Analysis

max time kernel: 92s
max time network: 154s
platform: windows10-2004_x64
resource: win10v2004-20220812-en
resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
submitted: 01-10-2022 19:02

Static task: static1
Behavioral task: behavioral1
Sample: 96298cc3bc32028086a0ffe02d879c1c4f6cec16f78478934d3e126f72d8e256.exe
Resource: win7-20220812-en

General

Target: 96298cc3bc32028086a0ffe02d879c1c4f6cec16f78478934d3e126f72d8e256.exe
Size: 68KB
MD5: 01b4a6d2a221aea621b86662aee7d8c0
SHA1: c968452bfa4ae792c14b12522f0dd8347a36bf83
SHA256: 96298cc3bc32028086a0ffe02d879c1c4f6cec16f78478934d3e126f72d8e256
SHA512: cedbc2f13a25d9e1a440c6cb9c8d076bcba912dce79cedde54c3dec8a92841717b38818f267bdff43890918ec6d5d380eda157b4173ac488ce8e01ed8247984a
SSDEEP: 1536:tiKPa3rtPbJx07/LIUIkfDq8Wp7WJa+/1JFx3V8:tiqA9lx07cUIkfDq8WpyJa+fF8
Malware Config
Signatures
Possible privilege escalation attempt (34 IoCs)
  takeown.exe, PIDs: 2960, 4056, 2252, 1732, 1648, 3212, 4744, 3552, 1988, 2296, 1976, 2512, 4700, 3440, 4044, 1380, 2692
  icacls.exe, PIDs: 4308, 792, 4624, 3596, 2228, 856, 3980, 2504, 4304, 4296, 1788, 2036, 428, 1944, 4756, 3176, 2824

Modifies file permissions (1 TTP, 34 IoCs)
  takeown.exe, PIDs: 2296, 4700, 2512, 1732, 1648, 1976, 1988, 4056, 3552, 1380, 2252, 3212, 4744, 3440, 2960, 2692, 4044
  icacls.exe, PIDs: 792, 1788, 4756, 2504, 428, 4304, 2228, 2824, 4296, 856, 4624, 3176, 2036, 3596, 3980, 4308, 1944

Drops file in System32 directory (6 IoCs), process 96298cc3bc32028086a0ffe02d879c1c4f6cec16f78478934d3e126f72d8e256.exe
  File opened for modification: C:\Windows\SysWOW64\cmd.exe
  File opened for modification: C:\Windows\SysWOW64\ftp.exe
  File opened for modification: C:\Windows\SysWOW64\wscript.exe
  File opened for modification: C:\Windows\SysWOW64\cscript.exe
  File created: C:\Windows\SysWOW64\quez.exe
  File opened for modification: C:\Windows\SysWOW64\quez.exe

Suspicious use of AdjustPrivilegeToken (16 IoCs)
  Token SeTakeOwnershipPrivilege enabled by takeown.exe, PIDs: 1988, 4056, 4700, 2296, 1648, 1976, 2252, 3212, 2512, 4744, 1732, 2960, 2692, 3440, 4044, 3552
  (takeown.exe PID 1380, the first child, is the one takeown instance without a token entry.)

Suspicious use of SetWindowsHookEx (1 IoC)
  PID 1828 96298cc3bc32028086a0ffe02d879c1c4f6cec16f78478934d3e126f72d8e256.exe

Suspicious use of WriteProcessMemory (64 IoCs)
  PID 1828 (96298cc3bc32028086a0ffe02d879c1c4f6cec16f78478934d3e126f72d8e256.exe) wrote to the memory of each child it spawned, three entries per child, in this order: 1380 takeown.exe, 4756 icacls.exe, 1988 takeown.exe, 3176 icacls.exe, 4056 takeown.exe, 2504 icacls.exe, 4700 takeown.exe, 2824 icacls.exe, 2296 takeown.exe, 2036 icacls.exe, 1648 takeown.exe, 4624 icacls.exe, 1976 takeown.exe, 428 icacls.exe, 2252 takeown.exe, 3596 icacls.exe, 3212 takeown.exe, 3980 icacls.exe, 2512 takeown.exe, 4296 icacls.exe, 4744 takeown.exe, and 2228 icacls.exe (one entry; the list stops at 64).
  Every target is one of the takeown.exe/icacls.exe children the sample itself launches, and a burst of writes into a just-created child is what the parent's own process-creation path does while setting the new process up, so this signature reflects the spawning of those children rather than injection into an unrelated process.
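The behaviour the signatures above describe is a fixed two-step chain from one parent: takeown.exe /f on a binary under the Windows system directories, then icacls.exe /grant on the same file. The following detector, an added example that is not code from the sandbox report or from the analysed sample, correlates that chain over process-creation telemetry. The events are constructed to mirror this report's process tree (the field names pid/ppid/image/command_line, shaped like Sysmon Event ID 1 records, and the benign admin events on D:\Share are assumptions), and the correlation key is the path the tool actually touches after WOW64 file-system redirection, so "C:\Windows\System32\cmd.exe" named by a 32-bit takeown.exe pairs with the SysWOW64 copy, exactly as the report's "Drops file in System32 directory" IoCs show.

```python
"""Detect the takeown -> icacls /grant chain on protected system binaries.

Added example (not from the report or the sample). Input: constructed
process-creation events in chronological order; field names are an assumption.
"""
import re
import shlex
from collections import defaultdict

SYS32 = "c:\\windows\\system32\\"
WOW64 = "c:\\windows\\syswow64\\"
PROTECTED_DIRS = (SYS32, WOW64)


def _tokens(command_line):
    """Split a Windows command line: whitespace-separated, quotes removed,
    backslashes left alone (posix=False keeps them literal)."""
    return [t.strip('"') for t in shlex.split(command_line, posix=False)]


def effective_path(image, target):
    """Path a process really touches. A 32-bit process (image under SysWOW64)
    that names System32 is redirected to SysWOW64 by WOW64 file-system redirection."""
    t = target.lower()
    if image.lower().startswith(WOW64) and t.startswith(SYS32):
        return WOW64 + t[len(SYS32):]
    return t


def parse_acl_tool(ev):
    """Return (tool, effective_target, grant_spec) for takeown/icacls events, else None."""
    name = ev["image"].lower().rsplit("\\", 1)[-1]
    toks = _tokens(ev["command_line"])[1:]  # drop argv[0]
    if name == "takeown.exe":
        for i, t in enumerate(toks):
            if t.lower() == "/f" and i + 1 < len(toks):
                return "takeown", effective_path(ev["image"], toks[i + 1]), ""
    elif name == "icacls.exe":
        target = next((t for t in toks if not t.startswith("/")), None)
        m = re.search(r"/grant(?::r)?\s+(\S+)", ev["command_line"], re.I)
        if target and m:
            return "icacls", effective_path(ev["image"], target), m.group(1)
    return None


def find_acl_tamper_chains(events):
    """Flag a parent that runs takeown on a protected binary and later icacls /grant
    on the same effective path. Events must be in chronological order."""
    children = defaultdict(list)
    for ev in events:
        children[ev["ppid"]].append(ev)
    findings = []
    for ppid, evs in children.items():
        owned = {}  # effective target -> takeown pid, per parent
        for ev in evs:
            parsed = parse_acl_tool(ev)
            if parsed is None:
                continue
            tool, target, grant = parsed
            if not target.startswith(PROTECTED_DIRS):
                continue
            if tool == "takeown":
                owned[target] = ev["pid"]
            elif tool == "icacls" and target in owned:
                findings.append({"parent_pid": ppid, "target": target,
                                 "takeown_pid": owned[target],
                                 "icacls_pid": ev["pid"], "grant": grant})
    return findings


SAMPLE = ("C:\\Users\\Admin\\AppData\\Local\\Temp\\"
          "96298cc3bc32028086a0ffe02d879c1c4f6cec16f78478934d3e126f72d8e256.exe")

# Constructed events modelled on the report's process tree (PIDs from the report;
# the parent of 1828 and the D:\Share admin activity are made up).
EVENTS = [
    {"pid": 1828, "ppid": 4400, "image": SAMPLE, "command_line": f'"{SAMPLE}"'},
    {"pid": 1380, "ppid": 1828, "image": "C:\\Windows\\SysWOW64\\takeown.exe",
     "command_line": 'C:\\Windows\\system32\\takeown.exe /f "C:\\Windows\\system32\\quez.exe"'},
    {"pid": 4756, "ppid": 1828, "image": "C:\\Windows\\SysWOW64\\icacls.exe",
     "command_line": 'C:\\Windows\\system32\\icacls.exe "C:\\Windows\\system32\\quez.exe" /grant SYSTEM:F'},
    {"pid": 1988, "ppid": 1828, "image": "C:\\Windows\\SysWOW64\\takeown.exe",
     "command_line": 'takeown.exe /f "C:\\Windows\\System32\\cmd.exe"'},
    {"pid": 3176, "ppid": 1828, "image": "C:\\Windows\\SysWOW64\\icacls.exe",
     "command_line": 'icacls.exe "C:\\Windows\\System32\\cmd.exe" /grant SYSTEM:F'},
    # benign admin use of the same tools outside the system directories: not flagged
    {"pid": 5200, "ppid": 5100, "image": "C:\\Windows\\System32\\takeown.exe",
     "command_line": 'takeown /f "D:\\Share\\old.log"'},
    {"pid": 5201, "ppid": 5100, "image": "C:\\Windows\\System32\\icacls.exe",
     "command_line": 'icacls "D:\\Share\\old.log" /grant Users:RX'},
]

if __name__ == "__main__":
    for f in find_acl_tamper_chains(EVENTS):
        print(f)
```

Correlating on the effective path is what makes the second pair match: the command line says System32\cmd.exe, but the file that changed owner and ACL is SysWOW64\cmd.exe. A lone takeown on a protected path with no following /grant is deliberately not reported here; raise it separately at lower severity if your environment never legitimately re-owns system binaries.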
Processes

C:\Users\Admin\AppData\Local\Temp\96298cc3bc32028086a0ffe02d879c1c4f6cec16f78478934d3e126f72d8e256.exe (level 1, PID 1828)
  Command line: "C:\Users\Admin\AppData\Local\Temp\96298cc3bc32028086a0ffe02d879c1c4f6cec16f78478934d3e126f72d8e256.exe"
  - Drops file in System32 directory
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory

  Every child below (level 2) runs from C:\Windows\SysWOW64 even where its command line names C:\Windows\system32. The sample executes as a 32-bit process, so WOW64 file-system redirection maps its System32 references, and those of the 32-bit takeown.exe and icacls.exe it launches, onto SysWOW64. The "System32" and "SysWOW64" targets below are therefore the same four files; the 64-bit binaries in the real System32 are not touched, which matches the SysWOW64-only paths in the "Drops file in System32 directory" signature.

  C:\Windows\SysWOW64\takeown.exe
    Command line: C:\Windows\system32\takeown.exe /f "C:\Windows\system32\quez.exe"
    - Possible privilege escalation attempt
    - Modifies file permissions

  C:\Windows\SysWOW64\icacls.exe
    Command line: C:\Windows\system32\icacls.exe "C:\Windows\system32\quez.exe" /grant SYSTEM:F
    - Possible privilege escalation attempt
    - Modifies file permissions

  C:\Windows\SysWOW64\takeown.exe
    Command line: takeown.exe /f "C:\Windows\System32\cmd.exe"
    - Possible privilege escalation attempt
    - Modifies file permissions
    - Suspicious use of AdjustPrivilegeToken

  C:\Windows\SysWOW64\icacls.exe
    Command line: icacls.exe "C:\Windows\System32\cmd.exe" /grant SYSTEM:F
    - Possible privilege escalation attempt
    - Modifies file permissions

  C:\Windows\SysWOW64\takeown.exe
    Command line: takeown.exe /f "C:\Windows\System32\cmd.exe"
    - Possible privilege escalation attempt
    - Modifies file permissions
    - Suspicious use of AdjustPrivilegeToken

  C:\Windows\SysWOW64\icacls.exe
    Command line: icacls.exe "C:\Windows\System32\cmd.exe" /grant SYSTEM:F
    - Possible privilege escalation attempt
    - Modifies file permissions

  C:\Windows\SysWOW64\takeown.exe
    Command line: takeown.exe /f "C:\Windows\System32\ftp.exe"
    - Possible privilege escalation attempt
    - Modifies file permissions
    - Suspicious use of AdjustPrivilegeToken

  C:\Windows\SysWOW64\icacls.exe
    Command line: icacls.exe "C:\Windows\System32\ftp.exe" /grant SYSTEM:F
    - Possible privilege escalation attempt
    - Modifies file permissions

  C:\Windows\SysWOW64\takeown.exe
    Command line: takeown.exe /f "C:\Windows\System32\ftp.exe"
    - Possible privilege escalation attempt
    - Modifies file permissions
    - Suspicious use of AdjustPrivilegeToken

  C:\Windows\SysWOW64\icacls.exe
    Command line: icacls.exe "C:\Windows\System32\ftp.exe" /grant SYSTEM:F
    - Possible privilege escalation attempt
    - Modifies file permissions

  C:\Windows\SysWOW64\takeown.exe
    Command line: takeown.exe /f "C:\Windows\System32\wscript.exe"
    - Possible privilege escalation attempt
    - Modifies file permissions
    - Suspicious use of AdjustPrivilegeToken

  C:\Windows\SysWOW64\icacls.exe
    Command line: icacls.exe "C:\Windows\System32\wscript.exe" /grant SYSTEM:F
    - Possible privilege escalation attempt
    - Modifies file permissions

  C:\Windows\SysWOW64\takeown.exe
    Command line: takeown.exe /f "C:\Windows\System32\wscript.exe"
    - Possible privilege escalation attempt
    - Modifies file permissions
    - Suspicious use of AdjustPrivilegeToken

  C:\Windows\SysWOW64\icacls.exe
    Command line: icacls.exe "C:\Windows\System32\wscript.exe" /grant SYSTEM:F
    - Possible privilege escalation attempt
    - Modifies file permissions

  C:\Windows\SysWOW64\takeown.exe
    Command line: takeown.exe /f "C:\Windows\System32\cscript.exe"
    - Possible privilege escalation attempt
    - Modifies file permissions
    - Suspicious use of AdjustPrivilegeToken

  C:\Windows\SysWOW64\icacls.exe
    Command line: icacls.exe "C:\Windows\System32\cscript.exe" /grant SYSTEM:F
    - Possible privilege escalation attempt
    - Modifies file permissions

  C:\Windows\SysWOW64\takeown.exe
    Command line: takeown.exe /f "C:\Windows\System32\cscript.exe"
    - Possible privilege escalation attempt
    - Modifies file permissions
    - Suspicious use of AdjustPrivilegeToken

  C:\Windows\SysWOW64\icacls.exe
    Command line: icacls.exe "C:\Windows\System32\cscript.exe" /grant SYSTEM:F
    - Possible privilege escalation attempt
    - Modifies file permissions

  C:\Windows\SysWOW64\takeown.exe
    Command line: takeown.exe /f "C:\Windows\SysWOW64\cmd.exe"
    - Possible privilege escalation attempt
    - Modifies file permissions
    - Suspicious use of AdjustPrivilegeToken

  C:\Windows\SysWOW64\icacls.exe
    Command line: icacls.exe "C:\Windows\SysWOW64\cmd.exe" /grant SYSTEM:F
    - Possible privilege escalation attempt
    - Modifies file permissions

  C:\Windows\SysWOW64\takeown.exe
    Command line: takeown.exe /f "C:\Windows\SysWOW64\cmd.exe"
    - Possible privilege escalation attempt
    - Modifies file permissions
    - Suspicious use of AdjustPrivilegeToken

  C:\Windows\SysWOW64\icacls.exe
    Command line: icacls.exe "C:\Windows\SysWOW64\cmd.exe" /grant SYSTEM:F
    - Possible privilege escalation attempt
    - Modifies file permissions

  C:\Windows\SysWOW64\takeown.exe
    Command line: takeown.exe /f "C:\Windows\SysWOW64\ftp.exe"
    - Possible privilege escalation attempt
    - Modifies file permissions
    - Suspicious use of AdjustPrivilegeToken

  C:\Windows\SysWOW64\icacls.exe
    Command line: icacls.exe "C:\Windows\SysWOW64\ftp.exe" /grant SYSTEM:F
    - Possible privilege escalation attempt
    - Modifies file permissions

  C:\Windows\SysWOW64\takeown.exe
    Command line: takeown.exe /f "C:\Windows\SysWOW64\ftp.exe"
    - Possible privilege escalation attempt
    - Modifies file permissions
    - Suspicious use of AdjustPrivilegeToken

  C:\Windows\SysWOW64\icacls.exe
    Command line: icacls.exe "C:\Windows\SysWOW64\ftp.exe" /grant SYSTEM:F
    - Possible privilege escalation attempt
    - Modifies file permissions

  C:\Windows\SysWOW64\takeown.exe
    Command line: takeown.exe /f "C:\Windows\SysWOW64\wscript.exe"
    - Possible privilege escalation attempt
    - Modifies file permissions
    - Suspicious use of AdjustPrivilegeToken

  C:\Windows\SysWOW64\icacls.exe
    Command line: icacls.exe "C:\Windows\SysWOW64\wscript.exe" /grant SYSTEM:F
    - Possible privilege escalation attempt
    - Modifies file permissions

  C:\Windows\SysWOW64\takeown.exe
    Command line: takeown.exe /f "C:\Windows\SysWOW64\wscript.exe"
    - Possible privilege escalation attempt
    - Modifies file permissions
    - Suspicious use of AdjustPrivilegeToken

  C:\Windows\SysWOW64\icacls.exe
    Command line: icacls.exe "C:\Windows\SysWOW64\wscript.exe" /grant SYSTEM:F
    - Possible privilege escalation attempt
    - Modifies file permissions

  C:\Windows\SysWOW64\takeown.exe
    Command line: takeown.exe /f "C:\Windows\SysWOW64\cscript.exe"
    - Possible privilege escalation attempt
    - Modifies file permissions
    - Suspicious use of AdjustPrivilegeToken

  C:\Windows\SysWOW64\icacls.exe
    Command line: icacls.exe "C:\Windows\SysWOW64\cscript.exe" /grant SYSTEM:F
    - Possible privilege escalation attempt
    - Modifies file permissions

  C:\Windows\SysWOW64\takeown.exe
    Command line: takeown.exe /f "C:\Windows\SysWOW64\cscript.exe"
    - Possible privilege escalation attempt
    - Modifies file permissions
    - Suspicious use of AdjustPrivilegeToken

  C:\Windows\SysWOW64\icacls.exe
    Command line: icacls.exe "C:\Windows\SysWOW64\cscript.exe" /grant SYSTEM:F
    - Possible privilege escalation attempt
    - Modifies file permissions
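After the tree above has run, the lasting change on the host is the ACL of four SysWOW64 binaries (and the dropped quez.exe): takeown has moved ownership away from TrustedInstaller and icacls has added an explicit SYSTEM:F grant. The following audit, an added example that is not code from the sandbox report or from the sample, parses the output of `icacls <file>` and reports any ACE that differs from the stock ACL of a Windows 10 system binary. Both icacls listings are constructed (the tampered one shows how SysWOW64\cmd.exe would list after the chain above), and the stock ACL table is an assumption to confirm against a known-good host of the same build. icacls does not print the owner, so check ownership separately (`dir /q` or Get-Acl).

```python
"""Audit an icacls listing of a Windows system binary against its stock ACL.

Added example (not from the report or the sample). Both listings below are
constructed; the stock ACL is the Windows 10 default for files under System32
and SysWOW64 and should be confirmed on a known-good host.
"""
import re

# One ACE as icacls prints it: "<principal>:(flag)(flag)..."
ACE_RE = re.compile(r"^(?P<principal>.+?):(?P<flags>(?:\([A-Za-z,]+\))+)\s*$")
# Inheritance/propagation flags, which are not permissions.
INHERIT_FLAGS = {"I", "OI", "CI", "IO", "NP"}

STOCK_SYSTEM_BINARY_ACL = {  # assumption: stock Windows 10 ACL on System32 binaries
    r"NT SERVICE\TrustedInstaller": {"F"},
    r"BUILTIN\Administrators": {"RX"},
    r"NT AUTHORITY\SYSTEM": {"RX"},
    r"BUILTIN\Users": {"RX"},
    r"APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES": {"RX"},
    r"APPLICATION PACKAGE AUTHORITY\ALL RESTRICTED APPLICATION PACKAGES": {"RX"},
}

TARGET = r"C:\Windows\SysWOW64\cmd.exe"

# Constructed `icacls C:\Windows\SysWOW64\cmd.exe` output after
# `takeown /f` + `icacls ... /grant SYSTEM:F` (not captured from the report).
ICACLS_TAMPERED = r"""C:\Windows\SysWOW64\cmd.exe NT AUTHORITY\SYSTEM:(F)
                            NT SERVICE\TrustedInstaller:(F)
                            BUILTIN\Administrators:(RX)
                            NT AUTHORITY\SYSTEM:(RX)
                            BUILTIN\Users:(RX)
                            APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES:(RX)
                            APPLICATION PACKAGE AUTHORITY\ALL RESTRICTED APPLICATION PACKAGES:(RX)

Successfully processed 1 files; Failed processing 0 files
"""

# Constructed output for an untouched binary.
ICACLS_STOCK = r"""C:\Windows\SysWOW64\cmd.exe NT SERVICE\TrustedInstaller:(F)
                            BUILTIN\Administrators:(RX)
                            NT AUTHORITY\SYSTEM:(RX)
                            BUILTIN\Users:(RX)
                            APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES:(RX)
                            APPLICATION PACKAGE AUTHORITY\ALL RESTRICTED APPLICATION PACKAGES:(RX)

Successfully processed 1 files; Failed processing 0 files
"""


def parse_icacls(path, output):
    """Return {principal: set(permission flags)} from `icacls <path>` output.
    The first line carries the path before its first ACE; continuation lines are
    indented. Inheritance flags are dropped and a principal listed in several
    ACEs has its permissions merged, so a grant added on top of the stock
    ACE shows up as an extra flag on the same principal."""
    acl = {}
    for raw in output.splitlines():
        line = raw.strip()
        if not line or line.startswith("Successfully processed"):
            continue
        if line.lower().startswith(path.lower()):
            line = line[len(path):].strip()
        m = ACE_RE.match(line)
        if not m:
            continue
        perms = {p for p in re.findall(r"\(([^)]+)\)", m["flags"]) if p not in INHERIT_FLAGS}
        acl.setdefault(m["principal"], set()).update(perms)
    return acl


def audit_system_binary(path, output, stock=STOCK_SYSTEM_BINARY_ACL):
    """List deviations from the stock ACL; an empty list means the ACL is stock."""
    acl = parse_icacls(path, output)
    findings = []
    for principal, perms in acl.items():
        expected = stock.get(principal)
        if expected is None:
            findings.append(f"unexpected principal {principal}: {sorted(perms)}")
        elif perms - expected:
            findings.append(f"{principal} has {sorted(perms - expected)} beyond stock {sorted(expected)}")
    for principal in stock:
        if principal not in acl:
            findings.append(f"missing stock ACE for {principal}")
    return findings


if __name__ == "__main__":
    for finding in audit_system_binary(TARGET, ICACLS_TAMPERED):
        print(finding)
```

Run it over the real `icacls` output of each file named in the report (cmd.exe, ftp.exe, wscript.exe, cscript.exe under SysWOW64, plus quez.exe, which should not exist at all) to confirm scope on an affected host; the same check against the System32 copies should come back clean if the redirection reading above is right.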
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads

C:\Windows\SysWOW64\quez.exe
  Filesize: 68KB
  MD5: 01b4a6d2a221aea621b86662aee7d8c0
  SHA1: c968452bfa4ae792c14b12522f0dd8347a36bf83
  SHA256: 96298cc3bc32028086a0ffe02d879c1c4f6cec16f78478934d3e126f72d8e256
  SHA512: cedbc2f13a25d9e1a440c6cb9c8d076bcba912dce79cedde54c3dec8a92841717b38818f267bdff43890918ec6d5d380eda157b4173ac488ce8e01ed8247984a
  These hashes match the submitted sample exactly: quez.exe is a byte-for-byte copy of the sample dropped into SysWOW64.
Memory dumps, one per takeown.exe/icacls.exe child PID:
memory/428-148-0x0000000000000000-mapping.dmp
memory/792-162-0x0000000000000000-mapping.dmp
memory/856-160-0x0000000000000000-mapping.dmp
memory/1380-134-0x0000000000000000-mapping.dmp
memory/1648-145-0x0000000000000000-mapping.dmp
memory/1732-157-0x0000000000000000-mapping.dmp
memory/1788-168-0x0000000000000000-mapping.dmp
memory/1944-164-0x0000000000000000-mapping.dmp
memory/1976-147-0x0000000000000000-mapping.dmp
memory/1988-137-0x0000000000000000-mapping.dmp
memory/2036-144-0x0000000000000000-mapping.dmp
memory/2228-156-0x0000000000000000-mapping.dmp
memory/2252-149-0x0000000000000000-mapping.dmp
memory/2296-143-0x0000000000000000-mapping.dmp
memory/2504-140-0x0000000000000000-mapping.dmp
memory/2512-153-0x0000000000000000-mapping.dmp
memory/2692-161-0x0000000000000000-mapping.dmp
memory/2824-142-0x0000000000000000-mapping.dmp
memory/2960-159-0x0000000000000000-mapping.dmp
memory/3176-138-0x0000000000000000-mapping.dmp
memory/3212-151-0x0000000000000000-mapping.dmp
memory/3440-163-0x0000000000000000-mapping.dmp
memory/3552-167-0x0000000000000000-mapping.dmp
memory/3596-150-0x0000000000000000-mapping.dmp
memory/3980-152-0x0000000000000000-mapping.dmp
memory/4044-165-0x0000000000000000-mapping.dmp
memory/4056-139-0x0000000000000000-mapping.dmp
memory/4296-154-0x0000000000000000-mapping.dmp
memory/4304-166-0x0000000000000000-mapping.dmp
memory/4308-158-0x0000000000000000-mapping.dmp
memory/4624-146-0x0000000000000000-mapping.dmp
memory/4700-141-0x0000000000000000-mapping.dmp
memory/4744-155-0x0000000000000000-mapping.dmp
memory/4756-136-0x0000000000000000-mapping.dmp