Analysis
- max time kernel: 137s
- max time network: 147s
- platform: windows10-2004_x64
- resource: win10v2004-20220812-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 08-11-2022 08:41
- Static task: static1
- Behavioral task: behavioral1
- Sample: cb2aa043ecd50bee7f4a660087e62ca45c2c1cbc433420512b0e7c8fa362c804.exe
- Resource: win7-20220901-en
General
- Target: cb2aa043ecd50bee7f4a660087e62ca45c2c1cbc433420512b0e7c8fa362c804.exe
- Size: 68KB
- MD5: 01d2a08c2976f6f7f3a6579d1d64aa26
- SHA1: 0f4fae2be30446e39ce0e14a5763dd7c41ff4b0f
- SHA256: cb2aa043ecd50bee7f4a660087e62ca45c2c1cbc433420512b0e7c8fa362c804
- SHA512: 33d92ef8bd3a210ab47fe2fee961456779ce32aca0777c7a165fa1dbc669e8e7352ad6f4890a0193dc95ff59f9417c9ab54e160ff7872c622410300a03be5804
- SSDEEP: 768:HTTv3ANWbKrlPoQTR2I7Zsn3aRuDDHm0PwwljxXoyoi4/BSx1vjobw8Q8MEe:HHnmzL23SuTnljmyoiy1Q8Je
Malware Config
Signatures
Possible privilege escalation attempt (34 IoCs)
Processes (pid, process):
1192 takeown.exe
1052 icacls.exe
5044 icacls.exe
4416 takeown.exe
4916 icacls.exe
2076 takeown.exe
4044 icacls.exe
2852 takeown.exe
1776 icacls.exe
2688 icacls.exe
228 icacls.exe
4404 takeown.exe
4376 takeown.exe
2812 icacls.exe
3652 takeown.exe
1708 takeown.exe
3376 icacls.exe
1148 icacls.exe
2864 takeown.exe
4436 takeown.exe
2300 icacls.exe
3952 icacls.exe
4372 takeown.exe
2848 takeown.exe
3460 icacls.exe
1208 icacls.exe
1992 icacls.exe
2844 takeown.exe
1560 takeown.exe
4844 icacls.exe
4380 icacls.exe
2560 takeown.exe
3728 takeown.exe
1312 takeown.exe
Modifies file permissions (1 TTP, 34 IoCs)
Processes (pid, process):
4416 takeown.exe
1992 icacls.exe
1148 icacls.exe
1192 takeown.exe
1708 takeown.exe
4404 takeown.exe
4376 takeown.exe
4044 icacls.exe
3376 icacls.exe
4372 takeown.exe
4380 icacls.exe
228 icacls.exe
4916 icacls.exe
2076 takeown.exe
3652 takeown.exe
1052 icacls.exe
1776 icacls.exe
4436 takeown.exe
5044 icacls.exe
2844 takeown.exe
3952 icacls.exe
2560 takeown.exe
3728 takeown.exe
2848 takeown.exe
2852 takeown.exe
2812 icacls.exe
2864 takeown.exe
2688 icacls.exe
1208 icacls.exe
3460 icacls.exe
1312 takeown.exe
2300 icacls.exe
1560 takeown.exe
4844 icacls.exe
Drops file in System32 directory (6 IoCs)
Processes (description, ioc, process); all entries belong to cb2aa043ecd50bee7f4a660087e62ca45c2c1cbc433420512b0e7c8fa362c804.exe:
File created                  C:\Windows\SysWOW64\akxk.exe
File opened for modification  C:\Windows\SysWOW64\akxk.exe
File opened for modification  C:\Windows\SysWOW64\cmd.exe
File opened for modification  C:\Windows\SysWOW64\ftp.exe
File opened for modification  C:\Windows\SysWOW64\wscript.exe
File opened for modification  C:\Windows\SysWOW64\cscript.exe
Suspicious use of AdjustPrivilegeToken (16 IoCs)
Processes (description, pid, process); every entry is Token: SeTakeOwnershipPrivilege:
2560 takeown.exe
1708 takeown.exe
4416 takeown.exe
3728 takeown.exe
4404 takeown.exe
2848 takeown.exe
2076 takeown.exe
3652 takeown.exe
4376 takeown.exe
1312 takeown.exe
2852 takeown.exe
2844 takeown.exe
4372 takeown.exe
1560 takeown.exe
2864 takeown.exe
4436 takeown.exe
Suspicious use of SetWindowsHookEx (1 IoC)
Processes (pid, process):
4272 cb2aa043ecd50bee7f4a660087e62ca45c2c1cbc433420512b0e7c8fa362c804.exe
Suspicious use of WriteProcessMemory (64 IoCs)
Processes: every entry is PID 4272 (cb2aa043ecd50bee7f4a660087e62ca45c2c1cbc433420512b0e7c8fa362c804.exe) writing to the memory of the target process below; the report records the same write the number of times given in the last column.
target pid  target process  entries
1192        takeown.exe     3
2688        icacls.exe      3
2560        takeown.exe     3
1052        icacls.exe      3
1708        takeown.exe     3
5044        icacls.exe      3
4416        takeown.exe     3
1208        icacls.exe      3
3728        takeown.exe     3
228         icacls.exe      3
4404        takeown.exe     3
4916        icacls.exe      3
2848        takeown.exe     3
2812        icacls.exe      3
2076        takeown.exe     3
3460        icacls.exe      3
3652        takeown.exe     3
1992        icacls.exe      3
4376        takeown.exe     3
4044        icacls.exe      3
1312        takeown.exe     3
3376        icacls.exe      1
Processes (image path, then command line; child processes are indented under their parent, and the signatures each process triggered follow it)

C:\Users\Admin\AppData\Local\Temp\cb2aa043ecd50bee7f4a660087e62ca45c2c1cbc433420512b0e7c8fa362c804.exe
  "C:\Users\Admin\AppData\Local\Temp\cb2aa043ecd50bee7f4a660087e62ca45c2c1cbc433420512b0e7c8fa362c804.exe"
  - Drops file in System32 directory
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory

  C:\Windows\SysWOW64\takeown.exe
    C:\Windows\system32\takeown.exe /f "C:\Windows\system32\akxk.exe"
    - Possible privilege escalation attempt
    - Modifies file permissions

  C:\Windows\SysWOW64\icacls.exe
    C:\Windows\system32\icacls.exe "C:\Windows\system32\akxk.exe" /grant SYSTEM:F
    - Possible privilege escalation attempt
    - Modifies file permissions

  C:\Windows\SysWOW64\takeown.exe
    takeown.exe /f "C:\Windows\System32\cmd.exe"
    - Possible privilege escalation attempt
    - Modifies file permissions
    - Suspicious use of AdjustPrivilegeToken

  C:\Windows\SysWOW64\icacls.exe
    icacls.exe "" /grant Users:F
    - Possible privilege escalation attempt
    - Modifies file permissions

  C:\Windows\SysWOW64\takeown.exe
    takeown.exe /f "C:\Windows\System32\cmd.exe"
    - Possible privilege escalation attempt
    - Modifies file permissions
    - Suspicious use of AdjustPrivilegeToken

  C:\Windows\SysWOW64\icacls.exe
    icacls.exe "" /grant Users:F
    - Possible privilege escalation attempt
    - Modifies file permissions

  C:\Windows\SysWOW64\takeown.exe
    takeown.exe /f "C:\Windows\System32\ftp.exe"
    - Possible privilege escalation attempt
    - Modifies file permissions
    - Suspicious use of AdjustPrivilegeToken

  C:\Windows\SysWOW64\icacls.exe
    icacls.exe "" /grant Users:F
    - Possible privilege escalation attempt
    - Modifies file permissions

  C:\Windows\SysWOW64\takeown.exe
    takeown.exe /f "C:\Windows\System32\ftp.exe"
    - Possible privilege escalation attempt
    - Modifies file permissions
    - Suspicious use of AdjustPrivilegeToken

  C:\Windows\SysWOW64\icacls.exe
    icacls.exe "" /grant Users:F
    - Possible privilege escalation attempt
    - Modifies file permissions

  C:\Windows\SysWOW64\takeown.exe
    takeown.exe /f "C:\Windows\System32\wscript.exe"
    - Possible privilege escalation attempt
    - Modifies file permissions
    - Suspicious use of AdjustPrivilegeToken

  C:\Windows\SysWOW64\icacls.exe
    icacls.exe "" /grant Users:F
    - Possible privilege escalation attempt
    - Modifies file permissions

  C:\Windows\SysWOW64\takeown.exe
    takeown.exe /f "C:\Windows\System32\wscript.exe"
    - Possible privilege escalation attempt
    - Modifies file permissions
    - Suspicious use of AdjustPrivilegeToken

  C:\Windows\SysWOW64\icacls.exe
    icacls.exe "" /grant Users:F
    - Possible privilege escalation attempt
    - Modifies file permissions

  C:\Windows\SysWOW64\takeown.exe
    takeown.exe /f "C:\Windows\System32\cscript.exe"
    - Possible privilege escalation attempt
    - Modifies file permissions
    - Suspicious use of AdjustPrivilegeToken

  C:\Windows\SysWOW64\icacls.exe
    icacls.exe "" /grant Users:F
    - Possible privilege escalation attempt
    - Modifies file permissions

  C:\Windows\SysWOW64\takeown.exe
    takeown.exe /f "C:\Windows\System32\cscript.exe"
    - Possible privilege escalation attempt
    - Modifies file permissions
    - Suspicious use of AdjustPrivilegeToken

  C:\Windows\SysWOW64\icacls.exe
    icacls.exe "" /grant Users:F
    - Possible privilege escalation attempt
    - Modifies file permissions

  C:\Windows\SysWOW64\takeown.exe
    takeown.exe /f "C:\Windows\SysWOW64\cmd.exe"
    - Possible privilege escalation attempt
    - Modifies file permissions
    - Suspicious use of AdjustPrivilegeToken

  C:\Windows\SysWOW64\icacls.exe
    icacls.exe "" /grant Users:F
    - Possible privilege escalation attempt
    - Modifies file permissions

  C:\Windows\SysWOW64\takeown.exe
    takeown.exe /f "C:\Windows\SysWOW64\cmd.exe"
    - Possible privilege escalation attempt
    - Modifies file permissions
    - Suspicious use of AdjustPrivilegeToken

  C:\Windows\SysWOW64\icacls.exe
    icacls.exe "" /grant Users:F
    - Possible privilege escalation attempt
    - Modifies file permissions

  C:\Windows\SysWOW64\takeown.exe
    takeown.exe /f "C:\Windows\SysWOW64\ftp.exe"
    - Possible privilege escalation attempt
    - Modifies file permissions
    - Suspicious use of AdjustPrivilegeToken

  C:\Windows\SysWOW64\icacls.exe
    icacls.exe "" /grant Users:F
    - Possible privilege escalation attempt
    - Modifies file permissions

  C:\Windows\SysWOW64\takeown.exe
    takeown.exe /f "C:\Windows\SysWOW64\ftp.exe"
    - Possible privilege escalation attempt
    - Modifies file permissions
    - Suspicious use of AdjustPrivilegeToken

  C:\Windows\SysWOW64\icacls.exe
    icacls.exe "" /grant Users:F
    - Possible privilege escalation attempt
    - Modifies file permissions

  C:\Windows\SysWOW64\takeown.exe
    takeown.exe /f "C:\Windows\SysWOW64\wscript.exe"
    - Possible privilege escalation attempt
    - Modifies file permissions
    - Suspicious use of AdjustPrivilegeToken

  C:\Windows\SysWOW64\icacls.exe
    icacls.exe "" /grant Users:F
    - Possible privilege escalation attempt
    - Modifies file permissions

  C:\Windows\SysWOW64\takeown.exe
    takeown.exe /f "C:\Windows\SysWOW64\wscript.exe"
    - Possible privilege escalation attempt
    - Modifies file permissions
    - Suspicious use of AdjustPrivilegeToken

  C:\Windows\SysWOW64\icacls.exe
    icacls.exe "" /grant Users:F
    - Possible privilege escalation attempt
    - Modifies file permissions

  C:\Windows\SysWOW64\takeown.exe
    takeown.exe /f "C:\Windows\SysWOW64\cscript.exe"
    - Possible privilege escalation attempt
    - Modifies file permissions
    - Suspicious use of AdjustPrivilegeToken

  C:\Windows\SysWOW64\icacls.exe
    icacls.exe "" /grant Users:F
    - Possible privilege escalation attempt
    - Modifies file permissions

  C:\Windows\SysWOW64\takeown.exe
    takeown.exe /f "C:\Windows\SysWOW64\cscript.exe"
    - Possible privilege escalation attempt
    - Modifies file permissions
    - Suspicious use of AdjustPrivilegeToken

  C:\Windows\SysWOW64\icacls.exe
    icacls.exe "" /grant Users:F
    - Possible privilege escalation attempt
    - Modifies file permissions
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Windows\SysWOW64\akxk.exe (same MD5, SHA1, SHA256 and SHA512 as the submitted sample, so the dropped file is a copy of the sample itself)
  Filesize: 68KB
  MD5: 01d2a08c2976f6f7f3a6579d1d64aa26
  SHA1: 0f4fae2be30446e39ce0e14a5763dd7c41ff4b0f
  SHA256: cb2aa043ecd50bee7f4a660087e62ca45c2c1cbc433420512b0e7c8fa362c804
  SHA512: 33d92ef8bd3a210ab47fe2fee961456779ce32aca0777c7a165fa1dbc669e8e7352ad6f4890a0193dc95ff59f9417c9ab54e160ff7872c622410300a03be5804