Analysis

max time kernel: 16s
max time network: 17s
platform: windows7_x64
resource: win7-20241023-en
resource tags: arch:x64, arch:x86, image:win7-20241023-en, locale:en-us, os:windows7-x64, system
submitted: 05-11-2024 13:43

Static task: static1
Behavioral task: behavioral1
Sample: 280726bc2581c404537657892f885744bf8077a2cf7fb36281afc5897f26b31bN.exe
Resource: win7-20241023-en

General

Target: 280726bc2581c404537657892f885744bf8077a2cf7fb36281afc5897f26b31bN.exe
Size: 34KB
MD5: 78cf3240cde4b1a491f16b61b66b5990
SHA1: 80e488f19c6c572080893dd75c4a5dbc3393c7bb
SHA256: 280726bc2581c404537657892f885744bf8077a2cf7fb36281afc5897f26b31b
SHA512: 3c170762e75804da5d4c2df6f3ed36390e11037443b4f0cbc8a7feb8bd7e0e9d050a0fa11a0d05de2348fc6af0b4f7feb15e3fe61e89cdf78ee90b42acb5bcd7
SSDEEP: 768:PumRjoV0l6yzJT+yeZoV0l6yzJT+yez+ZtYcFA/Vc6K:WTV04qxBjV04qxB4+Z8Vcl
Malware Config
Signatures

Possible privilege escalation attempt (16 IoCs)
takeown.exe: PIDs 3008, 3028, 2520, 340, 748, 1760, 1952, 2204
icacls.exe: PIDs 1904, 1836, 2416, 2412, 2244, 2352, 1516, 2584
Each takeown/icacls pair first seizes ownership of a protected Windows binary (takeown /f) and then grants the current user full control over it (icacls /grant <user>:F). This does not gain administrator rights: takeown needs SeTakeOwnershipPrivilege, which only an administrator token holds (see "Suspicious use of AdjustPrivilegeToken" below), so the sample must already be running as an administrator. What the pairs buy is full control over TrustedInstaller-owned tools (regedit, cmd, reg, PowerShell) that an operator would use to inspect or clean the host.
Modifies file permissions (1 TTP, 16 IoCs)
takeown.exe: PIDs 748, 2520, 340, 1952, 3028, 2204, 1760, 3008
icacls.exe: PIDs 2352, 1516, 2584, 1836, 2416, 2412, 1904, 2244
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery (1 TTP, 43 IoCs)
Attempts to gather information about the system language of the victim in order to infer the geographical location of that host.
All 43 IoCs are the same operation, "Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language", recorded once per process: the sample itself (1), cmd.exe (21), icacls.exe (8), takeown.exe (8) and taskkill.exe (5). The stock Microsoft utilities trigger it exactly as the sample does, so the signature reflects normal process start-up rather than anything the sample chose to do and carries no weight in triage on its own.
Kills process with taskkill (5 IoCs)
taskkill.exe: PIDs 1992, 320, 2160, 2936, 2688
Suspicious use of AdjustPrivilegeToken (10 IoCs)
Token: SeDebugPrivilege          taskkill.exe PIDs 1992, 320, 2160, 2936, 2688
Token: SeTakeOwnershipPrivilege  takeown.exe PIDs 2520, 340, 3008, 3028, 2204
taskkill /f enables SeDebugPrivilege before opening the processes it terminates; takeown enables SeTakeOwnershipPrivilege to seize a file owned by another principal (here TrustedInstaller). Both privileges are assigned to administrators only, which is why this whole routine presupposes an elevated administrator session. Three of the eight takeown.exe instances (PIDs 748, 1952 and 1760) have no token event recorded here.
Suspicious use of WriteProcessMemory (64 IoCs)
The 64 IoCs are 16 distinct writer/target pairs, each recorded four times. Every target is a child the writer has just created, which is consistent with CreateProcess writing start-up data into the new child rather than with injection into an unrelated process. Below, 280726bc2581c404537657892f885744bf8077a2cf7fb36281afc5897f26b31bN.exe is written as "the sample".

writer PID  writer        target PID  target
1584        the sample    1752        cmd.exe
1752        cmd.exe       1992        taskkill.exe
1584        the sample    2420        cmd.exe
2420        cmd.exe       320         taskkill.exe
1584        the sample    2876        cmd.exe
2876        cmd.exe       2160        taskkill.exe
1584        the sample    2148        cmd.exe
2148        cmd.exe       2936        taskkill.exe
1584        the sample    2216        cmd.exe
2216        cmd.exe       2688        taskkill.exe
1584        the sample    2740        cmd.exe
2740        cmd.exe       2520        takeown.exe
1584        the sample    2492        cmd.exe
2492        cmd.exe       2416        icacls.exe
1584        the sample    1308        cmd.exe
1308        cmd.exe       340         takeown.exe
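The signatures above fire per process, but the behaviour that matters is the chain: taskkill against operator tools, then takeown followed by icacls on the same protected path, driven from one parent. The following detector is an added example, not sandbox output or the sample author's code. Its event records are constructed from this report's process tree (same PIDs, images and command lines) plus two benign control records; the pid/ppid/image/cmdline field names are an assumption modelled on a Sysmon event-ID-1 or Security 4688 feed, sample.exe stands in for the SHA-256-named binary, and ADMIN_TOOLS is an assumed watch list.

```python
"""Correlate taskkill / takeown / icacls activity across one process tree.

Added example, not sandbox output. EVENTS is constructed from the process
tree in this report plus two benign control records; the field names are an
assumption modelled on a Sysmon event-ID-1 or Security 4688 feed.
"""
import re

# Tools an intruder kills or re-ACLs to blind the operator (assumed list).
ADMIN_TOOLS = {
    "taskmgr.exe", "regedit.exe", "regedt32.exe", "reg.exe", "cmd.exe",
    "powershell.exe", "powershell_ise.exe", "windowsterminal.exe",
    "openconsole.exe", "mmc.exe",
}
PROTECTED_PREFIX = "c:\\windows\\"     # ACL changes under here are never routine

TASKKILL_RE = re.compile(r"\btaskkill\b.*?/im\s+(\S+)", re.I)
TAKEOWN_RE = re.compile(r"\btakeown\b.*?/f\s+(\S+)", re.I)
ICACLS_RE = re.compile(r"\bicacls\b\s+(\S+).*?/grant(?::r)?\s+([^:\s]+):(\S+)", re.I)


def _launcher_of(pid, parents, images):
    """Nearest ancestor that is not a cmd.exe wrapper (or the top of the tree).

    takeown and icacls never share a cmd.exe here; they are siblings one level
    apart, so pairing them needs the process that drove the sequence, not the
    throw-away cmd.exe /c shell.
    """
    while pid in parents:
        pid = parents[pid]
        if images.get(pid) != "cmd.exe":
            return pid
    return pid


def find_tamper_chains(events):
    """Return findings for admin-tool kills and takeown -> icacls chains."""
    parents = {e["pid"]: e["ppid"] for e in events}
    images = {e["pid"]: e["image"].rsplit("\\", 1)[-1].lower() for e in events}
    owned = {}          # (launcher pid, normalised path) -> takeown.exe pid
    findings = []
    for e in events:                                  # creation order
        image, cmd = images[e["pid"]], e["cmdline"]
        launcher = _launcher_of(e["pid"], parents, images)
        # Match on the helper binary, not on the cmd.exe /c line that wraps it:
        # each action is counted once and %username% is already expanded.
        if image == "taskkill.exe" and (m := TASKKILL_RE.search(cmd)):
            target = m.group(1).lower()
            if target in ADMIN_TOOLS:
                findings.append({"type": "kill_admin_tool", "pid": e["pid"],
                                 "launcher": launcher, "target": target})
        elif image == "takeown.exe" and (m := TAKEOWN_RE.search(cmd)):
            path = m.group(1).lower()
            if path.startswith(PROTECTED_PREFIX):
                owned[(launcher, path)] = e["pid"]
        elif image == "icacls.exe" and (m := ICACLS_RE.search(cmd)):
            path, who, perm = m.group(1).lower(), m.group(2), m.group(3).upper()
            if path.startswith(PROTECTED_PREFIX) and (launcher, path) in owned:
                findings.append({"type": "system_binary_acl_hijack",
                                 "pid": e["pid"], "launcher": launcher,
                                 "target": path, "grantee": who, "perm": perm,
                                 "takeown_pid": owned[(launcher, path)]})
    return findings


# Constructed from the report's process tree; sample.exe stands in for the
# SHA-256-named binary and PID 1000 for its parent, which the report omits.
SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\sample.exe"
CMD = r"C:\Windows\SysWOW64\cmd.exe"
W64 = r"C:\Windows\SysWOW64"


def _ev(pid, ppid, image, cmdline):
    return {"pid": pid, "ppid": ppid, "image": image, "cmdline": cmdline}


EVENTS = [
    _ev(1584, 1000, SAMPLE, f'"{SAMPLE}"'),
    _ev(1752, 1584, CMD, r'"C:\Windows\System32\cmd.exe" /c taskkill /f /im OpenConsole.exe'),
    _ev(1992, 1752, W64 + r"\taskkill.exe", "taskkill /f /im OpenConsole.exe"),
    _ev(2216, 1584, CMD, r'"C:\Windows\System32\cmd.exe" /c taskkill /f /im taskmgr.exe'),
    _ev(2688, 2216, W64 + r"\taskkill.exe", "taskkill /f /im taskmgr.exe"),
    _ev(2740, 1584, CMD, r'"C:\Windows\System32\cmd.exe" /c takeown /f C:\Windows\regedit.exe'),
    _ev(2520, 2740, W64 + r"\takeown.exe", r"takeown /f C:\Windows\regedit.exe"),
    _ev(2492, 1584, CMD, r'"C:\Windows\System32\cmd.exe" /c icacls C:\Windows\regedit.exe /grant %username%:F'),
    _ev(2416, 2492, W64 + r"\icacls.exe", r"icacls C:\Windows\regedit.exe /grant Admin:F"),
    _ev(1660, 1584, CMD, r'"C:\Windows\System32\cmd.exe" /c takeown /f C:\Windows\System32\WindowsPowerShell\*.* /r /d y'),
    _ev(3008, 1660, W64 + r"\takeown.exe", r"takeown /f C:\Windows\System32\WindowsPowerShell\*.* /r /d y"),
    _ev(2116, 1584, CMD, r'"C:\Windows\System32\cmd.exe" /c icacls C:\Windows\System32\WindowsPowerShell\*.* /grant %username%:F /t'),
    _ev(2412, 2116, W64 + r"\icacls.exe", r"icacls C:\Windows\System32\WindowsPowerShell\*.* /grant Admin:F /t"),
    # Benign controls (constructed): an admin re-ACLing their own project folder.
    _ev(4100, 4000, W64 + r"\takeown.exe", r"takeown /f C:\Users\Admin\Projects /r /d y"),
    _ev(4101, 4000, W64 + r"\icacls.exe", r"icacls C:\Users\Admin\Projects /grant Admin:F /t"),
]

if __name__ == "__main__":
    for finding in find_tamper_chains(EVENTS):
        print(finding)
```

On these records the detector returns two kill_admin_tool findings (OpenConsole.exe, taskmgr.exe) and two system_binary_acl_hijack findings (regedit.exe and the System32\WindowsPowerShell wildcard), all attributed to launcher PID 1584, while the takeown/icacls pair on the user's own folder is ignored. In a live feed, bound the pairing by time window as well as by launcher, and treat a lone takeown or icacls under C:\Windows as a lower-severity finding rather than silence.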
Processes

Depth 1 is the submitted sample, depth 2 the cmd.exe /c shells it spawns, and depth 3 the helper each shell runs. The helpers' image paths are under C:\Windows\SysWOW64 even though the command lines name C:\Windows\System32: the sample is a 32-bit executable, so its children are resolved through the WOW64 file-system redirector. The same redirector applies to the paths those 32-bit helpers are told to modify. Note also that %username% in each icacls shell line has been expanded to Admin by the time icacls.exe runs.

1  C:\Users\Admin\AppData\Local\Temp\280726bc2581c404537657892f885744bf8077a2cf7fb36281afc5897f26b31bN.exe  [PID 1584]
   command line: "C:\Users\Admin\AppData\Local\Temp\280726bc2581c404537657892f885744bf8077a2cf7fb36281afc5897f26b31bN.exe"
   - System Location Discovery: System Language Discovery
   - Suspicious use of WriteProcessMemory

  2  C:\Windows\SysWOW64\cmd.exe  [PID 1752]
     command line: "C:\Windows\System32\cmd.exe" /c taskkill /f /im OpenConsole.exe
     - System Location Discovery: System Language Discovery
     - Suspicious use of WriteProcessMemory

    3  C:\Windows\SysWOW64\taskkill.exe  [PID 1992]
       command line: taskkill /f /im OpenConsole.exe
       - System Location Discovery: System Language Discovery
       - Kills process with taskkill
       - Suspicious use of AdjustPrivilegeToken

  2  C:\Windows\SysWOW64\cmd.exe  [PID 2420]
     command line: "C:\Windows\System32\cmd.exe" /c taskkill /t /f /im WindowsTerminal.exe
     - System Location Discovery: System Language Discovery
     - Suspicious use of WriteProcessMemory

    3  C:\Windows\SysWOW64\taskkill.exe  [PID 320]
       command line: taskkill /t /f /im WindowsTerminal.exe
       - System Location Discovery: System Language Discovery
       - Kills process with taskkill
       - Suspicious use of AdjustPrivilegeToken

  2  C:\Windows\SysWOW64\cmd.exe  [PID 2876]
     command line: "C:\Windows\System32\cmd.exe" /c taskkill /f /im regedit.exe
     - System Location Discovery: System Language Discovery
     - Suspicious use of WriteProcessMemory

    3  C:\Windows\SysWOW64\taskkill.exe  [PID 2160]
       command line: taskkill /f /im regedit.exe
       - System Location Discovery: System Language Discovery
       - Kills process with taskkill
       - Suspicious use of AdjustPrivilegeToken

  2  C:\Windows\SysWOW64\cmd.exe  [PID 2148]
     command line: "C:\Windows\System32\cmd.exe" /c taskkill /f /im cmd.exe
     - System Location Discovery: System Language Discovery
     - Suspicious use of WriteProcessMemory

    3  C:\Windows\SysWOW64\taskkill.exe  [PID 2936]
       command line: taskkill /f /im cmd.exe
       - System Location Discovery: System Language Discovery
       - Kills process with taskkill
       - Suspicious use of AdjustPrivilegeToken

  2  C:\Windows\SysWOW64\cmd.exe  [PID 2216]
     command line: "C:\Windows\System32\cmd.exe" /c taskkill /f /im taskmgr.exe
     - System Location Discovery: System Language Discovery
     - Suspicious use of WriteProcessMemory

    3  C:\Windows\SysWOW64\taskkill.exe  [PID 2688]
       command line: taskkill /f /im taskmgr.exe
       - System Location Discovery: System Language Discovery
       - Kills process with taskkill
       - Suspicious use of AdjustPrivilegeToken

  2  C:\Windows\SysWOW64\cmd.exe  [PID 2740]
     command line: "C:\Windows\System32\cmd.exe" /c takeown /f C:\Windows\regedit.exe
     - System Location Discovery: System Language Discovery
     - Suspicious use of WriteProcessMemory

    3  C:\Windows\SysWOW64\takeown.exe  [PID 2520]
       command line: takeown /f C:\Windows\regedit.exe
       - Possible privilege escalation attempt
       - Modifies file permissions
       - System Location Discovery: System Language Discovery
       - Suspicious use of AdjustPrivilegeToken

  2  C:\Windows\SysWOW64\cmd.exe  [PID 2492]
     command line: "C:\Windows\System32\cmd.exe" /c icacls C:\Windows\regedit.exe /grant %username%:F
     - System Location Discovery: System Language Discovery
     - Suspicious use of WriteProcessMemory

    3  C:\Windows\SysWOW64\icacls.exe  [PID 2416]
       command line: icacls C:\Windows\regedit.exe /grant Admin:F
       - Possible privilege escalation attempt
       - Modifies file permissions
       - System Location Discovery: System Language Discovery

  2  C:\Windows\SysWOW64\cmd.exe  [PID 1308]
     command line: "C:\Windows\System32\cmd.exe" /c takeown /f C:\Windows\System32\cmd.exe
     - System Location Discovery: System Language Discovery
     - Suspicious use of WriteProcessMemory

    3  C:\Windows\SysWOW64\takeown.exe  [PID 340]
       command line: takeown /f C:\Windows\System32\cmd.exe
       - Possible privilege escalation attempt
       - Modifies file permissions
       - System Location Discovery: System Language Discovery
       - Suspicious use of AdjustPrivilegeToken

  2  C:\Windows\SysWOW64\cmd.exe  [PID 2956]
     command line: "C:\Windows\System32\cmd.exe" /c icacls C:\Windows\System32\cmd.exe /grant %username%:F
     - System Location Discovery: System Language Discovery

    3  C:\Windows\SysWOW64\icacls.exe  [PID 2352]
       command line: icacls C:\Windows\System32\cmd.exe /grant Admin:F
       - Possible privilege escalation attempt
       - Modifies file permissions
       - System Location Discovery: System Language Discovery

  2  C:\Windows\SysWOW64\cmd.exe  [PID 1660]
     command line: "C:\Windows\System32\cmd.exe" /c takeown /f C:\Windows\System32\WindowsPowerShell\*.* /r /d y
     - System Location Discovery: System Language Discovery

    3  C:\Windows\SysWOW64\takeown.exe  [PID 3008]
       command line: takeown /f C:\Windows\System32\WindowsPowerShell\*.* /r /d y
       - Possible privilege escalation attempt
       - Modifies file permissions
       - System Location Discovery: System Language Discovery
       - Suspicious use of AdjustPrivilegeToken

  2  C:\Windows\SysWOW64\cmd.exe  [PID 2116]
     command line: "C:\Windows\System32\cmd.exe" /c icacls C:\Windows\System32\WindowsPowerShell\*.* /grant %username%:F /t
     - System Location Discovery: System Language Discovery

    3  C:\Windows\SysWOW64\icacls.exe  [PID 2412]
       command line: icacls C:\Windows\System32\WindowsPowerShell\*.* /grant Admin:F /t
       - Possible privilege escalation attempt
       - Modifies file permissions
       - System Location Discovery: System Language Discovery

  2  C:\Windows\SysWOW64\cmd.exe  [PID 2104]
     command line: "C:\Windows\System32\cmd.exe" /c takeown /f C:\Windows\SysWOW64\WindowsPowerShell\*.* /r /d y
     - System Location Discovery: System Language Discovery

    3  C:\Windows\SysWOW64\takeown.exe  [PID 1952]
       command line: takeown /f C:\Windows\SysWOW64\WindowsPowerShell\*.* /r /d y
       - Possible privilege escalation attempt
       - Modifies file permissions
       - System Location Discovery: System Language Discovery

  2  C:\Windows\SysWOW64\cmd.exe  [PID 1900]
     command line: "C:\Windows\System32\cmd.exe" /c icacls C:\Windows\SysWOW64\WindowsPowerShell\*.* /grant %username%:F /t
     - System Location Discovery: System Language Discovery

    3  C:\Windows\SysWOW64\icacls.exe  [PID 1904]
       command line: icacls C:\Windows\SysWOW64\WindowsPowerShell\*.* /grant Admin:F /t
       - Possible privilege escalation attempt
       - Modifies file permissions
       - System Location Discovery: System Language Discovery

  2  C:\Windows\SysWOW64\cmd.exe  [PID 3064]
     command line: "C:\Windows\System32\cmd.exe" /c takeown /f C:\Windows\System32\regedt32.exe
     - System Location Discovery: System Language Discovery

    3  C:\Windows\SysWOW64\takeown.exe  [PID 3028]
       command line: takeown /f C:\Windows\System32\regedt32.exe
       - Possible privilege escalation attempt
       - Modifies file permissions
       - System Location Discovery: System Language Discovery
       - Suspicious use of AdjustPrivilegeToken

  2  C:\Windows\SysWOW64\cmd.exe  [PID 2212]
     command line: "C:\Windows\System32\cmd.exe" /c icacls C:\Windows\System32\regedt32.exe /grant %username%:F
     - System Location Discovery: System Language Discovery

    3  C:\Windows\SysWOW64\icacls.exe  [PID 2244]
       command line: icacls C:\Windows\System32\regedt32.exe /grant Admin:F
       - Possible privilege escalation attempt
       - Modifies file permissions
       - System Location Discovery: System Language Discovery

  2  C:\Windows\SysWOW64\cmd.exe  [PID 2076]
     command line: "C:\Windows\System32\cmd.exe" /c takeown /f C:\Windows\System32\reg.exe
     - System Location Discovery: System Language Discovery

    3  C:\Windows\SysWOW64\takeown.exe  [PID 2204]
       command line: takeown /f C:\Windows\System32\reg.exe
       - Possible privilege escalation attempt
       - Modifies file permissions
       - System Location Discovery: System Language Discovery
       - Suspicious use of AdjustPrivilegeToken

  2  C:\Windows\SysWOW64\cmd.exe  [PID 1372]
     command line: "C:\Windows\System32\cmd.exe" /c icacls C:\Windows\System32\reg.exe /grant %username%:F
     - System Location Discovery: System Language Discovery

    3  C:\Windows\SysWOW64\icacls.exe  [PID 1516]
       command line: icacls C:\Windows\System32\reg.exe /grant Admin:F
       - Possible privilege escalation attempt
       - Modifies file permissions
       - System Location Discovery: System Language Discovery

  2  C:\Windows\SysWOW64\cmd.exe  [PID 2096]
     command line: "C:\Windows\System32\cmd.exe" /c takeown /f C:\Windows\System32\WindowsPowerShell\v1.0\powershell_ise.exe
     - System Location Discovery: System Language Discovery

    3  C:\Windows\SysWOW64\takeown.exe  [PID 748]
       command line: takeown /f C:\Windows\System32\WindowsPowerShell\v1.0\powershell_ise.exe
       - Possible privilege escalation attempt
       - Modifies file permissions
       - System Location Discovery: System Language Discovery

  2  C:\Windows\SysWOW64\cmd.exe  [PID 448]
     command line: "C:\Windows\System32\cmd.exe" /c icacls C:\Windows\System32\WindowsPowerShell\v1.0\powershell_ise.exe /grant %username%:F
     - System Location Discovery: System Language Discovery

    3  C:\Windows\SysWOW64\icacls.exe  [PID 2584]
       command line: icacls C:\Windows\System32\WindowsPowerShell\v1.0\powershell_ise.exe /grant Admin:F
       - Possible privilege escalation attempt
       - Modifies file permissions
       - System Location Discovery: System Language Discovery

  2  C:\Windows\SysWOW64\cmd.exe  [PID 1908]
     command line: "C:\Windows\System32\cmd.exe" /c takeown /f C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
     - System Location Discovery: System Language Discovery

    3  C:\Windows\SysWOW64\takeown.exe  [PID 1760]
       command line: takeown /f C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
       - Possible privilege escalation attempt
       - Modifies file permissions
       - System Location Discovery: System Language Discovery

  2  C:\Windows\SysWOW64\cmd.exe  [PID 944]
     command line: "C:\Windows\System32\cmd.exe" /c icacls C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe /grant %username%:F
     - System Location Discovery: System Language Discovery

    3  C:\Windows\SysWOW64\icacls.exe  [PID 1836]
       command line: icacls C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe /grant Admin:F
       - Possible privilege escalation attempt
       - Modifies file permissions
       - System Location Discovery: System Language Discovery
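Before cleaning up, work out which files the tree above could actually have touched. Every takeown.exe and icacls.exe ran from C:\Windows\SysWOW64, i.e. as a 32-bit process on the x64 image, and a 32-bit process that opens C:\Windows\System32\... is sent by the WOW64 file-system redirector to C:\Windows\SysWOW64\... unless it disables the redirector, which these helpers do not. The report does not record which files changed, so the list this produces is what to verify on disk, not a statement of fact. The following is an added example, not the sandbox's or the sample author's code; it assumes the grantee was Admin as shown in the tree, takes the exemption list from the WOW64 redirector documentation, and carries the per-target recursive flag (/r on takeown, /t on icacls) through to the restore commands.

```python
r"""Resolve which files the 32-bit takeown/icacls helpers could really reach,
and emit the icacls commands that hand the binaries back to TrustedInstaller.

Added example, not part of the report. Assumes the helpers left WOW64
file-system redirection enabled and that the grantee was Admin.
"""

WINDIR = "C:\\Windows"
# System32 subtrees the redirector leaves alone (WOW64 redirector docs).
NOT_REDIRECTED = ("catroot", "catroot2", "driverstore", "drivers\\etc",
                  "logfiles", "spool")

# Targets exactly as the sample passed them, with the recursive flag
# (/r on takeown, /t on icacls) it used for each one.
TARGETS = [
    (r"C:\Windows\regedit.exe", False),
    (r"C:\Windows\System32\cmd.exe", False),
    (r"C:\Windows\System32\WindowsPowerShell\*.*", True),
    (r"C:\Windows\SysWOW64\WindowsPowerShell\*.*", True),
    (r"C:\Windows\System32\regedt32.exe", False),
    (r"C:\Windows\System32\reg.exe", False),
    (r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell_ise.exe", False),
    (r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", False),
]


def resolve_wow64(path, is_32bit=True, x64_os=True):
    """Path a file API call really lands on, given the caller's bitness."""
    if not (is_32bit and x64_os):
        return path                          # native process: no redirector
    p = path.replace("/", "\\")
    low = p.lower()
    sys32 = (WINDIR + "\\System32\\").lower()
    sysnative = (WINDIR + "\\Sysnative\\").lower()
    if low.startswith(sysnative):            # documented escape hatch
        return WINDIR + "\\System32\\" + p[len(sysnative):]
    if not low.startswith(sys32):
        return path                          # e.g. regedit.exe in C:\Windows
    rest = p[len(sys32):]
    rl = rest.lower()
    if any(rl == ex or rl.startswith(ex + "\\") for ex in NOT_REDIRECTED):
        return path
    return WINDIR + "\\SysWOW64\\" + rest


def affected_files(targets):
    """Resolve every target through the redirector and drop duplicates.

    Both WindowsPowerShell wildcard entries collapse onto the SysWOW64 copy:
    the sample's attempt to cover both directories only ever reached one.
    """
    out = []
    for path, recursive in targets:
        item = (resolve_wow64(path), recursive)
        if item not in out:
            out.append(item)
    return out


def restore_commands(targets, grantee="Admin"):
    """icacls lines that undo the hijack: strip the granted ACE, then hand the
    owner back to TrustedInstaller. Run them from an elevated prompt."""
    cmds = []
    for real, recursive in affected_files(targets):
        rec = " /t" if recursive else ""
        cmds.append(f'icacls "{real}" /remove:g {grantee}{rec} /c')
        cmds.append(f'icacls "{real}" /setowner "NT SERVICE\\TrustedInstaller"{rec} /c')
    return cmds


if __name__ == "__main__":
    for line in restore_commands(TARGETS):
        print(line)
```

The eight targets resolve to seven distinct paths, and only C:\Windows\regedit.exe is outside the redirected tree; the native 64-bit cmd.exe, reg.exe and powershell.exe in System32 would be untouched unless the sample had disabled redirection. After restoring ownership, confirm the binaries themselves were not replaced with sfc /verifyfile=<path> for each resolved file, and compare the ACLs against a clean machine of the same build, since /setowner does not restore the original DACL.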