Analysis
- max time kernel: 151s
- max time network: 172s
- platform: windows10-2004_x64
- resource: win10v2004-20220812-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 06-11-2022 23:42

Static task: static1
Behavioral task: behavioral1
- Sample: 738b8c86d83125e0c10d9b9a8ab36e46bff21735d507de043eeb7cd0fab924ec.exe
- Resource: win7-20220812-en
General
- Target: 738b8c86d83125e0c10d9b9a8ab36e46bff21735d507de043eeb7cd0fab924ec.exe
- Size: 72KB
- MD5: 0523877c4a35b31b83ed89f02709f550
- SHA1: 203e66c8236287fa259d82806ef18f217efedc02
- SHA256: 738b8c86d83125e0c10d9b9a8ab36e46bff21735d507de043eeb7cd0fab924ec
- SHA512: d2d380bca2fd249a8e50e2cba20419b78a65607325c7259671fa4bcdb68817bd3d6c9a7e0169bb72ebd02a47fdf0d37747ac3307bdcdf1a2abbe6b30419c8654
- SSDEEP: 1536:8KIXt6+UbOK/X51l6A2OG3rO23VIU/YuuVSQ3cAH:htbOgb2J3a23VIU/YuK3V
Malware Config
Signatures
- Possible privilege escalation attempt (34 IoCs)
- Modifies file permissions (1 TTP, 34 IoCs)
- Drops file in System32 directory (6 IoCs)
  Processes (description, IoC, process):
  - File created: C:\Windows\SysWOW64\jfjs.exe (738b8c86d83125e0c10d9b9a8ab36e46bff21735d507de043eeb7cd0fab924ec.exe)
  - File opened for modification: C:\Windows\SysWOW64\jfjs.exe (738b8c86d83125e0c10d9b9a8ab36e46bff21735d507de043eeb7cd0fab924ec.exe)
  - File opened for modification: C:\Windows\SysWOW64\cmd.exe (738b8c86d83125e0c10d9b9a8ab36e46bff21735d507de043eeb7cd0fab924ec.exe)
  - File opened for modification: C:\Windows\SysWOW64\ftp.exe (738b8c86d83125e0c10d9b9a8ab36e46bff21735d507de043eeb7cd0fab924ec.exe)
  - File opened for modification: C:\Windows\SysWOW64\wscript.exe (738b8c86d83125e0c10d9b9a8ab36e46bff21735d507de043eeb7cd0fab924ec.exe)
  - File opened for modification: C:\Windows\SysWOW64\cscript.exe (738b8c86d83125e0c10d9b9a8ab36e46bff21735d507de043eeb7cd0fab924ec.exe)
- Suspicious use of AdjustPrivilegeToken (16 IoCs)
  Processes: Token SeTakeOwnershipPrivilege enabled by takeown.exe, PIDs 4904, 804, 4436, 3916, 2524, 1604, 5020, 1004, 4756, 4788, 828, 3052, 2804, 992, 5076, 1656
- Suspicious use of SetWindowsHookEx (1 IoC)
  Processes: 738b8c86d83125e0c10d9b9a8ab36e46bff21735d507de043eeb7cd0fab924ec.exe (PID 704)
- Suspicious use of WriteProcessMemory (64 IoCs)
Processes
- C:\Users\Admin\AppData\Local\Temp\738b8c86d83125e0c10d9b9a8ab36e46bff21735d507de043eeb7cd0fab924ec.exe (PID 704, level 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\738b8c86d83125e0c10d9b9a8ab36e46bff21735d507de043eeb7cd0fab924ec.exe"
  Signatures:
  - Drops file in System32 directory
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  Child processes (level 2):
  - C:\Windows\SysWOW64\takeown.exe (PID 4180)
    Command line: C:\Windows\system32\takeown.exe /f "C:\Windows\system32\jfjs.exe"
    - Possible privilege escalation attempt
    - Modifies file permissions
  - C:\Windows\SysWOW64\icacls.exe (PID 4080)
    Command line: C:\Windows\system32\icacls.exe "C:\Windows\system32\jfjs.exe" /grant SYSTEM:F
    - Possible privilege escalation attempt
    - Modifies file permissions
  - C:\Windows\SysWOW64\takeown.exe (PID 4904)
    Command line: takeown.exe /f "C:\Windows\System32\cmd.exe"
    - Possible privilege escalation attempt
    - Modifies file permissions
    - Suspicious use of AdjustPrivilegeToken
  - C:\Windows\SysWOW64\icacls.exe (PID 4524)
    Command line: icacls.exe "C:\Windows\System32\cmd.exe" /grant SYSTEM:F
    - Possible privilege escalation attempt
    - Modifies file permissions
  - C:\Windows\SysWOW64\takeown.exe (PID 804)
    Command line: takeown.exe /f "C:\Windows\System32\cmd.exe"
    - Possible privilege escalation attempt
    - Modifies file permissions
    - Suspicious use of AdjustPrivilegeToken
  - C:\Windows\SysWOW64\icacls.exe (PID 3800)
    Command line: icacls.exe "C:\Windows\System32\cmd.exe" /grant SYSTEM:F
    - Possible privilege escalation attempt
    - Modifies file permissions
  - C:\Windows\SysWOW64\takeown.exe (PID 4436)
    Command line: takeown.exe /f "C:\Windows\System32\ftp.exe"
    - Possible privilege escalation attempt
    - Modifies file permissions
    - Suspicious use of AdjustPrivilegeToken
  - C:\Windows\SysWOW64\icacls.exe (PID 4960)
    Command line: icacls.exe "C:\Windows\System32\ftp.exe" /grant SYSTEM:F
    - Possible privilege escalation attempt
    - Modifies file permissions
  - C:\Windows\SysWOW64\takeown.exe (PID 3916)
    Command line: takeown.exe /f "C:\Windows\System32\ftp.exe"
    - Possible privilege escalation attempt
    - Modifies file permissions
    - Suspicious use of AdjustPrivilegeToken
  - C:\Windows\SysWOW64\icacls.exe (PID 4568)
    Command line: icacls.exe "C:\Windows\System32\ftp.exe" /grant SYSTEM:F
    - Possible privilege escalation attempt
    - Modifies file permissions
  - C:\Windows\SysWOW64\takeown.exe (PID 2524)
    Command line: takeown.exe /f "C:\Windows\System32\wscript.exe"
    - Possible privilege escalation attempt
    - Modifies file permissions
    - Suspicious use of AdjustPrivilegeToken
  - C:\Windows\SysWOW64\icacls.exe (PID 5024)
    Command line: icacls.exe "C:\Windows\System32\wscript.exe" /grant SYSTEM:F
    - Possible privilege escalation attempt
    - Modifies file permissions
  - C:\Windows\SysWOW64\takeown.exe (PID 1604)
    Command line: takeown.exe /f "C:\Windows\System32\wscript.exe"
    - Possible privilege escalation attempt
    - Modifies file permissions
    - Suspicious use of AdjustPrivilegeToken
  - C:\Windows\SysWOW64\icacls.exe (PID 1992)
    Command line: icacls.exe "C:\Windows\System32\wscript.exe" /grant SYSTEM:F
    - Possible privilege escalation attempt
    - Modifies file permissions
  - C:\Windows\SysWOW64\takeown.exe (PID 5020)
    Command line: takeown.exe /f "C:\Windows\System32\cscript.exe"
    - Possible privilege escalation attempt
    - Modifies file permissions
    - Suspicious use of AdjustPrivilegeToken
  - C:\Windows\SysWOW64\icacls.exe (PID 3148)
    Command line: icacls.exe "C:\Windows\System32\cscript.exe" /grant SYSTEM:F
    - Possible privilege escalation attempt
    - Modifies file permissions
  - C:\Windows\SysWOW64\takeown.exe (PID 1004)
    Command line: takeown.exe /f "C:\Windows\System32\cscript.exe"
    - Possible privilege escalation attempt
    - Modifies file permissions
    - Suspicious use of AdjustPrivilegeToken
  - C:\Windows\SysWOW64\icacls.exe (PID 4060)
    Command line: icacls.exe "C:\Windows\System32\cscript.exe" /grant SYSTEM:F
    - Possible privilege escalation attempt
    - Modifies file permissions
  - C:\Windows\SysWOW64\takeown.exe (PID 4756)
    Command line: takeown.exe /f "C:\Windows\SysWOW64\cmd.exe"
    - Possible privilege escalation attempt
    - Modifies file permissions
    - Suspicious use of AdjustPrivilegeToken
  - C:\Windows\SysWOW64\icacls.exe (PID 4940)
    Command line: icacls.exe "C:\Windows\SysWOW64\cmd.exe" /grant SYSTEM:F
    - Possible privilege escalation attempt
    - Modifies file permissions
  - C:\Windows\SysWOW64\takeown.exe (PID 4788)
    Command line: takeown.exe /f "C:\Windows\SysWOW64\cmd.exe"
    - Possible privilege escalation attempt
    - Modifies file permissions
    - Suspicious use of AdjustPrivilegeToken
  - C:\Windows\SysWOW64\icacls.exe (PID 3096)
    Command line: icacls.exe "C:\Windows\SysWOW64\cmd.exe" /grant SYSTEM:F
    - Possible privilege escalation attempt
    - Modifies file permissions
  - C:\Windows\SysWOW64\takeown.exe (PID 828)
    Command line: takeown.exe /f "C:\Windows\SysWOW64\ftp.exe"
    - Possible privilege escalation attempt
    - Modifies file permissions
    - Suspicious use of AdjustPrivilegeToken
  - C:\Windows\SysWOW64\icacls.exe (PID 4320)
    Command line: icacls.exe "C:\Windows\SysWOW64\ftp.exe" /grant SYSTEM:F
    - Possible privilege escalation attempt
    - Modifies file permissions
  - C:\Windows\SysWOW64\takeown.exe (PID 3052)
    Command line: takeown.exe /f "C:\Windows\SysWOW64\ftp.exe"
    - Possible privilege escalation attempt
    - Modifies file permissions
    - Suspicious use of AdjustPrivilegeToken
  - C:\Windows\SysWOW64\icacls.exe (PID 5068)
    Command line: icacls.exe "C:\Windows\SysWOW64\ftp.exe" /grant SYSTEM:F
    - Possible privilege escalation attempt
    - Modifies file permissions
  - C:\Windows\SysWOW64\takeown.exe (PID 2804)
    Command line: takeown.exe /f "C:\Windows\SysWOW64\wscript.exe"
    - Possible privilege escalation attempt
    - Modifies file permissions
    - Suspicious use of AdjustPrivilegeToken
  - C:\Windows\SysWOW64\icacls.exe (PID 4336)
    Command line: icacls.exe "C:\Windows\SysWOW64\wscript.exe" /grant SYSTEM:F
    - Possible privilege escalation attempt
    - Modifies file permissions
  - C:\Windows\SysWOW64\takeown.exe (PID 992)
    Command line: takeown.exe /f "C:\Windows\SysWOW64\wscript.exe"
    - Possible privilege escalation attempt
    - Modifies file permissions
    - Suspicious use of AdjustPrivilegeToken
  - C:\Windows\SysWOW64\icacls.exe (PID 3988)
    Command line: icacls.exe "C:\Windows\SysWOW64\wscript.exe" /grant SYSTEM:F
    - Possible privilege escalation attempt
    - Modifies file permissions
  - C:\Windows\SysWOW64\takeown.exe (PID 5076)
    Command line: takeown.exe /f "C:\Windows\SysWOW64\cscript.exe"
    - Possible privilege escalation attempt
    - Modifies file permissions
    - Suspicious use of AdjustPrivilegeToken
  - C:\Windows\SysWOW64\icacls.exe (PID 3308)
    Command line: icacls.exe "C:\Windows\SysWOW64\cscript.exe" /grant SYSTEM:F
    - Possible privilege escalation attempt
    - Modifies file permissions
  - C:\Windows\SysWOW64\takeown.exe (PID 1656)
    Command line: takeown.exe /f "C:\Windows\SysWOW64\cscript.exe"
    - Possible privilege escalation attempt
    - Modifies file permissions
    - Suspicious use of AdjustPrivilegeToken
  - C:\Windows\SysWOW64\icacls.exe (PID 5060)
    Command line: icacls.exe "C:\Windows\SysWOW64\cscript.exe" /grant SYSTEM:F
    - Possible privilege escalation attempt
    - Modifies file permissions
Network
MITRE ATT&CK Enterprise v6
Downloads
- C:\Windows\SysWOW64\jfjs.exe
  Filesize: 72KB
  MD5: 0523877c4a35b31b83ed89f02709f550
  SHA1: 203e66c8236287fa259d82806ef18f217efedc02
  SHA256: 738b8c86d83125e0c10d9b9a8ab36e46bff21735d507de043eeb7cd0fab924ec
  SHA512: d2d380bca2fd249a8e50e2cba20419b78a65607325c7259671fa4bcdb68817bd3d6c9a7e0169bb72ebd02a47fdf0d37747ac3307bdcdf1a2abbe6b30419c8654