Analysis
-
max time kernel
137s -
max time network
175s -
platform
windows10-2004_x64 -
resource
win10v2004-20220812-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20220812-en locale:en-us os:windows10-2004-x64 system -
submitted
03-10-2022 13:39
Static task
static1
Behavioral task
behavioral1
Sample
bf487f93a9d391ad74336cae84b32b74ed83ea257546e3bf93059154a646b1c1.exe
Resource
win7-20220812-en
General
-
Target
bf487f93a9d391ad74336cae84b32b74ed83ea257546e3bf93059154a646b1c1.exe
-
Size
72KB
-
MD5
607ff124d59d031ac081c8210f941826
-
SHA1
4d557a6584e6500b337a52ea45e3e7114c50e0cd
-
SHA256
bf487f93a9d391ad74336cae84b32b74ed83ea257546e3bf93059154a646b1c1
-
SHA512
de7078e6f0afb9237944024cb840d98b0071b33c449a76586fde80a14e1b12e8a0776bf1019313de35020abc7025bd4c4ee341ee7dde1250ed87a1f28cbe27aa
-
SSDEEP
1536:eK086JErWvey9wQuQtHcTBRbCJs2E64KtL6:e1JErWm2wQnVJfEMZ6
Malware Config
Signatures
-
Possible privilege escalation attempt 34 IoCs
Processes:
pid | process
3196 | icacls.exe
2888 | icacls.exe
2072 | icacls.exe
4660 | takeown.exe
3624 | takeown.exe
2140 | icacls.exe
2428 | takeown.exe
3000 | takeown.exe
1748 | icacls.exe
3996 | takeown.exe
4564 | icacls.exe
2792 | icacls.exe
3160 | takeown.exe
4548 | icacls.exe
2592 | takeown.exe
3168 | icacls.exe
2236 | takeown.exe
3132 | icacls.exe
4452 | takeown.exe
4236 | icacls.exe
3872 | takeown.exe
1092 | takeown.exe
3044 | icacls.exe
4996 | takeown.exe
4320 | icacls.exe
1476 | takeown.exe
4968 | icacls.exe
4904 | takeown.exe
2168 | icacls.exe
3424 | takeown.exe
176 | icacls.exe
2576 | takeown.exe
4448 | icacls.exe
4444 | takeown.exe
-
Modifies file permissions 1 TTPs 34 IoCs
Processes:
pid | process
4904 | takeown.exe
1748 | icacls.exe
4996 | takeown.exe
4968 | icacls.exe
4448 | icacls.exe
4444 | takeown.exe
4564 | icacls.exe
2168 | icacls.exe
3196 | icacls.exe
2140 | icacls.exe
2236 | takeown.exe
4320 | icacls.exe
4452 | takeown.exe
2592 | takeown.exe
2576 | takeown.exe
4236 | icacls.exe
3424 | takeown.exe
3872 | takeown.exe
4660 | takeown.exe
3000 | takeown.exe
3132 | icacls.exe
2792 | icacls.exe
4548 | icacls.exe
1092 | takeown.exe
3168 | icacls.exe
3996 | takeown.exe
176 | icacls.exe
3624 | takeown.exe
1476 | takeown.exe
2428 | takeown.exe
3160 | takeown.exe
2888 | icacls.exe
3044 | icacls.exe
2072 | icacls.exe
-
Drops file in System32 directory 6 IoCs
Processes:
description | ioc | process
File created | C:\Windows\SysWOW64\gwkoi.exe | bf487f93a9d391ad74336cae84b32b74ed83ea257546e3bf93059154a646b1c1.exe
File opened for modification | C:\Windows\SysWOW64\gwkoi.exe | bf487f93a9d391ad74336cae84b32b74ed83ea257546e3bf93059154a646b1c1.exe
File opened for modification | C:\Windows\SysWOW64\cmd.exe | bf487f93a9d391ad74336cae84b32b74ed83ea257546e3bf93059154a646b1c1.exe
File opened for modification | C:\Windows\SysWOW64\ftp.exe | bf487f93a9d391ad74336cae84b32b74ed83ea257546e3bf93059154a646b1c1.exe
File opened for modification | C:\Windows\SysWOW64\wscript.exe | bf487f93a9d391ad74336cae84b32b74ed83ea257546e3bf93059154a646b1c1.exe
File opened for modification | C:\Windows\SysWOW64\cscript.exe | bf487f93a9d391ad74336cae84b32b74ed83ea257546e3bf93059154a646b1c1.exe
-
Suspicious use of AdjustPrivilegeToken 16 IoCs
Processes:
description | pid | process
Token: SeTakeOwnershipPrivilege | 3424 | takeown.exe
Token: SeTakeOwnershipPrivilege | 2592 | takeown.exe
Token: SeTakeOwnershipPrivilege | 1092 | takeown.exe
Token: SeTakeOwnershipPrivilege | 3624 | takeown.exe
Token: SeTakeOwnershipPrivilege | 3996 | takeown.exe
Token: SeTakeOwnershipPrivilege | 2236 | takeown.exe
Token: SeTakeOwnershipPrivilege | 4996 | takeown.exe
Token: SeTakeOwnershipPrivilege | 2576 | takeown.exe
Token: SeTakeOwnershipPrivilege | 1476 | takeown.exe
Token: SeTakeOwnershipPrivilege | 2428 | takeown.exe
Token: SeTakeOwnershipPrivilege | 4444 | takeown.exe
Token: SeTakeOwnershipPrivilege | 4452 | takeown.exe
Token: SeTakeOwnershipPrivilege | 3872 | takeown.exe
Token: SeTakeOwnershipPrivilege | 4904 | takeown.exe
Token: SeTakeOwnershipPrivilege | 4660 | takeown.exe
Token: SeTakeOwnershipPrivilege | 3000 | takeown.exe
-
Suspicious use of SetWindowsHookEx 1 IoCs
Processes:
pid | process
980 | bf487f93a9d391ad74336cae84b32b74ed83ea257546e3bf93059154a646b1c1.exe
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
description | pid | process | target process
PID 980 wrote to memory of 3160 | 980 | bf487f93a9d391ad74336cae84b32b74ed83ea257546e3bf93059154a646b1c1.exe | takeown.exe
PID 980 wrote to memory of 3160 | 980 | bf487f93a9d391ad74336cae84b32b74ed83ea257546e3bf93059154a646b1c1.exe | takeown.exe
PID 980 wrote to memory of 3160 | 980 | bf487f93a9d391ad74336cae84b32b74ed83ea257546e3bf93059154a646b1c1.exe | takeown.exe
PID 980 wrote to memory of 4548 | 980 | bf487f93a9d391ad74336cae84b32b74ed83ea257546e3bf93059154a646b1c1.exe | icacls.exe
PID 980 wrote to memory of 4548 | 980 | bf487f93a9d391ad74336cae84b32b74ed83ea257546e3bf93059154a646b1c1.exe | icacls.exe
PID 980 wrote to memory of 4548 | 980 | bf487f93a9d391ad74336cae84b32b74ed83ea257546e3bf93059154a646b1c1.exe | icacls.exe
PID 980 wrote to memory of 3424 | 980 | bf487f93a9d391ad74336cae84b32b74ed83ea257546e3bf93059154a646b1c1.exe | takeown.exe
PID 980 wrote to memory of 3424 | 980 | bf487f93a9d391ad74336cae84b32b74ed83ea257546e3bf93059154a646b1c1.exe | takeown.exe
PID 980 wrote to memory of 3424 | 980 | bf487f93a9d391ad74336cae84b32b74ed83ea257546e3bf93059154a646b1c1.exe | takeown.exe
PID 980 wrote to memory of 3196 | 980 | bf487f93a9d391ad74336cae84b32b74ed83ea257546e3bf93059154a646b1c1.exe | icacls.exe
PID 980 wrote to memory of 3196 | 980 | bf487f93a9d391ad74336cae84b32b74ed83ea257546e3bf93059154a646b1c1.exe | icacls.exe
PID 980 wrote to memory of 3196 | 980 | bf487f93a9d391ad74336cae84b32b74ed83ea257546e3bf93059154a646b1c1.exe | icacls.exe
PID 980 wrote to memory of 2592 | 980 | bf487f93a9d391ad74336cae84b32b74ed83ea257546e3bf93059154a646b1c1.exe | takeown.exe
PID 980 wrote to memory of 2592 | 980 | bf487f93a9d391ad74336cae84b32b74ed83ea257546e3bf93059154a646b1c1.exe | takeown.exe
PID 980 wrote to memory of 2592 | 980 | bf487f93a9d391ad74336cae84b32b74ed83ea257546e3bf93059154a646b1c1.exe | takeown.exe
PID 980 wrote to memory of 1748 | 980 | bf487f93a9d391ad74336cae84b32b74ed83ea257546e3bf93059154a646b1c1.exe | icacls.exe
PID 980 wrote to memory of 1748 | 980 | bf487f93a9d391ad74336cae84b32b74ed83ea257546e3bf93059154a646b1c1.exe | icacls.exe
PID 980 wrote to memory of 1748 | 980 | bf487f93a9d391ad74336cae84b32b74ed83ea257546e3bf93059154a646b1c1.exe | icacls.exe
PID 980 wrote to memory of 1092 | 980 | bf487f93a9d391ad74336cae84b32b74ed83ea257546e3bf93059154a646b1c1.exe | takeown.exe
PID 980 wrote to memory of 1092 | 980 | bf487f93a9d391ad74336cae84b32b74ed83ea257546e3bf93059154a646b1c1.exe | takeown.exe
PID 980 wrote to memory of 1092 | 980 | bf487f93a9d391ad74336cae84b32b74ed83ea257546e3bf93059154a646b1c1.exe | takeown.exe
PID 980 wrote to memory of 2888 | 980 | bf487f93a9d391ad74336cae84b32b74ed83ea257546e3bf93059154a646b1c1.exe | icacls.exe
PID 980 wrote to memory of 2888 | 980 | bf487f93a9d391ad74336cae84b32b74ed83ea257546e3bf93059154a646b1c1.exe | icacls.exe
PID 980 wrote to memory of 2888 | 980 | bf487f93a9d391ad74336cae84b32b74ed83ea257546e3bf93059154a646b1c1.exe | icacls.exe
PID 980 wrote to memory of 3624 | 980 | bf487f93a9d391ad74336cae84b32b74ed83ea257546e3bf93059154a646b1c1.exe | takeown.exe
PID 980 wrote to memory of 3624 | 980 | bf487f93a9d391ad74336cae84b32b74ed83ea257546e3bf93059154a646b1c1.exe | takeown.exe
PID 980 wrote to memory of 3624 | 980 | bf487f93a9d391ad74336cae84b32b74ed83ea257546e3bf93059154a646b1c1.exe | takeown.exe
PID 980 wrote to memory of 3168 | 980 | bf487f93a9d391ad74336cae84b32b74ed83ea257546e3bf93059154a646b1c1.exe | icacls.exe
PID 980 wrote to memory of 3168 | 980 | bf487f93a9d391ad74336cae84b32b74ed83ea257546e3bf93059154a646b1c1.exe | icacls.exe
PID 980 wrote to memory of 3168 | 980 | bf487f93a9d391ad74336cae84b32b74ed83ea257546e3bf93059154a646b1c1.exe | icacls.exe
PID 980 wrote to memory of 3996 | 980 | bf487f93a9d391ad74336cae84b32b74ed83ea257546e3bf93059154a646b1c1.exe | takeown.exe
PID 980 wrote to memory of 3996 | 980 | bf487f93a9d391ad74336cae84b32b74ed83ea257546e3bf93059154a646b1c1.exe | takeown.exe
PID 980 wrote to memory of 3996 | 980 | bf487f93a9d391ad74336cae84b32b74ed83ea257546e3bf93059154a646b1c1.exe | takeown.exe
PID 980 wrote to memory of 2140 | 980 | bf487f93a9d391ad74336cae84b32b74ed83ea257546e3bf93059154a646b1c1.exe | icacls.exe
PID 980 wrote to memory of 2140 | 980 | bf487f93a9d391ad74336cae84b32b74ed83ea257546e3bf93059154a646b1c1.exe | icacls.exe
