f1ec5fe994afb650c98ea558f8260df110ce938423da0a1be5b1f84359c13ee6

Analysis

max time kernel
147s
max time network
148s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
19/08/2024, 22:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

acdf00bc189999d54270c64f59f7ad8d_JaffaCakes118.exe
Size

665KB
MD5

acdf00bc189999d54270c64f59f7ad8d
SHA1

5fda8ba8ae40bd3c7711ff7eba54b1a780f83f3c
SHA256

f1ec5fe994afb650c98ea558f8260df110ce938423da0a1be5b1f84359c13ee6
SHA512

bd104ae410ae7504a19f88ca9ebbcee0c1e7310630f46a07f5f592f5055e6b46477ff53e3ad3f0a8a04f2cbd02014665fa352499edd69468d91371b47e229def
SSDEEP

12288:k1MX89GjRX3rtCqHTNSXoSmDV7QFfb1On4xLIuWV355FXw/+e4wCu+2GV35MwH:6Ms9mRXbnNS/IuWV355FXw/+e4wCu+2W

Score

9^/10

discovery evasion exploit ransomware upx

Malware Config

Signatures

Modifies boot configuration data using bcdedit 1 TTPs 1 IoCs

ransomware evasion

Inhibit System Recovery

T1490

pid	Process
1004	bcdedit.exe

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	acdf00bc189999d54270c64f59f7ad8d_JaffaCakes118.exe

Possible privilege escalation attempt 57 IoCs

exploit

pid	Process
716	takeown.exe
4332	takeown.exe
2024	icacls.exe
528	takeown.exe
3740	icacls.exe
4788	icacls.exe
3116	takeown.exe
2256	icacls.exe
4840	takeown.exe
3236	icacls.exe
2588	icacls.exe
3900	icacls.exe
5024	icacls.exe
4920	icacls.exe
3304	icacls.exe
3880	takeown.exe
4828	takeown.exe
764	takeown.exe
1788	takeown.exe
4292	takeown.exe
5072	icacls.exe
2700	icacls.exe
4360	takeown.exe
3324	icacls.exe
3936	takeown.exe
2308	icacls.exe
3300	takeown.exe
4168	takeown.exe
800	takeown.exe
1812	takeown.exe
1236	takeown.exe
2316	takeown.exe
3608	takeown.exe
3376	takeown.exe
1844	icacls.exe
892	takeown.exe
2944	takeown.exe
4632	icacls.exe
3380	icacls.exe
4388	icacls.exe
4324	icacls.exe
436	takeown.exe
3420	icacls.exe
2864	takeown.exe
4668	takeown.exe
3188	icacls.exe
3960	icacls.exe
3488	takeown.exe
4224	icacls.exe
4144	icacls.exe
1972	takeown.exe
3496	takeown.exe
2712	icacls.exe
920	icacls.exe
4356	icacls.exe
3800	icacls.exe
1548	icacls.exe

Modifies file permissions 1 TTPs 57 IoCs

discovery

File and Directory Permissions Modification

T1222

pid	Process
2588	icacls.exe
3304	icacls.exe
4356	icacls.exe
2316	takeown.exe
3900	icacls.exe
3496	takeown.exe
2024	icacls.exe
920	icacls.exe
3936	takeown.exe
4668	takeown.exe
3236	icacls.exe
2864	takeown.exe
2700	icacls.exe
3188	icacls.exe
3116	takeown.exe
2712	icacls.exe
1236	takeown.exe
4360	takeown.exe
2256	icacls.exe
5024	icacls.exe
3488	takeown.exe
1812	takeown.exe
2944	takeown.exe
4788	icacls.exe
528	takeown.exe
4292	takeown.exe
4920	icacls.exe
5072	icacls.exe
3324	icacls.exe
1844	icacls.exe
3380	icacls.exe
764	takeown.exe
4332	takeown.exe
3800	icacls.exe
800	takeown.exe
4324	icacls.exe
3420	icacls.exe
2308	icacls.exe
4632	icacls.exe
4144	icacls.exe
3300	takeown.exe
3376	takeown.exe
4828	takeown.exe
3740	icacls.exe
4224	icacls.exe
436	takeown.exe
892	takeown.exe
716	takeown.exe
3880	takeown.exe
1788	takeown.exe
1548	icacls.exe
4388	icacls.exe
3960	icacls.exe
4840	takeown.exe
1972	takeown.exe
3608	takeown.exe
4168	takeown.exe

