Analysis
- max time kernel: 153s
- max time network: 164s
- platform: windows10-2004_x64
- resource: win10v2004-20221111-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20221111-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 19-11-2022 07:15

Static task: static1
Behavioral task: behavioral1
Sample: 800a2790ba2e88fc64ffc34dbdb8a37b91082ae3c8f37439430adfea29f022ec.exe
Resource: win7-20221111-en
General
- Target: 800a2790ba2e88fc64ffc34dbdb8a37b91082ae3c8f37439430adfea29f022ec.exe
- Size: 72KB
- MD5: 096325d737bd6b67b2ca435ad6426be1
- SHA1: 0404febbc135b17bace80cf7d945e3b6c89b7607
- SHA256: 800a2790ba2e88fc64ffc34dbdb8a37b91082ae3c8f37439430adfea29f022ec
- SHA512: 4e213551524704883242ed8d3ffb37dfab7a6f65f67e9ef64831f1866dee3b7e672d68477271985f11ed12d18ba66ac9760e376e3265221da83e4e551d446724
- SSDEEP: 768:I9r9B4F/P3GFUfOLSdFbO0WA6NeqOA398Pg/dewX6yDUgsId2DzjVdGEXi6:IPB4NP/dg0ANM9TymvzjLNH
Malware Config

Signatures

Possible privilege escalation attempt (34 IoCs)
Processes (pid, process):
1504 takeown.exe
4532 icacls.exe
5068 takeown.exe
5020 icacls.exe
3856 icacls.exe
2560 icacls.exe
5036 takeown.exe
3180 icacls.exe
504 takeown.exe
2472 takeown.exe
4832 takeown.exe
848 icacls.exe
1368 takeown.exe
4220 takeown.exe
1656 takeown.exe
4684 takeown.exe
4344 icacls.exe
4196 takeown.exe
3564 icacls.exe
1756 icacls.exe
4124 icacls.exe
1820 icacls.exe
756 icacls.exe
3124 takeown.exe
1048 icacls.exe
3444 takeown.exe
1780 takeown.exe
5008 takeown.exe
1444 icacls.exe
2424 icacls.exe
3960 takeown.exe
1184 takeown.exe
976 icacls.exe
1952 icacls.exe

Modifies file permissions (1 TTPs, 34 IoCs)
Processes (pid, process):
1444 icacls.exe
2560 icacls.exe
1656 takeown.exe
3444 takeown.exe
5020 icacls.exe
1952 icacls.exe
1780 takeown.exe
1048 icacls.exe
5036 takeown.exe
1820 icacls.exe
3564 icacls.exe
4532 icacls.exe
1756 icacls.exe
2424 icacls.exe
3960 takeown.exe
3180 icacls.exe
1184 takeown.exe
5008 takeown.exe
3856 icacls.exe
1504 takeown.exe
4684 takeown.exe
976 icacls.exe
4124 icacls.exe
4196 takeown.exe
1368 takeown.exe
4220 takeown.exe
756 icacls.exe
3124 takeown.exe
5068 takeown.exe
504 takeown.exe
4344 icacls.exe
2472 takeown.exe
4832 takeown.exe
848 icacls.exe

Drops file in System32 directory (6 IoCs)
Processes (description | ioc | process):
File opened for modification | C:\Windows\SysWOW64\wscript.exe | 800a2790ba2e88fc64ffc34dbdb8a37b91082ae3c8f37439430adfea29f022ec.exe
File opened for modification | C:\Windows\SysWOW64\cscript.exe | 800a2790ba2e88fc64ffc34dbdb8a37b91082ae3c8f37439430adfea29f022ec.exe
File created | C:\Windows\SysWOW64\xdxez.exe | 800a2790ba2e88fc64ffc34dbdb8a37b91082ae3c8f37439430adfea29f022ec.exe
File opened for modification | C:\Windows\SysWOW64\xdxez.exe | 800a2790ba2e88fc64ffc34dbdb8a37b91082ae3c8f37439430adfea29f022ec.exe
File opened for modification | C:\Windows\SysWOW64\cmd.exe | 800a2790ba2e88fc64ffc34dbdb8a37b91082ae3c8f37439430adfea29f022ec.exe
File opened for modification | C:\Windows\SysWOW64\ftp.exe | 800a2790ba2e88fc64ffc34dbdb8a37b91082ae3c8f37439430adfea29f022ec.exe

Suspicious use of AdjustPrivilegeToken (16 IoCs)
Processes (description | pid | process):
Token: SeTakeOwnershipPrivilege | 504 | takeown.exe
Token: SeTakeOwnershipPrivilege | 2472 | takeown.exe
Token: SeTakeOwnershipPrivilege | 1780 | takeown.exe
Token: SeTakeOwnershipPrivilege | 5008 | takeown.exe
Token: SeTakeOwnershipPrivilege | 1368 | takeown.exe
Token: SeTakeOwnershipPrivilege | 4196 | takeown.exe
Token: SeTakeOwnershipPrivilege | 4220 | takeown.exe
Token: SeTakeOwnershipPrivilege | 1656 | takeown.exe
Token: SeTakeOwnershipPrivilege | 1504 | takeown.exe
Token: SeTakeOwnershipPrivilege | 3960 | takeown.exe
Token: SeTakeOwnershipPrivilege | 5036 | takeown.exe
Token: SeTakeOwnershipPrivilege | 3444 | takeown.exe
Token: SeTakeOwnershipPrivilege | 4684 | takeown.exe
Token: SeTakeOwnershipPrivilege | 3124 | takeown.exe
Token: SeTakeOwnershipPrivilege | 5068 | takeown.exe
Token: SeTakeOwnershipPrivilege | 4832 | takeown.exe

Suspicious use of SetWindowsHookEx (1 IoCs)
Processes (pid, process):
2692 800a2790ba2e88fc64ffc34dbdb8a37b91082ae3c8f37439430adfea29f022ec.exe

Suspicious use of WriteProcessMemory (64 IoCs)
All writes originate from PID 2692 (800a2790ba2e88fc64ffc34dbdb8a37b91082ae3c8f37439430adfea29f022ec.exe). Each target below was written to three times unless noted (identical rows in the report are grouped here; 64 rows in total).
Processes (description | target pid | target process | count):
PID 2692 wrote to memory of | 1184 | takeown.exe | 3
PID 2692 wrote to memory of | 1756 | icacls.exe | 3
PID 2692 wrote to memory of | 504 | takeown.exe | 3
PID 2692 wrote to memory of | 4344 | icacls.exe | 3
PID 2692 wrote to memory of | 2472 | takeown.exe | 3
PID 2692 wrote to memory of | 976 | icacls.exe | 3
PID 2692 wrote to memory of | 1780 | takeown.exe | 3
PID 2692 wrote to memory of | 4124 | icacls.exe | 3
PID 2692 wrote to memory of | 5008 | takeown.exe | 3
PID 2692 wrote to memory of | 3856 | icacls.exe | 3
PID 2692 wrote to memory of | 1368 | takeown.exe | 3
PID 2692 wrote to memory of | 1444 | icacls.exe | 3
PID 2692 wrote to memory of | 4196 | takeown.exe | 3
PID 2692 wrote to memory of | 1820 | icacls.exe | 3
PID 2692 wrote to memory of | 4220 | takeown.exe | 3
PID 2692 wrote to memory of | 756 | icacls.exe | 3
PID 2692 wrote to memory of | 1656 | takeown.exe | 3
PID 2692 wrote to memory of | 2424 | icacls.exe | 3
PID 2692 wrote to memory of | 1504 | takeown.exe | 3
PID 2692 wrote to memory of | 2560 | icacls.exe | 3
PID 2692 wrote to memory of | 3960 | takeown.exe | 3
PID 2692 wrote to memory of | 1048 | icacls.exe | 1
Processes
(depth in the process tree is given in brackets; all depth-2 processes are children of PID 2692)

[1] C:\Users\Admin\AppData\Local\Temp\800a2790ba2e88fc64ffc34dbdb8a37b91082ae3c8f37439430adfea29f022ec.exe (PID 2692)
Command line: "C:\Users\Admin\AppData\Local\Temp\800a2790ba2e88fc64ffc34dbdb8a37b91082ae3c8f37439430adfea29f022ec.exe"
- Drops file in System32 directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory

[2] C:\Windows\SysWOW64\takeown.exe (PID 1184)
Command line: C:\Windows\system32\takeown.exe /f "C:\Windows\system32\xdxez.exe"
- Possible privilege escalation attempt
- Modifies file permissions

[2] C:\Windows\SysWOW64\icacls.exe (PID 1756)
Command line: C:\Windows\system32\icacls.exe "C:\Windows\system32\xdxez.exe" /grant SYSTEM:F
- Possible privilege escalation attempt
- Modifies file permissions

[2] C:\Windows\SysWOW64\takeown.exe (PID 504)
Command line: takeown.exe /f "C:\Windows\System32\cmd.exe"
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken

[2] C:\Windows\SysWOW64\icacls.exe (PID 4344)
Command line: icacls.exe "C:\Windows\System32\cmd.exe" /grant SYSTEM:F
- Possible privilege escalation attempt
- Modifies file permissions

[2] C:\Windows\SysWOW64\takeown.exe (PID 2472)
Command line: takeown.exe /f "C:\Windows\System32\cmd.exe"
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken

[2] C:\Windows\SysWOW64\icacls.exe (PID 976)
Command line: icacls.exe "C:\Windows\System32\cmd.exe" /grant SYSTEM:F
- Possible privilege escalation attempt
- Modifies file permissions

[2] C:\Windows\SysWOW64\takeown.exe (PID 1780)
Command line: takeown.exe /f "C:\Windows\System32\ftp.exe"
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken

[2] C:\Windows\SysWOW64\icacls.exe (PID 4124)
Command line: icacls.exe "C:\Windows\System32\ftp.exe" /grant SYSTEM:F
- Possible privilege escalation attempt
- Modifies file permissions

[2] C:\Windows\SysWOW64\takeown.exe (PID 5008)
Command line: takeown.exe /f "C:\Windows\System32\ftp.exe"
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken

[2] C:\Windows\SysWOW64\icacls.exe (PID 3856)
Command line: icacls.exe "C:\Windows\System32\ftp.exe" /grant SYSTEM:F
- Possible privilege escalation attempt
- Modifies file permissions

[2] C:\Windows\SysWOW64\takeown.exe (PID 1368)
Command line: takeown.exe /f "C:\Windows\System32\wscript.exe"
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken

[2] C:\Windows\SysWOW64\icacls.exe (PID 1444)
Command line: icacls.exe "C:\Windows\System32\wscript.exe" /grant SYSTEM:F
- Possible privilege escalation attempt
- Modifies file permissions

[2] C:\Windows\SysWOW64\takeown.exe (PID 4196)
Command line: takeown.exe /f "C:\Windows\System32\wscript.exe"
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken

[2] C:\Windows\SysWOW64\icacls.exe (PID 1820)
Command line: icacls.exe "C:\Windows\System32\wscript.exe" /grant SYSTEM:F
- Possible privilege escalation attempt
- Modifies file permissions

[2] C:\Windows\SysWOW64\takeown.exe (PID 4220)
Command line: takeown.exe /f "C:\Windows\System32\cscript.exe"
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken

[2] C:\Windows\SysWOW64\icacls.exe (PID 756)
Command line: icacls.exe "C:\Windows\System32\cscript.exe" /grant SYSTEM:F
- Possible privilege escalation attempt
- Modifies file permissions

[2] C:\Windows\SysWOW64\takeown.exe (PID 1656)
Command line: takeown.exe /f "C:\Windows\System32\cscript.exe"
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken

[2] C:\Windows\SysWOW64\icacls.exe (PID 2424)
Command line: icacls.exe "C:\Windows\System32\cscript.exe" /grant SYSTEM:F
- Possible privilege escalation attempt
- Modifies file permissions

[2] C:\Windows\SysWOW64\takeown.exe (PID 1504)
Command line: takeown.exe /f "C:\Windows\SysWOW64\cmd.exe"
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken

[2] C:\Windows\SysWOW64\icacls.exe (PID 2560)
Command line: icacls.exe "C:\Windows\SysWOW64\cmd.exe" /grant SYSTEM:F
- Possible privilege escalation attempt
- Modifies file permissions

[2] C:\Windows\SysWOW64\takeown.exe (PID 3960)
Command line: takeown.exe /f "C:\Windows\SysWOW64\cmd.exe"
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken

[2] C:\Windows\SysWOW64\icacls.exe (PID 1048)
Command line: icacls.exe "C:\Windows\SysWOW64\cmd.exe" /grant SYSTEM:F
- Possible privilege escalation attempt
- Modifies file permissions

[2] C:\Windows\SysWOW64\takeown.exe (PID 5036)
Command line: takeown.exe /f "C:\Windows\SysWOW64\ftp.exe"
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken

[2] C:\Windows\SysWOW64\icacls.exe (PID 1952)
Command line: icacls.exe "C:\Windows\SysWOW64\ftp.exe" /grant SYSTEM:F
- Possible privilege escalation attempt
- Modifies file permissions

[2] C:\Windows\SysWOW64\takeown.exe (PID 3444)
Command line: takeown.exe /f "C:\Windows\SysWOW64\ftp.exe"
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken

[2] C:\Windows\SysWOW64\icacls.exe (PID 3564)
Command line: icacls.exe "C:\Windows\SysWOW64\ftp.exe" /grant SYSTEM:F
- Possible privilege escalation attempt
- Modifies file permissions

[2] C:\Windows\SysWOW64\takeown.exe (PID 4684)
Command line: takeown.exe /f "C:\Windows\SysWOW64\wscript.exe"
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken

[2] C:\Windows\SysWOW64\icacls.exe (PID 3180)
Command line: icacls.exe "C:\Windows\SysWOW64\wscript.exe" /grant SYSTEM:F
- Possible privilege escalation attempt
- Modifies file permissions

[2] C:\Windows\SysWOW64\takeown.exe (PID 3124)
Command line: takeown.exe /f "C:\Windows\SysWOW64\wscript.exe"
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken

[2] C:\Windows\SysWOW64\icacls.exe (PID 4532)
Command line: icacls.exe "C:\Windows\SysWOW64\wscript.exe" /grant SYSTEM:F
- Possible privilege escalation attempt
- Modifies file permissions

[2] C:\Windows\SysWOW64\takeown.exe (PID 5068)
Command line: takeown.exe /f "C:\Windows\SysWOW64\cscript.exe"
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken

[2] C:\Windows\SysWOW64\icacls.exe (PID 5020)
Command line: icacls.exe "C:\Windows\SysWOW64\cscript.exe" /grant SYSTEM:F
- Possible privilege escalation attempt
- Modifies file permissions

[2] C:\Windows\SysWOW64\takeown.exe (PID 4832)
Command line: takeown.exe /f "C:\Windows\SysWOW64\cscript.exe"
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken

[2] C:\Windows\SysWOW64\icacls.exe (PID 848)
Command line: icacls.exe "C:\Windows\SysWOW64\cscript.exe" /grant SYSTEM:F
- Possible privilege escalation attempt
- Modifies file permissions
Network
MITRE ATT&CK Enterprise v6
Downloads
- C:\Windows\SysWOW64\xdxez.exe
  Filesize: 72KB
  MD5: 096325d737bd6b67b2ca435ad6426be1
  SHA1: 0404febbc135b17bace80cf7d945e3b6c89b7607
  SHA256: 800a2790ba2e88fc64ffc34dbdb8a37b91082ae3c8f37439430adfea29f022ec
  SHA512: 4e213551524704883242ed8d3ffb37dfab7a6f65f67e9ef64831f1866dee3b7e672d68477271985f11ed12d18ba66ac9760e376e3265221da83e4e551d446724

Memory dumps:
- memory/504-137-0x0000000000000000-mapping.dmp
- memory/756-150-0x0000000000000000-mapping.dmp
- memory/848-168-0x0000000000000000-mapping.dmp
- memory/976-140-0x0000000000000000-mapping.dmp
- memory/1048-156-0x0000000000000000-mapping.dmp
- memory/1184-134-0x0000000000000000-mapping.dmp
- memory/1368-145-0x0000000000000000-mapping.dmp
- memory/1444-146-0x0000000000000000-mapping.dmp
- memory/1504-153-0x0000000000000000-mapping.dmp
- memory/1656-151-0x0000000000000000-mapping.dmp
- memory/1756-136-0x0000000000000000-mapping.dmp
- memory/1780-141-0x0000000000000000-mapping.dmp
- memory/1820-148-0x0000000000000000-mapping.dmp
- memory/1952-158-0x0000000000000000-mapping.dmp
- memory/2424-152-0x0000000000000000-mapping.dmp
- memory/2472-139-0x0000000000000000-mapping.dmp
- memory/2560-154-0x0000000000000000-mapping.dmp
- memory/3124-163-0x0000000000000000-mapping.dmp
- memory/3180-162-0x0000000000000000-mapping.dmp
- memory/3444-159-0x0000000000000000-mapping.dmp
- memory/3564-160-0x0000000000000000-mapping.dmp
- memory/3856-144-0x0000000000000000-mapping.dmp
- memory/3960-155-0x0000000000000000-mapping.dmp
- memory/4124-142-0x0000000000000000-mapping.dmp
- memory/4196-147-0x0000000000000000-mapping.dmp
- memory/4220-149-0x0000000000000000-mapping.dmp
- memory/4344-138-0x0000000000000000-mapping.dmp
- memory/4532-164-0x0000000000000000-mapping.dmp
- memory/4684-161-0x0000000000000000-mapping.dmp
- memory/4832-167-0x0000000000000000-mapping.dmp
- memory/5008-143-0x0000000000000000-mapping.dmp
- memory/5020-166-0x0000000000000000-mapping.dmp
- memory/5036-157-0x0000000000000000-mapping.dmp
- memory/5068-165-0x0000000000000000-mapping.dmp