17fd2d057e98bd2819e94950898267351f9d2e8604b8a7df1bfd83c9eb6c417c

General

Target

17fd2d057e98bd2819e94950898267351f9d2e8604b8a7df1bfd83c9eb6c417c.exe
Size

68KB
MD5

06f8a72f74fe4c1bee47cafa743ec036
SHA1

05ea4c17827035d286328891e384f053d694509c
SHA256

17fd2d057e98bd2819e94950898267351f9d2e8604b8a7df1bfd83c9eb6c417c
SHA512

34e69be67a79830331c7a27397cb74ba2b57ce790a69cc1cc33ce174fed17cc06c6f3d9d20a53079a34120594a6f222364f96101a2cdcee4de5ba5c34f11854c
SSDEEP

768:p+tkPRYSt8smkiLlkL7mYcZthSRqe/UfWE44LUMraE85rXHIfbTVvBilhNKt5blx:phPcWQHe/UfO4aE85rXoIdVPuk6I4w4

Score

8^/10

discovery exploit

Malware Config

Signatures

Possible privilege escalation attempt 34 IoCs

exploit

Processes:

takeown.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exetakeown.exeicacls.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exetakeown.exeicacls.exetakeown.exetakeown.exetakeown.exetakeown.exeicacls.exeicacls.exetakeown.exe

pid	process
4956	takeown.exe
2404	icacls.exe
2012	icacls.exe
2040	icacls.exe
1820	icacls.exe
2676	icacls.exe
3104	icacls.exe
3092	icacls.exe
3608	takeown.exe
3616	icacls.exe
3920	takeown.exe
4672	takeown.exe
4892	takeown.exe
2068	takeown.exe
4524	takeown.exe
2068	takeown.exe
4692	takeown.exe
4436	takeown.exe
2720	takeown.exe
224	icacls.exe
3584	icacls.exe
1848	icacls.exe
4788	icacls.exe
2132	icacls.exe
572	icacls.exe
4808	takeown.exe
224	icacls.exe
2608	takeown.exe
3980	takeown.exe
4876	takeown.exe
732	takeown.exe
1772	icacls.exe
4332	icacls.exe
4176	takeown.exe

Modifies file permissions 1 TTPs 34 IoCs

discovery

File Permissions Modification

T1222

Processes:

icacls.exeicacls.exetakeown.exetakeown.exeicacls.exetakeown.exetakeown.exetakeown.exeicacls.exetakeown.exetakeown.exeicacls.exeicacls.exetakeown.exetakeown.exeicacls.exeicacls.exetakeown.exeicacls.exetakeown.exeicacls.exeicacls.exetakeown.exetakeown.exeicacls.exeicacls.exetakeown.exeicacls.exetakeown.exeicacls.exetakeown.exetakeown.exeicacls.exeicacls.exe

pid	process
3104	icacls.exe
224	icacls.exe
4692	takeown.exe
4892	takeown.exe
4788	icacls.exe
4956	takeown.exe
4524	takeown.exe
732	takeown.exe
1820	icacls.exe
3980	takeown.exe
4876	takeown.exe
1772	icacls.exe
2040	icacls.exe
4436	takeown.exe
3608	takeown.exe
2132	icacls.exe
2676	icacls.exe
2720	takeown.exe
3616	icacls.exe
4808	takeown.exe
3584	icacls.exe
2404	icacls.exe
2608	takeown.exe
2068	takeown.exe
224	icacls.exe
3092	icacls.exe
3920	takeown.exe
2012	icacls.exe
2068	takeown.exe
4332	icacls.exe
4176	takeown.exe
4672	takeown.exe
1848	icacls.exe
572	icacls.exe

Drops file in System32 directory 6 IoCs

Processes:

17fd2d057e98bd2819e94950898267351f9d2e8604b8a7df1bfd83c9eb6c417c.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\cmd.exe	17fd2d057e98bd2819e94950898267351f9d2e8604b8a7df1bfd83c9eb6c417c.exe
File opened for modification	C:\Windows\SysWOW64\ftp.exe	17fd2d057e98bd2819e94950898267351f9d2e8604b8a7df1bfd83c9eb6c417c.exe
File opened for modification	C:\Windows\SysWOW64\wscript.exe	17fd2d057e98bd2819e94950898267351f9d2e8604b8a7df1bfd83c9eb6c417c.exe
File opened for modification	C:\Windows\SysWOW64\cscript.exe	17fd2d057e98bd2819e94950898267351f9d2e8604b8a7df1bfd83c9eb6c417c.exe
File created	C:\Windows\SysWOW64\pjshs.exe	17fd2d057e98bd2819e94950898267351f9d2e8604b8a7df1bfd83c9eb6c417c.exe
File opened for modification	C:\Windows\SysWOW64\pjshs.exe	17fd2d057e98bd2819e94950898267351f9d2e8604b8a7df1bfd83c9eb6c417c.exe

