Analysis
- max time kernel: 90s
- max time network: 154s
- platform: windows10-2004_x64
- resource: win10v2004-20220901-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20220901-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 07-11-2022 14:30
Static task: static1
Behavioral task: behavioral1
Sample: 01476887bff645b770977d6ffb6c732a047d457eecd3497ca569ef29fc905787.exe
Resource: win7-20220901-en
General
- Target: 01476887bff645b770977d6ffb6c732a047d457eecd3497ca569ef29fc905787.exe
- Size: 68KB
- MD5: 0c55e9cc0009f4988fe82c3d56364ae1
- SHA1: b30ab92cef12c6c6947df445dc8fdb046f785384
- SHA256: 01476887bff645b770977d6ffb6c732a047d457eecd3497ca569ef29fc905787
- SHA512: dada2ffcf35cb29b6181dfb164b4316960c6fc6b58017ba8523ac2852f347aca78b629505a4a974b565c346adc3aa5094e432f618f062c1a4cea2e382062f454
- SSDEEP: 768:1l3pC6nCe+5tqup0pfXzXg4iOw/D2rRY1hv1Tl/ed45V4peiwRpRQkEps4qKgVwG:P5Hg1DyY1fTdtyezXQX3wCxfKeoKm
Malware Config
Signatures
- Possible privilege escalation attempt (34 IoCs)
  Processes (pid process): 2336 icacls.exe, 4908 icacls.exe, 2448 takeown.exe, 2332 takeown.exe, 3336 takeown.exe, 5112 icacls.exe, 2600 icacls.exe, 1684 icacls.exe, 3124 icacls.exe, 4788 takeown.exe, 3280 takeown.exe, 1296 takeown.exe, 1312 icacls.exe, 1464 takeown.exe, 4716 icacls.exe, 1588 takeown.exe, 5064 takeown.exe, 3676 takeown.exe, 3600 takeown.exe, 3684 icacls.exe, 4804 takeown.exe, 3684 takeown.exe, 4356 takeown.exe, 4372 icacls.exe, 1320 icacls.exe, 2020 icacls.exe, 1032 icacls.exe, 5112 takeown.exe, 3608 takeown.exe, 1132 icacls.exe, 952 takeown.exe, 4028 icacls.exe, 2116 icacls.exe, 4656 icacls.exe
- Modifies file permissions (1 TTP, 34 IoCs)
  Processes (pid process): 4372 icacls.exe, 1320 icacls.exe, 1296 takeown.exe, 3608 takeown.exe, 5112 icacls.exe, 1684 icacls.exe, 1464 takeown.exe, 2332 takeown.exe, 2020 icacls.exe, 4788 takeown.exe, 5064 takeown.exe, 4356 takeown.exe, 3676 takeown.exe, 3684 takeown.exe, 1312 icacls.exe, 952 takeown.exe, 3600 takeown.exe, 4028 icacls.exe, 4716 icacls.exe, 3124 icacls.exe, 3684 icacls.exe, 4656 icacls.exe, 1132 icacls.exe, 2600 icacls.exe, 3336 takeown.exe, 4804 takeown.exe, 2336 icacls.exe, 2448 takeown.exe, 3280 takeown.exe, 2116 icacls.exe, 5112 takeown.exe, 1588 takeown.exe, 4908 icacls.exe, 1032 icacls.exe
- Drops file in System32 directory (6 IoCs)
  Processes (description, ioc, process): all six entries belong to 01476887bff645b770977d6ffb6c732a047d457eecd3497ca569ef29fc905787.exe
  File opened for modification: C:\Windows\SysWOW64\wscript.exe
  File opened for modification: C:\Windows\SysWOW64\cscript.exe
  File created: C:\Windows\SysWOW64\rozy.exe
  File opened for modification: C:\Windows\SysWOW64\rozy.exe
  File opened for modification: C:\Windows\SysWOW64\cmd.exe
  File opened for modification: C:\Windows\SysWOW64\ftp.exe
- Suspicious use of AdjustPrivilegeToken (16 IoCs)
  Processes (description, pid, process): every entry is Token: SeTakeOwnershipPrivilege, process takeown.exe, for pids 3608, 1588, 3684, 5064, 4356, 952, 3676, 3600, 1296, 2448, 1464, 2332, 3336, 4788, 3280, 5112
- Suspicious use of SetWindowsHookEx (1 IoC)
  Processes (pid process): 2804 01476887bff645b770977d6ffb6c732a047d457eecd3497ca569ef29fc905787.exe
- Suspicious use of WriteProcessMemory (64 IoCs)
  Processes (description, pid, process, target process): every entry has pid 2804 and process 01476887bff645b770977d6ffb6c732a047d457eecd3497ca569ef29fc905787.exe; description, target process and number of entries follow
  PID 2804 wrote to memory of 4804, takeown.exe, x3
  PID 2804 wrote to memory of 4656, icacls.exe, x3
  PID 2804 wrote to memory of 3608, takeown.exe, x3
  PID 2804 wrote to memory of 1132, icacls.exe, x3
  PID 2804 wrote to memory of 1588, takeown.exe, x3
  PID 2804 wrote to memory of 5112, icacls.exe, x3
  PID 2804 wrote to memory of 3684, takeown.exe, x3
  PID 2804 wrote to memory of 4908, icacls.exe, x3
  PID 2804 wrote to memory of 5064, takeown.exe, x3
  PID 2804 wrote to memory of 2336, icacls.exe, x3
  PID 2804 wrote to memory of 4356, takeown.exe, x3
  PID 2804 wrote to memory of 1312, icacls.exe, x3
  PID 2804 wrote to memory of 952, takeown.exe, x3
  PID 2804 wrote to memory of 4372, icacls.exe, x3
  PID 2804 wrote to memory of 3676, takeown.exe, x3
  PID 2804 wrote to memory of 1320, icacls.exe, x3
  PID 2804 wrote to memory of 3600, takeown.exe, x3
  PID 2804 wrote to memory of 2600, icacls.exe, x3
  PID 2804 wrote to memory of 1296, takeown.exe, x3
  PID 2804 wrote to memory of 4028, icacls.exe, x3
  PID 2804 wrote to memory of 2448, takeown.exe, x3
  PID 2804 wrote to memory of 1684, icacls.exe, x1
Processes
- C:\Users\Admin\AppData\Local\Temp\01476887bff645b770977d6ffb6c732a047d457eecd3497ca569ef29fc905787.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\01476887bff645b770977d6ffb6c732a047d457eecd3497ca569ef29fc905787.exe"
  - Drops file in System32 directory
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID: 2804
  Child processes (depth 2):
  - C:\Windows\SysWOW64\takeown.exe
    Command line: C:\Windows\system32\takeown.exe /f "C:\Windows\system32\rozy.exe"
    - Possible privilege escalation attempt
    - Modifies file permissions
    PID: 4804
  - C:\Windows\SysWOW64\icacls.exe
    Command line: C:\Windows\system32\icacls.exe "C:\Windows\system32\rozy.exe" /grant SYSTEM:F
    - Possible privilege escalation attempt
    - Modifies file permissions
    PID: 4656
  - C:\Windows\SysWOW64\takeown.exe
    Command line: takeown.exe /f "C:\Windows\System32\cmd.exe"
    - Possible privilege escalation attempt
    - Modifies file permissions
    - Suspicious use of AdjustPrivilegeToken
    PID: 3608
  - C:\Windows\SysWOW64\icacls.exe
    Command line: icacls.exe "C:\Windows\System32\cmd.exe" /grant SYSTEM:F
    - Possible privilege escalation attempt
    - Modifies file permissions
    PID: 1132
  - C:\Windows\SysWOW64\takeown.exe
    Command line: takeown.exe /f "C:\Windows\System32\cmd.exe"
    - Possible privilege escalation attempt
    - Modifies file permissions
    - Suspicious use of AdjustPrivilegeToken
    PID: 1588
  - C:\Windows\SysWOW64\icacls.exe
    Command line: icacls.exe "C:\Windows\System32\cmd.exe" /grant SYSTEM:F
    - Possible privilege escalation attempt
    - Modifies file permissions
    PID: 5112
  - C:\Windows\SysWOW64\takeown.exe
    Command line: takeown.exe /f "C:\Windows\System32\ftp.exe"
    - Possible privilege escalation attempt
    - Modifies file permissions
    - Suspicious use of AdjustPrivilegeToken
    PID: 3684
  - C:\Windows\SysWOW64\icacls.exe
    Command line: icacls.exe "C:\Windows\System32\ftp.exe" /grant SYSTEM:F
    - Possible privilege escalation attempt
    - Modifies file permissions
    PID: 4908
  - C:\Windows\SysWOW64\takeown.exe
    Command line: takeown.exe /f "C:\Windows\System32\ftp.exe"
    - Possible privilege escalation attempt
    - Modifies file permissions
    - Suspicious use of AdjustPrivilegeToken
    PID: 5064
  - C:\Windows\SysWOW64\icacls.exe
    Command line: icacls.exe "C:\Windows\System32\ftp.exe" /grant SYSTEM:F
    - Possible privilege escalation attempt
    - Modifies file permissions
    PID: 2336
  - C:\Windows\SysWOW64\takeown.exe
    Command line: takeown.exe /f "C:\Windows\System32\wscript.exe"
    - Possible privilege escalation attempt
