SysWOW64\sppuinotify.dll sppuinotify.dll.oxvac"
  2⤵
  PID:2800
- C:\Windows\system32\cmd.exe
  cmd.exe /A /C "takeown /f %SystemRoot%\SysWOW64\sppwmi.dll"
  2⤵
  PID:2624
- - C:\Windows\system32\takeown.exe
    takeown /f C:\Windows\SysWOW64\sppwmi.dll
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    - Suspicious use of AdjustPrivilegeToken
    PID:2712
- C:\Windows\system32\cmd.exe
  cmd.exe /A /C "icacls %SystemRoot%\SysWOW64\sppwmi.dll /grant *S-1-1-0:F"
  2⤵
  PID:2340
- - C:\Windows\system32\icacls.exe
    icacls C:\Windows\SysWOW64\sppwmi.dll /grant *S-1-1-0:F
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    PID:2412
- C:\Windows\system32\cmd.exe
  cmd.exe /A /C "ren %SystemRoot%\SysWOW64\sppwmi.dll sppwmi.dll.oxvac"
  2⤵
  PID:1136
- C:\Windows\system32\cmd.exe
  cmd.exe /A /C "takeown /f %SystemRoot%\SysWOW64\systemcpl.dll"
  2⤵
  PID:1408
- - C:\Windows\system32\takeown.exe
    takeown /f C:\Windows\SysWOW64\systemcpl.dll
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    - Suspicious use of AdjustPrivilegeToken
    PID:2424
- C:\Windows\system32\cmd.exe
  cmd.exe /A /C "icacls %SystemRoot%\SysWOW64\systemcpl.dll /grant *S-1-1-0:F"
  2⤵
  PID:2040
- - C:\Windows\system32\icacls.exe
    icacls C:\Windows\SysWOW64\systemcpl.dll /grant *S-1-1-0:F
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    PID:2968
- C:\Windows\system32\cmd.exe
  cmd.exe /A /C "ren %SystemRoot%\SysWOW64\systemcpl.dll systemcpl.dll.oxvac"
  2⤵
  PID:2876
- C:\Windows\system32\cmd.exe
  cmd.exe /A /C "takeown /f %SystemRoot%\SysWOW64\winlogon.exe"
  2⤵
  PID:2984
- - C:\Windows\system32\takeown.exe
    takeown /f C:\Windows\SysWOW64\winlogon.exe
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    - Suspicious use of AdjustPrivilegeToken
    PID:1080
- C:\Windows\system32\cmd.exe
  cmd.exe /A /C "icacls %SystemRoot%\SysWOW64\winlogon.exe /grant *S-1-1-0:F"
  2⤵
  PID:992
- - C:\Windows\system32\icacls.exe
    icacls C:\Windows\SysWOW64\winlogon.exe /grant *S-1-1-0:F
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    PID:1980
- C:\Windows\system32\cmd.exe
  cmd.exe /A /C "ren %SystemRoot%\SysWOW64\winlogon.exe winlogon.exe.oxvac"
  2⤵
  PID:760
- C:\Windows\system32\cmd.exe
  cmd.exe /A /C "takeown /f %SystemRoot%\SysWOW64\winver.exe"
  2⤵
  PID:540
- - C:\Windows\system32\takeown.exe
    takeown /f C:\Windows\SysWOW64\winver.exe
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    - Suspicious use of AdjustPrivilegeToken
    PID:2216
- C:\Windows\system32\cmd.exe
  cmd.exe /A /C "icacls %SystemRoot%\SysWOW64\winver.exe /grant *S-1-1-0:F"
  2⤵
  PID:320
- - C:\Windows\system32\icacls.exe
    icacls C:\Windows\SysWOW64\winver.exe /grant *S-1-1-0:F
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    PID:328
- C:\Windows\system32\cmd.exe
  cmd.exe /A /C "ren %SystemRoot%\SysWOW64\winver.exe winver.exe.oxvac"
  2⤵
  PID:1156
- C:\Windows\system32\cmd.exe
  cmd.exe /A /C "takeown /f %SystemRoot%\SysWOW64\slui.exe"
  2⤵
  PID:1728
- - C:\Windows\system32\takeown.exe
