Analysis
-
max time kernel
194s -
max time network
196s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-de -
resource tags
arch:x64arch:x86image:win10v2004-20241007-delocale:de-deos:windows10-2004-x64systemwindows -
submitted
31-10-2024 22:05
Static task
static1
Errors
General
-
Target
DestroyPC.bat
-
Size
789B
-
MD5
20ac4390231d09f9a9068c203017b8df
-
SHA1
80d0108e7b47b6da0cb83c8b5b880258f4ab65df
-
SHA256
d1e298f4bf182646fa679f4145f4764d931a0140fc87ec2fb01d05e8f36adc33
-
SHA512
a2aa53aceb7e9d9c8ee711e9b7a96f44d0661fd70f701d9f420de95d886b9d203571da9860d300f4076747ac9420341f21f7b3ba6073080f0f2be743d80beb59
Malware Config
Signatures
-
Possible privilege escalation attempt 48 IoCs
pid Process 840 icacls.exe 2160 takeown.exe 1488 takeown.exe 2516 icacls.exe 2160 takeown.exe 3372 icacls.exe 3096 takeown.exe 1528 icacls.exe 948 icacls.exe 3992 takeown.exe 4492 icacls.exe 2816 takeown.exe 3628 icacls.exe 4788 icacls.exe 1648 icacls.exe 2428 takeown.exe 1232 icacls.exe 3764 takeown.exe 3920 icacls.exe 1636 icacls.exe 1748 takeown.exe 3024 icacls.exe 1540 takeown.exe 4516 takeown.exe 1340 takeown.exe 1368 icacls.exe 2220 takeown.exe 2720 takeown.exe 2476 takeown.exe 3208 takeown.exe 4360 icacls.exe 1344 takeown.exe 1068 takeown.exe 3964 icacls.exe 4512 takeown.exe 1852 icacls.exe 948 takeown.exe 3208 icacls.exe 1212 icacls.exe 1408 takeown.exe 4480 icacls.exe 2996 takeown.exe 1536 icacls.exe 1892 takeown.exe 2800 takeown.exe 968 icacls.exe 4644 icacls.exe 4184 icacls.exe -
Modifies file permissions 1 TTPs 48 IoCs
pid Process 1212 icacls.exe 3628 icacls.exe 968 icacls.exe 1340 takeown.exe 1408 takeown.exe 4480 icacls.exe 1068 takeown.exe 4788 icacls.exe 2996 takeown.exe 3024 icacls.exe 948 takeown.exe 1528 icacls.exe 1232 icacls.exe 1368 icacls.exe 1636 icacls.exe 2720 takeown.exe 1892 takeown.exe 4512 takeown.exe 2428 takeown.exe 3920 icacls.exe 2516 icacls.exe 3372 icacls.exe 4492 icacls.exe 1536 icacls.exe 2800 takeown.exe 1852 icacls.exe 2816 takeown.exe 2476 takeown.exe 4644 icacls.exe 2220 takeown.exe 1540 takeown.exe 3764 takeown.exe 4184 icacls.exe 3992 takeown.exe 3096 takeown.exe 840 icacls.exe 3208 takeown.exe 1648 icacls.exe 3208 icacls.exe 2160 takeown.exe 1344 takeown.exe 1488 takeown.exe 2160 takeown.exe 4516 takeown.exe 3964 icacls.exe 4360 icacls.exe 948 icacls.exe 1748 takeown.exe -
Enumerates connected drives 3 TTPs 12 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description ioc Process File opened (read-only) \??\Z: takeown.exe File opened (read-only) \??\Z: takeown.exe File opened (read-only) \??\Z: takeown.exe File opened (read-only) \??\Z: takeown.exe File opened (read-only) \??\Z: takeown.exe File opened (read-only) \??\Z: takeown.exe File opened (read-only) \??\Z: takeown.exe File opened (read-only) \??\Z: takeown.exe File opened (read-only) \??\Z: takeown.exe File opened (read-only) \??\Z: takeown.exe File opened (read-only) \??\Z: takeown.exe File opened (read-only) \??\Z: takeown.exe -
Drops file in Windows directory 1 IoCs
description ioc Process File opened for modification C:\Windows\INF\display.PNF chrome.exe -
Checks SCSI registry key(s) 3 TTPs 4 IoCs
SCSI information is often read in order to detect sandboxing environments.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000 vds.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName vds.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_WDC&PROD_WDS100T2B0A\4&215468A5&0&000000 vds.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName vds.exe -
Enumerates system info in registry 2 TTPs 3 IoCs
