985f5eafb6a8a188adb1f5969f410aafbc1853a16ee5e182bc14fbebe18025aa

Analysis

max time kernel
99s
max time network
115s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
07-11-2022 11:34

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

985f5eafb6a8a188adb1f5969f410aafbc1853a16ee5e182bc14fbebe18025aa.exe
Size

68KB
MD5

072fe3db05d9d49802ecdd5e1233fe86
SHA1

696c07ad40f8a5cee2a5de15393689b489be6ae8
SHA256

985f5eafb6a8a188adb1f5969f410aafbc1853a16ee5e182bc14fbebe18025aa
SHA512

a0ce0013c13cfdebf0cda24297291656c71fe933c8f50b7d07ace13883bba84906be2a6097011518dfb97bb6e9b55eff02eecaab4c29b01dfc3ccf2d14cf8e5c
SSDEEP

1536:CU1/lCNT4B7U44KtNQ+FY6eABkA4X0g4RLSl:CMlVBU6tNQwh14H9l

Score

8^/10

discovery exploit

Malware Config

Signatures

Possible privilege escalation attempt 34 IoCs

exploit

Processes:

icacls.exetakeown.exeicacls.exetakeown.exeicacls.exeicacls.exetakeown.exetakeown.exetakeown.exeicacls.exeicacls.exeicacls.exetakeown.exeicacls.exetakeown.exetakeown.exeicacls.exeicacls.exetakeown.exeicacls.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exeicacls.exeicacls.exeicacls.exetakeown.exetakeown.exeicacls.exeicacls.exeicacls.exe

pid	process
4056	icacls.exe
4636	takeown.exe
1648	icacls.exe
3676	takeown.exe
3584	icacls.exe
4536	icacls.exe
2312	takeown.exe
3840	takeown.exe
3620	takeown.exe
316	icacls.exe
1244	icacls.exe
2464	icacls.exe
4084	takeown.exe
4332	icacls.exe
3540	takeown.exe
3064	takeown.exe
4992	icacls.exe
3432	icacls.exe
5044	takeown.exe
3112	icacls.exe
1988	takeown.exe
4896	takeown.exe
3100	takeown.exe
524	takeown.exe
3400	takeown.exe
4644	takeown.exe
2696	icacls.exe
2280	icacls.exe
3172	icacls.exe
1924	takeown.exe
3920	takeown.exe
1292	icacls.exe
3168	icacls.exe
1772	icacls.exe

Modifies file permissions 1 TTPs 34 IoCs

discovery

File and Directory Permissions Modification

T1222

Processes:

icacls.exeicacls.exeicacls.exetakeown.exeicacls.exetakeown.exeicacls.exetakeown.exeicacls.exetakeown.exetakeown.exetakeown.exeicacls.exeicacls.exeicacls.exetakeown.exetakeown.exetakeown.exeicacls.exeicacls.exeicacls.exetakeown.exeicacls.exetakeown.exeicacls.exetakeown.exetakeown.exeicacls.exetakeown.exeicacls.exetakeown.exetakeown.exetakeown.exeicacls.exe

pid	process
3168	icacls.exe
1772	icacls.exe
2280	icacls.exe
3840	takeown.exe
4332	icacls.exe
4896	takeown.exe
3112	icacls.exe
3064	takeown.exe
316	icacls.exe
1924	takeown.exe
3920	takeown.exe
3400	takeown.exe
3432	icacls.exe
1244	icacls.exe
4992	icacls.exe
2312	takeown.exe
4636	takeown.exe
3676	takeown.exe
3584	icacls.exe
2696	icacls.exe
1648	icacls.exe
524	takeown.exe
2464	icacls.exe
3620	takeown.exe
1292	icacls.exe
5044	takeown.exe
3540	takeown.exe
4056	icacls.exe
3100	takeown.exe
4536	icacls.exe
4644	takeown.exe
1988	takeown.exe
4084	takeown.exe
3172	icacls.exe

Drops file in System32 directory 6 IoCs

Processes:

985f5eafb6a8a188adb1f5969f410aafbc1853a16ee5e182bc14fbebe18025aa.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\zdmyh.exe	985f5eafb6a8a188adb1f5969f410aafbc1853a16ee5e182bc14fbebe18025aa.exe
File opened for modification	C:\Windows\SysWOW64\cmd.exe	985f5eafb6a8a188adb1f5969f410aafbc1853a16ee5e182bc14fbebe18025aa.exe
File opened for modification	C:\Windows\SysWOW64\ftp.exe	985f5eafb6a8a188adb1f5969f410aafbc1853a16ee5e182bc14fbebe18025aa.exe
File opened for modification	C:\Windows\SysWOW64\wscript.exe	985f5eafb6a8a188adb1f5969f410aafbc1853a16ee5e182bc14fbebe18025aa.exe
File opened for modification	C:\Windows\SysWOW64\cscript.exe	985f5eafb6a8a188adb1f5969f410aafbc1853a16ee5e182bc14fbebe18025aa.exe
File created	C:\Windows\SysWOW64\zdmyh.exe	985f5eafb6a8a188adb1f5969f410aafbc1853a16ee5e182bc14fbebe18025aa.exe

Suspicious use of AdjustPrivilegeToken 16 IoCs

Processes:

takeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exe

description	pid	process
Token: SeTakeOwnershipPrivilege	524	takeown.exe
Token: SeTakeOwnershipPrivilege	1924	takeown.exe
Token: SeTakeOwnershipPrivilege	3920	takeown.exe
Token: SeTakeOwnershipPrivilege	3400	takeown.exe
Token: SeTakeOwnershipPrivilege	4644	takeown.exe
Token: SeTakeOwnershipPrivilege	2312	takeown.exe
Token: SeTakeOwnershipPrivilege	1988	takeown.exe
Token: SeTakeOwnershipPrivilege	4084	takeown.exe
Token: SeTakeOwnershipPrivilege	5044	takeown.exe
Token: SeTakeOwnershipPrivilege	3840	takeown.exe
Token: SeTakeOwnershipPrivilege	4636	takeown.exe
Token: SeTakeOwnershipPrivilege	4896	takeown.exe
Token: SeTakeOwnershipPrivilege	3540	takeown.exe
Token: SeTakeOwnershipPrivilege	3064	takeown.exe
Token: SeTakeOwnershipPrivilege	3676	takeown.exe
Token: SeTakeOwnershipPrivilege	3620	takeown.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

985f5eafb6a8a188adb1f5969f410aafbc1853a16ee5e182bc14fbebe18025aa.exe

pid process

1200 985f5eafb6a8a188adb1f5969f410aafbc1853a16ee5e182bc14fbebe18025aa.exe

pid	process
1200	985f5eafb6a8a188adb1f5969f410aafbc1853a16ee5e182bc14fbebe18025aa.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