    takeown /f C:\Windows\SysWOW64\slui.exe
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    - Suspicious use of AdjustPrivilegeToken
    PID:2492
- C:\Windows\system32\cmd.exe
  cmd.exe /A /C "icacls %SystemRoot%\SysWOW64\slui.exe /grant *S-1-1-0:F"
  2⤵
  PID:2112
- - C:\Windows\system32\icacls.exe
    icacls C:\Windows\SysWOW64\slui.exe /grant *S-1-1-0:F
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    PID:2104
- C:\Windows\system32\cmd.exe
  cmd.exe /A /C "ren %SystemRoot%\SysWOW64\slui.exe slui.exe.oxvac"
  2⤵
  PID:2096
- C:\Windows\system32\cmd.exe
  cmd.exe /A /C "takeown /f %SystemRoot%\SysWOW64\ntkrnlpa.exe"
  2⤵
  PID:1388
- - C:\Windows\system32\takeown.exe
    takeown /f C:\Windows\SysWOW64\ntkrnlpa.exe
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    - Suspicious use of AdjustPrivilegeToken
    PID:952
- C:\Windows\system32\cmd.exe
  cmd.exe /A /C "icacls %SystemRoot%\SysWOW64\ntkrnlpa.exe /grant *S-1-1-0:F"
  2⤵
  PID:2068
- - C:\Windows\system32\icacls.exe
    icacls C:\Windows\SysWOW64\ntkrnlpa.exe /grant *S-1-1-0:F
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    PID:2300
- C:\Windows\system32\cmd.exe
  cmd.exe /A /C "ren %SystemRoot%\SysWOW64\ntkrnlpa.exe ntkrnlpa.exe.oxvac"
  2⤵
  PID:2156
- C:\Windows\system32\cmd.exe
  cmd.exe /A /C "takeown /f %SystemRoot%\SysWOW64\ntoskrnl.exe"
  2⤵
  PID:2508
- - C:\Windows\system32\takeown.exe
    takeown /f C:\Windows\SysWOW64\ntoskrnl.exe
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    - Suspicious use of AdjustPrivilegeToken
    PID:1884
- C:\Windows\system32\cmd.exe
  cmd.exe /A /C "icacls %SystemRoot%\SysWOW64\ntoskrnl.exe /grant *S-1-1-0:F"
  2⤵
  PID:1116
- - C:\Windows\system32\icacls.exe
    icacls C:\Windows\SysWOW64\ntoskrnl.exe /grant *S-1-1-0:F
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    PID:2280
- C:\Windows\system32\cmd.exe
  cmd.exe /A /C "ren %SystemRoot%\SysWOW64\ntoskrnl.exe ntoskrnl.exe.oxvac"
  2⤵
  PID:1888
- C:\Windows\system32\cmd.exe
  cmd.exe /A /C "takeown /f %SystemRoot%\SysWOW64\Wat\*"
  2⤵
  PID:2144
- - C:\Windows\system32\takeown.exe
    takeown /f C:\Windows\SysWOW64\Wat\*
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    PID:672
- C:\Windows\system32\cmd.exe
  cmd.exe /A /C "icacls %SystemRoot%\SysWOW64\Wat\* /grant *S-1-1-0:F"
  2⤵
  PID:872
- - C:\Windows\system32\icacls.exe
    icacls C:\Windows\SysWOW64\Wat\* /grant *S-1-1-0:F
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    PID:2988
- C:\Windows\system32\cmd.exe
  cmd.exe /A /C "takeown /f %SystemRoot%\system32\slmgr.vbs"
  2⤵
  PID:2856
- - C:\Windows\system32\takeown.exe
    takeown /f C:\Windows\system32\slmgr.vbs
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    - Suspicious use of AdjustPrivilegeToken
    PID:1644
- C:\Windows\system32\cmd.exe
  cmd.exe /A /C "icacls %SystemRoot%\system32\slmgr.vbs /grant *S-1-1-0:F"
  2⤵
  PID:444
- - C:\Windows\system32\icacls.exe
    icacls C:\Windows\system32\slmgr.vbs /grant *S-1-1-0:F
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    PID:1112
