70efdb5ad1b10c7f5c6a10b41acfade0f2100bdd37c3e2cb111f6b2641b4d773

Analysis

max time kernel
148s
max time network
161s
platform
windows10-2004_x64
resource
win10v2004-20230915-en
resource tags

arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
submitted
14/10/2023, 17:53

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

NEAS.4b9646f51e2271f5c5fdc6a45751caf0.exe
Size

385KB
MD5

4b9646f51e2271f5c5fdc6a45751caf0
SHA1

631907e1853f1d7977176c7931837ba1e02708cc
SHA256

70efdb5ad1b10c7f5c6a10b41acfade0f2100bdd37c3e2cb111f6b2641b4d773
SHA512

cc17e7958ae4ecbf2b8a6b432602e44202bf18ea9755252748d475a31898d904b0ca303174ea1e4f5739a3ff551893c1148cbddf5a76db3769c55d9e4f4ee6ce
SSDEEP

6144:/pW2bgbbV28okoS1oWMkdlZQ5JU10d5Kn8n7XPW:/pW2IoioS6e

Score

10^/10

discovery evasion exploit persistence trojan

Malware Config

Signatures

UAC bypass 3 TTPs 1 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe

Disables Task Manager via registry modification
evasion

Possible privilege escalation attempt 64 IoCs

exploit

pid	Process
4520	takeown.exe
4584	takeown.exe
1492	icacls.exe
4848	icacls.exe
5984	takeown.exe
3464	icacls.exe
2116	takeown.exe
4844	takeown.exe
1472	takeown.exe
2356	icacls.exe
1616	icacls.exe
4708	takeown.exe
5100	icacls.exe
4832	takeown.exe
6972	takeown.exe
3844	icacls.exe
4196	icacls.exe
6268	icacls.exe
4468	takeown.exe
3008	takeown.exe
3316	icacls.exe
5308	icacls.exe
5236	takeown.exe
5160	icacls.exe
6372	icacls.exe
4452	icacls.exe
3832	takeown.exe
3360	takeown.exe
3820	takeown.exe
1428	icacls.exe
5040	takeown.exe
7052	takeown.exe
1284	icacls.exe
4500	icacls.exe
3280	icacls.exe
3348	takeown.exe
5148	icacls.exe
6628	takeown.exe
212	takeown.exe
6752	icacls.exe
5276	icacls.exe
6080	takeown.exe
2780	takeown.exe
3804	icacls.exe
6052	takeown.exe
3120	icacls.exe
7044	icacls.exe
5304	icacls.exe
5376	takeown.exe
3140	icacls.exe
792	icacls.exe
5152	takeown.exe
4188	takeown.exe
1852	takeown.exe
5944	icacls.exe
208	icacls.exe
2956	icacls.exe
3920	takeown.exe
2556	icacls.exe
4704	takeown.exe
1372	takeown.exe
1436	icacls.exe
2140	takeown.exe
5840	takeown.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3027552071-446050021-1254071215-1000\Control Panel\International\Geo\Nation	NEAS.4b9646f51e2271f5c5fdc6a45751caf0.exe

Modifies file permissions 1 TTPs 64 IoCs

discovery

File and Directory Permissions Modification

T1222

pid	Process
5176	takeown.exe
7128	icacls.exe
2636	takeown.exe
964	icacls.exe
3360	takeown.exe
6428	icacls.exe
4344	icacls.exe
5276	icacls.exe
5896	takeown.exe
2780	takeown.exe
2296	icacls.exe
6408	icacls.exe
7104	takeown.exe
796	icacls.exe
2652	icacls.exe
2980	takeown.exe
4024	icacls.exe
2516	takeown.exe
6780	takeown.exe
3300	takeown.exe
5100	icacls.exe
6512	icacls.exe
3460	takeown.exe
5072	icacls.exe
3560	takeown.exe
3672	takeown.exe
3320	takeown.exe
1948	takeown.exe
5400	icacls.exe
2100	icacls.exe
4680	icacls.exe
6464	takeown.exe
4500	icacls.exe
552	takeown.exe
1472	takeown.exe
6648	icacls.exe
6540	icacls.exe
212	takeown.exe
7112	icacls.exe
4116	icacls.exe
5168	icacls.exe
5644	icacls.exe
6284	takeown.exe
4264	icacls.exe
6080	takeown.exe
4916	takeown.exe
3304	takeown.exe
6128	icacls.exe
4640	icacls.exe
636	icacls.exe
4704	takeown.exe
5976	icacls.exe
1484	takeown.exe
1056	takeown.exe
4832	takeown.exe
3376	takeown.exe
1996	takeown.exe
5136	icacls.exe
3280	icacls.exe
6372	icacls.exe
2140	takeown.exe
6396	icacls.exe
5540	takeown.exe
4428	takeown.exe

Modifies system executable filetype association 2 TTPs 1 IoCs

persistence

Modify Registry

T1112

Change Default File Association

T1546.001

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\NEAS.4b9646f51e2271f5c5fdc6a45751caf0.exe BATCF %1"	NEAS.4b9646f51e2271f5c5fdc6a45751caf0.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\SystemPropertiesDataExecutionPrevention.exe	NEAS.4b9646f51e2271f5c5fdc6a45751caf0.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 10 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\NEAS.4b9646f51e2271f5c5fdc6a45751caf0.exe BATCF %1"	NEAS.4b9646f51e2271f5c5fdc6a45751caf0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\cmdfile\shell\open\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\NEAS.4b9646f51e2271f5c5fdc6a45751caf0.exe CMDSF %1"	NEAS.4b9646f51e2271f5c5fdc6a45751caf0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\giffile\shell\Open\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\NEAS.4b9646f51e2271f5c5fdc6a45751caf0.exe JPGIF %1"	NEAS.4b9646f51e2271f5c5fdc6a45751caf0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\NEAS.4b9646f51e2271f5c5fdc6a45751caf0.exe VBSSF %1"	NEAS.4b9646f51e2271f5c5fdc6a45751caf0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\rtffile\shell\open\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\NEAS.4b9646f51e2271f5c5fdc6a45751caf0.exe RTFDF %1"	NEAS.4b9646f51e2271f5c5fdc6a45751caf0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\NEAS.4b9646f51e2271f5c5fdc6a45751caf0.exe NTPAD %1"	NEAS.4b9646f51e2271f5c5fdc6a45751caf0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\open\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\NEAS.4b9646f51e2271f5c5fdc6a45751caf0.exe HTMWF %1"	NEAS.4b9646f51e2271f5c5fdc6a45751caf0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\xmlfile\shell\Open\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\NEAS.4b9646f51e2271f5c5fdc6a45751caf0.exe NTPAD %1"	NEAS.4b9646f51e2271f5c5fdc6a45751caf0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\inifile\shell\open\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\NEAS.4b9646f51e2271f5c5fdc6a45751caf0.exe NTPAD %1"	NEAS.4b9646f51e2271f5c5fdc6a45751caf0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\open\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\NEAS.4b9646f51e2271f5c5fdc6a45751caf0.exe NTPAD %1"	NEAS.4b9646f51e2271f5c5fdc6a45751caf0.exe

Modifies registry key 1 TTPs 2 IoCs

Modify Registry

T1112

pid	Process
4552	reg.exe
2776	reg.exe

Suspicious behavior: EnumeratesProcesses 21 IoCs

pid	Process
3200	NEAS.4b9646f51e2271f5c5fdc6a45751caf0.exe
3200	NEAS.4b9646f51e2271f5c5fdc6a45751caf0.exe
3200	NEAS.4b9646f51e2271f5c5fdc6a45751caf0.exe
3200	NEAS.4b9646f51e2271f5c5fdc6a45751caf0.exe
3200	NEAS.4b9646f51e2271f5c5fdc6a45751caf0.exe
3200	NEAS.4b9646f51e2271f5c5fdc6a45751caf0.exe
3200	NEAS.4b9646f51e2271f5c5fdc6a45751caf0.exe
3200	NEAS.4b9646f51e2271f5c5fdc6a45751caf0.exe
3200	NEAS.4b9646f51e2271f5c5fdc6a45751caf0.exe
3200	NEAS.4b9646f51e2271f5c5fdc6a45751caf0.exe
3200	NEAS.4b9646f51e2271f5c5fdc6a45751caf0.exe
3200	NEAS.4b9646f51e2271f5c5fdc6a45751caf0.exe
3200	NEAS.4b9646f51e2271f5c5fdc6a45751caf0.exe
3200	NEAS.4b9646f51e2271f5c5fdc6a45751caf0.exe
3200	NEAS.4b9646f51e2271f5c5fdc6a45751caf0.exe
3200	NEAS.4b9646f51e2271f5c5fdc6a45751caf0.exe
3200	NEAS.4b9646f51e2271f5c5fdc6a45751caf0.exe
3200	NEAS.4b9646f51e2271f5c5fdc6a45751caf0.exe
3200	NEAS.4b9646f51e2271f5c5fdc6a45751caf0.exe
3200	NEAS.4b9646f51e2271f5c5fdc6a45751caf0.exe
3200	NEAS.4b9646f51e2271f5c5fdc6a45751caf0.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
3200	NEAS.4b9646f51e2271f5c5fdc6a45751caf0.exe