description ioc Process Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS chrome.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName chrome.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer chrome.exe -
Opens file in notepad (likely ransom note) 3 IoCs
pid Process 4112 NOTEPAD.EXE 1648 NOTEPAD.EXE 3096 NOTEPAD.EXE -
Suspicious behavior: EnumeratesProcesses 6 IoCs
pid Process 1772 chrome.exe 1772 chrome.exe 5012 chrome.exe 5012 chrome.exe 5012 chrome.exe 5012 chrome.exe -
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 4 IoCs
pid Process 1772 chrome.exe 1772 chrome.exe 1772 chrome.exe 1772 chrome.exe -
Suspicious use of AdjustPrivilegeToken 64 IoCs
description pid Process Token: SeTakeOwnershipPrivilege 2160 takeown.exe Token: SeTakeOwnershipPrivilege 2220 takeown.exe Token: SeShutdownPrivilege 1772 chrome.exe Token: SeCreatePagefilePrivilege 1772 chrome.exe Token: SeShutdownPrivilege 1772 chrome.exe Token: SeCreatePagefilePrivilege 1772 chrome.exe Token: SeShutdownPrivilege 1772 chrome.exe Token: SeCreatePagefilePrivilege 1772 chrome.exe Token: SeShutdownPrivilege 1772 chrome.exe Token: SeCreatePagefilePrivilege 1772 chrome.exe Token: SeShutdownPrivilege 1772 chrome.exe Token: SeCreatePagefilePrivilege 1772 chrome.exe Token: SeShutdownPrivilege 1772 chrome.exe Token: SeCreatePagefilePrivilege 1772 chrome.exe Token: SeShutdownPrivilege 1772 chrome.exe Token: SeCreatePagefilePrivilege 1772 chrome.exe Token: SeShutdownPrivilege 1772 chrome.exe Token: SeCreatePagefilePrivilege 1772 chrome.exe Token: SeShutdownPrivilege 1772 chrome.exe Token: SeCreatePagefilePrivilege 1772 chrome.exe Token: SeShutdownPrivilege 1772 chrome.exe Token: SeCreatePagefilePrivilege 1772 chrome.exe Token: SeShutdownPrivilege 1772 chrome.exe Token: SeCreatePagefilePrivilege 1772 chrome.exe Token: SeShutdownPrivilege 1772 chrome.exe Token: SeCreatePagefilePrivilege 1772 chrome.exe Token: SeShutdownPrivilege 1772 chrome.exe Token: SeCreatePagefilePrivilege 1772 chrome.exe Token: SeShutdownPrivilege 1772 chrome.exe Token: SeCreatePagefilePrivilege 1772 chrome.exe Token: SeShutdownPrivilege 1772 chrome.exe Token: SeCreatePagefilePrivilege 1772 chrome.exe Token: SeShutdownPrivilege 1772 chrome.exe Token: SeCreatePagefilePrivilege 1772 chrome.exe Token: SeShutdownPrivilege 1772 chrome.exe Token: SeCreatePagefilePrivilege 1772 chrome.exe Token: SeShutdownPrivilege 1772 chrome.exe Token: SeCreatePagefilePrivilege 1772 chrome.exe Token: SeShutdownPrivilege 1772 chrome.exe Token: SeCreatePagefilePrivilege 1772 chrome.exe Token: SeShutdownPrivilege 1772 chrome.exe Token: SeCreatePagefilePrivilege 1772 chrome.exe Token: SeShutdownPrivilege 1772 chrome.exe Token: SeCreatePagefilePrivilege 1772 chrome.exe Token: SeShutdownPrivilege 1772 chrome.exe Token: SeCreatePagefilePrivilege 1772 chrome.exe Token: SeShutdownPrivilege 1772 chrome.exe Token: SeCreatePagefilePrivilege 1772 chrome.exe Token: SeShutdownPrivilege 1772 chrome.exe Token: SeCreatePagefilePrivilege 1772 chrome.exe Token: SeShutdownPrivilege 1772 chrome.exe Token: SeCreatePagefilePrivilege 1772 chrome.exe Token: SeShutdownPrivilege 1772 chrome.exe Token: SeCreatePagefilePrivilege 1772 chrome.exe Token: SeShutdownPrivilege 1772 chrome.exe Token: SeCreatePagefilePrivilege 1772 chrome.exe Token: SeShutdownPrivilege 1772 chrome.exe Token: SeCreatePagefilePrivilege 1772 chrome.exe Token: SeShutdownPrivilege 1772 chrome.exe Token: SeCreatePagefilePrivilege 1772 chrome.exe Token: SeShutdownPrivilege 1772 chrome.exe Token: SeCreatePagefilePrivilege 1772 chrome.exe Token: SeShutdownPrivilege 1772 chrome.exe Token: SeCreatePagefilePrivilege 1772 chrome.exe -
Suspicious use of FindShellTrayWindow 27 IoCs
pid Process 1772 chrome.exe 1772 chrome.exe 1772 chrome.exe 1772 chrome.exe 1772 chrome.exe 1772 chrome.exe 1772 chrome.exe 1772 chrome.exe 1772 chrome.exe 1772 chrome.exe 1772 chrome.exe 1772 chrome.exe 1772 chrome.exe 1772 chrome.exe 1772 chrome.exe 1772 chrome.exe 1772 chrome.exe 1772 chrome.exe 1772 chrome.exe 1772 chrome.exe 1772 chrome.exe 1772 chrome.exe 1772 chrome.exe 1772 chrome.exe 1772 chrome.exe 1772 chrome.exe 4112 NOTEPAD.EXE -
Suspicious use of SendNotifyMessage 24 IoCs
pid Process 1772 chrome.exe 1772 chrome.exe 1772 chrome.exe 1772 chrome.exe 1772 chrome.exe 1772 chrome.exe 1772 chrome.exe 1772 chrome.exe 1772 chrome.exe 1772 chrome.exe 1772 chrome.exe 1772 chrome.exe 1772 chrome.exe 1772 chrome.exe 1772 chrome.exe 1772 chrome.exe 1772 chrome.exe 1772 chrome.exe 1772 chrome.exe 1772 chrome.exe 1772 chrome.exe 1772 chrome.exe 1772 chrome.exe 1772 chrome.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 1576 wrote to memory of 2816 1576 cmd.exe 93 PID 1576 wrote to memory of 2816 1576 cmd.exe 93 PID 1576 wrote to memory of 484 1576 cmd.exe 94 PID 1576 wrote to memory of 484 1576 cmd.exe 94 PID 1576 wrote to memory of 2160 1576 cmd.exe 102 PID 1576 wrote to memory of 2160 1576 cmd.exe 102 PID 1576 wrote to memory of 3372 1576 cmd.exe 103 PID 1576 wrote to memory of 3372 1576 cmd.exe 103 PID 1576 wrote to memory of 2220 1576 cmd.exe 104 PID 1576 wrote to memory of 2220 1576 cmd.exe 104 PID 1576 wrote to memory of 1636 1576 cmd.exe 105 PID 1576 wrote to memory of 1636 1576 cmd.exe 105 PID 1576 wrote to memory of 2996 1576 cmd.exe 106 PID 1576 wrote to memory of 2996 1576 cmd.exe 106 PID 1576 wrote to memory of 4788 1576 cmd.exe 107 PID 1576 wrote to memory of 4788 1576 cmd.exe 107 PID 1576 wrote to memory of 1748 1576 cmd.exe 108 PID 1576 wrote to memory of 1748 1576 cmd.exe 108 PID 1576 wrote to memory of 3964 1576 cmd.exe 109 PID 1576 wrote to memory of 3964 1576 cmd.exe 109 PID 1576 wrote to memory of 2720 1576 cmd.exe 110 PID 1576 wrote to memory of 2720 1576 cmd.exe 110 PID 1576 wrote to memory of 4492 1576 cmd.exe 111 PID 1576 wrote to memory of 4492 1576 cmd.exe 111 PID 1576 wrote to memory of 1892 1576 cmd.exe 112 PID 1576 wrote to memory of 1892 1576 cmd.exe 112 PID 1576 wrote to memory of 1536 1576 cmd.exe 113 PID 1576 wrote to memory of 1536 1576 cmd.exe 113 PID 1772 wrote to memory of 2936 1772 chrome.exe 140 PID 1772 wrote to memory of 2936 1772 chrome.exe 140 PID 1772 wrote to memory of 664 1772 chrome.exe 141 PID 1772 wrote to memory of 664 1772 chrome.exe 141 PID 1772 wrote to memory of 664 1772 chrome.exe 141 PID 1772 wrote to memory of 664 1772 chrome.exe 141 PID 1772 wrote to memory of 664 1772 chrome.exe 141 PID 1772 wrote to memory of 664 1772 chrome.exe 141 PID 1772 wrote to memory of 664 1772 chrome.exe 141 PID 1772 wrote to memory of 664 1772 chrome.exe 141 PID 1772 wrote to memory of 664 1772 chrome.exe 141 PID 1772 wrote to memory of 664 1772 chrome.exe 141 PID 1772 wrote to memory of 664 1772 chrome.exe 141 PID 1772 wrote to memory of 664 1772 chrome.exe 141 PID 1772 wrote to memory of 664 1772 chrome.exe 141 PID 1772 wrote to memory of 664 1772 chrome.exe 141 PID 1772 wrote to memory of 664 1772 chrome.exe 141 PID 1772 wrote to memory of 664 1772 chrome.exe 141 PID 1772 wrote to memory of 664 1772 chrome.exe 141 PID 1772 wrote to memory of 664 1772 chrome.exe 141 PID 1772 wrote to memory of 664 1772 chrome.exe 141 PID 1772 wrote to memory of 664 1772 chrome.exe 141 PID 1772 wrote to memory of 664 1772 chrome.exe 141 PID 1772 wrote to memory of 664 1772 chrome.exe 141 PID 1772 wrote to memory of 664 1772 chrome.exe 141 PID 1772 wrote to memory of 664 1772 chrome.exe 141 PID 1772 wrote to memory of 664 1772 chrome.exe 141 PID 1772 wrote to memory of 664 1772 chrome.exe 141 PID 1772 wrote to memory of 664 1772 chrome.exe 141 PID 1772 wrote to memory of 664 1772 chrome.exe 141 PID 1772 wrote to memory of 664 1772 chrome.exe 141 PID 1772 wrote to memory of 664 1772 chrome.exe 141 PID 1772 wrote to memory of 4596 1772 chrome.exe 142 PID 1772 wrote to memory of 4596 1772 chrome.exe 142 PID 1772 wrote to memory of 2968 1772 chrome.exe 143 PID 1772 wrote to memory of 2968 1772 chrome.exe 143
Processes
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\DestroyPC.bat"1⤵
- Suspicious use of WriteProcessMemory
PID:1576 -
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" ( echo select disk 0 & echo list partition & echo select partition 1 & echo assign letter=Z )"2⤵PID:2816
-
-
C:\Windows\system32\diskpart.exediskpart2⤵PID:484
-
-
C:\Windows\system32\takeown.exetakeown /f C:\Windows\System32\LogonUI.exe /a2⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:2160
-
-
C:\Windows\system32\icacls.exeicacls C:\Windows\System32\LogonUI.exe /grant Admin:F2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:3372
-
-
C:\Windows\System32\takeown.exetakeown /F "Z:\bootmgr" /A2⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
PID:2220
-
-
C:\Windows\System32\icacls.exeicacls "\bootmgr" /grant Admin:F2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:1636
-
-
C:\Windows\System32\takeown.exetakeown /F "Z:\BOOTNXT" /A2⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Enumerates connected drives
PID:2996
-
-
C:\Windows\System32\icacls.exeicacls "\BOOTNXT" /grant Admin:F2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:4788
-
-
C:\Windows\System32\takeown.exetakeown /F "Z:\BOOTSECT.BAK" /A2⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Enumerates connected drives
PID:1748
-
-
C:\Windows\System32\icacls.exeicacls "\BOOTSECT.BAK" /grant Admin:F2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:3964
-
-
C:\Windows\System32\takeown.exetakeown /F "Z:\Boot" /A /R /D Y2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:2720
-
-
C:\Windows\System32\icacls.exeicacls "Z:\Boot" /grant Admin:F /T2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:4492
-
-
C:\Windows\System32\takeown.exetakeown /F "Z:\System Volume Information" /A /R /D Y2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:1892
-
-
C:\Windows\System32\icacls.exeicacls "Z:\System Volume Information" /grant Admin:F /T2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:1536
-
-
C:\Windows\System32\vdsldr.exeC:\Windows\System32\vdsldr.exe -Embedding1⤵PID:332
-
C:\Windows\System32\vds.exeC:\Windows\System32\vds.exe1⤵
- Checks SCSI registry key(s)
PID:880
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding1⤵PID:1244
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe"1⤵PID:3564
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe"1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1772 -
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x118,0x11c,0x120,0xf4,0x124,0x7fff99bacc40,0x7fff99bacc4c,0x7fff99bacc582⤵PID:2936
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1816,i,8125945244198132938,1046376200837492638,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=1808 /prefetch:22⤵PID:664
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=1960,i,8125945244198132938,1046376200837492638,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2092 /prefetch:32⤵PID:4596
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2272,i,8125945244198132938,1046376200837492638,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2320 /prefetch:82⤵PID:2968
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3160,i,8125945244198132938,1046376200837492638,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3168 /prefetch:12⤵PID:4016
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3272,i,8125945244198132938,1046376200837492638,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3244 /prefetch:12⤵PID:228
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4548,i,8125945244198132938,1046376200837492638,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4556 /prefetch:12⤵PID:3856
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --field-trial-handle=3784,i,8125945244198132938,1046376200837492638,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3768 /prefetch:12⤵PID:4108
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4680,i,8125945244198132938,1046376200837492638,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4840 /prefetch:82⤵PID:2204
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4960,i,8125945244198132938,1046376200837492638,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4976 /prefetch:82⤵PID:4220
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4956,i,8125945244198132938,1046376200837492638,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4996 /prefetch:82⤵PID:524
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5104,i,8125945244198132938,1046376200837492638,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4884 /prefetch:82⤵PID:2516
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --no-appcompat-clear --gpu-preferences=WAAAAAAAAADoAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAACEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=4004,i,8125945244198132938,1046376200837492638,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4364 /prefetch:82⤵
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
PID:5012
-
-
C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"1⤵PID:2452
-
C:\Windows\System32\NOTEPAD.EXE"C:\Windows\System32\NOTEPAD.EXE" C:\Users\Admin\Desktop\DestroyPC.bat1⤵
- Opens file in notepad (likely ransom note)
PID:3096
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\Desktop\DestroyPC.bat"1⤵PID:2500
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" ( echo select disk 0 & echo list partition & echo select partition 1 & echo assign letter=Z )"2⤵PID:2428
-
-
C:\Windows\system32\diskpart.exediskpart2⤵PID:4324
-
-
C:\Windows\system32\takeown.exetakeown /f C:\Windows\System32\LogonUI.exe /a2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:4512
-
-
C:\Windows\system32\icacls.exeicacls C:\Windows\System32\LogonUI.exe /grant Admin:F2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:840
-
-
C:\Windows\System32\takeown.exetakeown /F "Z:\bootmgr" /A2⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Enumerates connected drives
PID:2800
-
-
C:\Windows\System32\icacls.exeicacls "\bootmgr" /grant Admin:F2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:1852
-
-
C:\Windows\System32\takeown.exetakeown /F "Z:\BOOTNXT" /A2⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Enumerates connected drives
PID:2816
-
-
C:\Windows\System32\icacls.exeicacls "\BOOTNXT" /grant Admin:F2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:968
-
-
C:\Windows\System32\takeown.exetakeown /F "Z:\BOOTSECT.BAK" /A2⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Enumerates connected drives
PID:2476
-
-
C:\Windows\System32\icacls.exeicacls "\BOOTSECT.BAK" /grant Admin:F2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:3024
-
-
C:\Windows\System32\takeown.exetakeown /F "Z:\Boot" /A /R /D Y2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:3208
-
-
C:\Windows\System32\icacls.exeicacls "Z:\Boot" /grant Admin:F /T2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:1648
-
-
C:\Windows\System32\takeown.exetakeown /F "Z:\System Volume Information" /A /R /D Y2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:3096
-
-
C:\Windows\System32\icacls.exeicacls "Z:\System Volume Information" /grant Admin:F /T2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:4644
-
-
C:\Windows\System32\vdsldr.exeC:\Windows\System32\vdsldr.exe -Embedding1⤵PID:2252
-
C:\Windows\System32\NOTEPAD.EXE"C:\Windows\System32\NOTEPAD.EXE" C:\Users\Admin\Desktop\DestroyPC.bat1⤵
- Opens file in notepad (likely ransom note)
- Suspicious use of FindShellTrayWindow
PID:4112
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\Desktop\DestroyPC.bat"1⤵PID:3992
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" ( echo select disk 0 & echo list partition & echo select partition 1 & echo assign letter=Z )"2⤵PID:724
-
-
C:\Windows\system32\diskpart.exediskpart2⤵PID:2464
-
-
C:\Windows\system32\takeown.exetakeown /f C:\Windows\System32\LogonUI.exe /a2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:948
-
-
C:\Windows\system32\icacls.exeicacls C:\Windows\System32\LogonUI.exe /grant Admin:F2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:1528
-
-
C:\Windows\System32\takeown.exetakeown /F "Z:\bootmgr" /A2⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Enumerates connected drives
PID:2428
-
-
C:\Windows\System32\icacls.exeicacls "\bootmgr" /grant Admin:F2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:3208
-
-
C:\Windows\System32\takeown.exetakeown /F "Z:\BOOTNXT" /A2⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Enumerates connected drives
PID:2160
-
-
C:\Windows\System32\icacls.exeicacls "\BOOTNXT" /grant Admin:F2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:3628
-
-
C:\Windows\System32\takeown.exetakeown /F "Z:\BOOTSECT.BAK" /A2⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Enumerates connected drives
PID:1540
-
-
C:\Windows\System32\icacls.exeicacls "\BOOTSECT.BAK" /grant Admin:F2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:1212
-
-
C:\Windows\System32\takeown.exetakeown /F "Z:\Boot" /A /R /D Y2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:4516
-
-
C:\Windows\System32\icacls.exeicacls "Z:\Boot" /grant Admin:F /T2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:1232
-
-
C:\Windows\System32\takeown.exetakeown /F "Z:\System Volume Information" /A /R /D Y2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:3764
-
-
C:\Windows\System32\icacls.exeicacls "Z:\System Volume Information" /grant Admin:F /T2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:4360
-
-
C:\Windows\System32\vdsldr.exeC:\Windows\System32\vdsldr.exe -Embedding1⤵PID:4284
-
C:\Windows\System32\NOTEPAD.EXE"C:\Windows\System32\NOTEPAD.EXE" C:\Users\Admin\Desktop\DestroyPC.bat1⤵
- Opens file in notepad (likely ransom note)
PID:1648
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\Desktop\DestroyPC.bat"1⤵PID:3760
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" ( echo select disk 0 & echo list partition & echo select partition 1 & echo assign letter=Z )"2⤵PID:1440
-
-
C:\Windows\system32\diskpart.exediskpart2⤵PID:3516
-
-
C:\Windows\system32\takeown.exetakeown /f C:\Windows\System32\LogonUI.exe /a2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:1340
-
-
C:\Windows\system32\icacls.exeicacls C:\Windows\System32\LogonUI.exe /grant Admin:F2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:4184
-
-
C:\Windows\System32\takeown.exetakeown /F "Z:\bootmgr" /A2⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Enumerates connected drives
PID:1344
-
-
C:\Windows\System32\icacls.exeicacls "Z:\bootmgr" /grant Admin:F2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:3920
-
-
C:\Windows\System32\takeown.exetakeown /F "Z:\BOOTNXT" /A2⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Enumerates connected drives
PID:1488
-
-
C:\Windows\System32\icacls.exeicacls "Z:\BOOTNXT" /grant Admin:F2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:948
-
-
C:\Windows\System32\takeown.exetakeown /F "Z:\BOOTSECT.BAK" /A2⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Enumerates connected drives
PID:1408
-
-
C:\Windows\System32\icacls.exeicacls "Z:\BOOTSECT.BAK" /grant Admin:F2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:4480
-
-
C:\Windows\System32\takeown.exetakeown /F "Z:\Boot" /A /R /D Y2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:1068
-
-
C:\Windows\System32\icacls.exeicacls "Z:\Boot" /grant Admin:F /T2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:1368
-
-
C:\Windows\System32\takeown.exetakeown /F "Z:\System Volume Information" /A /R /D Y2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:3992
-
-
C:\Windows\System32\icacls.exeicacls "Z:\System Volume Information" /grant Admin:F /T2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:2516
-
-
C:\Windows\System32\vdsldr.exeC:\Windows\System32\vdsldr.exe -Embedding1⤵PID:4664
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
648B
MD56d6547a743d5768175fc3760a4a5d49b
SHA1e1bef707619082126188b7545d69331d51d24e98
SHA2569be1b58e80ae53bd99a76f7803739aae0c4168244c5fc7fea520197134bcb9a7
SHA512d78f42a796f889aaec9bdf230e419778d2466e8f995802ba6353e730891ad3a1b5cac71a0011a2e5b4fa97080603ece3aaaea5b7ab2ec81edd5f03f28d24a82f
-
Filesize
5KB
MD5b0a2da0059ed3ab15e9741379daec8b7
SHA173b22632ac606c4299de414cc3880147519e44dc
SHA25650c6a37c8b264ed63541307e63ec9b6631aada26852a9b167912d7c42927b0b4
SHA512202f65e7cd74db66a5f6ed10f25704f86209a972ef14d2aad8dd09ab5eded55febd1bba6ba98abaa00a143b841451fa2216d2e1db39d68d44f8b6792ce1a9203
-
Filesize
2B
MD5d751713988987e9331980363e24189ce
SHA197d170e1550eee4afc0af065b78cda302a97674c
SHA2564f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945
SHA512b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af
-
Filesize
356B
MD55d0386c59be175c2d8f290421bb12b06
SHA1d469cb6bbab33f3bf4ca84c6e78364196c569bed
SHA256a434d228bde23819599514958fff03e5001ae174f9f0e4ff7a48bea4dc8627df
SHA512bc94c75d59ffa681942e18da148bd1dda887a6941479348e474397e55d2ee59c967e6ca452daf72010e52c157d5db2bade6552ad467b32d8a5f35d72b15c115a
-
Filesize
356B
MD56cf6bca59f2d12010f7fcf9437395977
SHA192798a86dc6078fc96653152aa2c2d87525b452f
SHA256f82c73088b4cde629bd84d8b5f3764f19ebb03db2b90070fd51fc7eb466d1422
SHA512b56467966eca6369bf485dd9aece268a4d5d12d001ebefce5d4803106ced8afb2df02e0a440f79f00329a4bd1829ca9de44e53c9c117b693dc1767d67e3a1116
-
Filesize
9KB
MD5ac857deb01556655e06c17496da0fafd
SHA107496c856e6167104025fc6e33788c328b507035
SHA25619eec7719f44503132a663b3f3dba4c3e9b9904c197a1452d985b182a39c3316
SHA51248f472d0dd2927c32f9fad15e1b7d6917b57a3f5b2bf05e117832d371fa8b7d57444d4ec75a2afe75d0599a21315a09d81170ac14145d376557cdc292c3cfec4
-
Filesize
9KB
MD547cc0131307fd9968838167bee4dcf3e