- C:\Windows\system32\cmd.exe
  cmd.exe /A /C "ren %SystemRoot%\system32\slmgr.vbs slmgr.vbs.oxvac"
  2⤵
  PID:2948
- C:\Windows\system32\cmd.exe
  cmd.exe /A /C "takeown /f %SystemRoot%\system32\user32.dll"
  2⤵
  PID:2028
- - C:\Windows\system32\takeown.exe
    takeown /f C:\Windows\system32\user32.dll
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    - Suspicious use of AdjustPrivilegeToken
    PID:2420
- C:\Windows\system32\cmd.exe
  cmd.exe /A /C "icacls %SystemRoot%\system32\user32.dll /grant *S-1-1-0:F"
  2⤵
  PID:1260
- - C:\Windows\system32\icacls.exe
    icacls C:\Windows\system32\user32.dll /grant *S-1-1-0:F
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    PID:1540
- C:\Windows\system32\cmd.exe
  cmd.exe /A /C "ren %SystemRoot%\system32\user32.dll user32.dll.oxvac"
  2⤵
  PID:2344
- C:\Windows\system32\cmd.exe
  cmd.exe /A /C "takeown /f %SystemRoot%\system32\slwga.dll"
  2⤵
  PID:1108
- - C:\Windows\system32\takeown.exe
    takeown /f C:\Windows\system32\slwga.dll
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    - Suspicious use of AdjustPrivilegeToken
    PID:900
- C:\Windows\system32\cmd.exe
  cmd.exe /A /C "icacls %SystemRoot%\system32\slwga.dll /grant *S-1-1-0:F"
  2⤵
  PID:1668
- - C:\Windows\system32\icacls.exe
    icacls C:\Windows\system32\slwga.dll /grant *S-1-1-0:F
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    PID:608
- C:\Windows\system32\cmd.exe
  cmd.exe /A /C "ren %SystemRoot%\system32\slwga.dll slwga.dll.oxvac"
  2⤵
  PID:1848
- C:\Windows\system32\cmd.exe
  cmd.exe /A /C "takeown /f %SystemRoot%\system32\sppcomapi.dll"
  2⤵
  PID:1508
- - C:\Windows\system32\takeown.exe
    takeown /f C:\Windows\system32\sppcomapi.dll
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    - Suspicious use of AdjustPrivilegeToken
    PID:1464
- C:\Windows\system32\cmd.exe
  cmd.exe /A /C "icacls %SystemRoot%\system32\sppcomapi.dll /grant *S-1-1-0:F"
  2⤵
  PID:1460
- - C:\Windows\system32\icacls.exe
    icacls C:\Windows\system32\sppcomapi.dll /grant *S-1-1-0:F
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    PID:740
- C:\Windows\system32\cmd.exe
  cmd.exe /A /C "ren %SystemRoot%\system32\sppcomapi.dll sppcomapi.dll.oxvac"
  2⤵
  PID:2024
- C:\Windows\system32\cmd.exe
  cmd.exe /A /C "takeown /f %SystemRoot%\system32\sppcommdlg.dll"
  2⤵
  PID:2060
- - C:\Windows\system32\takeown.exe
    takeown /f C:\Windows\system32\sppcommdlg.dll
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    - Suspicious use of AdjustPrivilegeToken
    PID:1048
- C:\Windows\system32\cmd.exe
  cmd.exe /A /C "icacls %SystemRoot%\system32\sppcommdlg.dll /grant *S-1-1-0:F"
  2⤵
  PID:1976
- - C:\Windows\system32\icacls.exe
    icacls C:\Windows\system32\sppcommdlg.dll /grant *S-1-1-0:F
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    PID:2116
- C:\Windows\system32\cmd.exe
  cmd.exe /A /C "ren %SystemRoot%\system32\sppcommdlg.dll sppcommdlg.dll.oxvac"
  2⤵
  PID:2392
- C:\Windows\system32\cmd.exe
  cmd.exe /A /C "takeown /f %SystemRoot%\system32\sppuinotify.dll"
  2⤵
  PID:2440
- - C:\Windows\system32\takeown.exe
    takeown /f C:\Windows\system32\sppuinotify.dll
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    - Suspicious use of AdjustPrivilegeToken
    PID:2332
- C:\Windows\system32\cmd.exe
  cmd.exe /A /C "icacls %SystemRoot%\system32\sppuinotify.dll /grant *S-1-1-0:F"
  2⤵
  PID:2364
- - C:\Windows\system32\icacls.exe
    icacls C:\Windows\system32\sppuinotify.dll /grant *S-1-1-0:F
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    PID:1468
- C:\Windows\system32\cmd.exe
  cmd.exe /A /C "ren %SystemRoot%\system32\sppuinotify.dll sppuinotify.dll.oxvac"
  2⤵
  PID:1852
- C:\Windows\system32\cmd.exe
  cmd.exe /A /C "takeown /f %SystemRoot%\system32\sppwmi.dll"
  2⤵
  PID:1652
- - C:\Windows\system32\takeown.exe
    takeown /f C:\Windows\system32\sppwmi.dll
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    - Suspicious use of AdjustPrivilegeToken
    PID:1676
- C:\Windows\system32\cmd.exe
  cmd.exe /A /C "icacls %SystemRoot%\system32\sppwmi.dll /grant *S-1-1-0:F"
  2⤵
  PID:988
- - C:\Windows\system32\icacls.exe
    icacls C:\Windows\system32\sppwmi.dll /grant *S-1-1-0:F
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    PID:1640
- C:\Windows\system32\cmd.exe
  cmd.exe /A /C "ren %SystemRoot%\system32\sppwmi.dll sppwmi.dll.oxvac"
  2⤵
  PID:1480
- C:\Windows\system32\cmd.exe
  cmd.exe /A /C "takeown /f %SystemRoot%\system32\systemcpl.dll"
  2⤵
  PID:1968
- - C:\Windows\system32\takeown.exe
    takeown /f C:\Windows\system32\systemcpl.dll
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    - Suspicious use of AdjustPrivilegeToken
    PID:1000
- C:\Windows\system32\cmd.exe
  cmd.exe /A /C "icacls %SystemRoot%\system32\systemcpl.dll /grant *S-1-1-0:F"
  2⤵
  PID:1788
- - C:\Windows\system32\icacls.exe
    icacls C:\Windows\system32\systemcpl.dll /grant *S-1-1-0:F
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    PID:1580
- C:\Windows\system32\cmd.exe
  cmd.exe /A /C "ren %SystemRoot%\system32\systemcpl.dll systemcpl.dll.oxvac"
  2⤵
  PID:2220
- C:\Windows\system32\cmd.exe
  cmd.exe /A /C "takeown /f %SystemRoot%\system32\winlogon.exe"
  2⤵
  PID:1708
- - C:\Windows\system32\takeown.exe
    takeown /f C:\Windows\system32\winlogon.exe
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    - Suspicious use of AdjustPrivilegeToken
    PID:2396
- C:\Windows\system32\cmd.exe
  cmd.exe /A /C "icacls %SystemRoot%\system32\winlogon.exe /grant *S-1-1-0:F"
  2⤵
  PID:896
- - C:\Windows\system32\icacls.exe
    icacls C:\Windows\system32\winlogon.exe /grant *S-1-1-0:F
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    PID:1944
- C:\Windows\system32\cmd.exe
  cmd.exe /A /C "ren %SystemRoot%\system32\winlogon.exe winlogon.exe.oxvac"
  2⤵
  PID:2196
- C:\Windows\system32\cmd.exe
  cmd.exe /A /C "takeown /f %SystemRoot%\system32\winver.exe"
  2⤵
  PID:1524
- - C:\Windows\system32\takeown.exe
    takeown /f C:\Windows\system32\winver.exe
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    - Suspicious use of AdjustPrivilegeToken