Suspicious use of AdjustPrivilegeToken 23 IoCs

description	pid	Process
Token: SeDebugPrivilege	3200	NEAS.4b9646f51e2271f5c5fdc6a45751caf0.exe
Token: SeTakeOwnershipPrivilege	2636	takeown.exe
Token: SeTakeOwnershipPrivilege	2560	takeown.exe
Token: SeTakeOwnershipPrivilege	4428	takeown.exe
Token: SeTakeOwnershipPrivilege	3376	takeown.exe
Token: SeTakeOwnershipPrivilege	552	takeown.exe
Token: SeTakeOwnershipPrivilege	3220	takeown.exe
Token: SeTakeOwnershipPrivilege	1996	takeown.exe
Token: SeTakeOwnershipPrivilege	1484	takeown.exe
Token: SeTakeOwnershipPrivilege	3920	takeown.exe
Token: SeTakeOwnershipPrivilege	4520	takeown.exe
Token: SeTakeOwnershipPrivilege	2516	takeown.exe
Token: SeTakeOwnershipPrivilege	1832	takeown.exe
Token: SeTakeOwnershipPrivilege	4716	takeown.exe
Token: SeTakeOwnershipPrivilege	4732	takeown.exe
Token: SeTakeOwnershipPrivilege	932	takeown.exe
Token: SeTakeOwnershipPrivilege	2116	takeown.exe
Token: SeTakeOwnershipPrivilege	3460	takeown.exe
Token: SeTakeOwnershipPrivilege	2512	takeown.exe
Token: SeTakeOwnershipPrivilege	1320	takeown.exe
Token: SeTakeOwnershipPrivilege	4696	takeown.exe
Token: SeTakeOwnershipPrivilege	4468	takeown.exe
Token: SeTakeOwnershipPrivilege	3328	takeown.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3200 wrote to memory of 2776	3200	NEAS.4b9646f51e2271f5c5fdc6a45751caf0.exe	88
PID 3200 wrote to memory of 2776	3200	NEAS.4b9646f51e2271f5c5fdc6a45751caf0.exe	88
PID 3200 wrote to memory of 4552	3200	NEAS.4b9646f51e2271f5c5fdc6a45751caf0.exe	86
PID 3200 wrote to memory of 4552	3200	NEAS.4b9646f51e2271f5c5fdc6a45751caf0.exe	86
PID 3200 wrote to memory of 2636	3200	NEAS.4b9646f51e2271f5c5fdc6a45751caf0.exe	101
PID 3200 wrote to memory of 2636	3200	NEAS.4b9646f51e2271f5c5fdc6a45751caf0.exe	101
PID 3200 wrote to memory of 1612	3200	NEAS.4b9646f51e2271f5c5fdc6a45751caf0.exe	103
PID 3200 wrote to memory of 1612	3200	NEAS.4b9646f51e2271f5c5fdc6a45751caf0.exe	103
PID 3200 wrote to memory of 2560	3200	NEAS.4b9646f51e2271f5c5fdc6a45751caf0.exe	105
PID 3200 wrote to memory of 2560	3200	NEAS.4b9646f51e2271f5c5fdc6a45751caf0.exe	105
PID 3200 wrote to memory of 5012	3200	NEAS.4b9646f51e2271f5c5fdc6a45751caf0.exe	107
PID 3200 wrote to memory of 5012	3200	NEAS.4b9646f51e2271f5c5fdc6a45751caf0.exe	107
PID 3200 wrote to memory of 4428	3200	NEAS.4b9646f51e2271f5c5fdc6a45751caf0.exe	110
PID 3200 wrote to memory of 4428	3200	NEAS.4b9646f51e2271f5c5fdc6a45751caf0.exe	110
PID 3200 wrote to memory of 2016	3200	NEAS.4b9646f51e2271f5c5fdc6a45751caf0.exe	111
PID 3200 wrote to memory of 2016	3200	NEAS.4b9646f51e2271f5c5fdc6a45751caf0.exe	111
PID 3200 wrote to memory of 552	3200	NEAS.4b9646f51e2271f5c5fdc6a45751caf0.exe	113
PID 3200 wrote to memory of 552	3200	NEAS.4b9646f51e2271f5c5fdc6a45751caf0.exe	113
PID 3200 wrote to memory of 4928	3200	NEAS.4b9646f51e2271f5c5fdc6a45751caf0.exe	114
PID 3200 wrote to memory of 4928	3200	NEAS.4b9646f51e2271f5c5fdc6a45751caf0.exe	114
PID 3200 wrote to memory of 3376	3200	NEAS.4b9646f51e2271f5c5fdc6a45751caf0.exe	117
PID 3200 wrote to memory of 3376	3200	NEAS.4b9646f51e2271f5c5fdc6a45751caf0.exe	117
PID 3200 wrote to memory of 2712	3200	NEAS.4b9646f51e2271f5c5fdc6a45751caf0.exe	118
PID 3200 wrote to memory of 2712	3200	NEAS.4b9646f51e2271f5c5fdc6a45751caf0.exe	118
PID 3200 wrote to memory of 3220	3200	NEAS.4b9646f51e2271f5c5fdc6a45751caf0.exe	121
PID 3200 wrote to memory of 3220	3200	NEAS.4b9646f51e2271f5c5fdc6a45751caf0.exe	121
PID 3200 wrote to memory of 2528	3200	NEAS.4b9646f51e2271f5c5fdc6a45751caf0.exe	122
PID 3200 wrote to memory of 2528	3200	NEAS.4b9646f51e2271f5c5fdc6a45751caf0.exe	122
PID 3200 wrote to memory of 1996	3200	NEAS.4b9646f51e2271f5c5fdc6a45751caf0.exe	125
PID 3200 wrote to memory of 1996	3200	NEAS.4b9646f51e2271f5c5fdc6a45751caf0.exe	125
PID 3200 wrote to memory of 400	3200	NEAS.4b9646f51e2271f5c5fdc6a45751caf0.exe	128
PID 3200 wrote to memory of 400	3200	NEAS.4b9646f51e2271f5c5fdc6a45751caf0.exe	128
PID 3200 wrote to memory of 1484	3200	NEAS.4b9646f51e2271f5c5fdc6a45751caf0.exe	130
PID 3200 wrote to memory of 1484	3200	NEAS.4b9646f51e2271f5c5fdc6a45751caf0.exe	130
PID 3200 wrote to memory of 936	3200	NEAS.4b9646f51e2271f5c5fdc6a45751caf0.exe	129
PID 3200 wrote to memory of 936	3200	NEAS.4b9646f51e2271f5c5fdc6a45751caf0.exe	129
PID 3200 wrote to memory of 3920	3200	NEAS.4b9646f51e2271f5c5fdc6a45751caf0.exe	132
PID 3200 wrote to memory of 3920	3200	NEAS.4b9646f51e2271f5c5fdc6a45751caf0.exe	132
PID 3200 wrote to memory of 3324	3200	NEAS.4b9646f51e2271f5c5fdc6a45751caf0.exe	136
PID 3200 wrote to memory of 3324	3200	NEAS.4b9646f51e2271f5c5fdc6a45751caf0.exe	136
PID 3200 wrote to memory of 4520	3200	NEAS.4b9646f51e2271f5c5fdc6a45751caf0.exe	137
PID 3200 wrote to memory of 4520	3200	NEAS.4b9646f51e2271f5c5fdc6a45751caf0.exe	137
PID 3200 wrote to memory of 3280	3200	NEAS.4b9646f51e2271f5c5fdc6a45751caf0.exe	140
PID 3200 wrote to memory of 3280	3200	NEAS.4b9646f51e2271f5c5fdc6a45751caf0.exe	140
PID 3200 wrote to memory of 1832	3200	NEAS.4b9646f51e2271f5c5fdc6a45751caf0.exe	141
PID 3200 wrote to memory of 1832	3200	NEAS.4b9646f51e2271f5c5fdc6a45751caf0.exe	141
PID 3200 wrote to memory of 4264	3200	NEAS.4b9646f51e2271f5c5fdc6a45751caf0.exe	142
PID 3200 wrote to memory of 4264	3200	NEAS.4b9646f51e2271f5c5fdc6a45751caf0.exe	142
PID 3200 wrote to memory of 2516	3200	NEAS.4b9646f51e2271f5c5fdc6a45751caf0.exe	146
PID 3200 wrote to memory of 2516	3200	NEAS.4b9646f51e2271f5c5fdc6a45751caf0.exe	146
PID 3200 wrote to memory of 2368	3200	NEAS.4b9646f51e2271f5c5fdc6a45751caf0.exe	147
PID 3200 wrote to memory of 2368	3200	NEAS.4b9646f51e2271f5c5fdc6a45751caf0.exe	147
PID 3200 wrote to memory of 4732	3200	NEAS.4b9646f51e2271f5c5fdc6a45751caf0.exe	148
PID 3200 wrote to memory of 4732	3200	NEAS.4b9646f51e2271f5c5fdc6a45751caf0.exe	148
PID 3200 wrote to memory of 2356	3200	NEAS.4b9646f51e2271f5c5fdc6a45751caf0.exe	151
PID 3200 wrote to memory of 2356	3200	NEAS.4b9646f51e2271f5c5fdc6a45751caf0.exe	151
PID 3200 wrote to memory of 3460	3200	NEAS.4b9646f51e2271f5c5fdc6a45751caf0.exe	153
PID 3200 wrote to memory of 3460	3200	NEAS.4b9646f51e2271f5c5fdc6a45751caf0.exe	153
PID 3200 wrote to memory of 3840	3200	NEAS.4b9646f51e2271f5c5fdc6a45751caf0.exe	155
PID 3200 wrote to memory of 3840	3200	NEAS.4b9646f51e2271f5c5fdc6a45751caf0.exe	155
PID 3200 wrote to memory of 932	3200	NEAS.4b9646f51e2271f5c5fdc6a45751caf0.exe	157
PID 3200 wrote to memory of 932	3200	NEAS.4b9646f51e2271f5c5fdc6a45751caf0.exe	157
PID 3200 wrote to memory of 2060	3200	NEAS.4b9646f51e2271f5c5fdc6a45751caf0.exe	158
PID 3200 wrote to memory of 2060	3200	NEAS.4b9646f51e2271f5c5fdc6a45751caf0.exe	158

