0c2659ad4dc8826ddddf18c68f572613fd5b5541dec5822027d34a03c519625e

Analysis

max time kernel
160s
max time network
172s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
07-11-2022 00:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0c2659ad4dc8826ddddf18c68f572613fd5b5541dec5822027d34a03c519625e.exe
Size

68KB
MD5

15b222e230f32f377982fdcffa0a6771
SHA1

89c3ddd16938a6f1aeb73f27a717d545c9de98cc
SHA256

0c2659ad4dc8826ddddf18c68f572613fd5b5541dec5822027d34a03c519625e
SHA512

3b0b3e86e6fa1072e3d3411f0d6c34f728176959abfd2f728eff41b35ed27a95145fd803da845dd38d7c543f54abc2efa03a53f1e5cb300489545bec061e7510
SSDEEP

768:l7c26u0ujY+6+zAehBmJ+9hUykr4VDOtF1qyvFTPk7BRIztyiwLdV3cRnffCXe:lN3AgflE1qrBy3Ee

Score

8^/10

discovery exploit

Malware Config

Signatures

Possible privilege escalation attempt 34 IoCs

exploit

Processes:

takeown.exetakeown.exetakeown.exeicacls.exetakeown.exeicacls.exetakeown.exeicacls.exetakeown.exetakeown.exeicacls.exeicacls.exeicacls.exeicacls.exetakeown.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exeicacls.exetakeown.exetakeown.exetakeown.exeicacls.exeicacls.exetakeown.exeicacls.exe

pid	process
2072	takeown.exe
1960	takeown.exe
4712	takeown.exe
3932	icacls.exe
1120	takeown.exe
1604	icacls.exe
100	takeown.exe
4112	icacls.exe
2684	takeown.exe
2328	takeown.exe
1056	icacls.exe
4436	icacls.exe
1940	icacls.exe
4948	icacls.exe
2052	takeown.exe
4520	icacls.exe
456	icacls.exe
764	icacls.exe
2432	icacls.exe
2264	icacls.exe
3208	icacls.exe
4912	takeown.exe
2680	takeown.exe
3760	takeown.exe
4696	takeown.exe
1800	takeown.exe
1324	icacls.exe
3852	takeown.exe
3596	takeown.exe
4736	takeown.exe
4324	icacls.exe
1644	icacls.exe
1336	takeown.exe
3376	icacls.exe

Modifies file permissions 1 TTPs 34 IoCs

discovery

File and Directory Permissions Modification

T1222

Processes:

icacls.exetakeown.exetakeown.exeicacls.exeicacls.exetakeown.exetakeown.exeicacls.exetakeown.exetakeown.exeicacls.exeicacls.exeicacls.exetakeown.exeicacls.exetakeown.exetakeown.exeicacls.exetakeown.exeicacls.exeicacls.exetakeown.exetakeown.exeicacls.exeicacls.exetakeown.exeicacls.exetakeown.exeicacls.exeicacls.exeicacls.exetakeown.exetakeown.exetakeown.exe

pid	process
3208	icacls.exe
4696	takeown.exe
4912	takeown.exe
1644	icacls.exe
1056	icacls.exe
1800	takeown.exe
100	takeown.exe
2264	icacls.exe
2684	takeown.exe
2328	takeown.exe
4324	icacls.exe
4436	icacls.exe
764	icacls.exe
3596	takeown.exe
2432	icacls.exe
1960	takeown.exe
1120	takeown.exe
456	icacls.exe
3852	takeown.exe
1604	icacls.exe
3376	icacls.exe
3760	takeown.exe
2072	takeown.exe
4112	icacls.exe
3932	icacls.exe
4736	takeown.exe
1940	icacls.exe
2052	takeown.exe
4520	icacls.exe
1324	icacls.exe
4948	icacls.exe
2680	takeown.exe
1336	takeown.exe
4712	takeown.exe

Drops file in System32 directory 6 IoCs

Processes:

0c2659ad4dc8826ddddf18c68f572613fd5b5541dec5822027d34a03c519625e.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\cmd.exe	0c2659ad4dc8826ddddf18c68f572613fd5b5541dec5822027d34a03c519625e.exe
File opened for modification	C:\Windows\SysWOW64\ftp.exe	0c2659ad4dc8826ddddf18c68f572613fd5b5541dec5822027d34a03c519625e.exe
File opened for modification	C:\Windows\SysWOW64\wscript.exe	0c2659ad4dc8826ddddf18c68f572613fd5b5541dec5822027d34a03c519625e.exe
File opened for modification	C:\Windows\SysWOW64\cscript.exe	0c2659ad4dc8826ddddf18c68f572613fd5b5541dec5822027d34a03c519625e.exe
File created	C:\Windows\SysWOW64\btwp.exe	0c2659ad4dc8826ddddf18c68f572613fd5b5541dec5822027d34a03c519625e.exe
File opened for modification	C:\Windows\SysWOW64\btwp.exe	0c2659ad4dc8826ddddf18c68f572613fd5b5541dec5822027d34a03c519625e.exe

Suspicious use of AdjustPrivilegeToken 16 IoCs

Processes:

takeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exe

description	pid	process
Token: SeTakeOwnershipPrivilege	4912	takeown.exe
Token: SeTakeOwnershipPrivilege	3852	takeown.exe
Token: SeTakeOwnershipPrivilege	2328	takeown.exe
Token: SeTakeOwnershipPrivilege	100	takeown.exe
Token: SeTakeOwnershipPrivilege	2680	takeown.exe
Token: SeTakeOwnershipPrivilege	3760	takeown.exe
Token: SeTakeOwnershipPrivilege	2072	takeown.exe
Token: SeTakeOwnershipPrivilege	3596	takeown.exe
Token: SeTakeOwnershipPrivilege	1336	takeown.exe
Token: SeTakeOwnershipPrivilege	4736	takeown.exe
Token: SeTakeOwnershipPrivilege	1800	takeown.exe
Token: SeTakeOwnershipPrivilege	1960	takeown.exe
Token: SeTakeOwnershipPrivilege	2052	takeown.exe
Token: SeTakeOwnershipPrivilege	2684	takeown.exe
Token: SeTakeOwnershipPrivilege	4712	takeown.exe
Token: SeTakeOwnershipPrivilege	4696	takeown.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

0c2659ad4dc8826ddddf18c68f572613fd5b5541dec5822027d34a03c519625e.exe

pid process

924 0c2659ad4dc8826ddddf18c68f572613fd5b5541dec5822027d34a03c519625e.exe

pid	process
924	0c2659ad4dc8826ddddf18c68f572613fd5b5541dec5822027d34a03c519625e.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

0c2659ad4dc8826ddddf18c68f572613fd5b5541dec5822027d34a03c519625e.exe

description	pid	process	target process
PID 924 wrote to memory of 1120	924	0c2659ad4dc8826ddddf18c68f572613fd5b5541dec5822027d34a03c519625e.exe	takeown.exe
PID 924 wrote to memory of 1120	924	0c2659ad4dc8826ddddf18c68f572613fd5b5541dec5822027d34a03c519625e.exe	takeown.exe
PID 924 wrote to memory of 1120	924	0c2659ad4dc8826ddddf18c68f572613fd5b5541dec5822027d34a03c519625e.exe	takeown.exe
PID 924 wrote to memory of 456	924	0c2659ad4dc8826ddddf18c68f572613fd5b5541dec5822027d34a03c519625e.exe	icacls.exe
PID 924 wrote to memory of 456	924	0c2659ad4dc8826ddddf18c68f572613fd5b5541dec5822027d34a03c519625e.exe	icacls.exe
PID 924 wrote to memory of 456	924	0c2659ad4dc8826ddddf18c68f572613fd5b5541dec5822027d34a03c519625e.exe	icacls.exe
PID 924 wrote to memory of 4912	924	0c2659ad4dc8826ddddf18c68f572613fd5b5541dec5822027d34a03c519625e.exe	takeown.exe
PID 924 wrote to memory of 4912	924	0c2659ad4dc8826ddddf18c68f572613fd5b5541dec5822027d34a03c519625e.exe	takeown.exe
PID 924 wrote to memory of 4912	924	0c2659ad4dc8826ddddf18c68f572613fd5b5541dec5822027d34a03c519625e.exe	takeown.exe
PID 924 wrote to memory of 1324	924	0c2659ad4dc8826ddddf18c68f572613fd5b5541dec5822027d34a03c519625e.exe	icacls.exe
PID 924 wrote to memory of 1324	924	0c2659ad4dc8826ddddf18c68f572613fd5b5541dec5822027d34a03c519625e.exe	icacls.exe
PID 924 wrote to memory of 1324	924	0c2659ad4dc8826ddddf18c68f572613fd5b5541dec5822027d34a03c519625e.exe	icacls.exe
PID 924 wrote to memory of 3852	924	0c2659ad4dc8826ddddf18c68f572613fd5b5541dec5822027d34a03c519625e.exe	takeown.exe
PID 924 wrote to memory of 3852	924	0c2659ad4dc8826ddddf18c68f572613fd5b5541dec5822027d34a03c519625e.exe	takeown.exe
PID 924 wrote to memory of 3852	924	0c2659ad4dc8826ddddf18c68f572613fd5b5541dec5822027d34a03c519625e.exe	takeown.exe
PID 924 wrote to memory of 4324	924	0c2659ad4dc8826ddddf18c68f572613fd5b5541dec5822027d34a03c519625e.exe	icacls.exe
PID 924 wrote to memory of 4324	924	0c2659ad4dc8826ddddf18c68f572613fd5b5541dec5822027d34a03c519625e.exe	icacls.exe
PID 924 wrote to memory of 4324	924	0c2659ad4dc8826ddddf18c68f572613fd5b5541dec5822027d34a03c519625e.exe	icacls.exe
PID 924 wrote to memory of 2328	924	0c2659ad4dc8826ddddf18c68f572613fd5b5541dec5822027d34a03c519625e.exe	takeown.exe
PID 924 wrote to memory of 2328	924	0c2659ad4dc8826ddddf18c68f572613fd5b5541dec5822027d34a03c519625e.exe	takeown.exe
PID 924 wrote to memory of 2328	924	0c2659ad4dc8826ddddf18c68f572613fd5b5541dec5822027d34a03c519625e.exe	takeown.exe
PID 924 wrote to memory of 1604	924	0c2659ad4dc8826ddddf18c68f572613fd5b5541dec5822027d34a03c519625e.exe	icacls.exe
PID 924 wrote to memory of 1604	924	0c2659ad4dc8826ddddf18c68f572613fd5b5541dec5822027d34a03c519625e.exe	icacls.exe
PID 924 wrote to memory of 1604	924	0c2659ad4dc8826ddddf18c68f572613fd5b5541dec5822027d34a03c519625e.exe	icacls.exe
PID 924 wrote to memory of 100	924	0c2659ad4dc8826ddddf18c68f572613fd5b5541dec5822027d34a03c519625e.exe	takeown.exe
PID 924 wrote to memory of 100	924	0c2659ad4dc8826ddddf18c68f572613fd5b5541dec5822027d34a03c519625e.exe	takeown.exe
PID 924 wrote to memory of 100	924	0c2659ad4dc8826ddddf18c68f572613fd5b5541dec5822027d34a03c519625e.exe	takeown.exe
PID 924 wrote to memory of 4948	924	0c2659ad4dc8826ddddf18c68f572613fd5b5541dec5822027d34a03c519625e.exe	icacls.exe
PID 924 wrote to memory of 4948	924	0c2659ad4dc8826ddddf18c68f572613fd5b5541dec5822027d34a03c519625e.exe	icacls.exe
PID 924 wrote to memory of 4948	924	0c2659ad4dc8826ddddf18c68f572613fd5b5541dec5822027d34a03c519625e.exe	icacls.exe
PID 924 wrote to memory of 2680	924	0c2659ad4dc8826ddddf18c68f572613fd5b5541dec5822027d34a03c519625e.exe	takeown.exe
PID 924 wrote to memory of 2680	924	0c2659ad4dc8826ddddf18c68f572613fd5b5541dec5822027d34a03c519625e.exe	takeown.exe
PID 924 wrote to memory of 2680	924	0c2659ad4dc8826ddddf18c68f572613fd5b5541dec5822027d34a03c519625e.exe	takeown.exe
PID 924 wrote to memory of 764	924	0c2659ad4dc8826ddddf18c68f572613fd5b5541dec5822027d34a03c519625e.exe	icacls.exe
PID 924 wrote to memory of 764	924	0c2659ad4dc8826ddddf18c68f572613fd5b5541dec5822027d34a03c519625e.exe	icacls.exe
PID 924 wrote to memory of 764	924	0c2659ad4dc8826ddddf18c68f572613fd5b5541dec5822027d34a03c519625e.exe	icacls.exe
PID 924 wrote to memory of 3760	924	0c2659ad4dc8826ddddf18c68f572613fd5b5541dec5822027d34a03c519625e.exe	takeown.exe
PID 924 wrote to memory of 3760	924	0c2659ad4dc8826ddddf18c68f572613fd5b5541dec5822027d34a03c519625e.exe	takeown.exe
PID 924 wrote to memory of 3760	924	0c2659ad4dc8826ddddf18c68f572613fd5b5541dec5822027d34a03c519625e.exe	takeown.exe
PID 924 wrote to memory of 4112	924	0c2659ad4dc8826ddddf18c68f572613fd5b5541dec5822027d34a03c519625e.exe	icacls.exe
PID 924 wrote to memory of 4112	924	0c2659ad4dc8826ddddf18c68f572613fd5b5541dec5822027d34a03c519625e.exe	icacls.exe
PID 924 wrote to memory of 4112	924	0c2659ad4dc8826ddddf18c68f572613fd5b5541dec5822027d34a03c519625e.exe	icacls.exe
PID 924 wrote to memory of 2072	924	0c2659ad4dc8826ddddf18c68f572613fd5b5541dec5822027d34a03c519625e.exe	takeown.exe
PID 924 wrote to memory of 2072	924	0c2659ad4dc8826ddddf18c68f572613fd5b5541dec5822027d34a03c519625e.exe	takeown.exe
PID 924 wrote to memory of 2072	924	0c2659ad4dc8826ddddf18c68f572613fd5b5541dec5822027d34a03c519625e.exe	takeown.exe
PID 924 wrote to memory of 1644	924	0c2659ad4dc8826ddddf18c68f572613fd5b5541dec5822027d34a03c519625e.exe	icacls.exe
PID 924 wrote to memory of 1644	924	0c2659ad4dc8826ddddf18c68f572613fd5b5541dec5822027d34a03c519625e.exe	icacls.exe
PID 924 wrote to memory of 1644	924	0c2659ad4dc8826ddddf18c68f572613fd5b5541dec5822027d34a03c519625e.exe	icacls.exe
PID 924 wrote to memory of 3596	924	0c2659ad4dc8826ddddf18c68f572613fd5b5541dec5822027d34a03c519625e.exe	takeown.exe
PID 924 wrote to memory of 3596	924	0c2659ad4dc8826ddddf18c68f572613fd5b5541dec5822027d34a03c519625e.exe	takeown.exe
PID 924 wrote to memory of 3596	924	0c2659ad4dc8826ddddf18c68f572613fd5b5541dec5822027d34a03c519625e.exe	takeown.exe
PID 924 wrote to memory of 2432	924	0c2659ad4dc8826ddddf18c68f572613fd5b5541dec5822027d34a03c519625e.exe	icacls.exe
PID 924 wrote to memory of 2432	924	0c2659ad4dc8826ddddf18c68f572613fd5b5541dec5822027d34a03c519625e.exe	icacls.exe
PID 924 wrote to memory of 2432	924	0c2659ad4dc8826ddddf18c68f572613fd5b5541dec5822027d34a03c519625e.exe	icacls.exe
PID 924 wrote to memory of 1336	924	0c2659ad4dc8826ddddf18c68f572613fd5b5541dec5822027d34a03c519625e.exe	takeown.exe
PID 924 wrote to memory of 1336	924	0c2659ad4dc8826ddddf18c68f572613fd5b5541dec5822027d34a03c519625e.exe	takeown.exe
PID 924 wrote to memory of 1336	924	0c2659ad4dc8826ddddf18c68f572613fd5b5541dec5822027d34a03c519625e.exe	takeown.exe
PID 924 wrote to memory of 1056	924	0c2659ad4dc8826ddddf18c68f572613fd5b5541dec5822027d34a03c519625e.exe	icacls.exe
PID 924 wrote to memory of 1056	924	0c2659ad4dc8826ddddf18c68f572613fd5b5541dec5822027d34a03c519625e.exe	icacls.exe
PID 924 wrote to memory of 1056	924	0c2659ad4dc8826ddddf18c68f572613fd5b5541dec5822027d34a03c519625e.exe	icacls.exe
PID 924 wrote to memory of 4736	924	0c2659ad4dc8826ddddf18c68f572613fd5b5541dec5822027d34a03c519625e.exe	takeown.exe
PID 924 wrote to memory of 4736	924	0c2659ad4dc8826ddddf18c68f572613fd5b5541dec5822027d34a03c519625e.exe	takeown.exe
PID 924 wrote to memory of 4736	924	0c2659ad4dc8826ddddf18c68f572613fd5b5541dec5822027d34a03c519625e.exe	takeown.exe
PID 924 wrote to memory of 4436	924	0c2659ad4dc8826ddddf18c68f572613fd5b5541dec5822027d34a03c519625e.exe	icacls.exe

C:\Users\Admin\AppData\Local\Temp\0c2659ad4dc8826ddddf18c68f572613fd5b5541dec5822027d34a03c519625e.exe
"C:\Users\Admin\AppData\Local\Temp\0c2659ad4dc8826ddddf18c68f572613fd5b5541dec5822027d34a03c519625e.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:924
- C:\Windows\SysWOW64\takeown.exe
  C:\Windows\system32\takeown.exe /f "C:\Windows\system32\btwp.exe"
  2⤵
  - Possible privilege escalation attempt
  - Modifies file permissions
  PID:1120
- C:\Windows\SysWOW64\icacls.exe
  C:\Windows\system32\icacls.exe "C:\Windows\system32\btwp.exe" /grant SYSTEM:F
  2⤵
  - Possible privilege escalation attempt
  - Modifies file permissions
  PID:456
- C:\Windows\SysWOW64\takeown.exe
  takeown.exe /f "C:\Windows\System32\cmd.exe"
  2⤵
  - Possible privilege escalation attempt
  - Modifies file permissions
  - Suspicious use of AdjustPrivilegeToken
  PID:4912
- C:\Windows\SysWOW64\icacls.exe
  icacls.exe "C:\Windows\System32\cmd.exe" /grant SYSTEM:F
  2⤵
  - Possible privilege escalation attempt
  - Modifies file permissions
  PID:1324
- C:\Windows\SysWOW64\takeown.exe
  takeown.exe /f "C:\Windows\System32\cmd.exe"
  2⤵
  - Possible privilege escalation attempt
  - Modifies file permissions
  - Suspicious use of AdjustPrivilegeToken
  PID:3852
- C:\Windows\SysWOW64\icacls.exe
  icacls.exe "C:\Windows\System32\cmd.exe" /grant SYSTEM:F
  2⤵
  - Possible privilege escalation attempt
  - Modifies file permissions
  PID:4324
- C:\Windows\SysWOW64\takeown.exe
  takeown.exe /f "C:\Windows\System32\ftp.exe"
  2⤵
  - Possible privilege escalation attempt
  - Modifies file permissions
  - Suspicious use of AdjustPrivilegeToken
  PID:2328
- C:\Windows\SysWOW64\icacls.exe
  icacls.exe "C:\Windows\System32\ftp.exe" /grant SYSTEM:F
  2⤵
  - Possible privilege escalation attempt
  - Modifies file permissions
  PID:1604
- C:\Windows\SysWOW64\takeown.exe
  takeown.exe /f "C:\Windows\System32\ftp.exe"
  2⤵
  - Possible privilege escalation attempt
  - Modifies file permissions
  - Suspicious use of AdjustPrivilegeToken
  PID:100
- C:\Windows\SysWOW64\icacls.exe
  icacls.exe "C:\Windows\System32\ftp.exe" /grant SYSTEM:F
  2⤵
  - Possible privilege escalation attempt
  - Modifies file permissions
  PID:4948
- C:\Windows\SysWOW64\takeown.exe
  takeown.exe /f "C:\Windows\System32\wscript.exe"
  2⤵
  - Possible privilege escalation attempt
  - Modifies file permissions
  - Suspicious use of AdjustPrivilegeToken
  PID:2680
- C:\Windows\SysWOW64\icacls.exe
  icacls.exe "C:\Windows\System32\wscript.exe" /grant SYSTEM:F
  2⤵
  - Possible privilege escalation attempt
  - Modifies file permissions
  PID:764
- C:\Windows\SysWOW64\takeown.exe
  takeown.exe /f "C:\Windows\System32\wscript.exe"
  2⤵
  - Possible privilege escalation attempt
  - Modifies file permissions
  - Suspicious use of AdjustPrivilegeToken
  PID:3760
- C:\Windows\SysWOW64\icacls.exe
  icacls.exe "C:\Windows\System32\wscript.exe" /grant SYSTEM:F
  2⤵
  - Possible privilege escalation attempt
  - Modifies file permissions
  PID:4112
- C:\Windows\SysWOW64\takeown.exe
  takeown.exe /f "C:\Windows\System32\cscript.exe"
  2⤵
  - Possible privilege escalation attempt
  - Modifies file permissions
  - Suspicious use of AdjustPrivilegeToken
  PID:2072
- C:\Windows\SysWOW64\icacls.exe
  icacls.exe "C:\Windows\System32\cscript.exe" /grant SYSTEM:F
  2⤵
  - Possible privilege escalation attempt
  - Modifies file permissions
  PID:1644
- C:\Windows\SysWOW64\takeown.exe
  takeown.exe /f "C:\Windows\System32\cscript.exe"
  2⤵
  - Possible privilege escalation attempt
  - Modifies file permissions
  - Suspicious use of AdjustPrivilegeToken
  PID:3596
- C:\Windows\SysWOW64\icacls.exe
  icacls.exe "C:\Windows\System32\cscript.exe" /grant SYSTEM:F
  2⤵
  - Possible privilege escalation attempt
  - Modifies file permissions
  PID:2432
- C:\Windows\SysWOW64\takeown.exe
  takeown.exe /f "C:\Windows\SysWOW64\cmd.exe"
  2⤵
  - Possible privilege escalation attempt
  - Modifies file permissions
  - Suspicious use of AdjustPrivilegeToken
  PID:1336
- C:\Windows\SysWOW64\icacls.exe
  icacls.exe "C:\Windows\SysWOW64\cmd.exe" /grant SYSTEM:F
  2⤵
  - Possible privilege escalation attempt
  - Modifies file permissions
  PID:1056
- C:\Windows\SysWOW64\takeown.exe
  takeown.exe /f "C:\Windows\SysWOW64\cmd.exe"
  2⤵
  - Possible privilege escalation attempt
  - Modifies file permissions
  - Suspicious use of AdjustPrivilegeToken
  PID:4736
- C:\Windows\SysWOW64\icacls.exe
  icacls.exe "C:\Windows\SysWOW64\cmd.exe" /grant SYSTEM:F
  2⤵
  - Possible privilege escalation attempt
  - Modifies file permissions
  PID:4436
- C:\Windows\SysWOW64\takeown.exe
  takeown.exe /f "C:\Windows\SysWOW64\ftp.exe"
  2⤵
  - Possible privilege escalation attempt
  - Modifies file permissions
  - Suspicious use of AdjustPrivilegeToken
  PID:1800
- C:\Windows\SysWOW64\icacls.exe
  icacls.exe "C:\Windows\SysWOW64\ftp.exe" /grant SYSTEM:F
  2⤵
  - Possible privilege escalation attempt
  - Modifies file permissions
  PID:1940
- C:\Windows\SysWOW64\takeown.exe
  takeown.exe /f "C:\Windows\SysWOW64\ftp.exe"
  2⤵
  - Possible privilege escalation attempt
  - Modifies file permissions
  - Suspicious use of AdjustPrivilegeToken
  PID:1960
- C:\Windows\SysWOW64\icacls.exe
  icacls.exe "C:\Windows\SysWOW64\ftp.exe" /grant SYSTEM:F
  2⤵
  - Possible privilege escalation attempt
  - Modifies file permissions
  PID:2264
- C:\Windows\SysWOW64\takeown.exe
  takeown.exe /f "C:\Windows\SysWOW64\wscript.exe"
  2⤵
  - Possible privilege escalation attempt
  - Modifies file permissions
  - Suspicious use of AdjustPrivilegeToken
  PID:2052
- C:\Windows\SysWOW64\icacls.exe
  icacls.exe "C:\Windows\SysWOW64\wscript.exe" /grant SYSTEM:F
  2⤵
  - Possible privilege escalation attempt
  - Modifies file permissions
  PID:4520
- C:\Windows\SysWOW64\takeown.exe
  takeown.exe /f "C:\Windows\SysWOW64\wscript.exe"
  2⤵
  - Possible privilege escalation attempt
  - Modifies file permissions
  - Suspicious use of AdjustPrivilegeToken
  PID:2684
- C:\Windows\SysWOW64\icacls.exe
  icacls.exe "C:\Windows\SysWOW64\wscript.exe" /grant SYSTEM:F
  2⤵
  - Possible privilege escalation attempt
  - Modifies file permissions
  PID:3208
- C:\Windows\SysWOW64\takeown.exe
  takeown.exe /f "C:\Windows\SysWOW64\cscript.exe"
  2⤵
  - Possible privilege escalation attempt
  - Modifies file permissions
  - Suspicious use of AdjustPrivilegeToken
  PID:4712
- C:\Windows\SysWOW64\icacls.exe
  icacls.exe "C:\Windows\SysWOW64\cscript.exe" /grant SYSTEM:F
  2⤵
  - Possible privilege escalation attempt
  - Modifies file permissions
  PID:3376
- C:\Windows\SysWOW64\takeown.exe
  takeown.exe /f "C:\Windows\SysWOW64\cscript.exe"
  2⤵
  - Possible privilege escalation attempt
  - Modifies file permissions
  - Suspicious use of AdjustPrivilegeToken
  PID:4696
- C:\Windows\SysWOW64\icacls.exe
  icacls.exe "C:\Windows\SysWOW64\cscript.exe" /grant SYSTEM:F
  2⤵
  - Possible privilege escalation attempt
  - Modifies file permissions
  PID:3932

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

File and Directory Permissions Modification

T1222

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\btwp.exe

Filesize
68KB

MD5
15b222e230f32f377982fdcffa0a6771

SHA1
89c3ddd16938a6f1aeb73f27a717d545c9de98cc

SHA256
0c2659ad4dc8826ddddf18c68f572613fd5b5541dec5822027d34a03c519625e

SHA512
3b0b3e86e6fa1072e3d3411f0d6c34f728176959abfd2f728eff41b35ed27a95145fd803da845dd38d7c543f54abc2efa03a53f1e5cb300489545bec061e7510

Download Submit
memory/100-143-0x0000000000000000-mapping.dmp

Download
memory/456-136-0x0000000000000000-mapping.dmp

Download
memory/764-146-0x0000000000000000-mapping.dmp

Download
memory/1056-154-0x0000000000000000-mapping.dmp

Download
memory/1120-134-0x0000000000000000-mapping.dmp

Download
memory/1324-138-0x0000000000000000-mapping.dmp

Download
memory/1336-153-0x0000000000000000-mapping.dmp

Download
memory/1604-142-0x0000000000000000-mapping.dmp

Download
memory/1644-150-0x0000000000000000-mapping.dmp

Download
memory/1800-157-0x0000000000000000-mapping.dmp

Download
memory/1940-158-0x0000000000000000-mapping.dmp

Download
memory/1960-159-0x0000000000000000-mapping.dmp

Download
memory/2052-161-0x0000000000000000-mapping.dmp

Download
memory/2072-149-0x0000000000000000-mapping.dmp

Download
memory/2264-160-0x0000000000000000-mapping.dmp

Download
memory/2328-141-0x0000000000000000-mapping.dmp

Download
memory/2432-152-0x0000000000000000-mapping.dmp

Download
memory/2680-145-0x0000000000000000-mapping.dmp

Download
memory/2684-163-0x0000000000000000-mapping.dmp

Download
memory/3208-164-0x0000000000000000-mapping.dmp

Download
memory/3376-166-0x0000000000000000-mapping.dmp

Download
memory/3596-151-0x0000000000000000-mapping.dmp

Download
memory/3760-147-0x0000000000000000-mapping.dmp

Download
memory/3852-139-0x0000000000000000-mapping.dmp

Download
memory/3932-168-0x0000000000000000-mapping.dmp

Download
memory/4112-148-0x0000000000000000-mapping.dmp

Download
memory/4324-140-0x0000000000000000-mapping.dmp

Download
memory/4436-156-0x0000000000000000-mapping.dmp

Download
memory/4520-162-0x0000000000000000-mapping.dmp

Download
memory/4696-167-0x0000000000000000-mapping.dmp

Download
memory/4712-165-0x0000000000000000-mapping.dmp

Download
memory/4736-155-0x0000000000000000-mapping.dmp

Download
memory/4912-137-0x0000000000000000-mapping.dmp

Download
memory/4948-144-0x0000000000000000-mapping.dmp

Download