    PID:2092
- C:\Windows\system32\cmd.exe
  cmd.exe /A /C "icacls %SystemRoot%\system32\winver.exe /grant *S-1-1-0:F"
  2⤵
  PID:2940
- - C:\Windows\system32\icacls.exe
    icacls C:\Windows\system32\winver.exe /grant *S-1-1-0:F
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    PID:616
- C:\Windows\system32\cmd.exe
  cmd.exe /A /C "ren %SystemRoot%\system32\winver.exe winver.exe.oxvac"
  2⤵
  PID:2080
- C:\Windows\system32\cmd.exe
  cmd.exe /A /C "takeown /f %SystemRoot%\system32\slui.exe"
  2⤵
  PID:1784
- - C:\Windows\system32\takeown.exe
    takeown /f C:\Windows\system32\slui.exe
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    - Suspicious use of AdjustPrivilegeToken
    PID:2772
- C:\Windows\system32\cmd.exe
  cmd.exe /A /C "icacls %SystemRoot%\system32\slui.exe /grant *S-1-1-0:F"
  2⤵
  PID:2228
- - C:\Windows\system32\icacls.exe
    icacls C:\Windows\system32\slui.exe /grant *S-1-1-0:F
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    PID:2532
- C:\Windows\system32\cmd.exe
  cmd.exe /A /C "ren %SystemRoot%\system32\slui.exe slui.exe.oxvac"
  2⤵
  PID:2632
- C:\Windows\system32\cmd.exe
  cmd.exe /A /C "takeown /f %SystemRoot%\system32\ntkrnlpa.exe"
  2⤵
  PID:2188
- - C:\Windows\system32\takeown.exe
    takeown /f C:\Windows\system32\ntkrnlpa.exe
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    - Suspicious use of AdjustPrivilegeToken
    PID:2616
- C:\Windows\system32\cmd.exe
  cmd.exe /A /C "icacls %SystemRoot%\system32\ntkrnlpa.exe /grant *S-1-1-0:F"
  2⤵
  PID:2020
- - C:\Windows\system32\icacls.exe
    icacls C:\Windows\system32\ntkrnlpa.exe /grant *S-1-1-0:F
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    PID:2780
- C:\Windows\system32\cmd.exe
  cmd.exe /A /C "ren %SystemRoot%\system32\ntkrnlpa.exe ntkrnlpa.exe.oxvac"
  2⤵
  PID:2812
- C:\Windows\system32\cmd.exe
  cmd.exe /A /C "takeown /f %SystemRoot%\system32\ntoskrnl.exe"
  2⤵
  PID:2640
- - C:\Windows\system32\takeown.exe
    takeown /f C:\Windows\system32\ntoskrnl.exe
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    - Suspicious use of AdjustPrivilegeToken
    PID:2892
- C:\Windows\system32\cmd.exe
  cmd.exe /A /C "icacls %SystemRoot%\system32\ntoskrnl.exe /grant *S-1-1-0:F"
  2⤵
  PID:3024
- - C:\Windows\system32\icacls.exe
    icacls C:\Windows\system32\ntoskrnl.exe /grant *S-1-1-0:F
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    PID:2160
- C:\Windows\system32\cmd.exe
  cmd.exe /A /C "ren %SystemRoot%\system32\ntoskrnl.exe ntoskrnl.exe.oxvac"
  2⤵
  PID:2660
- C:\Windows\system32\cmd.exe
  cmd.exe /A /C "takeown /f %SystemRoot%\system32\Wat\*"
  2⤵
  PID:1548
- - C:\Windows\system32\takeown.exe
    takeown /f C:\Windows\system32\Wat\*
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    PID:2720
- C:\Windows\system32\cmd.exe
  cmd.exe /A /C "icacls %SystemRoot%\system32\Wat\* /grant *S-1-1-0:F"
  2⤵
  PID:2580
- - C:\Windows\system32\icacls.exe
    icacls C:\Windows\system32\Wat\* /grant *S-1-1-0:F
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    PID:2544