C:\Users\Admin\AppData\Local\Temp\NEAS.4b9646f51e2271f5c5fdc6a45751caf0.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.4b9646f51e2271f5c5fdc6a45751caf0.exe"
1⤵
- Checks computer location settings
- Modifies system executable filetype association
- Drops file in System32 directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3200
- C:\Windows\System32\reg.exe
  "C:\Windows\System32\reg.exe" add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
  2⤵
  - Modifies registry key
  PID:4552
- C:\Windows\System32\reg.exe
  "C:\Windows\System32\reg.exe" ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
  2⤵
  - UAC bypass
  - Modifies registry key
  PID:2776
- C:\Windows\System32\takeown.exe
  "C:\Windows\System32\takeown.exe" /S MDUTPCWA /U Admin /F "C:\Windows\bfsvc.exe"
  2⤵
  - Modifies file permissions
  - Suspicious use of AdjustPrivilegeToken
  PID:2636
- C:\Windows\System32\icacls.exe
  "C:\Windows\System32\icacls.exe" "C:\Windows\bfsvc.exe" /INHERITANCE:e /GRANT:r Admin:(F)
  2⤵
  PID:1612
- C:\Windows\System32\takeown.exe
  "C:\Windows\System32\takeown.exe" /S MDUTPCWA /U Admin /F "C:\Windows\HelpPane.exe"
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2560
- C:\Windows\System32\icacls.exe
  "C:\Windows\System32\icacls.exe" "C:\Windows\HelpPane.exe" /INHERITANCE:e /GRANT:r Admin:(F)
  2⤵
  PID:5012
- C:\Windows\System32\takeown.exe
  "C:\Windows\System32\takeown.exe" /S MDUTPCWA /U Admin /F "C:\Windows\hh.exe"
  2⤵
  - Modifies file permissions
  - Suspicious use of AdjustPrivilegeToken
  PID:4428
- C:\Windows\System32\icacls.exe
  "C:\Windows\System32\icacls.exe" "C:\Windows\hh.exe" /INHERITANCE:e /GRANT:r Admin:(F)
  2⤵
  PID:2016
- C:\Windows\System32\takeown.exe
  "C:\Windows\System32\takeown.exe" /S MDUTPCWA /U Admin /F "C:\Windows\splwow64.exe"
  2⤵
  - Modifies file permissions
  - Suspicious use of AdjustPrivilegeToken
  PID:552
- C:\Windows\System32\icacls.exe
  "C:\Windows\System32\icacls.exe" "C:\Windows\splwow64.exe" /INHERITANCE:e /GRANT:r Admin:(F)
  2⤵
  PID:4928
- C:\Windows\System32\takeown.exe
  "C:\Windows\System32\takeown.exe" /S MDUTPCWA /U Admin /F "C:\Windows\winhlp32.exe"
  2⤵
  - Modifies file permissions
  - Suspicious use of AdjustPrivilegeToken
  PID:3376
- C:\Windows\System32\icacls.exe
  "C:\Windows\System32\icacls.exe" "C:\Windows\winhlp32.exe" /INHERITANCE:e /GRANT:r Admin:(F)
  2⤵
  PID:2712
- C:\Windows\System32\takeown.exe
  "C:\Windows\System32\takeown.exe" /S MDUTPCWA /U Admin /F "C:\Windows\write.exe"
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:3220
- C:\Windows\System32\icacls.exe
  "C:\Windows\System32\icacls.exe" "C:\Windows\write.exe" /INHERITANCE:e /GRANT:r Admin:(F)
  2⤵
  PID:2528
- C:\Windows\System32\takeown.exe
  "C:\Windows\System32\takeown.exe" /S MDUTPCWA /U Admin /F "C:\Windows\SysWOW64\raserver.exe"
  2⤵
  - Modifies file permissions
  - Suspicious use of AdjustPrivilegeToken
  PID:1996
- C:\Windows\System32\icacls.exe
  "C:\Windows\System32\icacls.exe" "C:\Windows\SysWOW64\raserver.exe" /INHERITANCE:e /GRANT:r Admin:(F)
  2⤵
  PID:400
- C:\Windows\System32\icacls.exe
  "C:\Windows\System32\icacls.exe" "C:\Windows\SysWOW64\msra.exe" /INHERITANCE:e /GRANT:r Admin:(F)
  2⤵
  PID:936
- C:\Windows\System32\takeown.exe
  "C:\Windows\System32\takeown.exe" /S MDUTPCWA /U Admin /F "C:\Windows\SysWOW64\msra.exe"
  2⤵
  - Modifies file permissions
  - Suspicious use of AdjustPrivilegeToken
  PID:1484
- C:\Windows\System32\takeown.exe
  "C:\Windows\System32\takeown.exe" /S MDUTPCWA /U Admin /F "C:\Windows\SysWOW64\quickassist.exe"
  2⤵
  - Possible privilege escalation attempt
  - Suspicious use of AdjustPrivilegeToken
  PID:3920
- C:\Windows\System32\icacls.exe
  "C:\Windows\System32\icacls.exe" "C:\Windows\SysWOW64\quickassist.exe" /INHERITANCE:e /GRANT:r Admin:(F)
  2⤵
  PID:3324
- C:\Windows\System32\takeown.exe
  "C:\Windows\System32\takeown.exe" /S MDUTPCWA /U Admin /F "C:\Windows\SysWOW64\sdchange.exe"
  2⤵
  - Possible privilege escalation attempt
  - Suspicious use of AdjustPrivilegeToken
  PID:4520
- C:\Windows\System32\icacls.exe
  "C:\Windows\System32\icacls.exe" "C:\Windows\SysWOW64\sdchange.exe" /INHERITANCE:e /GRANT:r Admin:(F)
  2⤵
  - Possible privilege escalation attempt
  - Modifies file permissions
  PID:3280
- C:\Windows\System32\takeown.exe
  "C:\Windows\System32\takeown.exe" /S MDUTPCWA /U Admin /F "C:\Windows\SysWOW64\CameraSettingsUIHost.exe"
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:1832
- C:\Windows\System32\icacls.exe
  "C:\Windows\System32\icacls.exe" "C:\Windows\SysWOW64\CameraSettingsUIHost.exe" /INHERITANCE:e /GRANT:r Admin:(F)
  2⤵
  - Modifies file permissions
  PID:4264
- C:\Windows\System32\takeown.exe
  "C:\Windows\System32\takeown.exe" /S MDUTPCWA /U Admin /F "C:\Windows\SysWOW64\logagent.exe"
  2⤵
  - Modifies file permissions
  - Suspicious use of AdjustPrivilegeToken
  PID:2516
- C:\Windows\System32\icacls.exe
  "C:\Windows\System32\icacls.exe" "C:\Windows\SysWOW64\logagent.exe" /INHERITANCE:e /GRANT:r Admin:(F)
  2⤵
  PID:2368
- C:\Windows\System32\takeown.exe
  "C:\Windows\System32\takeown.exe" /S MDUTPCWA /U Admin /F "C:\Windows\SysWOW64\rrinstaller.exe"
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:4732
- C:\Windows\System32\icacls.exe
  "C:\Windows\System32\icacls.exe" "C:\Windows\SysWOW64\rrinstaller.exe" /INHERITANCE:e /GRANT:r Admin:(F)
  2⤵
  - Possible privilege escalation attempt
  PID:2356
- C:\Windows\System32\takeown.exe
  "C:\Windows\System32\takeown.exe" /S MDUTPCWA /U Admin /F "C:\Windows\SysWOW64\gpscript.exe"
  2⤵
  - Modifies file permissions
  - Suspicious use of AdjustPrivilegeToken
  PID:3460
- C:\Windows\System32\icacls.exe
  "C:\Windows\System32\icacls.exe" "C:\Windows\SysWOW64\gpscript.exe" /INHERITANCE:e /GRANT:r Admin:(F)
  2⤵
  PID:3840
- C:\Windows\System32\takeown.exe
  "C:\Windows\System32\takeown.exe" /S MDUTPCWA /U Admin /F "C:\Windows\SysWOW64\mavinject.exe"
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:932
- C:\Windows\System32\icacls.exe
  "C:\Windows\System32\icacls.exe" "C:\Windows\SysWOW64\mavinject.exe" /INHERITANCE:e /GRANT:r Admin:(F)
  2⤵
  PID:2060
- C:\Windows\System32\takeown.exe
  "C:\Windows\System32\takeown.exe" /S MDUTPCWA /U Admin /F "C:\Windows\SysWOW64\provlaunch.exe"
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:4716
- C:\Windows\System32\icacls.exe
  "C:\Windows\System32\icacls.exe" "C:\Windows\SysWOW64\provlaunch.exe" /INHERITANCE:e /GRANT:r Admin:(F)
  2⤵
  - Possible privilege escalation attempt
  PID:1616
- C:\Windows\System32\takeown.exe
  "C:\Windows\System32\takeown.exe" /S MDUTPCWA /U Admin /F "C:\Windows\SysWOW64\msinfo32.exe"
  2⤵
  - Possible privilege escalation attempt
  - Suspicious use of AdjustPrivilegeToken
  PID:2116
- C:\Windows\System32\icacls.exe
  "C:\Windows\System32\icacls.exe" "C:\Windows\SysWOW64\msinfo32.exe" /INHERITANCE:e /GRANT:r Admin:(F)
  2⤵
  PID:4632
- C:\Windows\System32\takeown.exe
  "C:\Windows\System32\takeown.exe" /S MDUTPCWA /U Admin /F "C:\Windows\SysWOW64\runas.exe"
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2512
- C:\Windows\System32\icacls.exe
  "C:\Windows\System32\icacls.exe" "C:\Windows\SysWOW64\runas.exe" /INHERITANCE:e /GRANT:r Admin:(F)
  2⤵
  - Modifies file permissions
  PID:796
- C:\Windows\System32\takeown.exe
  "C:\Windows\System32\takeown.exe" /S MDUTPCWA /U Admin /F "C:\Windows\SysWOW64\mstsc.exe"
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:1320
- C:\Windows\System32\icacls.exe
  "C:\Windows\System32\icacls.exe" "C:\Windows\SysWOW64\mstsc.exe" /INHERITANCE:e /GRANT:r Admin:(F)
  2⤵
  PID:4652
- C:\Windows\System32\takeown.exe
  "C:\Windows\System32\takeown.exe" /S MDUTPCWA /U Admin /F "C:\Windows\SysWOW64\sdiagnhost.exe"
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:4696
- C:\Windows\System32\icacls.exe
  "C:\Windows\System32\icacls.exe" "C:\Windows\SysWOW64\sdiagnhost.exe" /INHERITANCE:e /GRANT:r Admin:(F)
  2⤵
  PID:2324
- C:\Windows\System32\takeown.exe
  "C:\Windows\System32\takeown.exe" /S MDUTPCWA /U Admin /F "C:\Windows\System32\SystemPropertiesDataExecutionPrevention.exe"
  2⤵
  - Possible privilege escalation attempt
  - Suspicious use of AdjustPrivilegeToken
  PID:4468
- C:\Windows\System32\icacls.exe
  "C:\Windows\System32\icacls.exe" "C:\Windows\System32\SystemPropertiesDataExecutionPrevention.exe" /INHERITANCE:e /GRANT:r Admin:(F)
  2⤵
  PID:3592
- C:\Windows\System32\takeown.exe
  "C:\Windows\System32\takeown.exe" /S MDUTPCWA /U Admin /F "C:\Windows\System32\SystemPropertiesDataExecutionPrevention.exe"
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:3328
- C:\Windows\System32\icacls.exe
  "C:\Windows\System32\icacls.exe" "C:\Windows\System32\SystemPropertiesDataExecutionPrevention.exe" /INHERITANCE:e /GRANT:r Admin:(F)
  2⤵
  - Possible privilege escalation attempt
  PID:2556
- C:\Windows\System32\takeown.exe
  "C:\Windows\System32\takeown.exe" /S MDUTPCWA /U Admin /F "C:\Windows\System32\SystemPropertiesDataExecutionPrevention.exe"
  2⤵
  PID:2232
- C:\Windows\System32\icacls.exe
  "C:\Windows\System32\icacls.exe" "C:\Windows\System32\SystemPropertiesDataExecutionPrevention.exe" /INHERITANCE:e /GRANT:r Admin:(F)
  2⤵
  PID:3256
- C:\Windows\System32\takeown.exe
  "C:\Windows\System32\takeown.exe" /S MDUTPCWA /U Admin /F "C:\Windows\System32\SystemPropertiesDataExecutionPrevention.exe"
  2⤵
  PID:3276
- C:\Windows\System32\icacls.exe
  "C:\Windows\System32\icacls.exe" "C:\Windows\System32\SystemPropertiesDataExecutionPrevention.exe" /INHERITANCE:e /GRANT:r Admin:(F)
  2⤵
  PID:916
- C:\Windows\System32\takeown.exe
  "C:\Windows\System32\takeown.exe" /S MDUTPCWA /U Admin /F "C:\Windows\System32\SystemPropertiesDataExecutionPrevention.exe"
  2⤵
  PID:3012
- C:\Windows\System32\takeown.exe
  "C:\Windows\System32\takeown.exe" /S MDUTPCWA /U Admin /F "C:\Windows\System32\SystemPropertiesDataExecutionPrevention.exe"
  2⤵
  PID:2080
- C:\Windows\System32\icacls.exe
  "C:\Windows\System32\icacls.exe" "C:\Windows\System32\SystemPropertiesDataExecutionPrevention.exe" /INHERITANCE:e /GRANT:r Admin:(F)
  2⤵
  - Possible privilege escalation attempt
  PID:3804
- C:\Windows\System32\icacls.exe
  "C:\Windows\System32\icacls.exe" "C:\Windows\System32\SystemPropertiesDataExecutionPrevention.exe" /INHERITANCE:e /GRANT:r Admin:(F)
  2⤵
  - Possible privilege escalation attempt
  PID:3140
- C:\Windows\System32\takeown.exe
  "C:\Windows\System32\takeown.exe" /S MDUTPCWA /U Admin /F "C:\Windows\System32\SystemPropertiesDataExecutionPrevention.exe"
  2⤵
  PID:2072
- C:\Windows\System32\icacls.exe
  "C:\Windows\System32\icacls.exe" "C:\Windows\System32\SystemPropertiesDataExecutionPrevention.exe" /INHERITANCE:e /GRANT:r Admin:(F)
  2⤵
  - Modifies file permissions
  PID:5072
- C:\Windows\System32\takeown.exe
  "C:\Windows\System32\takeown.exe" /S MDUTPCWA /U Admin /F "C:\Windows\System32\SystemPropertiesDataExecutionPrevention.exe"
  2⤵
  PID:2760
- C:\Windows\System32\icacls.exe
  "C:\Windows\System32\icacls.exe" "C:\Windows\System32\SystemPropertiesDataExecutionPrevention.exe" /INHERITANCE:e /GRANT:r Admin:(F)
  2⤵
  - Modifies file permissions
  PID:2652
- C:\Windows\System32\takeown.exe
  "C:\Windows\System32\takeown.exe" /S MDUTPCWA /U Admin /F "C:\Windows\System32\SystemPropertiesDataExecutionPrevention.exe"
  2⤵
  - Possible privilege escalation attempt
  PID:4188
- C:\Windows\System32\icacls.exe
  "C:\Windows\System32\icacls.exe" "C:\Windows\System32\SystemPropertiesDataExecutionPrevention.exe" /INHERITANCE:e /GRANT:r Admin:(F)
  2⤵
  - Modifies file permissions
  PID:636
- C:\Windows\System32\takeown.exe
  "C:\Windows\System32\takeown.exe" /S MDUTPCWA /U Admin /F "C:\Windows\System32\SystemPropertiesDataExecutionPrevention.exe"
  2⤵
  - Possible privilege escalation attempt
  - Modifies file permissions
  PID:4704
- C:\Windows\System32\icacls.exe
  "C:\Windows\System32\icacls.exe" "C:\Windows\System32\SystemPropertiesDataExecutionPrevention.exe" /INHERITANCE:e /GRANT:r Admin:(F)
  2⤵
  PID:3380
- C:\Windows\System32\takeown.exe
  "C:\Windows\System32\takeown.exe" /S MDUTPCWA /U Admin /F "C:\Windows\System32\SystemPropertiesDataExecutionPrevention.exe"
  2⤵
  - Possible privilege escalation attempt
  PID:4584
- C:\Windows\System32\takeown.exe
  "C:\Windows\System32\takeown.exe" /S MDUTPCWA /U Admin /F "C:\Windows\System32\SystemPropertiesDataExecutionPrevention.exe"
  2⤵
  PID:4560
- C:\Windows\System32\icacls.exe
  "C:\Windows\System32\icacls.exe" "C:\Windows\System32\SystemPropertiesDataExecutionPrevention.exe" /INHERITANCE:e /GRANT:r Admin:(F)
  2⤵
  PID:1844
- C:\Windows\System32\icacls.exe
  "C:\Windows\System32\icacls.exe" "C:\Windows\System32\SystemPropertiesDataExecutionPrevention.exe" /INHERITANCE:e /GRANT:r Admin:(F)
  2⤵
  - Modifies file permissions
  PID:2100
- C:\Windows\System32\takeown.exe
  "C:\Windows\System32\takeown.exe" /S MDUTPCWA /U Admin /F "C:\Windows\System32\SystemPropertiesDataExecutionPrevention.exe"
  2⤵
  - Possible privilege escalation attempt
  PID:4844
- C:\Windows\System32\icacls.exe
  "C:\Windows\System32\icacls.exe" "C:\Windows\System32\SystemPropertiesDataExecutionPrevention.exe" /INHERITANCE:e /GRANT:r Admin:(F)
  2⤵
  PID:3584
- C:\Windows\System32\takeown.exe
  "C:\Windows\System32\takeown.exe" /S MDUTPCWA /U Admin /F "C:\Windows\System32\SystemPropertiesDataExecutionPrevention.exe"
  2⤵
  PID:3372
- C:\Windows\System32\icacls.exe
  "C:\Windows\System32\icacls.exe" "C:\Windows\System32\SystemPropertiesDataExecutionPrevention.exe" /INHERITANCE:e /GRANT:r Admin:(F)
  2⤵
  PID:4484
- C:\Windows\System32\takeown.exe
  "C:\Windows\System32\takeown.exe" /S MDUTPCWA /U Admin /F "C:\Windows\System32\SystemPropertiesDataExecutionPrevention.exe"
  2⤵
  - Modifies file permissions
  PID:3560
- C:\Windows\System32\icacls.exe
  "C:\Windows\System32\icacls.exe" "C:\Windows\System32\SystemPropertiesDataExecutionPrevention.exe" /INHERITANCE:e /GRANT:r Admin:(F)
  2⤵
  - Possible privilege escalation attempt
  PID:792
- C:\Windows\System32\icacls.exe
  "C:\Windows\System32\icacls.exe" "C:\Windows\System32\SystemPropertiesDataExecutionPrevention.exe" /INHERITANCE:e /GRANT:r Admin:(F)
  2⤵
  - Possible privilege escalation attempt
  PID:1492
- C:\Windows\System32\takeown.exe
  "C:\Windows\System32\takeown.exe" /S MDUTPCWA /U Admin /F "C:\Windows\System32\SystemPropertiesDataExecutionPrevention.exe"
  2⤵
  - Possible privilege escalation attempt
  PID:1372
- C:\Windows\System32\takeown.exe
  "C:\Windows\System32\takeown.exe" /S MDUTPCWA /U Admin /F "C:\Windows\System32\SystemPropertiesDataExecutionPrevention.exe"
  2⤵
  - Possible privilege escalation attempt
  PID:3832
- C:\Windows\System32\icacls.exe
  "C:\Windows\System32\icacls.exe" "C:\Windows\System32\SystemPropertiesDataExecutionPrevention.exe" /INHERITANCE:e /GRANT:r Admin:(F)
  2⤵
  - Possible privilege escalation attempt
  PID:4848
- C:\Windows\System32\takeown.exe
  "C:\Windows\System32\takeown.exe" /S MDUTPCWA /U Admin /F "C:\Windows\System32\SystemPropertiesDataExecutionPrevention.exe"
  2⤵
  PID:2608
- C:\Windows\System32\icacls.exe
  "C:\Windows\System32\icacls.exe" "C:\Windows\System32\SystemPropertiesDataExecutionPrevention.exe" /INHERITANCE:e /GRANT:r Admin:(F)
  2⤵
  - Possible privilege escalation attempt
  PID:3844
- C:\Windows\System32\icacls.exe
  "C:\Windows\System32\icacls.exe" "C:\Windows\System32\SystemPropertiesDataExecutionPrevention.exe" /INHERITANCE:e /GRANT:r Admin:(F)
  2⤵
  - Possible privilege escalation attempt
  PID:4452
- C:\Windows\System32\takeown.exe
  "C:\Windows\System32\takeown.exe" /S MDUTPCWA /U Admin /F "C:\Windows\System32\SystemPropertiesDataExecutionPrevention.exe"
  2⤵
  PID:4320
- C:\Windows\System32\takeown.exe
  "C:\Windows\System32\takeown.exe" /S MDUTPCWA /U Admin /F "C:\Windows\System32\SystemPropertiesDataExecutionPrevention.exe"
  2⤵
  - Possible privilege escalation attempt
  PID:1852
- C:\Windows\System32\icacls.exe
  "C:\Windows\System32\icacls.exe" "C:\Windows\System32\SystemPropertiesDataExecutionPrevention.exe" /INHERITANCE:e /GRANT:r Admin:(F)
  2⤵
  - Possible privilege escalation attempt
  PID:4196
- C:\Windows\System32\takeown.exe
  "C:\Windows\System32\takeown.exe" /S MDUTPCWA /U Admin /F "C:\Windows\System32\SystemPropertiesDataExecutionPrevention.exe"
  2⤵
  - Possible privilege escalation attempt
  PID:4708
- C:\Windows\System32\icacls.exe
  "C:\Windows\System32\icacls.exe" "C:\Windows\System32\SystemPropertiesDataExecutionPrevention.exe" /INHERITANCE:e /GRANT:r Admin:(F)
  2⤵
  - Modifies file permissions
  PID:964
- C:\Windows\System32\takeown.exe
  "C:\Windows\System32\takeown.exe" /S MDUTPCWA /U Admin /F "C:\Windows\System32\SystemPropertiesDataExecutionPrevention.exe"
  2⤵
  PID:3100
- C:\Windows\System32\icacls.exe
  "C:\Windows\System32\icacls.exe" "C:\Windows\System32\SystemPropertiesDataExecutionPrevention.exe" /INHERITANCE:e /GRANT:r Admin:(F)
  2⤵
  PID:4924
- C:\Windows\System32\takeown.exe
  "C:\Windows\System32\takeown.exe" /S MDUTPCWA /U Admin /F "C:\Windows\System32\SystemPropertiesDataExecutionPrevention.exe"
  2⤵
  PID:4440
- C:\Windows\System32\icacls.exe
  "C:\Windows\System32\icacls.exe" "C:\Windows\System32\SystemPropertiesDataExecutionPrevention.exe" /INHERITANCE:e /GRANT:r Admin:(F)
  2⤵
  PID:3668
- C:\Windows\System32\takeown.exe
  "C:\Windows\System32\takeown.exe" /S MDUTPCWA /U Admin /F "C:\Windows\System32\SystemPropertiesDataExecutionPrevention.exe"
  2⤵
  - Possible privilege escalation attempt
  - Modifies file permissions
  PID:3360
- C:\Windows\System32\icacls.exe
  "C:\Windows\System32\icacls.exe" "C:\Windows\System32\SystemPropertiesDataExecutionPrevention.exe" /INHERITANCE:e /GRANT:r Admin:(F)
  2⤵
  PID:1316
- C:\Windows\System32\takeown.exe
  "C:\Windows\System32\takeown.exe" /S MDUTPCWA /U Admin /F "C:\Windows\System32\SystemPropertiesDataExecutionPrevention.exe"
  2⤵
  - Modifies file permissions
  PID:3672
- C:\Windows\System32\icacls.exe
  "C:\Windows\System32\icacls.exe" "C:\Windows\System32\SystemPropertiesDataExecutionPrevention.exe" /INHERITANCE:e /GRANT:r Admin:(F)
  2⤵
  - Possible privilege escalation attempt
  PID:1436
- C:\Windows\System32\takeown.exe
  "C:\Windows\System32\takeown.exe" /S MDUTPCWA /U Admin /F "C:\Windows\System32\SystemPropertiesDataExecutionPrevention.exe"
  2⤵
  - Possible privilege escalation attempt
  PID:3008
- C:\Windows\System32\icacls.exe
  "C:\Windows\System32\icacls.exe" "C:\Windows\System32\SystemPropertiesDataExecutionPrevention.exe" /INHERITANCE:e /GRANT:r Admin:(F)
  2⤵
  PID:3988
- C:\Windows\System32\takeown.exe
  "C:\Windows\System32\takeown.exe" /S MDUTPCWA /U Admin /F "C:\Windows\System32\SystemPropertiesDataExecutionPrevention.exe"
  2⤵
  - Possible privilege escalation attempt
  - Modifies file permissions
  PID:1472
- C:\Windows\System32\icacls.exe
  "C:\Windows\System32\icacls.exe" "C:\Windows\System32\SystemPropertiesDataExecutionPrevention.exe" /INHERITANCE:e /GRANT:r Admin:(F)
  2⤵
  PID:1876
- C:\Windows\System32\takeown.exe
  "C:\Windows\System32\takeown.exe" /S MDUTPCWA /U Admin /F "C:\Windows\System32\SystemPropertiesDataExecutionPrevention.exe"
  2⤵
  - Possible privilege escalation attempt
  PID:3348
- C:\Windows\System32\icacls.exe
  "C:\Windows\System32\icacls.exe" "C:\Windows\System32\SystemPropertiesDataExecutionPrevention.exe" /INHERITANCE:e /GRANT:r Admin:(F)
  2⤵
  - Possible privilege escalation attempt
  PID:2956
- C:\Windows\System32\takeown.exe
  "C:\Windows\System32\takeown.exe" /S MDUTPCWA /U Admin /F "C:\Windows\System32\SystemPropertiesDataExecutionPrevention.exe"
  2⤵
  PID:1344
- C:\Windows\System32\icacls.exe
  "C:\Windows\System32\icacls.exe" "C:\Windows\System32\SystemPropertiesDataExecutionPrevention.exe" /INHERITANCE:e /GRANT:r Admin:(F)
  2⤵
  - Modifies file permissions
  PID:4680
- C:\Windows\System32\icacls.exe
  "C:\Windows\System32\icacls.exe" "C:\Windows\System32\SystemPropertiesDataExecutionPrevention.exe" /INHERITANCE:e /GRANT:r Admin:(F)
  2⤵
  - Possible privilege escalation attempt
  PID:3316
- C:\Windows\System32\takeown.exe
  "C:\Windows\System32\takeown.exe" /S MDUTPCWA /U Admin /F "C:\Windows\System32\SystemPropertiesDataExecutionPrevention.exe"
  2⤵
  PID:4420
- C:\Windows\System32\icacls.exe
  "C:\Windows\System32\icacls.exe" "C:\Windows\System32\SystemPropertiesDataExecutionPrevention.exe" /INHERITANCE:e /GRANT:r Admin:(F)
  2⤵
  PID:4892
- C:\Windows\System32\takeown.exe
  "C:\Windows\System32\takeown.exe" /S MDUTPCWA /U Admin /F "C:\Windows\System32\SystemPropertiesDataExecutionPrevention.exe"
  2⤵
  - Possible privilege escalation attempt
  PID:3820
- C:\Windows\System32\icacls.exe
  "C:\Windows\System32\icacls.exe" "C:\Windows\System32\SystemPropertiesDataExecutionPrevention.exe" /INHERITANCE:e /GRANT:r Admin:(F)
  2⤵
  - Possible privilege escalation attempt
  - Modifies file permissions
  PID:5100
- C:\Windows\System32\icacls.exe
  "C:\Windows\System32\icacls.exe" "C:\Windows\System32\SystemPropertiesDataExecutionPrevention.exe" /INHERITANCE:e /GRANT:r Admin:(F)
  2⤵
  PID:5248
- C:\Windows\System32\icacls.exe
  "C:\Windows\System32\icacls.exe" "C:\Windows\System32\SystemPropertiesDataExecutionPrevention.exe" /INHERITANCE:e /GRANT:r Admin:(F)
  2⤵
  PID:5624
- C:\Windows\System32\takeown.exe
  "C:\Windows\System32\takeown.exe" /S MDUTPCWA /U Admin /F "C:\Windows\System32\SystemPropertiesDataExecutionPrevention.exe"
  2⤵
  PID:5800
- C:\Windows\System32\takeown.exe
  "C:\Windows\System32\takeown.exe" /S MDUTPCWA /U Admin /F "C:\Windows\System32\SystemPropertiesDataExecutionPrevention.exe"
  2⤵
  PID:5324
- C:\Windows\System32\icacls.exe
  "C:\Windows\System32\icacls.exe" "C:\Windows\System32\SystemPropertiesDataExecutionPrevention.exe" /INHERITANCE:e /GRANT:r Admin:(F)
  2⤵
  PID:5888
- C:\Windows\System32\takeown.exe
  "C:\Windows\System32\takeown.exe" /S MDUTPCWA /U Admin /F "C:\Windows\System32\SystemPropertiesDataExecutionPrevention.exe"
  2⤵
  - Modifies file permissions
  PID:5896
- C:\Windows\System32\icacls.exe
  "C:\Windows\System32\icacls.exe" "C:\Windows\System32\SystemPropertiesDataExecutionPrevention.exe" /INHERITANCE:e /GRANT:r Admin:(F)
  2⤵
  PID:5992
- C:\Windows\System32\takeown.exe
  "C:\Windows\System32\takeown.exe" /S MDUTPCWA /U Admin /F "C:\Windows\System32\SystemPropertiesDataExecutionPrevention.exe"
  2⤵
  - Possible privilege escalation attempt
  PID:5984
- C:\Windows\System32\icacls.exe
  "C:\Windows\System32\icacls.exe" "C:\Windows\System32\SystemPropertiesDataExecutionPrevention.exe" /INHERITANCE:e /GRANT:r Admin:(F)
  2⤵
  - Modifies file permissions
  PID:5976
- C:\Windows\System32\icacls.exe
  "C:\Windows\System32\icacls.exe" "C:\Windows\System32\SystemPropertiesDataExecutionPrevention.exe" /INHERITANCE:e /GRANT:r Admin:(F)
  2⤵
  - Possible privilege escalation attempt
  PID:5308
- C:\Windows\System32\takeown.exe
  "C:\Windows\System32\takeown.exe" /S MDUTPCWA /U Admin /F "C:\Windows\System32\SystemPropertiesDataExecutionPrevention.exe"
  2⤵
  PID:5296
- C:\Windows\System32\icacls.exe
  "C:\Windows\System32\icacls.exe" "C:\Windows\System32\SystemPropertiesDataExecutionPrevention.exe" /INHERITANCE:e /GRANT:r Admin:(F)
  2⤵
  PID:5284
- C:\Windows\System32\icacls.exe
  "C:\Windows\System32\icacls.exe" "C:\Windows\System32\SystemPropertiesDataExecutionPrevention.exe" /INHERITANCE:e /GRANT:r Admin:(F)
  2⤵
  PID:6064
- C:\Windows\System32\takeown.exe
  "C:\Windows\System32\takeown.exe" /S MDUTPCWA /U Admin /F "C:\Windows\System32\SystemPropertiesDataExecutionPrevention.exe"
  2⤵
  - Possible privilege escalation attempt
  PID:6052
- C:\Windows\System32\icacls.exe
  "C:\Windows\System32\icacls.exe" "C:\Windows\System32\SystemPropertiesDataExecutionPrevention.exe" /INHERITANCE:e /GRANT:r Admin:(F)
  2⤵
  PID:5412
- C:\Windows\System32\takeown.exe
  "C:\Windows\System32\takeown.exe" /S MDUTPCWA /U Admin /F "C:\Windows\System32\SystemPropertiesDataExecutionPrevention.exe"
  2⤵
  - Possible privilege escalation attempt
  - Modifies file permissions
  PID:212
- C:\Windows\System32\icacls.exe
  "C:\Windows\System32\icacls.exe" "C:\Windows\System32\SystemPropertiesDataExecutionPrevention.exe" /INHERITANCE:e /GRANT:r Admin:(F)
  2⤵
  - Modifies file permissions
  PID:5136
- C:\Windows\System32\takeown.exe
  "C:\Windows\System32\takeown.exe" /S MDUTPCWA /U Admin /F "C:\Windows\System32\SystemPropertiesDataExecutionPrevention.exe"
  2⤵
  PID:6136
- C:\Windows\System32\icacls.exe
  "C:\Windows\System32\icacls.exe" "C:\Windows\System32\SystemPropertiesDataExecutionPrevention.exe" /INHERITANCE:e /GRANT:r Admin:(F)
  2⤵
  - Modifies file permissions
  PID:6128
- C:\Windows\System32\takeown.exe
  "C:\Windows\System32\takeown.exe" /S MDUTPCWA /U Admin /F "C:\Windows\System32\SystemPropertiesDataExecutionPrevention.exe"
  2⤵
  - Modifies file permissions
  PID:2980
- C:\Windows\System32\icacls.exe
  "C:\Windows\System32\icacls.exe" "C:\Windows\System32\SystemPropertiesDataExecutionPrevention.exe" /INHERITANCE:e /GRANT:r Admin:(F)
  2⤵
  PID:6040
- C:\Windows\System32\takeown.exe
  "C:\Windows\System32\takeown.exe" /S MDUTPCWA /U Admin /F "C:\Windows\System32\SystemPropertiesDataExecutionPrevention.exe"
  2⤵
  PID:6256
- C:\Windows\System32\takeown.exe
  "C:\Windows\System32\takeown.exe" /S MDUTPCWA /U Admin /F "C:\Windows\System32\SystemPropertiesDataExecutionPrevention.exe"
  2⤵
  PID:6384
- C:\Windows\System32\takeown.exe
  "C:\Windows\System32\takeown.exe" /S MDUTPCWA /U Admin /F "C:\Windows\System32\SystemPropertiesDataExecutionPrevention.exe"
  2⤵
  - Modifies file permissions
  PID:6464
- C:\Windows\System32\icacls.exe
  "C:\Windows\System32\icacls.exe" "C:\Windows\System32\SystemPropertiesDataExecutionPrevention.exe" /INHERITANCE:e /GRANT:r Admin:(F)
  2⤵
  - Modifies file permissions
  PID:6512
- C:\Windows\System32\takeown.exe
  "C:\Windows\System32\takeown.exe" /S MDUTPCWA /U Admin /F "C:\Windows\System32\SystemPropertiesDataExecutionPrevention.exe"
  2⤵
  PID:6616
- C:\Windows\System32\icacls.exe
  "C:\Windows\System32\icacls.exe" "C:\Windows\System32\SystemPropertiesDataExecutionPrevention.exe" /INHERITANCE:e /GRANT:r Admin:(F)
  2⤵
  - Modifies file permissions
  PID:6648
- C:\Windows\System32\icacls.exe
  "C:\Windows\System32\icacls.exe" "C:\Windows\System32\SystemPropertiesDataExecutionPrevention.exe" /INHERITANCE:e /GRANT:r Admin:(F)
  2⤵
  - Modifies file permissions
  PID:6408
- C:\Windows\System32\icacls.exe
  "C:\Windows\System32\icacls.exe" "C:\Windows\System32\SystemPropertiesDataExecutionPrevention.exe" /INHERITANCE:e /GRANT:r Admin:(F)
  2⤵
  - Possible privilege escalation attempt
  - Modifies file permissions
  PID:6372
- C:\Windows\System32\icacls.exe
  "C:\Windows\System32\icacls.exe" "C:\Windows\System32\SystemPropertiesDataExecutionPrevention.exe" /INHERITANCE:e /GRANT:r Admin:(F)
  2⤵
  PID:5024
- C:\Windows\System32\takeown.exe
  "C:\Windows\System32\takeown.exe" /S MDUTPCWA /U Admin /F "C:\Windows\System32\SystemPropertiesDataExecutionPrevention.exe"
  2⤵
  PID:5388
- C:\Windows\System32\takeown.exe
  "C:\Windows\System32\takeown.exe" /S MDUTPCWA /U Admin /F "C:\Windows\System32\SystemPropertiesDataExecutionPrevention.exe"
  2⤵
  PID:6116
- C:\Windows\System32\icacls.exe
  "C:\Windows\System32\icacls.exe" "C:\Windows\System32\SystemPropertiesDataExecutionPrevention.exe" /INHERITANCE:e /GRANT:r Admin:(F)
  2⤵
  PID:6096
- C:\Windows\System32\takeown.exe
  "C:\Windows\System32\takeown.exe" /S MDUTPCWA /U Admin /F "C:\Windows\System32\SystemPropertiesDataExecutionPrevention.exe"
  2⤵
  - Possible privilege escalation attempt
  - Modifies file permissions
  PID:6080
- C:\Windows\System32\takeown.exe
  "C:\Windows\System32\takeown.exe" /S MDUTPCWA /U Admin /F "C:\Windows\System32\SystemPropertiesDataExecutionPrevention.exe"
  2⤵
  PID:5264
- C:\Windows\System32\takeown.exe
  "C:\Windows\System32\takeown.exe" /S MDUTPCWA /U Admin /F "C:\Windows\System32\SystemPropertiesDataExecutionPrevention.exe"
  2⤵
  - Possible privilege escalation attempt
  PID:5236
- C:\Windows\System32\icacls.exe
  "C:\Windows\System32\icacls.exe" "C:\Windows\System32\SystemPropertiesDataExecutionPrevention.exe" /INHERITANCE:e /GRANT:r Admin:(F)
  2⤵
  PID:5224
- C:\Windows\System32\takeown.exe
  "C:\Windows\System32\takeown.exe" /S MDUTPCWA /U Admin /F "C:\Windows\System32\SystemPropertiesDataExecutionPrevention.exe"
  2⤵
  PID:5204
- C:\Windows\System32\icacls.exe
  "C:\Windows\System32\icacls.exe" "C:\Windows\System32\SystemPropertiesDataExecutionPrevention.exe" /INHERITANCE:e /GRANT:r Admin:(F)
  2⤵
  PID:5196
- C:\Windows\System32\takeown.exe
  "C:\Windows\System32\takeown.exe" /S MDUTPCWA /U Admin /F "C:\Windows\System32\SystemPropertiesDataExecutionPrevention.exe"
  2⤵
  - Modifies file permissions
  PID:5176
- C:\Windows\System32\icacls.exe
  "C:\Windows\System32\icacls.exe" "C:\Windows\System32\SystemPropertiesDataExecutionPrevention.exe" /INHERITANCE:e /GRANT:r Admin:(F)
  2⤵
  - Possible privilege escalation attempt
  PID:5160
- C:\Windows\System32\takeown.exe
  "C:\Windows\System32\takeown.exe" /S MDUTPCWA /U Admin /F "C:\Windows\System32\SystemPropertiesDataExecutionPrevention.exe"
  2⤵
  - Modifies file permissions
  PID:1948
- C:\Windows\System32\icacls.exe
  "C:\Windows\System32\icacls.exe" "C:\Windows\System32\SystemPropertiesDataExecutionPrevention.exe" /INHERITANCE:e /GRANT:r Admin:(F)
  2⤵
  PID:656
- C:\Windows\System32\takeown.exe
  "C:\Windows\System32\takeown.exe" /S MDUTPCWA /U Admin /F "C:\Windows\System32\SystemPropertiesDataExecutionPrevention.exe"
  2⤵
  PID:4060
- C:\Windows\System32\icacls.exe
  "C:\Windows\System32\icacls.exe" "C:\Windows\System32\SystemPropertiesDataExecutionPrevention.exe" /INHERITANCE:e /GRANT:r Admin:(F)
  2⤵
  PID:4852
- C:\Windows\System32\icacls.exe
  "C:\Windows\System32\icacls.exe" "C:\Windows\System32\SystemPropertiesDataExecutionPrevention.exe" /INHERITANCE:e /GRANT:r Admin:(F)
  2⤵
  - Possible privilege escalation attempt
  PID:6752
- C:\Windows\System32\takeown.exe
  "C:\Windows\System32\takeown.exe" /S MDUTPCWA /U Admin /F "C:\Windows\System32\SystemPropertiesDataExecutionPrevention.exe"
  2⤵
  - Modifies file permissions
  PID:6780
- C:\Windows\System32\takeown.exe
  "C:\Windows\System32\takeown.exe" /S MDUTPCWA /U Admin /F "C:\Windows\System32\SystemPropertiesDataExecutionPrevention.exe"
  2⤵
  PID:6700
- C:\Windows\System32\takeown.exe
  "C:\Windows\System32\takeown.exe" /S MDUTPCWA /U Admin /F "C:\Windows\System32\SystemPropertiesDataExecutionPrevention.exe"
  2⤵
  - Possible privilege escalation attempt
  - Modifies file permissions
  PID:4832
- C:\Windows\System32\icacls.exe
  "C:\Windows\System32\icacls.exe" "C:\Windows\System32\SystemPropertiesDataExecutionPrevention.exe" /INHERITANCE:e /GRANT:r Admin:(F)
  2⤵
  - Possible privilege escalation attempt
  PID:3120
- C:\Windows\System32\takeown.exe
  "C:\Windows\System32\takeown.exe" /S MDUTPCWA /U Admin /F "C:\Windows\System32\SystemPropertiesDataExecutionPrevention.exe"
  2⤵
  - Possible privilege escalation attempt
  - Modifies file permissions
  PID:2780
- C:\Windows\System32\icacls.exe
  "C:\Windows\System32\icacls.exe" "C:\Windows\System32\SystemPropertiesDataExecutionPrevention.exe" /INHERITANCE:e /GRANT:r Admin:(F)
  2⤵
  - Modifies file permissions
  PID:2296
- C:\Windows\System32\takeown.exe
  "C:\Windows\System32\takeown.exe" /S MDUTPCWA /U Admin /F "C:\Windows\System32\SystemPropertiesDataExecutionPrevention.exe"
  2⤵
  PID:6992
- C:\Windows\System32\icacls.exe
  "C:\Windows\System32\icacls.exe" "C:\Windows\System32\SystemPropertiesDataExecutionPrevention.exe" /INHERITANCE:e /GRANT:r Admin:(F)
  2⤵
  PID:6876
- C:\Windows\System32\takeown.exe
  "C:\Windows\System32\takeown.exe" /S MDUTPCWA /U Admin /F "C:\Windows\System32\SystemPropertiesDataExecutionPrevention.exe"
  2⤵
  - Possible privilege escalation attempt
  - Modifies file permissions
  PID:2140
- C:\Windows\System32\icacls.exe
  "C:\Windows\System32\icacls.exe" "C:\Windows\System32\SystemPropertiesDataExecutionPrevention.exe" /INHERITANCE:e /GRANT:r Admin:(F)
  2⤵
  PID:3172
- C:\Windows\System32\takeown.exe
  "C:\Windows\System32\takeown.exe" /S MDUTPCWA /U Admin /F "C:\Windows\System32\SystemPropertiesDataExecutionPrevention.exe"
  2⤵
  PID:3968
- C:\Windows\System32\icacls.exe
  "C:\Windows\System32\icacls.exe" "C:\Windows\System32\SystemPropertiesDataExecutionPrevention.exe" /INHERITANCE:e /GRANT:r Admin:(F)
  2⤵
  PID:3788
- C:\Windows\System32\takeown.exe
  "C:\Windows\System32\takeown.exe" /S MDUTPCWA /U Admin /F "C:\Windows\System32\SystemPropertiesDataExecutionPrevention.exe"
  2⤵
  PID:3536
- C:\Windows\System32\icacls.exe
  "C:\Windows\System32\icacls.exe" "C:\Windows\System32\SystemPropertiesDataExecutionPrevention.exe" /INHERITANCE:e /GRANT:r Admin:(F)
  2⤵
  PID:4368
- C:\Windows\System32\takeown.exe
  "C:\Windows\System32\takeown.exe" /S MDUTPCWA /U Admin /F "C:\Windows\System32\SystemPropertiesDataExecutionPrevention.exe"
  2⤵
  - Modifies file permissions
  PID:3300
- C:\Windows\System32\icacls.exe
  "C:\Windows\System32\icacls.exe" "C:\Windows\System32\SystemPropertiesDataExecutionPrevention.exe" /INHERITANCE:e /GRANT:r Admin:(F)
  2⤵
  - Possible privilege escalation attempt
  PID:7044
- C:\Windows\System32\icacls.exe
  "C:\Windows\System32\icacls.exe" "C:\Windows\System32\SystemPropertiesDataExecutionPrevention.exe" /INHERITANCE:e /GRANT:r Admin:(F)
  2⤵
  - Modifies file permissions
  PID:7128
- C:\Windows\System32\takeown.exe
  "C:\Windows\System32\takeown.exe" /S MDUTPCWA /U Admin /F "C:\Windows\System32\SystemPropertiesDataExecutionPrevention.exe"
  2⤵
  PID:7120
- C:\Windows\System32\icacls.exe
  "C:\Windows\System32\icacls.exe" "C:\Windows\System32\SystemPropertiesDataExecutionPrevention.exe" /INHERITANCE:e /GRANT:r Admin:(F)
  2⤵
  - Modifies file permissions
  PID:7112
- C:\Windows\System32\takeown.exe
  "C:\Windows\System32\takeown.exe" /S MDUTPCWA /U Admin /F "C:\Windows\System32\SystemPropertiesDataExecutionPrevention.exe"
  2⤵
  - Modifies file permissions
  PID:7104
- C:\Windows\System32\icacls.exe
  "C:\Windows\System32\icacls.exe" "C:\Windows\System32\SystemPropertiesDataExecutionPrevention.exe" /INHERITANCE:e /GRANT:r Admin:(F)
  2⤵
  PID:7088
- C:\Windows\System32\takeown.exe
  "C:\Windows\System32\takeown.exe" /S MDUTPCWA /U Admin /F "C:\Windows\System32\SystemPropertiesDataExecutionPrevention.exe"
  2⤵
  PID:7072
- C:\Windows\System32\icacls.exe
  "C:\Windows\System32\icacls.exe" "C:\Windows\System32\SystemPropertiesDataExecutionPrevention.exe" /INHERITANCE:e /GRANT:r Admin:(F)
  2⤵
  - Possible privilege escalation attempt
  - Modifies file permissions
  PID:4500
- C:\Windows\System32\takeown.exe
  "C:\Windows\System32\takeown.exe" /S MDUTPCWA /U Admin /F "C:\Windows\System32\SystemPropertiesDataExecutionPrevention.exe"
  2⤵
  - Modifies file permissions
  PID:3304
- C:\Windows\System32\takeown.exe
  "C:\Windows\System32\takeown.exe" /S MDUTPCWA /U Admin /F "C:\Windows\System32\SystemPropertiesDataExecutionPrevention.exe"
  2⤵
  PID:3468
- C:\Windows\System32\icacls.exe
  "C:\Windows\System32\icacls.exe" "C:\Windows\System32\SystemPropertiesDataExecutionPrevention.exe" /INHERITANCE:e /GRANT:r Admin:(F)
  2⤵
  - Possible privilege escalation attempt
  PID:1428
- C:\Windows\System32\takeown.exe
  "C:\Windows\System32\takeown.exe" /S MDUTPCWA /U Admin /F "C:\Windows\System32\SystemPropertiesDataExecutionPrevention.exe"
  2⤵
  - Possible privilege escalation attempt
  PID:5040
- C:\Windows\System32\takeown.exe
  "C:\Windows\System32\takeown.exe" /S MDUTPCWA /U Admin /F "C:\Windows\System32\SystemPropertiesDataExecutionPrevention.exe"
  2⤵
  PID:6220
- C:\Windows\System32\takeown.exe
  "C:\Windows\System32\takeown.exe" /S MDUTPCWA /U Admin /F "C:\Windows\System32\SystemPropertiesDataExecutionPrevention.exe"
  2⤵
  - Modifies file permissions
  PID:4916
- C:\Windows\System32\icacls.exe
  "C:\Windows\System32\icacls.exe" "C:\Windows\System32\SystemPropertiesDataExecutionPrevention.exe" /INHERITANCE:e /GRANT:r Admin:(F)
  2⤵
  - Modifies file permissions
  PID:6428
- C:\Windows\System32\icacls.exe
  "C:\Windows\System32\icacls.exe" "C:\Windows\System32\SystemPropertiesDataExecutionPrevention.exe" /INHERITANCE:e /GRANT:r Admin:(F)
  2⤵
  PID:3440
- C:\Windows\System32\takeown.exe
  "C:\Windows\System32\takeown.exe" /S MDUTPCWA /U Admin /F "C:\Windows\System32\SystemPropertiesDataExecutionPrevention.exe"
  2⤵
  PID:6612
- C:\Windows\System32\icacls.exe
  "C:\Windows\System32\icacls.exe" "C:\Windows\System32\SystemPropertiesDataExecutionPrevention.exe" /INHERITANCE:e /GRANT:r Admin:(F)
  2⤵
  PID:2388
- C:\Windows\System32\takeown.exe
  "C:\Windows\System32\takeown.exe" /S MDUTPCWA /U Admin /F "C:\Windows\System32\SystemPropertiesDataExecutionPrevention.exe"
  2⤵
  PID:3244
- C:\Windows\System32\icacls.exe
  "C:\Windows\System32\icacls.exe" "C:\Windows\System32\SystemPropertiesDataExecutionPrevention.exe" /INHERITANCE:e /GRANT:r Admin:(F)
  2⤵
  - Modifies file permissions
  PID:4024
- C:\Windows\System32\takeown.exe
  "C:\Windows\System32\takeown.exe" /S MDUTPCWA /U Admin /F "C:\Windows\System32\SystemPropertiesDataExecutionPrevention.exe"
  2⤵
  PID:1012
- C:\Windows\System32\icacls.exe
  "C:\Windows\System32\icacls.exe" "C:\Windows\System32\SystemPropertiesDataExecutionPrevention.exe" /INHERITANCE:e /GRANT:r Admin:(F)
  2⤵
  - Modifies file permissions
  PID:4344
- C:\Windows\System32\takeown.exe
  "C:\Windows\System32\takeown.exe" /S MDUTPCWA /U Admin /F "C:\Windows\System32\SystemPropertiesDataExecutionPrevention.exe"
  2⤵
  PID:5312
- C:\Windows\System32\icacls.exe
  "C:\Windows\System32\icacls.exe" "C:\Windows\System32\SystemPropertiesDataExecutionPrevention.exe" /INHERITANCE:e /GRANT:r Admin:(F)
  2⤵
  - Possible privilege escalation attempt
  - Modifies file permissions
  PID:5276
- C:\Windows\System32\icacls.exe
  "C:\Windows\System32\icacls.exe" "C:\Windows\System32\SystemPropertiesDataExecutionPrevention.exe" /INHERITANCE:e /GRANT:r Admin:(F)
  2⤵
  - Modifies file permissions
  PID:4640
- C:\Windows\System32\takeown.exe
  "C:\Windows\System32\takeown.exe" /S MDUTPCWA /U Admin /F "C:\Windows\System32\SystemPropertiesDataExecutionPrevention.exe"
  2⤵
  PID:5904
- C:\Windows\System32\icacls.exe
  "C:\Windows\System32\icacls.exe" "C:\Windows\System32\SystemPropertiesDataExecutionPrevention.exe" /INHERITANCE:e /GRANT:r Admin:(F)
  2⤵
  - Possible privilege escalation attempt
  PID:5304
- C:\Windows\System32\takeown.exe
  "C:\Windows\System32\takeown.exe" /S MDUTPCWA /U Admin /F "C:\Windows\System32\SystemPropertiesDataExecutionPrevention.exe"
  2⤵
  PID:5260
- C:\Windows\System32\icacls.exe
  "C:\Windows\System32\icacls.exe" "C:\Windows\System32\SystemPropertiesDataExecutionPrevention.exe" /INHERITANCE:e /GRANT:r Admin:(F)
  2⤵
  - Possible privilege escalation attempt
  PID:5944
- C:\Windows\System32\takeown.exe
  "C:\Windows\System32\takeown.exe" /S MDUTPCWA /U Admin /F "C:\Windows\System32\SystemPropertiesDataExecutionPrevention.exe"
  2⤵
  PID:2820
- C:\Windows\System32\icacls.exe
  "C:\Windows\System32\icacls.exe" "C:\Windows\System32\SystemPropertiesDataExecutionPrevention.exe" /INHERITANCE:e /GRANT:r Admin:(F)
  2⤵
  - Possible privilege escalation attempt
  PID:208
- C:\Windows\System32\takeown.exe
  "C:\Windows\System32\takeown.exe" /S MDUTPCWA /U Admin /F "C:\Windows\System32\SystemPropertiesDataExecutionPrevention.exe"
  2⤵
  PID:7028
- C:\Windows\System32\takeown.exe
  "C:\Windows\System32\takeown.exe" /S MDUTPCWA /U Admin /F "C:\Windows\System32\SystemPropertiesDataExecutionPrevention.exe"
  2⤵
  - Possible privilege escalation attempt
  PID:5840
- C:\Windows\System32\takeown.exe
  "C:\Windows\System32\takeown.exe" /S MDUTPCWA /U Admin /F "C:\Windows\System32\SystemPropertiesDataExecutionPrevention.exe"
  2⤵
  - Possible privilege escalation attempt
  PID:7052
- C:\Windows\System32\icacls.exe
  "C:\Windows\System32\icacls.exe" "C:\Windows\System32\SystemPropertiesDataExecutionPrevention.exe" /INHERITANCE:e /GRANT:r Admin:(F)
  2⤵
  PID:5408
- C:\Windows\System32\takeown.exe
  "C:\Windows\System32\takeown.exe" /S MDUTPCWA /U Admin /F "C:\Windows\System32\SystemPropertiesDataExecutionPrevention.exe"
  2⤵
  PID:7096
- C:\Windows\System32\icacls.exe
  "C:\Windows\System32\icacls.exe" "C:\Windows\System32\SystemPropertiesDataExecutionPrevention.exe" /INHERITANCE:e /GRANT:r Admin:(F)
  2⤵
  - Possible privilege escalation attempt
  PID:5148
- C:\Windows\System32\icacls.exe
  "C:\Windows\System32\icacls.exe" "C:\Windows\System32\SystemPropertiesDataExecutionPrevention.exe" /INHERITANCE:e /GRANT:r Admin:(F)
  2⤵
  PID:6832
- C:\Windows\System32\takeown.exe
  "C:\Windows\System32\takeown.exe" /S MDUTPCWA /U Admin /F "C:\Windows\System32\SystemPropertiesDataExecutionPrevention.exe"
  2⤵
  - Possible privilege escalation attempt
  PID:5376
- C:\Windows\System32\icacls.exe
  "C:\Windows\System32\icacls.exe" "C:\Windows\System32\SystemPropertiesDataExecutionPrevention.exe" /INHERITANCE:e /GRANT:r Admin:(F)
  2⤵
  - Modifies file permissions
  PID:5400
- C:\Windows\System32\takeown.exe
  "C:\Windows\System32\takeown.exe" /S MDUTPCWA /U Admin /F "C:\Windows\System32\SystemPropertiesDataExecutionPrevention.exe"
  2⤵
  - Possible privilege escalation attempt
  PID:6972
- C:\Windows\System32\icacls.exe
  "C:\Windows\System32\icacls.exe" "C:\Windows\System32\SystemPropertiesDataExecutionPrevention.exe" /INHERITANCE:e /GRANT:r Admin:(F)
  2⤵
  PID:3036
- C:\Windows\System32\takeown.exe
  "C:\Windows\System32\takeown.exe" /S MDUTPCWA /U Admin /F "C:\Windows\System32\SystemPropertiesDataExecutionPrevention.exe"
  2⤵
  PID:5864
- C:\Windows\System32\takeown.exe
  "C:\Windows\System32\takeown.exe" /S MDUTPCWA /U Admin /F "C:\Windows\System32\SystemPropertiesDataExecutionPrevention.exe"
  2⤵
  PID:5428
- C:\Windows\System32\icacls.exe
  "C:\Windows\System32\icacls.exe" "C:\Windows\System32\SystemPropertiesDataExecutionPrevention.exe" /INHERITANCE:e /GRANT:r Admin:(F)
  2⤵
  - Possible privilege escalation attempt
  PID:1284
- C:\Windows\System32\icacls.exe
  "C:\Windows\System32\icacls.exe" "C:\Windows\System32\SystemPropertiesDataExecutionPrevention.exe" /INHERITANCE:e /GRANT:r Admin:(F)
  2⤵
  PID:5676
- C:\Windows\System32\takeown.exe
  "C:\Windows\System32\takeown.exe" /S MDUTPCWA /U Admin /F "C:\Windows\System32\SystemPropertiesDataExecutionPrevention.exe"
  2⤵
  PID:2536
- C:\Windows\System32\icacls.exe
  "C:\Windows\System32\icacls.exe" "C:\Windows\System32\SystemPropertiesDataExecutionPrevention.exe" /INHERITANCE:e /GRANT:r Admin:(F)
  2⤵
  PID:5688
- C:\Windows\System32\takeown.exe
  "C:\Windows\System32\takeown.exe" /S MDUTPCWA /U Admin /F "C:\Windows\System32\SystemPropertiesDataExecutionPrevention.exe"
  2⤵
  PID:2064
- C:\Windows\System32\icacls.exe
  "C:\Windows\System32\icacls.exe" "C:\Windows\System32\SystemPropertiesDataExecutionPrevention.exe" /INHERITANCE:e /GRANT:r Admin:(F)
  2⤵
  - Modifies file permissions
  PID:5168
- C:\Windows\System32\takeown.exe
  "C:\Windows\System32\takeown.exe" /S MDUTPCWA /U Admin /F "C:\Windows\System32\SystemPropertiesDataExecutionPrevention.exe"
  2⤵
  - Modifies file permissions
  PID:1056
- C:\Windows\System32\icacls.exe
  "C:\Windows\System32\icacls.exe" "C:\Windows\System32\SystemPropertiesDataExecutionPrevention.exe" /INHERITANCE:e /GRANT:r Admin:(F)
  2⤵
  PID:5816
- C:\Windows\System32\takeown.exe
  "C:\Windows\System32\takeown.exe" /S MDUTPCWA /U Admin /F "C:\Windows\System32\SystemPropertiesDataExecutionPrevention.exe"
  2⤵
  PID:5484
- C:\Windows\System32\icacls.exe
  "C:\Windows\System32\icacls.exe" "C:\Windows\System32\SystemPropertiesDataExecutionPrevention.exe" /INHERITANCE:e /GRANT:r Admin:(F)
  2⤵
  - Modifies file permissions
  PID:6396
- C:\Windows\System32\icacls.exe
  "C:\Windows\System32\icacls.exe" "C:\Windows\System32\SystemPropertiesDataExecutionPrevention.exe" /INHERITANCE:e /GRANT:r Admin:(F)
  2⤵
  PID:4132
- C:\Windows\System32\takeown.exe
  "C:\Windows\System32\takeown.exe" /S MDUTPCWA /U Admin /F "C:\Windows\System32\SystemPropertiesDataExecutionPrevention.exe"
  2⤵
  PID:5332
- C:\Windows\System32\takeown.exe
  "C:\Windows\System32\takeown.exe" /S MDUTPCWA /U Admin /F "C:\Windows\System32\SystemPropertiesDataExecutionPrevention.exe"
  2⤵
  - Possible privilege escalation attempt
  PID:6628
- C:\Windows\System32\icacls.exe
  "C:\Windows\System32\icacls.exe" "C:\Windows\System32\SystemPropertiesDataExecutionPrevention.exe" /INHERITANCE:e /GRANT:r Admin:(F)
  2⤵
  - Modifies file permissions
  PID:5644
- C:\Windows\System32\takeown.exe
  "C:\Windows\System32\takeown.exe" /S MDUTPCWA /U Admin /F "C:\Windows\System32\SystemPropertiesDataExecutionPrevention.exe"
  2⤵
  PID:2112
- C:\Windows\System32\icacls.exe
  "C:\Windows\System32\icacls.exe" "C:\Windows\System32\SystemPropertiesDataExecutionPrevention.exe" /INHERITANCE:e /GRANT:r Admin:(F)
  2⤵
  - Modifies file permissions
  PID:4116
- C:\Windows\System32\takeown.exe
  "C:\Windows\System32\takeown.exe" /S MDUTPCWA /U Admin /F "C:\Windows\System32\SystemPropertiesDataExecutionPrevention.exe"
  2⤵
  PID:5056
- C:\Windows\System32\takeown.exe
  "C:\Windows\System32\takeown.exe" /S MDUTPCWA /U Admin /F "C:\Windows\System32\SystemPropertiesDataExecutionPrevention.exe"
  2⤵
  PID:6388
- C:\Windows\System32\icacls.exe
  "C:\Windows\System32\icacls.exe" "C:\Windows\System32\SystemPropertiesDataExecutionPrevention.exe" /INHERITANCE:e /GRANT:r Admin:(F)
  2⤵
  PID:3332
- C:\Windows\System32\icacls.exe
  "C:\Windows\System32\icacls.exe" "C:\Windows\System32\SystemPropertiesDataExecutionPrevention.exe" /INHERITANCE:e /GRANT:r Admin:(F)
  2⤵
  PID:6336
- C:\Windows\System32\takeown.exe
  "C:\Windows\System32\takeown.exe" /S MDUTPCWA /U Admin /F "C:\Windows\System32\SystemPropertiesDataExecutionPrevention.exe"
  2⤵
  PID:3740
- C:\Windows\System32\icacls.exe
  "C:\Windows\System32\icacls.exe" "C:\Windows\System32\SystemPropertiesDataExecutionPrevention.exe" /INHERITANCE:e /GRANT:r Admin:(F)
  2⤵
  - Possible privilege escalation attempt
  PID:6268
- C:\Windows\System32\takeown.exe
  "C:\Windows\System32\takeown.exe" /S MDUTPCWA /U Admin /F "C:\Windows\System32\SystemPropertiesDataExecutionPrevention.exe"
  2⤵
  - Modifies file permissions
  PID:3320
- C:\Windows\System32\icacls.exe
  "C:\Windows\System32\icacls.exe" "C:\Windows\System32\SystemPropertiesDataExecutionPrevention.exe" /INHERITANCE:e /GRANT:r Admin:(F)
  2⤵
  PID:2972
- C:\Windows\System32\icacls.exe
  "C:\Windows\System32\icacls.exe" "C:\Windows\System32\SystemPropertiesDataExecutionPrevention.exe" /INHERITANCE:e /GRANT:r Admin:(F)
  2⤵
  PID:6048
- C:\Windows\System32\takeown.exe
  "C:\Windows\System32\takeown.exe" /S MDUTPCWA /U Admin /F "C:\Windows\System32\SystemPropertiesDataExecutionPrevention.exe"
  2⤵
  - Possible privilege escalation attempt
  PID:5152
- C:\Windows\System32\icacls.exe
  "C:\Windows\System32\icacls.exe" "C:\Windows\System32\SystemPropertiesDataExecutionPrevention.exe" /INHERITANCE:e /GRANT:r Admin:(F)
  2⤵
  - Modifies file permissions
  PID:6540
- C:\Windows\System32\takeown.exe
  "C:\Windows\System32\takeown.exe" /S MDUTPCWA /U Admin /F "C:\Windows\System32\SystemPropertiesDataExecutionPrevention.exe"
  2⤵
  PID:6676
- C:\Windows\System32\icacls.exe
  "C:\Windows\System32\icacls.exe" "C:\Windows\System32\SystemPropertiesDataExecutionPrevention.exe" /INHERITANCE:e /GRANT:r Admin:(F)
  2⤵
  PID:6704
- C:\Windows\System32\takeown.exe
  "C:\Windows\System32\takeown.exe" /S MDUTPCWA /U Admin /F "C:\Windows\System32\SystemPropertiesDataExecutionPrevention.exe"
  2⤵
  - Modifies file permissions
  PID:5540
- C:\Windows\System32\icacls.exe
  "C:\Windows\System32\icacls.exe" "C:\Windows\System32\SystemPropertiesDataExecutionPrevention.exe" /INHERITANCE:e /GRANT:r Admin:(F)
  2⤵
  - Possible privilege escalation attempt
  PID:3464
- C:\Windows\System32\takeown.exe
  "C:\Windows\System32\takeown.exe" /S MDUTPCWA /U Admin /F "C:\Windows\System32\SystemPropertiesDataExecutionPrevention.exe"
  2⤵
  - Modifies file permissions
  PID:6284