PID 980 wrote to memory of 2140 | 980 | bf487f93a9d391ad74336cae84b32b74ed83ea257546e3bf93059154a646b1c1.exe | icacls.exe
PID 980 wrote to memory of 2236 | 980 | bf487f93a9d391ad74336cae84b32b74ed83ea257546e3bf93059154a646b1c1.exe | takeown.exe
PID 980 wrote to memory of 2236 | 980 | bf487f93a9d391ad74336cae84b32b74ed83ea257546e3bf93059154a646b1c1.exe | takeown.exe
PID 980 wrote to memory of 2236 | 980 | bf487f93a9d391ad74336cae84b32b74ed83ea257546e3bf93059154a646b1c1.exe | takeown.exe
PID 980 wrote to memory of 3044 | 980 | bf487f93a9d391ad74336cae84b32b74ed83ea257546e3bf93059154a646b1c1.exe | icacls.exe
PID 980 wrote to memory of 3044 | 980 | bf487f93a9d391ad74336cae84b32b74ed83ea257546e3bf93059154a646b1c1.exe | icacls.exe
PID 980 wrote to memory of 3044 | 980 | bf487f93a9d391ad74336cae84b32b74ed83ea257546e3bf93059154a646b1c1.exe | icacls.exe
PID 980 wrote to memory of 4996 | 980 | bf487f93a9d391ad74336cae84b32b74ed83ea257546e3bf93059154a646b1c1.exe | takeown.exe
PID 980 wrote to memory of 4996 | 980 | bf487f93a9d391ad74336cae84b32b74ed83ea257546e3bf93059154a646b1c1.exe | takeown.exe
PID 980 wrote to memory of 4996 | 980 | bf487f93a9d391ad74336cae84b32b74ed83ea257546e3bf93059154a646b1c1.exe | takeown.exe
PID 980 wrote to memory of 4320 | 980 | bf487f93a9d391ad74336cae84b32b74ed83ea257546e3bf93059154a646b1c1.exe | icacls.exe
PID 980 wrote to memory of 4320 | 980 | bf487f93a9d391ad74336cae84b32b74ed83ea257546e3bf93059154a646b1c1.exe | icacls.exe
PID 980 wrote to memory of 4320 | 980 | bf487f93a9d391ad74336cae84b32b74ed83ea257546e3bf93059154a646b1c1.exe | icacls.exe
PID 980 wrote to memory of 2576 | 980 | bf487f93a9d391ad74336cae84b32b74ed83ea257546e3bf93059154a646b1c1.exe | takeown.exe
PID 980 wrote to memory of 2576 | 980 | bf487f93a9d391ad74336cae84b32b74ed83ea257546e3bf93059154a646b1c1.exe | takeown.exe
PID 980 wrote to memory of 2576 | 980 | bf487f93a9d391ad74336cae84b32b74ed83ea257546e3bf93059154a646b1c1.exe | takeown.exe
PID 980 wrote to memory of 176 | 980 | bf487f93a9d391ad74336cae84b32b74ed83ea257546e3bf93059154a646b1c1.exe | icacls.exe
PID 980 wrote to memory of 176 | 980 | bf487f93a9d391ad74336cae84b32b74ed83ea257546e3bf93059154a646b1c1.exe | icacls.exe
PID 980 wrote to memory of 176 | 980 | bf487f93a9d391ad74336cae84b32b74ed83ea257546e3bf93059154a646b1c1.exe | icacls.exe
PID 980 wrote to memory of 1476 | 980 | bf487f93a9d391ad74336cae84b32b74ed83ea257546e3bf93059154a646b1c1.exe | takeown.exe
PID 980 wrote to memory of 1476 | 980 | bf487f93a9d391ad74336cae84b32b74ed83ea257546e3bf93059154a646b1c1.exe | takeown.exe
PID 980 wrote to memory of 1476 | 980 | bf487f93a9d391ad74336cae84b32b74ed83ea257546e3bf93059154a646b1c1.exe | takeown.exe
PID 980 wrote to memory of 4968 | 980 | bf487f93a9d391ad74336cae84b32b74ed83ea257546e3bf93059154a646b1c1.exe | icacls.exe