- C:\Windows\system32\cmd.exe
  cmd.exe /A /C "rmdir /s /q %ALLUSERSPROFILE%\Microsoft\Windows\RAI 2>NUL>NUL"
  2⤵
  PID:2600
- C:\Windows\system32\cmd.exe
  cmd.exe /A /C "reg delete HKLM\SOFTWARE\HAL7600 /f 2>NUL>NUL"
  2⤵
  PID:2556
- - C:\Windows\system32\reg.exe
    reg delete HKLM\SOFTWARE\HAL7600 /f
    3⤵
    - Modifies registry key
    PID:2692
- C:\Windows\system32\cmd.exe
  cmd.exe /A /C "schtasks.exe /delete /tn \Microsoft\Windows\RAI\RaiTask /f 2>NUL>NUL"
  2⤵
  PID:3004
- - C:\Windows\system32\schtasks.exe
    schtasks.exe /delete /tn \Microsoft\Windows\RAI\RaiTask /f
    3⤵
    PID:2996
- C:\Windows\system32\cmd.exe
  cmd.exe /A /C "icacls %SystemRoot%\servicing\TrustedInstaller.exe /grant *S-1-1-0:F"
  2⤵
  PID:2184
- - C:\Windows\system32\icacls.exe
    icacls C:\Windows\servicing\TrustedInstaller.exe /grant *S-1-1-0:F
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    PID:500
- C:\Windows\system32\cmd.exe
  cmd.exe /A /C "bcdedit.exe -set testsigning off 2>NUL>NUL"
  2⤵
  PID:3012
- - C:\Windows\system32\bcdedit.exe
    bcdedit.exe -set testsigning off
    3⤵
    - Modifies boot configuration data using bcdedit
    PID:784
- C:\Windows\system32\cmd.exe
  cmd.exe /A /C "sc config sppsvc start= delayed-auto 2>NUL>NUL"
  2⤵
  PID:1500
- - C:\Windows\system32\sc.exe
    sc config sppsvc start= delayed-auto
    3⤵
    - Launches sc.exe
    PID:1612
- C:\Windows\system32\cmd.exe
  cmd.exe /A /C "sc config sppuinotify start= demand 2>NUL>NUL"
  2⤵
  PID:1060
- - C:\Windows\system32\sc.exe
    sc config sppuinotify start= demand
    3⤵
    - Launches sc.exe
    PID:1740
- C:\Windows\system32\cmd.exe
  cmd.exe /A /C "net start sppsvc 2>NUL>NUL"
  2⤵
  PID:2828
- - C:\Windows\system32\net.exe
    net start sppsvc
    3⤵
    PID:2852
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 start sppsvc
      4⤵
      PID:2260
- C:\Windows\system32\cmd.exe
  cmd.exe /A /C "net start sppuinotify 2>NUL>NUL"
  2⤵
  PID:948
- - C:\Windows\system32\net.exe
    net start sppuinotify
    3⤵
    PID:1940
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 start sppuinotify
      4⤵
      PID:2412
- C:\Windows\system32\cmd.exe
  cmd.exe /A /C "NET START "Windows Modules Installer" 2>NUL>NUL"
  2⤵
  PID:1408
- - C:\Windows\system32\net.exe
    NET START "Windows Modules Installer"
    3⤵
    PID:2992
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 START "Windows Modules Installer"
      4⤵
      PID:2968
- C:\Windows\System32\sfc.exe
  /scannow
  2⤵
  PID:2876
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /A /C "shutdown -r -t 0"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:328
- - C:\Windows\SysWOW64\shutdown.exe
    shutdown -r -t 0
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:320

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0
1⤵
PID:2192

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x1
1⤵
PID:2416

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

File and Directory Permissions Modification

T1222

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact