Analysis
- max time kernel: 70s
- max time network: 153s
- platform: windows10-2004_x64
- resource: win10v2004-20220901-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20220901-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 30-10-2022 17:52
Static task: static1
Behavioral task: behavioral1
- Sample: c923ede30305d1521c18de24237df6d583cef2598c17a16c54f3605e0a7deeaf.exe
- Resource: win7-20220812-en
General
- Target: c923ede30305d1521c18de24237df6d583cef2598c17a16c54f3605e0a7deeaf.exe
- Size: 72KB
- MD5: 81a13f9d7efa8f86332cb8f897df2a46
- SHA1: d0f11013eca20c750ae74456ed17fb2b010c5e23
- SHA256: c923ede30305d1521c18de24237df6d583cef2598c17a16c54f3605e0a7deeaf
- SHA512: 189cc022b5bbd0548f2d76790ed7460c33b84a6806ca37609a4a38372a7dc9ade677ec1b154a90d64988e0e8176180310fe24f707fb3a79924be99ecbcfb822d
- SSDEEP: 768:7h8akJlX0iPhUUqMtGUcwNttsvWTd9DO13rqMDs08PmXFwXxuFyQ/b11HzoN8Otx:7uaEvhUUFC3elPUCuFy+11cNXt47cL
Malware Config
Signatures
-
- Possible privilege escalation attempt (34 IoCs)
  Processes (pid, process):
  3364 icacls.exe
  4300 icacls.exe
  1280 takeown.exe
  3124 icacls.exe
  3616 icacls.exe
  1628 takeown.exe
  2832 icacls.exe
  1236 takeown.exe
  2768 takeown.exe
  1040 takeown.exe
  1900 icacls.exe
  2208 takeown.exe
  2060 takeown.exe
  3904 takeown.exe
  1668 takeown.exe
  228 takeown.exe
  5012 icacls.exe
  3316 icacls.exe
  1476 icacls.exe
  2420 takeown.exe
  332 icacls.exe
  1328 icacls.exe
  3516 icacls.exe
  4676 takeown.exe
  2160 takeown.exe
  1004 icacls.exe
  4872 icacls.exe
  1700 takeown.exe
  4288 icacls.exe
  3432 icacls.exe
  4028 takeown.exe
  4568 takeown.exe
  1736 takeown.exe
  3584 icacls.exe
- Modifies file permissions (1 TTPs, 34 IoCs)
  Processes (pid, process):
  3432 icacls.exe
  3364 icacls.exe
  4872 icacls.exe
  2060 takeown.exe
  3584 icacls.exe
  4300 icacls.exe
  3316 icacls.exe
  1700 takeown.exe
  2160 takeown.exe
  3904 takeown.exe
  1004 icacls.exe
  1236 takeown.exe
  4288 icacls.exe
  4568 takeown.exe
  228 takeown.exe
  2832 icacls.exe
  2420 takeown.exe
  1668 takeown.exe
  2768 takeown.exe
  1900 icacls.exe
  2208 takeown.exe
  1628 takeown.exe
  1736 takeown.exe
  332 icacls.exe
  3516 icacls.exe
  4028 takeown.exe
  1280 takeown.exe
  1040 takeown.exe
  3124 icacls.exe
  1328 icacls.exe
  3616 icacls.exe
  5012 icacls.exe
  4676 takeown.exe
  1476 icacls.exe
- Drops file in System32 directory (6 IoCs)
  Process: c923ede30305d1521c18de24237df6d583cef2598c17a16c54f3605e0a7deeaf.exe
  Description / IoC:
  File created: C:\Windows\SysWOW64\ngfs.exe
  File opened for modification: C:\Windows\SysWOW64\ngfs.exe
  File opened for modification: C:\Windows\SysWOW64\cmd.exe
  File opened for modification: C:\Windows\SysWOW64\ftp.exe
  File opened for modification: C:\Windows\SysWOW64\wscript.exe
  File opened for modification: C:\Windows\SysWOW64\cscript.exe
- Suspicious use of AdjustPrivilegeToken (16 IoCs)
  Description: Token: SeTakeOwnershipPrivilege
  Processes (pid, process), all takeown.exe:
  2060, 3904, 1736, 1236, 4676, 2420, 4028, 1668, 1280, 1700, 2768, 1040, 4568, 228, 2160, 2208
- Suspicious use of SetWindowsHookEx (1 IoCs)
  Process (pid, process): 2012 c923ede30305d1521c18de24237df6d583cef2598c17a16c54f3605e0a7deeaf.exe
- Suspicious use of WriteProcessMemory (64 IoCs)
  Source process: PID 2012 c923ede30305d1521c18de24237df6d583cef2598c17a16c54f3605e0a7deeaf.exe
  Description: PID 2012 wrote to memory of each target below. Every target is listed three times (three IoCs each) except the last, which is the 64th and final entry of the list.
