e49097e384a29fcd83091e7a0bdbf70033a1fb7ef92d72713d962e06ffe763a4

Analysis

max time kernel
90s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20220901-en
resource tags

arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system
submitted
07-11-2022 09:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e49097e384a29fcd83091e7a0bdbf70033a1fb7ef92d72713d962e06ffe763a4.exe
Size

72KB
MD5

056f96dd83869178cc89db4fc54d6d90
SHA1

b1634bbabcc7da99162eaa98a074b3d2d9795cca
SHA256

e49097e384a29fcd83091e7a0bdbf70033a1fb7ef92d72713d962e06ffe763a4
SHA512

4e9a796156938336b53e533c8117781e6f57d74b4d78b3c59762c67e795218a305059cc183e68d3bdc6d314cd3ec62c9a22c674290f4b5b48d7ee3cfcfd35916
SSDEEP

1536:nOLJplNXhB/+IPqtQ18PaFscIePpbeK/CeX6ZmwXCuQJ/p4+:nAJplB/+IStQ19FscIQb3imwXCuKO+

Score

8^/10

discovery exploit

Malware Config

Signatures

Possible privilege escalation attempt 34 IoCs

exploit

Processes:

takeown.exeicacls.exetakeown.exeicacls.exetakeown.exeicacls.exetakeown.exeicacls.exeicacls.exetakeown.exetakeown.exeicacls.exetakeown.exeicacls.exeicacls.exeicacls.exeicacls.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exeicacls.exeicacls.exeicacls.exetakeown.exetakeown.exeicacls.exetakeown.exetakeown.exeicacls.exeicacls.exetakeown.exeicacls.exe

pid	process
4436	takeown.exe
3340	icacls.exe
4468	takeown.exe
5068	icacls.exe
888	takeown.exe
2308	icacls.exe
1452	takeown.exe
1672	icacls.exe
3140	icacls.exe
388	takeown.exe
1288	takeown.exe
388	icacls.exe
4108	takeown.exe
4756	icacls.exe
3980	icacls.exe
4592	icacls.exe
3060	icacls.exe
2732	takeown.exe
3252	takeown.exe
1076	takeown.exe
1080	takeown.exe
4772	takeown.exe
1220	icacls.exe
3100	icacls.exe
888	icacls.exe
4180	takeown.exe
1696	takeown.exe
4180	icacls.exe
4892	takeown.exe
2232	takeown.exe
3992	icacls.exe
5112	icacls.exe
2272	takeown.exe
4684	icacls.exe

Modifies file permissions 1 TTPs 34 IoCs

discovery

File and Directory Permissions Modification

T1222

Processes:

takeown.exetakeown.exetakeown.exeicacls.exetakeown.exeicacls.exetakeown.exeicacls.exetakeown.exeicacls.exeicacls.exeicacls.exeicacls.exetakeown.exeicacls.exeicacls.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exeicacls.exetakeown.exeicacls.exeicacls.exetakeown.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exetakeown.exe

pid	process
4892	takeown.exe
4180	takeown.exe
2232	takeown.exe
3060	icacls.exe
2272	takeown.exe
4592	icacls.exe
388	takeown.exe
888	icacls.exe
1076	takeown.exe
3340	icacls.exe
1220	icacls.exe
388	icacls.exe
3992	icacls.exe
1452	takeown.exe
5068	icacls.exe
4684	icacls.exe
4436	takeown.exe
4772	takeown.exe
1288	takeown.exe
4108	takeown.exe
3252	takeown.exe
4468	takeown.exe
2732	takeown.exe
4180	icacls.exe
1696	takeown.exe
3100	icacls.exe
3140	icacls.exe
888	takeown.exe
4756	icacls.exe
2308	icacls.exe
5112	icacls.exe
1672	icacls.exe
3980	icacls.exe
1080	takeown.exe

