Analysis
max time kernel: 112s
max time network: 116s
platform: windows10-2004_x64
resource: win10v2004-20220901-en
resource tags: arch:x64, arch:x86, image:win10v2004-20220901-en, locale:en-us, os:windows10-2004-x64, system
submitted: 06-11-2022 06:47
Static task: static1
Behavioral task: behavioral1
Sample: facad88d55740654dc9a67a5e052bc04a2a35a64956071bdaed0ad171f251b42.exe
Resource: win7-20220901-en
General
Target: facad88d55740654dc9a67a5e052bc04a2a35a64956071bdaed0ad171f251b42.exe
Size: 72KB
MD5: 31620df922955bc7ac7989e4a7fde6e0
SHA1: 17a4f735cf75dbf35d7e110221711b7378d0ca1e
SHA256: facad88d55740654dc9a67a5e052bc04a2a35a64956071bdaed0ad171f251b42
SHA512: a56e78860f49a9ecb1f11334a83b8399865a313c769f9161acaec79b293a9257a5955d3337a59ea9f10b3fcd948517ec4365e422b67b50813347f81345441dc1
SSDEEP: 1536:sY2GmbO6afLN1IylGzV6/+CiHgRqL6Ihw:sYZmy6aR1xlGzV6GXL6cw
Malware Config
Signatures
-
Possible privilege escalation attempt 34 IoCs
Processes:
pid | process
4608 | takeown.exe
4212 | takeown.exe
5016 | icacls.exe
4728 | takeown.exe
4528 | takeown.exe
2676 | icacls.exe
4716 | icacls.exe
2592 | icacls.exe
1648 | icacls.exe
4892 | icacls.exe
696 | takeown.exe
3772 | icacls.exe
3040 | takeown.exe
1936 | icacls.exe
4024 | takeown.exe
368 | icacls.exe
1572 | takeown.exe
3512 | icacls.exe
1468 | icacls.exe
2748 | icacls.exe
4276 | takeown.exe
2220 | icacls.exe
2732 | takeown.exe
1892 | icacls.exe
4220 | icacls.exe
4816 | icacls.exe
4120 | takeown.exe
824 | takeown.exe
380 | takeown.exe
512 | takeown.exe
4484 | icacls.exe
3388 | takeown.exe
804 | takeown.exe
4988 | takeown.exe
Modifies file permissions 1 TTPs 34 IoCs
Processes:
pid | process
4528 | takeown.exe
3388 | takeown.exe
2748 | icacls.exe
804 | takeown.exe
2592 | icacls.exe
4220 | icacls.exe
696 | takeown.exe
3772 | icacls.exe
4484 | icacls.exe
1936 | icacls.exe
4276 | takeown.exe
4716 | icacls.exe
4608 | takeown.exe
4728 | takeown.exe
2676 | icacls.exe
512 | takeown.exe
4024 | takeown.exe
1648 | icacls.exe
1468 | icacls.exe
4892 | icacls.exe
1892 | icacls.exe
4816 | icacls.exe
1572 | takeown.exe
5016 | icacls.exe
824 | takeown.exe
3512 | icacls.exe
2732 | takeown.exe
368 | icacls.exe
4212 | takeown.exe
2220 | icacls.exe
4120 | takeown.exe
380 | takeown.exe
3040 | takeown.exe
4988 | takeown.exe
Drops file in System32 directory 6 IoCs
Processes:
description | ioc | process
File created | C:\Windows\SysWOW64\smlx.exe | facad88d55740654dc9a67a5e052bc04a2a35a64956071bdaed0ad171f251b42.exe
File opened for modification | C:\Windows\SysWOW64\smlx.exe | facad88d55740654dc9a67a5e052bc04a2a35a64956071bdaed0ad171f251b42.exe
File opened for modification | C:\Windows\SysWOW64\cmd.exe | facad88d55740654dc9a67a5e052bc04a2a35a64956071bdaed0ad171f251b42.exe
File opened for modification | C:\Windows\SysWOW64\ftp.exe | facad88d55740654dc9a67a5e052bc04a2a35a64956071bdaed0ad171f251b42.exe
File opened for modification | C:\Windows\SysWOW64\wscript.exe | facad88d55740654dc9a67a5e052bc04a2a35a64956071bdaed0ad171f251b42.exe
File opened for modification | C:\Windows\SysWOW64\cscript.exe | facad88d55740654dc9a67a5e052bc04a2a35a64956071bdaed0ad171f251b42.exe
Suspicious use of AdjustPrivilegeToken 16 IoCs
Processes:
description | pid | process
Token: SeTakeOwnershipPrivilege | 4728 | takeown.exe
Token: SeTakeOwnershipPrivilege | 4528 | takeown.exe
Token: SeTakeOwnershipPrivilege | 4120 | takeown.exe
Token: SeTakeOwnershipPrivilege | 824 | takeown.exe
Token: SeTakeOwnershipPrivilege | 380 | takeown.exe
Token: SeTakeOwnershipPrivilege | 2732 | takeown.exe
Token: SeTakeOwnershipPrivilege | 512 | takeown.exe
Token: SeTakeOwnershipPrivilege | 3388 | takeown.exe
Token: SeTakeOwnershipPrivilege | 804 | takeown.exe
Token: SeTakeOwnershipPrivilege | 3040 | takeown.exe
Token: SeTakeOwnershipPrivilege | 4988 | takeown.exe
Token: SeTakeOwnershipPrivilege | 4024 | takeown.exe
Token: SeTakeOwnershipPrivilege | 4608 | takeown.exe
Token: SeTakeOwnershipPrivilege | 4212 | takeown.exe
Token: SeTakeOwnershipPrivilege | 4276 | takeown.exe
Token: SeTakeOwnershipPrivilege | 696 | takeown.exe
Suspicious use of SetWindowsHookEx 1 IoCs
Processes:
pid | process
1692 | facad88d55740654dc9a67a5e052bc04a2a35a64956071bdaed0ad171f251b42.exe
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
description | pid | process | target process
PID 1692 wrote to memory of 1572 | 1692 | facad88d55740654dc9a67a5e052bc04a2a35a64956071bdaed0ad171f251b42.exe | takeown.exe
PID 1692 wrote to memory of 1572 | 1692 | facad88d55740654dc9a67a5e052bc04a2a35a64956071bdaed0ad171f251b42.exe | takeown.exe
PID 1692 wrote to memory of 1572 | 1692 | facad88d55740654dc9a67a5e052bc04a2a35a64956071bdaed0ad171f251b42.exe | takeown.exe
PID 1692 wrote to memory of 5016 | 1692 | facad88d55740654dc9a67a5e052bc04a2a35a64956071bdaed0ad171f251b42.exe | icacls.exe
PID 1692 wrote to memory of 5016 | 1692 | facad88d55740654dc9a67a5e052bc04a2a35a64956071bdaed0ad171f251b42.exe | icacls.exe
PID 1692 wrote to memory of 5016 | 1692 | facad88d55740654dc9a67a5e052bc04a2a35a64956071bdaed0ad171f251b42.exe | icacls.exe
PID 1692 wrote to memory of 4728 | 1692 | facad88d55740654dc9a67a5e052bc04a2a35a64956071bdaed0ad171f251b42.exe | takeown.exe
PID 1692 wrote to memory of 4728 | 1692 | facad88d55740654dc9a67a5e052bc04a2a35a64956071bdaed0ad171f251b42.exe | takeown.exe
PID 1692 wrote to memory of 4728 | 1692 | facad88d55740654dc9a67a5e052bc04a2a35a64956071bdaed0ad171f251b42.exe | takeown.exe
PID 1692 wrote to memory of 2220 | 1692 | facad88d55740654dc9a67a5e052bc04a2a35a64956071bdaed0ad171f251b42.exe | icacls.exe
PID 1692 wrote to memory of 2220 | 1692 | facad88d55740654dc9a67a5e052bc04a2a35a64956071bdaed0ad171f251b42.exe | icacls.exe
PID 1692 wrote to memory of 2220 | 1692 | facad88d55740654dc9a67a5e052bc04a2a35a64956071bdaed0ad171f251b42.exe | icacls.exe
PID 1692 wrote to memory of 4528 | 1692 | facad88d55740654dc9a67a5e052bc04a2a35a64956071bdaed0ad171f251b42.exe | takeown.exe
PID 1692 wrote to memory of 4528 | 1692 | facad88d55740654dc9a67a5e052bc04a2a35a64956071bdaed0ad171f251b42.exe | takeown.exe
PID 1692 wrote to memory of 4528 | 1692 | facad88d55740654dc9a67a5e052bc04a2a35a64956071bdaed0ad171f251b42.exe | takeown.exe
PID 1692 wrote to memory of 4484 | 1692 | facad88d55740654dc9a67a5e052bc04a2a35a64956071bdaed0ad171f251b42.exe | icacls.exe
PID 1692 wrote to memory of 4484 | 1692 | facad88d55740654dc9a67a5e052bc04a2a35a64956071bdaed0ad171f251b42.exe | icacls.exe
PID 1692 wrote to memory of 4484 | 1692 | facad88d55740654dc9a67a5e052bc04a2a35a64956071bdaed0ad171f251b42.exe | icacls.exe
PID 1692 wrote to memory of 4120 | 1692 | facad88d55740654dc9a67a5e052bc04a2a35a64956071bdaed0ad171f251b42.exe | takeown.exe
PID 1692 wrote to memory of 4120 | 1692 | facad88d55740654dc9a67a5e052bc04a2a35a64956071bdaed0ad171f251b42.exe | takeown.exe
PID 1692 wrote to memory of 4120 | 1692 | facad88d55740654dc9a67a5e052bc04a2a35a64956071bdaed0ad171f251b42.exe | takeown.exe
PID 1692 wrote to memory of 1648 | 1692 | facad88d55740654dc9a67a5e052bc04a2a35a64956071bdaed0ad171f251b42.exe | icacls.exe
PID 1692 wrote to memory of 1648 | 1692 | facad88d55740654dc9a67a5e052bc04a2a35a64956071bdaed0ad171f251b42.exe | icacls.exe
PID 1692 wrote to memory of 1648 | 1692 | facad88d55740654dc9a67a5e052bc04a2a35a64956071bdaed0ad171f251b42.exe | icacls.exe
PID 1692 wrote to memory of 824 | 1692 | facad88d55740654dc9a67a5e052bc04a2a35a64956071bdaed0ad171f251b42.exe | takeown.exe
PID 1692 wrote to memory of 824 | 1692 | facad88d55740654dc9a67a5e052bc04a2a35a64956071bdaed0ad171f251b42.exe | takeown.exe
PID 1692 wrote to memory of 824 | 1692 | facad88d55740654dc9a67a5e052bc04a2a35a64956071bdaed0ad171f251b42.exe | takeown.exe
PID 1692 wrote to memory of 3512 | 1692 | facad88d55740654dc9a67a5e052bc04a2a35a64956071bdaed0ad171f251b42.exe | icacls.exe
PID 1692 wrote to memory of 3512 | 1692 | facad88d55740654dc9a67a5e052bc04a2a35a64956071bdaed0ad171f251b42.exe | icacls.exe
PID 1692 wrote to memory of 3512 | 1692 | facad88d55740654dc9a67a5e052bc04a2a35a64956071bdaed0ad171f251b42.exe | icacls.exe
PID 1692 wrote to memory of 380 | 1692 | facad88d55740654dc9a67a5e052bc04a2a35a64956071bdaed0ad171f251b42.exe | takeown.exe
PID 1692 wrote to memory of 380 | 1692 | facad88d55740654dc9a67a5e052bc04a2a35a64956071bdaed0ad171f251b42.exe | takeown.exe
PID 1692 wrote to memory of 380 | 1692 | facad88d55740654dc9a67a5e052bc04a2a35a64956071bdaed0ad171f251b42.exe | takeown.exe
PID 1692 wrote to memory of 2676 | 1692 | facad88d55740654dc9a67a5e052bc04a2a35a64956071bdaed0ad171f251b42.exe | icacls.exe
PID 1692 wrote to memory of 2676 | 1692 | facad88d55740654dc9a67a5e052bc04a2a35a64956071bdaed0ad171f251b42.exe | icacls.exe
PID 1692 wrote to memory of 2676 | 1692 | facad88d55740654dc9a67a5e052bc04a2a35a64956071bdaed0ad171f251b42.exe | icacls.exe
PID 1692 wrote to memory of 2732 | 1692 | facad88d55740654dc9a67a5e052bc04a2a35a64956071bdaed0ad171f251b42.exe | takeown.exe
PID 1692 wrote to memory of 2732 | 1692 | facad88d55740654dc9a67a5e052bc04a2a35a64956071bdaed0ad171f251b42.exe | takeown.exe
PID 1692 wrote to memory of 2732 | 1692 | facad88d55740654dc9a67a5e052bc04a2a35a64956071bdaed0ad171f251b42.exe | takeown.exe
PID 1692 wrote to memory of 4716 | 1692 | facad88d55740654dc9a67a5e052bc04a2a35a64956071bdaed0ad171f251b42.exe | icacls.exe
PID 1692 wrote to memory of 4716 | 1692 | facad88d55740654dc9a67a5e052bc04a2a35a64956071bdaed0ad171f251b42.exe | icacls.exe
PID 1692 wrote to memory of 4716 | 1692 | facad88d55740654dc9a67a5e052bc04a2a35a64956071bdaed0ad171f251b42.exe | icacls.exe
PID 1692 wrote to memory of 512 | 1692 | facad88d55740654dc9a67a5e052bc04a2a35a64956071bdaed0ad171f251b42.exe | takeown.exe
PID 1692 wrote to memory of 512 | 1692 | facad88d55740654dc9a67a5e052bc04a2a35a64956071bdaed0ad171f251b42.exe | takeown.exe
PID 1692 wrote to memory of 512 | 1692 | facad88d55740654dc9a67a5e052bc04a2a35a64956071bdaed0ad171f251b42.exe | takeown.exe
PID 1692 wrote to memory of 1468 | 1692 | facad88d55740654dc9a67a5e052bc04a2a35a64956071bdaed0ad171f251b42.exe | icacls.exe
PID 1692 wrote to memory of 1468 | 1692 | facad88d55740654dc9a67a5e052bc04a2a35a64956071bdaed0ad171f251b42.exe | icacls.exe
PID 1692 wrote to memory of 1468 | 1692 | facad88d55740654dc9a67a5e052bc04a2a35a64956071bdaed0ad171f251b42.exe | icacls.exe
PID 1692 wrote to memory of 3388 | 1692 | facad88d55740654dc9a67a5e052bc04a2a35a64956071bdaed0ad171f251b42.exe | takeown.exe
PID 1692 wrote to memory of 3388 | 1692 | facad88d55740654dc9a67a5e052bc04a2a35a64956071bdaed0ad171f251b42.exe | takeown.exe
PID 1692 wrote to memory of 3388 | 1692 | facad88d55740654dc9a67a5e052bc04a2a35a64956071bdaed0ad171f251b42.exe | takeown.exe
PID 1692 wrote to memory of 2748 | 1692 | facad88d55740654dc9a67a5e052bc04a2a35a64956071bdaed0ad171f251b42.exe | icacls.exe
PID 1692 wrote to memory of 2748 | 1692 | facad88d55740654dc9a67a5e052bc04a2a35a64956071bdaed0ad171f251b42.exe | icacls.exe
PID 1692 wrote to memory of 2748 | 1692 | facad88d55740654dc9a67a5e052bc04a2a35a64956071bdaed0ad171f251b42.exe | icacls.exe
PID 1692 wrote to memory of 804 | 1692 | facad88d55740654dc9a67a5e052bc04a2a35a64956071bdaed0ad171f251b42.exe | takeown.exe
PID 1692 wrote to memory of 804 | 1692 | facad88d55740654dc9a67a5e052bc04a2a35a64956071bdaed0ad171f251b42.exe | takeown.exe
PID 1692 wrote to memory of 804 | 1692 | facad88d55740654dc9a67a5e052bc04a2a35a64956071bdaed0ad171f251b42.exe | takeown.exe
PID 1692 wrote to memory of 4892 | 1692 | facad88d55740654dc9a67a5e052bc04a2a35a64956071bdaed0ad171f251b42.exe | icacls.exe
PID 1692 wrote to memory of 4892 | 1692 | facad88d55740654dc9a67a5e052bc04a2a35a64956071bdaed0ad171f251b42.exe | icacls.exe
PID 1692 wrote to memory of 4892 | 1692 | facad88d55740654dc9a67a5e052bc04a2a35a64956071bdaed0ad171f251b42.exe | icacls.exe
PID 1692 wrote to memory of 3040 | 1692 | facad88d55740654dc9a67a5e052bc04a2a35a64956071bdaed0ad171f251b42.exe | takeown.exe
PID 1692 wrote to memory of 3040 | 1692 | facad88d55740654dc9a67a5e052bc04a2a35a64956071bdaed0ad171f251b42.exe | takeown.exe
PID 1692 wrote to memory of 3040 | 1692 | facad88d55740654dc9a67a5e052bc04a2a35a64956071bdaed0ad171f251b42.exe | takeown.exe
PID 1692 wrote to memory of 2592 | 1692 | facad88d55740654dc9a67a5e052bc04a2a35a64956071bdaed0ad171f251b42.exe | icacls.exe
Processes

Process (depth 1): C:\Users\Admin\AppData\Local\Temp\facad88d55740654dc9a67a5e052bc04a2a35a64956071bdaed0ad171f251b42.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\facad88d55740654dc9a67a5e052bc04a2a35a64956071bdaed0ad171f251b42.exe"
- Drops file in System32 directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory

Process (depth 2): C:\Windows\SysWOW64\takeown.exe
Command line: C:\Windows\system32\takeown.exe /f "C:\Windows\system32\smlx.exe"
- Possible privilege escalation attempt
- Modifies file permissions

Process (depth 2): C:\Windows\SysWOW64\icacls.exe
Command line: C:\Windows\system32\icacls.exe "C:\Windows\system32\smlx.exe" /grant SYSTEM:F
- Possible privilege escalation attempt
- Modifies file permissions

Process (depth 2): C:\Windows\SysWOW64\takeown.exe
Command line: takeown.exe /f "C:\Windows\System32\cmd.exe"
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken

Process (depth 2): C:\Windows\SysWOW64\icacls.exe
Command line: icacls.exe "C:\Windows\System32\cmd.exe" /grant SYSTEM:F
- Possible privilege escalation attempt
- Modifies file permissions

Process (depth 2): C:\Windows\SysWOW64\takeown.exe
Command line: takeown.exe /f "C:\Windows\System32\cmd.exe"
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken

Process (depth 2): C:\Windows\SysWOW64\icacls.exe
Command line: icacls.exe "C:\Windows\System32\cmd.exe" /grant SYSTEM:F
- Possible privilege escalation attempt
- Modifies file permissions

Process (depth 2): C:\Windows\SysWOW64\takeown.exe
Command line: takeown.exe /f "C:\Windows\System32\ftp.exe"
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken

Process (depth 2): C:\Windows\SysWOW64\icacls.exe
Command line: icacls.exe "C:\Windows\System32\ftp.exe" /grant SYSTEM:F
- Possible privilege escalation attempt
- Modifies file permissions

Process (depth 2): C:\Windows\SysWOW64\takeown.exe
Command line: takeown.exe /f "C:\Windows\System32\ftp.exe"
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken

Process (depth 2): C:\Windows\SysWOW64\icacls.exe
Command line: icacls.exe "C:\Windows\System32\ftp.exe" /grant SYSTEM:F
- Possible privilege escalation attempt
- Modifies file permissions

Process (depth 2): C:\Windows\SysWOW64\takeown.exe
Command line: takeown.exe /f "C:\Windows\System32\wscript.exe"
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken

Process (depth 2): C:\Windows\SysWOW64\icacls.exe
Command line: icacls.exe "C:\Windows\System32\wscript.exe" /grant SYSTEM:F
- Possible privilege escalation attempt
- Modifies file permissions

Process (depth 2): C:\Windows\SysWOW64\takeown.exe
Command line: takeown.exe /f "C:\Windows\System32\wscript.exe"
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken

Process (depth 2): C:\Windows\SysWOW64\icacls.exe
Command line: icacls.exe "C:\Windows\System32\wscript.exe" /grant SYSTEM:F
- Possible privilege escalation attempt
- Modifies file permissions

Process (depth 2): C:\Windows\SysWOW64\takeown.exe
Command line: takeown.exe /f "C:\Windows\System32\cscript.exe"
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken

Process (depth 2): C:\Windows\SysWOW64\icacls.exe
Command line: icacls.exe "C:\Windows\System32\cscript.exe" /grant SYSTEM:F
- Possible privilege escalation attempt
- Modifies file permissions

Process (depth 2): C:\Windows\SysWOW64\takeown.exe
Command line: takeown.exe /f "C:\Windows\System32\cscript.exe"
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken

Process (depth 2): C:\Windows\SysWOW64\icacls.exe
Command line: icacls.exe "C:\Windows\System32\cscript.exe" /grant SYSTEM:F
- Possible privilege escalation attempt
- Modifies file permissions

Process (depth 2): C:\Windows\SysWOW64\takeown.exe
Command line: takeown.exe /f "C:\Windows\SysWOW64\cmd.exe"
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken

Process (depth 2): C:\Windows\SysWOW64\icacls.exe
Command line: icacls.exe "C:\Windows\SysWOW64\cmd.exe" /grant SYSTEM:F
- Possible privilege escalation attempt
- Modifies file permissions

Process (depth 2): C:\Windows\SysWOW64\takeown.exe
Command line: takeown.exe /f "C:\Windows\SysWOW64\cmd.exe"
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken

Process (depth 2): C:\Windows\SysWOW64\icacls.exe
Command line: icacls.exe "C:\Windows\SysWOW64\cmd.exe" /grant SYSTEM:F
- Possible privilege escalation attempt
- Modifies file permissions

Process (depth 2): C:\Windows\SysWOW64\takeown.exe
Command line: takeown.exe /f "C:\Windows\SysWOW64\ftp.exe"
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken

Process (depth 2): C:\Windows\SysWOW64\icacls.exe
Command line: icacls.exe "C:\Windows\SysWOW64\ftp.exe" /grant SYSTEM:F
- Possible privilege escalation attempt
- Modifies file permissions

Process (depth 2): C:\Windows\SysWOW64\takeown.exe
Command line: takeown.exe /f "C:\Windows\SysWOW64\ftp.exe"
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken

Process (depth 2): C:\Windows\SysWOW64\icacls.exe
Command line: icacls.exe "C:\Windows\SysWOW64\ftp.exe" /grant SYSTEM:F
- Possible privilege escalation attempt
- Modifies file permissions

Process (depth 2): C:\Windows\SysWOW64\takeown.exe
Command line: takeown.exe /f "C:\Windows\SysWOW64\wscript.exe"
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken

Process (depth 2): C:\Windows\SysWOW64\icacls.exe
Command line: icacls.exe "C:\Windows\SysWOW64\wscript.exe" /grant SYSTEM:F
- Possible privilege escalation attempt
- Modifies file permissions

Process (depth 2): C:\Windows\SysWOW64\takeown.exe
Command line: takeown.exe /f "C:\Windows\SysWOW64\wscript.exe"
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken

Process (depth 2): C:\Windows\SysWOW64\icacls.exe
Command line: icacls.exe "C:\Windows\SysWOW64\wscript.exe" /grant SYSTEM:F
- Possible privilege escalation attempt
- Modifies file permissions

Process (depth 2): C:\Windows\SysWOW64\takeown.exe
Command line: takeown.exe /f "C:\Windows\SysWOW64\cscript.exe"
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken

Process (depth 2): C:\Windows\SysWOW64\icacls.exe
Command line: icacls.exe "C:\Windows\SysWOW64\cscript.exe" /grant SYSTEM:F
- Possible privilege escalation attempt
- Modifies file permissions

Process (depth 2): C:\Windows\SysWOW64\takeown.exe
Command line: takeown.exe /f "C:\Windows\SysWOW64\cscript.exe"
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken

Process (depth 2): C:\Windows\SysWOW64\icacls.exe
Command line: icacls.exe "C:\Windows\SysWOW64\cscript.exe" /grant SYSTEM:F
- Possible privilege escalation attempt
- Modifies file permissions
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
C:\Windows\SysWOW64\smlx.exe
Filesize: 72KB
MD5: 31620df922955bc7ac7989e4a7fde6e0
SHA1: 17a4f735cf75dbf35d7e110221711b7378d0ca1e
SHA256: facad88d55740654dc9a67a5e052bc04a2a35a64956071bdaed0ad171f251b42
SHA512: a56e78860f49a9ecb1f11334a83b8399865a313c769f9161acaec79b293a9257a5955d3337a59ea9f10b3fcd948517ec4365e422b67b50813347f81345441dc1
memory/368-161-0x0000000000000000-mapping.dmp
memory/380-146-0x0000000000000000-mapping.dmp
memory/512-150-0x0000000000000000-mapping.dmp
memory/696-168-0x0000000000000000-mapping.dmp
memory/804-154-0x0000000000000000-mapping.dmp
memory/824-144-0x0000000000000000-mapping.dmp
memory/1468-151-0x0000000000000000-mapping.dmp
memory/1572-135-0x0000000000000000-mapping.dmp
memory/1648-143-0x0000000000000000-mapping.dmp
memory/1892-163-0x0000000000000000-mapping.dmp
memory/1936-159-0x0000000000000000-mapping.dmp
memory/2220-139-0x0000000000000000-mapping.dmp
memory/2592-157-0x0000000000000000-mapping.dmp
memory/2676-147-0x0000000000000000-mapping.dmp
memory/2732-148-0x0000000000000000-mapping.dmp
memory/2748-153-0x0000000000000000-mapping.dmp
memory/3040-156-0x0000000000000000-mapping.dmp
memory/3388-152-0x0000000000000000-mapping.dmp
memory/3512-145-0x0000000000000000-mapping.dmp
memory/3772-169-0x0000000000000000-mapping.dmp
memory/4024-160-0x0000000000000000-mapping.dmp
memory/4120-142-0x0000000000000000-mapping.dmp
memory/4212-164-0x0000000000000000-mapping.dmp
memory/4220-167-0x0000000000000000-mapping.dmp
memory/4276-166-0x0000000000000000-mapping.dmp
memory/4484-141-0x0000000000000000-mapping.dmp
memory/4528-140-0x0000000000000000-mapping.dmp
memory/4608-162-0x0000000000000000-mapping.dmp
memory/4716-149-0x0000000000000000-mapping.dmp
memory/4728-138-0x0000000000000000-mapping.dmp
memory/4816-165-0x0000000000000000-mapping.dmp
memory/4892-155-0x0000000000000000-mapping.dmp
memory/4988-158-0x0000000000000000-mapping.dmp
memory/5016-137-0x0000000000000000-mapping.dmp