985f5eafb6a8a188adb1f5969f410aafbc1853a16ee5e182bc14fbebe18025aa.exe

description	pid	process	target process
PID 1200 wrote to memory of 3100	1200	985f5eafb6a8a188adb1f5969f410aafbc1853a16ee5e182bc14fbebe18025aa.exe	takeown.exe
PID 1200 wrote to memory of 3100	1200	985f5eafb6a8a188adb1f5969f410aafbc1853a16ee5e182bc14fbebe18025aa.exe	takeown.exe
PID 1200 wrote to memory of 3100	1200	985f5eafb6a8a188adb1f5969f410aafbc1853a16ee5e182bc14fbebe18025aa.exe	takeown.exe
PID 1200 wrote to memory of 4992	1200	985f5eafb6a8a188adb1f5969f410aafbc1853a16ee5e182bc14fbebe18025aa.exe	icacls.exe
PID 1200 wrote to memory of 4992	1200	985f5eafb6a8a188adb1f5969f410aafbc1853a16ee5e182bc14fbebe18025aa.exe	icacls.exe
PID 1200 wrote to memory of 4992	1200	985f5eafb6a8a188adb1f5969f410aafbc1853a16ee5e182bc14fbebe18025aa.exe	icacls.exe
PID 1200 wrote to memory of 524	1200	985f5eafb6a8a188adb1f5969f410aafbc1853a16ee5e182bc14fbebe18025aa.exe	takeown.exe
PID 1200 wrote to memory of 524	1200	985f5eafb6a8a188adb1f5969f410aafbc1853a16ee5e182bc14fbebe18025aa.exe	takeown.exe
PID 1200 wrote to memory of 524	1200	985f5eafb6a8a188adb1f5969f410aafbc1853a16ee5e182bc14fbebe18025aa.exe	takeown.exe
PID 1200 wrote to memory of 3584	1200	985f5eafb6a8a188adb1f5969f410aafbc1853a16ee5e182bc14fbebe18025aa.exe	icacls.exe
PID 1200 wrote to memory of 3584	1200	985f5eafb6a8a188adb1f5969f410aafbc1853a16ee5e182bc14fbebe18025aa.exe	icacls.exe
PID 1200 wrote to memory of 3584	1200	985f5eafb6a8a188adb1f5969f410aafbc1853a16ee5e182bc14fbebe18025aa.exe	icacls.exe
PID 1200 wrote to memory of 1924	1200	985f5eafb6a8a188adb1f5969f410aafbc1853a16ee5e182bc14fbebe18025aa.exe	takeown.exe
PID 1200 wrote to memory of 1924	1200	985f5eafb6a8a188adb1f5969f410aafbc1853a16ee5e182bc14fbebe18025aa.exe	takeown.exe
PID 1200 wrote to memory of 1924	1200	985f5eafb6a8a188adb1f5969f410aafbc1853a16ee5e182bc14fbebe18025aa.exe	takeown.exe
PID 1200 wrote to memory of 4536	1200	985f5eafb6a8a188adb1f5969f410aafbc1853a16ee5e182bc14fbebe18025aa.exe	icacls.exe
PID 1200 wrote to memory of 4536	1200	985f5eafb6a8a188adb1f5969f410aafbc1853a16ee5e182bc14fbebe18025aa.exe	icacls.exe
PID 1200 wrote to memory of 4536	1200	985f5eafb6a8a188adb1f5969f410aafbc1853a16ee5e182bc14fbebe18025aa.exe	icacls.exe
PID 1200 wrote to memory of 3920	1200	985f5eafb6a8a188adb1f5969f410aafbc1853a16ee5e182bc14fbebe18025aa.exe	takeown.exe
PID 1200 wrote to memory of 3920	1200	985f5eafb6a8a188adb1f5969f410aafbc1853a16ee5e182bc14fbebe18025aa.exe	takeown.exe
PID 1200 wrote to memory of 3920	1200	985f5eafb6a8a188adb1f5969f410aafbc1853a16ee5e182bc14fbebe18025aa.exe	takeown.exe
PID 1200 wrote to memory of 1292	1200	985f5eafb6a8a188adb1f5969f410aafbc1853a16ee5e182bc14fbebe18025aa.exe	icacls.exe
PID 1200 wrote to memory of 1292	1200	985f5eafb6a8a188adb1f5969f410aafbc1853a16ee5e182bc14fbebe18025aa.exe	icacls.exe
PID 1200 wrote to memory of 1292	1200	985f5eafb6a8a188adb1f5969f410aafbc1853a16ee5e182bc14fbebe18025aa.exe	icacls.exe
PID 1200 wrote to memory of 3400	1200	985f5eafb6a8a188adb1f5969f410aafbc1853a16ee5e182bc14fbebe18025aa.exe	takeown.exe
PID 1200 wrote to memory of 3400	1200	985f5eafb6a8a188adb1f5969f410aafbc1853a16ee5e182bc14fbebe18025aa.exe	takeown.exe
PID 1200 wrote to memory of 3400	1200	985f5eafb6a8a188adb1f5969f410aafbc1853a16ee5e182bc14fbebe18025aa.exe	takeown.exe
PID 1200 wrote to memory of 3168	1200	985f5eafb6a8a188adb1f5969f410aafbc1853a16ee5e182bc14fbebe18025aa.exe	icacls.exe
PID 1200 wrote to memory of 3168	1200	985f5eafb6a8a188adb1f5969f410aafbc1853a16ee5e182bc14fbebe18025aa.exe	icacls.exe
PID 1200 wrote to memory of 3168	1200	985f5eafb6a8a188adb1f5969f410aafbc1853a16ee5e182bc14fbebe18025aa.exe	icacls.exe
PID 1200 wrote to memory of 4644	1200	985f5eafb6a8a188adb1f5969f410aafbc1853a16ee5e182bc14fbebe18025aa.exe	takeown.exe
PID 1200 wrote to memory of 4644	1200	985f5eafb6a8a188adb1f5969f410aafbc1853a16ee5e182bc14fbebe18025aa.exe	takeown.exe
PID 1200 wrote to memory of 4644	1200	985f5eafb6a8a188adb1f5969f410aafbc1853a16ee5e182bc14fbebe18025aa.exe	takeown.exe
PID 1200 wrote to memory of 1772	1200	985f5eafb6a8a188adb1f5969f410aafbc1853a16ee5e182bc14fbebe18025aa.exe	icacls.exe
PID 1200 wrote to memory of 1772	1200	985f5eafb6a8a188adb1f5969f410aafbc1853a16ee5e182bc14fbebe18025aa.exe	icacls.exe
PID 1200 wrote to memory of 1772	1200	985f5eafb6a8a188adb1f5969f410aafbc1853a16ee5e182bc14fbebe18025aa.exe	icacls.exe
PID 1200 wrote to memory of 2312	1200	985f5eafb6a8a188adb1f5969f410aafbc1853a16ee5e182bc14fbebe18025aa.exe	takeown.exe
PID 1200 wrote to memory of 2312	1200	985f5eafb6a8a188adb1f5969f410aafbc1853a16ee5e182bc14fbebe18025aa.exe	takeown.exe
PID 1200 wrote to memory of 2312	1200	985f5eafb6a8a188adb1f5969f410aafbc1853a16ee5e182bc14fbebe18025aa.exe	takeown.exe
PID 1200 wrote to memory of 3432	1200	985f5eafb6a8a188adb1f5969f410aafbc1853a16ee5e182bc14fbebe18025aa.exe	icacls.exe
PID 1200 wrote to memory of 3432	1200	985f5eafb6a8a188adb1f5969f410aafbc1853a16ee5e182bc14fbebe18025aa.exe	icacls.exe
PID 1200 wrote to memory of 3432	1200	985f5eafb6a8a188adb1f5969f410aafbc1853a16ee5e182bc14fbebe18025aa.exe	icacls.exe
PID 1200 wrote to memory of 1988	1200	985f5eafb6a8a188adb1f5969f410aafbc1853a16ee5e182bc14fbebe18025aa.exe	takeown.exe
PID 1200 wrote to memory of 1988	1200	985f5eafb6a8a188adb1f5969f410aafbc1853a16ee5e182bc14fbebe18025aa.exe	takeown.exe
PID 1200 wrote to memory of 1988	1200	985f5eafb6a8a188adb1f5969f410aafbc1853a16ee5e182bc14fbebe18025aa.exe	takeown.exe
PID 1200 wrote to memory of 2696	1200	985f5eafb6a8a188adb1f5969f410aafbc1853a16ee5e182bc14fbebe18025aa.exe	icacls.exe
PID 1200 wrote to memory of 2696	1200	985f5eafb6a8a188adb1f5969f410aafbc1853a16ee5e182bc14fbebe18025aa.exe	icacls.exe
PID 1200 wrote to memory of 2696	1200	985f5eafb6a8a188adb1f5969f410aafbc1853a16ee5e182bc14fbebe18025aa.exe	icacls.exe
PID 1200 wrote to memory of 4084	1200	985f5eafb6a8a188adb1f5969f410aafbc1853a16ee5e182bc14fbebe18025aa.exe	takeown.exe
PID 1200 wrote to memory of 4084	1200	985f5eafb6a8a188adb1f5969f410aafbc1853a16ee5e182bc14fbebe18025aa.exe	takeown.exe
PID 1200 wrote to memory of 4084	1200	985f5eafb6a8a188adb1f5969f410aafbc1853a16ee5e182bc14fbebe18025aa.exe	takeown.exe
PID 1200 wrote to memory of 2280	1200	985f5eafb6a8a188adb1f5969f410aafbc1853a16ee5e182bc14fbebe18025aa.exe	icacls.exe
PID 1200 wrote to memory of 2280	1200	985f5eafb6a8a188adb1f5969f410aafbc1853a16ee5e182bc14fbebe18025aa.exe	icacls.exe
PID 1200 wrote to memory of 2280	1200	985f5eafb6a8a188adb1f5969f410aafbc1853a16ee5e182bc14fbebe18025aa.exe	icacls.exe
PID 1200 wrote to memory of 5044	1200	985f5eafb6a8a188adb1f5969f410aafbc1853a16ee5e182bc14fbebe18025aa.exe	takeown.exe
PID 1200 wrote to memory of 5044	1200	985f5eafb6a8a188adb1f5969f410aafbc1853a16ee5e182bc14fbebe18025aa.exe	takeown.exe
PID 1200 wrote to memory of 5044	1200	985f5eafb6a8a188adb1f5969f410aafbc1853a16ee5e182bc14fbebe18025aa.exe	takeown.exe
PID 1200 wrote to memory of 1244	1200	985f5eafb6a8a188adb1f5969f410aafbc1853a16ee5e182bc14fbebe18025aa.exe	icacls.exe
PID 1200 wrote to memory of 1244	1200	985f5eafb6a8a188adb1f5969f410aafbc1853a16ee5e182bc14fbebe18025aa.exe	icacls.exe
PID 1200 wrote to memory of 1244	1200	985f5eafb6a8a188adb1f5969f410aafbc1853a16ee5e182bc14fbebe18025aa.exe	icacls.exe
PID 1200 wrote to memory of 3840	1200	985f5eafb6a8a188adb1f5969f410aafbc1853a16ee5e182bc14fbebe18025aa.exe	takeown.exe
PID 1200 wrote to memory of 3840	1200	985f5eafb6a8a188adb1f5969f410aafbc1853a16ee5e182bc14fbebe18025aa.exe	takeown.exe
PID 1200 wrote to memory of 3840	1200	985f5eafb6a8a188adb1f5969f410aafbc1853a16ee5e182bc14fbebe18025aa.exe	takeown.exe
PID 1200 wrote to memory of 4056	1200	985f5eafb6a8a188adb1f5969f410aafbc1853a16ee5e182bc14fbebe18025aa.exe	icacls.exe

C:\Users\Admin\AppData\Local\Temp\985f5eafb6a8a188adb1f5969f410aafbc1853a16ee5e182bc14fbebe18025aa.exe
"C:\Users\Admin\AppData\Local\Temp\985f5eafb6a8a188adb1f5969f410aafbc1853a16ee5e182bc14fbebe18025aa.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1200
- C:\Windows\SysWOW64\takeown.exe
  C:\Windows\system32\takeown.exe /f "C:\Windows\system32\zdmyh.exe"
  2⤵
  - Possible privilege escalation attempt
  - Modifies file permissions
  PID:3100
- C:\Windows\SysWOW64\icacls.exe
  C:\Windows\system32\icacls.exe "C:\Windows\system32\zdmyh.exe" /grant SYSTEM:F
  2⤵
  - Possible privilege escalation attempt
  - Modifies file permissions
  PID:4992
- C:\Windows\SysWOW64\takeown.exe
  takeown.exe /f "C:\Windows\System32\cmd.exe"
  2⤵
  - Possible privilege escalation attempt
  - Modifies file permissions
  - Suspicious use of AdjustPrivilegeToken
  PID:524
- C:\Windows\SysWOW64\icacls.exe
  icacls.exe "C:\Windows\System32\cmd.exe" /grant SYSTEM:F
  2⤵
  - Possible privilege escalation attempt
  - Modifies file permissions
  PID:3584
- C:\Windows\SysWOW64\takeown.exe
  takeown.exe /f "C:\Windows\System32\cmd.exe"
  2⤵
  - Possible privilege escalation attempt
  - Modifies file permissions
  - Suspicious use of AdjustPrivilegeToken
  PID:1924
- C:\Windows\SysWOW64\icacls.exe
  icacls.exe "C:\Windows\System32\cmd.exe" /grant SYSTEM:F
  2⤵
  - Possible privilege escalation attempt
  - Modifies file permissions
  PID:4536
- C:\Windows\SysWOW64\takeown.exe
  takeown.exe /f "C:\Windows\System32\ftp.exe"
  2⤵
  - Possible privilege escalation attempt
  - Modifies file permissions
  - Suspicious use of AdjustPrivilegeToken
  PID:3920
- C:\Windows\SysWOW64\icacls.exe
  icacls.exe "C:\Windows\System32\ftp.exe" /grant SYSTEM:F
  2⤵
  - Possible privilege escalation attempt
  - Modifies file permissions
  PID:1292
- C:\Windows\SysWOW64\takeown.exe
  takeown.exe /f "C:\Windows\System32\ftp.exe"
  2⤵
  - Possible privilege escalation attempt
  - Modifies file permissions
  - Suspicious use of AdjustPrivilegeToken
  PID:3400
- C:\Windows\SysWOW64\icacls.exe
  icacls.exe "C:\Windows\System32\ftp.exe" /grant SYSTEM:F
  2⤵
  - Possible privilege escalation attempt
  - Modifies file permissions
  PID:3168
- C:\Windows\SysWOW64\takeown.exe
  takeown.exe /f "C:\Windows\System32\wscript.exe"
  2⤵
  - Possible privilege escalation attempt
  - Modifies file permissions
  - Suspicious use of AdjustPrivilegeToken
  PID:4644
- C:\Windows\SysWOW64\icacls.exe
  icacls.exe "C:\Windows\System32\wscript.exe" /grant SYSTEM:F
  2⤵
  - Possible privilege escalation attempt
  - Modifies file permissions
  PID:1772
- C:\Windows\SysWOW64\takeown.exe
  takeown.exe /f "C:\Windows\System32\wscript.exe"
  2⤵
  - Possible privilege escalation attempt
  - Modifies file permissions
  - Suspicious use of AdjustPrivilegeToken
  PID:2312
- C:\Windows\SysWOW64\icacls.exe
  icacls.exe "C:\Windows\System32\wscript.exe" /grant SYSTEM:F
  2⤵
  - Possible privilege escalation attempt
  - Modifies file permissions
  PID:3432
- C:\Windows\SysWOW64\takeown.exe
  takeown.exe /f "C:\Windows\System32\cscript.exe"
  2⤵
  - Possible privilege escalation attempt
  - Modifies file permissions
  - Suspicious use of AdjustPrivilegeToken
  PID:1988
- C:\Windows\SysWOW64\icacls.exe
  icacls.exe "C:\Windows\System32\cscript.exe" /grant SYSTEM:F
  2⤵
  - Possible privilege escalation attempt
  - Modifies file permissions
  PID:2696
- C:\Windows\SysWOW64\takeown.exe
  takeown.exe /f "C:\Windows\System32\cscript.exe"
  2⤵
  - Possible privilege escalation attempt
  - Modifies file permissions
  - Suspicious use of AdjustPrivilegeToken
  PID:4084
- C:\Windows\SysWOW64\icacls.exe
  icacls.exe "C:\Windows\System32\cscript.exe" /grant SYSTEM:F
  2⤵
  - Possible privilege escalation attempt
  - Modifies file permissions
  PID:2280
- C:\Windows\SysWOW64\takeown.exe
  takeown.exe /f "C:\Windows\SysWOW64\cmd.exe"
  2⤵
  - Possible privilege escalation attempt
  - Modifies file permissions
  - Suspicious use of AdjustPrivilegeToken
  PID:5044
- C:\Windows\SysWOW64\icacls.exe
  icacls.exe "C:\Windows\SysWOW64\cmd.exe" /grant SYSTEM:F
  2⤵
  - Possible privilege escalation attempt
  - Modifies file permissions
  PID:1244
- C:\Windows\SysWOW64\takeown.exe
  takeown.exe /f "C:\Windows\SysWOW64\cmd.exe"
  2⤵
  - Possible privilege escalation attempt
  - Modifies file permissions
  - Suspicious use of AdjustPrivilegeToken
  PID:3840
- C:\Windows\SysWOW64\icacls.exe
  icacls.exe "C:\Windows\SysWOW64\cmd.exe" /grant SYSTEM:F
  2⤵
  - Possible privilege escalation attempt
  - Modifies file permissions
  PID:4056
- C:\Windows\SysWOW64\takeown.exe
  takeown.exe /f "C:\Windows\SysWOW64\ftp.exe"
  2⤵
  - Possible privilege escalation attempt
  - Modifies file permissions
  - Suspicious use of AdjustPrivilegeToken
  PID:4636
- C:\Windows\SysWOW64\icacls.exe
  icacls.exe "C:\Windows\SysWOW64\ftp.exe" /grant SYSTEM:F
  2⤵
  - Possible privilege escalation attempt
  - Modifies file permissions
  PID:4332
- C:\Windows\SysWOW64\takeown.exe
  takeown.exe /f "C:\Windows\SysWOW64\ftp.exe"
  2⤵
  - Possible privilege escalation attempt
  - Modifies file permissions
  - Suspicious use of AdjustPrivilegeToken
  PID:4896
- C:\Windows\SysWOW64\icacls.exe
  icacls.exe "C:\Windows\SysWOW64\ftp.exe" /grant SYSTEM:F
  2⤵
  - Possible privilege escalation attempt
  - Modifies file permissions
  PID:1648
- C:\Windows\SysWOW64\takeown.exe
  takeown.exe /f "C:\Windows\SysWOW64\wscript.exe"
  2⤵
  - Possible privilege escalation attempt
  - Modifies file permissions
  - Suspicious use of AdjustPrivilegeToken
  PID:3540
- C:\Windows\SysWOW64\icacls.exe
  icacls.exe "C:\Windows\SysWOW64\wscript.exe" /grant SYSTEM:F
  2⤵
  - Possible privilege escalation attempt
  - Modifies file permissions
  PID:3112
- C:\Windows\SysWOW64\takeown.exe
  takeown.exe /f "C:\Windows\SysWOW64\wscript.exe"
  2⤵
  - Possible privilege escalation attempt
  - Modifies file permissions
  - Suspicious use of AdjustPrivilegeToken
  PID:3064
- C:\Windows\SysWOW64\icacls.exe
  icacls.exe "C:\Windows\SysWOW64\wscript.exe" /grant SYSTEM:F
  2⤵
  - Possible privilege escalation attempt
  - Modifies file permissions
  PID:2464
- C:\Windows\SysWOW64\takeown.exe
  takeown.exe /f "C:\Windows\SysWOW64\cscript.exe"
  2⤵
  - Possible privilege escalation attempt
  - Modifies file permissions
  - Suspicious use of AdjustPrivilegeToken
  PID:3676
- C:\Windows\SysWOW64\icacls.exe
  icacls.exe "C:\Windows\SysWOW64\cscript.exe" /grant SYSTEM:F
  2⤵
  - Possible privilege escalation attempt
  - Modifies file permissions
  PID:3172
- C:\Windows\SysWOW64\takeown.exe
  takeown.exe /f "C:\Windows\SysWOW64\cscript.exe"
  2⤵
  - Possible privilege escalation attempt
  - Modifies file permissions
  - Suspicious use of AdjustPrivilegeToken
  PID:3620
- C:\Windows\SysWOW64\icacls.exe
  icacls.exe "C:\Windows\SysWOW64\cscript.exe" /grant SYSTEM:F
  2⤵
  - Possible privilege escalation attempt
  - Modifies file permissions
  PID:316

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

File and Directory Permissions Modification

T1222

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\zdmyh.exe

Filesize
68KB

MD5
072fe3db05d9d49802ecdd5e1233fe86

SHA1
696c07ad40f8a5cee2a5de15393689b489be6ae8

SHA256
985f5eafb6a8a188adb1f5969f410aafbc1853a16ee5e182bc14fbebe18025aa

SHA512
a0ce0013c13cfdebf0cda24297291656c71fe933c8f50b7d07ace13883bba84906be2a6097011518dfb97bb6e9b55eff02eecaab4c29b01dfc3ccf2d14cf8e5c

Download Submit
memory/316-168-0x0000000000000000-mapping.dmp

Download
memory/524-137-0x0000000000000000-mapping.dmp

Download
memory/1244-154-0x0000000000000000-mapping.dmp

Download
memory/1292-142-0x0000000000000000-mapping.dmp

Download
memory/1648-160-0x0000000000000000-mapping.dmp

Download
memory/1772-146-0x0000000000000000-mapping.dmp

Download
memory/1924-139-0x0000000000000000-mapping.dmp

Download
memory/1988-149-0x0000000000000000-mapping.dmp

Download
memory/2280-152-0x0000000000000000-mapping.dmp

Download
memory/2312-147-0x0000000000000000-mapping.dmp

Download
memory/2464-164-0x0000000000000000-mapping.dmp

Download
memory/2696-150-0x0000000000000000-mapping.dmp

Download
memory/3064-163-0x0000000000000000-mapping.dmp

Download
memory/3100-134-0x0000000000000000-mapping.dmp

Download
memory/3112-162-0x0000000000000000-mapping.dmp

Download
memory/3168-144-0x0000000000000000-mapping.dmp

Download
memory/3172-166-0x0000000000000000-mapping.dmp

Download
memory/3400-143-0x0000000000000000-mapping.dmp

Download
memory/3432-148-0x0000000000000000-mapping.dmp

Download
memory/3540-161-0x0000000000000000-mapping.dmp

Download
memory/3584-138-0x0000000000000000-mapping.dmp

Download
memory/3620-167-0x0000000000000000-mapping.dmp

Download
memory/3676-165-0x0000000000000000-mapping.dmp

Download
memory/3840-155-0x0000000000000000-mapping.dmp

Download
memory/3920-141-0x0000000000000000-mapping.dmp

Download
memory/4056-156-0x0000000000000000-mapping.dmp

Download
memory/4084-151-0x0000000000000000-mapping.dmp

Download
memory/4332-158-0x0000000000000000-mapping.dmp

Download
memory/4536-140-0x0000000000000000-mapping.dmp

Download
memory/4636-157-0x0000000000000000-mapping.dmp

Download
memory/4644-145-0x0000000000000000-mapping.dmp

Download
memory/4896-159-0x0000000000000000-mapping.dmp

Download
memory/4992-136-0x0000000000000000-mapping.dmp

Download
memory/5044-153-0x0000000000000000-mapping.dmp

Download