Analysis
- max time kernel: 111s
- max time network: 116s
- platform: windows10-2004_x64
- resource: win10v2004-20220901-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20220901-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 06-11-2022 08:14

Static task: static1
Behavioral task: behavioral1
Sample: 88910625e9bb34b1b14ceff82510148c15e0f65c31d194fdd9aa8d6a245b0e29.exe
Resource: win7-20220812-en
General
- Target: 88910625e9bb34b1b14ceff82510148c15e0f65c31d194fdd9aa8d6a245b0e29.exe
- Size: 72KB
- MD5: 09ca2311b84a66711318fb4d2b05b8f6
- SHA1: a82a0de4ca864ebf874a36becbac8df16d222d2f
- SHA256: 88910625e9bb34b1b14ceff82510148c15e0f65c31d194fdd9aa8d6a245b0e29
- SHA512: 8c796b44ae5938e2a4dee734fa607e0b49ff1ca61a29f7b76ea6294ae193e2464cffaefb845d69e00f87d0edd62f9944ed1e2d0280b22a80d5d506ff7a3141f1
- SSDEEP: 1536:+Uxl6Y7CJR5Dk4luQAqxkK+y0MWlK+/qItu/:++g7kSan9VIN/
Malware Config
Signatures
- Possible privilege escalation attempt (34 IoCs)
  Processes (pid, process):
  takeown.exe: 3804, 2148, 3128, 4808, 4424, 4596, 3448, 3508, 3164, 4080, 4948, 1180, 2372, 4756, 1392, 2104, 1360
  icacls.exe: 1960, 2360, 2440, 4344, 3432, 1092, 1680, 4020, 1816, 1060, 1508, 4608, 1100, 3428, 4224, 3696, 3156
- Modifies file permissions (1 TTP, 34 IoCs)
  Processes (pid, process):
  takeown.exe: 4948, 2372, 1392, 4080, 3128, 2104, 4424, 4596, 4756, 1180, 1360, 2148, 3508, 3164, 4808, 3804, 3448
  icacls.exe: 4344, 4608, 3156, 2360, 3432, 1092, 1680, 4224, 1060, 3428, 4020, 3696, 1508, 1816, 1100, 1960, 2440
- Drops file in System32 directory (6 IoCs)
  Process: 88910625e9bb34b1b14ceff82510148c15e0f65c31d194fdd9aa8d6a245b0e29.exe
  - File opened for modification: C:\Windows\SysWOW64\vitc.exe
  - File opened for modification: C:\Windows\SysWOW64\cmd.exe
  - File opened for modification: C:\Windows\SysWOW64\ftp.exe
  - File opened for modification: C:\Windows\SysWOW64\wscript.exe
  - File opened for modification: C:\Windows\SysWOW64\cscript.exe
  - File created: C:\Windows\SysWOW64\vitc.exe
- Suspicious use of AdjustPrivilegeToken (16 IoCs)
  Token: SeTakeOwnershipPrivilege, enabled by takeown.exe PIDs 4808, 4080, 4756, 1392, 2148, 3448, 4948, 2104, 4424, 3128, 4596, 3508, 1180, 3164, 2372, 1360
- Suspicious use of SetWindowsHookEx (1 IoC)
  Process: PID 4972, 88910625e9bb34b1b14ceff82510148c15e0f65c31d194fdd9aa8d6a245b0e29.exe
- Suspicious use of WriteProcessMemory (64 IoCs)
  Source: PID 4972, 88910625e9bb34b1b14ceff82510148c15e0f65c31d194fdd9aa8d6a245b0e29.exe
  Target processes (each written to three times, in order): 3804 takeown.exe, 4608 icacls.exe, 4808 takeown.exe, 1960 icacls.exe, 4080 takeown.exe, 3156 icacls.exe, 4756 takeown.exe, 1816 icacls.exe, 1392 takeown.exe, 1100 icacls.exe, 2148 takeown.exe, 1060 icacls.exe, 3448 takeown.exe, 1092 icacls.exe, 4948 takeown.exe, 3428 icacls.exe, 2104 takeown.exe, 1680 icacls.exe, 4424 takeown.exe, 4344 icacls.exe, 3128 takeown.exe, 4224 icacls.exe (the report lists only the first 64 entries, so the last target appears once)
Processes
Note: the child processes run from C:\Windows\SysWOW64, i.e. the sample is a 32-bit process, so its references to C:\Windows\system32\ are redirected by WOW64 file system redirection; the files whose ownership and ACLs are changed are the SysWOW64 copies, which matches the paths recorded under "Drops file in System32 directory".

- C:\Users\Admin\AppData\Local\Temp\88910625e9bb34b1b14ceff82510148c15e0f65c31d194fdd9aa8d6a245b0e29.exe (level 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\88910625e9bb34b1b14ceff82510148c15e0f65c31d194fdd9aa8d6a245b0e29.exe"
  - Drops file in System32 directory
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\takeown.exe (level 2)
    Command line: C:\Windows\system32\takeown.exe /f "C:\Windows\system32\vitc.exe"
    - Possible privilege escalation attempt
    - Modifies file permissions
  - C:\Windows\SysWOW64\icacls.exe (level 2)
    Command line: C:\Windows\system32\icacls.exe "C:\Windows\system32\vitc.exe" /grant SYSTEM:F
    - Possible privilege escalation attempt
    - Modifies file permissions
  - C:\Windows\SysWOW64\takeown.exe (level 2)
    Command line: takeown.exe /f "C:\Windows\System32\cmd.exe"
    - Possible privilege escalation attempt
    - Modifies file permissions
    - Suspicious use of AdjustPrivilegeToken
  - C:\Windows\SysWOW64\icacls.exe (level 2)
    Command line: icacls.exe "C:\Windows\System32\cmd.exe" /grant SYSTEM:F
    - Possible privilege escalation attempt
    - Modifies file permissions
  - C:\Windows\SysWOW64\takeown.exe (level 2)
    Command line: takeown.exe /f "C:\Windows\System32\cmd.exe"
    - Possible privilege escalation attempt
    - Modifies file permissions
    - Suspicious use of AdjustPrivilegeToken
  - C:\Windows\SysWOW64\icacls.exe (level 2)
    Command line: icacls.exe "C:\Windows\System32\cmd.exe" /grant SYSTEM:F
    - Possible privilege escalation attempt
    - Modifies file permissions
  - C:\Windows\SysWOW64\takeown.exe (level 2)
    Command line: takeown.exe /f "C:\Windows\System32\ftp.exe"
    - Possible privilege escalation attempt
    - Modifies file permissions
    - Suspicious use of AdjustPrivilegeToken
  - C:\Windows\SysWOW64\icacls.exe (level 2)
    Command line: icacls.exe "C:\Windows\System32\ftp.exe" /grant SYSTEM:F
    - Possible privilege escalation attempt
    - Modifies file permissions
  - C:\Windows\SysWOW64\takeown.exe (level 2)
    Command line: takeown.exe /f "C:\Windows\System32\ftp.exe"
    - Possible privilege escalation attempt
    - Modifies file permissions
    - Suspicious use of AdjustPrivilegeToken
  - C:\Windows\SysWOW64\icacls.exe (level 2)
    Command line: icacls.exe "C:\Windows\System32\ftp.exe" /grant SYSTEM:F
    - Possible privilege escalation attempt
    - Modifies file permissions
  - C:\Windows\SysWOW64\takeown.exe (level 2)
    Command line: takeown.exe /f "C:\Windows\System32\wscript.exe"
    - Possible privilege escalation attempt
    - Modifies file permissions
    - Suspicious use of AdjustPrivilegeToken
  - C:\Windows\SysWOW64\icacls.exe (level 2)
    Command line: icacls.exe "C:\Windows\System32\wscript.exe" /grant SYSTEM:F
    - Possible privilege escalation attempt
    - Modifies file permissions
  - C:\Windows\SysWOW64\takeown.exe (level 2)
    Command line: takeown.exe /f "C:\Windows\System32\wscript.exe"
    - Possible privilege escalation attempt
    - Modifies file permissions
    - Suspicious use of AdjustPrivilegeToken
  - C:\Windows\SysWOW64\icacls.exe (level 2)
    Command line: icacls.exe "C:\Windows\System32\wscript.exe" /grant SYSTEM:F
    - Possible privilege escalation attempt
    - Modifies file permissions
  - C:\Windows\SysWOW64\takeown.exe (level 2)
    Command line: takeown.exe /f "C:\Windows\System32\cscript.exe"
    - Possible privilege escalation attempt
    - Modifies file permissions
    - Suspicious use of AdjustPrivilegeToken
  - C:\Windows\SysWOW64\icacls.exe (level 2)
    Command line: icacls.exe "C:\Windows\System32\cscript.exe" /grant SYSTEM:F
    - Possible privilege escalation attempt
    - Modifies file permissions
  - C:\Windows\SysWOW64\takeown.exe (level 2)
    Command line: takeown.exe /f "C:\Windows\System32\cscript.exe"
    - Possible privilege escalation attempt
    - Modifies file permissions
    - Suspicious use of AdjustPrivilegeToken
  - C:\Windows\SysWOW64\icacls.exe (level 2)
    Command line: icacls.exe "C:\Windows\System32\cscript.exe" /grant SYSTEM:F
    - Possible privilege escalation attempt
    - Modifies file permissions
  - C:\Windows\SysWOW64\takeown.exe (level 2)
    Command line: takeown.exe /f "C:\Windows\SysWOW64\cmd.exe"
    - Possible privilege escalation attempt
    - Modifies file permissions
    - Suspicious use of AdjustPrivilegeToken
  - C:\Windows\SysWOW64\icacls.exe (level 2)
    Command line: icacls.exe "C:\Windows\SysWOW64\cmd.exe" /grant SYSTEM:F
    - Possible privilege escalation attempt
    - Modifies file permissions
  - C:\Windows\SysWOW64\takeown.exe (level 2)
    Command line: takeown.exe /f "C:\Windows\SysWOW64\cmd.exe"
    - Possible privilege escalation attempt
    - Modifies file permissions
    - Suspicious use of AdjustPrivilegeToken
  - C:\Windows\SysWOW64\icacls.exe (level 2)
    Command line: icacls.exe "C:\Windows\SysWOW64\cmd.exe" /grant SYSTEM:F
    - Possible privilege escalation attempt
    - Modifies file permissions
  - C:\Windows\SysWOW64\takeown.exe (level 2)
    Command line: takeown.exe /f "C:\Windows\SysWOW64\ftp.exe"
    - Possible privilege escalation attempt
    - Modifies file permissions
    - Suspicious use of AdjustPrivilegeToken
  - C:\Windows\SysWOW64\icacls.exe (level 2)
    Command line: icacls.exe "C:\Windows\SysWOW64\ftp.exe" /grant SYSTEM:F
    - Possible privilege escalation attempt
    - Modifies file permissions
  - C:\Windows\SysWOW64\takeown.exe (level 2)
    Command line: takeown.exe /f "C:\Windows\SysWOW64\ftp.exe"
    - Possible privilege escalation attempt
    - Modifies file permissions
    - Suspicious use of AdjustPrivilegeToken
  - C:\Windows\SysWOW64\icacls.exe (level 2)
    Command line: icacls.exe "C:\Windows\SysWOW64\ftp.exe" /grant SYSTEM:F
    - Possible privilege escalation attempt
    - Modifies file permissions
  - C:\Windows\SysWOW64\takeown.exe (level 2)
    Command line: takeown.exe /f "C:\Windows\SysWOW64\wscript.exe"
    - Possible privilege escalation attempt
    - Modifies file permissions
    - Suspicious use of AdjustPrivilegeToken
  - C:\Windows\SysWOW64\icacls.exe (level 2)
    Command line: icacls.exe "C:\Windows\SysWOW64\wscript.exe" /grant SYSTEM:F
    - Possible privilege escalation attempt
    - Modifies file permissions
  - C:\Windows\SysWOW64\takeown.exe (level 2)
    Command line: takeown.exe /f "C:\Windows\SysWOW64\wscript.exe"
    - Possible privilege escalation attempt
    - Modifies file permissions
    - Suspicious use of AdjustPrivilegeToken
  - C:\Windows\SysWOW64\icacls.exe (level 2)
    Command line: icacls.exe "C:\Windows\SysWOW64\wscript.exe" /grant SYSTEM:F
    - Possible privilege escalation attempt
    - Modifies file permissions
  - C:\Windows\SysWOW64\takeown.exe (level 2)
    Command line: takeown.exe /f "C:\Windows\SysWOW64\cscript.exe"
    - Possible privilege escalation attempt
    - Modifies file permissions
    - Suspicious use of AdjustPrivilegeToken
  - C:\Windows\SysWOW64\icacls.exe (level 2)
    Command line: icacls.exe "C:\Windows\SysWOW64\cscript.exe" /grant SYSTEM:F
    - Possible privilege escalation attempt
    - Modifies file permissions
  - C:\Windows\SysWOW64\takeown.exe (level 2)
    Command line: takeown.exe /f "C:\Windows\SysWOW64\cscript.exe"
    - Possible privilege escalation attempt
    - Modifies file permissions
    - Suspicious use of AdjustPrivilegeToken
  - C:\Windows\SysWOW64\icacls.exe (level 2)
    Command line: icacls.exe "C:\Windows\SysWOW64\cscript.exe" /grant SYSTEM:F
    - Possible privilege escalation attempt
    - Modifies file permissions
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Windows\SysWOW64\vitc.exe (the dropped file has the same size and hashes as the submitted sample, so it is a copy of the sample itself)
  Filesize: 72KB
  MD5: 09ca2311b84a66711318fb4d2b05b8f6
  SHA1: a82a0de4ca864ebf874a36becbac8df16d222d2f
  SHA256: 88910625e9bb34b1b14ceff82510148c15e0f65c31d194fdd9aa8d6a245b0e29
  SHA512: 8c796b44ae5938e2a4dee734fa607e0b49ff1ca61a29f7b76ea6294ae193e2464cffaefb845d69e00f87d0edd62f9944ed1e2d0280b22a80d5d506ff7a3141f1