Analysis
- max time kernel: 192s
- max time network: 235s
- platform: windows10-2004_x64
- resource: win10v2004-20220812-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 08-11-2022 11:21
- Static task: static1
- Behavioral task: behavioral1
  - Sample: b31bfb5cddc0139d4d1a070897e9925ae228f27936b5af2737720dbad336578f.exe
  - Resource: win7-20220812-en

General
- Target: b31bfb5cddc0139d4d1a070897e9925ae228f27936b5af2737720dbad336578f.exe
- Size: 76KB
- MD5: 00a0ee955f28a00d3e0153adad8ccbd6
- SHA1: aacc4109349377d1a0ef68512dfd3d812a514fdd
- SHA256: b31bfb5cddc0139d4d1a070897e9925ae228f27936b5af2737720dbad336578f
- SHA512: 12c996808750974b611a768b018b52bbd11eb67d1389d3e3232858c7ef70a78da2fee303963240f5045fedb9c85b0347748c362ccfa8752100cfa38351260ce9
- SSDEEP: 768:YIE5SMy0AvkBrsVbJYv79+Hi6XzY1nZCdRFoEGUzrbHYiI3/1jW8xfZdjo0XY+Xt:YwLJYp+dOCdRWEGsrq3N1j5XY+q5o
Malware Config
Signatures
- Possible privilege escalation attempt (34 IoCs)
  Processes (process: pids):
  - icacls.exe: 2032, 4160, 3756, 2268, 3048, 2696, 396, 4588, 2564, 1128, 4960, 3724, 2512, 4404, 2060, 3428, 4508
  - takeown.exe: 4132, 3424, 2964, 3444, 1148, 4588, 2248, 536, 1480, 3648, 924, 5104, 5052, 1140, 1892, 5028, 4320
- Modifies file permissions (1 TTP, 34 IoCs)
  Processes (process: pids):
  - icacls.exe: 4160, 2696, 4508, 2032, 3724, 396, 2268, 1128, 4960, 2512, 3048, 3428, 4404, 4588, 3756, 2060, 2564
  - takeown.exe: 4320, 5028, 1480, 1140, 4132, 3648, 924, 1148, 3424, 2248, 1892, 4588, 2964, 5104, 3444, 5052, 536
- Drops file in System32 directory (6 IoCs)
  Process: b31bfb5cddc0139d4d1a070897e9925ae228f27936b5af2737720dbad336578f.exe (description: ioc):
  - File opened for modification: C:\Windows\SysWOW64\wscript.exe
  - File opened for modification: C:\Windows\SysWOW64\cscript.exe
  - File created: C:\Windows\SysWOW64\ukwx.exe
  - File opened for modification: C:\Windows\SysWOW64\ukwx.exe
  - File opened for modification: C:\Windows\SysWOW64\cmd.exe
  - File opened for modification: C:\Windows\SysWOW64\ftp.exe
- Suspicious use of AdjustPrivilegeToken (16 IoCs)
  Processes (description: process pids):
  - Token: SeTakeOwnershipPrivilege: takeown.exe 536, 1480, 5028, 5052, 3648, 924, 5104, 1140, 4132, 1148, 2964, 3424, 2248, 4320, 1892, 4588
- Suspicious use of SetWindowsHookEx (1 IoC)
  Processes (pid process):
  - 4688 b31bfb5cddc0139d4d1a070897e9925ae228f27936b5af2737720dbad336578f.exe
- Suspicious use of WriteProcessMemory (64 IoCs)
  Processes: source PID 4688 b31bfb5cddc0139d4d1a070897e9925ae228f27936b5af2737720dbad336578f.exe wrote to memory of (target pid, target process, writes recorded):
  - 3444 takeown.exe (3)
  - 2032 icacls.exe (3)
  - 536 takeown.exe (3)
  - 4588 icacls.exe (3)
  - 1480 takeown.exe (3)
  - 2060 icacls.exe (3)
  - 5028 takeown.exe (3)
  - 3724 icacls.exe (3)
  - 5052 takeown.exe (3)
  - 2268 icacls.exe (3)
  - 3648 takeown.exe (3)
  - 2512 icacls.exe (3)
  - 924 takeown.exe (3)
  - 2564 icacls.exe (3)
  - 5104 takeown.exe (3)
  - 396 icacls.exe (3)
  - 1140 takeown.exe (3)
  - 4160 icacls.exe (3)
  - 4132 takeown.exe (3)
  - 1128 icacls.exe (3)
  - 1148 takeown.exe (3)
  - 3048 icacls.exe (1)
Processes
- C:\Users\Admin\AppData\Local\Temp\b31bfb5cddc0139d4d1a070897e9925ae228f27936b5af2737720dbad336578f.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\b31bfb5cddc0139d4d1a070897e9925ae228f27936b5af2737720dbad336578f.exe"
  Signatures: Drops file in System32 directory; Suspicious use of SetWindowsHookEx; Suspicious use of WriteProcessMemory
  Child processes:
  - C:\Windows\SysWOW64\takeown.exe
    Command line: C:\Windows\system32\takeown.exe /f "C:\Windows\system32\ukwx.exe"
    Signatures: Possible privilege escalation attempt; Modifies file permissions
  - C:\Windows\SysWOW64\icacls.exe
    Command line: C:\Windows\system32\icacls.exe "C:\Windows\system32\ukwx.exe" /grant SYSTEM:F
    Signatures: Possible privilege escalation attempt; Modifies file permissions
  - C:\Windows\SysWOW64\takeown.exe
    Command line: takeown.exe /f "C:\Windows\System32\cmd.exe"
    Signatures: Possible privilege escalation attempt; Modifies file permissions; Suspicious use of AdjustPrivilegeToken
  - C:\Windows\SysWOW64\icacls.exe
    Command line: icacls.exe "C:\Windows\System32\cmd.exe" /grant SYSTEM:F
    Signatures: Possible privilege escalation attempt; Modifies file permissions
  - C:\Windows\SysWOW64\takeown.exe
    Command line: takeown.exe /f "C:\Windows\System32\cmd.exe"
    Signatures: Possible privilege escalation attempt; Modifies file permissions; Suspicious use of AdjustPrivilegeToken
  - C:\Windows\SysWOW64\icacls.exe
    Command line: icacls.exe "C:\Windows\System32\cmd.exe" /grant SYSTEM:F
    Signatures: Possible privilege escalation attempt; Modifies file permissions
  - C:\Windows\SysWOW64\takeown.exe
    Command line: takeown.exe /f "C:\Windows\System32\ftp.exe"
    Signatures: Possible privilege escalation attempt; Modifies file permissions; Suspicious use of AdjustPrivilegeToken
  - C:\Windows\SysWOW64\icacls.exe
    Command line: icacls.exe "C:\Windows\System32\ftp.exe" /grant SYSTEM:F
    Signatures: Possible privilege escalation attempt; Modifies file permissions
  - C:\Windows\SysWOW64\takeown.exe
    Command line: takeown.exe /f "C:\Windows\System32\ftp.exe"
    Signatures: Possible privilege escalation attempt; Modifies file permissions; Suspicious use of AdjustPrivilegeToken
  - C:\Windows\SysWOW64\icacls.exe
    Command line: icacls.exe "C:\Windows\System32\ftp.exe" /grant SYSTEM:F
    Signatures: Possible privilege escalation attempt; Modifies file permissions
  - C:\Windows\SysWOW64\takeown.exe
    Command line: takeown.exe /f "C:\Windows\System32\wscript.exe"
    Signatures: Possible privilege escalation attempt; Modifies file permissions; Suspicious use of AdjustPrivilegeToken
  - C:\Windows\SysWOW64\icacls.exe
    Command line: icacls.exe "C:\Windows\System32\wscript.exe" /grant SYSTEM:F
    Signatures: Possible privilege escalation attempt; Modifies file permissions
  - C:\Windows\SysWOW64\takeown.exe
    Command line: takeown.exe /f "C:\Windows\System32\wscript.exe"
    Signatures: Possible privilege escalation attempt; Modifies file permissions; Suspicious use of AdjustPrivilegeToken
  - C:\Windows\SysWOW64\icacls.exe
    Command line: icacls.exe "C:\Windows\System32\wscript.exe" /grant SYSTEM:F
    Signatures: Possible privilege escalation attempt; Modifies file permissions
  - C:\Windows\SysWOW64\takeown.exe
    Command line: takeown.exe /f "C:\Windows\System32\cscript.exe"
    Signatures: Possible privilege escalation attempt; Modifies file permissions; Suspicious use of AdjustPrivilegeToken
  - C:\Windows\SysWOW64\icacls.exe
    Command line: icacls.exe "C:\Windows\System32\cscript.exe" /grant SYSTEM:F
    Signatures: Possible privilege escalation attempt; Modifies file permissions
  - C:\Windows\SysWOW64\takeown.exe
    Command line: takeown.exe /f "C:\Windows\System32\cscript.exe"
    Signatures: Possible privilege escalation attempt; Modifies file permissions; Suspicious use of AdjustPrivilegeToken
  - C:\Windows\SysWOW64\icacls.exe
    Command line: icacls.exe "C:\Windows\System32\cscript.exe" /grant SYSTEM:F
    Signatures: Possible privilege escalation attempt; Modifies file permissions
  - C:\Windows\SysWOW64\takeown.exe
    Command line: takeown.exe /f "C:\Windows\SysWOW64\cmd.exe"
    Signatures: Possible privilege escalation attempt; Modifies file permissions; Suspicious use of AdjustPrivilegeToken
  - C:\Windows\SysWOW64\icacls.exe
    Command line: icacls.exe "C:\Windows\SysWOW64\cmd.exe" /grant SYSTEM:F
    Signatures: Possible privilege escalation attempt; Modifies file permissions
  - C:\Windows\SysWOW64\takeown.exe
    Command line: takeown.exe /f "C:\Windows\SysWOW64\cmd.exe"
    Signatures: Possible privilege escalation attempt; Modifies file permissions; Suspicious use of AdjustPrivilegeToken
  - C:\Windows\SysWOW64\icacls.exe
    Command line: icacls.exe "C:\Windows\SysWOW64\cmd.exe" /grant SYSTEM:F
    Signatures: Possible privilege escalation attempt; Modifies file permissions
  - C:\Windows\SysWOW64\takeown.exe
    Command line: takeown.exe /f "C:\Windows\SysWOW64\ftp.exe"
    Signatures: Possible privilege escalation attempt; Modifies file permissions; Suspicious use of AdjustPrivilegeToken
  - C:\Windows\SysWOW64\icacls.exe
    Command line: icacls.exe "C:\Windows\SysWOW64\ftp.exe" /grant SYSTEM:F
    Signatures: Possible privilege escalation attempt; Modifies file permissions
  - C:\Windows\SysWOW64\takeown.exe
    Command line: takeown.exe /f "C:\Windows\SysWOW64\ftp.exe"
    Signatures: Possible privilege escalation attempt; Modifies file permissions; Suspicious use of AdjustPrivilegeToken
  - C:\Windows\SysWOW64\icacls.exe
    Command line: icacls.exe "C:\Windows\SysWOW64\ftp.exe" /grant SYSTEM:F
    Signatures: Possible privilege escalation attempt; Modifies file permissions
  - C:\Windows\SysWOW64\takeown.exe
    Command line: takeown.exe /f "C:\Windows\SysWOW64\wscript.exe"
    Signatures: Possible privilege escalation attempt; Modifies file permissions; Suspicious use of AdjustPrivilegeToken
  - C:\Windows\SysWOW64\icacls.exe
    Command line: icacls.exe "C:\Windows\SysWOW64\wscript.exe" /grant SYSTEM:F
    Signatures: Possible privilege escalation attempt; Modifies file permissions
  - C:\Windows\SysWOW64\takeown.exe
    Command line: takeown.exe /f "C:\Windows\SysWOW64\wscript.exe"
    Signatures: Possible privilege escalation attempt; Modifies file permissions; Suspicious use of AdjustPrivilegeToken
  - C:\Windows\SysWOW64\icacls.exe
    Command line: icacls.exe "C:\Windows\SysWOW64\wscript.exe" /grant SYSTEM:F
    Signatures: Possible privilege escalation attempt; Modifies file permissions
  - C:\Windows\SysWOW64\takeown.exe
    Command line: takeown.exe /f "C:\Windows\SysWOW64\cscript.exe"
    Signatures: Possible privilege escalation attempt; Modifies file permissions; Suspicious use of AdjustPrivilegeToken
  - C:\Windows\SysWOW64\icacls.exe
    Command line: icacls.exe "C:\Windows\SysWOW64\cscript.exe" /grant SYSTEM:F
    Signatures: Possible privilege escalation attempt; Modifies file permissions
  - C:\Windows\SysWOW64\takeown.exe
    Command line: takeown.exe /f "C:\Windows\SysWOW64\cscript.exe"
    Signatures: Possible privilege escalation attempt; Modifies file permissions; Suspicious use of AdjustPrivilegeToken
  - C:\Windows\SysWOW64\icacls.exe
    Command line: icacls.exe "C:\Windows\SysWOW64\cscript.exe" /grant SYSTEM:F
    Signatures: Possible privilege escalation attempt; Modifies file permissions
Network
MITRE ATT&CK Matrix (ATT&CK v6)
Downloads
- C:\Windows\SysWOW64\ukwx.exe
  Filesize: 76KB
  MD5: 00a0ee955f28a00d3e0153adad8ccbd6
  SHA1: aacc4109349377d1a0ef68512dfd3d812a514fdd
  SHA256: b31bfb5cddc0139d4d1a070897e9925ae228f27936b5af2737720dbad336578f
  SHA512: 12c996808750974b611a768b018b52bbd11eb67d1389d3e3232858c7ef70a78da2fee303963240f5045fedb9c85b0347748c362ccfa8752100cfa38351260ce9