Analysis
-
max time kernel
144s -
max time network
150s -
platform
windows10-2004_x64 -
resource
win10v2004-20220812-en -
resource tags
arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system -
submitted
21-11-2022 13:13
Static task
static1
Behavioral task
behavioral1
Sample
ce2e63d63a3deaa376d54517481d1702f40b4b7b92c60fbd454941f4e1525232.exe
Resource
win7-20220901-en
General
-
Target
ce2e63d63a3deaa376d54517481d1702f40b4b7b92c60fbd454941f4e1525232.exe
-
Size
64KB
-
MD5
156b0d499d5bce95710bf613e038fbf6
-
SHA1
f83a03b73bc4c8f9c70927831c542cb8beb14eba
-
SHA256
ce2e63d63a3deaa376d54517481d1702f40b4b7b92c60fbd454941f4e1525232
-
SHA512
f2ef4f323070757a7eaf2909da3c087aab2fa7f74b71efeadbddfc77011110360fc7129374d5f15fef017f5054efeb3de6d44a7f4ed71fb526e8ed0434494460
-
SSDEEP
768:rhzt36itED7hifBZo7jAeSZnZIlv8ix3LYg/xH2u2KwuL6AhPKX0:rD3c7OeSZn+auYkR2u2YLxtM0
Malware Config
Signatures
-
Possible privilege escalation attempt 34 IoCs
Processes:
takeown.exe (17 pids): 3820, 1980, 1636, 2152, 5116, 2384, 4412, 1664, 4480, 1452, 1784, 4512, 1044, 1516, 2600, 3288, 3540
icacls.exe (17 pids): 2976, 1028, 2836, 4328, 2080, 2112, 4908, 4704, 2940, 4164, 400, 3120, 308, 4116, 1812, 3936, 4480
-
Modifies file permissions 1 TTPs 34 IoCs
Processes:
takeown.exe (17 pids): 3820, 1044, 4412, 5116, 2600, 1636, 2384, 1664, 3540, 3288, 4480, 2152, 1452, 1980, 4512, 1784, 1516
icacls.exe (17 pids): 2080, 4480, 2976, 400, 1812, 3936, 4328, 3120, 2112, 4908, 4116, 4704, 1028, 4164, 308, 2940, 2836
-
Drops file in System32 directory 6 IoCs
Process: ce2e63d63a3deaa376d54517481d1702f40b4b7b92c60fbd454941f4e1525232.exe
File created: C:\Windows\SysWOW64\hhuzy.exe
File opened for modification: C:\Windows\SysWOW64\hhuzy.exe
File opened for modification: C:\Windows\SysWOW64\cmd.exe
File opened for modification: C:\Windows\SysWOW64\ftp.exe
File opened for modification: C:\Windows\SysWOW64\wscript.exe
File opened for modification: C:\Windows\SysWOW64\cscript.exe
-
Suspicious use of AdjustPrivilegeToken 16 IoCs
Processes: takeown.exe (16 instances)
Token: SeTakeOwnershipPrivilege, enabled by takeown.exe pids 1452, 4512, 3540, 3820, 2384, 1784, 1980, 1636, 2152, 1044, 4412, 5116, 2600, 3288, 1664, 1516
-
Suspicious use of SetWindowsHookEx 1 IoCs
Process: pid 4728 ce2e63d63a3deaa376d54517481d1702f40b4b7b92c60fbd454941f4e1525232.exe
-
Suspicious use of WriteProcessMemory 64 IoCs
Source process: ce2e63d63a3deaa376d54517481d1702f40b4b7b92c60fbd454941f4e1525232.exe (pid 4728); each line below is one child process, with the number of recorded writes
PID 4728 wrote to memory of 4480 takeown.exe (3 entries)
PID 4728 wrote to memory of 4908 icacls.exe (3 entries)
PID 4728 wrote to memory of 1452 takeown.exe (3 entries)
PID 4728 wrote to memory of 1028 icacls.exe (3 entries)
PID 4728 wrote to memory of 4512 takeown.exe (3 entries)
PID 4728 wrote to memory of 308 icacls.exe (3 entries)
PID 4728 wrote to memory of 3540 takeown.exe (3 entries)
PID 4728 wrote to memory of 400 icacls.exe (3 entries)
PID 4728 wrote to memory of 3820 takeown.exe (3 entries)
PID 4728 wrote to memory of 2940 icacls.exe (3 entries)
PID 4728 wrote to memory of 2384 takeown.exe (3 entries)
PID 4728 wrote to memory of 4116 icacls.exe (3 entries)
PID 4728 wrote to memory of 1784 takeown.exe (3 entries)
PID 4728 wrote to memory of 1812 icacls.exe (3 entries)
PID 4728 wrote to memory of 1980 takeown.exe (3 entries)
PID 4728 wrote to memory of 4704 icacls.exe (3 entries)
PID 4728 wrote to memory of 1636 takeown.exe (3 entries)
PID 4728 wrote to memory of 2836 icacls.exe (3 entries)
PID 4728 wrote to memory of 2152 takeown.exe (3 entries)
PID 4728 wrote to memory of 3120 icacls.exe (3 entries)
PID 4728 wrote to memory of 1044 takeown.exe (3 entries)
PID 4728 wrote to memory of 4164 icacls.exe (1 entry; 64 IoCs listed in total)
Processes
-
C:\Users\Admin\AppData\Local\Temp\ce2e63d63a3deaa376d54517481d1702f40b4b7b92c60fbd454941f4e1525232.exe (depth 1)
Command line: "C:\Users\Admin\AppData\Local\Temp\ce2e63d63a3deaa376d54517481d1702f40b4b7b92c60fbd454941f4e1525232.exe"
- Drops file in System32 directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\takeown.exe (depth 2)
Command line: C:\Windows\system32\takeown.exe /f "C:\Windows\system32\hhuzy.exe"
- Possible privilege escalation attempt
- Modifies file permissions
-
C:\Windows\SysWOW64\icacls.exe (depth 2)
Command line: C:\Windows\system32\icacls.exe "C:\Windows\system32\hhuzy.exe" /grant SYSTEM:F
- Possible privilege escalation attempt
- Modifies file permissions
-
C:\Windows\SysWOW64\takeown.exe (depth 2)
Command line: takeown.exe /f "C:\Windows\System32\cmd.exe"
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\icacls.exe (depth 2)
Command line: icacls.exe "C:\Windows\System32\cmd.exe" /grant SYSTEM:F
- Possible privilege escalation attempt
- Modifies file permissions
-
C:\Windows\SysWOW64\takeown.exe (depth 2)
Command line: takeown.exe /f "C:\Windows\System32\cmd.exe"
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\icacls.exe (depth 2)
Command line: icacls.exe "C:\Windows\System32\cmd.exe" /grant SYSTEM:F
- Possible privilege escalation attempt
- Modifies file permissions
-
C:\Windows\SysWOW64\takeown.exe (depth 2)
Command line: takeown.exe /f "C:\Windows\System32\ftp.exe"
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\icacls.exe (depth 2)
Command line: icacls.exe "C:\Windows\System32\ftp.exe" /grant SYSTEM:F
- Possible privilege escalation attempt
- Modifies file permissions
-
C:\Windows\SysWOW64\takeown.exe (depth 2)
Command line: takeown.exe /f "C:\Windows\System32\ftp.exe"
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\icacls.exe (depth 2)
Command line: icacls.exe "C:\Windows\System32\ftp.exe" /grant SYSTEM:F
- Possible privilege escalation attempt
- Modifies file permissions
-
C:\Windows\SysWOW64\takeown.exe (depth 2)
Command line: takeown.exe /f "C:\Windows\System32\wscript.exe"
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\icacls.exe (depth 2)
Command line: icacls.exe "C:\Windows\System32\wscript.exe" /grant SYSTEM:F
- Possible privilege escalation attempt
- Modifies file permissions
-
C:\Windows\SysWOW64\takeown.exe (depth 2)
Command line: takeown.exe /f "C:\Windows\System32\wscript.exe"
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\icacls.exe (depth 2)
Command line: icacls.exe "C:\Windows\System32\wscript.exe" /grant SYSTEM:F
- Possible privilege escalation attempt
- Modifies file permissions
-
C:\Windows\SysWOW64\takeown.exe (depth 2)
Command line: takeown.exe /f "C:\Windows\System32\cscript.exe"
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\icacls.exe (depth 2)
Command line: icacls.exe "C:\Windows\System32\cscript.exe" /grant SYSTEM:F
- Possible privilege escalation attempt
- Modifies file permissions
-
C:\Windows\SysWOW64\takeown.exe (depth 2)
Command line: takeown.exe /f "C:\Windows\System32\cscript.exe"
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\icacls.exe (depth 2)
Command line: icacls.exe "C:\Windows\System32\cscript.exe" /grant SYSTEM:F
- Possible privilege escalation attempt
- Modifies file permissions
-
C:\Windows\SysWOW64\takeown.exe (depth 2)
Command line: takeown.exe /f "C:\Windows\SysWOW64\cmd.exe"
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\icacls.exe (depth 2)
Command line: icacls.exe "C:\Windows\SysWOW64\cmd.exe" /grant SYSTEM:F
- Possible privilege escalation attempt
- Modifies file permissions
-
C:\Windows\SysWOW64\takeown.exe (depth 2)
Command line: takeown.exe /f "C:\Windows\SysWOW64\cmd.exe"
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\icacls.exe (depth 2)
Command line: icacls.exe "C:\Windows\SysWOW64\cmd.exe" /grant SYSTEM:F
- Possible privilege escalation attempt
- Modifies file permissions
-
C:\Windows\SysWOW64\takeown.exe (depth 2)
Command line: takeown.exe /f "C:\Windows\SysWOW64\ftp.exe"
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\icacls.exe (depth 2)
Command line: icacls.exe "C:\Windows\SysWOW64\ftp.exe" /grant SYSTEM:F
- Possible privilege escalation attempt
- Modifies file permissions
-
C:\Windows\SysWOW64\takeown.exe (depth 2)
Command line: takeown.exe /f "C:\Windows\SysWOW64\ftp.exe"
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\icacls.exe (depth 2)
Command line: icacls.exe "C:\Windows\SysWOW64\ftp.exe" /grant SYSTEM:F
- Possible privilege escalation attempt
- Modifies file permissions
-
C:\Windows\SysWOW64\takeown.exe (depth 2)
Command line: takeown.exe /f "C:\Windows\SysWOW64\wscript.exe"
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\icacls.exe (depth 2)
Command line: icacls.exe "C:\Windows\SysWOW64\wscript.exe" /grant SYSTEM:F
- Possible privilege escalation attempt
- Modifies file permissions
-
C:\Windows\SysWOW64\takeown.exe (depth 2)
Command line: takeown.exe /f "C:\Windows\SysWOW64\wscript.exe"
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\icacls.exe (depth 2)
Command line: icacls.exe "C:\Windows\SysWOW64\wscript.exe" /grant SYSTEM:F
- Possible privilege escalation attempt
- Modifies file permissions
-
C:\Windows\SysWOW64\takeown.exe (depth 2)
Command line: takeown.exe /f "C:\Windows\SysWOW64\cscript.exe"
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\icacls.exe (depth 2)
Command line: icacls.exe "C:\Windows\SysWOW64\cscript.exe" /grant SYSTEM:F
- Possible privilege escalation attempt
- Modifies file permissions
-
C:\Windows\SysWOW64\takeown.exe (depth 2)
Command line: takeown.exe /f "C:\Windows\SysWOW64\cscript.exe"
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\icacls.exe (depth 2)
Command line: icacls.exe "C:\Windows\SysWOW64\cscript.exe" /grant SYSTEM:F
- Possible privilege escalation attempt
- Modifies file permissions
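The takeown.exe / icacls.exe sequence in the process tree above, replayed as detection logic over process-creation records. This is an added example and not part of the sandbox report. The records are constructed from the report's own command lines; the child PIDs are the report's, assigned in its spawn order, which is an assumption, and PPID 0 for the sample plus PIDs 5555, 5556 and 9999 for two benign control records are placeholders. The example also resolves WoW64 file system redirection: the sample is 32-bit (the report's arch:x86 tag, and every child runs from SysWOW64), so a child that runs takeown.exe /f "C:\Windows\System32\cmd.exe" actually takes ownership of C:\Windows\SysWOW64\cmd.exe, which is why the "Drops file in System32 directory" signature lists only SysWOW64 paths even though half of the command lines name System32.

```python
"""Pair takeown.exe / icacls.exe process events into ownership-hijack alerts.

Added example for this report, not part of the sandbox output. The records are
constructed from the command lines in the process tree; the four-field layout
is an assumed simplification of a Sysmon event 1 or Security 4688 record.
"""
import re
from dataclasses import dataclass

SYSTEM32 = "c:\\windows\\system32\\"
SYSWOW64 = "c:\\windows\\syswow64\\"
SAMPLE = (r"C:\Users\Admin\AppData\Local\Temp"
          r"\ce2e63d63a3deaa376d54517481d1702f40b4b7b92c60fbd454941f4e1525232.exe")

# (pid, ppid, image, command line). Child PIDs are the report's, in spawn order; which PID
# goes with which command line is an assumption. PPID 0 and PIDs 5555/5556/9999 are placeholders.
SAMPLE_EVENTS = [
    (4728, 0, SAMPLE, f'"{SAMPLE}"'),
    (4480, 4728, r"C:\Windows\SysWOW64\takeown.exe", r'C:\Windows\system32\takeown.exe /f "C:\Windows\system32\hhuzy.exe"'),
    (4908, 4728, r"C:\Windows\SysWOW64\icacls.exe", r'C:\Windows\system32\icacls.exe "C:\Windows\system32\hhuzy.exe" /grant SYSTEM:F'),
    (1452, 4728, r"C:\Windows\SysWOW64\takeown.exe", r'takeown.exe /f "C:\Windows\System32\cmd.exe"'),
    (1028, 4728, r"C:\Windows\SysWOW64\icacls.exe", r'icacls.exe "C:\Windows\System32\cmd.exe" /grant SYSTEM:F'),
    (2152, 4728, r"C:\Windows\SysWOW64\takeown.exe", r'takeown.exe /f "C:\Windows\SysWOW64\cmd.exe"'),
    (3120, 4728, r"C:\Windows\SysWOW64\icacls.exe", r'icacls.exe "C:\Windows\SysWOW64\cmd.exe" /grant SYSTEM:F'),
    # constructed benign activity: an administrator adjusting a user file, not a protected directory
    (5555, 9999, r"C:\Windows\System32\takeown.exe", r'takeown.exe /f "C:\Users\Admin\Documents\notes.txt"'),
    (5556, 9999, r"C:\Windows\System32\icacls.exe", r'icacls.exe "C:\Users\Admin\Documents\notes.txt" /grant Admin:R'),
]

_TOKEN = re.compile(r'"([^"]*)"|(\S+)')


def tokenize(cmd):
    """Split a Windows command line on whitespace, keeping double-quoted arguments whole."""
    return [quoted or bare for quoted, bare in _TOKEN.findall(cmd)]


def parse_takeown(cmd):
    """Return the /f target of a takeown.exe command line, or None."""
    toks = tokenize(cmd)
    for i, tok in enumerate(toks[:-1]):
        if tok.lower() == "/f":
            return toks[i + 1]
    return None


def parse_icacls(cmd):
    """Return (target, [(grantee, grants_full_control), ...]) for an icacls.exe command line."""
    toks = tokenize(cmd)
    if len(toks) < 2 or toks[1].startswith("/"):
        return None
    grants, i = [], 2
    while i < len(toks):
        if toks[i].lower().startswith("/grant"):      # /grant or /grant:r
            i += 1
            while i < len(toks) and not toks[i].startswith("/"):
                grantee, _, perm = toks[i].partition(":")
                # drop inheritance flags such as (OI)(CI) and any (...) wrapper, then look for F
                rights = re.sub(r"\((?:OI|CI|IO|NP|I)\)", "", perm, flags=re.I).strip("()").upper()
                grants.append((grantee, "F" in rights.split(",")))
                i += 1
        else:
            i += 1
    return toks[1], grants


def effective_path(path, image):
    """Lower-cased path the kernel actually opens.

    A 32-bit (WoW64) process, recognisable here by an image under SysWOW64, has
    System32 paths transparently redirected to SysWOW64 by the file system redirector.
    """
    p = path.lower()
    if image.lower().startswith(SYSWOW64) and p.startswith(SYSTEM32):
        return SYSWOW64 + p[len(SYSTEM32):]
    return p


@dataclass(frozen=True)
class Alert:
    parent_pid: int
    target: str       # effective, lower-cased path
    takeown_pid: int
    icacls_pid: int
    grantee: str


def find_ownership_hijacks(events):
    """One Alert per takeown.exe on System32/SysWOW64 that the same parent follows
    with an icacls.exe granting full control (F) on the same effective file."""
    pending, alerts = {}, []   # pending: (ppid, effective target) -> takeown.exe pid
    for pid, ppid, image, cmd in events:
        name = image.rsplit("\\", 1)[-1].lower()
        if name == "takeown.exe":
            target = parse_takeown(cmd)
            eff = effective_path(target, image) if target else ""
            if eff.startswith((SYSTEM32, SYSWOW64)):
                pending[(ppid, eff)] = pid
        elif name == "icacls.exe":
            target, grants = parse_icacls(cmd) or (None, [])
            full = [grantee for grantee, is_full in grants if is_full]
            key = (ppid, effective_path(target, image)) if target else None
            if key in pending and full:
                alerts.append(Alert(ppid, key[1], pending.pop(key), pid, ", ".join(full)))
    return alerts


if __name__ == "__main__":
    for a in find_ownership_hijacks(SAMPLE_EVENTS):
        print(f"parent {a.parent_pid}: takeown {a.takeown_pid} then icacls {a.icacls_pid} "
              f"gave {a.grantee} full control of {a.target}")
```

Run as a script it prints three alerts, all from parent 4728, for SysWOW64\hhuzy.exe once and SysWOW64\cmd.exe twice (the System32 and SysWOW64 command lines resolve to the same file). With real telemetry, feed it Sysmon event 1 or Security 4688 records carrying the same four fields. An icacls /grant SYSTEM:F on its own is weak evidence, since administrators use it routinely; the pairing with a preceding takeown from the same parent, on a file under System32 or SysWOW64, is what separates this sample's behaviour from routine administration.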
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
-
C:\Windows\SysWOW64\hhuzy.exe
Filesize
64KB
MD5
156b0d499d5bce95710bf613e038fbf6
SHA1
f83a03b73bc4c8f9c70927831c542cb8beb14eba
SHA256
ce2e63d63a3deaa376d54517481d1702f40b4b7b92c60fbd454941f4e1525232
SHA512
f2ef4f323070757a7eaf2909da3c087aab2fa7f74b71efeadbddfc77011110360fc7129374d5f15fef017f5054efeb3de6d44a7f4ed71fb526e8ed0434494460
-
memory/308-140-0x0000000000000000-mapping.dmp
-
memory/400-142-0x0000000000000000-mapping.dmp
-
memory/1028-138-0x0000000000000000-mapping.dmp
-
memory/1044-155-0x0000000000000000-mapping.dmp
-
memory/1452-137-0x0000000000000000-mapping.dmp
-
memory/1516-167-0x0000000000000000-mapping.dmp
-
memory/1636-151-0x0000000000000000-mapping.dmp
-
memory/1664-165-0x0000000000000000-mapping.dmp
-
memory/1784-147-0x0000000000000000-mapping.dmp
-
memory/1812-148-0x0000000000000000-mapping.dmp
-
memory/1980-149-0x0000000000000000-mapping.dmp
-
memory/2080-162-0x0000000000000000-mapping.dmp
-
memory/2112-168-0x0000000000000000-mapping.dmp
-
memory/2152-153-0x0000000000000000-mapping.dmp
-
memory/2384-145-0x0000000000000000-mapping.dmp
-
memory/2600-161-0x0000000000000000-mapping.dmp
-
memory/2836-152-0x0000000000000000-mapping.dmp
-
memory/2940-144-0x0000000000000000-mapping.dmp
-
memory/2976-166-0x0000000000000000-mapping.dmp
-
memory/3120-154-0x0000000000000000-mapping.dmp
-
memory/3288-163-0x0000000000000000-mapping.dmp
-
memory/3540-141-0x0000000000000000-mapping.dmp
-
memory/3820-143-0x0000000000000000-mapping.dmp
-
memory/3936-158-0x0000000000000000-mapping.dmp
-
memory/4116-146-0x0000000000000000-mapping.dmp
-
memory/4164-156-0x0000000000000000-mapping.dmp
-
memory/4328-164-0x0000000000000000-mapping.dmp
-
memory/4412-157-0x0000000000000000-mapping.dmp
-
memory/4480-160-0x0000000000000000-mapping.dmp
-
memory/4480-134-0x0000000000000000-mapping.dmp
-
memory/4512-139-0x0000000000000000-mapping.dmp
-
memory/4704-150-0x0000000000000000-mapping.dmp
-
memory/4908-136-0x0000000000000000-mapping.dmp
-
memory/5116-159-0x0000000000000000-mapping.dmp