Analysis
Max time kernel: 112s
Max time network: 117s
Platform: windows10-2004_x64
Resource: win10v2004-20220901-en
Resource tags: arch:x64, arch:x86, image:win10v2004-20220901-en, locale:en-us, os:windows10-2004-x64, system
Submitted: 01-10-2022 18:56

Static task: static1
Behavioral task: behavioral1
Sample: e9994d8fa465cc98138ee550b5e96465331614a71431d1f8f9d077547816369d.exe
Resource: win7-20220812-en

General
Target: e9994d8fa465cc98138ee550b5e96465331614a71431d1f8f9d077547816369d.exe
Size: 72KB
MD5: 0a0b8feecd353748e99aa8e920dc45b0
SHA1: 35b5f1492c3508b0e5dd218befedbd1bbb01391c
SHA256: e9994d8fa465cc98138ee550b5e96465331614a71431d1f8f9d077547816369d
SHA512: 0b3adaf3e69fd0ca68a555f326601cc61a39553162a0b810eef6e1ad6bde4c892d1a6d8c2bdaf3323589161ead6158dabb0de6b5674ed12198688c8754f32d85
SSDEEP: 1536:7IRI+tLOd1NfqA5GdXZpkL40fHc2kbpE5WK99BLodcnPoX:7/oU35GdppkL40fHc2kbpE5WK99BLodd
Malware Config
Signatures
-
Possible privilege escalation attempt (34 IoCs)
Processes:
Modifies file permissions (1 TTP, 34 IoCs)
Processes:
Drops file in System32 directory (6 IoCs)
Processes:
e9994d8fa465cc98138ee550b5e96465331614a71431d1f8f9d077547816369d.exe
  File opened for modification  C:\Windows\SysWOW64\ftp.exe
  File opened for modification  C:\Windows\SysWOW64\wscript.exe
  File opened for modification  C:\Windows\SysWOW64\cscript.exe
  File created                  C:\Windows\SysWOW64\qqfs.exe
  File opened for modification  C:\Windows\SysWOW64\qqfs.exe
  File opened for modification  C:\Windows\SysWOW64\cmd.exe
Suspicious use of AdjustPrivilegeToken (16 IoCs)
Processes:
Suspicious use of SetWindowsHookEx (1 IoC)
Processes:
  pid 1412  e9994d8fa465cc98138ee550b5e96465331614a71431d1f8f9d077547816369d.exe
Suspicious use of WriteProcessMemory (64 IoCs)
Processes:
Processes
-
C:\Users\Admin\AppData\Local\Temp\e9994d8fa465cc98138ee550b5e96465331614a71431d1f8f9d077547816369d.exe (level 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\e9994d8fa465cc98138ee550b5e96465331614a71431d1f8f9d077547816369d.exe"
- Drops file in System32 directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\takeown.exe (level 2)
  Command line: C:\Windows\system32\takeown.exe /f "C:\Windows\system32\qqfs.exe"
- Possible privilege escalation attempt
- Modifies file permissions
-
C:\Windows\SysWOW64\icacls.exe (level 2)
  Command line: C:\Windows\system32\icacls.exe "C:\Windows\system32\qqfs.exe" /grant SYSTEM:F
- Possible privilege escalation attempt
- Modifies file permissions
-
C:\Windows\SysWOW64\takeown.exe (level 2)
  Command line: takeown.exe /f "C:\Windows\System32\cmd.exe"
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\icacls.exe (level 2)
  Command line: icacls.exe "C:\Windows\System32\cmd.exe" /grant SYSTEM:F
- Possible privilege escalation attempt
- Modifies file permissions
-
C:\Windows\SysWOW64\takeown.exe (level 2)
  Command line: takeown.exe /f "C:\Windows\System32\cmd.exe"
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\icacls.exe (level 2)
  Command line: icacls.exe "C:\Windows\System32\cmd.exe" /grant SYSTEM:F
- Possible privilege escalation attempt
- Modifies file permissions
-
C:\Windows\SysWOW64\takeown.exe (level 2)
  Command line: takeown.exe /f "C:\Windows\System32\ftp.exe"
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\icacls.exe (level 2)
  Command line: icacls.exe "C:\Windows\System32\ftp.exe" /grant SYSTEM:F
- Possible privilege escalation attempt
- Modifies file permissions
-
C:\Windows\SysWOW64\takeown.exe (level 2)
  Command line: takeown.exe /f "C:\Windows\System32\ftp.exe"
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\icacls.exe (level 2)
  Command line: icacls.exe "C:\Windows\System32\ftp.exe" /grant SYSTEM:F
- Possible privilege escalation attempt
- Modifies file permissions
-
C:\Windows\SysWOW64\takeown.exe (level 2)
  Command line: takeown.exe /f "C:\Windows\System32\wscript.exe"
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\icacls.exe (level 2)
  Command line: icacls.exe "C:\Windows\System32\wscript.exe" /grant SYSTEM:F
- Possible privilege escalation attempt
- Modifies file permissions
-
C:\Windows\SysWOW64\takeown.exe (level 2)
  Command line: takeown.exe /f "C:\Windows\System32\wscript.exe"
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\icacls.exe (level 2)
  Command line: icacls.exe "C:\Windows\System32\wscript.exe" /grant SYSTEM:F
- Possible privilege escalation attempt
- Modifies file permissions
-
C:\Windows\SysWOW64\takeown.exe (level 2)
  Command line: takeown.exe /f "C:\Windows\System32\cscript.exe"
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\icacls.exe (level 2)
  Command line: icacls.exe "C:\Windows\System32\cscript.exe" /grant SYSTEM:F
- Possible privilege escalation attempt
- Modifies file permissions
-
C:\Windows\SysWOW64\takeown.exe (level 2)
  Command line: takeown.exe /f "C:\Windows\System32\cscript.exe"
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\icacls.exe (level 2)
  Command line: icacls.exe "C:\Windows\System32\cscript.exe" /grant SYSTEM:F
- Possible privilege escalation attempt
- Modifies file permissions
-
C:\Windows\SysWOW64\takeown.exe (level 2)
  Command line: takeown.exe /f "C:\Windows\SysWOW64\cmd.exe"
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\icacls.exe (level 2)
  Command line: icacls.exe "C:\Windows\SysWOW64\cmd.exe" /grant SYSTEM:F
- Possible privilege escalation attempt
- Modifies file permissions
-
C:\Windows\SysWOW64\takeown.exe (level 2)
  Command line: takeown.exe /f "C:\Windows\SysWOW64\cmd.exe"
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\icacls.exe (level 2)
  Command line: icacls.exe "C:\Windows\SysWOW64\cmd.exe" /grant SYSTEM:F
- Possible privilege escalation attempt
- Modifies file permissions
-
C:\Windows\SysWOW64\takeown.exe (level 2)
  Command line: takeown.exe /f "C:\Windows\SysWOW64\ftp.exe"
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\icacls.exe (level 2)
  Command line: icacls.exe "C:\Windows\SysWOW64\ftp.exe" /grant SYSTEM:F
- Possible privilege escalation attempt
- Modifies file permissions
-
C:\Windows\SysWOW64\takeown.exe (level 2)
  Command line: takeown.exe /f "C:\Windows\SysWOW64\ftp.exe"
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\icacls.exe (level 2)
  Command line: icacls.exe "C:\Windows\SysWOW64\ftp.exe" /grant SYSTEM:F
- Possible privilege escalation attempt
- Modifies file permissions
-
C:\Windows\SysWOW64\takeown.exe (level 2)
  Command line: takeown.exe /f "C:\Windows\SysWOW64\wscript.exe"
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\icacls.exe (level 2)
  Command line: icacls.exe "C:\Windows\SysWOW64\wscript.exe" /grant SYSTEM:F
- Possible privilege escalation attempt
- Modifies file permissions
-
C:\Windows\SysWOW64\takeown.exe (level 2)
  Command line: takeown.exe /f "C:\Windows\SysWOW64\wscript.exe"
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\icacls.exe (level 2)
  Command line: icacls.exe "C:\Windows\SysWOW64\wscript.exe" /grant SYSTEM:F
- Possible privilege escalation attempt
- Modifies file permissions
-
C:\Windows\SysWOW64\takeown.exe (level 2)
  Command line: takeown.exe /f "C:\Windows\SysWOW64\cscript.exe"
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\icacls.exe (level 2)
  Command line: icacls.exe "C:\Windows\SysWOW64\cscript.exe" /grant SYSTEM:F
- Possible privilege escalation attempt
- Modifies file permissions
-
C:\Windows\SysWOW64\takeown.exe (level 2)
  Command line: takeown.exe /f "C:\Windows\SysWOW64\cscript.exe"
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\icacls.exe (level 2)
  Command line: icacls.exe "C:\Windows\SysWOW64\cscript.exe" /grant SYSTEM:F
- Possible privilege escalation attempt
- Modifies file permissions
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
-
C:\Windows\SysWOW64\qqfs.exe
Filesize: 72KB
MD5: 0a0b8feecd353748e99aa8e920dc45b0
SHA1: 35b5f1492c3508b0e5dd218befedbd1bbb01391c
SHA256: e9994d8fa465cc98138ee550b5e96465331614a71431d1f8f9d077547816369d
SHA512: 0b3adaf3e69fd0ca68a555f326601cc61a39553162a0b810eef6e1ad6bde4c892d1a6d8c2bdaf3323589161ead6158dabb0de6b5674ed12198688c8754f32d85