Analysis
-
max time kernel
125s
-
max time network
154s
-
platform
windows10-2004_x64
-
resource
win10v2004-20220901-en
-
resource tags
arch:x64 arch:x86 image:win10v2004-20220901-en locale:en-us os:windows10-2004-x64 system
-
submitted
08-11-2022 09:29
Static task
static1
Behavioral task
behavioral1
Sample
0aec93146603f0f0c0ef5bc074c34f17491bb477416a5c3acf09065ca8accea0.exe
Resource
win7-20220901-en
General
-
Target
0aec93146603f0f0c0ef5bc074c34f17491bb477416a5c3acf09065ca8accea0.exe
-
Size
68KB
-
MD5
0ea23ae31c365f335d8f7ae2bd9102e0
-
SHA1
55ec98cf8e28a6bb9466110d7011d8047fe4fc9e
-
SHA256
0aec93146603f0f0c0ef5bc074c34f17491bb477416a5c3acf09065ca8accea0
-
SHA512
edfee3213aa9a6edc2b52012833f256bc5a4b6e2ab9667e2b2843a49cd7da2c6ecce897e9c3442dc91282de340cae351ce72f7296bdd7455ce56949a910759ee
-
SSDEEP
768:LePg5Ixbki+FsefB9hehPMsmpeh+VZxuLifUBpbDci0Wh1GeZ6Z6jr0FyRWvp4u7:LACFONMN1ZxuLnt6cjrAXOdSeRW
Malware Config
Signatures
-
Possible privilege escalation attempt 34 IoCs
Processes:
pid   process
1496  takeown.exe
4560  takeown.exe
2980  takeown.exe
1760  icacls.exe
448   icacls.exe
4252  takeown.exe
1632  icacls.exe
1068  takeown.exe
2624  takeown.exe
1556  icacls.exe
3200  takeown.exe
4688  icacls.exe
796   icacls.exe
2020  takeown.exe
1884  icacls.exe
1232  icacls.exe
3392  takeown.exe
3872  icacls.exe
2460  icacls.exe
3592  takeown.exe
3872  icacls.exe
3044  icacls.exe
1288  takeown.exe
696   takeown.exe
4972  takeown.exe
4324  takeown.exe
4812  takeown.exe
2476  icacls.exe
5068  takeown.exe
428   icacls.exe
732   icacls.exe
3196  icacls.exe
4048  takeown.exe
2164  icacls.exe
-
Modifies file permissions 1 TTPs 34 IoCs
Processes:
pid   process
1232  icacls.exe
4048  takeown.exe
2980  takeown.exe
4812  takeown.exe
3392  takeown.exe
2164  icacls.exe
1556  icacls.exe
4688  icacls.exe
4252  takeown.exe
1068  takeown.exe
3872  icacls.exe
1884  icacls.exe
1632  icacls.exe
696   takeown.exe
732   icacls.exe
2624  takeown.exe
3044  icacls.exe
4324  takeown.exe
796   icacls.exe
4972  takeown.exe
5068  takeown.exe
3196  icacls.exe
1288  takeown.exe
1760  icacls.exe
3872  icacls.exe
2460  icacls.exe
3592  takeown.exe
448   icacls.exe
1496  takeown.exe
3200  takeown.exe
4560  takeown.exe
2476  icacls.exe
428   icacls.exe
2020  takeown.exe
-
Drops file in System32 directory 6 IoCs
Processes:
description                   ioc                              process
File opened for modification  C:\Windows\SysWOW64\ftp.exe      0aec93146603f0f0c0ef5bc074c34f17491bb477416a5c3acf09065ca8accea0.exe
File opened for modification  C:\Windows\SysWOW64\wscript.exe  0aec93146603f0f0c0ef5bc074c34f17491bb477416a5c3acf09065ca8accea0.exe
File opened for modification  C:\Windows\SysWOW64\cscript.exe  0aec93146603f0f0c0ef5bc074c34f17491bb477416a5c3acf09065ca8accea0.exe
