68a1e51af03c1bf76aa2d388249819f3b5c519dcc6c9eefeaec85af16d15cfbf

Analysis

max time kernel
144s
max time network
157s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
07-11-2022 12:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

68a1e51af03c1bf76aa2d388249819f3b5c519dcc6c9eefeaec85af16d15cfbf.exe
Size

68KB
MD5

0c5b142e4185e130b90411ec1392b0a1
SHA1

11880fc4b89758d1a98e74945ae3db3fbd71a01d
SHA256

68a1e51af03c1bf76aa2d388249819f3b5c519dcc6c9eefeaec85af16d15cfbf
SHA512

4a7dc982fb28f8cf404f31243a8d6c99da5273a51583ca67506dd845ee086efc0b2d6008c3825d5110def099ece35e1c0479f343171fa1d5cbf9e40ccf5c2ae9
SSDEEP

768:4DJXk7lSA2SoPfT3Dw8qLsytLA575ztRIvzeSJQJIWtEZVn1mZbvH1ogHlhcWSQI:4CgOs0cbCe3RS18lhco/Q

Score

8^/10

discovery exploit

Malware Config

Signatures

Possible privilege escalation attempt 34 IoCs

exploit

Processes:

icacls.exetakeown.exetakeown.exeicacls.exetakeown.exeicacls.exeicacls.exetakeown.exeicacls.exeicacls.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exeicacls.exetakeown.exeicacls.exeicacls.exeicacls.exeicacls.exetakeown.exeicacls.exeicacls.exetakeown.exeicacls.exeicacls.exetakeown.exeicacls.exetakeown.exetakeown.exeicacls.exetakeown.exetakeown.exe

pid	process
3936	icacls.exe
3572	takeown.exe
1552	takeown.exe
2464	icacls.exe
2224	takeown.exe
360	icacls.exe
4328	icacls.exe
448	takeown.exe
3948	icacls.exe
4256	icacls.exe
32	takeown.exe
4752	takeown.exe
4076	takeown.exe
2392	takeown.exe
4856	takeown.exe
3880	icacls.exe
5052	takeown.exe
896	icacls.exe
368	icacls.exe
4112	icacls.exe
5012	icacls.exe
4556	takeown.exe
4140	icacls.exe
1352	icacls.exe
4612	takeown.exe
884	icacls.exe
2784	icacls.exe
5076	takeown.exe
4404	icacls.exe
3260	takeown.exe
4444	takeown.exe
552	icacls.exe
3472	takeown.exe
2684	takeown.exe

Modifies file permissions 1 TTPs 34 IoCs

discovery

File and Directory Permissions Modification

T1222

Processes:

icacls.exeicacls.exeicacls.exetakeown.exeicacls.exeicacls.exeicacls.exetakeown.exeicacls.exetakeown.exetakeown.exetakeown.exetakeown.exeicacls.exeicacls.exetakeown.exetakeown.exetakeown.exeicacls.exeicacls.exetakeown.exeicacls.exetakeown.exetakeown.exeicacls.exeicacls.exetakeown.exetakeown.exeicacls.exetakeown.exetakeown.exeicacls.exetakeown.exeicacls.exe

pid	process
4112	icacls.exe
4140	icacls.exe
884	icacls.exe
3572	takeown.exe
3948	icacls.exe
5012	icacls.exe
2464	icacls.exe
3472	takeown.exe
4404	icacls.exe
2684	takeown.exe
4856	takeown.exe
32	takeown.exe
4612	takeown.exe
896	icacls.exe
2784	icacls.exe
5052	takeown.exe
4752	takeown.exe
5076	takeown.exe
4328	icacls.exe
3936	icacls.exe
4444	takeown.exe
360	icacls.exe
4556	takeown.exe
3260	takeown.exe
552	icacls.exe
4256	icacls.exe
2392	takeown.exe
448	takeown.exe
3880	icacls.exe
2224	takeown.exe
1552	takeown.exe
368	icacls.exe
4076	takeown.exe
1352	icacls.exe

Drops file in System32 directory 6 IoCs

Processes:

68a1e51af03c1bf76aa2d388249819f3b5c519dcc6c9eefeaec85af16d15cfbf.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\cmd.exe	68a1e51af03c1bf76aa2d388249819f3b5c519dcc6c9eefeaec85af16d15cfbf.exe
File opened for modification	C:\Windows\SysWOW64\ftp.exe	68a1e51af03c1bf76aa2d388249819f3b5c519dcc6c9eefeaec85af16d15cfbf.exe
File opened for modification	C:\Windows\SysWOW64\wscript.exe	68a1e51af03c1bf76aa2d388249819f3b5c519dcc6c9eefeaec85af16d15cfbf.exe
File opened for modification	C:\Windows\SysWOW64\cscript.exe	68a1e51af03c1bf76aa2d388249819f3b5c519dcc6c9eefeaec85af16d15cfbf.exe
File created	C:\Windows\SysWOW64\dzlh.exe	68a1e51af03c1bf76aa2d388249819f3b5c519dcc6c9eefeaec85af16d15cfbf.exe
File opened for modification	C:\Windows\SysWOW64\dzlh.exe	68a1e51af03c1bf76aa2d388249819f3b5c519dcc6c9eefeaec85af16d15cfbf.exe

Suspicious use of AdjustPrivilegeToken 16 IoCs

Processes:

takeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exe

description	pid	process
Token: SeTakeOwnershipPrivilege	3260	takeown.exe
Token: SeTakeOwnershipPrivilege	32	takeown.exe
Token: SeTakeOwnershipPrivilege	4612	takeown.exe
Token: SeTakeOwnershipPrivilege	5052	takeown.exe
Token: SeTakeOwnershipPrivilege	3572	takeown.exe
Token: SeTakeOwnershipPrivilege	2224	takeown.exe
Token: SeTakeOwnershipPrivilege	4444	takeown.exe
Token: SeTakeOwnershipPrivilege	1552	takeown.exe
Token: SeTakeOwnershipPrivilege	4752	takeown.exe
Token: SeTakeOwnershipPrivilege	3472	takeown.exe
Token: SeTakeOwnershipPrivilege	5076	takeown.exe
Token: SeTakeOwnershipPrivilege	4076	takeown.exe
Token: SeTakeOwnershipPrivilege	2392	takeown.exe
Token: SeTakeOwnershipPrivilege	2684	takeown.exe
Token: SeTakeOwnershipPrivilege	4856	takeown.exe
Token: SeTakeOwnershipPrivilege	4556	takeown.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

68a1e51af03c1bf76aa2d388249819f3b5c519dcc6c9eefeaec85af16d15cfbf.exe

pid process

4824 68a1e51af03c1bf76aa2d388249819f3b5c519dcc6c9eefeaec85af16d15cfbf.exe

pid	process
4824	68a1e51af03c1bf76aa2d388249819f3b5c519dcc6c9eefeaec85af16d15cfbf.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

68a1e51af03c1bf76aa2d388249819f3b5c519dcc6c9eefeaec85af16d15cfbf.exe

description	pid	process	target process
PID 4824 wrote to memory of 448	4824	68a1e51af03c1bf76aa2d388249819f3b5c519dcc6c9eefeaec85af16d15cfbf.exe	takeown.exe
PID 4824 wrote to memory of 448	4824	68a1e51af03c1bf76aa2d388249819f3b5c519dcc6c9eefeaec85af16d15cfbf.exe	takeown.exe
PID 4824 wrote to memory of 448	4824	68a1e51af03c1bf76aa2d388249819f3b5c519dcc6c9eefeaec85af16d15cfbf.exe	takeown.exe
PID 4824 wrote to memory of 4112	4824	68a1e51af03c1bf76aa2d388249819f3b5c519dcc6c9eefeaec85af16d15cfbf.exe	icacls.exe
PID 4824 wrote to memory of 4112	4824	68a1e51af03c1bf76aa2d388249819f3b5c519dcc6c9eefeaec85af16d15cfbf.exe	icacls.exe
PID 4824 wrote to memory of 4112	4824	68a1e51af03c1bf76aa2d388249819f3b5c519dcc6c9eefeaec85af16d15cfbf.exe	icacls.exe
PID 4824 wrote to memory of 3260	4824	68a1e51af03c1bf76aa2d388249819f3b5c519dcc6c9eefeaec85af16d15cfbf.exe	takeown.exe
PID 4824 wrote to memory of 3260	4824	68a1e51af03c1bf76aa2d388249819f3b5c519dcc6c9eefeaec85af16d15cfbf.exe	takeown.exe
PID 4824 wrote to memory of 3260	4824	68a1e51af03c1bf76aa2d388249819f3b5c519dcc6c9eefeaec85af16d15cfbf.exe	takeown.exe
PID 4824 wrote to memory of 5012	4824	68a1e51af03c1bf76aa2d388249819f3b5c519dcc6c9eefeaec85af16d15cfbf.exe	icacls.exe
PID 4824 wrote to memory of 5012	4824	68a1e51af03c1bf76aa2d388249819f3b5c519dcc6c9eefeaec85af16d15cfbf.exe	icacls.exe
PID 4824 wrote to memory of 5012	4824	68a1e51af03c1bf76aa2d388249819f3b5c519dcc6c9eefeaec85af16d15cfbf.exe	icacls.exe
PID 4824 wrote to memory of 32	4824	68a1e51af03c1bf76aa2d388249819f3b5c519dcc6c9eefeaec85af16d15cfbf.exe	takeown.exe
PID 4824 wrote to memory of 32	4824	68a1e51af03c1bf76aa2d388249819f3b5c519dcc6c9eefeaec85af16d15cfbf.exe	takeown.exe
PID 4824 wrote to memory of 32	4824	68a1e51af03c1bf76aa2d388249819f3b5c519dcc6c9eefeaec85af16d15cfbf.exe	takeown.exe
PID 4824 wrote to memory of 3880	4824	68a1e51af03c1bf76aa2d388249819f3b5c519dcc6c9eefeaec85af16d15cfbf.exe	icacls.exe
PID 4824 wrote to memory of 3880	4824	68a1e51af03c1bf76aa2d388249819f3b5c519dcc6c9eefeaec85af16d15cfbf.exe	icacls.exe
PID 4824 wrote to memory of 3880	4824	68a1e51af03c1bf76aa2d388249819f3b5c519dcc6c9eefeaec85af16d15cfbf.exe	icacls.exe
PID 4824 wrote to memory of 4612	4824	68a1e51af03c1bf76aa2d388249819f3b5c519dcc6c9eefeaec85af16d15cfbf.exe	takeown.exe
PID 4824 wrote to memory of 4612	4824	68a1e51af03c1bf76aa2d388249819f3b5c519dcc6c9eefeaec85af16d15cfbf.exe	takeown.exe
PID 4824 wrote to memory of 4612	4824	68a1e51af03c1bf76aa2d388249819f3b5c519dcc6c9eefeaec85af16d15cfbf.exe	takeown.exe
PID 4824 wrote to memory of 3936	4824	68a1e51af03c1bf76aa2d388249819f3b5c519dcc6c9eefeaec85af16d15cfbf.exe	icacls.exe
PID 4824 wrote to memory of 3936	4824	68a1e51af03c1bf76aa2d388249819f3b5c519dcc6c9eefeaec85af16d15cfbf.exe	icacls.exe
PID 4824 wrote to memory of 3936	4824	68a1e51af03c1bf76aa2d388249819f3b5c519dcc6c9eefeaec85af16d15cfbf.exe	icacls.exe
PID 4824 wrote to memory of 5052	4824	68a1e51af03c1bf76aa2d388249819f3b5c519dcc6c9eefeaec85af16d15cfbf.exe	takeown.exe
PID 4824 wrote to memory of 5052	4824	68a1e51af03c1bf76aa2d388249819f3b5c519dcc6c9eefeaec85af16d15cfbf.exe	takeown.exe
PID 4824 wrote to memory of 5052	4824	68a1e51af03c1bf76aa2d388249819f3b5c519dcc6c9eefeaec85af16d15cfbf.exe	takeown.exe
PID 4824 wrote to memory of 884	4824	68a1e51af03c1bf76aa2d388249819f3b5c519dcc6c9eefeaec85af16d15cfbf.exe	icacls.exe
PID 4824 wrote to memory of 884	4824	68a1e51af03c1bf76aa2d388249819f3b5c519dcc6c9eefeaec85af16d15cfbf.exe	icacls.exe
PID 4824 wrote to memory of 884	4824	68a1e51af03c1bf76aa2d388249819f3b5c519dcc6c9eefeaec85af16d15cfbf.exe	icacls.exe
PID 4824 wrote to memory of 3572	4824	68a1e51af03c1bf76aa2d388249819f3b5c519dcc6c9eefeaec85af16d15cfbf.exe	takeown.exe
PID 4824 wrote to memory of 3572	4824	68a1e51af03c1bf76aa2d388249819f3b5c519dcc6c9eefeaec85af16d15cfbf.exe	takeown.exe
PID 4824 wrote to memory of 3572	4824	68a1e51af03c1bf76aa2d388249819f3b5c519dcc6c9eefeaec85af16d15cfbf.exe	takeown.exe
PID 4824 wrote to memory of 2464	4824	68a1e51af03c1bf76aa2d388249819f3b5c519dcc6c9eefeaec85af16d15cfbf.exe	icacls.exe
PID 4824 wrote to memory of 2464	4824	68a1e51af03c1bf76aa2d388249819f3b5c519dcc6c9eefeaec85af16d15cfbf.exe	icacls.exe
PID 4824 wrote to memory of 2464	4824	68a1e51af03c1bf76aa2d388249819f3b5c519dcc6c9eefeaec85af16d15cfbf.exe	icacls.exe
PID 4824 wrote to memory of 2224	4824	68a1e51af03c1bf76aa2d388249819f3b5c519dcc6c9eefeaec85af16d15cfbf.exe	takeown.exe
PID 4824 wrote to memory of 2224	4824	68a1e51af03c1bf76aa2d388249819f3b5c519dcc6c9eefeaec85af16d15cfbf.exe	takeown.exe
PID 4824 wrote to memory of 2224	4824	68a1e51af03c1bf76aa2d388249819f3b5c519dcc6c9eefeaec85af16d15cfbf.exe	takeown.exe
PID 4824 wrote to memory of 896	4824	68a1e51af03c1bf76aa2d388249819f3b5c519dcc6c9eefeaec85af16d15cfbf.exe	icacls.exe
PID 4824 wrote to memory of 896	4824	68a1e51af03c1bf76aa2d388249819f3b5c519dcc6c9eefeaec85af16d15cfbf.exe	icacls.exe
PID 4824 wrote to memory of 896	4824	68a1e51af03c1bf76aa2d388249819f3b5c519dcc6c9eefeaec85af16d15cfbf.exe	icacls.exe
PID 4824 wrote to memory of 4444	4824	68a1e51af03c1bf76aa2d388249819f3b5c519dcc6c9eefeaec85af16d15cfbf.exe	takeown.exe
PID 4824 wrote to memory of 4444	4824	68a1e51af03c1bf76aa2d388249819f3b5c519dcc6c9eefeaec85af16d15cfbf.exe	takeown.exe
PID 4824 wrote to memory of 4444	4824	68a1e51af03c1bf76aa2d388249819f3b5c519dcc6c9eefeaec85af16d15cfbf.exe	takeown.exe
PID 4824 wrote to memory of 2784	4824	68a1e51af03c1bf76aa2d388249819f3b5c519dcc6c9eefeaec85af16d15cfbf.exe	icacls.exe
PID 4824 wrote to memory of 2784	4824	68a1e51af03c1bf76aa2d388249819f3b5c519dcc6c9eefeaec85af16d15cfbf.exe	icacls.exe
PID 4824 wrote to memory of 2784	4824	68a1e51af03c1bf76aa2d388249819f3b5c519dcc6c9eefeaec85af16d15cfbf.exe	icacls.exe
PID 4824 wrote to memory of 1552	4824	68a1e51af03c1bf76aa2d388249819f3b5c519dcc6c9eefeaec85af16d15cfbf.exe	takeown.exe
PID 4824 wrote to memory of 1552	4824	68a1e51af03c1bf76aa2d388249819f3b5c519dcc6c9eefeaec85af16d15cfbf.exe	takeown.exe
PID 4824 wrote to memory of 1552	4824	68a1e51af03c1bf76aa2d388249819f3b5c519dcc6c9eefeaec85af16d15cfbf.exe	takeown.exe
PID 4824 wrote to memory of 3948	4824	68a1e51af03c1bf76aa2d388249819f3b5c519dcc6c9eefeaec85af16d15cfbf.exe	icacls.exe
PID 4824 wrote to memory of 3948	4824	68a1e51af03c1bf76aa2d388249819f3b5c519dcc6c9eefeaec85af16d15cfbf.exe	icacls.exe
PID 4824 wrote to memory of 3948	4824	68a1e51af03c1bf76aa2d388249819f3b5c519dcc6c9eefeaec85af16d15cfbf.exe	icacls.exe
PID 4824 wrote to memory of 4752	4824	68a1e51af03c1bf76aa2d388249819f3b5c519dcc6c9eefeaec85af16d15cfbf.exe	takeown.exe
PID 4824 wrote to memory of 4752	4824	68a1e51af03c1bf76aa2d388249819f3b5c519dcc6c9eefeaec85af16d15cfbf.exe	takeown.exe
PID 4824 wrote to memory of 4752	4824	68a1e51af03c1bf76aa2d388249819f3b5c519dcc6c9eefeaec85af16d15cfbf.exe	takeown.exe
PID 4824 wrote to memory of 552	4824	68a1e51af03c1bf76aa2d388249819f3b5c519dcc6c9eefeaec85af16d15cfbf.exe	icacls.exe
PID 4824 wrote to memory of 552	4824	68a1e51af03c1bf76aa2d388249819f3b5c519dcc6c9eefeaec85af16d15cfbf.exe	icacls.exe
PID 4824 wrote to memory of 552	4824	68a1e51af03c1bf76aa2d388249819f3b5c519dcc6c9eefeaec85af16d15cfbf.exe	icacls.exe
PID 4824 wrote to memory of 3472	4824	68a1e51af03c1bf76aa2d388249819f3b5c519dcc6c9eefeaec85af16d15cfbf.exe	takeown.exe
PID 4824 wrote to memory of 3472	4824	68a1e51af03c1bf76aa2d388249819f3b5c519dcc6c9eefeaec85af16d15cfbf.exe	takeown.exe
PID 4824 wrote to memory of 3472	4824	68a1e51af03c1bf76aa2d388249819f3b5c519dcc6c9eefeaec85af16d15cfbf.exe	takeown.exe
PID 4824 wrote to memory of 368	4824	68a1e51af03c1bf76aa2d388249819f3b5c519dcc6c9eefeaec85af16d15cfbf.exe	icacls.exe

C:\Users\Admin\AppData\Local\Temp\68a1e51af03c1bf76aa2d388249819f3b5c519dcc6c9eefeaec85af16d15cfbf.exe
"C:\Users\Admin\AppData\Local\Temp\68a1e51af03c1bf76aa2d388249819f3b5c519dcc6c9eefeaec85af16d15cfbf.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4824
- C:\Windows\SysWOW64\takeown.exe
  C:\Windows\system32\takeown.exe /f "C:\Windows\system32\dzlh.exe"
  2⤵
  - Possible privilege escalation attempt
  - Modifies file permissions
  PID:448
- C:\Windows\SysWOW64\icacls.exe
  C:\Windows\system32\icacls.exe "C:\Windows\system32\dzlh.exe" /grant SYSTEM:F
  2⤵
  - Possible privilege escalation attempt
  - Modifies file permissions
  PID:4112
- C:\Windows\SysWOW64\takeown.exe
  takeown.exe /f "C:\Windows\System32\cmd.exe"
  2⤵
  - Possible privilege escalation attempt
  - Modifies file permissions
  - Suspicious use of AdjustPrivilegeToken
  PID:3260
- C:\Windows\SysWOW64\icacls.exe
  icacls.exe "C:\Windows\System32\cmd.exe" /grant SYSTEM:F
  2⤵
  - Possible privilege escalation attempt
  - Modifies file permissions
  PID:5012
- C:\Windows\SysWOW64\takeown.exe
  takeown.exe /f "C:\Windows\System32\cmd.exe"
  2⤵
  - Possible privilege escalation attempt
  - Modifies file permissions
  - Suspicious use of AdjustPrivilegeToken
  PID:32
- C:\Windows\SysWOW64\icacls.exe
  icacls.exe "C:\Windows\System32\cmd.exe" /grant SYSTEM:F
  2⤵
  - Possible privilege escalation attempt
  - Modifies file permissions
  PID:3880
- C:\Windows\SysWOW64\takeown.exe
  takeown.exe /f "C:\Windows\System32\ftp.exe"
  2⤵
  - Possible privilege escalation attempt
  - Modifies file permissions
  - Suspicious use of AdjustPrivilegeToken
  PID:4612
- C:\Windows\SysWOW64\icacls.exe
  icacls.exe "C:\Windows\System32\ftp.exe" /grant SYSTEM:F
  2⤵
  - Possible privilege escalation attempt
  - Modifies file permissions
  PID:3936
- C:\Windows\SysWOW64\takeown.exe
  takeown.exe /f "C:\Windows\System32\ftp.exe"
  2⤵
  - Possible privilege escalation attempt
  - Modifies file permissions
  - Suspicious use of AdjustPrivilegeToken
  PID:5052
- C:\Windows\SysWOW64\icacls.exe
  icacls.exe "C:\Windows\System32\ftp.exe" /grant SYSTEM:F
  2⤵
  - Possible privilege escalation attempt
  - Modifies file permissions
  PID:884
- C:\Windows\SysWOW64\takeown.exe
  takeown.exe /f "C:\Windows\System32\wscript.exe"
  2⤵
  - Possible privilege escalation attempt
  - Modifies file permissions
  - Suspicious use of AdjustPrivilegeToken
  PID:3572
- C:\Windows\SysWOW64\icacls.exe
  icacls.exe "C:\Windows\System32\wscript.exe" /grant SYSTEM:F
  2⤵
  - Possible privilege escalation attempt
  - Modifies file permissions
  PID:2464
- C:\Windows\SysWOW64\takeown.exe
  takeown.exe /f "C:\Windows\System32\wscript.exe"
  2⤵
  - Possible privilege escalation attempt
  - Modifies file permissions
  - Suspicious use of AdjustPrivilegeToken
  PID:2224
- C:\Windows\SysWOW64\icacls.exe
  icacls.exe "C:\Windows\System32\wscript.exe" /grant SYSTEM:F
  2⤵
  - Possible privilege escalation attempt
  - Modifies file permissions
  PID:896
- C:\Windows\SysWOW64\takeown.exe
  takeown.exe /f "C:\Windows\System32\cscript.exe"
  2⤵
  - Possible privilege escalation attempt
  - Modifies file permissions
  - Suspicious use of AdjustPrivilegeToken
  PID:4444
- C:\Windows\SysWOW64\icacls.exe
  icacls.exe "C:\Windows\System32\cscript.exe" /grant SYSTEM:F
  2⤵
  - Possible privilege escalation attempt
  - Modifies file permissions
  PID:2784
- C:\Windows\SysWOW64\takeown.exe
  takeown.exe /f "C:\Windows\System32\cscript.exe"
  2⤵
  - Possible privilege escalation attempt
  - Modifies file permissions
  - Suspicious use of AdjustPrivilegeToken
  PID:1552
- C:\Windows\SysWOW64\icacls.exe
  icacls.exe "C:\Windows\System32\cscript.exe" /grant SYSTEM:F
  2⤵
  - Possible privilege escalation attempt
  - Modifies file permissions
  PID:3948
- C:\Windows\SysWOW64\takeown.exe
  takeown.exe /f "C:\Windows\SysWOW64\cmd.exe"
  2⤵
  - Possible privilege escalation attempt
  - Modifies file permissions
  - Suspicious use of AdjustPrivilegeToken
  PID:4752
- C:\Windows\SysWOW64\icacls.exe
  icacls.exe "C:\Windows\SysWOW64\cmd.exe" /grant SYSTEM:F
  2⤵
  - Possible privilege escalation attempt
  - Modifies file permissions
  PID:552
- C:\Windows\SysWOW64\takeown.exe
  takeown.exe /f "C:\Windows\SysWOW64\cmd.exe"
  2⤵
  - Possible privilege escalation attempt
  - Modifies file permissions
  - Suspicious use of AdjustPrivilegeToken
  PID:3472
- C:\Windows\SysWOW64\icacls.exe
  icacls.exe "C:\Windows\SysWOW64\cmd.exe" /grant SYSTEM:F
  2⤵
  - Possible privilege escalation attempt
  - Modifies file permissions
  PID:368
- C:\Windows\SysWOW64\takeown.exe
  takeown.exe /f "C:\Windows\SysWOW64\ftp.exe"
  2⤵
  - Possible privilege escalation attempt
  - Modifies file permissions
  - Suspicious use of AdjustPrivilegeToken
  PID:5076
- C:\Windows\SysWOW64\icacls.exe
  icacls.exe "C:\Windows\SysWOW64\ftp.exe" /grant SYSTEM:F
  2⤵
  - Possible privilege escalation attempt
  - Modifies file permissions
  PID:4256
- C:\Windows\SysWOW64\takeown.exe
  takeown.exe /f "C:\Windows\SysWOW64\ftp.exe"
  2⤵
  - Possible privilege escalation attempt
  - Modifies file permissions
  - Suspicious use of AdjustPrivilegeToken
  PID:4076
- C:\Windows\SysWOW64\icacls.exe
  icacls.exe "C:\Windows\SysWOW64\ftp.exe" /grant SYSTEM:F
  2⤵
  - Possible privilege escalation attempt
  - Modifies file permissions
  PID:360
- C:\Windows\SysWOW64\takeown.exe
  takeown.exe /f "C:\Windows\SysWOW64\wscript.exe"
  2⤵
  - Possible privilege escalation attempt
  - Modifies file permissions
  - Suspicious use of AdjustPrivilegeToken
  PID:2392
- C:\Windows\SysWOW64\icacls.exe
  icacls.exe "C:\Windows\SysWOW64\wscript.exe" /grant SYSTEM:F
  2⤵
  - Possible privilege escalation attempt
  - Modifies file permissions
  PID:4404
- C:\Windows\SysWOW64\takeown.exe
  takeown.exe /f "C:\Windows\SysWOW64\wscript.exe"
  2⤵
  - Possible privilege escalation attempt
  - Modifies file permissions
  - Suspicious use of AdjustPrivilegeToken
  PID:2684
- C:\Windows\SysWOW64\icacls.exe
  icacls.exe "C:\Windows\SysWOW64\wscript.exe" /grant SYSTEM:F
  2⤵
  - Possible privilege escalation attempt
  - Modifies file permissions
  PID:1352
- C:\Windows\SysWOW64\takeown.exe
  takeown.exe /f "C:\Windows\SysWOW64\cscript.exe"
  2⤵
  - Possible privilege escalation attempt
  - Modifies file permissions
  - Suspicious use of AdjustPrivilegeToken
  PID:4856
- C:\Windows\SysWOW64\icacls.exe
  icacls.exe "C:\Windows\SysWOW64\cscript.exe" /grant SYSTEM:F
  2⤵
  - Possible privilege escalation attempt
  - Modifies file permissions
  PID:4328
- C:\Windows\SysWOW64\takeown.exe
  takeown.exe /f "C:\Windows\SysWOW64\cscript.exe"
  2⤵
  - Possible privilege escalation attempt
  - Modifies file permissions
  - Suspicious use of AdjustPrivilegeToken
  PID:4556
- C:\Windows\SysWOW64\icacls.exe
  icacls.exe "C:\Windows\SysWOW64\cscript.exe" /grant SYSTEM:F
  2⤵
  - Possible privilege escalation attempt
  - Modifies file permissions
  PID:4140

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

File and Directory Permissions Modification

T1222

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\dzlh.exe

Filesize
68KB

MD5
0c5b142e4185e130b90411ec1392b0a1

SHA1
11880fc4b89758d1a98e74945ae3db3fbd71a01d

SHA256
68a1e51af03c1bf76aa2d388249819f3b5c519dcc6c9eefeaec85af16d15cfbf

SHA512
4a7dc982fb28f8cf404f31243a8d6c99da5273a51583ca67506dd845ee086efc0b2d6008c3825d5110def099ece35e1c0479f343171fa1d5cbf9e40ccf5c2ae9

Download Submit
memory/32-139-0x0000000000000000-mapping.dmp

Download
memory/360-160-0x0000000000000000-mapping.dmp

Download
memory/368-156-0x0000000000000000-mapping.dmp

Download
memory/448-134-0x0000000000000000-mapping.dmp

Download
memory/552-154-0x0000000000000000-mapping.dmp

Download
memory/884-144-0x0000000000000000-mapping.dmp

Download
memory/896-148-0x0000000000000000-mapping.dmp

Download
memory/1352-164-0x0000000000000000-mapping.dmp

Download
memory/1552-151-0x0000000000000000-mapping.dmp

Download
memory/2224-147-0x0000000000000000-mapping.dmp

Download
memory/2392-161-0x0000000000000000-mapping.dmp

Download
memory/2464-146-0x0000000000000000-mapping.dmp

Download
memory/2684-163-0x0000000000000000-mapping.dmp

Download
memory/2784-150-0x0000000000000000-mapping.dmp

Download
memory/3260-137-0x0000000000000000-mapping.dmp

Download
memory/3472-155-0x0000000000000000-mapping.dmp

Download
memory/3572-145-0x0000000000000000-mapping.dmp

Download
memory/3880-140-0x0000000000000000-mapping.dmp

Download
memory/3936-142-0x0000000000000000-mapping.dmp

Download
memory/3948-152-0x0000000000000000-mapping.dmp

Download
memory/4076-159-0x0000000000000000-mapping.dmp

Download
memory/4112-136-0x0000000000000000-mapping.dmp

Download
memory/4140-168-0x0000000000000000-mapping.dmp

Download
memory/4256-158-0x0000000000000000-mapping.dmp

Download
memory/4328-166-0x0000000000000000-mapping.dmp

Download
memory/4404-162-0x0000000000000000-mapping.dmp

Download
memory/4444-149-0x0000000000000000-mapping.dmp

Download
memory/4556-167-0x0000000000000000-mapping.dmp

Download
memory/4612-141-0x0000000000000000-mapping.dmp

Download
memory/4752-153-0x0000000000000000-mapping.dmp

Download
memory/4856-165-0x0000000000000000-mapping.dmp

Download
memory/5012-138-0x0000000000000000-mapping.dmp

Download
memory/5052-143-0x0000000000000000-mapping.dmp

Download
memory/5076-157-0x0000000000000000-mapping.dmp

Download