Analysis
- max time kernel: 132s
- max time network: 150s
- platform: windows10-2004_x64
- resource: win10v2004-20220812-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 06-11-2022 23:48
- Static task: static1
- Behavioral task: behavioral1
- Sample: 513808703a00e0b38fc1ef602ba886376df73382ba3d55f4a5833deac0a47589.exe
- Resource: win7-20220812-en
General
- Target: 513808703a00e0b38fc1ef602ba886376df73382ba3d55f4a5833deac0a47589.exe
- Size: 68KB
- MD5: 07f781b7f328b7fbe798c6535c2be631
- SHA1: dbd59d57a2af6b7e16ac3c599ff35870583ff641
- SHA256: 513808703a00e0b38fc1ef602ba886376df73382ba3d55f4a5833deac0a47589
- SHA512: b35d7b13275e46fbad29e0344d5e9f9c47fc320541e34f864909c257ec7904549b603adc67ad78716575104f6f767961a421c179b72bacb93b9b10608bc3701d
- SSDEEP: 768:gZICV1mYUjoFag/dOTyqC83SMzjGzBccOBb66DeUpmDo3/hmKNvUd0A+oTnXL:gZz1qC8rjGucOBO6tYEPqK/ozL
Malware Config
Signatures
- Possible privilege escalation attempt (34 IoCs)
  Processes (pid, process):
  takeown.exe: 416, 1020, 1132, 1692, 2124, 2252, 2792, 3256, 3504, 3524, 3828, 3872, 4116, 4160, 4180, 4496, 5088
  icacls.exe: 1640, 1808, 1824, 2464, 2584, 3264, 3304, 3952, 4004, 4084, 4244, 4560, 4624, 4648, 4660, 4788, 4896
- Modifies file permissions (1 TTPs, 34 IoCs)
  Processes (pid, process):
  takeown.exe: 416, 1020, 1132, 1692, 2124, 2252, 2792, 3256, 3504, 3524, 3828, 3872, 4116, 4160, 4180, 4496, 5088
  icacls.exe: 1640, 1808, 1824, 2464, 2584, 3264, 3304, 3952, 4004, 4084, 4244, 4560, 4624, 4648, 4660, 4788, 4896
- Drops file in System32 directory (6 IoCs)
  Process: 513808703a00e0b38fc1ef602ba886376df73382ba3d55f4a5833deac0a47589.exe
  - File opened for modification: C:\Windows\SysWOW64\wscript.exe
  - File opened for modification: C:\Windows\SysWOW64\cscript.exe
  - File created: C:\Windows\SysWOW64\bdnos.exe
  - File opened for modification: C:\Windows\SysWOW64\bdnos.exe
  - File opened for modification: C:\Windows\SysWOW64\cmd.exe
  - File opened for modification: C:\Windows\SysWOW64\ftp.exe
- Suspicious use of AdjustPrivilegeToken (16 IoCs)
  Token: SeTakeOwnershipPrivilege, enabled by takeown.exe in the following pids:
  416, 1020, 1132, 1692, 2124, 2252, 2792, 3256, 3504, 3524, 3828, 3872, 4116, 4160, 4180, 5088
- Suspicious use of SetWindowsHookEx (1 IoCs)
  pid 2168: 513808703a00e0b38fc1ef602ba886376df73382ba3d55f4a5833deac0a47589.exe
- Suspicious use of WriteProcessMemory (64 IoCs)
  Source: PID 2168 (513808703a00e0b38fc1ef602ba886376df73382ba3d55f4a5833deac0a47589.exe) wrote to the memory of each target process below three times, in this order; the report caps the list at 64 events, so the last target shows only one event:
  4496 takeown.exe (3), 4896 icacls.exe (3), 3524 takeown.exe (3), 4648 icacls.exe (3), 3828 takeown.exe (3), 3264 icacls.exe (3), 4180 takeown.exe (3), 4244 icacls.exe (3), 1132 takeown.exe (3), 3952 icacls.exe (3), 3256 takeown.exe (3), 1640 icacls.exe (3), 4116 takeown.exe (3), 1808 icacls.exe (3), 2124 takeown.exe (3), 3304 icacls.exe (3), 4160 takeown.exe (3), 2584 icacls.exe (3), 5088 takeown.exe (3), 4084 icacls.exe (3), 1020 takeown.exe (3), 4788 icacls.exe (1)
Processes
- C:\Users\Admin\AppData\Local\Temp\513808703a00e0b38fc1ef602ba886376df73382ba3d55f4a5833deac0a47589.exe (level 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\513808703a00e0b38fc1ef602ba886376df73382ba3d55f4a5833deac0a47589.exe"
  - Drops file in System32 directory
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  Child processes (level 2):
  - C:\Windows\SysWOW64\takeown.exe
    Command line: C:\Windows\system32\takeown.exe /f "C:\Windows\system32\bdnos.exe"
    - Possible privilege escalation attempt
    - Modifies file permissions
  - C:\Windows\SysWOW64\icacls.exe
    Command line: C:\Windows\system32\icacls.exe "C:\Windows\system32\bdnos.exe" /grant SYSTEM:F
    - Possible privilege escalation attempt
    - Modifies file permissions
  - C:\Windows\SysWOW64\takeown.exe
    Command line: takeown.exe /f "C:\Windows\System32\cmd.exe"
    - Possible privilege escalation attempt
    - Modifies file permissions
    - Suspicious use of AdjustPrivilegeToken
  - C:\Windows\SysWOW64\icacls.exe
    Command line: icacls.exe "C:\Windows\System32\cmd.exe" /grant SYSTEM:F
    - Possible privilege escalation attempt
    - Modifies file permissions
  - C:\Windows\SysWOW64\takeown.exe
    Command line: takeown.exe /f "C:\Windows\System32\cmd.exe"
    - Possible privilege escalation attempt
    - Modifies file permissions
    - Suspicious use of AdjustPrivilegeToken
  - C:\Windows\SysWOW64\icacls.exe
    Command line: icacls.exe "C:\Windows\System32\cmd.exe" /grant SYSTEM:F
    - Possible privilege escalation attempt
    - Modifies file permissions
  - C:\Windows\SysWOW64\takeown.exe
    Command line: takeown.exe /f "C:\Windows\System32\ftp.exe"
    - Possible privilege escalation attempt
    - Modifies file permissions
    - Suspicious use of AdjustPrivilegeToken
  - C:\Windows\SysWOW64\icacls.exe
    Command line: icacls.exe "C:\Windows\System32\ftp.exe" /grant SYSTEM:F
    - Possible privilege escalation attempt
    - Modifies file permissions
  - C:\Windows\SysWOW64\takeown.exe
    Command line: takeown.exe /f "C:\Windows\System32\ftp.exe"
    - Possible privilege escalation attempt
    - Modifies file permissions
    - Suspicious use of AdjustPrivilegeToken
  - C:\Windows\SysWOW64\icacls.exe
    Command line: icacls.exe "C:\Windows\System32\ftp.exe" /grant SYSTEM:F
    - Possible privilege escalation attempt
    - Modifies file permissions
  - C:\Windows\SysWOW64\takeown.exe
    Command line: takeown.exe /f "C:\Windows\System32\wscript.exe"
    - Possible privilege escalation attempt
    - Modifies file permissions
    - Suspicious use of AdjustPrivilegeToken
  - C:\Windows\SysWOW64\icacls.exe
    Command line: icacls.exe "C:\Windows\System32\wscript.exe" /grant SYSTEM:F
    - Possible privilege escalation attempt
    - Modifies file permissions
  - C:\Windows\SysWOW64\takeown.exe
    Command line: takeown.exe /f "C:\Windows\System32\wscript.exe"
    - Possible privilege escalation attempt
    - Modifies file permissions
    - Suspicious use of AdjustPrivilegeToken
  - C:\Windows\SysWOW64\icacls.exe
    Command line: icacls.exe "C:\Windows\System32\wscript.exe" /grant SYSTEM:F
    - Possible privilege escalation attempt
    - Modifies file permissions
  - C:\Windows\SysWOW64\takeown.exe
    Command line: takeown.exe /f "C:\Windows\System32\cscript.exe"
    - Possible privilege escalation attempt
    - Modifies file permissions
    - Suspicious use of AdjustPrivilegeToken
  - C:\Windows\SysWOW64\icacls.exe
    Command line: icacls.exe "C:\Windows\System32\cscript.exe" /grant SYSTEM:F
    - Possible privilege escalation attempt
    - Modifies file permissions
  - C:\Windows\SysWOW64\takeown.exe
    Command line: takeown.exe /f "C:\Windows\System32\cscript.exe"
    - Possible privilege escalation attempt
    - Modifies file permissions
    - Suspicious use of AdjustPrivilegeToken
  - C:\Windows\SysWOW64\icacls.exe
    Command line: icacls.exe "C:\Windows\System32\cscript.exe" /grant SYSTEM:F
    - Possible privilege escalation attempt
    - Modifies file permissions
  - C:\Windows\SysWOW64\takeown.exe
    Command line: takeown.exe /f "C:\Windows\SysWOW64\cmd.exe"
    - Possible privilege escalation attempt
    - Modifies file permissions
    - Suspicious use of AdjustPrivilegeToken
  - C:\Windows\SysWOW64\icacls.exe
    Command line: icacls.exe "C:\Windows\SysWOW64\cmd.exe" /grant SYSTEM:F
    - Possible privilege escalation attempt
    - Modifies file permissions
  - C:\Windows\SysWOW64\takeown.exe
    Command line: takeown.exe /f "C:\Windows\SysWOW64\cmd.exe"
    - Possible privilege escalation attempt
    - Modifies file permissions
    - Suspicious use of AdjustPrivilegeToken
  - C:\Windows\SysWOW64\icacls.exe
    Command line: icacls.exe "C:\Windows\SysWOW64\cmd.exe" /grant SYSTEM:F
    - Possible privilege escalation attempt
    - Modifies file permissions
  - C:\Windows\SysWOW64\takeown.exe
    Command line: takeown.exe /f "C:\Windows\SysWOW64\ftp.exe"
    - Possible privilege escalation attempt
    - Modifies file permissions
    - Suspicious use of AdjustPrivilegeToken
  - C:\Windows\SysWOW64\icacls.exe
    Command line: icacls.exe "C:\Windows\SysWOW64\ftp.exe" /grant SYSTEM:F
    - Possible privilege escalation attempt
    - Modifies file permissions
  - C:\Windows\SysWOW64\takeown.exe
    Command line: takeown.exe /f "C:\Windows\SysWOW64\ftp.exe"
    - Possible privilege escalation attempt
    - Modifies file permissions
    - Suspicious use of AdjustPrivilegeToken
  - C:\Windows\SysWOW64\icacls.exe
    Command line: icacls.exe "C:\Windows\SysWOW64\ftp.exe" /grant SYSTEM:F
    - Possible privilege escalation attempt
    - Modifies file permissions
  - C:\Windows\SysWOW64\takeown.exe
    Command line: takeown.exe /f "C:\Windows\SysWOW64\wscript.exe"
    - Possible privilege escalation attempt
    - Modifies file permissions
    - Suspicious use of AdjustPrivilegeToken
  - C:\Windows\SysWOW64\icacls.exe
    Command line: icacls.exe "C:\Windows\SysWOW64\wscript.exe" /grant SYSTEM:F
    - Possible privilege escalation attempt
    - Modifies file permissions
  - C:\Windows\SysWOW64\takeown.exe
    Command line: takeown.exe /f "C:\Windows\SysWOW64\wscript.exe"
    - Possible privilege escalation attempt
    - Modifies file permissions
    - Suspicious use of AdjustPrivilegeToken
  - C:\Windows\SysWOW64\icacls.exe
    Command line: icacls.exe "C:\Windows\SysWOW64\wscript.exe" /grant SYSTEM:F
    - Possible privilege escalation attempt
    - Modifies file permissions
  - C:\Windows\SysWOW64\takeown.exe
    Command line: takeown.exe /f "C:\Windows\SysWOW64\cscript.exe"
    - Possible privilege escalation attempt
    - Modifies file permissions
    - Suspicious use of AdjustPrivilegeToken
  - C:\Windows\SysWOW64\icacls.exe
    Command line: icacls.exe "C:\Windows\SysWOW64\cscript.exe" /grant SYSTEM:F
    - Possible privilege escalation attempt
    - Modifies file permissions
  - C:\Windows\SysWOW64\takeown.exe
    Command line: takeown.exe /f "C:\Windows\SysWOW64\cscript.exe"
    - Possible privilege escalation attempt
    - Modifies file permissions
    - Suspicious use of AdjustPrivilegeToken
  - C:\Windows\SysWOW64\icacls.exe
    Command line: icacls.exe "C:\Windows\SysWOW64\cscript.exe" /grant SYSTEM:F
    - Possible privilege escalation attempt
    - Modifies file permissions
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Windows\SysWOW64\bdnos.exe
  Filesize: 68KB
  MD5: 07f781b7f328b7fbe798c6535c2be631
  SHA1: dbd59d57a2af6b7e16ac3c599ff35870583ff641
  SHA256: 513808703a00e0b38fc1ef602ba886376df73382ba3d55f4a5833deac0a47589
  SHA512: b35d7b13275e46fbad29e0344d5e9f9c47fc320541e34f864909c257ec7904549b603adc67ad78716575104f6f767961a421c179b72bacb93b9b10608bc3701d
- memory/416-161-0x0000000000000000-mapping.dmp
- memory/1020-155-0x0000000000000000-mapping.dmp
- memory/1132-143-0x0000000000000000-mapping.dmp
- memory/1640-146-0x0000000000000000-mapping.dmp
- memory/1692-157-0x0000000000000000-mapping.dmp
- memory/1808-148-0x0000000000000000-mapping.dmp
- memory/1824-168-0x0000000000000000-mapping.dmp
- memory/2124-149-0x0000000000000000-mapping.dmp
- memory/2252-159-0x0000000000000000-mapping.dmp
- memory/2464-158-0x0000000000000000-mapping.dmp
- memory/2584-152-0x0000000000000000-mapping.dmp
- memory/2792-167-0x0000000000000000-mapping.dmp
- memory/3256-145-0x0000000000000000-mapping.dmp
- memory/3264-140-0x0000000000000000-mapping.dmp
- memory/3304-150-0x0000000000000000-mapping.dmp
- memory/3504-165-0x0000000000000000-mapping.dmp
- memory/3524-137-0x0000000000000000-mapping.dmp
- memory/3828-139-0x0000000000000000-mapping.dmp
- memory/3872-163-0x0000000000000000-mapping.dmp
- memory/3952-144-0x0000000000000000-mapping.dmp
- memory/4004-162-0x0000000000000000-mapping.dmp
- memory/4084-154-0x0000000000000000-mapping.dmp
- memory/4116-147-0x0000000000000000-mapping.dmp
- memory/4160-151-0x0000000000000000-mapping.dmp
- memory/4180-141-0x0000000000000000-mapping.dmp
- memory/4244-142-0x0000000000000000-mapping.dmp
- memory/4496-134-0x0000000000000000-mapping.dmp
- memory/4560-166-0x0000000000000000-mapping.dmp
- memory/4624-160-0x0000000000000000-mapping.dmp
- memory/4648-138-0x0000000000000000-mapping.dmp
- memory/4660-164-0x0000000000000000-mapping.dmp
- memory/4788-156-0x0000000000000000-mapping.dmp
- memory/4896-136-0x0000000000000000-mapping.dmp
- memory/5088-153-0x0000000000000000-mapping.dmp