Analysis
- max time kernel: 73s
- max time network: 17s
- platform: windows10-2004_x64
- resource: win10v2004-20220812-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 06-11-2022 23:53
- Static task: static1
- Behavioral task: behavioral1
- Sample: 3e253550b38d64d2a680d1b6824ef842bba4dae170f97802d2c363db95e608ec.exe
- Resource: win7-20220812-en
General
- Target: 3e253550b38d64d2a680d1b6824ef842bba4dae170f97802d2c363db95e608ec.exe
- Size: 68KB
- MD5: 0cab7ae738d38cd1696b4d11ccb1c6f1
- SHA1: 1db970ba877f7cb21667ef1e5f4e4d19a04775f8
- SHA256: 3e253550b38d64d2a680d1b6824ef842bba4dae170f97802d2c363db95e608ec
- SHA512: ab9bb42929a8f8d6d04d9d946caa53bf9b06ad2ddd7957d73ebb0153820614e6ed4da76265882cc8ebabef88d815d4514d7881226ecc44f25f7416be2910df54
- SSDEEP: 768:sYDBx5I5HbkNc7Rhb+AupEKshmpmAg28Oc2JAp+T5b889kwAEVKoPCpktqxJMVZ9:sOBwFk/ASV/mn/O9kuE/npirLVZy+4a
Malware Config
Signatures
- Possible privilege escalation attempt (34 IoCs)
  Processes (pid | process):
  1408 | takeown.exe
  4224 | icacls.exe
  4452 | icacls.exe
  3848 | icacls.exe
  644 | icacls.exe
  1576 | icacls.exe
  1984 | takeown.exe
  4564 | icacls.exe
  3588 | takeown.exe
  2376 | icacls.exe
  4644 | takeown.exe
  2992 | icacls.exe
  2264 | takeown.exe
  1836 | icacls.exe
  908 | takeown.exe
  3372 | takeown.exe
  1612 | icacls.exe
  3880 | icacls.exe
  2772 | takeown.exe
  3112 | icacls.exe
  1756 | icacls.exe
  3240 | takeown.exe
  4844 | icacls.exe
  316 | takeown.exe
  1872 | takeown.exe
  3696 | takeown.exe
  448 | takeown.exe
  4836 | icacls.exe
  5032 | takeown.exe
  4572 | icacls.exe
  1036 | takeown.exe
  4708 | takeown.exe
  2492 | takeown.exe
  3604 | icacls.exe
- Modifies file permissions (1 TTPs, 34 IoCs)
  Processes (pid | process):
  3588 | takeown.exe
  3112 | icacls.exe
  1576 | icacls.exe
  2992 | icacls.exe
  4572 | icacls.exe
  3848 | icacls.exe
  4708 | takeown.exe
  644 | icacls.exe
  4644 | takeown.exe
  1836 | icacls.exe
  2772 | takeown.exe
  2492 | takeown.exe
  3372 | takeown.exe
  4564 | icacls.exe
  3240 | takeown.exe
  5032 | takeown.exe
  908 | takeown.exe
  2376 | icacls.exe
  4836 | icacls.exe
  1612 | icacls.exe
  316 | takeown.exe
  3696 | takeown.exe
  4452 | icacls.exe
  4844 | icacls.exe
  1872 | takeown.exe
  1408 | takeown.exe
  3604 | icacls.exe
  4224 | icacls.exe
  448 | takeown.exe
  1036 | takeown.exe
  1984 | takeown.exe
  3880 | icacls.exe
  2264 | takeown.exe
  1756 | icacls.exe
- Drops file in System32 directory (6 IoCs)
  Processes (description | ioc | process):
  File opened for modification | C:\Windows\SysWOW64\cscript.exe | 3e253550b38d64d2a680d1b6824ef842bba4dae170f97802d2c363db95e608ec.exe
  File created | C:\Windows\SysWOW64\abim.exe | 3e253550b38d64d2a680d1b6824ef842bba4dae170f97802d2c363db95e608ec.exe
  File opened for modification | C:\Windows\SysWOW64\abim.exe | 3e253550b38d64d2a680d1b6824ef842bba4dae170f97802d2c363db95e608ec.exe
  File opened for modification | C:\Windows\SysWOW64\cmd.exe | 3e253550b38d64d2a680d1b6824ef842bba4dae170f97802d2c363db95e608ec.exe
  File opened for modification | C:\Windows\SysWOW64\ftp.exe | 3e253550b38d64d2a680d1b6824ef842bba4dae170f97802d2c363db95e608ec.exe
  File opened for modification | C:\Windows\SysWOW64\wscript.exe | 3e253550b38d64d2a680d1b6824ef842bba4dae170f97802d2c363db95e608ec.exe
- Suspicious use of AdjustPrivilegeToken (16 IoCs)
  Processes (description | pid | process):
  Token: SeTakeOwnershipPrivilege | 2772 | takeown.exe
  Token: SeTakeOwnershipPrivilege | 908 | takeown.exe
  Token: SeTakeOwnershipPrivilege | 448 | takeown.exe
  Token: SeTakeOwnershipPrivilege | 3588 | takeown.exe
  Token: SeTakeOwnershipPrivilege | 4644 | takeown.exe
  Token: SeTakeOwnershipPrivilege | 1036 | takeown.exe
  Token: SeTakeOwnershipPrivilege | 4708 | takeown.exe
  Token: SeTakeOwnershipPrivilege | 3372 | takeown.exe
  Token: SeTakeOwnershipPrivilege | 2492 | takeown.exe
  Token: SeTakeOwnershipPrivilege | 1984 | takeown.exe
  Token: SeTakeOwnershipPrivilege | 316 | takeown.exe
  Token: SeTakeOwnershipPrivilege | 1872 | takeown.exe
  Token: SeTakeOwnershipPrivilege | 2264 | takeown.exe
  Token: SeTakeOwnershipPrivilege | 1408 | takeown.exe
  Token: SeTakeOwnershipPrivilege | 3696 | takeown.exe
  Token: SeTakeOwnershipPrivilege | 3240 | takeown.exe
- Suspicious use of SetWindowsHookEx (1 IoCs)
  Processes (pid | process):
  2732 | 3e253550b38d64d2a680d1b6824ef842bba4dae170f97802d2c363db95e608ec.exe
- Suspicious use of WriteProcessMemory (64 IoCs)
  Processes (description | pid | process | target process):
  PID 2732 wrote to memory of 5032 | 2732 | 3e253550b38d64d2a680d1b6824ef842bba4dae170f97802d2c363db95e608ec.exe | takeown.exe
  PID 2732 wrote to memory of 5032 | 2732 | 3e253550b38d64d2a680d1b6824ef842bba4dae170f97802d2c363db95e608ec.exe | takeown.exe
  PID 2732 wrote to memory of 5032 | 2732 | 3e253550b38d64d2a680d1b6824ef842bba4dae170f97802d2c363db95e608ec.exe | takeown.exe
  PID 2732 wrote to memory of 4224 | 2732 | 3e253550b38d64d2a680d1b6824ef842bba4dae170f97802d2c363db95e608ec.exe | icacls.exe
  PID 2732 wrote to memory of 4224 | 2732 | 3e253550b38d64d2a680d1b6824ef842bba4dae170f97802d2c363db95e608ec.exe | icacls.exe
  PID 2732 wrote to memory of 4224 | 2732 | 3e253550b38d64d2a680d1b6824ef842bba4dae170f97802d2c363db95e608ec.exe | icacls.exe
  PID 2732 wrote to memory of 2772 | 2732 | 3e253550b38d64d2a680d1b6824ef842bba4dae170f97802d2c363db95e608ec.exe | takeown.exe
  PID 2732 wrote to memory of 2772 | 2732 | 3e253550b38d64d2a680d1b6824ef842bba4dae170f97802d2c363db95e608ec.exe | takeown.exe
  PID 2732 wrote to memory of 2772 | 2732 | 3e253550b38d64d2a680d1b6824ef842bba4dae170f97802d2c363db95e608ec.exe | takeown.exe
  PID 2732 wrote to memory of 4572 | 2732 | 3e253550b38d64d2a680d1b6824ef842bba4dae170f97802d2c363db95e608ec.exe | icacls.exe
  PID 2732 wrote to memory of 4572 | 2732 | 3e253550b38d64d2a680d1b6824ef842bba4dae170f97802d2c363db95e608ec.exe | icacls.exe
  PID 2732 wrote to memory of 4572 | 2732 | 3e253550b38d64d2a680d1b6824ef842bba4dae170f97802d2c363db95e608ec.exe | icacls.exe
  PID 2732 wrote to memory of 908 | 2732 | 3e253550b38d64d2a680d1b6824ef842bba4dae170f97802d2c363db95e608ec.exe | takeown.exe
  PID 2732 wrote to memory of 908 | 2732 | 3e253550b38d64d2a680d1b6824ef842bba4dae170f97802d2c363db95e608ec.exe | takeown.exe
  PID 2732 wrote to memory of 908 | 2732 | 3e253550b38d64d2a680d1b6824ef842bba4dae170f97802d2c363db95e608ec.exe | takeown.exe
  PID 2732 wrote to memory of 4452 | 2732 | 3e253550b38d64d2a680d1b6824ef842bba4dae170f97802d2c363db95e608ec.exe | icacls.exe
  PID 2732 wrote to memory of 4452 | 2732 | 3e253550b38d64d2a680d1b6824ef842bba4dae170f97802d2c363db95e608ec.exe | icacls.exe
  PID 2732 wrote to memory of 4452 | 2732 | 3e253550b38d64d2a680d1b6824ef842bba4dae170f97802d2c363db95e608ec.exe | icacls.exe
  PID 2732 wrote to memory of 448 | 2732 | 3e253550b38d64d2a680d1b6824ef842bba4dae170f97802d2c363db95e608ec.exe | takeown.exe
  PID 2732 wrote to memory of 448 | 2732 | 3e253550b38d64d2a680d1b6824ef842bba4dae170f97802d2c363db95e608ec.exe | takeown.exe
  PID 2732 wrote to memory of 448 | 2732 | 3e253550b38d64d2a680d1b6824ef842bba4dae170f97802d2c363db95e608ec.exe | takeown.exe
  PID 2732 wrote to memory of 3848 | 2732 | 3e253550b38d64d2a680d1b6824ef842bba4dae170f97802d2c363db95e608ec.exe | icacls.exe
  PID 2732 wrote to memory of 3848 | 2732 | 3e253550b38d64d2a680d1b6824ef842bba4dae170f97802d2c363db95e608ec.exe | icacls.exe
  PID 2732 wrote to memory of 3848 | 2732 | 3e253550b38d64d2a680d1b6824ef842bba4dae170f97802d2c363db95e608ec.exe | icacls.exe
  PID 2732 wrote to memory of 3588 | 2732 | 3e253550b38d64d2a680d1b6824ef842bba4dae170f97802d2c363db95e608ec.exe | takeown.exe
  PID 2732 wrote to memory of 3588 | 2732 | 3e253550b38d64d2a680d1b6824ef842bba4dae170f97802d2c363db95e608ec.exe | takeown.exe
  PID 2732 wrote to memory of 3588 | 2732 | 3e253550b38d64d2a680d1b6824ef842bba4dae170f97802d2c363db95e608ec.exe | takeown.exe
  PID 2732 wrote to memory of 2376 | 2732 | 3e253550b38d64d2a680d1b6824ef842bba4dae170f97802d2c363db95e608ec.exe | icacls.exe
  PID 2732 wrote to memory of 2376 | 2732 | 3e253550b38d64d2a680d1b6824ef842bba4dae170f97802d2c363db95e608ec.exe | icacls.exe
  PID 2732 wrote to memory of 2376 | 2732 | 3e253550b38d64d2a680d1b6824ef842bba4dae170f97802d2c363db95e608ec.exe | icacls.exe
  PID 2732 wrote to memory of 4644 | 2732 | 3e253550b38d64d2a680d1b6824ef842bba4dae170f97802d2c363db95e608ec.exe | takeown.exe
  PID 2732 wrote to memory of 4644 | 2732 | 3e253550b38d64d2a680d1b6824ef842bba4dae170f97802d2c363db95e608ec.exe | takeown.exe
  PID 2732 wrote to memory of 4644 | 2732 | 3e253550b38d64d2a680d1b6824ef842bba4dae170f97802d2c363db95e608ec.exe | takeown.exe
  PID 2732 wrote to memory of 4836 | 2732 | 3e253550b38d64d2a680d1b6824ef842bba4dae170f97802d2c363db95e608ec.exe | icacls.exe
  PID 2732 wrote to memory of 4836 | 2732 | 3e253550b38d64d2a680d1b6824ef842bba4dae170f97802d2c363db95e608ec.exe | icacls.exe
  PID 2732 wrote to memory of 4836 | 2732 | 3e253550b38d64d2a680d1b6824ef842bba4dae170f97802d2c363db95e608ec.exe | icacls.exe
  PID 2732 wrote to memory of 1036 | 2732 | 3e253550b38d64d2a680d1b6824ef842bba4dae170f97802d2c363db95e608ec.exe | takeown.exe
  PID 2732 wrote to memory of 1036 | 2732 | 3e253550b38d64d2a680d1b6824ef842bba4dae170f97802d2c363db95e608ec.exe | takeown.exe
  PID 2732 wrote to memory of 1036 | 2732 | 3e253550b38d64d2a680d1b6824ef842bba4dae170f97802d2c363db95e608ec.exe | takeown.exe
  PID 2732 wrote to memory of 4844 | 2732 | 3e253550b38d64d2a680d1b6824ef842bba4dae170f97802d2c363db95e608ec.exe | icacls.exe
  PID 2732 wrote to memory of 4844 | 2732 | 3e253550b38d64d2a680d1b6824ef842bba4dae170f97802d2c363db95e608ec.exe | icacls.exe
  PID 2732 wrote to memory of 4844 | 2732 | 3e253550b38d64d2a680d1b6824ef842bba4dae170f97802d2c363db95e608ec.exe | icacls.exe
  PID 2732 wrote to memory of 4708 | 2732 | 3e253550b38d64d2a680d1b6824ef842bba4dae170f97802d2c363db95e608ec.exe | takeown.exe
  PID 2732 wrote to memory of 4708 | 2732 | 3e253550b38d64d2a680d1b6824ef842bba4dae170f97802d2c363db95e608ec.exe | takeown.exe
  PID 2732 wrote to memory of 4708 | 2732 | 3e253550b38d64d2a680d1b6824ef842bba4dae170f97802d2c363db95e608ec.exe | takeown.exe
  PID 2732 wrote to memory of 644 | 2732 | 3e253550b38d64d2a680d1b6824ef842bba4dae170f97802d2c363db95e608ec.exe | icacls.exe
  PID 2732 wrote to memory of 644 | 2732 | 3e253550b38d64d2a680d1b6824ef842bba4dae170f97802d2c363db95e608ec.exe | icacls.exe
  PID 2732 wrote to memory of 644 | 2732 | 3e253550b38d64d2a680d1b6824ef842bba4dae170f97802d2c363db95e608ec.exe | icacls.exe
  PID 2732 wrote to memory of 3372 | 2732 | 3e253550b38d64d2a680d1b6824ef842bba4dae170f97802d2c363db95e608ec.exe | takeown.exe
  PID 2732 wrote to memory of 3372 | 2732 | 3e253550b38d64d2a680d1b6824ef842bba4dae170f97802d2c363db95e608ec.exe | takeown.exe
  PID 2732 wrote to memory of 3372 | 2732 | 3e253550b38d64d2a680d1b6824ef842bba4dae170f97802d2c363db95e608ec.exe | takeown.exe
  PID 2732 wrote to memory of 3112 | 2732 | 3e253550b38d64d2a680d1b6824ef842bba4dae170f97802d2c363db95e608ec.exe | icacls.exe
  PID 2732 wrote to memory of 3112 | 2732 | 3e253550b38d64d2a680d1b6824ef842bba4dae170f97802d2c363db95e608ec.exe | icacls.exe
  PID 2732 wrote to memory of 3112 | 2732 | 3e253550b38d64d2a680d1b6824ef842bba4dae170f97802d2c363db95e608ec.exe | icacls.exe
  PID 2732 wrote to memory of 2492 | 2732 | 3e253550b38d64d2a680d1b6824ef842bba4dae170f97802d2c363db95e608ec.exe | takeown.exe
  PID 2732 wrote to memory of 2492 | 2732 | 3e253550b38d64d2a680d1b6824ef842bba4dae170f97802d2c363db95e608ec.exe | takeown.exe
  PID 2732 wrote to memory of 2492 | 2732 | 3e253550b38d64d2a680d1b6824ef842bba4dae170f97802d2c363db95e608ec.exe | takeown.exe
  PID 2732 wrote to memory of 1576 | 2732 | 3e253550b38d64d2a680d1b6824ef842bba4dae170f97802d2c363db95e608ec.exe | icacls.exe
  PID 2732 wrote to memory of 1576 | 2732 | 3e253550b38d64d2a680d1b6824ef842bba4dae170f97802d2c363db95e608ec.exe | icacls.exe
  PID 2732 wrote to memory of 1576 | 2732 | 3e253550b38d64d2a680d1b6824ef842bba4dae170f97802d2c363db95e608ec.exe | icacls.exe
  PID 2732 wrote to memory of 1984 | 2732 | 3e253550b38d64d2a680d1b6824ef842bba4dae170f97802d2c363db95e608ec.exe | takeown.exe
  PID 2732 wrote to memory of 1984 | 2732 | 3e253550b38d64d2a680d1b6824ef842bba4dae170f97802d2c363db95e608ec.exe | takeown.exe