  Target (pid, process):
  1628 takeown.exe
  5012 icacls.exe
  2060 takeown.exe
  2832 icacls.exe
  3904 takeown.exe
  1004 icacls.exe
  1736 takeown.exe
  3516 icacls.exe
  1236 takeown.exe
  3316 icacls.exe
  4676 takeown.exe
  1476 icacls.exe
  2420 takeown.exe
  3584 icacls.exe
  4028 takeown.exe
  4300 icacls.exe
  1668 takeown.exe
  4288 icacls.exe
  1280 takeown.exe
  3432 icacls.exe
  1700 takeown.exe
  3364 icacls.exe (listed once)
Processes
- C:\Users\Admin\AppData\Local\Temp\c923ede30305d1521c18de24237df6d583cef2598c17a16c54f3605e0a7deeaf.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\c923ede30305d1521c18de24237df6d583cef2598c17a16c54f3605e0a7deeaf.exe"
  - Drops file in System32 directory
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\takeown.exe
    Command line: C:\Windows\system32\takeown.exe /f "C:\Windows\system32\ngfs.exe"
    - Possible privilege escalation attempt
    - Modifies file permissions
  - C:\Windows\SysWOW64\icacls.exe
    Command line: C:\Windows\system32\icacls.exe "C:\Windows\system32\ngfs.exe" /grant SYSTEM:F
    - Possible privilege escalation attempt
    - Modifies file permissions
  - C:\Windows\SysWOW64\takeown.exe
    Command line: takeown.exe /f "C:\Windows\System32\cmd.exe"
    - Possible privilege escalation attempt
    - Modifies file permissions
    - Suspicious use of AdjustPrivilegeToken
  - C:\Windows\SysWOW64\icacls.exe
    Command line: icacls.exe "C:\Windows\System32\cmd.exe" /grant SYSTEM:F
    - Possible privilege escalation attempt
    - Modifies file permissions
  - C:\Windows\SysWOW64\takeown.exe
    Command line: takeown.exe /f "C:\Windows\System32\cmd.exe"
    - Possible privilege escalation attempt
    - Modifies file permissions
    - Suspicious use of AdjustPrivilegeToken
  - C:\Windows\SysWOW64\icacls.exe
    Command line: icacls.exe "C:\Windows\System32\cmd.exe" /grant SYSTEM:F
    - Possible privilege escalation attempt
    - Modifies file permissions
  - C:\Windows\SysWOW64\takeown.exe
    Command line: takeown.exe /f "C:\Windows\System32\ftp.exe"
    - Possible privilege escalation attempt
    - Modifies file permissions
    - Suspicious use of AdjustPrivilegeToken
  - C:\Windows\SysWOW64\icacls.exe
    Command line: icacls.exe "C:\Windows\System32\ftp.exe" /grant SYSTEM:F
    - Possible privilege escalation attempt
    - Modifies file permissions
  - C:\Windows\SysWOW64\takeown.exe
    Command line: takeown.exe /f "C:\Windows\System32\ftp.exe"
    - Possible privilege escalation attempt
    - Modifies file permissions
    - Suspicious use of AdjustPrivilegeToken
  - C:\Windows\SysWOW64\icacls.exe
    Command line: icacls.exe "C:\Windows\System32\ftp.exe" /grant SYSTEM:F
    - Possible privilege escalation attempt
    - Modifies file permissions
  - C:\Windows\SysWOW64\takeown.exe
    Command line: takeown.exe /f "C:\Windows\System32\wscript.exe"
    - Possible privilege escalation attempt
    - Modifies file permissions
    - Suspicious use of AdjustPrivilegeToken
  - C:\Windows\SysWOW64\icacls.exe
    Command line: icacls.exe "C:\Windows\System32\wscript.exe" /grant SYSTEM:F
    - Possible privilege escalation attempt
    - Modifies file permissions
  - C:\Windows\SysWOW64\takeown.exe
    Command line: takeown.exe /f "C:\Windows\System32\wscript.exe"
    - Possible privilege escalation attempt
    - Modifies file permissions
    - Suspicious use of AdjustPrivilegeToken
  - C:\Windows\SysWOW64\icacls.exe
    Command line: icacls.exe "C:\Windows\System32\wscript.exe" /grant SYSTEM:F
    - Possible privilege escalation attempt
    - Modifies file permissions
  - C:\Windows\SysWOW64\takeown.exe
    Command line: takeown.exe /f "C:\Windows\System32\cscript.exe"
    - Possible privilege escalation attempt
    - Modifies file permissions
    - Suspicious use of AdjustPrivilegeToken
  - C:\Windows\SysWOW64\icacls.exe
    Command line: icacls.exe "C:\Windows\System32\cscript.exe" /grant SYSTEM:F
    - Possible privilege escalation attempt
    - Modifies file permissions
  - C:\Windows\SysWOW64\takeown.exe
    Command line: takeown.exe /f "C:\Windows\System32\cscript.exe"
    - Possible privilege escalation attempt
    - Modifies file permissions
    - Suspicious use of AdjustPrivilegeToken
  - C:\Windows\SysWOW64\icacls.exe
    Command line: icacls.exe "C:\Windows\System32\cscript.exe" /grant SYSTEM:F
    - Possible privilege escalation attempt
    - Modifies file permissions
  - C:\Windows\SysWOW64\takeown.exe
    Command line: takeown.exe /f "C:\Windows\SysWOW64\cmd.exe"
    - Possible privilege escalation attempt
    - Modifies file permissions
    - Suspicious use of AdjustPrivilegeToken
  - C:\Windows\SysWOW64\icacls.exe
    Command line: icacls.exe "C:\Windows\SysWOW64\cmd.exe" /grant SYSTEM:F
    - Possible privilege escalation attempt
    - Modifies file permissions
  - C:\Windows\SysWOW64\takeown.exe
    Command line: takeown.exe /f "C:\Windows\SysWOW64\cmd.exe"
    - Possible privilege escalation attempt
    - Modifies file permissions
    - Suspicious use of AdjustPrivilegeToken
  - C:\Windows\SysWOW64\icacls.exe
    Command line: icacls.exe "C:\Windows\SysWOW64\cmd.exe" /grant SYSTEM:F
    - Possible privilege escalation attempt
    - Modifies file permissions
  - C:\Windows\SysWOW64\takeown.exe
    Command line: takeown.exe /f "C:\Windows\SysWOW64\ftp.exe"
    - Possible privilege escalation attempt
    - Modifies file permissions
    - Suspicious use of AdjustPrivilegeToken
  - C:\Windows\SysWOW64\icacls.exe
    Command line: icacls.exe "C:\Windows\SysWOW64\ftp.exe" /grant SYSTEM:F
    - Possible privilege escalation attempt
    - Modifies file permissions
  - C:\Windows\SysWOW64\takeown.exe
    Command line: takeown.exe /f "C:\Windows\SysWOW64\ftp.exe"
    - Possible privilege escalation attempt
    - Modifies file permissions
    - Suspicious use of AdjustPrivilegeToken
  - C:\Windows\SysWOW64\icacls.exe
    Command line: icacls.exe "C:\Windows\SysWOW64\ftp.exe" /grant SYSTEM:F
    - Possible privilege escalation attempt
    - Modifies file permissions
  - C:\Windows\SysWOW64\takeown.exe
    Command line: takeown.exe /f "C:\Windows\SysWOW64\wscript.exe"
    - Possible privilege escalation attempt
    - Modifies file permissions
    - Suspicious use of AdjustPrivilegeToken
  - C:\Windows\SysWOW64\icacls.exe
    Command line: icacls.exe "C:\Windows\SysWOW64\wscript.exe" /grant SYSTEM:F
    - Possible privilege escalation attempt
    - Modifies file permissions
  - C:\Windows\SysWOW64\takeown.exe
    Command line: takeown.exe /f "C:\Windows\SysWOW64\wscript.exe"
    - Possible privilege escalation attempt
    - Modifies file permissions
    - Suspicious use of AdjustPrivilegeToken
  - C:\Windows\SysWOW64\icacls.exe
    Command line: icacls.exe "C:\Windows\SysWOW64\wscript.exe" /grant SYSTEM:F
    - Possible privilege escalation attempt
    - Modifies file permissions
  - C:\Windows\SysWOW64\takeown.exe
    Command line: takeown.exe /f "C:\Windows\SysWOW64\cscript.exe"
    - Possible privilege escalation attempt
    - Modifies file permissions
    - Suspicious use of AdjustPrivilegeToken
  - C:\Windows\SysWOW64\icacls.exe
    Command line: icacls.exe "C:\Windows\SysWOW64\cscript.exe" /grant SYSTEM:F
    - Possible privilege escalation attempt
    - Modifies file permissions
  - C:\Windows\SysWOW64\takeown.exe
    Command line: takeown.exe /f "C:\Windows\SysWOW64\cscript.exe"
    - Possible privilege escalation attempt
    - Modifies file permissions
    - Suspicious use of AdjustPrivilegeToken
  - C:\Windows\SysWOW64\icacls.exe
    Command line: icacls.exe "C:\Windows\SysWOW64\cscript.exe" /grant SYSTEM:F
    - Possible privilege escalation attempt
    - Modifies file permissions
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Windows\SysWOW64\ngfs.exe
  Filesize: 72KB
  MD5: 81a13f9d7efa8f86332cb8f897df2a46
  SHA1: d0f11013eca20c750ae74456ed17fb2b010c5e23
  SHA256: c923ede30305d1521c18de24237df6d583cef2598c17a16c54f3605e0a7deeaf
  SHA512: 189cc022b5bbd0548f2d76790ed7460c33b84a6806ca37609a4a38372a7dc9ade677ec1b154a90d64988e0e8176180310fe24f707fb3a79924be99ecbcfb822d
- memory/228-163-0x0000000000000000-mapping.dmp
- memory/332-164-0x0000000000000000-mapping.dmp
- memory/1004-140-0x0000000000000000-mapping.dmp
- memory/1040-159-0x0000000000000000-mapping.dmp
- memory/1236-143-0x0000000000000000-mapping.dmp
- memory/1280-153-0x0000000000000000-mapping.dmp
- memory/1328-166-0x0000000000000000-mapping.dmp
- memory/1476-146-0x0000000000000000-mapping.dmp
- memory/1628-134-0x0000000000000000-mapping.dmp
- memory/1668-151-0x0000000000000000-mapping.dmp
- memory/1700-155-0x0000000000000000-mapping.dmp
- memory/1736-141-0x0000000000000000-mapping.dmp
- memory/1900-160-0x0000000000000000-mapping.dmp
- memory/2060-137-0x0000000000000000-mapping.dmp
- memory/2160-165-0x0000000000000000-mapping.dmp
- memory/2208-167-0x0000000000000000-mapping.dmp
- memory/2420-147-0x0000000000000000-mapping.dmp
- memory/2768-157-0x0000000000000000-mapping.dmp
- memory/2832-138-0x0000000000000000-mapping.dmp
- memory/3124-162-0x0000000000000000-mapping.dmp
- memory/3316-144-0x0000000000000000-mapping.dmp
- memory/3364-156-0x0000000000000000-mapping.dmp
- memory/3432-154-0x0000000000000000-mapping.dmp
- memory/3516-142-0x0000000000000000-mapping.dmp
- memory/3584-148-0x0000000000000000-mapping.dmp
- memory/3616-168-0x0000000000000000-mapping.dmp
- memory/3904-139-0x0000000000000000-mapping.dmp
- memory/4028-149-0x0000000000000000-mapping.dmp
- memory/4288-152-0x0000000000000000-mapping.dmp
- memory/4300-150-0x0000000000000000-mapping.dmp
- memory/4568-161-0x0000000000000000-mapping.dmp
- memory/4676-145-0x0000000000000000-mapping.dmp
- memory/4872-158-0x0000000000000000-mapping.dmp
- memory/5012-136-0x0000000000000000-mapping.dmp