SHA1b77699755dcf91114438a7599e15a07422bd8016
SHA2563b75f375c25f705a32283802a12859b1de74b42df7881a8e126d54337029e6ea
SHA512b0f8a91e3573870ce4dd44476fbc703a0522e87f671472f15bc182be8844d8c446b322cf5adf686d09b9ff17fbbe09f4c9fc4490707a0432727965d9226e8236
-
Filesize
9KB
MD5d08b722c37f7518b86dcbd07b7782930
SHA17b204bfec33a08414e5fa9ce61c4af628b53d302
SHA256e5a59271edd9cf4393efacdf70cd7b40a2c0533219e044d951e1edc3947a143b
SHA5124e93fa614cd3bbf40d82b8154e6eb34b89b37ab415d2ebcecc404d80aa62bcd50e61590af15e8dafe6f64ab55fd36d863bfd19b2d9a748008c28b4684a9cd875
-
Filesize
9KB
MD5cbfceb2b42f4f30422f99fadacd7c8ae
SHA1fccafa95d6afa1ca5da69c512903d6822e17738e
SHA2565229b009b515c91802350b18bce5913fb7a2fa1644cb0a44e6849a3eb9167da1
SHA512adf26738bac7330133e2af031e20f61f59ec53f955f7bada46da25a5f7a426bffa37a28f583b4cc9651d1dad56dc716e669fbe9db8a0fd3ee6ecef7634dc867a
-
Filesize
9KB
MD5aebc12990aaf0d5994cc4f86edf7facd
SHA1699e478c3e75b0c5b6a41915732395b6d5d9cbaa
SHA256a512f49b91d59110c9825ef04b1863cad165d45d8bda9ed1a8b375380b63f6b5
SHA512362605946d166867048a23e2c68a31c83a5bbe78a68eefef69afe3ae133d7a1a9b57a46f0e63bfd7639ee5a9a7e7087244fbe342a28c0a54fc775231a69fbbee
-
Filesize
9KB
MD51b4d89a5a5189207f5a48fb4e083277d
SHA17be11c14f91a9c3a330213a57b4b31a44ccbddf5
SHA2564417d9c6c1b10206f609cd16aa25e1871004a07f9b78c7cbb0469633740eb87e
SHA51253f77f19c97e614001534869a1a2c0dff6ecdc8dca7fb0082889133337a6d564e07b10233e82e7276326cb055b81ae16b62f5d78853e1cf0d5b3371e02b4f0de
-
Filesize
9KB
MD5757bc552a7b78381e5b946bb6ba92914
SHA1f6e7df6000699924f88ea938f4c01294df07209c
SHA2560ed3d340ac2d3fa718ebc8bb90fd09c1780e7658b844655bd698cd9264118d8b
SHA512678906f9aa46c80fd9a773ecb54d4b7cdf18ee0594bbbd70f4ab724bb06877c505d40e2da129f31431ada6f4d8b6cfa8816fa85bd01d7831ec42911458eac1ef
-
Filesize
9KB
MD5c3bffeadf769d280e899a1a190f90c92
SHA1aeaa7b4b07b5c84b114c47c625245a2889e009a4
SHA2568bb1f3c11a4408c07f3cdb3b50edc78e8dd6324084fd772d4fbce8439b70172b
SHA512d3d2543e455c250e391545423edfcd43f7f4c3f10b628dddcff70cafb1f54f8c5751a71ac3340abe1752ed89e686210746648f9fa70f9eab8dbbfce716f42ca6
-
Filesize
9KB
MD53d5f0f1744fd5d9a86e7ff4c5391fd24
SHA1e760c3da9129d687ae01e0104bf65a15e9474310
SHA25681800d8886e454e56f49de18d91ff73c27f252591e060647293dc41e78c32d73
SHA512a666a27ded28558b57d1aa3c220f508f14754ab3ba89c0b52973c329acc563b41f3faabed7fbe2f26e79160ec60ebe534c0da0cb0e0efba8934507a0a5084e37
-
Filesize
116KB
MD57f8a4fcf1c7ddab372c52f68de2da31f
SHA1b28de075e9546b36df6da16421aca0bde94aa663
SHA25605605b28603c912fc9c6f7b7e69be46715f7f7a2364f77673c0a9cf5420ea940
SHA5121147f8f0b7a882eca354407cd09060081d2100e6ad50a5b821c5ed345ccefcb7bf29f37887a29bcd78dff406a6f15c06340c44755fa152039f3e0f0138a8e27c
-
Filesize
116KB
MD517a75beda4a550f8361e0b568108ee14
SHA1af5896b054074af983b3a7c4f3d451c8d86a7b94
SHA2563cbdc40b1d71b1e2b36051c9d75670c301699e547f4862c32d28d33cc0a374fc
SHA512e38f5d25f038b17e15151d77564ea724a984326d5e39156cc9d2a5bd99ae71d6d120a8a9dbd9c01850004d8b161a0b93055f2053841ddab2239298cbce311dce
-
Filesize
798B
MD52682a6fe1ba3324e01fe2797dd0ba7c7
SHA189013b9225a547a33ca7e47a10ed09fe2dfd6956
SHA256c41396e0e6fc37022dfe3841c35ec70fbee6b8608d73c23d8116cd66f3eed09f
SHA512529170f8b494a6732ccc88ab43d68ca9118a0680d654e0a2c15218ccbd01a944e07510c9db14c34d1a1263e52ebe508374c07cb4a1280c76eae2b6dbb0b0c495
-
Filesize
783B
MD5a747c7608bd0cd2fd17082315c86471b
SHA1d761e438bd2f37079ea42ebb702b52b0d9781599
SHA2568a27202559e11d253cc055ecc8d04008451b1d5af05e63908890708095214991
SHA5127ef3afa901ec9fc8797db1b5b6f3dff3857c4df6ada600321aa766764384b8cd222cdc0963d65ecd704534f94892f606d50b984abc514afa1521fd4a21607dad