a7da6aed7b37d407c180f59010e8633efd05bc697631a3c30d21f6d7abcf4b41

Analysis

max time kernel
91s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20220901-en
resource tags

arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system
submitted
08-11-2022 08:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a7da6aed7b37d407c180f59010e8633efd05bc697631a3c30d21f6d7abcf4b41.exe
Size

72KB
MD5

034a5d389fc637d08c53eb0b683f1e81
SHA1

86b0b3bd1a6cb3a4d4920206760874db099e4957
SHA256

a7da6aed7b37d407c180f59010e8633efd05bc697631a3c30d21f6d7abcf4b41
SHA512

da3d9ef91e1a8cb205c67ae5b6489bee5455c0156d58ff8f2c771c70b140b050bf39bf5c61c8f79fc12a3b4628ee0a9417f954aa5bf87f82c3e7d93d21aa667e
SSDEEP

768:uVQhM1eScdD6f9iqDik9GG3OY8AYv1ahGMgZlvL3B6oM/Jv3QOhiD17OnWbMSu4t:uVQhccdDCFBM1a8B6oM/JP4PKTU

Score

8^/10

discovery exploit

Malware Config

Signatures

Possible privilege escalation attempt 34 IoCs

exploit

Processes:

takeown.exeicacls.exeicacls.exetakeown.exeicacls.exetakeown.exeicacls.exeicacls.exeicacls.exeicacls.exetakeown.exetakeown.exeicacls.exeicacls.exeicacls.exetakeown.exetakeown.exeicacls.exetakeown.exetakeown.exetakeown.exeicacls.exeicacls.exetakeown.exeicacls.exeicacls.exetakeown.exetakeown.exetakeown.exeicacls.exeicacls.exetakeown.exetakeown.exetakeown.exe

pid	process
1584	takeown.exe
2416	icacls.exe
4328	icacls.exe
3596	takeown.exe
628	icacls.exe
3432	takeown.exe
2768	icacls.exe
1756	icacls.exe
4568	icacls.exe
2236	icacls.exe
4108	takeown.exe
4156	takeown.exe
2412	icacls.exe
1020	icacls.exe
3196	icacls.exe
1880	takeown.exe
4500	takeown.exe
2128	icacls.exe
1344	takeown.exe
1308	takeown.exe
912	takeown.exe
3996	icacls.exe
1748	icacls.exe
4624	takeown.exe
1436	icacls.exe
3172	icacls.exe
1708	takeown.exe
2336	takeown.exe
3808	takeown.exe
3832	icacls.exe
4164	icacls.exe
1052	takeown.exe
4724	takeown.exe
2924	takeown.exe

Modifies file permissions 1 TTPs 34 IoCs

discovery

File and Directory Permissions Modification

T1222

Processes:

takeown.exeicacls.exetakeown.exeicacls.exetakeown.exeicacls.exetakeown.exeicacls.exeicacls.exetakeown.exetakeown.exeicacls.exetakeown.exeicacls.exetakeown.exeicacls.exetakeown.exeicacls.exetakeown.exetakeown.exeicacls.exetakeown.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exetakeown.exeicacls.exetakeown.exetakeown.exetakeown.exeicacls.exetakeown.exe

pid	process
1880	takeown.exe
3832	icacls.exe
3432	takeown.exe
2768	icacls.exe
4624	takeown.exe
628	icacls.exe
1584	takeown.exe
4328	icacls.exe
2236	icacls.exe
4108	takeown.exe
2924	takeown.exe
1756	icacls.exe
1344	takeown.exe
4568	icacls.exe
2336	takeown.exe
2416	icacls.exe
4500	takeown.exe
4164	icacls.exe
4156	takeown.exe
1052	takeown.exe
2128	icacls.exe
1708	takeown.exe
3196	icacls.exe
3172	icacls.exe
2412	icacls.exe
3996	icacls.exe
1436	icacls.exe
1308	takeown.exe
1748	icacls.exe
912	takeown.exe
3596	takeown.exe
4724	takeown.exe
1020	icacls.exe
3808	takeown.exe

Drops file in System32 directory 6 IoCs

Processes:

a7da6aed7b37d407c180f59010e8633efd05bc697631a3c30d21f6d7abcf4b41.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\ftp.exe	a7da6aed7b37d407c180f59010e8633efd05bc697631a3c30d21f6d7abcf4b41.exe
File opened for modification	C:\Windows\SysWOW64\wscript.exe	a7da6aed7b37d407c180f59010e8633efd05bc697631a3c30d21f6d7abcf4b41.exe
File opened for modification	C:\Windows\SysWOW64\cscript.exe	a7da6aed7b37d407c180f59010e8633efd05bc697631a3c30d21f6d7abcf4b41.exe
File created	C:\Windows\SysWOW64\axqep.exe	a7da6aed7b37d407c180f59010e8633efd05bc697631a3c30d21f6d7abcf4b41.exe
File opened for modification	C:\Windows\SysWOW64\axqep.exe	a7da6aed7b37d407c180f59010e8633efd05bc697631a3c30d21f6d7abcf4b41.exe
File opened for modification	C:\Windows\SysWOW64\cmd.exe	a7da6aed7b37d407c180f59010e8633efd05bc697631a3c30d21f6d7abcf4b41.exe

Suspicious use of AdjustPrivilegeToken 16 IoCs

Processes:

takeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exe

description	pid	process
Token: SeTakeOwnershipPrivilege	3432	takeown.exe
Token: SeTakeOwnershipPrivilege	1344	takeown.exe
Token: SeTakeOwnershipPrivilege	1584	takeown.exe
Token: SeTakeOwnershipPrivilege	1708	takeown.exe
Token: SeTakeOwnershipPrivilege	1308	takeown.exe
Token: SeTakeOwnershipPrivilege	2336	takeown.exe
Token: SeTakeOwnershipPrivilege	4108	takeown.exe
Token: SeTakeOwnershipPrivilege	4724	takeown.exe
Token: SeTakeOwnershipPrivilege	1880	takeown.exe
Token: SeTakeOwnershipPrivilege	2924	takeown.exe
Token: SeTakeOwnershipPrivilege	3808	takeown.exe
Token: SeTakeOwnershipPrivilege	4500	takeown.exe
Token: SeTakeOwnershipPrivilege	4624	takeown.exe
Token: SeTakeOwnershipPrivilege	912	takeown.exe
Token: SeTakeOwnershipPrivilege	3596	takeown.exe
Token: SeTakeOwnershipPrivilege	4156	takeown.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

a7da6aed7b37d407c180f59010e8633efd05bc697631a3c30d21f6d7abcf4b41.exe

pid process

5064 a7da6aed7b37d407c180f59010e8633efd05bc697631a3c30d21f6d7abcf4b41.exe

pid	process
5064	a7da6aed7b37d407c180f59010e8633efd05bc697631a3c30d21f6d7abcf4b41.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

a7da6aed7b37d407c180f59010e8633efd05bc697631a3c30d21f6d7abcf4b41.exe

description	pid	process	target process
PID 5064 wrote to memory of 1052	5064	a7da6aed7b37d407c180f59010e8633efd05bc697631a3c30d21f6d7abcf4b41.exe	takeown.exe
PID 5064 wrote to memory of 1052	5064	a7da6aed7b37d407c180f59010e8633efd05bc697631a3c30d21f6d7abcf4b41.exe	takeown.exe
PID 5064 wrote to memory of 1052	5064	a7da6aed7b37d407c180f59010e8633efd05bc697631a3c30d21f6d7abcf4b41.exe	takeown.exe
PID 5064 wrote to memory of 628	5064	a7da6aed7b37d407c180f59010e8633efd05bc697631a3c30d21f6d7abcf4b41.exe	icacls.exe
PID 5064 wrote to memory of 628	5064	a7da6aed7b37d407c180f59010e8633efd05bc697631a3c30d21f6d7abcf4b41.exe	icacls.exe
PID 5064 wrote to memory of 628	5064	a7da6aed7b37d407c180f59010e8633efd05bc697631a3c30d21f6d7abcf4b41.exe	icacls.exe
PID 5064 wrote to memory of 3432	5064	a7da6aed7b37d407c180f59010e8633efd05bc697631a3c30d21f6d7abcf4b41.exe	takeown.exe
PID 5064 wrote to memory of 3432	5064	a7da6aed7b37d407c180f59010e8633efd05bc697631a3c30d21f6d7abcf4b41.exe	takeown.exe
PID 5064 wrote to memory of 3432	5064	a7da6aed7b37d407c180f59010e8633efd05bc697631a3c30d21f6d7abcf4b41.exe	takeown.exe
PID 5064 wrote to memory of 2128	5064	a7da6aed7b37d407c180f59010e8633efd05bc697631a3c30d21f6d7abcf4b41.exe	icacls.exe
PID 5064 wrote to memory of 2128	5064	a7da6aed7b37d407c180f59010e8633efd05bc697631a3c30d21f6d7abcf4b41.exe	icacls.exe
PID 5064 wrote to memory of 2128	5064	a7da6aed7b37d407c180f59010e8633efd05bc697631a3c30d21f6d7abcf4b41.exe	icacls.exe
PID 5064 wrote to memory of 1344	5064	a7da6aed7b37d407c180f59010e8633efd05bc697631a3c30d21f6d7abcf4b41.exe	takeown.exe
PID 5064 wrote to memory of 1344	5064	a7da6aed7b37d407c180f59010e8633efd05bc697631a3c30d21f6d7abcf4b41.exe	takeown.exe
PID 5064 wrote to memory of 1344	5064	a7da6aed7b37d407c180f59010e8633efd05bc697631a3c30d21f6d7abcf4b41.exe	takeown.exe
PID 5064 wrote to memory of 3172	5064	a7da6aed7b37d407c180f59010e8633efd05bc697631a3c30d21f6d7abcf4b41.exe	icacls.exe
PID 5064 wrote to memory of 3172	5064	a7da6aed7b37d407c180f59010e8633efd05bc697631a3c30d21f6d7abcf4b41.exe	icacls.exe
PID 5064 wrote to memory of 3172	5064	a7da6aed7b37d407c180f59010e8633efd05bc697631a3c30d21f6d7abcf4b41.exe	icacls.exe
PID 5064 wrote to memory of 1584	5064	a7da6aed7b37d407c180f59010e8633efd05bc697631a3c30d21f6d7abcf4b41.exe	takeown.exe
PID 5064 wrote to memory of 1584	5064	a7da6aed7b37d407c180f59010e8633efd05bc697631a3c30d21f6d7abcf4b41.exe	takeown.exe
PID 5064 wrote to memory of 1584	5064	a7da6aed7b37d407c180f59010e8633efd05bc697631a3c30d21f6d7abcf4b41.exe	takeown.exe
PID 5064 wrote to memory of 2412	5064	a7da6aed7b37d407c180f59010e8633efd05bc697631a3c30d21f6d7abcf4b41.exe	icacls.exe
PID 5064 wrote to memory of 2412	5064	a7da6aed7b37d407c180f59010e8633efd05bc697631a3c30d21f6d7abcf4b41.exe	icacls.exe
PID 5064 wrote to memory of 2412	5064	a7da6aed7b37d407c180f59010e8633efd05bc697631a3c30d21f6d7abcf4b41.exe	icacls.exe
PID 5064 wrote to memory of 1708	5064	a7da6aed7b37d407c180f59010e8633efd05bc697631a3c30d21f6d7abcf4b41.exe	takeown.exe
PID 5064 wrote to memory of 1708	5064	a7da6aed7b37d407c180f59010e8633efd05bc697631a3c30d21f6d7abcf4b41.exe	takeown.exe
PID 5064 wrote to memory of 1708	5064	a7da6aed7b37d407c180f59010e8633efd05bc697631a3c30d21f6d7abcf4b41.exe	takeown.exe
PID 5064 wrote to memory of 3996	5064	a7da6aed7b37d407c180f59010e8633efd05bc697631a3c30d21f6d7abcf4b41.exe	icacls.exe
PID 5064 wrote to memory of 3996	5064	a7da6aed7b37d407c180f59010e8633efd05bc697631a3c30d21f6d7abcf4b41.exe	icacls.exe
PID 5064 wrote to memory of 3996	5064	a7da6aed7b37d407c180f59010e8633efd05bc697631a3c30d21f6d7abcf4b41.exe	icacls.exe
PID 5064 wrote to memory of 1308	5064	a7da6aed7b37d407c180f59010e8633efd05bc697631a3c30d21f6d7abcf4b41.exe	takeown.exe
PID 5064 wrote to memory of 1308	5064	a7da6aed7b37d407c180f59010e8633efd05bc697631a3c30d21f6d7abcf4b41.exe	takeown.exe
PID 5064 wrote to memory of 1308	5064	a7da6aed7b37d407c180f59010e8633efd05bc697631a3c30d21f6d7abcf4b41.exe	takeown.exe
PID 5064 wrote to memory of 4568	5064	a7da6aed7b37d407c180f59010e8633efd05bc697631a3c30d21f6d7abcf4b41.exe	icacls.exe
PID 5064 wrote to memory of 4568	5064	a7da6aed7b37d407c180f59010e8633efd05bc697631a3c30d21f6d7abcf4b41.exe	icacls.exe
PID 5064 wrote to memory of 4568	5064	a7da6aed7b37d407c180f59010e8633efd05bc697631a3c30d21f6d7abcf4b41.exe	icacls.exe
PID 5064 wrote to memory of 2336	5064	a7da6aed7b37d407c180f59010e8633efd05bc697631a3c30d21f6d7abcf4b41.exe	takeown.exe
PID 5064 wrote to memory of 2336	5064	a7da6aed7b37d407c180f59010e8633efd05bc697631a3c30d21f6d7abcf4b41.exe	takeown.exe
PID 5064 wrote to memory of 2336	5064	a7da6aed7b37d407c180f59010e8633efd05bc697631a3c30d21f6d7abcf4b41.exe	takeown.exe
PID 5064 wrote to memory of 2236	5064	a7da6aed7b37d407c180f59010e8633efd05bc697631a3c30d21f6d7abcf4b41.exe	icacls.exe
PID 5064 wrote to memory of 2236	5064	a7da6aed7b37d407c180f59010e8633efd05bc697631a3c30d21f6d7abcf4b41.exe	icacls.exe
PID 5064 wrote to memory of 2236	5064	a7da6aed7b37d407c180f59010e8633efd05bc697631a3c30d21f6d7abcf4b41.exe	icacls.exe
PID 5064 wrote to memory of 4108	5064	a7da6aed7b37d407c180f59010e8633efd05bc697631a3c30d21f6d7abcf4b41.exe	takeown.exe
PID 5064 wrote to memory of 4108	5064	a7da6aed7b37d407c180f59010e8633efd05bc697631a3c30d21f6d7abcf4b41.exe	takeown.exe
PID 5064 wrote to memory of 4108	5064	a7da6aed7b37d407c180f59010e8633efd05bc697631a3c30d21f6d7abcf4b41.exe	takeown.exe
PID 5064 wrote to memory of 2768	5064	a7da6aed7b37d407c180f59010e8633efd05bc697631a3c30d21f6d7abcf4b41.exe	icacls.exe
PID 5064 wrote to memory of 2768	5064	a7da6aed7b37d407c180f59010e8633efd05bc697631a3c30d21f6d7abcf4b41.exe	icacls.exe
PID 5064 wrote to memory of 2768	5064	a7da6aed7b37d407c180f59010e8633efd05bc697631a3c30d21f6d7abcf4b41.exe	icacls.exe
PID 5064 wrote to memory of 4724	5064	a7da6aed7b37d407c180f59010e8633efd05bc697631a3c30d21f6d7abcf4b41.exe	takeown.exe
PID 5064 wrote to memory of 4724	5064	a7da6aed7b37d407c180f59010e8633efd05bc697631a3c30d21f6d7abcf4b41.exe	takeown.exe
PID 5064 wrote to memory of 4724	5064	a7da6aed7b37d407c180f59010e8633efd05bc697631a3c30d21f6d7abcf4b41.exe	takeown.exe
PID 5064 wrote to memory of 1020	5064	a7da6aed7b37d407c180f59010e8633efd05bc697631a3c30d21f6d7abcf4b41.exe	icacls.exe
PID 5064 wrote to memory of 1020	5064	a7da6aed7b37d407c180f59010e8633efd05bc697631a3c30d21f6d7abcf4b41.exe	icacls.exe
PID 5064 wrote to memory of 1020	5064	a7da6aed7b37d407c180f59010e8633efd05bc697631a3c30d21f6d7abcf4b41.exe	icacls.exe
PID 5064 wrote to memory of 1880	5064	a7da6aed7b37d407c180f59010e8633efd05bc697631a3c30d21f6d7abcf4b41.exe	takeown.exe
PID 5064 wrote to memory of 1880	5064	a7da6aed7b37d407c180f59010e8633efd05bc697631a3c30d21f6d7abcf4b41.exe	takeown.exe
PID 5064 wrote to memory of 1880	5064	a7da6aed7b37d407c180f59010e8633efd05bc697631a3c30d21f6d7abcf4b41.exe	takeown.exe
PID 5064 wrote to memory of 2416	5064	a7da6aed7b37d407c180f59010e8633efd05bc697631a3c30d21f6d7abcf4b41.exe	icacls.exe
PID 5064 wrote to memory of 2416	5064	a7da6aed7b37d407c180f59010e8633efd05bc697631a3c30d21f6d7abcf4b41.exe	icacls.exe
PID 5064 wrote to memory of 2416	5064	a7da6aed7b37d407c180f59010e8633efd05bc697631a3c30d21f6d7abcf4b41.exe	icacls.exe
PID 5064 wrote to memory of 2924	5064	a7da6aed7b37d407c180f59010e8633efd05bc697631a3c30d21f6d7abcf4b41.exe	takeown.exe
PID 5064 wrote to memory of 2924	5064	a7da6aed7b37d407c180f59010e8633efd05bc697631a3c30d21f6d7abcf4b41.exe	takeown.exe
PID 5064 wrote to memory of 2924	5064	a7da6aed7b37d407c180f59010e8633efd05bc697631a3c30d21f6d7abcf4b41.exe	takeown.exe
PID 5064 wrote to memory of 1748	5064	a7da6aed7b37d407c180f59010e8633efd05bc697631a3c30d21f6d7abcf4b41.exe	icacls.exe

C:\Users\Admin\AppData\Local\Temp\a7da6aed7b37d407c180f59010e8633efd05bc697631a3c30d21f6d7abcf4b41.exe
"C:\Users\Admin\AppData\Local\Temp\a7da6aed7b37d407c180f59010e8633efd05bc697631a3c30d21f6d7abcf4b41.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:5064
- C:\Windows\SysWOW64\takeown.exe
  C:\Windows\system32\takeown.exe /f "C:\Windows\system32\axqep.exe"
  2⤵
  - Possible privilege escalation attempt
  - Modifies file permissions
  PID:1052
- C:\Windows\SysWOW64\icacls.exe
  C:\Windows\system32\icacls.exe "C:\Windows\system32\axqep.exe" /grant SYSTEM:F
  2⤵
  - Possible privilege escalation attempt
  - Modifies file permissions
  PID:628
- C:\Windows\SysWOW64\takeown.exe
  takeown.exe /f "C:\Windows\System32\cmd.exe"
  2⤵
  - Possible privilege escalation attempt
  - Modifies file permissions
  - Suspicious use of AdjustPrivilegeToken
  PID:3432
- C:\Windows\SysWOW64\icacls.exe
  icacls.exe "C:\Windows\System32\cmd.exe" /grant SYSTEM:F
  2⤵
  - Possible privilege escalation attempt
  - Modifies file permissions
  PID:2128
- C:\Windows\SysWOW64\takeown.exe
  takeown.exe /f "C:\Windows\System32\cmd.exe"
  2⤵
  - Possible privilege escalation attempt
  - Modifies file permissions
  - Suspicious use of AdjustPrivilegeToken
  PID:1344
- C:\Windows\SysWOW64\icacls.exe
  icacls.exe "C:\Windows\System32\cmd.exe" /grant SYSTEM:F
  2⤵
  - Possible privilege escalation attempt
  - Modifies file permissions
  PID:3172
- C:\Windows\SysWOW64\takeown.exe
  takeown.exe /f "C:\Windows\System32\ftp.exe"
  2⤵
  - Possible privilege escalation attempt
  - Modifies file permissions
  - Suspicious use of AdjustPrivilegeToken
  PID:1584
- C:\Windows\SysWOW64\icacls.exe
  icacls.exe "C:\Windows\System32\ftp.exe" /grant SYSTEM:F
  2⤵
  - Possible privilege escalation attempt
  - Modifies file permissions
  PID:2412
- C:\Windows\SysWOW64\takeown.exe
  takeown.exe /f "C:\Windows\System32\ftp.exe"
  2⤵
  - Possible privilege escalation attempt
  - Modifies file permissions
  - Suspicious use of AdjustPrivilegeToken
  PID:1708
- C:\Windows\SysWOW64\icacls.exe
  icacls.exe "C:\Windows\System32\ftp.exe" /grant SYSTEM:F
  2⤵
  - Possible privilege escalation attempt
  - Modifies file permissions
  PID:3996
- C:\Windows\SysWOW64\takeown.exe
  takeown.exe /f "C:\Windows\System32\wscript.exe"
  2⤵
  - Possible privilege escalation attempt
  - Modifies file permissions
  - Suspicious use of AdjustPrivilegeToken
  PID:1308
- C:\Windows\SysWOW64\icacls.exe
  icacls.exe "C:\Windows\System32\wscript.exe" /grant SYSTEM:F
  2⤵
  - Possible privilege escalation attempt
  - Modifies file permissions
  PID:4568
- C:\Windows\SysWOW64\takeown.exe
  takeown.exe /f "C:\Windows\System32\wscript.exe"
  2⤵
  - Possible privilege escalation attempt
  - Modifies file permissions
  - Suspicious use of AdjustPrivilegeToken
  PID:2336
- C:\Windows\SysWOW64\icacls.exe
  icacls.exe "C:\Windows\System32\wscript.exe" /grant SYSTEM:F
  2⤵
  - Possible privilege escalation attempt
  - Modifies file permissions
  PID:2236
- C:\Windows\SysWOW64\takeown.exe
  takeown.exe /f "C:\Windows\System32\cscript.exe"
  2⤵
  - Possible privilege escalation attempt
  - Modifies file permissions
  - Suspicious use of AdjustPrivilegeToken
  PID:4108
- C:\Windows\SysWOW64\icacls.exe
  icacls.exe "C:\Windows\System32\cscript.exe" /grant SYSTEM:F
  2⤵
  - Possible privilege escalation attempt
  - Modifies file permissions
  PID:2768
- C:\Windows\SysWOW64\takeown.exe
  takeown.exe /f "C:\Windows\System32\cscript.exe"
  2⤵
  - Possible privilege escalation attempt
  - Modifies file permissions
  - Suspicious use of AdjustPrivilegeToken
  PID:4724
- C:\Windows\SysWOW64\icacls.exe
  icacls.exe "C:\Windows\System32\cscript.exe" /grant SYSTEM:F
  2⤵
  - Possible privilege escalation attempt
  - Modifies file permissions
  PID:1020
- C:\Windows\SysWOW64\takeown.exe
  takeown.exe /f "C:\Windows\SysWOW64\cmd.exe"
  2⤵
  - Possible privilege escalation attempt
  - Modifies file permissions
  - Suspicious use of AdjustPrivilegeToken
  PID:1880
- C:\Windows\SysWOW64\icacls.exe
  icacls.exe "C:\Windows\SysWOW64\cmd.exe" /grant SYSTEM:F
  2⤵
  - Possible privilege escalation attempt
  - Modifies file permissions
  PID:2416
- C:\Windows\SysWOW64\takeown.exe
  takeown.exe /f "C:\Windows\SysWOW64\cmd.exe"
  2⤵
  - Possible privilege escalation attempt
  - Modifies file permissions
  - Suspicious use of AdjustPrivilegeToken
  PID:2924
- C:\Windows\SysWOW64\icacls.exe
  icacls.exe "C:\Windows\SysWOW64\cmd.exe" /grant SYSTEM:F
  2⤵
  - Possible privilege escalation attempt
  - Modifies file permissions
  PID:1748
- C:\Windows\SysWOW64\takeown.exe
  takeown.exe /f "C:\Windows\SysWOW64\ftp.exe"
  2⤵
  - Possible privilege escalation attempt
  - Modifies file permissions
  - Suspicious use of AdjustPrivilegeToken
  PID:3808
- C:\Windows\SysWOW64\icacls.exe
  icacls.exe "C:\Windows\SysWOW64\ftp.exe" /grant SYSTEM:F
  2⤵
  - Possible privilege escalation attempt
  - Modifies file permissions
  PID:3832
- C:\Windows\SysWOW64\takeown.exe
  takeown.exe /f "C:\Windows\SysWOW64\ftp.exe"
  2⤵
  - Possible privilege escalation attempt
  - Modifies file permissions
  - Suspicious use of AdjustPrivilegeToken
  PID:4500
- C:\Windows\SysWOW64\icacls.exe
  icacls.exe "C:\Windows\SysWOW64\ftp.exe" /grant SYSTEM:F
  2⤵
  - Possible privilege escalation attempt
  - Modifies file permissions
  PID:4328
- C:\Windows\SysWOW64\takeown.exe
  takeown.exe /f "C:\Windows\SysWOW64\wscript.exe"
  2⤵
  - Possible privilege escalation attempt
  - Modifies file permissions
  - Suspicious use of AdjustPrivilegeToken
  PID:4624
- C:\Windows\SysWOW64\icacls.exe
  icacls.exe "C:\Windows\SysWOW64\wscript.exe" /grant SYSTEM:F
  2⤵
  - Possible privilege escalation attempt
  - Modifies file permissions
  PID:3196
- C:\Windows\SysWOW64\takeown.exe
  takeown.exe /f "C:\Windows\SysWOW64\wscript.exe"
  2⤵
  - Possible privilege escalation attempt
  - Modifies file permissions
  - Suspicious use of AdjustPrivilegeToken
  PID:912
- C:\Windows\SysWOW64\icacls.exe
  icacls.exe "C:\Windows\SysWOW64\wscript.exe" /grant SYSTEM:F
  2⤵
  - Possible privilege escalation attempt
  - Modifies file permissions
  PID:4164
- C:\Windows\SysWOW64\takeown.exe
  takeown.exe /f "C:\Windows\SysWOW64\cscript.exe"
  2⤵
  - Possible privilege escalation attempt
  - Modifies file permissions
  - Suspicious use of AdjustPrivilegeToken
  PID:3596
- C:\Windows\SysWOW64\icacls.exe
  icacls.exe "C:\Windows\SysWOW64\cscript.exe" /grant SYSTEM:F
  2⤵
  - Possible privilege escalation attempt
  - Modifies file permissions
  PID:1436
- C:\Windows\SysWOW64\takeown.exe
  takeown.exe /f "C:\Windows\SysWOW64\cscript.exe"
  2⤵
  - Possible privilege escalation attempt
  - Modifies file permissions
  - Suspicious use of AdjustPrivilegeToken
  PID:4156
- C:\Windows\SysWOW64\icacls.exe
  icacls.exe "C:\Windows\SysWOW64\cscript.exe" /grant SYSTEM:F
  2⤵
  - Possible privilege escalation attempt
  - Modifies file permissions
  PID:1756

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

File and Directory Permissions Modification

T1222

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\axqep.exe

Filesize
72KB

MD5
034a5d389fc637d08c53eb0b683f1e81

SHA1
86b0b3bd1a6cb3a4d4920206760874db099e4957

SHA256
a7da6aed7b37d407c180f59010e8633efd05bc697631a3c30d21f6d7abcf4b41

SHA512
da3d9ef91e1a8cb205c67ae5b6489bee5455c0156d58ff8f2c771c70b140b050bf39bf5c61c8f79fc12a3b4628ee0a9417f954aa5bf87f82c3e7d93d21aa667e

Download Submit
memory/628-136-0x0000000000000000-mapping.dmp

Download
memory/912-163-0x0000000000000000-mapping.dmp

Download
memory/1020-152-0x0000000000000000-mapping.dmp

Download
memory/1052-134-0x0000000000000000-mapping.dmp

Download
memory/1308-145-0x0000000000000000-mapping.dmp

Download
memory/1344-139-0x0000000000000000-mapping.dmp

Download
memory/1436-166-0x0000000000000000-mapping.dmp

Download
memory/1584-141-0x0000000000000000-mapping.dmp

Download
memory/1708-143-0x0000000000000000-mapping.dmp

Download
memory/1748-156-0x0000000000000000-mapping.dmp

Download
memory/1756-168-0x0000000000000000-mapping.dmp

Download
memory/1880-153-0x0000000000000000-mapping.dmp

Download
memory/2128-138-0x0000000000000000-mapping.dmp

Download
memory/2236-148-0x0000000000000000-mapping.dmp

Download
memory/2336-147-0x0000000000000000-mapping.dmp

Download
memory/2412-142-0x0000000000000000-mapping.dmp

Download
memory/2416-154-0x0000000000000000-mapping.dmp

Download
memory/2768-150-0x0000000000000000-mapping.dmp

Download
memory/2924-155-0x0000000000000000-mapping.dmp

Download
memory/3172-140-0x0000000000000000-mapping.dmp

Download
memory/3196-162-0x0000000000000000-mapping.dmp

Download
memory/3432-137-0x0000000000000000-mapping.dmp

Download
memory/3596-165-0x0000000000000000-mapping.dmp

Download
memory/3808-157-0x0000000000000000-mapping.dmp

Download
memory/3832-158-0x0000000000000000-mapping.dmp

Download
memory/3996-144-0x0000000000000000-mapping.dmp

Download
memory/4108-149-0x0000000000000000-mapping.dmp

Download
memory/4156-167-0x0000000000000000-mapping.dmp

Download
memory/4164-164-0x0000000000000000-mapping.dmp

Download
memory/4328-160-0x0000000000000000-mapping.dmp

Download
memory/4500-159-0x0000000000000000-mapping.dmp

Download
memory/4568-146-0x0000000000000000-mapping.dmp

Download
memory/4624-161-0x0000000000000000-mapping.dmp

Download
memory/4724-151-0x0000000000000000-mapping.dmp

Download