58e9741c7919f4742950fabe825851bb90b720a960e2865daf5466039150cb63

Analysis

max time kernel
172s
max time network
178s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
06-11-2022 23:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

58e9741c7919f4742950fabe825851bb90b720a960e2865daf5466039150cb63.exe
Size

64KB
MD5

0cff37058f2e0aaeb0d1234ba2fd1761
SHA1

3b0120363a5325839bc50703588a5b7dc094f419
SHA256

58e9741c7919f4742950fabe825851bb90b720a960e2865daf5466039150cb63
SHA512

3196307329bff89c3aa20a1e0443a4422164c08ab260488f27eee6c54646f57c39b088d4a245d0710df0a68ff2dfb3707a5798f410437c0ce0cbb3cb95c64df4
SSDEEP

768:pgWCiGePXS9l5yxB90WwKA4aln9xWBixQX2I9NhXL:pp8Ni6WwN4aR9EBie5zL

Score

8^/10

discovery exploit

Malware Config

Signatures

Possible privilege escalation attempt 34 IoCs

exploit

Processes:

takeown.exeicacls.exetakeown.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exetakeown.exetakeown.exetakeown.exetakeown.exeicacls.exetakeown.exeicacls.exetakeown.exetakeown.exeicacls.exetakeown.exeicacls.exeicacls.exeicacls.exetakeown.exeicacls.exetakeown.exetakeown.exeicacls.exetakeown.exeicacls.exetakeown.exetakeown.exetakeown.exe

pid	process
2388	takeown.exe
2776	icacls.exe
4508	takeown.exe
1096	icacls.exe
432	icacls.exe
5052	icacls.exe
5064	icacls.exe
1260	icacls.exe
4088	icacls.exe
4660	icacls.exe
5024	takeown.exe
2772	takeown.exe
1704	takeown.exe
4104	takeown.exe
2768	icacls.exe
2276	takeown.exe
1592	icacls.exe
3016	takeown.exe
2068	takeown.exe
220	icacls.exe
2620	takeown.exe
3960	icacls.exe
4624	icacls.exe
812	icacls.exe
4996	takeown.exe
4176	icacls.exe
4864	takeown.exe
4196	takeown.exe
312	icacls.exe
3796	takeown.exe
1648	icacls.exe
1956	takeown.exe
2224	takeown.exe
3940	takeown.exe

Modifies file permissions 1 TTPs 34 IoCs

discovery

File and Directory Permissions Modification

T1222

Processes:

takeown.exeicacls.exetakeown.exetakeown.exeicacls.exetakeown.exeicacls.exeicacls.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exeicacls.exeicacls.exeicacls.exetakeown.exeicacls.exeicacls.exetakeown.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exetakeown.exetakeown.exeicacls.exetakeown.exetakeown.exe

pid	process
2224	takeown.exe
3960	icacls.exe
2276	takeown.exe
1956	takeown.exe
4176	icacls.exe
3940	takeown.exe
1592	icacls.exe
5052	icacls.exe
2388	takeown.exe
1704	takeown.exe
4196	takeown.exe
4996	takeown.exe
4864	takeown.exe
2068	takeown.exe
3796	takeown.exe
4624	icacls.exe
4088	icacls.exe
2776	icacls.exe
4104	takeown.exe
2768	icacls.exe
1648	icacls.exe
3016	takeown.exe
5064	icacls.exe
1096	icacls.exe
1260	icacls.exe
812	icacls.exe
312	icacls.exe
432	icacls.exe
220	icacls.exe
2772	takeown.exe
4508	takeown.exe
4660	icacls.exe
2620	takeown.exe
5024	takeown.exe

Drops file in System32 directory 6 IoCs

Processes:

58e9741c7919f4742950fabe825851bb90b720a960e2865daf5466039150cb63.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\wscript.exe	58e9741c7919f4742950fabe825851bb90b720a960e2865daf5466039150cb63.exe
File opened for modification	C:\Windows\SysWOW64\cscript.exe	58e9741c7919f4742950fabe825851bb90b720a960e2865daf5466039150cb63.exe
File created	C:\Windows\SysWOW64\kpvkn.exe	58e9741c7919f4742950fabe825851bb90b720a960e2865daf5466039150cb63.exe
File opened for modification	C:\Windows\SysWOW64\kpvkn.exe	58e9741c7919f4742950fabe825851bb90b720a960e2865daf5466039150cb63.exe
File opened for modification	C:\Windows\SysWOW64\cmd.exe	58e9741c7919f4742950fabe825851bb90b720a960e2865daf5466039150cb63.exe
File opened for modification	C:\Windows\SysWOW64\ftp.exe	58e9741c7919f4742950fabe825851bb90b720a960e2865daf5466039150cb63.exe

Suspicious use of AdjustPrivilegeToken 16 IoCs

Processes:

takeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exe

description	pid	process
Token: SeTakeOwnershipPrivilege	4864	takeown.exe
Token: SeTakeOwnershipPrivilege	2388	takeown.exe
Token: SeTakeOwnershipPrivilege	3016	takeown.exe
Token: SeTakeOwnershipPrivilege	2068	takeown.exe
Token: SeTakeOwnershipPrivilege	2772	takeown.exe
Token: SeTakeOwnershipPrivilege	1704	takeown.exe
Token: SeTakeOwnershipPrivilege	4196	takeown.exe
Token: SeTakeOwnershipPrivilege	1956	takeown.exe
Token: SeTakeOwnershipPrivilege	4508	takeown.exe
Token: SeTakeOwnershipPrivilege	4104	takeown.exe
Token: SeTakeOwnershipPrivilege	4996	takeown.exe
Token: SeTakeOwnershipPrivilege	2224	takeown.exe
Token: SeTakeOwnershipPrivilege	3940	takeown.exe
Token: SeTakeOwnershipPrivilege	3796	takeown.exe
Token: SeTakeOwnershipPrivilege	2620	takeown.exe
Token: SeTakeOwnershipPrivilege	5024	takeown.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

58e9741c7919f4742950fabe825851bb90b720a960e2865daf5466039150cb63.exe

pid process

4032 58e9741c7919f4742950fabe825851bb90b720a960e2865daf5466039150cb63.exe

pid	process
4032	58e9741c7919f4742950fabe825851bb90b720a960e2865daf5466039150cb63.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

58e9741c7919f4742950fabe825851bb90b720a960e2865daf5466039150cb63.exe

description	pid	process	target process
PID 4032 wrote to memory of 2276	4032	58e9741c7919f4742950fabe825851bb90b720a960e2865daf5466039150cb63.exe	takeown.exe
PID 4032 wrote to memory of 2276	4032	58e9741c7919f4742950fabe825851bb90b720a960e2865daf5466039150cb63.exe	takeown.exe
PID 4032 wrote to memory of 2276	4032	58e9741c7919f4742950fabe825851bb90b720a960e2865daf5466039150cb63.exe	takeown.exe
PID 4032 wrote to memory of 1592	4032	58e9741c7919f4742950fabe825851bb90b720a960e2865daf5466039150cb63.exe	icacls.exe
PID 4032 wrote to memory of 1592	4032	58e9741c7919f4742950fabe825851bb90b720a960e2865daf5466039150cb63.exe	icacls.exe
PID 4032 wrote to memory of 1592	4032	58e9741c7919f4742950fabe825851bb90b720a960e2865daf5466039150cb63.exe	icacls.exe
PID 4032 wrote to memory of 4864	4032	58e9741c7919f4742950fabe825851bb90b720a960e2865daf5466039150cb63.exe	takeown.exe
PID 4032 wrote to memory of 4864	4032	58e9741c7919f4742950fabe825851bb90b720a960e2865daf5466039150cb63.exe	takeown.exe
PID 4032 wrote to memory of 4864	4032	58e9741c7919f4742950fabe825851bb90b720a960e2865daf5466039150cb63.exe	takeown.exe
PID 4032 wrote to memory of 5052	4032	58e9741c7919f4742950fabe825851bb90b720a960e2865daf5466039150cb63.exe	icacls.exe
PID 4032 wrote to memory of 5052	4032	58e9741c7919f4742950fabe825851bb90b720a960e2865daf5466039150cb63.exe	icacls.exe
PID 4032 wrote to memory of 5052	4032	58e9741c7919f4742950fabe825851bb90b720a960e2865daf5466039150cb63.exe	icacls.exe
PID 4032 wrote to memory of 2388	4032	58e9741c7919f4742950fabe825851bb90b720a960e2865daf5466039150cb63.exe	takeown.exe
PID 4032 wrote to memory of 2388	4032	58e9741c7919f4742950fabe825851bb90b720a960e2865daf5466039150cb63.exe	takeown.exe
PID 4032 wrote to memory of 2388	4032	58e9741c7919f4742950fabe825851bb90b720a960e2865daf5466039150cb63.exe	takeown.exe
PID 4032 wrote to memory of 4624	4032	58e9741c7919f4742950fabe825851bb90b720a960e2865daf5466039150cb63.exe	icacls.exe
PID 4032 wrote to memory of 4624	4032	58e9741c7919f4742950fabe825851bb90b720a960e2865daf5466039150cb63.exe	icacls.exe
PID 4032 wrote to memory of 4624	4032	58e9741c7919f4742950fabe825851bb90b720a960e2865daf5466039150cb63.exe	icacls.exe
PID 4032 wrote to memory of 3016	4032	58e9741c7919f4742950fabe825851bb90b720a960e2865daf5466039150cb63.exe	takeown.exe
PID 4032 wrote to memory of 3016	4032	58e9741c7919f4742950fabe825851bb90b720a960e2865daf5466039150cb63.exe	takeown.exe
PID 4032 wrote to memory of 3016	4032	58e9741c7919f4742950fabe825851bb90b720a960e2865daf5466039150cb63.exe	takeown.exe
PID 4032 wrote to memory of 4088	4032	58e9741c7919f4742950fabe825851bb90b720a960e2865daf5466039150cb63.exe	icacls.exe
PID 4032 wrote to memory of 4088	4032	58e9741c7919f4742950fabe825851bb90b720a960e2865daf5466039150cb63.exe	icacls.exe
PID 4032 wrote to memory of 4088	4032	58e9741c7919f4742950fabe825851bb90b720a960e2865daf5466039150cb63.exe	icacls.exe
PID 4032 wrote to memory of 2068	4032	58e9741c7919f4742950fabe825851bb90b720a960e2865daf5466039150cb63.exe	takeown.exe
PID 4032 wrote to memory of 2068	4032	58e9741c7919f4742950fabe825851bb90b720a960e2865daf5466039150cb63.exe	takeown.exe
PID 4032 wrote to memory of 2068	4032	58e9741c7919f4742950fabe825851bb90b720a960e2865daf5466039150cb63.exe	takeown.exe
PID 4032 wrote to memory of 220	4032	58e9741c7919f4742950fabe825851bb90b720a960e2865daf5466039150cb63.exe	icacls.exe
PID 4032 wrote to memory of 220	4032	58e9741c7919f4742950fabe825851bb90b720a960e2865daf5466039150cb63.exe	icacls.exe
PID 4032 wrote to memory of 220	4032	58e9741c7919f4742950fabe825851bb90b720a960e2865daf5466039150cb63.exe	icacls.exe
PID 4032 wrote to memory of 2772	4032	58e9741c7919f4742950fabe825851bb90b720a960e2865daf5466039150cb63.exe	takeown.exe
PID 4032 wrote to memory of 2772	4032	58e9741c7919f4742950fabe825851bb90b720a960e2865daf5466039150cb63.exe	takeown.exe
PID 4032 wrote to memory of 2772	4032	58e9741c7919f4742950fabe825851bb90b720a960e2865daf5466039150cb63.exe	takeown.exe
PID 4032 wrote to memory of 2776	4032	58e9741c7919f4742950fabe825851bb90b720a960e2865daf5466039150cb63.exe	icacls.exe
PID 4032 wrote to memory of 2776	4032	58e9741c7919f4742950fabe825851bb90b720a960e2865daf5466039150cb63.exe	icacls.exe
PID 4032 wrote to memory of 2776	4032	58e9741c7919f4742950fabe825851bb90b720a960e2865daf5466039150cb63.exe	icacls.exe
PID 4032 wrote to memory of 1704	4032	58e9741c7919f4742950fabe825851bb90b720a960e2865daf5466039150cb63.exe	takeown.exe
PID 4032 wrote to memory of 1704	4032	58e9741c7919f4742950fabe825851bb90b720a960e2865daf5466039150cb63.exe	takeown.exe
PID 4032 wrote to memory of 1704	4032	58e9741c7919f4742950fabe825851bb90b720a960e2865daf5466039150cb63.exe	takeown.exe
PID 4032 wrote to memory of 5064	4032	58e9741c7919f4742950fabe825851bb90b720a960e2865daf5466039150cb63.exe	icacls.exe
PID 4032 wrote to memory of 5064	4032	58e9741c7919f4742950fabe825851bb90b720a960e2865daf5466039150cb63.exe	icacls.exe
PID 4032 wrote to memory of 5064	4032	58e9741c7919f4742950fabe825851bb90b720a960e2865daf5466039150cb63.exe	icacls.exe
PID 4032 wrote to memory of 4196	4032	58e9741c7919f4742950fabe825851bb90b720a960e2865daf5466039150cb63.exe	takeown.exe
PID 4032 wrote to memory of 4196	4032	58e9741c7919f4742950fabe825851bb90b720a960e2865daf5466039150cb63.exe	takeown.exe
PID 4032 wrote to memory of 4196	4032	58e9741c7919f4742950fabe825851bb90b720a960e2865daf5466039150cb63.exe	takeown.exe
PID 4032 wrote to memory of 1260	4032	58e9741c7919f4742950fabe825851bb90b720a960e2865daf5466039150cb63.exe	icacls.exe
PID 4032 wrote to memory of 1260	4032	58e9741c7919f4742950fabe825851bb90b720a960e2865daf5466039150cb63.exe	icacls.exe
PID 4032 wrote to memory of 1260	4032	58e9741c7919f4742950fabe825851bb90b720a960e2865daf5466039150cb63.exe	icacls.exe
PID 4032 wrote to memory of 1956	4032	58e9741c7919f4742950fabe825851bb90b720a960e2865daf5466039150cb63.exe	takeown.exe
PID 4032 wrote to memory of 1956	4032	58e9741c7919f4742950fabe825851bb90b720a960e2865daf5466039150cb63.exe	takeown.exe
PID 4032 wrote to memory of 1956	4032	58e9741c7919f4742950fabe825851bb90b720a960e2865daf5466039150cb63.exe	takeown.exe
PID 4032 wrote to memory of 812	4032	58e9741c7919f4742950fabe825851bb90b720a960e2865daf5466039150cb63.exe	icacls.exe
PID 4032 wrote to memory of 812	4032	58e9741c7919f4742950fabe825851bb90b720a960e2865daf5466039150cb63.exe	icacls.exe
PID 4032 wrote to memory of 812	4032	58e9741c7919f4742950fabe825851bb90b720a960e2865daf5466039150cb63.exe	icacls.exe
PID 4032 wrote to memory of 4508	4032	58e9741c7919f4742950fabe825851bb90b720a960e2865daf5466039150cb63.exe	takeown.exe
PID 4032 wrote to memory of 4508	4032	58e9741c7919f4742950fabe825851bb90b720a960e2865daf5466039150cb63.exe	takeown.exe
PID 4032 wrote to memory of 4508	4032	58e9741c7919f4742950fabe825851bb90b720a960e2865daf5466039150cb63.exe	takeown.exe
PID 4032 wrote to memory of 4660	4032	58e9741c7919f4742950fabe825851bb90b720a960e2865daf5466039150cb63.exe	icacls.exe
PID 4032 wrote to memory of 4660	4032	58e9741c7919f4742950fabe825851bb90b720a960e2865daf5466039150cb63.exe	icacls.exe
PID 4032 wrote to memory of 4660	4032	58e9741c7919f4742950fabe825851bb90b720a960e2865daf5466039150cb63.exe	icacls.exe
PID 4032 wrote to memory of 4104	4032	58e9741c7919f4742950fabe825851bb90b720a960e2865daf5466039150cb63.exe	takeown.exe
PID 4032 wrote to memory of 4104	4032	58e9741c7919f4742950fabe825851bb90b720a960e2865daf5466039150cb63.exe	takeown.exe
PID 4032 wrote to memory of 4104	4032	58e9741c7919f4742950fabe825851bb90b720a960e2865daf5466039150cb63.exe	takeown.exe
PID 4032 wrote to memory of 1096	4032	58e9741c7919f4742950fabe825851bb90b720a960e2865daf5466039150cb63.exe	icacls.exe

C:\Users\Admin\AppData\Local\Temp\58e9741c7919f4742950fabe825851bb90b720a960e2865daf5466039150cb63.exe
"C:\Users\Admin\AppData\Local\Temp\58e9741c7919f4742950fabe825851bb90b720a960e2865daf5466039150cb63.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4032
- C:\Windows\SysWOW64\takeown.exe
  C:\Windows\system32\takeown.exe /f "C:\Windows\system32\kpvkn.exe"
  2⤵
  - Possible privilege escalation attempt
  - Modifies file permissions
  PID:2276
- C:\Windows\SysWOW64\icacls.exe
  C:\Windows\system32\icacls.exe "C:\Windows\system32\kpvkn.exe" /grant SYSTEM:F
  2⤵
  - Possible privilege escalation attempt
  - Modifies file permissions
  PID:1592
- C:\Windows\SysWOW64\takeown.exe
  takeown.exe /f "C:\Windows\System32\cmd.exe"
  2⤵
  - Possible privilege escalation attempt
  - Modifies file permissions
  - Suspicious use of AdjustPrivilegeToken
  PID:4864
- C:\Windows\SysWOW64\icacls.exe
  icacls.exe "C:\Windows\System32\cmd.exe" /grant SYSTEM:F
  2⤵
  - Possible privilege escalation attempt
  - Modifies file permissions
  PID:5052
- C:\Windows\SysWOW64\takeown.exe
  takeown.exe /f "C:\Windows\System32\cmd.exe"
  2⤵
  - Possible privilege escalation attempt
  - Modifies file permissions
  - Suspicious use of AdjustPrivilegeToken
  PID:2388
- C:\Windows\SysWOW64\icacls.exe
  icacls.exe "C:\Windows\System32\cmd.exe" /grant SYSTEM:F
  2⤵
  - Possible privilege escalation attempt
  - Modifies file permissions
  PID:4624
- C:\Windows\SysWOW64\takeown.exe
  takeown.exe /f "C:\Windows\System32\ftp.exe"
  2⤵
  - Possible privilege escalation attempt
  - Modifies file permissions
  - Suspicious use of AdjustPrivilegeToken
  PID:3016
- C:\Windows\SysWOW64\icacls.exe
  icacls.exe "C:\Windows\System32\ftp.exe" /grant SYSTEM:F
  2⤵
  - Possible privilege escalation attempt
  - Modifies file permissions
  PID:4088
- C:\Windows\SysWOW64\takeown.exe
  takeown.exe /f "C:\Windows\System32\ftp.exe"
  2⤵
  - Possible privilege escalation attempt
  - Modifies file permissions
  - Suspicious use of AdjustPrivilegeToken
  PID:2068
- C:\Windows\SysWOW64\icacls.exe
  icacls.exe "C:\Windows\System32\ftp.exe" /grant SYSTEM:F
  2⤵
  - Possible privilege escalation attempt
  - Modifies file permissions
  PID:220
- C:\Windows\SysWOW64\takeown.exe
  takeown.exe /f "C:\Windows\System32\wscript.exe"
  2⤵
  - Possible privilege escalation attempt
  - Modifies file permissions
  - Suspicious use of AdjustPrivilegeToken
  PID:2772
- C:\Windows\SysWOW64\icacls.exe
  icacls.exe "C:\Windows\System32\wscript.exe" /grant SYSTEM:F
  2⤵
  - Possible privilege escalation attempt
  - Modifies file permissions
  PID:2776
- C:\Windows\SysWOW64\takeown.exe
  takeown.exe /f "C:\Windows\System32\wscript.exe"
  2⤵
  - Possible privilege escalation attempt
  - Modifies file permissions
  - Suspicious use of AdjustPrivilegeToken
  PID:1704
- C:\Windows\SysWOW64\icacls.exe
  icacls.exe "C:\Windows\System32\wscript.exe" /grant SYSTEM:F
  2⤵
  - Possible privilege escalation attempt
  - Modifies file permissions
  PID:5064
- C:\Windows\SysWOW64\takeown.exe
  takeown.exe /f "C:\Windows\System32\cscript.exe"
  2⤵
  - Possible privilege escalation attempt
  - Modifies file permissions
  - Suspicious use of AdjustPrivilegeToken
  PID:4196
- C:\Windows\SysWOW64\icacls.exe
  icacls.exe "C:\Windows\System32\cscript.exe" /grant SYSTEM:F
  2⤵
  - Possible privilege escalation attempt
  - Modifies file permissions
  PID:1260
- C:\Windows\SysWOW64\takeown.exe
  takeown.exe /f "C:\Windows\System32\cscript.exe"
  2⤵
  - Possible privilege escalation attempt
  - Modifies file permissions
  - Suspicious use of AdjustPrivilegeToken
  PID:1956
- C:\Windows\SysWOW64\icacls.exe
  icacls.exe "C:\Windows\System32\cscript.exe" /grant SYSTEM:F
  2⤵
  - Possible privilege escalation attempt
  - Modifies file permissions
  PID:812
- C:\Windows\SysWOW64\takeown.exe
  takeown.exe /f "C:\Windows\SysWOW64\cmd.exe"
  2⤵
  - Possible privilege escalation attempt
  - Modifies file permissions
  - Suspicious use of AdjustPrivilegeToken
  PID:4508
- C:\Windows\SysWOW64\icacls.exe
  icacls.exe "C:\Windows\SysWOW64\cmd.exe" /grant SYSTEM:F
  2⤵
  - Possible privilege escalation attempt
  - Modifies file permissions
  PID:4660
- C:\Windows\SysWOW64\takeown.exe
  takeown.exe /f "C:\Windows\SysWOW64\cmd.exe"
  2⤵
  - Possible privilege escalation attempt
  - Modifies file permissions
  - Suspicious use of AdjustPrivilegeToken
  PID:4104
- C:\Windows\SysWOW64\icacls.exe
  icacls.exe "C:\Windows\SysWOW64\cmd.exe" /grant SYSTEM:F
  2⤵
  - Possible privilege escalation attempt
  - Modifies file permissions
  PID:1096
- C:\Windows\SysWOW64\takeown.exe
  takeown.exe /f "C:\Windows\SysWOW64\ftp.exe"
  2⤵
  - Possible privilege escalation attempt
  - Modifies file permissions
  - Suspicious use of AdjustPrivilegeToken
  PID:4996
- C:\Windows\SysWOW64\icacls.exe
  icacls.exe "C:\Windows\SysWOW64\ftp.exe" /grant SYSTEM:F
  2⤵
  - Possible privilege escalation attempt
  - Modifies file permissions
  PID:4176
- C:\Windows\SysWOW64\takeown.exe
  takeown.exe /f "C:\Windows\SysWOW64\ftp.exe"
  2⤵
  - Possible privilege escalation attempt
  - Modifies file permissions
  - Suspicious use of AdjustPrivilegeToken
  PID:2224
- C:\Windows\SysWOW64\icacls.exe
  icacls.exe "C:\Windows\SysWOW64\ftp.exe" /grant SYSTEM:F
  2⤵
  - Possible privilege escalation attempt
  - Modifies file permissions
  PID:312
- C:\Windows\SysWOW64\takeown.exe
  takeown.exe /f "C:\Windows\SysWOW64\wscript.exe"
  2⤵
  - Possible privilege escalation attempt
  - Modifies file permissions
  - Suspicious use of AdjustPrivilegeToken
  PID:3940
- C:\Windows\SysWOW64\icacls.exe
  icacls.exe "C:\Windows\SysWOW64\wscript.exe" /grant SYSTEM:F
  2⤵
  - Possible privilege escalation attempt
  - Modifies file permissions
  PID:432
- C:\Windows\SysWOW64\takeown.exe
  takeown.exe /f "C:\Windows\SysWOW64\wscript.exe"
  2⤵
  - Possible privilege escalation attempt
  - Modifies file permissions
  - Suspicious use of AdjustPrivilegeToken
  PID:3796
- C:\Windows\SysWOW64\icacls.exe
  icacls.exe "C:\Windows\SysWOW64\wscript.exe" /grant SYSTEM:F
  2⤵
  - Possible privilege escalation attempt
  - Modifies file permissions
  PID:2768
- C:\Windows\SysWOW64\takeown.exe
  takeown.exe /f "C:\Windows\SysWOW64\cscript.exe"
  2⤵
  - Possible privilege escalation attempt
  - Modifies file permissions
  - Suspicious use of AdjustPrivilegeToken
  PID:2620
- C:\Windows\SysWOW64\icacls.exe
  icacls.exe "C:\Windows\SysWOW64\cscript.exe" /grant SYSTEM:F
  2⤵
  - Possible privilege escalation attempt
  - Modifies file permissions
  PID:1648
- C:\Windows\SysWOW64\takeown.exe
  takeown.exe /f "C:\Windows\SysWOW64\cscript.exe"
  2⤵
  - Possible privilege escalation attempt
  - Modifies file permissions
  - Suspicious use of AdjustPrivilegeToken
  PID:5024
- C:\Windows\SysWOW64\icacls.exe
  icacls.exe "C:\Windows\SysWOW64\cscript.exe" /grant SYSTEM:F
  2⤵
  - Possible privilege escalation attempt
  - Modifies file permissions
  PID:3960

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

File and Directory Permissions Modification

T1222

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\kpvkn.exe

Filesize
64KB

MD5
0cff37058f2e0aaeb0d1234ba2fd1761

SHA1
3b0120363a5325839bc50703588a5b7dc094f419

SHA256
58e9741c7919f4742950fabe825851bb90b720a960e2865daf5466039150cb63

SHA512
3196307329bff89c3aa20a1e0443a4422164c08ab260488f27eee6c54646f57c39b088d4a245d0710df0a68ff2dfb3707a5798f410437c0ce0cbb3cb95c64df4

Download Submit
memory/220-144-0x0000000000000000-mapping.dmp

Download
memory/312-160-0x0000000000000000-mapping.dmp

Download
memory/432-162-0x0000000000000000-mapping.dmp

Download
memory/812-152-0x0000000000000000-mapping.dmp

Download
memory/1096-156-0x0000000000000000-mapping.dmp

Download
memory/1260-150-0x0000000000000000-mapping.dmp

Download
memory/1592-136-0x0000000000000000-mapping.dmp

Download
memory/1648-166-0x0000000000000000-mapping.dmp

Download
memory/1704-147-0x0000000000000000-mapping.dmp

Download
memory/1956-151-0x0000000000000000-mapping.dmp

Download
memory/2068-143-0x0000000000000000-mapping.dmp

Download
memory/2224-159-0x0000000000000000-mapping.dmp

Download
memory/2276-134-0x0000000000000000-mapping.dmp

Download
memory/2388-139-0x0000000000000000-mapping.dmp

Download
memory/2620-165-0x0000000000000000-mapping.dmp

Download
memory/2768-164-0x0000000000000000-mapping.dmp

Download
memory/2772-145-0x0000000000000000-mapping.dmp

Download
memory/2776-146-0x0000000000000000-mapping.dmp

Download
memory/3016-141-0x0000000000000000-mapping.dmp

Download
memory/3796-163-0x0000000000000000-mapping.dmp

Download
memory/3940-161-0x0000000000000000-mapping.dmp

Download
memory/3960-168-0x0000000000000000-mapping.dmp

Download
memory/4088-142-0x0000000000000000-mapping.dmp

Download
memory/4104-155-0x0000000000000000-mapping.dmp

Download
memory/4176-158-0x0000000000000000-mapping.dmp

Download
memory/4196-149-0x0000000000000000-mapping.dmp

Download
memory/4508-153-0x0000000000000000-mapping.dmp

Download
memory/4624-140-0x0000000000000000-mapping.dmp

Download
memory/4660-154-0x0000000000000000-mapping.dmp

Download
memory/4864-137-0x0000000000000000-mapping.dmp

Download
memory/4996-157-0x0000000000000000-mapping.dmp

Download
memory/5024-167-0x0000000000000000-mapping.dmp

Download
memory/5052-138-0x0000000000000000-mapping.dmp

Download
memory/5064-148-0x0000000000000000-mapping.dmp

Download