Drops file in System32 directory 6 IoCs

Processes:

e49097e384a29fcd83091e7a0bdbf70033a1fb7ef92d72713d962e06ffe763a4.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\rrkr.exe	e49097e384a29fcd83091e7a0bdbf70033a1fb7ef92d72713d962e06ffe763a4.exe
File opened for modification	C:\Windows\SysWOW64\cmd.exe	e49097e384a29fcd83091e7a0bdbf70033a1fb7ef92d72713d962e06ffe763a4.exe
File opened for modification	C:\Windows\SysWOW64\ftp.exe	e49097e384a29fcd83091e7a0bdbf70033a1fb7ef92d72713d962e06ffe763a4.exe
File opened for modification	C:\Windows\SysWOW64\wscript.exe	e49097e384a29fcd83091e7a0bdbf70033a1fb7ef92d72713d962e06ffe763a4.exe
File opened for modification	C:\Windows\SysWOW64\cscript.exe	e49097e384a29fcd83091e7a0bdbf70033a1fb7ef92d72713d962e06ffe763a4.exe
File created	C:\Windows\SysWOW64\rrkr.exe	e49097e384a29fcd83091e7a0bdbf70033a1fb7ef92d72713d962e06ffe763a4.exe

Suspicious use of AdjustPrivilegeToken 16 IoCs

Processes:

takeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exe

description	pid	process
Token: SeTakeOwnershipPrivilege	4892	takeown.exe
Token: SeTakeOwnershipPrivilege	4180	takeown.exe
Token: SeTakeOwnershipPrivilege	888	takeown.exe
Token: SeTakeOwnershipPrivilege	1696	takeown.exe
Token: SeTakeOwnershipPrivilege	1452	takeown.exe
Token: SeTakeOwnershipPrivilege	4436	takeown.exe
Token: SeTakeOwnershipPrivilege	1076	takeown.exe
Token: SeTakeOwnershipPrivilege	2232	takeown.exe
Token: SeTakeOwnershipPrivilege	1080	takeown.exe
Token: SeTakeOwnershipPrivilege	2272	takeown.exe
Token: SeTakeOwnershipPrivilege	4772	takeown.exe
Token: SeTakeOwnershipPrivilege	388	takeown.exe
Token: SeTakeOwnershipPrivilege	4468	takeown.exe
Token: SeTakeOwnershipPrivilege	2732	takeown.exe
Token: SeTakeOwnershipPrivilege	1288	takeown.exe
Token: SeTakeOwnershipPrivilege	4108	takeown.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

e49097e384a29fcd83091e7a0bdbf70033a1fb7ef92d72713d962e06ffe763a4.exe

pid process

4964 e49097e384a29fcd83091e7a0bdbf70033a1fb7ef92d72713d962e06ffe763a4.exe

pid	process
4964	e49097e384a29fcd83091e7a0bdbf70033a1fb7ef92d72713d962e06ffe763a4.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

e49097e384a29fcd83091e7a0bdbf70033a1fb7ef92d72713d962e06ffe763a4.exe

description	pid	process	target process
PID 4964 wrote to memory of 3252	4964	e49097e384a29fcd83091e7a0bdbf70033a1fb7ef92d72713d962e06ffe763a4.exe	takeown.exe
PID 4964 wrote to memory of 3252	4964	e49097e384a29fcd83091e7a0bdbf70033a1fb7ef92d72713d962e06ffe763a4.exe	takeown.exe
PID 4964 wrote to memory of 3252	4964	e49097e384a29fcd83091e7a0bdbf70033a1fb7ef92d72713d962e06ffe763a4.exe	takeown.exe
PID 4964 wrote to memory of 388	4964	e49097e384a29fcd83091e7a0bdbf70033a1fb7ef92d72713d962e06ffe763a4.exe	icacls.exe
PID 4964 wrote to memory of 388	4964	e49097e384a29fcd83091e7a0bdbf70033a1fb7ef92d72713d962e06ffe763a4.exe	icacls.exe
PID 4964 wrote to memory of 388	4964	e49097e384a29fcd83091e7a0bdbf70033a1fb7ef92d72713d962e06ffe763a4.exe	icacls.exe
PID 4964 wrote to memory of 4892	4964	e49097e384a29fcd83091e7a0bdbf70033a1fb7ef92d72713d962e06ffe763a4.exe	takeown.exe
PID 4964 wrote to memory of 4892	4964	e49097e384a29fcd83091e7a0bdbf70033a1fb7ef92d72713d962e06ffe763a4.exe	takeown.exe
PID 4964 wrote to memory of 4892	4964	e49097e384a29fcd83091e7a0bdbf70033a1fb7ef92d72713d962e06ffe763a4.exe	takeown.exe
PID 4964 wrote to memory of 3992	4964	e49097e384a29fcd83091e7a0bdbf70033a1fb7ef92d72713d962e06ffe763a4.exe	icacls.exe
PID 4964 wrote to memory of 3992	4964	e49097e384a29fcd83091e7a0bdbf70033a1fb7ef92d72713d962e06ffe763a4.exe	icacls.exe
PID 4964 wrote to memory of 3992	4964	e49097e384a29fcd83091e7a0bdbf70033a1fb7ef92d72713d962e06ffe763a4.exe	icacls.exe
PID 4964 wrote to memory of 4180	4964	e49097e384a29fcd83091e7a0bdbf70033a1fb7ef92d72713d962e06ffe763a4.exe	takeown.exe
PID 4964 wrote to memory of 4180	4964	e49097e384a29fcd83091e7a0bdbf70033a1fb7ef92d72713d962e06ffe763a4.exe	takeown.exe
PID 4964 wrote to memory of 4180	4964	e49097e384a29fcd83091e7a0bdbf70033a1fb7ef92d72713d962e06ffe763a4.exe	takeown.exe
PID 4964 wrote to memory of 5068	4964	e49097e384a29fcd83091e7a0bdbf70033a1fb7ef92d72713d962e06ffe763a4.exe	icacls.exe
PID 4964 wrote to memory of 5068	4964	e49097e384a29fcd83091e7a0bdbf70033a1fb7ef92d72713d962e06ffe763a4.exe	icacls.exe
PID 4964 wrote to memory of 5068	4964	e49097e384a29fcd83091e7a0bdbf70033a1fb7ef92d72713d962e06ffe763a4.exe	icacls.exe
PID 4964 wrote to memory of 888	4964	e49097e384a29fcd83091e7a0bdbf70033a1fb7ef92d72713d962e06ffe763a4.exe	takeown.exe
PID 4964 wrote to memory of 888	4964	e49097e384a29fcd83091e7a0bdbf70033a1fb7ef92d72713d962e06ffe763a4.exe	takeown.exe
PID 4964 wrote to memory of 888	4964	e49097e384a29fcd83091e7a0bdbf70033a1fb7ef92d72713d962e06ffe763a4.exe	takeown.exe
PID 4964 wrote to memory of 4756	4964	e49097e384a29fcd83091e7a0bdbf70033a1fb7ef92d72713d962e06ffe763a4.exe	icacls.exe
PID 4964 wrote to memory of 4756	4964	e49097e384a29fcd83091e7a0bdbf70033a1fb7ef92d72713d962e06ffe763a4.exe	icacls.exe
PID 4964 wrote to memory of 4756	4964	e49097e384a29fcd83091e7a0bdbf70033a1fb7ef92d72713d962e06ffe763a4.exe	icacls.exe
PID 4964 wrote to memory of 1696	4964	e49097e384a29fcd83091e7a0bdbf70033a1fb7ef92d72713d962e06ffe763a4.exe	takeown.exe
PID 4964 wrote to memory of 1696	4964	e49097e384a29fcd83091e7a0bdbf70033a1fb7ef92d72713d962e06ffe763a4.exe	takeown.exe
PID 4964 wrote to memory of 1696	4964	e49097e384a29fcd83091e7a0bdbf70033a1fb7ef92d72713d962e06ffe763a4.exe	takeown.exe
PID 4964 wrote to memory of 2308	4964	e49097e384a29fcd83091e7a0bdbf70033a1fb7ef92d72713d962e06ffe763a4.exe	icacls.exe
PID 4964 wrote to memory of 2308	4964	e49097e384a29fcd83091e7a0bdbf70033a1fb7ef92d72713d962e06ffe763a4.exe	icacls.exe
PID 4964 wrote to memory of 2308	4964	e49097e384a29fcd83091e7a0bdbf70033a1fb7ef92d72713d962e06ffe763a4.exe	icacls.exe
PID 4964 wrote to memory of 1452	4964	e49097e384a29fcd83091e7a0bdbf70033a1fb7ef92d72713d962e06ffe763a4.exe	takeown.exe
PID 4964 wrote to memory of 1452	4964	e49097e384a29fcd83091e7a0bdbf70033a1fb7ef92d72713d962e06ffe763a4.exe	takeown.exe
PID 4964 wrote to memory of 1452	4964	e49097e384a29fcd83091e7a0bdbf70033a1fb7ef92d72713d962e06ffe763a4.exe	takeown.exe
PID 4964 wrote to memory of 4684	4964	e49097e384a29fcd83091e7a0bdbf70033a1fb7ef92d72713d962e06ffe763a4.exe	icacls.exe
PID 4964 wrote to memory of 4684	4964	e49097e384a29fcd83091e7a0bdbf70033a1fb7ef92d72713d962e06ffe763a4.exe	icacls.exe
PID 4964 wrote to memory of 4684	4964	e49097e384a29fcd83091e7a0bdbf70033a1fb7ef92d72713d962e06ffe763a4.exe	icacls.exe
PID 4964 wrote to memory of 4436	4964	e49097e384a29fcd83091e7a0bdbf70033a1fb7ef92d72713d962e06ffe763a4.exe	takeown.exe
PID 4964 wrote to memory of 4436	4964	e49097e384a29fcd83091e7a0bdbf70033a1fb7ef92d72713d962e06ffe763a4.exe	takeown.exe
PID 4964 wrote to memory of 4436	4964	e49097e384a29fcd83091e7a0bdbf70033a1fb7ef92d72713d962e06ffe763a4.exe	takeown.exe
PID 4964 wrote to memory of 5112	4964	e49097e384a29fcd83091e7a0bdbf70033a1fb7ef92d72713d962e06ffe763a4.exe	icacls.exe
PID 4964 wrote to memory of 5112	4964	e49097e384a29fcd83091e7a0bdbf70033a1fb7ef92d72713d962e06ffe763a4.exe	icacls.exe
PID 4964 wrote to memory of 5112	4964	e49097e384a29fcd83091e7a0bdbf70033a1fb7ef92d72713d962e06ffe763a4.exe	icacls.exe
PID 4964 wrote to memory of 1076	4964	e49097e384a29fcd83091e7a0bdbf70033a1fb7ef92d72713d962e06ffe763a4.exe	takeown.exe
PID 4964 wrote to memory of 1076	4964	e49097e384a29fcd83091e7a0bdbf70033a1fb7ef92d72713d962e06ffe763a4.exe	takeown.exe
PID 4964 wrote to memory of 1076	4964	e49097e384a29fcd83091e7a0bdbf70033a1fb7ef92d72713d962e06ffe763a4.exe	takeown.exe
PID 4964 wrote to memory of 1672	4964	e49097e384a29fcd83091e7a0bdbf70033a1fb7ef92d72713d962e06ffe763a4.exe	icacls.exe
PID 4964 wrote to memory of 1672	4964	e49097e384a29fcd83091e7a0bdbf70033a1fb7ef92d72713d962e06ffe763a4.exe	icacls.exe
PID 4964 wrote to memory of 1672	4964	e49097e384a29fcd83091e7a0bdbf70033a1fb7ef92d72713d962e06ffe763a4.exe	icacls.exe
PID 4964 wrote to memory of 2232	4964	e49097e384a29fcd83091e7a0bdbf70033a1fb7ef92d72713d962e06ffe763a4.exe	takeown.exe
PID 4964 wrote to memory of 2232	4964	e49097e384a29fcd83091e7a0bdbf70033a1fb7ef92d72713d962e06ffe763a4.exe	takeown.exe
PID 4964 wrote to memory of 2232	4964	e49097e384a29fcd83091e7a0bdbf70033a1fb7ef92d72713d962e06ffe763a4.exe	takeown.exe
PID 4964 wrote to memory of 3980	4964	e49097e384a29fcd83091e7a0bdbf70033a1fb7ef92d72713d962e06ffe763a4.exe	icacls.exe
PID 4964 wrote to memory of 3980	4964	e49097e384a29fcd83091e7a0bdbf70033a1fb7ef92d72713d962e06ffe763a4.exe	icacls.exe
PID 4964 wrote to memory of 3980	4964	e49097e384a29fcd83091e7a0bdbf70033a1fb7ef92d72713d962e06ffe763a4.exe	icacls.exe
PID 4964 wrote to memory of 1080	4964	e49097e384a29fcd83091e7a0bdbf70033a1fb7ef92d72713d962e06ffe763a4.exe	takeown.exe
PID 4964 wrote to memory of 1080	4964	e49097e384a29fcd83091e7a0bdbf70033a1fb7ef92d72713d962e06ffe763a4.exe	takeown.exe
PID 4964 wrote to memory of 1080	4964	e49097e384a29fcd83091e7a0bdbf70033a1fb7ef92d72713d962e06ffe763a4.exe	takeown.exe
PID 4964 wrote to memory of 3340	4964	e49097e384a29fcd83091e7a0bdbf70033a1fb7ef92d72713d962e06ffe763a4.exe	icacls.exe
PID 4964 wrote to memory of 3340	4964	e49097e384a29fcd83091e7a0bdbf70033a1fb7ef92d72713d962e06ffe763a4.exe	icacls.exe
PID 4964 wrote to memory of 3340	4964	e49097e384a29fcd83091e7a0bdbf70033a1fb7ef92d72713d962e06ffe763a4.exe	icacls.exe
PID 4964 wrote to memory of 2272	4964	e49097e384a29fcd83091e7a0bdbf70033a1fb7ef92d72713d962e06ffe763a4.exe	takeown.exe
PID 4964 wrote to memory of 2272	4964	e49097e384a29fcd83091e7a0bdbf70033a1fb7ef92d72713d962e06ffe763a4.exe	takeown.exe
PID 4964 wrote to memory of 2272	4964	e49097e384a29fcd83091e7a0bdbf70033a1fb7ef92d72713d962e06ffe763a4.exe	takeown.exe
PID 4964 wrote to memory of 3140	4964	e49097e384a29fcd83091e7a0bdbf70033a1fb7ef92d72713d962e06ffe763a4.exe	icacls.exe

C:\Users\Admin\AppData\Local\Temp\e49097e384a29fcd83091e7a0bdbf70033a1fb7ef92d72713d962e06ffe763a4.exe
"C:\Users\Admin\AppData\Local\Temp\e49097e384a29fcd83091e7a0bdbf70033a1fb7ef92d72713d962e06ffe763a4.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4964
- C:\Windows\SysWOW64\takeown.exe
  C:\Windows\system32\takeown.exe /f "C:\Windows\system32\rrkr.exe"
  2⤵
  - Possible privilege escalation attempt
  - Modifies file permissions
  PID:3252
- C:\Windows\SysWOW64\icacls.exe
  C:\Windows\system32\icacls.exe "C:\Windows\system32\rrkr.exe" /grant SYSTEM:F
  2⤵
  - Possible privilege escalation attempt
  - Modifies file permissions
  PID:388
- C:\Windows\SysWOW64\takeown.exe
  takeown.exe /f "C:\Windows\System32\cmd.exe"
  2⤵
  - Possible privilege escalation attempt
  - Modifies file permissions
  - Suspicious use of AdjustPrivilegeToken
  PID:4892
- C:\Windows\SysWOW64\icacls.exe
  icacls.exe "C:\Windows\System32\cmd.exe" /grant SYSTEM:F
  2⤵
  - Possible privilege escalation attempt
  - Modifies file permissions
  PID:3992
- C:\Windows\SysWOW64\takeown.exe
  takeown.exe /f "C:\Windows\System32\cmd.exe"
  2⤵
  - Possible privilege escalation attempt
  - Modifies file permissions
  - Suspicious use of AdjustPrivilegeToken
  PID:4180
- C:\Windows\SysWOW64\icacls.exe
  icacls.exe "C:\Windows\System32\cmd.exe" /grant SYSTEM:F
  2⤵
  - Possible privilege escalation attempt
  - Modifies file permissions
  PID:5068
- C:\Windows\SysWOW64\takeown.exe
  takeown.exe /f "C:\Windows\System32\ftp.exe"
  2⤵
  - Possible privilege escalation attempt
  - Modifies file permissions
  - Suspicious use of AdjustPrivilegeToken
  PID:888
- C:\Windows\SysWOW64\icacls.exe
  icacls.exe "C:\Windows\System32\ftp.exe" /grant SYSTEM:F
  2⤵
  - Possible privilege escalation attempt
  - Modifies file permissions
  PID:4756
- C:\Windows\SysWOW64\takeown.exe
  takeown.exe /f "C:\Windows\System32\ftp.exe"
  2⤵
  - Possible privilege escalation attempt
  - Modifies file permissions
  - Suspicious use of AdjustPrivilegeToken
  PID:1696
- C:\Windows\SysWOW64\icacls.exe
  icacls.exe "C:\Windows\System32\ftp.exe" /grant SYSTEM:F
  2⤵
  - Possible privilege escalation attempt
  - Modifies file permissions
  PID:2308
- C:\Windows\SysWOW64\takeown.exe
  takeown.exe /f "C:\Windows\System32\wscript.exe"
  2⤵
  - Possible privilege escalation attempt
  - Modifies file permissions
  - Suspicious use of AdjustPrivilegeToken
  PID:1452
- C:\Windows\SysWOW64\icacls.exe
  icacls.exe "C:\Windows\System32\wscript.exe" /grant SYSTEM:F
  2⤵
  - Possible privilege escalation attempt
  - Modifies file permissions
  PID:4684
- C:\Windows\SysWOW64\takeown.exe
  takeown.exe /f "C:\Windows\System32\wscript.exe"
  2⤵
  - Possible privilege escalation attempt
  - Modifies file permissions
  - Suspicious use of AdjustPrivilegeToken
  PID:4436
- C:\Windows\SysWOW64\icacls.exe
  icacls.exe "C:\Windows\System32\wscript.exe" /grant SYSTEM:F
  2⤵
  - Possible privilege escalation attempt
  - Modifies file permissions
  PID:5112
- C:\Windows\SysWOW64\takeown.exe
  takeown.exe /f "C:\Windows\System32\cscript.exe"
  2⤵
  - Possible privilege escalation attempt
  - Modifies file permissions
  - Suspicious use of AdjustPrivilegeToken
  PID:1076
- C:\Windows\SysWOW64\icacls.exe
  icacls.exe "C:\Windows\System32\cscript.exe" /grant SYSTEM:F
  2⤵
  - Possible privilege escalation attempt
  - Modifies file permissions
  PID:1672
- C:\Windows\SysWOW64\takeown.exe
  takeown.exe /f "C:\Windows\System32\cscript.exe"
  2⤵
  - Possible privilege escalation attempt
  - Modifies file permissions
  - Suspicious use of AdjustPrivilegeToken
  PID:2232
- C:\Windows\SysWOW64\icacls.exe
  icacls.exe "C:\Windows\System32\cscript.exe" /grant SYSTEM:F
  2⤵
  - Possible privilege escalation attempt
  - Modifies file permissions
  PID:3980
- C:\Windows\SysWOW64\takeown.exe
  takeown.exe /f "C:\Windows\SysWOW64\cmd.exe"
  2⤵
  - Possible privilege escalation attempt
  - Modifies file permissions
  - Suspicious use of AdjustPrivilegeToken
  PID:1080
- C:\Windows\SysWOW64\icacls.exe
  icacls.exe "C:\Windows\SysWOW64\cmd.exe" /grant SYSTEM:F
  2⤵
  - Possible privilege escalation attempt
  - Modifies file permissions
  PID:3340
- C:\Windows\SysWOW64\takeown.exe
  takeown.exe /f "C:\Windows\SysWOW64\cmd.exe"
  2⤵
  - Possible privilege escalation attempt
  - Modifies file permissions
  - Suspicious use of AdjustPrivilegeToken
  PID:2272
- C:\Windows\SysWOW64\icacls.exe
  icacls.exe "C:\Windows\SysWOW64\cmd.exe" /grant SYSTEM:F
  2⤵
  - Possible privilege escalation attempt
  - Modifies file permissions
  PID:3140
- C:\Windows\SysWOW64\takeown.exe
  takeown.exe /f "C:\Windows\SysWOW64\ftp.exe"
  2⤵
  - Possible privilege escalation attempt
  - Modifies file permissions
  - Suspicious use of AdjustPrivilegeToken
  PID:4772
- C:\Windows\SysWOW64\icacls.exe
  icacls.exe "C:\Windows\SysWOW64\ftp.exe" /grant SYSTEM:F
  2⤵
  - Possible privilege escalation attempt
  - Modifies file permissions
  PID:4592
- C:\Windows\SysWOW64\takeown.exe
  takeown.exe /f "C:\Windows\SysWOW64\ftp.exe"
  2⤵
  - Possible privilege escalation attempt
  - Modifies file permissions
  - Suspicious use of AdjustPrivilegeToken
  PID:388
- C:\Windows\SysWOW64\icacls.exe
  icacls.exe "C:\Windows\SysWOW64\ftp.exe" /grant SYSTEM:F
  2⤵
  - Possible privilege escalation attempt
  - Modifies file permissions
  PID:1220
- C:\Windows\SysWOW64\takeown.exe
  takeown.exe /f "C:\Windows\SysWOW64\wscript.exe"
  2⤵
  - Possible privilege escalation attempt
  - Modifies file permissions
  - Suspicious use of AdjustPrivilegeToken
  PID:4468
- C:\Windows\SysWOW64\icacls.exe
  icacls.exe "C:\Windows\SysWOW64\wscript.exe" /grant SYSTEM:F
  2⤵
  - Possible privilege escalation attempt
  - Modifies file permissions
  PID:3060
- C:\Windows\SysWOW64\takeown.exe
  takeown.exe /f "C:\Windows\SysWOW64\wscript.exe"
  2⤵
  - Possible privilege escalation attempt
  - Modifies file permissions
  - Suspicious use of AdjustPrivilegeToken
  PID:2732
- C:\Windows\SysWOW64\icacls.exe
  icacls.exe "C:\Windows\SysWOW64\wscript.exe" /grant SYSTEM:F
  2⤵
  - Possible privilege escalation attempt
  - Modifies file permissions
  PID:3100
- C:\Windows\SysWOW64\takeown.exe
  takeown.exe /f "C:\Windows\SysWOW64\cscript.exe"
  2⤵
  - Possible privilege escalation attempt
  - Modifies file permissions
  - Suspicious use of AdjustPrivilegeToken
  PID:1288
- C:\Windows\SysWOW64\icacls.exe
  icacls.exe "C:\Windows\SysWOW64\cscript.exe" /grant SYSTEM:F
  2⤵
  - Possible privilege escalation attempt
  - Modifies file permissions
  PID:4180
- C:\Windows\SysWOW64\takeown.exe
  takeown.exe /f "C:\Windows\SysWOW64\cscript.exe"
  2⤵
  - Possible privilege escalation attempt
  - Modifies file permissions
  - Suspicious use of AdjustPrivilegeToken
  PID:4108
- C:\Windows\SysWOW64\icacls.exe
  icacls.exe "C:\Windows\SysWOW64\cscript.exe" /grant SYSTEM:F
  2⤵
  - Possible privilege escalation attempt
  - Modifies file permissions
  PID:888

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

File and Directory Permissions Modification

T1222

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\rrkr.exe

Filesize
72KB

MD5
056f96dd83869178cc89db4fc54d6d90

SHA1
b1634bbabcc7da99162eaa98a074b3d2d9795cca

SHA256
e49097e384a29fcd83091e7a0bdbf70033a1fb7ef92d72713d962e06ffe763a4

SHA512
4e9a796156938336b53e533c8117781e6f57d74b4d78b3c59762c67e795218a305059cc183e68d3bdc6d314cd3ec62c9a22c674290f4b5b48d7ee3cfcfd35916

Download Submit
memory/388-139-0x0000000000000000-mapping.dmp

Download
memory/388-162-0x0000000000000000-mapping.dmp

Download
memory/888-171-0x0000000000000000-mapping.dmp

Download
memory/888-144-0x0000000000000000-mapping.dmp

Download
memory/1076-152-0x0000000000000000-mapping.dmp

Download
memory/1080-156-0x0000000000000000-mapping.dmp

Download
memory/1220-163-0x0000000000000000-mapping.dmp

Download
memory/1288-168-0x0000000000000000-mapping.dmp

Download
memory/1452-148-0x0000000000000000-mapping.dmp

Download
memory/1672-153-0x0000000000000000-mapping.dmp

Download
memory/1696-146-0x0000000000000000-mapping.dmp

Download
memory/2232-154-0x0000000000000000-mapping.dmp

Download
memory/2272-158-0x0000000000000000-mapping.dmp

Download
memory/2308-147-0x0000000000000000-mapping.dmp

Download
memory/2732-166-0x0000000000000000-mapping.dmp

Download
memory/3060-165-0x0000000000000000-mapping.dmp

Download
memory/3100-167-0x0000000000000000-mapping.dmp

Download
memory/3140-159-0x0000000000000000-mapping.dmp

Download
memory/3252-137-0x0000000000000000-mapping.dmp

Download
memory/3340-157-0x0000000000000000-mapping.dmp

Download
memory/3980-155-0x0000000000000000-mapping.dmp

Download
memory/3992-141-0x0000000000000000-mapping.dmp

Download
memory/4108-170-0x0000000000000000-mapping.dmp

Download
memory/4180-169-0x0000000000000000-mapping.dmp

Download
memory/4180-142-0x0000000000000000-mapping.dmp

Download
memory/4436-150-0x0000000000000000-mapping.dmp

Download
memory/4468-164-0x0000000000000000-mapping.dmp

Download
memory/4592-161-0x0000000000000000-mapping.dmp

Download
memory/4684-149-0x0000000000000000-mapping.dmp

Download
memory/4756-145-0x0000000000000000-mapping.dmp

Download
memory/4772-160-0x0000000000000000-mapping.dmp

Download
memory/4892-140-0x0000000000000000-mapping.dmp

Download
memory/5068-143-0x0000000000000000-mapping.dmp

Download
memory/5112-151-0x0000000000000000-mapping.dmp

Download