File created                  C:\Windows\SysWOW64\rzfdq.exe    0aec93146603f0f0c0ef5bc074c34f17491bb477416a5c3acf09065ca8accea0.exe
File opened for modification  C:\Windows\SysWOW64\rzfdq.exe    0aec93146603f0f0c0ef5bc074c34f17491bb477416a5c3acf09065ca8accea0.exe
File opened for modification  C:\Windows\SysWOW64\cmd.exe      0aec93146603f0f0c0ef5bc074c34f17491bb477416a5c3acf09065ca8accea0.exe
-
Suspicious use of AdjustPrivilegeToken 15 IoCs
Processes:
description                      pid   process
Token: SeTakeOwnershipPrivilege  3200  takeown.exe
Token: SeTakeOwnershipPrivilege  4560  takeown.exe
Token: SeTakeOwnershipPrivilege  4252  takeown.exe
Token: SeTakeOwnershipPrivilege  5068  takeown.exe
Token: SeTakeOwnershipPrivilege  4324  takeown.exe
Token: SeTakeOwnershipPrivilege  4048  takeown.exe
Token: SeTakeOwnershipPrivilege  2980  takeown.exe
Token: SeTakeOwnershipPrivilege  1288  takeown.exe
Token: SeTakeOwnershipPrivilege  3392  takeown.exe
Token: SeTakeOwnershipPrivilege  696   takeown.exe
Token: SeTakeOwnershipPrivilege  2020  takeown.exe
Token: SeTakeOwnershipPrivilege  1068  takeown.exe
Token: SeTakeOwnershipPrivilege  2624  takeown.exe
Token: SeTakeOwnershipPrivilege  4972  takeown.exe
Token: SeTakeOwnershipPrivilege  3592  takeown.exe
-
Suspicious use of SetWindowsHookEx 1 IoCs
Processes:
pid   process
2348  0aec93146603f0f0c0ef5bc074c34f17491bb477416a5c3acf09065ca8accea0.exe
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
description                       pid   process                                                                 target process
PID 2348 wrote to memory of 1496  2348  0aec93146603f0f0c0ef5bc074c34f17491bb477416a5c3acf09065ca8accea0.exe  takeown.exe
PID 2348 wrote to memory of 1496  2348  0aec93146603f0f0c0ef5bc074c34f17491bb477416a5c3acf09065ca8accea0.exe  takeown.exe
PID 2348 wrote to memory of 1496  2348  0aec93146603f0f0c0ef5bc074c34f17491bb477416a5c3acf09065ca8accea0.exe  takeown.exe
PID 2348 wrote to memory of 3872  2348  0aec93146603f0f0c0ef5bc074c34f17491bb477416a5c3acf09065ca8accea0.exe  icacls.exe
PID 2348 wrote to memory of 3872  2348  0aec93146603f0f0c0ef5bc074c34f17491bb477416a5c3acf09065ca8accea0.exe  icacls.exe
PID 2348 wrote to memory of 3872  2348  0aec93146603f0f0c0ef5bc074c34f17491bb477416a5c3acf09065ca8accea0.exe  icacls.exe
PID 2348 wrote to memory of 3200  2348  0aec93146603f0f0c0ef5bc074c34f17491bb477416a5c3acf09065ca8accea0.exe  takeown.exe
PID 2348 wrote to memory of 3200  2348  0aec93146603f0f0c0ef5bc074c34f17491bb477416a5c3acf09065ca8accea0.exe  takeown.exe
PID 2348 wrote to memory of 3200  2348  0aec93146603f0f0c0ef5bc074c34f17491bb477416a5c3acf09065ca8accea0.exe  takeown.exe
PID 2348 wrote to memory of 4688  2348  0aec93146603f0f0c0ef5bc074c34f17491bb477416a5c3acf09065ca8accea0.exe  icacls.exe
PID 2348 wrote to memory of 4688  2348  0aec93146603f0f0c0ef5bc074c34f17491bb477416a5c3acf09065ca8accea0.exe  icacls.exe
PID 2348 wrote to memory of 4688  2348  0aec93146603f0f0c0ef5bc074c34f17491bb477416a5c3acf09065ca8accea0.exe  icacls.exe
PID 2348 wrote to memory of 4560  2348  0aec93146603f0f0c0ef5bc074c34f17491bb477416a5c3acf09065ca8accea0.exe  takeown.exe
PID 2348 wrote to memory of 4560  2348  0aec93146603f0f0c0ef5bc074c34f17491bb477416a5c3acf09065ca8accea0.exe  takeown.exe
PID 2348 wrote to memory of 4560  2348  0aec93146603f0f0c0ef5bc074c34f17491bb477416a5c3acf09065ca8accea0.exe  takeown.exe
PID 2348 wrote to memory of 1884  2348  0aec93146603f0f0c0ef5bc074c34f17491bb477416a5c3acf09065ca8accea0.exe  icacls.exe
PID 2348 wrote to memory of 1884  2348  0aec93146603f0f0c0ef5bc074c34f17491bb477416a5c3acf09065ca8accea0.exe  icacls.exe
PID 2348 wrote to memory of 1884  2348  0aec93146603f0f0c0ef5bc074c34f17491bb477416a5c3acf09065ca8accea0.exe  icacls.exe
PID 2348 wrote to memory of 4252  2348  0aec93146603f0f0c0ef5bc074c34f17491bb477416a5c3acf09065ca8accea0.exe  takeown.exe
PID 2348 wrote to memory of 4252  2348  0aec93146603f0f0c0ef5bc074c34f17491bb477416a5c3acf09065ca8accea0.exe  takeown.exe
PID 2348 wrote to memory of 4252  2348  0aec93146603f0f0c0ef5bc074c34f17491bb477416a5c3acf09065ca8accea0.exe  takeown.exe
PID 2348 wrote to memory of 3044  2348  0aec93146603f0f0c0ef5bc074c34f17491bb477416a5c3acf09065ca8accea0.exe  icacls.exe
PID 2348 wrote to memory of 3044  2348  0aec93146603f0f0c0ef5bc074c34f17491bb477416a5c3acf09065ca8accea0.exe  icacls.exe
PID 2348 wrote to memory of 3044  2348  0aec93146603f0f0c0ef5bc074c34f17491bb477416a5c3acf09065ca8accea0.exe  icacls.exe
PID 2348 wrote to memory of 5068  2348  0aec93146603f0f0c0ef5bc074c34f17491bb477416a5c3acf09065ca8accea0.exe  takeown.exe
PID 2348 wrote to memory of 5068  2348  0aec93146603f0f0c0ef5bc074c34f17491bb477416a5c3acf09065ca8accea0.exe  takeown.exe
PID 2348 wrote to memory of 5068  2348  0aec93146603f0f0c0ef5bc074c34f17491bb477416a5c3acf09065ca8accea0.exe  takeown.exe
PID 2348 wrote to memory of 1232  2348  0aec93146603f0f0c0ef5bc074c34f17491bb477416a5c3acf09065ca8accea0.exe  icacls.exe
PID 2348 wrote to memory of 1232  2348  0aec93146603f0f0c0ef5bc074c34f17491bb477416a5c3acf09065ca8accea0.exe  icacls.exe
PID 2348 wrote to memory of 1232  2348  0aec93146603f0f0c0ef5bc074c34f17491bb477416a5c3acf09065ca8accea0.exe  icacls.exe
PID 2348 wrote to memory of 4324  2348  0aec93146603f0f0c0ef5bc074c34f17491bb477416a5c3acf09065ca8accea0.exe  takeown.exe
PID 2348 wrote to memory of 4324  2348  0aec93146603f0f0c0ef5bc074c34f17491bb477416a5c3acf09065ca8accea0.exe  takeown.exe
PID 2348 wrote to memory of 4324  2348  0aec93146603f0f0c0ef5bc074c34f17491bb477416a5c3acf09065ca8accea0.exe  takeown.exe
PID 2348 wrote to memory of 3196  2348  0aec93146603f0f0c0ef5bc074c34f17491bb477416a5c3acf09065ca8accea0.exe  icacls.exe
PID 2348 wrote to memory of 3196  2348  0aec93146603f0f0c0ef5bc074c34f17491bb477416a5c3acf09065ca8accea0.exe  icacls.exe
PID 2348 wrote to memory of 3196  2348  0aec93146603f0f0c0ef5bc074c34f17491bb477416a5c3acf09065ca8accea0.exe  icacls.exe
PID 2348 wrote to memory of 4048  2348  0aec93146603f0f0c0ef5bc074c34f17491bb477416a5c3acf09065ca8accea0.exe  takeown.exe
PID 2348 wrote to memory of 4048  2348  0aec93146603f0f0c0ef5bc074c34f17491bb477416a5c3acf09065ca8accea0.exe  takeown.exe
PID 2348 wrote to memory of 4048  2348  0aec93146603f0f0c0ef5bc074c34f17491bb477416a5c3acf09065ca8accea0.exe  takeown.exe
PID 2348 wrote to memory of 428   2348  0aec93146603f0f0c0ef5bc074c34f17491bb477416a5c3acf09065ca8accea0.exe  icacls.exe
PID 2348 wrote to memory of 428   2348  0aec93146603f0f0c0ef5bc074c34f17491bb477416a5c3acf09065ca8accea0.exe  icacls.exe
PID 2348 wrote to memory of 428   2348  0aec93146603f0f0c0ef5bc074c34f17491bb477416a5c3acf09065ca8accea0.exe  icacls.exe
PID 2348 wrote to memory of 2980  2348  0aec93146603f0f0c0ef5bc074c34f17491bb477416a5c3acf09065ca8accea0.exe  takeown.exe
PID 2348 wrote to memory of 2980  2348  0aec93146603f0f0c0ef5bc074c34f17491bb477416a5c3acf09065ca8accea0.exe  takeown.exe
PID 2348 wrote to memory of 2980  2348  0aec93146603f0f0c0ef5bc074c34f17491bb477416a5c3acf09065ca8accea0.exe  takeown.exe
PID 2348 wrote to memory of 1632  2348  0aec93146603f0f0c0ef5bc074c34f17491bb477416a5c3acf09065ca8accea0.exe  icacls.exe
PID 2348 wrote to memory of 1632  2348  0aec93146603f0f0c0ef5bc074c34f17491bb477416a5c3acf09065ca8accea0.exe  icacls.exe
PID 2348 wrote to memory of 1632  2348  0aec93146603f0f0c0ef5bc074c34f17491bb477416a5c3acf09065ca8accea0.exe  icacls.exe
PID 2348 wrote to memory of 1288  2348  0aec93146603f0f0c0ef5bc074c34f17491bb477416a5c3acf09065ca8accea0.exe  takeown.exe
PID 2348 wrote to memory of 1288  2348  0aec93146603f0f0c0ef5bc074c34f17491bb477416a5c3acf09065ca8accea0.exe  takeown.exe
PID 2348 wrote to memory of 1288  2348  0aec93146603f0f0c0ef5bc074c34f17491bb477416a5c3acf09065ca8accea0.exe  takeown.exe
PID 2348 wrote to memory of 796   2348  0aec93146603f0f0c0ef5bc074c34f17491bb477416a5c3acf09065ca8accea0.exe  icacls.exe
PID 2348 wrote to memory of 796   2348  0aec93146603f0f0c0ef5bc074c34f17491bb477416a5c3acf09065ca8accea0.exe  icacls.exe
PID 2348 wrote to memory of 796   2348  0aec93146603f0f0c0ef5bc074c34f17491bb477416a5c3acf09065ca8accea0.exe  icacls.exe
PID 2348 wrote to memory of 4812  2348  0aec93146603f0f0c0ef5bc074c34f17491bb477416a5c3acf09065ca8accea0.exe  takeown.exe
PID 2348 wrote to memory of 4812  2348  0aec93146603f0f0c0ef5bc074c34f17491bb477416a5c3acf09065ca8accea0.exe  takeown.exe
PID 2348 wrote to memory of 4812  2348  0aec93146603f0f0c0ef5bc074c34f17491bb477416a5c3acf09065ca8accea0.exe  takeown.exe
