Analysis
-
max time kernel: 123s
max time network: 154s
platform: windows10-2004_x64
resource: win10v2004-20220812-en
resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
submitted: 04-10-2022 05:59
Static task
static1
Behavioral task
behavioral1
Sample
02fb5a71cc95ac3936883fd4578d83ecf8c56d5c735b9039e76a89937710ea48.exe
Resource
win7-20220812-en
General
-
Target
02fb5a71cc95ac3936883fd4578d83ecf8c56d5c735b9039e76a89937710ea48.exe
-
Size
72KB
-
MD5
52546e1127487e7974fd844aa5bd03f6
-
SHA1
b042d031ca45dc4ec791127a0ffd9d1e8df7e709
-
SHA256
02fb5a71cc95ac3936883fd4578d83ecf8c56d5c735b9039e76a89937710ea48
-
SHA512
448512f62770ae677e0bb8c1d78299648d76a069417f806d5e27531cdd1b8391b2d3152f0b886f590fc2edaf465eec1ea3b66c260302e9dc279cde8fab6e337a
-
SSDEEP
768:lZ3ekAd0mgBUJ0JtXxvoCjtpIh0xoXj8KIQBHkfOJRdLd5nOggSjyiPFu0/vHNML:lidhehRjwXjMW0aI3mxnkXtPe+qYQO
Malware Config
Signatures
-
Possible privilege escalation attempt 34 IoCs
Processes (pid, process):
864 icacls.exe
4200 takeown.exe
212 takeown.exe
5076 icacls.exe
2988 takeown.exe
3776 takeown.exe
4144 icacls.exe
1780 icacls.exe
752 icacls.exe
764 takeown.exe
3472 icacls.exe
2040 icacls.exe
1276 takeown.exe
3452 takeown.exe
4428 icacls.exe
4352 takeown.exe
2344 icacls.exe
2340 icacls.exe
5024 takeown.exe
1380 takeown.exe
5044 icacls.exe
1752 icacls.exe
4864 icacls.exe
2272 takeown.exe
1936 takeown.exe
4444 icacls.exe
4756 takeown.exe
5104 takeown.exe
4864 takeown.exe
1148 takeown.exe
4396 takeown.exe
2248 icacls.exe
4876 icacls.exe
2280 icacls.exe
-
Modifies file permissions 1 TTPs 34 IoCs
Processes (pid, process):
1936 takeown.exe
1780 icacls.exe
4756 takeown.exe
5104 takeown.exe
4864 takeown.exe
3776 takeown.exe
2272 takeown.exe
5044 icacls.exe
3452 takeown.exe
4396 takeown.exe
1380 takeown.exe
4200 takeown.exe
3472 icacls.exe
2988 takeown.exe
2248 icacls.exe
752 icacls.exe
764 takeown.exe
5076 icacls.exe
4876 icacls.exe
2344 icacls.exe
864 icacls.exe
4428 icacls.exe
4352 takeown.exe
1276 takeown.exe
5024 takeown.exe
2280 icacls.exe
212 takeown.exe
4444 icacls.exe
4144 icacls.exe
1148 takeown.exe
1752 icacls.exe
2340 icacls.exe
4864 icacls.exe
2040 icacls.exe
-
Drops file in System32 directory 6 IoCs
Processes (description, ioc; process is 02fb5a71cc95ac3936883fd4578d83ecf8c56d5c735b9039e76a89937710ea48.exe for all six entries):
File opened for modification C:\Windows\SysWOW64\cmd.exe
File opened for modification C:\Windows\SysWOW64\ftp.exe
File opened for modification C:\Windows\SysWOW64\wscript.exe
File opened for modification C:\Windows\SysWOW64\cscript.exe
File created C:\Windows\SysWOW64\crod.exe
File opened for modification C:\Windows\SysWOW64\crod.exe
-
Suspicious use of AdjustPrivilegeToken 16 IoCs
Processes (description, pid, process):
Token: SeTakeOwnershipPrivilege 764 takeown.exe
Token: SeTakeOwnershipPrivilege 212 takeown.exe
Token: SeTakeOwnershipPrivilege 3776 takeown.exe
Token: SeTakeOwnershipPrivilege 1148 takeown.exe
Token: SeTakeOwnershipPrivilege 4396 takeown.exe
Token: SeTakeOwnershipPrivilege 2272 takeown.exe
Token: SeTakeOwnershipPrivilege 2988 takeown.exe
Token: SeTakeOwnershipPrivilege 1936 takeown.exe
Token: SeTakeOwnershipPrivilege 4756 takeown.exe
Token: SeTakeOwnershipPrivilege 5104 takeown.exe
Token: SeTakeOwnershipPrivilege 1380 takeown.exe
Token: SeTakeOwnershipPrivilege 4864 takeown.exe
Token: SeTakeOwnershipPrivilege 3452 takeown.exe
Token: SeTakeOwnershipPrivilege 4352 takeown.exe
Token: SeTakeOwnershipPrivilege 1276 takeown.exe
Token: SeTakeOwnershipPrivilege 4200 takeown.exe
-
Suspicious use of SetWindowsHookEx 1 IoCs
Processes (pid, process):
5072 02fb5a71cc95ac3936883fd4578d83ecf8c56d5c735b9039e76a89937710ea48.exe
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes (description, pid, process, target process; the source is always PID 5072 02fb5a71cc95ac3936883fd4578d83ecf8c56d5c735b9039e76a89937710ea48.exe, and each target is listed three times in the report unless noted):
PID 5072 wrote to memory of 5024 takeown.exe
PID 5072 wrote to memory of 4864 icacls.exe
PID 5072 wrote to memory of 764 takeown.exe
PID 5072 wrote to memory of 3472 icacls.exe
PID 5072 wrote to memory of 212 takeown.exe
PID 5072 wrote to memory of 2040 icacls.exe
PID 5072 wrote to memory of 3776 takeown.exe
PID 5072 wrote to memory of 4144 icacls.exe
PID 5072 wrote to memory of 1148 takeown.exe
PID 5072 wrote to memory of 5076 icacls.exe
PID 5072 wrote to memory of 4396 takeown.exe
PID 5072 wrote to memory of 4876 icacls.exe
PID 5072 wrote to memory of 2272 takeown.exe
PID 5072 wrote to memory of 2248 icacls.exe
PID 5072 wrote to memory of 2988 takeown.exe
PID 5072 wrote to memory of 4444 icacls.exe
PID 5072 wrote to memory of 1936 takeown.exe
PID 5072 wrote to memory of 1780 icacls.exe
PID 5072 wrote to memory of 4756 takeown.exe
PID 5072 wrote to memory of 2280 icacls.exe
PID 5072 wrote to memory of 5104 takeown.exe
PID 5072 wrote to memory of 1752 icacls.exe (listed once; the report shows 64 IoCs)
Processes
-
C:\Users\Admin\AppData\Local\Temp\02fb5a71cc95ac3936883fd4578d83ecf8c56d5c735b9039e76a89937710ea48.exe [level 1]
command line: "C:\Users\Admin\AppData\Local\Temp\02fb5a71cc95ac3936883fd4578d83ecf8c56d5c735b9039e76a89937710ea48.exe"
- Drops file in System32 directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\takeown.exe [level 2]
command line: C:\Windows\system32\takeown.exe /f "C:\Windows\system32\crod.exe"
- Possible privilege escalation attempt
- Modifies file permissions
-
C:\Windows\SysWOW64\icacls.exe [level 2]
command line: C:\Windows\system32\icacls.exe "C:\Windows\system32\crod.exe" /grant SYSTEM:F
- Possible privilege escalation attempt
- Modifies file permissions
-
C:\Windows\SysWOW64\takeown.exe [level 2]
command line: takeown.exe /f "C:\Windows\System32\cmd.exe"
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\icacls.exe [level 2]
command line: icacls.exe "C:\Windows\System32\cmd.exe" /grant SYSTEM:F
- Possible privilege escalation attempt
- Modifies file permissions
-
C:\Windows\SysWOW64\takeown.exe [level 2]
command line: takeown.exe /f "C:\Windows\System32\cmd.exe"
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\icacls.exe [level 2]
command line: icacls.exe "C:\Windows\System32\cmd.exe" /grant SYSTEM:F
- Possible privilege escalation attempt
- Modifies file permissions
-
C:\Windows\SysWOW64\takeown.exe [level 2]
command line: takeown.exe /f "C:\Windows\System32\ftp.exe"
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\icacls.exe [level 2]
command line: icacls.exe "C:\Windows\System32\ftp.exe" /grant SYSTEM:F
- Possible privilege escalation attempt
- Modifies file permissions
-
C:\Windows\SysWOW64\takeown.exe [level 2]
command line: takeown.exe /f "C:\Windows\System32\ftp.exe"
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\icacls.exe [level 2]
command line: icacls.exe "C:\Windows\System32\ftp.exe" /grant SYSTEM:F
- Possible privilege escalation attempt
- Modifies file permissions
-
C:\Windows\SysWOW64\takeown.exe [level 2]
command line: takeown.exe /f "C:\Windows\System32\wscript.exe"
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\icacls.exe [level 2]
command line: icacls.exe "C:\Windows\System32\wscript.exe" /grant SYSTEM:F
- Possible privilege escalation attempt
- Modifies file permissions
-
C:\Windows\SysWOW64\takeown.exe [level 2]
command line: takeown.exe /f "C:\Windows\System32\wscript.exe"
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\icacls.exe [level 2]
command line: icacls.exe "C:\Windows\System32\wscript.exe" /grant SYSTEM:F
- Possible privilege escalation attempt
- Modifies file permissions
-
C:\Windows\SysWOW64\takeown.exe [level 2]
command line: takeown.exe /f "C:\Windows\System32\cscript.exe"
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\icacls.exe [level 2]
command line: icacls.exe "C:\Windows\System32\cscript.exe" /grant SYSTEM:F
- Possible privilege escalation attempt
- Modifies file permissions
-
C:\Windows\SysWOW64\takeown.exe [level 2]
command line: takeown.exe /f "C:\Windows\System32\cscript.exe"
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\icacls.exe [level 2]
command line: icacls.exe "C:\Windows\System32\cscript.exe" /grant SYSTEM:F
- Possible privilege escalation attempt
- Modifies file permissions
-
C:\Windows\SysWOW64\takeown.exe [level 2]
command line: takeown.exe /f "C:\Windows\SysWOW64\cmd.exe"
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\icacls.exe [level 2]
command line: icacls.exe "C:\Windows\SysWOW64\cmd.exe" /grant SYSTEM:F
- Possible privilege escalation attempt
- Modifies file permissions
-
C:\Windows\SysWOW64\takeown.exe [level 2]
command line: takeown.exe /f "C:\Windows\SysWOW64\cmd.exe"
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\icacls.exe [level 2]
command line: icacls.exe "C:\Windows\SysWOW64\cmd.exe" /grant SYSTEM:F
- Possible privilege escalation attempt
- Modifies file permissions
-
C:\Windows\SysWOW64\takeown.exe [level 2]
command line: takeown.exe /f "C:\Windows\SysWOW64\ftp.exe"
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\icacls.exe [level 2]
command line: icacls.exe "C:\Windows\SysWOW64\ftp.exe" /grant SYSTEM:F
- Possible privilege escalation attempt
- Modifies file permissions
-
C:\Windows\SysWOW64\takeown.exe [level 2]
command line: takeown.exe /f "C:\Windows\SysWOW64\ftp.exe"
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\icacls.exe [level 2]
command line: icacls.exe "C:\Windows\SysWOW64\ftp.exe" /grant SYSTEM:F
- Possible privilege escalation attempt
- Modifies file permissions
-
C:\Windows\SysWOW64\takeown.exe [level 2]
command line: takeown.exe /f "C:\Windows\SysWOW64\wscript.exe"
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\icacls.exe [level 2]
command line: icacls.exe "C:\Windows\SysWOW64\wscript.exe" /grant SYSTEM:F
- Possible privilege escalation attempt
- Modifies file permissions
-
C:\Windows\SysWOW64\takeown.exe [level 2]
command line: takeown.exe /f "C:\Windows\SysWOW64\wscript.exe"
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\icacls.exe [level 2]
command line: icacls.exe "C:\Windows\SysWOW64\wscript.exe" /grant SYSTEM:F
- Possible privilege escalation attempt
- Modifies file permissions
-
C:\Windows\SysWOW64\takeown.exe [level 2]
command line: takeown.exe /f "C:\Windows\SysWOW64\cscript.exe"
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\icacls.exe [level 2]
command line: icacls.exe "C:\Windows\SysWOW64\cscript.exe" /grant SYSTEM:F
- Possible privilege escalation attempt
- Modifies file permissions
-
C:\Windows\SysWOW64\takeown.exe [level 2]
command line: takeown.exe /f "C:\Windows\SysWOW64\cscript.exe"
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\icacls.exe [level 2]
command line: icacls.exe "C:\Windows\SysWOW64\cscript.exe" /grant SYSTEM:F
- Possible privilege escalation attempt
- Modifies file permissions
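The process tree above is one fixed pattern repeated seventeen times from the sample (PID 5072): takeown.exe /f on a system binary, then icacls.exe ... /grant SYSTEM:F on the same file. Two details matter for detection. First, every child runs from C:\Windows\SysWOW64 although the command lines name C:\Windows\system32, so the sample is a 32-bit process and WoW64 file-system redirection sends those System32 paths to SysWOW64; that is why the "Drops file in System32 directory" signature lists SysWOW64 paths, and the crod.exe created there carries the same hashes as the sample itself (see Downloads). Second, takeown and icacls are legitimate administrative tools, so the signal is the pairing, the target directory and the count of distinct targets per parent, not the binaries on their own. The Python below is an added example written for this page; it is not part of the sandbox vendor's report or of the sample. It runs that logic over constructed process-creation events whose PIDs, image paths and command lines are copied from the tree above; the parent PID 4012 of the sample and the benign icacls event at the end are invented for contrast.

```python
"""Detect takeown -> icacls ownership/ACL rewrites of Windows system binaries.

Added example for this report (not vendor or sample code). Events are
constructed dicts carrying the Sysmon Event ID 1 fields the logic needs:
pid, ppid, image (full executable path) and cmd (command line).
"""
import re
from collections import defaultdict

SYS32 = "c:\\windows\\system32\\"
WOW64 = "c:\\windows\\syswow64\\"
PROTECTED_DIRS = (SYS32, WOW64)

SAMPLE = "02fb5a71cc95ac3936883fd4578d83ecf8c56d5c735b9039e76a89937710ea48.exe"

# Constructed events. PIDs, images and command lines mirror the process tree
# above; ppid 4012 for the sample and the final benign event are assumptions.
SAMPLE_EVENTS = [
    {"pid": 5072, "ppid": 4012, "image": r"C:\Users\Admin\AppData\Local\Temp" + "\\" + SAMPLE,
     "cmd": '"' + r"C:\Users\Admin\AppData\Local\Temp" + "\\" + SAMPLE + '"'},
    {"pid": 5024, "ppid": 5072, "image": r"C:\Windows\SysWOW64\takeown.exe",
     "cmd": r'C:\Windows\system32\takeown.exe /f "C:\Windows\system32\crod.exe"'},
    {"pid": 4864, "ppid": 5072, "image": r"C:\Windows\SysWOW64\icacls.exe",
     "cmd": r'C:\Windows\system32\icacls.exe "C:\Windows\system32\crod.exe" /grant SYSTEM:F'},
    {"pid": 764, "ppid": 5072, "image": r"C:\Windows\SysWOW64\takeown.exe",
     "cmd": r'takeown.exe /f "C:\Windows\System32\cmd.exe"'},
    {"pid": 3472, "ppid": 5072, "image": r"C:\Windows\SysWOW64\icacls.exe",
     "cmd": r'icacls.exe "C:\Windows\System32\cmd.exe" /grant SYSTEM:F'},
    {"pid": 2272, "ppid": 5072, "image": r"C:\Windows\SysWOW64\takeown.exe",
     "cmd": r'takeown.exe /f "C:\Windows\SysWOW64\ftp.exe"'},
    # Benign control (constructed): an admin fixing ACLs on a file in their own profile.
    {"pid": 6100, "ppid": 6000, "image": r"C:\Windows\System32\icacls.exe",
     "cmd": r'icacls.exe "C:\Users\Admin\Documents\report.docx" /grant Admin:F'},
]


def split_cmdline(cmd):
    """Split a Windows command line on whitespace, honouring double quotes."""
    return [t.strip('"') for t in re.findall(r'"[^"]*"|\S+', cmd)]


def takeown_target(argv):
    """Path given to 'takeown /f <path>', or None."""
    for i, a in enumerate(argv[:-1]):
        if a.lower() == "/f":
            return argv[i + 1]
    return None


def icacls_grant(argv):
    """(path, 'principal:perms') for 'icacls <path> ... /grant[:r] <who>:<perms>', or None."""
    if len(argv) < 2:
        return None
    for i, a in enumerate(argv[:-1]):
        if a.lower().startswith("/grant"):
            return argv[1], argv[i + 1]
    return None


def effective_path(image, target):
    """Lower-cased path the kernel will actually open.

    A 32-bit process (image under SysWOW64) that names C:\\Windows\\System32 is
    redirected by WoW64 to C:\\Windows\\SysWOW64 unless it uses \\Sysnative. This
    is why the report shows SysWOW64 drops although the command lines say system32.
    """
    t = target.lower()
    if WOW64 in image.lower() and t.startswith(SYS32):
        t = WOW64 + t[len(SYS32):]
    return t


def detect(events):
    """Group takeown/icacls activity by (parent pid, effective target) and
    return findings on targets under System32/SysWOW64, sorted by that key."""
    seen = defaultdict(lambda: {"takeown": [], "icacls": []})
    for ev in events:
        name = ev["image"].rsplit("\\", 1)[-1].lower()
        argv = split_cmdline(ev["cmd"])
        if name == "takeown.exe" and (tgt := takeown_target(argv)):
            seen[(ev["ppid"], effective_path(ev["image"], tgt))]["takeown"].append(ev["pid"])
        elif name == "icacls.exe" and (g := icacls_grant(argv)):
            seen[(ev["ppid"], effective_path(ev["image"], g[0]))]["icacls"].append((ev["pid"], g[1]))
    findings = []
    for (ppid, target), acts in sorted(seen.items(), key=lambda kv: kv[0]):
        if not target.startswith(PROTECTED_DIRS):
            continue  # ACL work outside the system directories is not this pattern
        if acts["takeown"] and acts["icacls"]:
            sev = "high"    # ownership seized, then ACL rewritten: the pre-overwrite step
        elif acts["takeown"]:
            sev = "medium"  # ownership seized, no grant (yet)
        else:
            sev = "low"     # grant without takeown
        findings.append({"ppid": ppid, "target": target, "severity": sev,
                         "takeown_pids": acts["takeown"],
                         "grants": [who for _, who in acts["icacls"]]})
    return findings


def parents_over_threshold(findings, n=3):
    """Parents that re-owned or re-ACLed at least n distinct protected binaries."""
    targets = defaultdict(set)
    for f in findings:
        targets[f["ppid"]].add(f["target"])
    return sorted(p for p, t in targets.items() if len(t) >= n)


if __name__ == "__main__":
    found = detect(SAMPLE_EVENTS)
    for f in found:
        print(f"[{f['severity']:6}] ppid={f['ppid']} target={f['target']} "
              f"takeown={f['takeown_pids']} grants={f['grants']}")
    print("mass re-ownership by parent(s):", parents_over_threshold(found))
```

To run this over real telemetry, map Sysmon's ProcessId, ParentProcessId, Image and CommandLine onto the pid, ppid, image and cmd keys; the grouping by parent is what separates this sample from a one-off administrative takeown, and the WoW64 normalisation keeps the System32 and SysWOW64 command-line variants from counting as different targets.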
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
-
C:\Windows\SysWOW64\crod.exe
Filesize
72KB
MD5
52546e1127487e7974fd844aa5bd03f6
SHA1
b042d031ca45dc4ec791127a0ffd9d1e8df7e709
SHA256
02fb5a71cc95ac3936883fd4578d83ecf8c56d5c735b9039e76a89937710ea48
SHA512
448512f62770ae677e0bb8c1d78299648d76a069417f806d5e27531cdd1b8391b2d3152f0b886f590fc2edaf465eec1ea3b66c260302e9dc279cde8fab6e337a
-
memory/212-139-0x0000000000000000-mapping.dmp
-
memory/752-168-0x0000000000000000-mapping.dmp
-
memory/764-137-0x0000000000000000-mapping.dmp
-
memory/864-160-0x0000000000000000-mapping.dmp
-
memory/1148-143-0x0000000000000000-mapping.dmp
-
memory/1276-165-0x0000000000000000-mapping.dmp
-
memory/1380-157-0x0000000000000000-mapping.dmp
-
memory/1752-156-0x0000000000000000-mapping.dmp
-
memory/1780-152-0x0000000000000000-mapping.dmp
-
memory/1936-151-0x0000000000000000-mapping.dmp
-
memory/2040-140-0x0000000000000000-mapping.dmp
-
memory/2248-148-0x0000000000000000-mapping.dmp
-
memory/2272-147-0x0000000000000000-mapping.dmp
-
memory/2280-154-0x0000000000000000-mapping.dmp
-
memory/2340-166-0x0000000000000000-mapping.dmp
-
memory/2344-164-0x0000000000000000-mapping.dmp
-
memory/2988-149-0x0000000000000000-mapping.dmp
-
memory/3452-161-0x0000000000000000-mapping.dmp
-
memory/3472-138-0x0000000000000000-mapping.dmp
-
memory/3776-141-0x0000000000000000-mapping.dmp
-
memory/4144-142-0x0000000000000000-mapping.dmp
-
memory/4200-167-0x0000000000000000-mapping.dmp
-
memory/4352-163-0x0000000000000000-mapping.dmp
-
memory/4396-145-0x0000000000000000-mapping.dmp
-
memory/4428-162-0x0000000000000000-mapping.dmp
-
memory/4444-150-0x0000000000000000-mapping.dmp
-
memory/4756-153-0x0000000000000000-mapping.dmp
-
memory/4864-159-0x0000000000000000-mapping.dmp
-
memory/4864-136-0x0000000000000000-mapping.dmp
-
memory/4876-146-0x0000000000000000-mapping.dmp
-
memory/5024-134-0x0000000000000000-mapping.dmp
-
memory/5044-158-0x0000000000000000-mapping.dmp
-
memory/5076-144-0x0000000000000000-mapping.dmp
-
memory/5104-155-0x0000000000000000-mapping.dmp