Suspicious use of AdjustPrivilegeToken 16 IoCs

Processes:

takeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exe

description	pid	process
Token: SeTakeOwnershipPrivilege	3980	takeown.exe
Token: SeTakeOwnershipPrivilege	2068	takeown.exe
Token: SeTakeOwnershipPrivilege	4692	takeown.exe
Token: SeTakeOwnershipPrivilege	4524	takeown.exe
Token: SeTakeOwnershipPrivilege	4436	takeown.exe
Token: SeTakeOwnershipPrivilege	3608	takeown.exe
Token: SeTakeOwnershipPrivilege	2720	takeown.exe
Token: SeTakeOwnershipPrivilege	4176	takeown.exe
Token: SeTakeOwnershipPrivilege	732	takeown.exe
Token: SeTakeOwnershipPrivilege	3920	takeown.exe
Token: SeTakeOwnershipPrivilege	4672	takeown.exe
Token: SeTakeOwnershipPrivilege	4892	takeown.exe
Token: SeTakeOwnershipPrivilege	4876	takeown.exe
Token: SeTakeOwnershipPrivilege	4956	takeown.exe
Token: SeTakeOwnershipPrivilege	2608	takeown.exe
Token: SeTakeOwnershipPrivilege	2068	takeown.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

17fd2d057e98bd2819e94950898267351f9d2e8604b8a7df1bfd83c9eb6c417c.exe

pid process

4548 17fd2d057e98bd2819e94950898267351f9d2e8604b8a7df1bfd83c9eb6c417c.exe

pid	process
4548	17fd2d057e98bd2819e94950898267351f9d2e8604b8a7df1bfd83c9eb6c417c.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