  PID 2732 wrote to memory of 1984 | 2732 | 3e253550b38d64d2a680d1b6824ef842bba4dae170f97802d2c363db95e608ec.exe | takeown.exe
  PID 2732 wrote to memory of 1612 | 2732 | 3e253550b38d64d2a680d1b6824ef842bba4dae170f97802d2c363db95e608ec.exe | icacls.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\3e253550b38d64d2a680d1b6824ef842bba4dae170f97802d2c363db95e608ec.exe (depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\3e253550b38d64d2a680d1b6824ef842bba4dae170f97802d2c363db95e608ec.exe"
  - Drops file in System32 directory
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
- C:\Windows\SysWOW64\takeown.exe (depth 2)
  Command line: C:\Windows\system32\takeown.exe /f "C:\Windows\system32\abim.exe"
  - Possible privilege escalation attempt
  - Modifies file permissions
- C:\Windows\SysWOW64\icacls.exe (depth 2)
  Command line: C:\Windows\system32\icacls.exe "C:\Windows\system32\abim.exe" /grant SYSTEM:F
  - Possible privilege escalation attempt
  - Modifies file permissions
- C:\Windows\SysWOW64\takeown.exe (depth 2)
  Command line: takeown.exe /f "C:\Windows\System32\cmd.exe"
  - Possible privilege escalation attempt
  - Modifies file permissions
  - Suspicious use of AdjustPrivilegeToken
- C:\Windows\SysWOW64\icacls.exe (depth 2)
  Command line: icacls.exe "" /grant Users:F
  - Possible privilege escalation attempt
  - Modifies file permissions
- C:\Windows\SysWOW64\takeown.exe (depth 2)
  Command line: takeown.exe /f "C:\Windows\System32\cmd.exe"
  - Possible privilege escalation attempt
  - Modifies file permissions
  - Suspicious use of AdjustPrivilegeToken
- C:\Windows\SysWOW64\icacls.exe (depth 2)
  Command line: icacls.exe "" /grant Users:F
  - Possible privilege escalation attempt
  - Modifies file permissions
- C:\Windows\SysWOW64\takeown.exe (depth 2)
  Command line: takeown.exe /f "C:\Windows\System32\ftp.exe"
  - Possible privilege escalation attempt
  - Modifies file permissions
  - Suspicious use of AdjustPrivilegeToken
- C:\Windows\SysWOW64\icacls.exe (depth 2)
  Command line: icacls.exe "" /grant Users:F
  - Possible privilege escalation attempt
  - Modifies file permissions
- C:\Windows\SysWOW64\takeown.exe (depth 2)
  Command line: takeown.exe /f "C:\Windows\System32\ftp.exe"
  - Possible privilege escalation attempt
  - Modifies file permissions
  - Suspicious use of AdjustPrivilegeToken
- C:\Windows\SysWOW64\icacls.exe (depth 2)
  Command line: icacls.exe "" /grant Users:F
  - Possible privilege escalation attempt
  - Modifies file permissions
- C:\Windows\SysWOW64\takeown.exe (depth 2)
  Command line: takeown.exe /f "C:\Windows\System32\wscript.exe"
  - Possible privilege escalation attempt
  - Modifies file permissions
  - Suspicious use of AdjustPrivilegeToken
- C:\Windows\SysWOW64\icacls.exe (depth 2)
  Command line: icacls.exe "" /grant Users:F
  - Possible privilege escalation attempt
  - Modifies file permissions
- C:\Windows\SysWOW64\takeown.exe (depth 2)
  Command line: takeown.exe /f "C:\Windows\System32\wscript.exe"
  - Possible privilege escalation attempt
  - Modifies file permissions
  - Suspicious use of AdjustPrivilegeToken
- C:\Windows\SysWOW64\icacls.exe (depth 2)
  Command line: icacls.exe "" /grant Users:F
  - Possible privilege escalation attempt
  - Modifies file permissions
- C:\Windows\SysWOW64\takeown.exe (depth 2)
  Command line: takeown.exe /f "C:\Windows\System32\cscript.exe"
  - Possible privilege escalation attempt
  - Modifies file permissions
  - Suspicious use of AdjustPrivilegeToken
- C:\Windows\SysWOW64\icacls.exe (depth 2)
  Command line: icacls.exe "" /grant Users:F
  - Possible privilege escalation attempt
  - Modifies file permissions
- C:\Windows\SysWOW64\takeown.exe (depth 2)
  Command line: takeown.exe /f "C:\Windows\System32\cscript.exe"
  - Possible privilege escalation attempt
  - Modifies file permissions
  - Suspicious use of AdjustPrivilegeToken
- C:\Windows\SysWOW64\icacls.exe (depth 2)
  Command line: icacls.exe "" /grant Users:F
  - Possible privilege escalation attempt
  - Modifies file permissions
- C:\Windows\SysWOW64\takeown.exe (depth 2)
  Command line: takeown.exe /f "C:\Windows\SysWOW64\cmd.exe"
  - Possible privilege escalation attempt
  - Modifies file permissions
  - Suspicious use of AdjustPrivilegeToken
- C:\Windows\SysWOW64\icacls.exe (depth 2)
  Command line: icacls.exe "" /grant Users:F
  - Possible privilege escalation attempt
  - Modifies file permissions
- C:\Windows\SysWOW64\takeown.exe (depth 2)
  Command line: takeown.exe /f "C:\Windows\SysWOW64\cmd.exe"
  - Possible privilege escalation attempt
  - Modifies file permissions
  - Suspicious use of AdjustPrivilegeToken
- C:\Windows\SysWOW64\icacls.exe (depth 2)
  Command line: icacls.exe "" /grant Users:F
  - Possible privilege escalation attempt
  - Modifies file permissions
- C:\Windows\SysWOW64\takeown.exe (depth 2)
  Command line: takeown.exe /f "C:\Windows\SysWOW64\ftp.exe"
  - Possible privilege escalation attempt
  - Modifies file permissions
  - Suspicious use of AdjustPrivilegeToken
- C:\Windows\SysWOW64\icacls.exe (depth 2)
  Command line: icacls.exe "" /grant Users:F
  - Possible privilege escalation attempt
  - Modifies file permissions
- C:\Windows\SysWOW64\takeown.exe (depth 2)
  Command line: takeown.exe /f "C:\Windows\SysWOW64\ftp.exe"
  - Possible privilege escalation attempt
  - Modifies file permissions
  - Suspicious use of AdjustPrivilegeToken
- C:\Windows\SysWOW64\icacls.exe (depth 2)
  Command line: icacls.exe "" /grant Users:F
  - Possible privilege escalation attempt
  - Modifies file permissions
- C:\Windows\SysWOW64\takeown.exe (depth 2)
  Command line: takeown.exe /f "C:\Windows\SysWOW64\wscript.exe"
  - Possible privilege escalation attempt
  - Modifies file permissions
  - Suspicious use of AdjustPrivilegeToken
- C:\Windows\SysWOW64\icacls.exe (depth 2)
  Command line: icacls.exe "" /grant Users:F
  - Possible privilege escalation attempt
  - Modifies file permissions
- C:\Windows\SysWOW64\takeown.exe (depth 2)
  Command line: takeown.exe /f "C:\Windows\SysWOW64\wscript.exe"
  - Possible privilege escalation attempt
