Analysis
- max time kernel: 106s
- max time network: 107s
- platform: windows10-2004_x64
- resource: win10v2004-20241007-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 05-11-2024 13:43

Static task: static1
Behavioral task: behavioral1
Sample: 280726bc2581c404537657892f885744bf8077a2cf7fb36281afc5897f26b31bN.exe
Resource: win7-20241023-en

General
- Target: 280726bc2581c404537657892f885744bf8077a2cf7fb36281afc5897f26b31bN.exe
- Size: 34KB
- MD5: 78cf3240cde4b1a491f16b61b66b5990
- SHA1: 80e488f19c6c572080893dd75c4a5dbc3393c7bb
- SHA256: 280726bc2581c404537657892f885744bf8077a2cf7fb36281afc5897f26b31b
- SHA512: 3c170762e75804da5d4c2df6f3ed36390e11037443b4f0cbc8a7feb8bd7e0e9d050a0fa11a0d05de2348fc6af0b4f7feb15e3fe61e89cdf78ee90b42acb5bcd7
- SSDEEP: 768:PumRjoV0l6yzJT+yeZoV0l6yzJT+yez+ZtYcFA/Vc6K:WTV04qxBjV04qxB4+Z8Vcl
Malware Config
Signatures
- Possible privilege escalation attempt (16 IoCs)
  Processes (pid process): 3544 icacls.exe, 4428 takeown.exe, 4880 icacls.exe, 4660 icacls.exe, 516 icacls.exe, 4176 icacls.exe, 4792 takeown.exe, 2372 takeown.exe, 2200 icacls.exe, 4072 takeown.exe, 2584 takeown.exe, 4004 takeown.exe, 4036 takeown.exe, 2856 icacls.exe, 1416 takeown.exe, 4344 icacls.exe
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up the country code configured in the registry, likely a geofence.
  Key value queried: \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation (by 280726bc2581c404537657892f885744bf8077a2cf7fb36281afc5897f26b31bN.exe)
- Modifies file permissions (1 TTP, 16 IoCs)
  Processes (pid process): 2372 takeown.exe, 1416 takeown.exe, 516 icacls.exe, 4660 icacls.exe, 2856 icacls.exe, 3544 icacls.exe, 4036 takeown.exe, 4344 icacls.exe, 2200 icacls.exe, 4880 icacls.exe, 4428 takeown.exe, 4004 takeown.exe, 4176 icacls.exe, 4792 takeown.exe, 4072 takeown.exe, 2584 takeown.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- System Location Discovery: System Language Discovery (1 TTP, 43 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language, 43 times in total: by cmd.exe (21), icacls.exe (8), takeown.exe (8), taskkill.exe (5) and 280726bc2581c404537657892f885744bf8077a2cf7fb36281afc5897f26b31bN.exe (1)
- Kills process with taskkill (5 IoCs)
  Processes (pid process): 4324 taskkill.exe, 996 taskkill.exe, 4016 taskkill.exe, 2124 taskkill.exe, 2620 taskkill.exe
- Suspicious use of AdjustPrivilegeToken (10 IoCs)
  Token SeDebugPrivilege: 4016 taskkill.exe, 2124 taskkill.exe, 2620 taskkill.exe, 4324 taskkill.exe, 996 taskkill.exe
  Token SeTakeOwnershipPrivilege: 4036 takeown.exe, 2372 takeown.exe, 4792 takeown.exe, 4428 takeown.exe, 1416 takeown.exe
- Suspicious use of WriteProcessMemory (64 IoCs)
  Parent -> child writes (each write is logged three times; the report is truncated at 64 IoCs):
  3564 280726bc2581c404537657892f885744bf8077a2cf7fb36281afc5897f26b31bN.exe -> 4568 cmd.exe; 4568 cmd.exe -> 4016 taskkill.exe
  3564 280726bc2581c404537657892f885744bf8077a2cf7fb36281afc5897f26b31bN.exe -> 3528 cmd.exe; 3528 cmd.exe -> 2124 taskkill.exe
  3564 280726bc2581c404537657892f885744bf8077a2cf7fb36281afc5897f26b31bN.exe -> 4616 cmd.exe; 4616 cmd.exe -> 2620 taskkill.exe
  3564 280726bc2581c404537657892f885744bf8077a2cf7fb36281afc5897f26b31bN.exe -> 4680 cmd.exe; 4680 cmd.exe -> 4324 taskkill.exe
  3564 280726bc2581c404537657892f885744bf8077a2cf7fb36281afc5897f26b31bN.exe -> 4704 cmd.exe; 4704 cmd.exe -> 996 taskkill.exe
  3564 280726bc2581c404537657892f885744bf8077a2cf7fb36281afc5897f26b31bN.exe -> 804 cmd.exe; 804 cmd.exe -> 4036 takeown.exe
  3564 280726bc2581c404537657892f885744bf8077a2cf7fb36281afc5897f26b31bN.exe -> 2144 cmd.exe; 2144 cmd.exe -> 4344 icacls.exe
  3564 280726bc2581c404537657892f885744bf8077a2cf7fb36281afc5897f26b31bN.exe -> 2756 cmd.exe; 2756 cmd.exe -> 2372 takeown.exe
  3564 280726bc2581c404537657892f885744bf8077a2cf7fb36281afc5897f26b31bN.exe -> 3416 cmd.exe; 3416 cmd.exe -> 2200 icacls.exe
  3564 280726bc2581c404537657892f885744bf8077a2cf7fb36281afc5897f26b31bN.exe -> 2860 cmd.exe; 2860 cmd.exe -> 4792 takeown.exe
  3564 280726bc2581c404537657892f885744bf8077a2cf7fb36281afc5897f26b31bN.exe -> 2328 cmd.exe; 2328 cmd.exe -> 4880 icacls.exe (logged once before truncation)
Processes
Tree depth is shown in brackets; each entry gives the image path, the command line and the PID, followed by the signatures that matched it. The image paths resolve to C:\Windows\SysWOW64 even where the command line names System32 because the sample is 32-bit (resource tag arch:x86) and its children run under WOW64 file system redirection.

[1] C:\Users\Admin\AppData\Local\Temp\280726bc2581c404537657892f885744bf8077a2cf7fb36281afc5897f26b31bN.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\280726bc2581c404537657892f885744bf8077a2cf7fb36281afc5897f26b31bN.exe"
    PID: 3564
    - Checks computer location settings
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
  [2] C:\Windows\SysWOW64\cmd.exe
      Command line: "C:\Windows\System32\cmd.exe" /c taskkill /f /im OpenConsole.exe
      PID: 4568
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
    [3] C:\Windows\SysWOW64\taskkill.exe
        Command line: taskkill /f /im OpenConsole.exe
        PID: 4016
        - System Location Discovery: System Language Discovery
        - Kills process with taskkill
        - Suspicious use of AdjustPrivilegeToken
  [2] C:\Windows\SysWOW64\cmd.exe
      Command line: "C:\Windows\System32\cmd.exe" /c taskkill /t /f /im WindowsTerminal.exe
      PID: 3528
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
    [3] C:\Windows\SysWOW64\taskkill.exe
        Command line: taskkill /t /f /im WindowsTerminal.exe
        PID: 2124
        - System Location Discovery: System Language Discovery
        - Kills process with taskkill
        - Suspicious use of AdjustPrivilegeToken
  [2] C:\Windows\SysWOW64\cmd.exe
      Command line: "C:\Windows\System32\cmd.exe" /c taskkill /f /im regedit.exe
      PID: 4616
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
    [3] C:\Windows\SysWOW64\taskkill.exe
        Command line: taskkill /f /im regedit.exe
        PID: 2620
        - System Location Discovery: System Language Discovery
        - Kills process with taskkill
        - Suspicious use of AdjustPrivilegeToken
  [2] C:\Windows\SysWOW64\cmd.exe
      Command line: "C:\Windows\System32\cmd.exe" /c taskkill /f /im cmd.exe
      PID: 4680
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
    [3] C:\Windows\SysWOW64\taskkill.exe
        Command line: taskkill /f /im cmd.exe
        PID: 4324
        - System Location Discovery: System Language Discovery
        - Kills process with taskkill
        - Suspicious use of AdjustPrivilegeToken
  [2] C:\Windows\SysWOW64\cmd.exe
      Command line: "C:\Windows\System32\cmd.exe" /c taskkill /f /im taskmgr.exe
      PID: 4704
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
    [3] C:\Windows\SysWOW64\taskkill.exe
        Command line: taskkill /f /im taskmgr.exe
        PID: 996
        - System Location Discovery: System Language Discovery
        - Kills process with taskkill
        - Suspicious use of AdjustPrivilegeToken
  [2] C:\Windows\SysWOW64\cmd.exe
      Command line: "C:\Windows\System32\cmd.exe" /c takeown /f C:\Windows\regedit.exe
      PID: 804
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
    [3] C:\Windows\SysWOW64\takeown.exe
        Command line: takeown /f C:\Windows\regedit.exe
        PID: 4036
        - Possible privilege escalation attempt
        - Modifies file permissions
        - System Location Discovery: System Language Discovery
        - Suspicious use of AdjustPrivilegeToken
  [2] C:\Windows\SysWOW64\cmd.exe
      Command line: "C:\Windows\System32\cmd.exe" /c icacls C:\Windows\regedit.exe /grant %username%:F
      PID: 2144
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
    [3] C:\Windows\SysWOW64\icacls.exe
        Command line: icacls C:\Windows\regedit.exe /grant Admin:F
        PID: 4344
        - Possible privilege escalation attempt
        - Modifies file permissions
        - System Location Discovery: System Language Discovery
  [2] C:\Windows\SysWOW64\cmd.exe
      Command line: "C:\Windows\System32\cmd.exe" /c takeown /f C:\Windows\System32\cmd.exe
      PID: 2756
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
    [3] C:\Windows\SysWOW64\takeown.exe
        Command line: takeown /f C:\Windows\System32\cmd.exe
        PID: 2372
        - Possible privilege escalation attempt
        - Modifies file permissions
        - System Location Discovery: System Language Discovery
        - Suspicious use of AdjustPrivilegeToken
  [2] C:\Windows\SysWOW64\cmd.exe
      Command line: "C:\Windows\System32\cmd.exe" /c icacls C:\Windows\System32\cmd.exe /grant %username%:F
      PID: 3416
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
    [3] C:\Windows\SysWOW64\icacls.exe
        Command line: icacls C:\Windows\System32\cmd.exe /grant Admin:F
        PID: 2200
        - Possible privilege escalation attempt
        - Modifies file permissions
        - System Location Discovery: System Language Discovery
  [2] C:\Windows\SysWOW64\cmd.exe
      Command line: "C:\Windows\System32\cmd.exe" /c takeown /f C:\Windows\System32\WindowsPowerShell\*.* /r /d y
      PID: 2860
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
    [3] C:\Windows\SysWOW64\takeown.exe
        Command line: takeown /f C:\Windows\System32\WindowsPowerShell\*.* /r /d y
        PID: 4792
        - Possible privilege escalation attempt
        - Modifies file permissions
        - System Location Discovery: System Language Discovery
        - Suspicious use of AdjustPrivilegeToken
  [2] C:\Windows\SysWOW64\cmd.exe
      Command line: "C:\Windows\System32\cmd.exe" /c icacls C:\Windows\System32\WindowsPowerShell\*.* /grant %username%:F /t
      PID: 2328
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
    [3] C:\Windows\SysWOW64\icacls.exe
        Command line: icacls C:\Windows\System32\WindowsPowerShell\*.* /grant Admin:F /t
        PID: 4880
        - Possible privilege escalation attempt
        - Modifies file permissions
        - System Location Discovery: System Language Discovery
  [2] C:\Windows\SysWOW64\cmd.exe
      Command line: "C:\Windows\System32\cmd.exe" /c takeown /f C:\Windows\SysWOW64\WindowsPowerShell\*.* /r /d y
      PID: 2596
      - System Location Discovery: System Language Discovery
    [3] C:\Windows\SysWOW64\takeown.exe
        Command line: takeown /f C:\Windows\SysWOW64\WindowsPowerShell\*.* /r /d y
        PID: 4072
        - Possible privilege escalation attempt
        - Modifies file permissions
        - System Location Discovery: System Language Discovery
  [2] C:\Windows\SysWOW64\cmd.exe
      Command line: "C:\Windows\System32\cmd.exe" /c icacls C:\Windows\SysWOW64\WindowsPowerShell\*.* /grant %username%:F /t
      PID: 2868
      - System Location Discovery: System Language Discovery
    [3] C:\Windows\SysWOW64\icacls.exe
        Command line: icacls C:\Windows\SysWOW64\WindowsPowerShell\*.* /grant Admin:F /t
        PID: 4660
        - Possible privilege escalation attempt
        - Modifies file permissions
        - System Location Discovery: System Language Discovery
  [2] C:\Windows\SysWOW64\cmd.exe
      Command line: "C:\Windows\System32\cmd.exe" /c takeown /f C:\Windows\System32\regedt32.exe
      PID: 3648
      - System Location Discovery: System Language Discovery
    [3] C:\Windows\SysWOW64\takeown.exe
        Command line: takeown /f C:\Windows\System32\regedt32.exe
        PID: 4428
        - Possible privilege escalation attempt
        - Modifies file permissions
        - System Location Discovery: System Language Discovery
        - Suspicious use of AdjustPrivilegeToken
  [2] C:\Windows\SysWOW64\cmd.exe
      Command line: "C:\Windows\System32\cmd.exe" /c icacls C:\Windows\System32\regedt32.exe /grant %username%:F
      PID: 4796
      - System Location Discovery: System Language Discovery
    [3] C:\Windows\SysWOW64\icacls.exe
        Command line: icacls C:\Windows\System32\regedt32.exe /grant Admin:F
        PID: 2856
        - Possible privilege escalation attempt
        - Modifies file permissions
        - System Location Discovery: System Language Discovery
  [2] C:\Windows\SysWOW64\cmd.exe
      Command line: "C:\Windows\System32\cmd.exe" /c takeown /f C:\Windows\System32\reg.exe
      PID: 3868
      - System Location Discovery: System Language Discovery
    [3] C:\Windows\SysWOW64\takeown.exe
        Command line: takeown /f C:\Windows\System32\reg.exe
        PID: 1416
        - Possible privilege escalation attempt
        - Modifies file permissions
        - System Location Discovery: System Language Discovery
        - Suspicious use of AdjustPrivilegeToken
  [2] C:\Windows\SysWOW64\cmd.exe
      Command line: "C:\Windows\System32\cmd.exe" /c icacls C:\Windows\System32\reg.exe /grant %username%:F
      PID: 372
      - System Location Discovery: System Language Discovery
    [3] C:\Windows\SysWOW64\icacls.exe
        Command line: icacls C:\Windows\System32\reg.exe /grant Admin:F
        PID: 516
        - Possible privilege escalation attempt
        - Modifies file permissions
        - System Location Discovery: System Language Discovery
  [2] C:\Windows\SysWOW64\cmd.exe
      Command line: "C:\Windows\System32\cmd.exe" /c takeown /f C:\Windows\System32\WindowsPowerShell\v1.0\powershell_ise.exe
      PID: 4548
      - System Location Discovery: System Language Discovery
    [3] C:\Windows\SysWOW64\takeown.exe
        Command line: takeown /f C:\Windows\System32\WindowsPowerShell\v1.0\powershell_ise.exe
        PID: 2584
        - Possible privilege escalation attempt
        - Modifies file permissions
        - System Location Discovery: System Language Discovery
  [2] C:\Windows\SysWOW64\cmd.exe
      Command line: "C:\Windows\System32\cmd.exe" /c icacls C:\Windows\System32\WindowsPowerShell\v1.0\powershell_ise.exe /grant %username%:F
      PID: 680
      - System Location Discovery: System Language Discovery
    [3] C:\Windows\SysWOW64\icacls.exe
        Command line: icacls C:\Windows\System32\WindowsPowerShell\v1.0\powershell_ise.exe /grant Admin:F
        PID: 4176
        - Possible privilege escalation attempt
        - Modifies file permissions
        - System Location Discovery: System Language Discovery
  [2] C:\Windows\SysWOW64\cmd.exe
      Command line: "C:\Windows\System32\cmd.exe" /c takeown /f C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      PID: 3356
      - System Location Discovery: System Language Discovery
    [3] C:\Windows\SysWOW64\takeown.exe
        Command line: takeown /f C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        PID: 4004
        - Possible privilege escalation attempt
        - Modifies file permissions
        - System Location Discovery: System Language Discovery
  [2] C:\Windows\SysWOW64\cmd.exe
      Command line: "C:\Windows\System32\cmd.exe" /c icacls C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe /grant %username%:F
      PID: 1092
      - System Location Discovery: System Language Discovery
    [3] C:\Windows\SysWOW64\icacls.exe
        Command line: icacls C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe /grant Admin:F
        PID: 3544
        - Possible privilege escalation attempt
        - Modifies file permissions
        - System Location Discovery: System Language Discovery