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

File and Directory Permissions Modification

T1222

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\RwGGFZWC.exe

Filesize
385KB

MD5
d700a795bcd4ab281a6c4b3ac2aa546e

SHA1
c9a034f33fa331a6d4ce66b7a6a8a004537923af

SHA256
6efd0ad1fcf1533eb6c184f8a617f82684d50698fb5421dcda93883a149d2758

SHA512
49a30e9702e0c609d3cb662c705d954093bde801228d3ab8c7da185738b4dac8f0ce333e059ec8c3f608b05c895c05088c6ee6002ebb1684d9fe14430371270f

Download Submit
C:\Windows\System32\SystemPropertiesDataExecutionPrevention.exe

Filesize
385KB

MD5
6225eb017258986767b1c4b06e35707a

SHA1
7bd6064ddd93a20547265248750a40a6741d3df4

SHA256
f5a224084f6dc6b69c5931cee52d7db0e730dfbe10cc40479dbc51d98e39714e

SHA512
117ddac2df0d13d8d61b2b1737b70751bb2508af6b95ff07d89e21fb79a8b70f9bac4491cd79454ace75b9a37b15b3053c3f1f6b4773daffb079f3adfe672994

Download Submit
C:\Windows\System32\SystemPropertiesDataExecutionPrevention.exe

Filesize
385KB

MD5
6225eb017258986767b1c4b06e35707a

SHA1
7bd6064ddd93a20547265248750a40a6741d3df4

SHA256
f5a224084f6dc6b69c5931cee52d7db0e730dfbe10cc40479dbc51d98e39714e

SHA512
117ddac2df0d13d8d61b2b1737b70751bb2508af6b95ff07d89e21fb79a8b70f9bac4491cd79454ace75b9a37b15b3053c3f1f6b4773daffb079f3adfe672994

Download Submit
C:\Windows\System32\SystemPropertiesDataExecutionPrevention.exe

Filesize
385KB

MD5
8d1764950f7dfe25d1dd938aa9d36f25

SHA1
b2021e5deba9efb3a94646aece85e15eed155cc2

SHA256
6e5f39470511e69034d83a947ff74c8d753a7d303d998a19b4256ef8ce1b2af4

SHA512
261bdf07592121d15a165a8c89fe1828f3c31e6d94a706e57bc82bb987661763957786d61192c7cc372478a0ccb57a991628ca9142cec6e34326197aa95e2936

Download Submit
C:\Windows\System32\SystemPropertiesDataExecutionPrevention.exe

Filesize
385KB

MD5
8d1764950f7dfe25d1dd938aa9d36f25

SHA1
b2021e5deba9efb3a94646aece85e15eed155cc2

SHA256
6e5f39470511e69034d83a947ff74c8d753a7d303d998a19b4256ef8ce1b2af4

SHA512
261bdf07592121d15a165a8c89fe1828f3c31e6d94a706e57bc82bb987661763957786d61192c7cc372478a0ccb57a991628ca9142cec6e34326197aa95e2936

Download Submit
C:\Windows\System32\SystemPropertiesDataExecutionPrevention.exe

Filesize
385KB

MD5
8d1764950f7dfe25d1dd938aa9d36f25

SHA1
b2021e5deba9efb3a94646aece85e15eed155cc2

SHA256
6e5f39470511e69034d83a947ff74c8d753a7d303d998a19b4256ef8ce1b2af4

SHA512
261bdf07592121d15a165a8c89fe1828f3c31e6d94a706e57bc82bb987661763957786d61192c7cc372478a0ccb57a991628ca9142cec6e34326197aa95e2936

Download Submit
memory/3200-1-0x00007FFCB7940000-0x00007FFCB8401000-memory.dmp

Filesize
10.8MB

Download
memory/3200-719-0x00007FFCB7940000-0x00007FFCB8401000-memory.dmp

Filesize
10.8MB

Download
memory/3200-883-0x000001CD76890000-0x000001CD768A0000-memory.dmp

Filesize
64KB

Download
memory/3200-0-0x000001CD742C0000-0x000001CD742E8000-memory.dmp

Filesize
160KB

Download
memory/3200-2-0x000001CD76890000-0x000001CD768A0000-memory.dmp

Filesize
64KB

Download
memory/3200-5616-0x00007FFCB7940000-0x00007FFCB8401000-memory.dmp

Filesize
10.8MB

Download