UPX packed file 15 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/4816-0-0x0000000000400000-0x000000000058A000-memory.dmp	upx
behavioral2/memory/4816-18-0x0000000000400000-0x000000000058A000-memory.dmp	upx
behavioral2/memory/4816-20-0x0000000000400000-0x000000000058A000-memory.dmp	upx
behavioral2/memory/4816-22-0x0000000000400000-0x000000000058A000-memory.dmp	upx
behavioral2/memory/4816-24-0x0000000000400000-0x000000000058A000-memory.dmp	upx
behavioral2/memory/4816-26-0x0000000000400000-0x000000000058A000-memory.dmp	upx
behavioral2/memory/4816-28-0x0000000000400000-0x000000000058A000-memory.dmp	upx
behavioral2/memory/4816-30-0x0000000000400000-0x000000000058A000-memory.dmp	upx
behavioral2/memory/4816-32-0x0000000000400000-0x000000000058A000-memory.dmp	upx
behavioral2/memory/4816-34-0x0000000000400000-0x000000000058A000-memory.dmp	upx
behavioral2/memory/4816-36-0x0000000000400000-0x000000000058A000-memory.dmp	upx
behavioral2/memory/4816-38-0x0000000000400000-0x000000000058A000-memory.dmp	upx
behavioral2/memory/4816-40-0x0000000000400000-0x000000000058A000-memory.dmp	upx
behavioral2/memory/4816-42-0x0000000000400000-0x000000000058A000-memory.dmp	upx
behavioral2/memory/4816-44-0x0000000000400000-0x000000000058A000-memory.dmp	upx

Launches sc.exe 2 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
3440	sc.exe
2588	sc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	acdf00bc189999d54270c64f59f7ad8d_JaffaCakes118.exe

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.VBS	acdf00bc189999d54270c64f59f7ad8d_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.vbs\ = "VBSFile"	acdf00bc189999d54270c64f59f7ad8d_JaffaCakes118.exe

Modifies registry key 1 TTPs 1 IoCs

Modify Registry

T1112

pid	Process
1600	reg.exe

Runs net.exe

Suspicious use of AdjustPrivilegeToken 26 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	436	takeown.exe
Token: SeTakeOwnershipPrivilege	3376	takeown.exe
Token: SeTakeOwnershipPrivilege	4828	takeown.exe
Token: SeTakeOwnershipPrivilege	4840	takeown.exe
Token: SeTakeOwnershipPrivilege	528	takeown.exe
Token: SeTakeOwnershipPrivilege	4292	takeown.exe
Token: SeTakeOwnershipPrivilege	3488	takeown.exe
Token: SeTakeOwnershipPrivilege	1812	takeown.exe
Token: SeTakeOwnershipPrivilege	2944	takeown.exe
Token: SeTakeOwnershipPrivilege	1236	takeown.exe
Token: SeTakeOwnershipPrivilege	3936	takeown.exe
Token: SeTakeOwnershipPrivilege	1972	takeown.exe
Token: SeTakeOwnershipPrivilege	764	takeown.exe
Token: SeTakeOwnershipPrivilege	3300	takeown.exe
Token: SeTakeOwnershipPrivilege	2864	takeown.exe
Token: SeTakeOwnershipPrivilege	4168	takeown.exe
Token: SeTakeOwnershipPrivilege	3608	takeown.exe
Token: SeTakeOwnershipPrivilege	4668	takeown.exe
Token: SeTakeOwnershipPrivilege	3116	takeown.exe
Token: SeTakeOwnershipPrivilege	4360	takeown.exe
Token: SeTakeOwnershipPrivilege	892	takeown.exe
Token: SeTakeOwnershipPrivilege	800	takeown.exe
Token: SeTakeOwnershipPrivilege	3880	takeown.exe
Token: SeTakeOwnershipPrivilege	1788	takeown.exe
Token: SeTakeOwnershipPrivilege	3496	takeown.exe
Token: SeTakeOwnershipPrivilege	4332	takeown.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4816 wrote to memory of 4928	4816	acdf00bc189999d54270c64f59f7ad8d_JaffaCakes118.exe	84
PID 4816 wrote to memory of 4928	4816	acdf00bc189999d54270c64f59f7ad8d_JaffaCakes118.exe	84
PID 4816 wrote to memory of 1128	4816	acdf00bc189999d54270c64f59f7ad8d_JaffaCakes118.exe	85
PID 4816 wrote to memory of 1128	4816	acdf00bc189999d54270c64f59f7ad8d_JaffaCakes118.exe	85
PID 4816 wrote to memory of 1408	4816	acdf00bc189999d54270c64f59f7ad8d_JaffaCakes118.exe	86
PID 4816 wrote to memory of 1408	4816	acdf00bc189999d54270c64f59f7ad8d_JaffaCakes118.exe	86
PID 1408 wrote to memory of 940	1408	cmd.exe	87
PID 1408 wrote to memory of 940	1408	cmd.exe	87
PID 4816 wrote to memory of 3796	4816	acdf00bc189999d54270c64f59f7ad8d_JaffaCakes118.exe	98
PID 4816 wrote to memory of 3796	4816	acdf00bc189999d54270c64f59f7ad8d_JaffaCakes118.exe	98
PID 3796 wrote to memory of 880	3796	cmd.exe	99
PID 3796 wrote to memory of 880	3796	cmd.exe	99
PID 880 wrote to memory of 1192	880	net.exe	100
PID 880 wrote to memory of 1192	880	net.exe	100
PID 4816 wrote to memory of 3148	4816	acdf00bc189999d54270c64f59f7ad8d_JaffaCakes118.exe	104
PID 4816 wrote to memory of 3148	4816	acdf00bc189999d54270c64f59f7ad8d_JaffaCakes118.exe	104
PID 3148 wrote to memory of 2384	3148	cmd.exe	105
PID 3148 wrote to memory of 2384	3148	cmd.exe	105
PID 2384 wrote to memory of 2264	2384	net.exe	106
PID 2384 wrote to memory of 2264	2384	net.exe	106
PID 4816 wrote to memory of 3468	4816	acdf00bc189999d54270c64f59f7ad8d_JaffaCakes118.exe	107
PID 4816 wrote to memory of 3468	4816	acdf00bc189999d54270c64f59f7ad8d_JaffaCakes118.exe	107
PID 3468 wrote to memory of 436	3468	cmd.exe	108
PID 3468 wrote to memory of 436	3468	cmd.exe	108
PID 4816 wrote to memory of 2648	4816	acdf00bc189999d54270c64f59f7ad8d_JaffaCakes118.exe	109
PID 4816 wrote to memory of 2648	4816	acdf00bc189999d54270c64f59f7ad8d_JaffaCakes118.exe	109
PID 2648 wrote to memory of 3960	2648	cmd.exe	110
PID 2648 wrote to memory of 3960	2648	cmd.exe	110
PID 4816 wrote to memory of 4832	4816	acdf00bc189999d54270c64f59f7ad8d_JaffaCakes118.exe	111
PID 4816 wrote to memory of 4832	4816	acdf00bc189999d54270c64f59f7ad8d_JaffaCakes118.exe	111
PID 4816 wrote to memory of 4884	4816	acdf00bc189999d54270c64f59f7ad8d_JaffaCakes118.exe	112
PID 4816 wrote to memory of 4884	4816	acdf00bc189999d54270c64f59f7ad8d_JaffaCakes118.exe	112
PID 4884 wrote to memory of 3376	4884	cmd.exe	113
PID 4884 wrote to memory of 3376	4884	cmd.exe	113
PID 4816 wrote to memory of 1096	4816	acdf00bc189999d54270c64f59f7ad8d_JaffaCakes118.exe	114
PID 4816 wrote to memory of 1096	4816	acdf00bc189999d54270c64f59f7ad8d_JaffaCakes118.exe	114
PID 1096 wrote to memory of 2712	1096	cmd.exe	115
PID 1096 wrote to memory of 2712	1096	cmd.exe	115
PID 4816 wrote to memory of 3928	4816	acdf00bc189999d54270c64f59f7ad8d_JaffaCakes118.exe	116
PID 4816 wrote to memory of 3928	4816	acdf00bc189999d54270c64f59f7ad8d_JaffaCakes118.exe	116
PID 4816 wrote to memory of 2184	4816	acdf00bc189999d54270c64f59f7ad8d_JaffaCakes118.exe	117
PID 4816 wrote to memory of 2184	4816	acdf00bc189999d54270c64f59f7ad8d_JaffaCakes118.exe	117
PID 2184 wrote to memory of 4828	2184	cmd.exe	118
PID 2184 wrote to memory of 4828	2184	cmd.exe	118
PID 4816 wrote to memory of 4436	4816	acdf00bc189999d54270c64f59f7ad8d_JaffaCakes118.exe	119
PID 4816 wrote to memory of 4436	4816	acdf00bc189999d54270c64f59f7ad8d_JaffaCakes118.exe	119
PID 4436 wrote to memory of 2588	4436	cmd.exe	120
PID 4436 wrote to memory of 2588	4436	cmd.exe	120
PID 4816 wrote to memory of 1144	4816	acdf00bc189999d54270c64f59f7ad8d_JaffaCakes118.exe	121
PID 4816 wrote to memory of 1144	4816	acdf00bc189999d54270c64f59f7ad8d_JaffaCakes118.exe	121
PID 4816 wrote to memory of 2312	4816	acdf00bc189999d54270c64f59f7ad8d_JaffaCakes118.exe	122
PID 4816 wrote to memory of 2312	4816	acdf00bc189999d54270c64f59f7ad8d_JaffaCakes118.exe	122
PID 2312 wrote to memory of 4840	2312	cmd.exe	123
PID 2312 wrote to memory of 4840	2312	cmd.exe	123
PID 4816 wrote to memory of 2748	4816	acdf00bc189999d54270c64f59f7ad8d_JaffaCakes118.exe	124
PID 4816 wrote to memory of 2748	4816	acdf00bc189999d54270c64f59f7ad8d_JaffaCakes118.exe	124
PID 2748 wrote to memory of 920	2748	cmd.exe	125
PID 2748 wrote to memory of 920	2748	cmd.exe	125
PID 4816 wrote to memory of 1060	4816	acdf00bc189999d54270c64f59f7ad8d_JaffaCakes118.exe	126
PID 4816 wrote to memory of 1060	4816	acdf00bc189999d54270c64f59f7ad8d_JaffaCakes118.exe	126
PID 4816 wrote to memory of 3060	4816	acdf00bc189999d54270c64f59f7ad8d_JaffaCakes118.exe	127
PID 4816 wrote to memory of 3060	4816	acdf00bc189999d54270c64f59f7ad8d_JaffaCakes118.exe	127
PID 3060 wrote to memory of 528	3060	cmd.exe	128
PID 3060 wrote to memory of 528	3060	cmd.exe	128

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\acdf00bc189999d54270c64f59f7ad8d_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\acdf00bc189999d54270c64f59f7ad8d_JaffaCakes118.exe"
1⤵
- Drops file in Drivers directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4816
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe /A /C "ren %SystemRoot%\system32\slmgr.vbs.removewat slmgr.vbs 2>NUL>NUL"
  2⤵
  PID:4928
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe /A /C "ren %SystemRoot%\SysWOW64\slmgr.vbs.removewat slmgr.vbs 2>NUL>NUL"
  2⤵
  PID:1128
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe /A /C "cscript.exe //nologo %SystemRoot%\SysWOW64\slmgr.vbs -rilc 2>NUL>NUL"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1408
- - C:\Windows\system32\cscript.exe
    cscript.exe //nologo C:\Windows\SysWOW64\slmgr.vbs -rilc
    3⤵
    PID:940
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe /A /C "net stop sppsvc 2>NUL>NUL"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3796
- - C:\Windows\system32\net.exe
    net stop sppsvc
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:880
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop sppsvc
      4⤵
      PID:1192
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe /A /C "net stop sppuinotify 2>NUL>NUL"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3148
- - C:\Windows\system32\net.exe
    net stop sppuinotify
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2384
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop sppuinotify
      4⤵
      PID:2264
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe /A /C "takeown /f %SystemRoot%\SysWOW64\slmgr.vbs"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3468
- - C:\Windows\system32\takeown.exe
    takeown /f C:\Windows\SysWOW64\slmgr.vbs
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    - Suspicious use of AdjustPrivilegeToken
    PID:436
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe /A /C "icacls %SystemRoot%\SysWOW64\slmgr.vbs /grant *S-1-1-0:F"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2648
- - C:\Windows\system32\icacls.exe
    icacls C:\Windows\SysWOW64\slmgr.vbs /grant *S-1-1-0:F
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    PID:3960
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe /A /C "ren %SystemRoot%\SysWOW64\slmgr.vbs slmgr.vbs.ksbuq"
  2⤵
  PID:4832
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe /A /C "takeown /f %SystemRoot%\SysWOW64\user32.dll"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4884
- - C:\Windows\system32\takeown.exe
    takeown /f C:\Windows\SysWOW64\user32.dll
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    - Suspicious use of AdjustPrivilegeToken
    PID:3376
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe /A /C "icacls %SystemRoot%\SysWOW64\user32.dll /grant *S-1-1-0:F"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1096
- - C:\Windows\system32\icacls.exe
    icacls C:\Windows\SysWOW64\user32.dll /grant *S-1-1-0:F
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    PID:2712
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe /A /C "ren %SystemRoot%\SysWOW64\user32.dll user32.dll.ksbuq"
  2⤵
  PID:3928
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe /A /C "takeown /f %SystemRoot%\SysWOW64\slwga.dll"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2184
- - C:\Windows\system32\takeown.exe
    takeown /f C:\Windows\SysWOW64\slwga.dll
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    - Suspicious use of AdjustPrivilegeToken
    PID:4828
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe /A /C "icacls %SystemRoot%\SysWOW64\slwga.dll /grant *S-1-1-0:F"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4436
- - C:\Windows\system32\icacls.exe
    icacls C:\Windows\SysWOW64\slwga.dll /grant *S-1-1-0:F
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    PID:2588
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe /A /C "ren %SystemRoot%\SysWOW64\slwga.dll slwga.dll.ksbuq"
  2⤵
  PID:1144
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe /A /C "takeown /f %SystemRoot%\SysWOW64\sppcomapi.dll"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2312
- - C:\Windows\system32\takeown.exe
    takeown /f C:\Windows\SysWOW64\sppcomapi.dll
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    - Suspicious use of AdjustPrivilegeToken
    PID:4840
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe /A /C "icacls %SystemRoot%\SysWOW64\sppcomapi.dll /grant *S-1-1-0:F"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2748
- - C:\Windows\system32\icacls.exe
    icacls C:\Windows\SysWOW64\sppcomapi.dll /grant *S-1-1-0:F
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    PID:920
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe /A /C "ren %SystemRoot%\SysWOW64\sppcomapi.dll sppcomapi.dll.ksbuq"
  2⤵
  PID:1060
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe /A /C "takeown /f %SystemRoot%\SysWOW64\sppcommdlg.dll"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3060
- - C:\Windows\system32\takeown.exe
    takeown /f C:\Windows\SysWOW64\sppcommdlg.dll
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    - Suspicious use of AdjustPrivilegeToken
    PID:528
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe /A /C "icacls %SystemRoot%\SysWOW64\sppcommdlg.dll /grant *S-1-1-0:F"
  2⤵
  PID:1936
- - C:\Windows\system32\icacls.exe
    icacls C:\Windows\SysWOW64\sppcommdlg.dll /grant *S-1-1-0:F
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    PID:3420
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe /A /C "ren %SystemRoot%\SysWOW64\sppcommdlg.dll sppcommdlg.dll.ksbuq"
  2⤵
  PID:3228
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe /A /C "takeown /f %SystemRoot%\SysWOW64\sppuinotify.dll"
  2⤵
  PID:4888
- - C:\Windows\system32\takeown.exe
    takeown /f C:\Windows\SysWOW64\sppuinotify.dll
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    - Suspicious use of AdjustPrivilegeToken
    PID:4292
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe /A /C "icacls %SystemRoot%\SysWOW64\sppuinotify.dll /grant *S-1-1-0:F"
  2⤵
  PID:4964
- - C:\Windows\system32\icacls.exe
    icacls C:\Windows\SysWOW64\sppuinotify.dll /grant *S-1-1-0:F
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    PID:4356
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe /A /C "ren %SystemRoot%\SysWOW64\sppuinotify.dll sppuinotify.dll.ksbuq"
  2⤵
  PID:3584
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe /A /C "takeown /f %SystemRoot%\SysWOW64\sppwmi.dll"
  2⤵
  PID:1996
- - C:\Windows\system32\takeown.exe
    takeown /f C:\Windows\SysWOW64\sppwmi.dll
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    - Suspicious use of AdjustPrivilegeToken
    PID:3488
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe /A /C "icacls %SystemRoot%\SysWOW64\sppwmi.dll /grant *S-1-1-0:F"
  2⤵
  PID:540
- - C:\Windows\system32\icacls.exe
    icacls C:\Windows\SysWOW64\sppwmi.dll /grant *S-1-1-0:F
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    PID:3740
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe /A /C "ren %SystemRoot%\SysWOW64\sppwmi.dll sppwmi.dll.ksbuq"
  2⤵
  PID:2756
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe /A /C "takeown /f %SystemRoot%\SysWOW64\systemcpl.dll"
  2⤵
  PID:2664
- - C:\Windows\system32\takeown.exe
    takeown /f C:\Windows\SysWOW64\systemcpl.dll
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    - Suspicious use of AdjustPrivilegeToken
    PID:1812
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe /A /C "icacls %SystemRoot%\SysWOW64\systemcpl.dll /grant *S-1-1-0:F"
  2⤵
  PID:3964
- - C:\Windows\system32\icacls.exe
    icacls C:\Windows\SysWOW64\systemcpl.dll /grant *S-1-1-0:F
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    PID:3324
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe /A /C "ren %SystemRoot%\SysWOW64\systemcpl.dll systemcpl.dll.ksbuq"
  2⤵
  PID:3580
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe /A /C "takeown /f %SystemRoot%\SysWOW64\winlogon.exe"
  2⤵
  PID:4348
- - C:\Windows\system32\takeown.exe
    takeown /f C:\Windows\SysWOW64\winlogon.exe
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    - Suspicious use of AdjustPrivilegeToken
    PID:2944
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe /A /C "icacls %SystemRoot%\SysWOW64\winlogon.exe /grant *S-1-1-0:F"
  2⤵
  PID:1028
- - C:\Windows\system32\icacls.exe
    icacls C:\Windows\SysWOW64\winlogon.exe /grant *S-1-1-0:F
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    PID:4224
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe /A /C "ren %SystemRoot%\SysWOW64\winlogon.exe winlogon.exe.ksbuq"
  2⤵
  PID:4480
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe /A /C "takeown /f %SystemRoot%\SysWOW64\winver.exe"
  2⤵
  PID:4896
- - C:\Windows\system32\takeown.exe
    takeown /f C:\Windows\SysWOW64\winver.exe
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    - Suspicious use of AdjustPrivilegeToken
    PID:1236
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe /A /C "icacls %SystemRoot%\SysWOW64\winver.exe /grant *S-1-1-0:F"
  2⤵
  PID:824
- - C:\Windows\system32\icacls.exe
    icacls C:\Windows\SysWOW64\winver.exe /grant *S-1-1-0:F
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    PID:4144
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe /A /C "ren %SystemRoot%\SysWOW64\winver.exe winver.exe.ksbuq"
  2⤵
  PID:5044
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe /A /C "takeown /f %SystemRoot%\SysWOW64\slui.exe"
  2⤵
  PID:4312
- - C:\Windows\system32\takeown.exe
    takeown /f C:\Windows\SysWOW64\slui.exe
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    - Suspicious use of AdjustPrivilegeToken
    PID:3936
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe /A /C "icacls %SystemRoot%\SysWOW64\slui.exe /grant *S-1-1-0:F"
  2⤵
  PID:4772
- - C:\Windows\system32\icacls.exe
    icacls C:\Windows\SysWOW64\slui.exe /grant *S-1-1-0:F
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    PID:2308
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe /A /C "ren %SystemRoot%\SysWOW64\slui.exe slui.exe.ksbuq"
  2⤵
  PID:4672
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe /A /C "takeown /f %SystemRoot%\SysWOW64\ntkrnlpa.exe"
  2⤵
  PID:1408
- - C:\Windows\system32\takeown.exe
    takeown /f C:\Windows\SysWOW64\ntkrnlpa.exe
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    - Suspicious use of AdjustPrivilegeToken
    PID:1972
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe /A /C "icacls %SystemRoot%\SysWOW64\ntkrnlpa.exe /grant *S-1-1-0:F"
  2⤵
  PID:2280
- - C:\Windows\system32\icacls.exe
    icacls C:\Windows\SysWOW64\ntkrnlpa.exe /grant *S-1-1-0:F
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    PID:4788
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe /A /C "ren %SystemRoot%\SysWOW64\ntkrnlpa.exe ntkrnlpa.exe.ksbuq"
  2⤵
  PID:2268
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe /A /C "takeown /f %SystemRoot%\SysWOW64\ntoskrnl.exe"
  2⤵
  PID:4776
- - C:\Windows\system32\takeown.exe
    takeown /f C:\Windows\SysWOW64\ntoskrnl.exe
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    - Suspicious use of AdjustPrivilegeToken
    PID:764
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe /A /C "icacls %SystemRoot%\SysWOW64\ntoskrnl.exe /grant *S-1-1-0:F"
  2⤵
  PID:368
- - C:\Windows\system32\icacls.exe
    icacls C:\Windows\SysWOW64\ntoskrnl.exe /grant *S-1-1-0:F
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    PID:4632
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe /A /C "ren %SystemRoot%\SysWOW64\ntoskrnl.exe ntoskrnl.exe.ksbuq"
  2⤵
  PID:3756
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe /A /C "takeown /f %SystemRoot%\SysWOW64\Wat\*"
  2⤵
  PID:1796
- - C:\Windows\system32\takeown.exe
    takeown /f C:\Windows\SysWOW64\Wat\*
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    PID:2316
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe /A /C "icacls %SystemRoot%\SysWOW64\Wat\* /grant *S-1-1-0:F"
  2⤵
  PID:3736
- - C:\Windows\system32\icacls.exe
    icacls C:\Windows\SysWOW64\Wat\* /grant *S-1-1-0:F
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    PID:1844
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe /A /C "takeown /f %SystemRoot%\system32\slmgr.vbs"
  2⤵
  PID:3840
- - C:\Windows\system32\takeown.exe
    takeown /f C:\Windows\system32\slmgr.vbs
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    - Suspicious use of AdjustPrivilegeToken
    PID:3300
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe /A /C "icacls %SystemRoot%\system32\slmgr.vbs /grant *S-1-1-0:F"
  2⤵
  PID:3468
- - C:\Windows\system32\icacls.exe
    icacls C:\Windows\system32\slmgr.vbs /grant *S-1-1-0:F
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    PID:4920
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe /A /C "ren %SystemRoot%\system32\slmgr.vbs slmgr.vbs.ksbuq"
  2⤵
  PID:2648
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe /A /C "takeown /f %SystemRoot%\system32\user32.dll"
  2⤵
  PID:4832
- - C:\Windows\system32\takeown.exe
    takeown /f C:\Windows\system32\user32.dll
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    - Suspicious use of AdjustPrivilegeToken
    PID:2864
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe /A /C "icacls %SystemRoot%\system32\user32.dll /grant *S-1-1-0:F"
  2⤵
  PID:3376
- - C:\Windows\system32\icacls.exe
    icacls C:\Windows\system32\user32.dll /grant *S-1-1-0:F
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    PID:5072
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe /A /C "ren %SystemRoot%\system32\user32.dll user32.dll.ksbuq"
  2⤵
  PID:1096
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe /A /C "takeown /f %SystemRoot%\system32\slwga.dll"
  2⤵
  PID:2132
- - C:\Windows\system32\takeown.exe
    takeown /f C:\Windows\system32\slwga.dll
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    - Suspicious use of AdjustPrivilegeToken
    PID:4168
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe /A /C "icacls %SystemRoot%\system32\slwga.dll /grant *S-1-1-0:F"
  2⤵
  PID:2184
- - C:\Windows\system32\icacls.exe
    icacls C:\Windows\system32\slwga.dll /grant *S-1-1-0:F
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    PID:3304
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe /A /C "ren %SystemRoot%\system32\slwga.dll slwga.dll.ksbuq"
  2⤵
  PID:4252
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe /A /C "takeown /f %SystemRoot%\system32\sppcomapi.dll"
  2⤵
  PID:2800
- - C:\Windows\system32\takeown.exe
    takeown /f C:\Windows\system32\sppcomapi.dll
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    - Suspicious use of AdjustPrivilegeToken
    PID:3608
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe /A /C "icacls %SystemRoot%\system32\sppcomapi.dll /grant *S-1-1-0:F"
  2⤵
  PID:2512
- - C:\Windows\system32\icacls.exe
    icacls C:\Windows\system32\sppcomapi.dll /grant *S-1-1-0:F
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    PID:2700
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe /A /C "ren %SystemRoot%\system32\sppcomapi.dll sppcomapi.dll.ksbuq"
  2⤵
  PID:3852
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe /A /C "takeown /f %SystemRoot%\system32\sppcommdlg.dll"
  2⤵
  PID:2656
- - C:\Windows\system32\takeown.exe
    takeown /f C:\Windows\system32\sppcommdlg.dll
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    - Suspicious use of AdjustPrivilegeToken
    PID:4668
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe /A /C "icacls %SystemRoot%\system32\sppcommdlg.dll /grant *S-1-1-0:F"
  2⤵
  PID:740
- - C:\Windows\system32\icacls.exe
    icacls C:\Windows\system32\sppcommdlg.dll /grant *S-1-1-0:F
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    PID:3188
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe /A /C "ren %SystemRoot%\system32\sppcommdlg.dll sppcommdlg.dll.ksbuq"
  2⤵
  PID:404
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe /A /C "takeown /f %SystemRoot%\system32\sppuinotify.dll"
  2⤵
  PID:3696
- - C:\Windows\system32\takeown.exe
    takeown /f C:\Windows\system32\sppuinotify.dll
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    - Suspicious use of AdjustPrivilegeToken
    PID:3116
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe /A /C "icacls %SystemRoot%\system32\sppuinotify.dll /grant *S-1-1-0:F"
  2⤵
  PID:4288
- - C:\Windows\system32\icacls.exe
    icacls C:\Windows\system32\sppuinotify.dll /grant *S-1-1-0:F
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    PID:3380
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe /A /C "ren %SystemRoot%\system32\sppuinotify.dll sppuinotify.dll.ksbuq"
  2⤵
  PID:4860
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe /A /C "takeown /f %SystemRoot%\system32\sppwmi.dll"
  2⤵
  PID:4060
- - C:\Windows\system32\takeown.exe
    takeown /f C:\Windows\system32\sppwmi.dll
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    - Suspicious use of AdjustPrivilegeToken
    PID:4360
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe /A /C "icacls %SystemRoot%\system32\sppwmi.dll /grant *S-1-1-0:F"
  2⤵
  PID:1452
- - C:\Windows\system32\icacls.exe
    icacls C:\Windows\system32\sppwmi.dll /grant *S-1-1-0:F
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    PID:3800
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe /A /C "ren %SystemRoot%\system32\sppwmi.dll sppwmi.dll.ksbuq"
  2⤵
  PID:1400
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe /A /C "takeown /f %SystemRoot%\system32\systemcpl.dll"
  2⤵
  PID:3740
- - C:\Windows\system32\takeown.exe
    takeown /f C:\Windows\system32\systemcpl.dll
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    - Suspicious use of AdjustPrivilegeToken
    PID:892
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe /A /C "icacls %SystemRoot%\system32\systemcpl.dll /grant *S-1-1-0:F"
  2⤵
  PID:3364
- - C:\Windows\system32\icacls.exe
    icacls C:\Windows\system32\systemcpl.dll /grant *S-1-1-0:F
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    PID:2256
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe /A /C "ren %SystemRoot%\system32\systemcpl.dll systemcpl.dll.ksbuq"
  2⤵
  PID:2012
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe /A /C "takeown /f %SystemRoot%\system32\winlogon.exe"
  2⤵
  PID:3324
- - C:\Windows\system32\takeown.exe
    takeown /f C:\Windows\system32\winlogon.exe
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    - Suspicious use of AdjustPrivilegeToken
    PID:800
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe /A /C "icacls %SystemRoot%\system32\winlogon.exe /grant *S-1-1-0:F"
  2⤵
  PID:3968
- - C:\Windows\system32\icacls.exe
    icacls C:\Windows\system32\winlogon.exe /grant *S-1-1-0:F
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    PID:3900
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe /A /C "ren %SystemRoot%\system32\winlogon.exe winlogon.exe.ksbuq"
  2⤵
  PID:4812
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe /A /C "takeown /f %SystemRoot%\system32\winver.exe"
  2⤵
  PID:4224
- - C:\Windows\system32\takeown.exe
    takeown /f C:\Windows\system32\winver.exe
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    - Suspicious use of AdjustPrivilegeToken
    PID:3880
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe /A /C "icacls %SystemRoot%\system32\winver.exe /grant *S-1-1-0:F"
  2⤵
  PID:2240
- - C:\Windows\system32\icacls.exe
    icacls C:\Windows\system32\winver.exe /grant *S-1-1-0:F
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    PID:4324
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe /A /C "ren %SystemRoot%\system32\winver.exe winver.exe.ksbuq"
  2⤵
  PID:824
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe /A /C "takeown /f %SystemRoot%\system32\slui.exe"
  2⤵
  PID:3632
- - C:\Windows\system32\takeown.exe
    takeown /f C:\Windows\system32\slui.exe
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    - Suspicious use of AdjustPrivilegeToken
    PID:1788
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe /A /C "icacls %SystemRoot%\system32\slui.exe /grant *S-1-1-0:F"
  2⤵
  PID:3936
- - C:\Windows\system32\icacls.exe
    icacls C:\Windows\system32\slui.exe /grant *S-1-1-0:F
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    PID:1548
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe /A /C "ren %SystemRoot%\system32\slui.exe slui.exe.ksbuq"
  2⤵
  PID:4772
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe /A /C "takeown /f %SystemRoot%\system32\ntkrnlpa.exe"
  2⤵
  PID:960
- - C:\Windows\system32\takeown.exe
    takeown /f C:\Windows\system32\ntkrnlpa.exe
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    - Suspicious use of AdjustPrivilegeToken
    PID:3496
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe /A /C "icacls %SystemRoot%\system32\ntkrnlpa.exe /grant *S-1-1-0:F"
  2⤵
  PID:2148
- - C:\Windows\system32\icacls.exe
    icacls C:\Windows\system32\ntkrnlpa.exe /grant *S-1-1-0:F
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    PID:3236
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe /A /C "ren %SystemRoot%\system32\ntkrnlpa.exe ntkrnlpa.exe.ksbuq"
  2⤵
  PID:4500
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe /A /C "takeown /f %SystemRoot%\system32\ntoskrnl.exe"
  2⤵
  PID:4520
- - C:\Windows\system32\takeown.exe
    takeown /f C:\Windows\system32\ntoskrnl.exe
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    - Suspicious use of AdjustPrivilegeToken
    PID:4332
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe /A /C "icacls %SystemRoot%\system32\ntoskrnl.exe /grant *S-1-1-0:F"
  2⤵
  PID:2976
- - C:\Windows\system32\icacls.exe
    icacls C:\Windows\system32\ntoskrnl.exe /grant *S-1-1-0:F
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    PID:2024
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe /A /C "ren %SystemRoot%\system32\ntoskrnl.exe ntoskrnl.exe.ksbuq"
  2⤵
  PID:4632
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe /A /C "takeown /f %SystemRoot%\system32\Wat\*"
  2⤵
  PID:4740
- - C:\Windows\system32\takeown.exe
    takeown /f C:\Windows\system32\Wat\*
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    PID:716
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe /A /C "icacls %SystemRoot%\system32\Wat\* /grant *S-1-1-0:F"
  2⤵
  PID:2264
- - C:\Windows\system32\icacls.exe
    icacls C:\Windows\system32\Wat\* /grant *S-1-1-0:F
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    PID:4388
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe /A /C "rmdir /s /q %ALLUSERSPROFILE%\Microsoft\Windows\RAI 2>NUL>NUL"
  2⤵
  PID:1368
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe /A /C "reg delete HKLM\SOFTWARE\HAL7600 /f 2>NUL>NUL"
  2⤵
  PID:2596
- - C:\Windows\system32\reg.exe
    reg delete HKLM\SOFTWARE\HAL7600 /f
    3⤵
    - Modifies registry key
    PID:1600
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe /A /C "schtasks.exe /delete /tn \Microsoft\Windows\RAI\RaiTask /f 2>NUL>NUL"
  2⤵
  PID:2880
- - C:\Windows\system32\schtasks.exe
    schtasks.exe /delete /tn \Microsoft\Windows\RAI\RaiTask /f
    3⤵
    PID:736
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe /A /C "icacls %SystemRoot%\servicing\TrustedInstaller.exe /grant *S-1-1-0:F"
  2⤵
  PID:2304
- - C:\Windows\system32\icacls.exe
    icacls C:\Windows\servicing\TrustedInstaller.exe /grant *S-1-1-0:F
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    PID:5024
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe /A /C "bcdedit.exe -set testsigning off 2>NUL>NUL"
  2⤵
  PID:4368
- - C:\Windows\system32\bcdedit.exe
    bcdedit.exe -set testsigning off
    3⤵
    - Modifies boot configuration data using bcdedit
    PID:1004
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe /A /C "sc config sppsvc start= delayed-auto 2>NUL>NUL"
  2⤵
  PID:804
- - C:\Windows\system32\sc.exe
    sc config sppsvc start= delayed-auto
    3⤵
    - Launches sc.exe
    PID:3440
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe /A /C "sc config sppuinotify start= demand 2>NUL>NUL"
  2⤵
  PID:2236
- - C:\Windows\system32\sc.exe
    sc config sppuinotify start= demand
    3⤵
    - Launches sc.exe
    PID:2588
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe /A /C "net start sppsvc 2>NUL>NUL"
  2⤵
  PID:2888
- - C:\Windows\system32\net.exe
    net start sppsvc
    3⤵
    PID:3304
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 start sppsvc
      4⤵
      PID:4252
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe /A /C "net start sppuinotify 2>NUL>NUL"
  2⤵
  PID:4828
- - C:\Windows\system32\net.exe
    net start sppuinotify
    3⤵
    PID:1532
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 start sppuinotify
      4⤵
      PID:2312
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe /A /C "NET START "Windows Modules Installer" 2>NUL>NUL"
  2⤵
  PID:920
- - C:\Windows\system32\net.exe
    NET START "Windows Modules Installer"
    3⤵
    PID:5008
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 START "Windows Modules Installer"
      4⤵
      PID:4532
- C:\Windows\System32\sfc.exe
  /scannow
  2⤵
  PID:3524

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

File and Directory Permissions Modification

T1222

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact