Analysis
- max time kernel: 148s
- max time network: 158s
- platform: windows10-2004_x64
- resource: win10v2004-20221111-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20221111-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 19-11-2022 00:10

Static task: static1
Behavioral task: behavioral1
Sample: 3940afe5809a5580f7a57c5b69df4338aa61155faad5c7a523a130ec6517b598.exe
Resource: win7-20221111-en
General
- Target: 3940afe5809a5580f7a57c5b69df4338aa61155faad5c7a523a130ec6517b598.exe
- Size: 68KB
- MD5: 081e05e6392b1b028d2c76abab626976
- SHA1: b71fe920748230c5a6aa6e43148a66c35ecdb4ed
- SHA256: 3940afe5809a5580f7a57c5b69df4338aa61155faad5c7a523a130ec6517b598
- SHA512: f091a0171a14e1f15261a0d03b45e792510581b2b21e8523b57aabda2fb7b8b5a68db366588ee6f8a5e1e871fa5e4fc7c9e6c8a9eb2349a266087810217021e1
- SSDEEP: 768:pmGVD7IqdoTouRxKuuDGIwJ5w8WMIlxAig4Gvx04COYKGgX1Uy5muXI:zD7vEIK1Ilx/yWglUy5m4I
Malware Config
Signatures
- Possible privilege escalation attempt (34 IoCs)
  Processes (pid process): 4756 icacls.exe, 4348 icacls.exe, 3364 icacls.exe, 944 icacls.exe, 3968 icacls.exe, 1952 takeown.exe, 5040 icacls.exe, 4792 takeown.exe, 4372 icacls.exe, 616 icacls.exe, 1860 takeown.exe, 1120 icacls.exe, 4524 takeown.exe, 4588 takeown.exe, 2792 icacls.exe, 1860 icacls.exe, 1384 takeown.exe, 3140 takeown.exe, 3264 takeown.exe, 1044 icacls.exe, 4840 takeown.exe, 332 icacls.exe, 2412 takeown.exe, 4796 takeown.exe, 4520 icacls.exe, 3832 takeown.exe, 2160 takeown.exe, 4028 icacls.exe, 2100 takeown.exe, 2344 takeown.exe, 1904 icacls.exe, 4524 icacls.exe, 4260 takeown.exe, 4988 takeown.exe
- Modifies file permissions (1 TTPs, 34 IoCs)
  Processes (pid process): 4260 takeown.exe, 1860 takeown.exe, 4796 takeown.exe, 3264 takeown.exe, 4372 icacls.exe, 332 icacls.exe, 4588 takeown.exe, 2792 icacls.exe, 3832 takeown.exe, 1120 icacls.exe, 1860 icacls.exe, 2344 takeown.exe, 2100 takeown.exe, 1904 icacls.exe, 1952 takeown.exe, 4756 icacls.exe, 5040 icacls.exe, 1384 takeown.exe, 1044 icacls.exe, 3968 icacls.exe, 4840 takeown.exe, 3140 takeown.exe, 2412 takeown.exe, 944 icacls.exe, 4520 icacls.exe, 4348 icacls.exe, 2160 takeown.exe, 4028 icacls.exe, 4792 takeown.exe, 616 icacls.exe, 4524 takeown.exe, 4988 takeown.exe, 4524 icacls.exe, 3364 icacls.exe
- Drops file in System32 directory (6 IoCs)
  Process: 3940afe5809a5580f7a57c5b69df4338aa61155faad5c7a523a130ec6517b598.exe (description: ioc)
  File opened for modification: C:\Windows\SysWOW64\ftp.exe
  File opened for modification: C:\Windows\SysWOW64\wscript.exe
  File opened for modification: C:\Windows\SysWOW64\cscript.exe
  File created: C:\Windows\SysWOW64\tdavx.exe
  File opened for modification: C:\Windows\SysWOW64\tdavx.exe
  File opened for modification: C:\Windows\SysWOW64\cmd.exe
- Suspicious use of AdjustPrivilegeToken (16 IoCs)
  Token: SeTakeOwnershipPrivilege, enabled by takeown.exe in pids 2412, 4524, 4796, 2160, 2344, 4588, 3264, 1384, 4792, 2100, 4840, 3140, 3832, 4988, 1860, 1952
- Suspicious use of SetWindowsHookEx (1 IoCs)
  Process (pid process): 2552 3940afe5809a5580f7a57c5b69df4338aa61155faad5c7a523a130ec6517b598.exe
- Suspicious use of WriteProcessMemory (64 IoCs)
  Source process: PID 2552, 3940afe5809a5580f7a57c5b69df4338aa61155faad5c7a523a130ec6517b598.exe
  Target processes (target pid, target process), three "wrote to memory of" events each unless noted: 4260 takeown.exe, 1120 icacls.exe, 2412 takeown.exe, 944 icacls.exe, 4524 takeown.exe, 1860 icacls.exe, 4796 takeown.exe, 4756 icacls.exe, 2160 takeown.exe, 4520 icacls.exe, 2344 takeown.exe, 4348 icacls.exe, 4588 takeown.exe, 5040 icacls.exe, 3264 takeown.exe, 4028 icacls.exe, 1384 takeown.exe, 1044 icacls.exe, 4792 takeown.exe, 4372 icacls.exe, 2100 takeown.exe, 3968 icacls.exe (one event)
Processes
- C:\Users\Admin\AppData\Local\Temp\3940afe5809a5580f7a57c5b69df4338aa61155faad5c7a523a130ec6517b598.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\3940afe5809a5580f7a57c5b69df4338aa61155faad5c7a523a130ec6517b598.exe"
  Signatures: Drops file in System32 directory; Suspicious use of SetWindowsHookEx; Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\takeown.exe
    Command line: C:\Windows\system32\takeown.exe /f "C:\Windows\system32\tdavx.exe"
    Signatures: Possible privilege escalation attempt; Modifies file permissions
  - C:\Windows\SysWOW64\icacls.exe
    Command line: C:\Windows\system32\icacls.exe "C:\Windows\system32\tdavx.exe" /grant SYSTEM:F
    Signatures: Possible privilege escalation attempt; Modifies file permissions
  - C:\Windows\SysWOW64\takeown.exe
    Command line: takeown.exe /f "C:\Windows\System32\cmd.exe"
    Signatures: Possible privilege escalation attempt; Modifies file permissions; Suspicious use of AdjustPrivilegeToken
  - C:\Windows\SysWOW64\icacls.exe
    Command line: icacls.exe "" /grant Users:F
    Signatures: Possible privilege escalation attempt; Modifies file permissions
  - C:\Windows\SysWOW64\takeown.exe
    Command line: takeown.exe /f "C:\Windows\System32\cmd.exe"
    Signatures: Possible privilege escalation attempt; Modifies file permissions; Suspicious use of AdjustPrivilegeToken
  - C:\Windows\SysWOW64\icacls.exe
    Command line: icacls.exe "" /grant Users:F
    Signatures: Possible privilege escalation attempt; Modifies file permissions
  - C:\Windows\SysWOW64\takeown.exe
    Command line: takeown.exe /f "C:\Windows\System32\ftp.exe"
    Signatures: Possible privilege escalation attempt; Modifies file permissions; Suspicious use of AdjustPrivilegeToken
  - C:\Windows\SysWOW64\icacls.exe
    Command line: icacls.exe "" /grant Users:F
    Signatures: Possible privilege escalation attempt; Modifies file permissions
  - C:\Windows\SysWOW64\takeown.exe
    Command line: takeown.exe /f "C:\Windows\System32\ftp.exe"
    Signatures: Possible privilege escalation attempt; Modifies file permissions; Suspicious use of AdjustPrivilegeToken
  - C:\Windows\SysWOW64\icacls.exe
    Command line: icacls.exe "" /grant Users:F
    Signatures: Possible privilege escalation attempt; Modifies file permissions
  - C:\Windows\SysWOW64\takeown.exe
    Command line: takeown.exe /f "C:\Windows\System32\wscript.exe"
    Signatures: Possible privilege escalation attempt; Modifies file permissions; Suspicious use of AdjustPrivilegeToken
  - C:\Windows\SysWOW64\icacls.exe
    Command line: icacls.exe "" /grant Users:F
    Signatures: Possible privilege escalation attempt; Modifies file permissions
  - C:\Windows\SysWOW64\takeown.exe
    Command line: takeown.exe /f "C:\Windows\System32\wscript.exe"
    Signatures: Possible privilege escalation attempt; Modifies file permissions; Suspicious use of AdjustPrivilegeToken
  - C:\Windows\SysWOW64\icacls.exe
    Command line: icacls.exe "" /grant Users:F
    Signatures: Possible privilege escalation attempt; Modifies file permissions
  - C:\Windows\SysWOW64\takeown.exe
    Command line: takeown.exe /f "C:\Windows\System32\cscript.exe"
    Signatures: Possible privilege escalation attempt; Modifies file permissions; Suspicious use of AdjustPrivilegeToken
  - C:\Windows\SysWOW64\icacls.exe
    Command line: icacls.exe "" /grant Users:F
    Signatures: Possible privilege escalation attempt; Modifies file permissions
  - C:\Windows\SysWOW64\takeown.exe
    Command line: takeown.exe /f "C:\Windows\System32\cscript.exe"
    Signatures: Possible privilege escalation attempt; Modifies file permissions; Suspicious use of AdjustPrivilegeToken
  - C:\Windows\SysWOW64\icacls.exe
    Command line: icacls.exe "" /grant Users:F
    Signatures: Possible privilege escalation attempt; Modifies file permissions
  - C:\Windows\SysWOW64\takeown.exe
    Command line: takeown.exe /f "C:\Windows\SysWOW64\cmd.exe"
    Signatures: Possible privilege escalation attempt; Modifies file permissions; Suspicious use of AdjustPrivilegeToken
  - C:\Windows\SysWOW64\icacls.exe
    Command line: icacls.exe "" /grant Users:F
    Signatures: Possible privilege escalation attempt; Modifies file permissions
  - C:\Windows\SysWOW64\takeown.exe
    Command line: takeown.exe /f "C:\Windows\SysWOW64\cmd.exe"
    Signatures: Possible privilege escalation attempt; Modifies file permissions; Suspicious use of AdjustPrivilegeToken
  - C:\Windows\SysWOW64\icacls.exe
    Command line: icacls.exe "" /grant Users:F
    Signatures: Possible privilege escalation attempt; Modifies file permissions
  - C:\Windows\SysWOW64\takeown.exe
    Command line: takeown.exe /f "C:\Windows\SysWOW64\ftp.exe"
    Signatures: Possible privilege escalation attempt; Modifies file permissions; Suspicious use of AdjustPrivilegeToken
  - C:\Windows\SysWOW64\icacls.exe
    Command line: icacls.exe "" /grant Users:F
    Signatures: Possible privilege escalation attempt; Modifies file permissions
  - C:\Windows\SysWOW64\takeown.exe
    Command line: takeown.exe /f "C:\Windows\SysWOW64\ftp.exe"
    Signatures: Possible privilege escalation attempt; Modifies file permissions; Suspicious use of AdjustPrivilegeToken
  - C:\Windows\SysWOW64\icacls.exe
    Command line: icacls.exe "" /grant Users:F
    Signatures: Possible privilege escalation attempt; Modifies file permissions
  - C:\Windows\SysWOW64\takeown.exe
    Command line: takeown.exe /f "C:\Windows\SysWOW64\wscript.exe"
    Signatures: Possible privilege escalation attempt; Modifies file permissions; Suspicious use of AdjustPrivilegeToken
  - C:\Windows\SysWOW64\icacls.exe
    Command line: icacls.exe "" /grant Users:F
    Signatures: Possible privilege escalation attempt; Modifies file permissions
  - C:\Windows\SysWOW64\takeown.exe
    Command line: takeown.exe /f "C:\Windows\SysWOW64\wscript.exe"
    Signatures: Possible privilege escalation attempt; Modifies file permissions; Suspicious use of AdjustPrivilegeToken
  - C:\Windows\SysWOW64\icacls.exe
    Command line: icacls.exe "" /grant Users:F
    Signatures: Possible privilege escalation attempt; Modifies file permissions
  - C:\Windows\SysWOW64\takeown.exe
    Command line: takeown.exe /f "C:\Windows\SysWOW64\cscript.exe"
    Signatures: Possible privilege escalation attempt; Modifies file permissions; Suspicious use of AdjustPrivilegeToken
  - C:\Windows\SysWOW64\icacls.exe
    Command line: icacls.exe "" /grant Users:F
    Signatures: Possible privilege escalation attempt; Modifies file permissions
  - C:\Windows\SysWOW64\takeown.exe
    Command line: takeown.exe /f "C:\Windows\SysWOW64\cscript.exe"
    Signatures: Possible privilege escalation attempt; Modifies file permissions; Suspicious use of AdjustPrivilegeToken
  - C:\Windows\SysWOW64\icacls.exe
    Command line: icacls.exe "" /grant Users:F
    Signatures: Possible privilege escalation attempt; Modifies file permissions
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Windows\SysWOW64\tdavx.exe (same size and hashes as the submitted sample)
  Filesize: 68KB
  MD5: 081e05e6392b1b028d2c76abab626976
  SHA1: b71fe920748230c5a6aa6e43148a66c35ecdb4ed
  SHA256: 3940afe5809a5580f7a57c5b69df4338aa61155faad5c7a523a130ec6517b598
  SHA512: f091a0171a14e1f15261a0d03b45e792510581b2b21e8523b57aabda2fb7b8b5a68db366588ee6f8a5e1e871fa5e4fc7c9e6c8a9eb2349a266087810217021e1
- memory/332-162-0x0000000000000000-mapping.dmp
- memory/616-160-0x0000000000000000-mapping.dmp
- memory/944-138-0x0000000000000000-mapping.dmp
- memory/1044-152-0x0000000000000000-mapping.dmp
- memory/1120-136-0x0000000000000000-mapping.dmp
- memory/1384-151-0x0000000000000000-mapping.dmp
- memory/1860-165-0x0000000000000000-mapping.dmp
- memory/1860-140-0x0000000000000000-mapping.dmp
- memory/1904-158-0x0000000000000000-mapping.dmp
- memory/1952-167-0x0000000000000000-mapping.dmp
- memory/2100-155-0x0000000000000000-mapping.dmp
- memory/2160-143-0x0000000000000000-mapping.dmp
- memory/2344-145-0x0000000000000000-mapping.dmp
- memory/2412-137-0x0000000000000000-mapping.dmp
- memory/2792-166-0x0000000000000000-mapping.dmp
- memory/3140-159-0x0000000000000000-mapping.dmp
- memory/3264-149-0x0000000000000000-mapping.dmp
- memory/3364-168-0x0000000000000000-mapping.dmp
- memory/3832-161-0x0000000000000000-mapping.dmp
- memory/3968-156-0x0000000000000000-mapping.dmp
- memory/4028-150-0x0000000000000000-mapping.dmp
- memory/4260-134-0x0000000000000000-mapping.dmp
- memory/4348-146-0x0000000000000000-mapping.dmp
- memory/4372-154-0x0000000000000000-mapping.dmp
- memory/4520-144-0x0000000000000000-mapping.dmp
- memory/4524-164-0x0000000000000000-mapping.dmp
- memory/4524-139-0x0000000000000000-mapping.dmp
- memory/4588-147-0x0000000000000000-mapping.dmp
- memory/4756-142-0x0000000000000000-mapping.dmp
- memory/4792-153-0x0000000000000000-mapping.dmp
- memory/4796-141-0x0000000000000000-mapping.dmp
- memory/4840-157-0x0000000000000000-mapping.dmp
- memory/4988-163-0x0000000000000000-mapping.dmp
- memory/5040-148-0x0000000000000000-mapping.dmp