17fd2d057e98bd2819e94950898267351f9d2e8604b8a7df1bfd83c9eb6c417c.exe

description	pid	process	target process
PID 4548 wrote to memory of 4808	4548	17fd2d057e98bd2819e94950898267351f9d2e8604b8a7df1bfd83c9eb6c417c.exe	takeown.exe
PID 4548 wrote to memory of 4808	4548	17fd2d057e98bd2819e94950898267351f9d2e8604b8a7df1bfd83c9eb6c417c.exe	takeown.exe
PID 4548 wrote to memory of 4808	4548	17fd2d057e98bd2819e94950898267351f9d2e8604b8a7df1bfd83c9eb6c417c.exe	takeown.exe
PID 4548 wrote to memory of 3584	4548	17fd2d057e98bd2819e94950898267351f9d2e8604b8a7df1bfd83c9eb6c417c.exe	icacls.exe
PID 4548 wrote to memory of 3584	4548	17fd2d057e98bd2819e94950898267351f9d2e8604b8a7df1bfd83c9eb6c417c.exe	icacls.exe
PID 4548 wrote to memory of 3584	4548	17fd2d057e98bd2819e94950898267351f9d2e8604b8a7df1bfd83c9eb6c417c.exe	icacls.exe
PID 4548 wrote to memory of 3980	4548	17fd2d057e98bd2819e94950898267351f9d2e8604b8a7df1bfd83c9eb6c417c.exe	takeown.exe
PID 4548 wrote to memory of 3980	4548	17fd2d057e98bd2819e94950898267351f9d2e8604b8a7df1bfd83c9eb6c417c.exe	takeown.exe
PID 4548 wrote to memory of 3980	4548	17fd2d057e98bd2819e94950898267351f9d2e8604b8a7df1bfd83c9eb6c417c.exe	takeown.exe
PID 4548 wrote to memory of 1848	4548	17fd2d057e98bd2819e94950898267351f9d2e8604b8a7df1bfd83c9eb6c417c.exe	icacls.exe
PID 4548 wrote to memory of 1848	4548	17fd2d057e98bd2819e94950898267351f9d2e8604b8a7df1bfd83c9eb6c417c.exe	icacls.exe
PID 4548 wrote to memory of 1848	4548	17fd2d057e98bd2819e94950898267351f9d2e8604b8a7df1bfd83c9eb6c417c.exe	icacls.exe
PID 4548 wrote to memory of 2068	4548	17fd2d057e98bd2819e94950898267351f9d2e8604b8a7df1bfd83c9eb6c417c.exe	takeown.exe
PID 4548 wrote to memory of 2068	4548	17fd2d057e98bd2819e94950898267351f9d2e8604b8a7df1bfd83c9eb6c417c.exe	takeown.exe
PID 4548 wrote to memory of 2068	4548	17fd2d057e98bd2819e94950898267351f9d2e8604b8a7df1bfd83c9eb6c417c.exe	takeown.exe
PID 4548 wrote to memory of 224	4548	17fd2d057e98bd2819e94950898267351f9d2e8604b8a7df1bfd83c9eb6c417c.exe	icacls.exe
PID 4548 wrote to memory of 224	4548	17fd2d057e98bd2819e94950898267351f9d2e8604b8a7df1bfd83c9eb6c417c.exe	icacls.exe
PID 4548 wrote to memory of 224	4548	17fd2d057e98bd2819e94950898267351f9d2e8604b8a7df1bfd83c9eb6c417c.exe	icacls.exe
PID 4548 wrote to memory of 4692	4548	17fd2d057e98bd2819e94950898267351f9d2e8604b8a7df1bfd83c9eb6c417c.exe	takeown.exe
PID 4548 wrote to memory of 4692	4548	17fd2d057e98bd2819e94950898267351f9d2e8604b8a7df1bfd83c9eb6c417c.exe	takeown.exe
PID 4548 wrote to memory of 4692	4548	17fd2d057e98bd2819e94950898267351f9d2e8604b8a7df1bfd83c9eb6c417c.exe	takeown.exe
PID 4548 wrote to memory of 2132	4548	17fd2d057e98bd2819e94950898267351f9d2e8604b8a7df1bfd83c9eb6c417c.exe	icacls.exe
PID 4548 wrote to memory of 2132	4548	17fd2d057e98bd2819e94950898267351f9d2e8604b8a7df1bfd83c9eb6c417c.exe	icacls.exe
PID 4548 wrote to memory of 2132	4548	17fd2d057e98bd2819e94950898267351f9d2e8604b8a7df1bfd83c9eb6c417c.exe	icacls.exe
PID 4548 wrote to memory of 4524	4548	17fd2d057e98bd2819e94950898267351f9d2e8604b8a7df1bfd83c9eb6c417c.exe	takeown.exe
PID 4548 wrote to memory of 4524	4548	17fd2d057e98bd2819e94950898267351f9d2e8604b8a7df1bfd83c9eb6c417c.exe	takeown.exe
PID 4548 wrote to memory of 4524	4548	17fd2d057e98bd2819e94950898267351f9d2e8604b8a7df1bfd83c9eb6c417c.exe	takeown.exe
PID 4548 wrote to memory of 4332	4548	17fd2d057e98bd2819e94950898267351f9d2e8604b8a7df1bfd83c9eb6c417c.exe	icacls.exe
PID 4548 wrote to memory of 4332	4548	17fd2d057e98bd2819e94950898267351f9d2e8604b8a7df1bfd83c9eb6c417c.exe	icacls.exe
PID 4548 wrote to memory of 4332	4548	17fd2d057e98bd2819e94950898267351f9d2e8604b8a7df1bfd83c9eb6c417c.exe	icacls.exe
PID 4548 wrote to memory of 4436	4548	17fd2d057e98bd2819e94950898267351f9d2e8604b8a7df1bfd83c9eb6c417c.exe	takeown.exe
PID 4548 wrote to memory of 4436	4548	17fd2d057e98bd2819e94950898267351f9d2e8604b8a7df1bfd83c9eb6c417c.exe	takeown.exe
PID 4548 wrote to memory of 4436	4548	17fd2d057e98bd2819e94950898267351f9d2e8604b8a7df1bfd83c9eb6c417c.exe	takeown.exe
PID 4548 wrote to memory of 3092	4548	17fd2d057e98bd2819e94950898267351f9d2e8604b8a7df1bfd83c9eb6c417c.exe	icacls.exe
PID 4548 wrote to memory of 3092	4548	17fd2d057e98bd2819e94950898267351f9d2e8604b8a7df1bfd83c9eb6c417c.exe	icacls.exe
PID 4548 wrote to memory of 3092	4548	17fd2d057e98bd2819e94950898267351f9d2e8604b8a7df1bfd83c9eb6c417c.exe	icacls.exe
PID 4548 wrote to memory of 3608	4548	17fd2d057e98bd2819e94950898267351f9d2e8604b8a7df1bfd83c9eb6c417c.exe	takeown.exe
PID 4548 wrote to memory of 3608	4548	17fd2d057e98bd2819e94950898267351f9d2e8604b8a7df1bfd83c9eb6c417c.exe	takeown.exe
PID 4548 wrote to memory of 3608	4548	17fd2d057e98bd2819e94950898267351f9d2e8604b8a7df1bfd83c9eb6c417c.exe	takeown.exe
PID 4548 wrote to memory of 2676	4548	17fd2d057e98bd2819e94950898267351f9d2e8604b8a7df1bfd83c9eb6c417c.exe	icacls.exe
PID 4548 wrote to memory of 2676	4548	17fd2d057e98bd2819e94950898267351f9d2e8604b8a7df1bfd83c9eb6c417c.exe	icacls.exe
PID 4548 wrote to memory of 2676	4548	17fd2d057e98bd2819e94950898267351f9d2e8604b8a7df1bfd83c9eb6c417c.exe	icacls.exe
PID 4548 wrote to memory of 2720	4548	17fd2d057e98bd2819e94950898267351f9d2e8604b8a7df1bfd83c9eb6c417c.exe	takeown.exe
PID 4548 wrote to memory of 2720	4548	17fd2d057e98bd2819e94950898267351f9d2e8604b8a7df1bfd83c9eb6c417c.exe	takeown.exe
PID 4548 wrote to memory of 2720	4548	17fd2d057e98bd2819e94950898267351f9d2e8604b8a7df1bfd83c9eb6c417c.exe	takeown.exe
PID 4548 wrote to memory of 572	4548	17fd2d057e98bd2819e94950898267351f9d2e8604b8a7df1bfd83c9eb6c417c.exe	icacls.exe
PID 4548 wrote to memory of 572	4548	17fd2d057e98bd2819e94950898267351f9d2e8604b8a7df1bfd83c9eb6c417c.exe	icacls.exe
PID 4548 wrote to memory of 572	4548	17fd2d057e98bd2819e94950898267351f9d2e8604b8a7df1bfd83c9eb6c417c.exe	icacls.exe
PID 4548 wrote to memory of 4176	4548	17fd2d057e98bd2819e94950898267351f9d2e8604b8a7df1bfd83c9eb6c417c.exe	takeown.exe
PID 4548 wrote to memory of 4176	4548	17fd2d057e98bd2819e94950898267351f9d2e8604b8a7df1bfd83c9eb6c417c.exe	takeown.exe
PID 4548 wrote to memory of 4176	4548	17fd2d057e98bd2819e94950898267351f9d2e8604b8a7df1bfd83c9eb6c417c.exe	takeown.exe
PID 4548 wrote to memory of 3616	4548	17fd2d057e98bd2819e94950898267351f9d2e8604b8a7df1bfd83c9eb6c417c.exe	icacls.exe
PID 4548 wrote to memory of 3616	4548	17fd2d057e98bd2819e94950898267351f9d2e8604b8a7df1bfd83c9eb6c417c.exe	icacls.exe
PID 4548 wrote to memory of 3616	4548	17fd2d057e98bd2819e94950898267351f9d2e8604b8a7df1bfd83c9eb6c417c.exe	icacls.exe
PID 4548 wrote to memory of 732	4548	17fd2d057e98bd2819e94950898267351f9d2e8604b8a7df1bfd83c9eb6c417c.exe	takeown.exe
PID 4548 wrote to memory of 732	4548	17fd2d057e98bd2819e94950898267351f9d2e8604b8a7df1bfd83c9eb6c417c.exe	takeown.exe
PID 4548 wrote to memory of 732	4548	17fd2d057e98bd2819e94950898267351f9d2e8604b8a7df1bfd83c9eb6c417c.exe	takeown.exe
PID 4548 wrote to memory of 3104	4548	17fd2d057e98bd2819e94950898267351f9d2e8604b8a7df1bfd83c9eb6c417c.exe	icacls.exe
PID 4548 wrote to memory of 3104	4548	17fd2d057e98bd2819e94950898267351f9d2e8604b8a7df1bfd83c9eb6c417c.exe	icacls.exe
PID 4548 wrote to memory of 3104	4548	17fd2d057e98bd2819e94950898267351f9d2e8604b8a7df1bfd83c9eb6c417c.exe	icacls.exe
PID 4548 wrote to memory of 3920	4548	17fd2d057e98bd2819e94950898267351f9d2e8604b8a7df1bfd83c9eb6c417c.exe	takeown.exe
PID 4548 wrote to memory of 3920	4548	17fd2d057e98bd2819e94950898267351f9d2e8604b8a7df1bfd83c9eb6c417c.exe	takeown.exe
PID 4548 wrote to memory of 3920	4548	17fd2d057e98bd2819e94950898267351f9d2e8604b8a7df1bfd83c9eb6c417c.exe	takeown.exe
PID 4548 wrote to memory of 2404	4548	17fd2d057e98bd2819e94950898267351f9d2e8604b8a7df1bfd83c9eb6c417c.exe	icacls.exe