PID 980 wrote to memory of 4968 | 980 | bf487f93a9d391ad74336cae84b32b74ed83ea257546e3bf93059154a646b1c1.exe | icacls.exe
PID 980 wrote to memory of 4968 | 980 | bf487f93a9d391ad74336cae84b32b74ed83ea257546e3bf93059154a646b1c1.exe | icacls.exe
PID 980 wrote to memory of 2428 | 980 | bf487f93a9d391ad74336cae84b32b74ed83ea257546e3bf93059154a646b1c1.exe | takeown.exe
PID 980 wrote to memory of 2428 | 980 | bf487f93a9d391ad74336cae84b32b74ed83ea257546e3bf93059154a646b1c1.exe | takeown.exe
PID 980 wrote to memory of 2428 | 980 | bf487f93a9d391ad74336cae84b32b74ed83ea257546e3bf93059154a646b1c1.exe | takeown.exe
PID 980 wrote to memory of 4448 | 980 | bf487f93a9d391ad74336cae84b32b74ed83ea257546e3bf93059154a646b1c1.exe | icacls.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\bf487f93a9d391ad74336cae84b32b74ed83ea257546e3bf93059154a646b1c1.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\bf487f93a9d391ad74336cae84b32b74ed83ea257546e3bf93059154a646b1c1.exe"
Depth: 1
- Drops file in System32 directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\takeown.exe
Command line: C:\Windows\system32\takeown.exe /f "C:\Windows\system32\gwkoi.exe"
Depth: 2
- Possible privilege escalation attempt
- Modifies file permissions
-
C:\Windows\SysWOW64\icacls.exe
Command line: C:\Windows\system32\icacls.exe "C:\Windows\system32\gwkoi.exe" /grant SYSTEM:F
Depth: 2
- Possible privilege escalation attempt
- Modifies file permissions
-
C:\Windows\SysWOW64\takeown.exe
Command line: takeown.exe /f "C:\Windows\System32\cmd.exe"
Depth: 2
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\icacls.exe
Command line: icacls.exe "C:\Windows\System32\cmd.exe" /grant SYSTEM:F
Depth: 2
- Possible privilege escalation attempt
- Modifies file permissions
-
C:\Windows\SysWOW64\takeown.exe
Command line: takeown.exe /f "C:\Windows\System32\cmd.exe"
Depth: 2
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\icacls.exe
Command line: icacls.exe "C:\Windows\System32\cmd.exe" /grant SYSTEM:F
Depth: 2
- Possible privilege escalation attempt
- Modifies file permissions
-
C:\Windows\SysWOW64\takeown.exe
Command line: takeown.exe /f "C:\Windows\System32\ftp.exe"
Depth: 2
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\icacls.exe
Command line: icacls.exe "C:\Windows\System32\ftp.exe" /grant SYSTEM:F
Depth: 2
- Possible privilege escalation attempt
- Modifies file permissions
-
C:\Windows\SysWOW64\takeown.exe
Command line: takeown.exe /f "C:\Windows\System32\ftp.exe"
Depth: 2
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\icacls.exe
Command line: icacls.exe "C:\Windows\System32\ftp.exe" /grant SYSTEM:F
Depth: 2
- Possible privilege escalation attempt
- Modifies file permissions
-
C:\Windows\SysWOW64\takeown.exe
Command line: takeown.exe /f "C:\Windows\System32\wscript.exe"
Depth: 2
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\icacls.exe
Command line: icacls.exe "C:\Windows\System32\wscript.exe" /grant SYSTEM:F
Depth: 2
- Possible privilege escalation attempt
- Modifies file permissions
-
C:\Windows\SysWOW64\takeown.exe
Command line: takeown.exe /f "C:\Windows\System32\wscript.exe"
Depth: 2
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\icacls.exe
Command line: icacls.exe "C:\Windows\System32\wscript.exe" /grant SYSTEM:F
Depth: 2
- Possible privilege escalation attempt
- Modifies file permissions
-
C:\Windows\SysWOW64\takeown.exe
Command line: takeown.exe /f "C:\Windows\System32\cscript.exe"
Depth: 2
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\icacls.exe
Command line: icacls.exe "C:\Windows\System32\cscript.exe" /grant SYSTEM:F
Depth: 2
- Possible privilege escalation attempt
- Modifies file permissions
-
C:\Windows\SysWOW64\takeown.exe
Command line: takeown.exe /f "C:\Windows\System32\cscript.exe"
Depth: 2
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\icacls.exe
Command line: icacls.exe "C:\Windows\System32\cscript.exe" /grant SYSTEM:F
Depth: 2
- Possible privilege escalation attempt
- Modifies file permissions
-
C:\Windows\SysWOW64\takeown.exe
Command line: takeown.exe /f "C:\Windows\SysWOW64\cmd.exe"
Depth: 2
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\icacls.exe
Command line: icacls.exe "C:\Windows\SysWOW64\cmd.exe" /grant SYSTEM:F
Depth: 2
- Possible privilege escalation attempt
- Modifies file permissions
-
C:\Windows\SysWOW64\takeown.exe
Command line: takeown.exe /f "C:\Windows\SysWOW64\cmd.exe"
Depth: 2
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\icacls.exe
Command line: icacls.exe "C:\Windows\SysWOW64\cmd.exe" /grant SYSTEM:F
Depth: 2
- Possible privilege escalation attempt
- Modifies file permissions
-
C:\Windows\SysWOW64\takeown.exe
Command line: takeown.exe /f "C:\Windows\SysWOW64\ftp.exe"
Depth: 2
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\icacls.exe
Command line: icacls.exe "C:\Windows\SysWOW64\ftp.exe" /grant SYSTEM:F
Depth: 2
- Possible privilege escalation attempt
- Modifies file permissions
-
C:\Windows\SysWOW64\takeown.exe
Command line: takeown.exe /f "C:\Windows\SysWOW64\ftp.exe"
Depth: 2
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\icacls.exe
Command line: icacls.exe "C:\Windows\SysWOW64\ftp.exe" /grant SYSTEM:F
Depth: 2
- Possible privilege escalation attempt
- Modifies file permissions
-
C:\Windows\SysWOW64\takeown.exe
Command line: takeown.exe /f "C:\Windows\SysWOW64\wscript.exe"
Depth: 2
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\icacls.exe
Command line: icacls.exe "C:\Windows\SysWOW64\wscript.exe" /grant SYSTEM:F
Depth: 2
- Possible privilege escalation attempt
- Modifies file permissions
-
C:\Windows\SysWOW64\takeown.exe
Command line: takeown.exe /f "C:\Windows\SysWOW64\wscript.exe"
Depth: 2
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\icacls.exe