    - Modifies file permissions
    - Suspicious use of AdjustPrivilegeToken
    PID: 4356
  - C:\Windows\SysWOW64\icacls.exe
    Command line: icacls.exe "C:\Windows\System32\wscript.exe" /grant SYSTEM:F
    - Possible privilege escalation attempt
    - Modifies file permissions
    PID: 1312
  - C:\Windows\SysWOW64\takeown.exe
    Command line: takeown.exe /f "C:\Windows\System32\wscript.exe"
    - Possible privilege escalation attempt
    - Modifies file permissions
    - Suspicious use of AdjustPrivilegeToken
    PID: 952
  - C:\Windows\SysWOW64\icacls.exe
    Command line: icacls.exe "C:\Windows\System32\wscript.exe" /grant SYSTEM:F
    - Possible privilege escalation attempt
    - Modifies file permissions
    PID: 4372
  - C:\Windows\SysWOW64\takeown.exe
    Command line: takeown.exe /f "C:\Windows\System32\cscript.exe"
    - Possible privilege escalation attempt
    - Modifies file permissions
    - Suspicious use of AdjustPrivilegeToken
    PID: 3676
  - C:\Windows\SysWOW64\icacls.exe
    Command line: icacls.exe "C:\Windows\System32\cscript.exe" /grant SYSTEM:F
    - Possible privilege escalation attempt
    - Modifies file permissions
    PID: 1320
  - C:\Windows\SysWOW64\takeown.exe
    Command line: takeown.exe /f "C:\Windows\System32\cscript.exe"
    - Possible privilege escalation attempt
    - Modifies file permissions
    - Suspicious use of AdjustPrivilegeToken
    PID: 3600
  - C:\Windows\SysWOW64\icacls.exe
    Command line: icacls.exe "C:\Windows\System32\cscript.exe" /grant SYSTEM:F
    - Possible privilege escalation attempt
    - Modifies file permissions
    PID: 2600
  - C:\Windows\SysWOW64\takeown.exe
    Command line: takeown.exe /f "C:\Windows\SysWOW64\cmd.exe"
    - Possible privilege escalation attempt
    - Modifies file permissions
    - Suspicious use of AdjustPrivilegeToken
    PID: 1296
  - C:\Windows\SysWOW64\icacls.exe
    Command line: icacls.exe "C:\Windows\SysWOW64\cmd.exe" /grant SYSTEM:F
    - Possible privilege escalation attempt
    - Modifies file permissions
    PID: 4028
  - C:\Windows\SysWOW64\takeown.exe
    Command line: takeown.exe /f "C:\Windows\SysWOW64\cmd.exe"
    - Possible privilege escalation attempt
    - Modifies file permissions
    - Suspicious use of AdjustPrivilegeToken
    PID: 2448
  - C:\Windows\SysWOW64\icacls.exe
    Command line: icacls.exe "C:\Windows\SysWOW64\cmd.exe" /grant SYSTEM:F
    - Possible privilege escalation attempt
    - Modifies file permissions
    PID: 1684
  - C:\Windows\SysWOW64\takeown.exe
    Command line: takeown.exe /f "C:\Windows\SysWOW64\ftp.exe"
    - Possible privilege escalation attempt
    - Modifies file permissions
    - Suspicious use of AdjustPrivilegeToken
    PID: 1464
  - C:\Windows\SysWOW64\icacls.exe
    Command line: icacls.exe "C:\Windows\SysWOW64\ftp.exe" /grant SYSTEM:F
    - Possible privilege escalation attempt
    - Modifies file permissions
    PID: 4716
  - C:\Windows\SysWOW64\takeown.exe
    Command line: takeown.exe /f "C:\Windows\SysWOW64\ftp.exe"
    - Possible privilege escalation attempt
    - Modifies file permissions
    - Suspicious use of AdjustPrivilegeToken
    PID: 2332
  - C:\Windows\SysWOW64\icacls.exe
    Command line: icacls.exe "C:\Windows\SysWOW64\ftp.exe" /grant SYSTEM:F
    - Possible privilege escalation attempt
    - Modifies file permissions
    PID: 2020
  - C:\Windows\SysWOW64\takeown.exe
    Command line: takeown.exe /f "C:\Windows\SysWOW64\wscript.exe"
    - Possible privilege escalation attempt
    - Modifies file permissions
    - Suspicious use of AdjustPrivilegeToken
    PID: 3336
  - C:\Windows\SysWOW64\icacls.exe
    Command line: icacls.exe "C:\Windows\SysWOW64\wscript.exe" /grant SYSTEM:F
    - Possible privilege escalation attempt
    - Modifies file permissions
    PID: 3124
  - C:\Windows\SysWOW64\takeown.exe
    Command line: takeown.exe /f "C:\Windows\SysWOW64\wscript.exe"
    - Possible privilege escalation attempt
    - Modifies file permissions
    - Suspicious use of AdjustPrivilegeToken
    PID: 4788
  - C:\Windows\SysWOW64\icacls.exe
    Command line: icacls.exe "C:\Windows\SysWOW64\wscript.exe" /grant SYSTEM:F
    - Possible privilege escalation attempt
    - Modifies file permissions
    PID: 2116
  - C:\Windows\SysWOW64\takeown.exe
    Command line: takeown.exe /f "C:\Windows\SysWOW64\cscript.exe"
    - Possible privilege escalation attempt
    - Modifies file permissions
    - Suspicious use of AdjustPrivilegeToken
    PID: 3280
  - C:\Windows\SysWOW64\icacls.exe
    Command line: icacls.exe "C:\Windows\SysWOW64\cscript.exe" /grant SYSTEM:F
    - Possible privilege escalation attempt
    - Modifies file permissions
    PID: 1032
  - C:\Windows\SysWOW64\takeown.exe
    Command line: takeown.exe /f "C:\Windows\SysWOW64\cscript.exe"
    - Possible privilege escalation attempt
    - Modifies file permissions
    - Suspicious use of AdjustPrivilegeToken
    PID: 5112
  - C:\Windows\SysWOW64\icacls.exe
    Command line: icacls.exe "C:\Windows\SysWOW64\cscript.exe" /grant SYSTEM:F
    - Possible privilege escalation attempt
    - Modifies file permissions
    PID: 3684
Network
MITRE ATT&CK Enterprise v6
Downloads
- C:\Windows\SysWOW64\rozy.exe (same size and hashes as the submitted sample, so this is a copy of the sample dropped into SysWOW64)
  Filesize: 68KB
  MD5: 0c55e9cc0009f4988fe82c3d56364ae1
  SHA1: b30ab92cef12c6c6947df445dc8fdb046f785384
  SHA256: 01476887bff645b770977d6ffb6c732a047d457eecd3497ca569ef29fc905787
  SHA512: dada2ffcf35cb29b6181dfb164b4316960c6fc6b58017ba8523ac2852f347aca78b629505a4a974b565c346adc3aa5094e432f618f062c1a4cea2e382062f454
- memory/952-147-0x0000000000000000-mapping.dmp
- memory/1032-166-0x0000000000000000-mapping.dmp
- memory/1132-138-0x0000000000000000-mapping.dmp
- memory/1296-153-0x0000000000000000-mapping.dmp
- memory/1312-146-0x0000000000000000-mapping.dmp
- memory/1320-150-0x0000000000000000-mapping.dmp
- memory/1464-157-0x0000000000000000-mapping.dmp
- memory/1588-139-0x0000000000000000-mapping.dmp
- memory/1684-156-0x0000000000000000-mapping.dmp
- memory/2020-160-0x0000000000000000-mapping.dmp
- memory/2116-164-0x0000000000000000-mapping.dmp
- memory/2332-159-0x0000000000000000-mapping.dmp
- memory/2336-144-0x0000000000000000-mapping.dmp
- memory/2448-155-0x0000000000000000-mapping.dmp
- memory/2600-152-0x0000000000000000-mapping.dmp
- memory/3124-162-0x0000000000000000-mapping.dmp
- memory/3280-165-0x0000000000000000-mapping.dmp
- memory/3336-161-0x0000000000000000-mapping.dmp
- memory/3600-151-0x0000000000000000-mapping.dmp
- memory/3608-137-0x0000000000000000-mapping.dmp
- memory/3676-149-0x0000000000000000-mapping.dmp
- memory/3684-141-0x0000000000000000-mapping.dmp
- memory/3684-168-0x0000000000000000-mapping.dmp
- memory/4028-154-0x0000000000000000-mapping.dmp
- memory/4356-145-0x0000000000000000-mapping.dmp
- memory/4372-148-0x0000000000000000-mapping.dmp
- memory/4656-136-0x0000000000000000-mapping.dmp
- memory/4716-158-0x0000000000000000-mapping.dmp
- memory/4788-163-0x0000000000000000-mapping.dmp
- memory/4804-134-0x0000000000000000-mapping.dmp
- memory/4908-142-0x0000000000000000-mapping.dmp
- memory/5064-143-0x0000000000000000-mapping.dmp
- memory/5112-167-0x0000000000000000-mapping.dmp
- memory/5112-140-0x0000000000000000-mapping.dmp