  - Modifies file permissions
  - Suspicious use of AdjustPrivilegeToken
- C:\Windows\SysWOW64\icacls.exe (depth 2)
  Command line: icacls.exe "" /grant Users:F
  - Possible privilege escalation attempt
  - Modifies file permissions
- C:\Windows\SysWOW64\takeown.exe (depth 2)
  Command line: takeown.exe /f "C:\Windows\SysWOW64\cscript.exe"
  - Possible privilege escalation attempt
  - Modifies file permissions
  - Suspicious use of AdjustPrivilegeToken
- C:\Windows\SysWOW64\icacls.exe (depth 2)
  Command line: icacls.exe "" /grant Users:F
  - Possible privilege escalation attempt
  - Modifies file permissions
- C:\Windows\SysWOW64\takeown.exe (depth 2)
  Command line: takeown.exe /f "C:\Windows\SysWOW64\cscript.exe"
  - Possible privilege escalation attempt
  - Modifies file permissions
  - Suspicious use of AdjustPrivilegeToken
- C:\Windows\SysWOW64\icacls.exe (depth 2)
  Command line: icacls.exe "" /grant Users:F
  - Possible privilege escalation attempt
  - Modifies file permissions
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Windows\SysWOW64\abim.exe
  Filesize: 68KB
  MD5: 0cab7ae738d38cd1696b4d11ccb1c6f1
  SHA1: 1db970ba877f7cb21667ef1e5f4e4d19a04775f8
  SHA256: 3e253550b38d64d2a680d1b6824ef842bba4dae170f97802d2c363db95e608ec
  SHA512: ab9bb42929a8f8d6d04d9d946caa53bf9b06ad2ddd7957d73ebb0153820614e6ed4da76265882cc8ebabef88d815d4514d7881226ecc44f25f7416be2910df54
- memory/316-157-0x0000000000000000-mapping.dmp
- memory/448-141-0x0000000000000000-mapping.dmp
- memory/644-150-0x0000000000000000-mapping.dmp
- memory/908-139-0x0000000000000000-mapping.dmp
- memory/1036-147-0x0000000000000000-mapping.dmp
- memory/1408-163-0x0000000000000000-mapping.dmp
- memory/1576-154-0x0000000000000000-mapping.dmp
- memory/1612-156-0x0000000000000000-mapping.dmp
- memory/1756-166-0x0000000000000000-mapping.dmp
- memory/1836-164-0x0000000000000000-mapping.dmp
- memory/1872-159-0x0000000000000000-mapping.dmp
- memory/1984-155-0x0000000000000000-mapping.dmp
- memory/2264-161-0x0000000000000000-mapping.dmp
- memory/2376-144-0x0000000000000000-mapping.dmp
- memory/2492-153-0x0000000000000000-mapping.dmp
- memory/2772-137-0x0000000000000000-mapping.dmp
- memory/2992-158-0x0000000000000000-mapping.dmp
- memory/3112-152-0x0000000000000000-mapping.dmp
- memory/3240-167-0x0000000000000000-mapping.dmp
- memory/3372-151-0x0000000000000000-mapping.dmp
- memory/3588-143-0x0000000000000000-mapping.dmp
- memory/3604-168-0x0000000000000000-mapping.dmp
- memory/3696-165-0x0000000000000000-mapping.dmp
- memory/3848-142-0x0000000000000000-mapping.dmp
- memory/3880-160-0x0000000000000000-mapping.dmp
- memory/4224-136-0x0000000000000000-mapping.dmp
- memory/4452-140-0x0000000000000000-mapping.dmp
- memory/4564-162-0x0000000000000000-mapping.dmp
- memory/4572-138-0x0000000000000000-mapping.dmp
- memory/4644-145-0x0000000000000000-mapping.dmp
- memory/4708-149-0x0000000000000000-mapping.dmp
- memory/4836-146-0x0000000000000000-mapping.dmp
- memory/4844-148-0x0000000000000000-mapping.dmp
- memory/5032-134-0x0000000000000000-mapping.dmp