PID 2348 wrote to memory of 1760  2348  0aec93146603f0f0c0ef5bc074c34f17491bb477416a5c3acf09065ca8accea0.exe  icacls.exe
PID 2348 wrote to memory of 1760  2348  0aec93146603f0f0c0ef5bc074c34f17491bb477416a5c3acf09065ca8accea0.exe  icacls.exe
PID 2348 wrote to memory of 1760  2348  0aec93146603f0f0c0ef5bc074c34f17491bb477416a5c3acf09065ca8accea0.exe  icacls.exe
PID 2348 wrote to memory of 3392  2348  0aec93146603f0f0c0ef5bc074c34f17491bb477416a5c3acf09065ca8accea0.exe  takeown.exe
PID 2348 wrote to memory of 3392  2348  0aec93146603f0f0c0ef5bc074c34f17491bb477416a5c3acf09065ca8accea0.exe  takeown.exe
PID 2348 wrote to memory of 3392  2348  0aec93146603f0f0c0ef5bc074c34f17491bb477416a5c3acf09065ca8accea0.exe  takeown.exe
PID 2348 wrote to memory of 3872  2348  0aec93146603f0f0c0ef5bc074c34f17491bb477416a5c3acf09065ca8accea0.exe  icacls.exe
Processes
-
[1] C:\Users\Admin\AppData\Local\Temp\0aec93146603f0f0c0ef5bc074c34f17491bb477416a5c3acf09065ca8accea0.exe
    "C:\Users\Admin\AppData\Local\Temp\0aec93146603f0f0c0ef5bc074c34f17491bb477416a5c3acf09065ca8accea0.exe"
- Drops file in System32 directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
[2] C:\Windows\SysWOW64\takeown.exe
    C:\Windows\system32\takeown.exe /f "C:\Windows\system32\rzfdq.exe"
- Possible privilege escalation attempt
- Modifies file permissions
-
[2] C:\Windows\SysWOW64\icacls.exe
    C:\Windows\system32\icacls.exe "C:\Windows\system32\rzfdq.exe" /grant SYSTEM:F
- Possible privilege escalation attempt
- Modifies file permissions
-
[2] C:\Windows\SysWOW64\takeown.exe
    takeown.exe /f "C:\Windows\System32\cmd.exe"
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
-
[2] C:\Windows\SysWOW64\icacls.exe
    icacls.exe "C:\Windows\System32\cmd.exe" /grant SYSTEM:F
- Possible privilege escalation attempt
- Modifies file permissions
-
[2] C:\Windows\SysWOW64\takeown.exe
    takeown.exe /f "C:\Windows\System32\cmd.exe"
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
-
[2] C:\Windows\SysWOW64\icacls.exe
    icacls.exe "C:\Windows\System32\cmd.exe" /grant SYSTEM:F
- Possible privilege escalation attempt
- Modifies file permissions
-
[2] C:\Windows\SysWOW64\takeown.exe
    takeown.exe /f "C:\Windows\System32\ftp.exe"
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
-
[2] C:\Windows\SysWOW64\icacls.exe
    icacls.exe "C:\Windows\System32\ftp.exe" /grant SYSTEM:F
- Possible privilege escalation attempt
- Modifies file permissions
-
[2] C:\Windows\SysWOW64\takeown.exe
    takeown.exe /f "C:\Windows\System32\ftp.exe"
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
-
[2] C:\Windows\SysWOW64\icacls.exe
    icacls.exe "C:\Windows\System32\ftp.exe" /grant SYSTEM:F
- Possible privilege escalation attempt
- Modifies file permissions
-
[2] C:\Windows\SysWOW64\takeown.exe
    takeown.exe /f "C:\Windows\System32\wscript.exe"
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
-
[2] C:\Windows\SysWOW64\icacls.exe
    icacls.exe "C:\Windows\System32\wscript.exe" /grant SYSTEM:F
- Possible privilege escalation attempt
- Modifies file permissions
-
[2] C:\Windows\SysWOW64\takeown.exe
    takeown.exe /f "C:\Windows\System32\wscript.exe"
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
-
[2] C:\Windows\SysWOW64\icacls.exe
    icacls.exe "C:\Windows\System32\wscript.exe" /grant SYSTEM:F
- Possible privilege escalation attempt
- Modifies file permissions
-
[2] C:\Windows\SysWOW64\takeown.exe
    takeown.exe /f "C:\Windows\System32\cscript.exe"
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
-
[2] C:\Windows\SysWOW64\icacls.exe
    icacls.exe "C:\Windows\System32\cscript.exe" /grant SYSTEM:F
- Possible privilege escalation attempt
- Modifies file permissions
-
[2] C:\Windows\SysWOW64\takeown.exe
    takeown.exe /f "C:\Windows\System32\cscript.exe"
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
-
[2] C:\Windows\SysWOW64\icacls.exe
    icacls.exe "C:\Windows\System32\cscript.exe" /grant SYSTEM:F
- Possible privilege escalation attempt
- Modifies file permissions
-
[2] C:\Windows\SysWOW64\takeown.exe
    takeown.exe /f "C:\Windows\SysWOW64\cmd.exe"
- Possible privilege escalation attempt
- Modifies file permissions
-
[2] C:\Windows\SysWOW64\icacls.exe
    icacls.exe "C:\Windows\SysWOW64\cmd.exe" /grant SYSTEM:F
- Possible privilege escalation attempt
- Modifies file permissions
-
[2] C:\Windows\SysWOW64\takeown.exe
    takeown.exe /f "C:\Windows\SysWOW64\cmd.exe"
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
-
[2] C:\Windows\SysWOW64\icacls.exe
    icacls.exe "C:\Windows\SysWOW64\cmd.exe" /grant SYSTEM:F
- Possible privilege escalation attempt
- Modifies file permissions
-
[2] C:\Windows\SysWOW64\takeown.exe
    takeown.exe /f "C:\Windows\SysWOW64\ftp.exe"
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
-
[2] C:\Windows\SysWOW64\icacls.exe
    icacls.exe "C:\Windows\SysWOW64\ftp.exe" /grant SYSTEM:F
- Possible privilege escalation attempt
- Modifies file permissions
-
[2] C:\Windows\SysWOW64\takeown.exe
    takeown.exe /f "C:\Windows\SysWOW64\ftp.exe"
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
-
[2] C:\Windows\SysWOW64\icacls.exe
    icacls.exe "C:\Windows\SysWOW64\ftp.exe" /grant SYSTEM:F
- Possible privilege escalation attempt
- Modifies file permissions
-
[2] C:\Windows\SysWOW64\takeown.exe
    takeown.exe /f "C:\Windows\SysWOW64\wscript.exe"
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
-
[2] C:\Windows\SysWOW64\icacls.exe
    icacls.exe "C:\Windows\SysWOW64\wscript.exe" /grant SYSTEM:F
- Possible privilege escalation attempt
- Modifies file permissions
-
[2] C:\Windows\SysWOW64\takeown.exe
    takeown.exe /f "C:\Windows\SysWOW64\wscript.exe"
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
-
[2] C:\Windows\SysWOW64\icacls.exe
    icacls.exe "C:\Windows\SysWOW64\wscript.exe" /grant SYSTEM:F
- Possible privilege escalation attempt
- Modifies file permissions
-
[2] C:\Windows\SysWOW64\takeown.exe
    takeown.exe /f "C:\Windows\SysWOW64\cscript.exe"
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
-
[2] C:\Windows\SysWOW64\icacls.exe
    icacls.exe "C:\Windows\SysWOW64\cscript.exe" /grant SYSTEM:F
- Possible privilege escalation attempt
- Modifies file permissions
-
[2] C:\Windows\SysWOW64\takeown.exe
    takeown.exe /f "C:\Windows\SysWOW64\cscript.exe"
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
-
[2] C:\Windows\SysWOW64\icacls.exe
    icacls.exe "C:\Windows\SysWOW64\cscript.exe" /grant SYSTEM:F
- Possible privilege escalation attempt
- Modifies file permissions
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
-
C:\Windows\SysWOW64\rzfdq.exe
Filesize
68KB
MD5
0ea23ae31c365f335d8f7ae2bd9102e0
SHA1
55ec98cf8e28a6bb9466110d7011d8047fe4fc9e
SHA256
0aec93146603f0f0c0ef5bc074c34f17491bb477416a5c3acf09065ca8accea0
SHA512
edfee3213aa9a6edc2b52012833f256bc5a4b6e2ab9667e2b2843a49cd7da2c6ecce897e9c3442dc91282de340cae351ce72f7296bdd7455ce56949a910759ee
-
memory/428-148-0x0000000000000000-mapping.dmp
-
memory/448-168-0x0000000000000000-mapping.dmp
-
memory/696-157-0x0000000000000000-mapping.dmp
-
memory/732-162-0x0000000000000000-mapping.dmp
-
memory/796-152-0x0000000000000000-mapping.dmp
-
memory/1068-161-0x0000000000000000-mapping.dmp
-
memory/1232-144-0x0000000000000000-mapping.dmp
-
memory/1288-151-0x0000000000000000-mapping.dmp
-
memory/1496-134-0x0000000000000000-mapping.dmp
-
memory/1556-166-0x0000000000000000-mapping.dmp
-
memory/1632-150-0x0000000000000000-mapping.dmp
-
memory/1760-154-0x0000000000000000-mapping.dmp
-
memory/1884-140-0x0000000000000000-mapping.dmp
-
memory/2020-159-0x0000000000000000-mapping.dmp
-
memory/2164-158-0x0000000000000000-mapping.dmp
-
memory/2460-160-0x0000000000000000-mapping.dmp
-
memory/2476-164-0x0000000000000000-mapping.dmp
-
memory/2624-163-0x0000000000000000-mapping.dmp
-
memory/2980-149-0x0000000000000000-mapping.dmp
-
memory/3044-142-0x0000000000000000-mapping.dmp
-
memory/3196-146-0x0000000000000000-mapping.dmp
-
memory/3200-137-0x0000000000000000-mapping.dmp
-
memory/3392-155-0x0000000000000000-mapping.dmp
-
memory/3592-167-0x0000000000000000-mapping.dmp
-
memory/3872-156-0x0000000000000000-mapping.dmp
-
memory/3872-136-0x0000000000000000-mapping.dmp
-
memory/4048-147-0x0000000000000000-mapping.dmp
-
memory/4252-141-0x0000000000000000-mapping.dmp
-
memory/4324-145-0x0000000000000000-mapping.dmp
-
memory/4560-139-0x0000000000000000-mapping.dmp
-
memory/4688-138-0x0000000000000000-mapping.dmp
-
memory/4812-153-0x0000000000000000-mapping.dmp
-
memory/4972-165-0x0000000000000000-mapping.dmp
-
memory/5068-143-0x0000000000000000-mapping.dmp