Command line: icacls.exe "C:\Windows\SysWOW64\wscript.exe" /grant SYSTEM:F
Depth: 2
- Possible privilege escalation attempt
- Modifies file permissions
-
C:\Windows\SysWOW64\takeown.exe
Command line: takeown.exe /f "C:\Windows\SysWOW64\cscript.exe"
Depth: 2
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\icacls.exe
Command line: icacls.exe "C:\Windows\SysWOW64\cscript.exe" /grant SYSTEM:F
Depth: 2
- Possible privilege escalation attempt
- Modifies file permissions
-
C:\Windows\SysWOW64\takeown.exe
Command line: takeown.exe /f "C:\Windows\SysWOW64\cscript.exe"
Depth: 2
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\icacls.exe
Command line: icacls.exe "C:\Windows\SysWOW64\cscript.exe" /grant SYSTEM:F
Depth: 2
- Possible privilege escalation attempt
- Modifies file permissions
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
-
C:\Windows\SysWOW64\gwkoi.exe
Filesize
72KB
MD5
607ff124d59d031ac081c8210f941826
SHA1
4d557a6584e6500b337a52ea45e3e7114c50e0cd
SHA256
bf487f93a9d391ad74336cae84b32b74ed83ea257546e3bf93059154a646b1c1
SHA512
de7078e6f0afb9237944024cb840d98b0071b33c449a76586fde80a14e1b12e8a0776bf1019313de35020abc7025bd4c4ee341ee7dde1250ed87a1f28cbe27aa
-
memory/176-152-0x0000000000000000-mapping.dmp
-
memory/1092-141-0x0000000000000000-mapping.dmp
-
memory/1476-153-0x0000000000000000-mapping.dmp
-
memory/1748-140-0x0000000000000000-mapping.dmp
-
memory/2072-164-0x0000000000000000-mapping.dmp
-
memory/2140-146-0x0000000000000000-mapping.dmp
-
memory/2168-166-0x0000000000000000-mapping.dmp
-
memory/2236-147-0x0000000000000000-mapping.dmp
-
memory/2428-155-0x0000000000000000-mapping.dmp
-
memory/2576-151-0x0000000000000000-mapping.dmp
-
memory/2592-139-0x0000000000000000-mapping.dmp
-
memory/2792-168-0x0000000000000000-mapping.dmp
-
memory/2888-142-0x0000000000000000-mapping.dmp
-
memory/3000-167-0x0000000000000000-mapping.dmp
-
memory/3044-148-0x0000000000000000-mapping.dmp
-
memory/3132-158-0x0000000000000000-mapping.dmp
-
memory/3160-134-0x0000000000000000-mapping.dmp
-
memory/3168-144-0x0000000000000000-mapping.dmp
-
memory/3196-138-0x0000000000000000-mapping.dmp
-
memory/3424-137-0x0000000000000000-mapping.dmp
-
memory/3624-143-0x0000000000000000-mapping.dmp
-
memory/3872-161-0x0000000000000000-mapping.dmp
-
memory/3996-145-0x0000000000000000-mapping.dmp
-
memory/4236-160-0x0000000000000000-mapping.dmp
-
memory/4320-150-0x0000000000000000-mapping.dmp
-
memory/4444-157-0x0000000000000000-mapping.dmp
-
memory/4448-156-0x0000000000000000-mapping.dmp
-
memory/4452-159-0x0000000000000000-mapping.dmp
-
memory/4548-135-0x0000000000000000-mapping.dmp
-
memory/4564-162-0x0000000000000000-mapping.dmp
-
memory/4660-165-0x0000000000000000-mapping.dmp
-
memory/4904-163-0x0000000000000000-mapping.dmp
-
memory/4968-154-0x0000000000000000-mapping.dmp
-
memory/4996-149-0x0000000000000000-mapping.dmp