C:\Users\Admin\AppData\Local\Temp\17fd2d057e98bd2819e94950898267351f9d2e8604b8a7df1bfd83c9eb6c417c.exe
"C:\Users\Admin\AppData\Local\Temp\17fd2d057e98bd2819e94950898267351f9d2e8604b8a7df1bfd83c9eb6c417c.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4548

C:\Windows\SysWOW64\takeown.exe
C:\Windows\system32\takeown.exe /f "C:\Windows\system32\pjshs.exe"
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:4808

C:\Windows\SysWOW64\icacls.exe
C:\Windows\system32\icacls.exe "C:\Windows\system32\pjshs.exe" /grant SYSTEM:F
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:3584

C:\Windows\SysWOW64\takeown.exe
takeown.exe /f "C:\Windows\System32\cmd.exe"
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:3980

C:\Windows\SysWOW64\icacls.exe
icacls.exe "" /grant Users:F
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:1848

C:\Windows\SysWOW64\takeown.exe
takeown.exe /f "C:\Windows\System32\cmd.exe"
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:2068

C:\Windows\SysWOW64\icacls.exe
icacls.exe "" /grant Users:F
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:224

C:\Windows\SysWOW64\takeown.exe
takeown.exe /f "C:\Windows\System32\ftp.exe"
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:4692

C:\Windows\SysWOW64\icacls.exe
icacls.exe "" /grant Users:F
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:2132

C:\Windows\SysWOW64\takeown.exe
takeown.exe /f "C:\Windows\System32\ftp.exe"
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:4524

C:\Windows\SysWOW64\icacls.exe
icacls.exe "" /grant Users:F
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:4332

C:\Windows\SysWOW64\takeown.exe
takeown.exe /f "C:\Windows\System32\wscript.exe"
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:4436

C:\Windows\SysWOW64\icacls.exe
icacls.exe "" /grant Users:F
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:3092

C:\Windows\SysWOW64\takeown.exe
takeown.exe /f "C:\Windows\System32\wscript.exe"
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:3608

C:\Windows\SysWOW64\icacls.exe
icacls.exe "" /grant Users:F
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:2676

C:\Windows\SysWOW64\takeown.exe
takeown.exe /f "C:\Windows\System32\cscript.exe"
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:2720

C:\Windows\SysWOW64\icacls.exe
icacls.exe "" /grant Users:F
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:572

C:\Windows\SysWOW64\takeown.exe
takeown.exe /f "C:\Windows\System32\cscript.exe"
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:4176

C:\Windows\SysWOW64\icacls.exe
icacls.exe "" /grant Users:F
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:3616

C:\Windows\SysWOW64\takeown.exe
takeown.exe /f "C:\Windows\SysWOW64\cmd.exe"
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:732

C:\Windows\SysWOW64\icacls.exe
icacls.exe "" /grant Users:F
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:3104

C:\Windows\SysWOW64\takeown.exe
takeown.exe /f "C:\Windows\SysWOW64\cmd.exe"
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:3920

C:\Windows\SysWOW64\icacls.exe
icacls.exe "" /grant Users:F
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:2404

C:\Windows\SysWOW64\takeown.exe
takeown.exe /f "C:\Windows\SysWOW64\ftp.exe"
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:4672

C:\Windows\SysWOW64\icacls.exe
icacls.exe "" /grant Users:F
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:1772

C:\Windows\SysWOW64\takeown.exe
takeown.exe /f "C:\Windows\SysWOW64\ftp.exe"
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:4892

C:\Windows\SysWOW64\icacls.exe
icacls.exe "" /grant Users:F
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:4788

C:\Windows\SysWOW64\takeown.exe
takeown.exe /f "C:\Windows\SysWOW64\wscript.exe"
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:4876

C:\Windows\SysWOW64\icacls.exe
icacls.exe "" /grant Users:F
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:2012

C:\Windows\SysWOW64\takeown.exe
takeown.exe /f "C:\Windows\SysWOW64\wscript.exe"
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:4956

C:\Windows\SysWOW64\icacls.exe
icacls.exe "" /grant Users:F
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:2040

C:\Windows\SysWOW64\takeown.exe
takeown.exe /f "C:\Windows\SysWOW64\cscript.exe"
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:2608

C:\Windows\SysWOW64\icacls.exe
icacls.exe "" /grant Users:F
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:1820

C:\Windows\SysWOW64\takeown.exe
takeown.exe /f "C:\Windows\SysWOW64\cscript.exe"
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:2068

C:\Windows\SysWOW64\icacls.exe
icacls.exe "" /grant Users:F
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:224

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

File Permissions Modification

1

T1222

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\pjshs.exe
Filesize
68KB

MD5
06f8a72f74fe4c1bee47cafa743ec036

SHA1
05ea4c17827035d286328891e384f053d694509c

SHA256
17fd2d057e98bd2819e94950898267351f9d2e8604b8a7df1bfd83c9eb6c417c

SHA512
34e69be67a79830331c7a27397cb74ba2b57ce790a69cc1cc33ce174fed17cc06c6f3d9d20a53079a34120594a6f222364f96101a2cdcee4de5ba5c34f11854c

Download Submit
memory/224-140-0x0000000000000000-mapping.dmp

Download
memory/224-168-0x0000000000000000-mapping.dmp

Download
memory/572-150-0x0000000000000000-mapping.dmp

Download
memory/732-153-0x0000000000000000-mapping.dmp

Download
memory/1772-158-0x0000000000000000-mapping.dmp

Download
memory/1820-166-0x0000000000000000-mapping.dmp

Download
memory/1848-138-0x0000000000000000-mapping.dmp

Download
memory/2012-162-0x0000000000000000-mapping.dmp

Download
memory/2040-164-0x0000000000000000-mapping.dmp

Download
memory/2068-167-0x0000000000000000-mapping.dmp

Download
memory/2068-139-0x0000000000000000-mapping.dmp

Download
memory/2132-142-0x0000000000000000-mapping.dmp

Download
memory/2404-156-0x0000000000000000-mapping.dmp

Download
memory/2608-165-0x0000000000000000-mapping.dmp

Download
memory/2676-148-0x0000000000000000-mapping.dmp

Download
memory/2720-149-0x0000000000000000-mapping.dmp

Download
memory/3092-146-0x0000000000000000-mapping.dmp

Download
memory/3104-154-0x0000000000000000-mapping.dmp

Download
memory/3584-136-0x0000000000000000-mapping.dmp

Download
memory/3608-147-0x0000000000000000-mapping.dmp

Download
memory/3616-152-0x0000000000000000-mapping.dmp

Download
memory/3920-155-0x0000000000000000-mapping.dmp

Download
memory/3980-137-0x0000000000000000-mapping.dmp

Download
memory/4176-151-0x0000000000000000-mapping.dmp

Download
memory/4332-144-0x0000000000000000-mapping.dmp

Download
memory/4436-145-0x0000000000000000-mapping.dmp

Download
memory/4524-143-0x0000000000000000-mapping.dmp

Download
memory/4672-157-0x0000000000000000-mapping.dmp

Download
memory/4692-141-0x0000000000000000-mapping.dmp

Download
memory/4788-160-0x0000000000000000-mapping.dmp

Download
memory/4808-134-0x0000000000000000-mapping.dmp

Download
memory/4876-161-0x0000000000000000-mapping.dmp

Download
memory/4892-159-0x0000000000000000-mapping.dmp

Download
memory/4956-163-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads