1ef267c5037e82963ba01abb34d48dbb68893ab4a24bf506a8d093c0d461b41b

Analysis

max time kernel
119s
max time network
123s
platform
windows7_x64
resource
win7-20230831-en
resource tags

arch:x64arch:x86image:win7-20230831-enlocale:en-usos:windows7-x64system
submitted
15/10/2023, 19:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c9b0cd2fbe453b899f84e9acf3aee290_exe32.exe
Size

294KB
MD5

c9b0cd2fbe453b899f84e9acf3aee290
SHA1

9ef6d9fc67676b53b1a653d71997f0d5e5184a5e
SHA256

1ef267c5037e82963ba01abb34d48dbb68893ab4a24bf506a8d093c0d461b41b
SHA512

b795e688f848494becdcef6f95c053060c57fd81801f95f949bdfb3423c5368e4e4df0259442b59a1b780a9942979d97118653caee179d523974bcad050030bb
SSDEEP

6144:YQMmbjV28okoS4oImBnkX0J8PmdWab08LL2:YWoioS/Za7

Score

10^/10

discovery evasion exploit persistence trojan

Malware Config

Signatures

UAC bypass 3 TTPs 1 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe

Disables Task Manager via registry modification
evasion

Possible privilege escalation attempt 64 IoCs

exploit

pid	Process
700	icacls.exe
4672	takeown.exe
768	takeown.exe
5096	takeown.exe
1620	takeown.exe
2488	icacls.exe
3080	takeown.exe
3328	icacls.exe
3732	icacls.exe
1560	takeown.exe
3040	icacls.exe
2464	takeown.exe
3668	icacls.exe
2448	takeown.exe
2948	takeown.exe
4084	icacls.exe
4920	takeown.exe
2560	takeown.exe
1340	takeown.exe
784	takeown.exe
4368	takeown.exe
1652	takeown.exe
3564	takeown.exe
4640	icacls.exe
1992	icacls.exe
2172	takeown.exe
1372	takeown.exe
3676	icacls.exe
3992	icacls.exe
2960	takeown.exe
4564	icacls.exe
2808	takeown.exe
4164	takeown.exe
3032	icacls.exe
3156	takeown.exe
4056	takeown.exe
3556	icacls.exe
4752	icacls.exe
880	icacls.exe
1332	icacls.exe
1060	icacls.exe
1812	icacls.exe
2980	icacls.exe
4304	takeown.exe
3652	takeown.exe
3808	takeown.exe
1112	icacls.exe
2140	icacls.exe
2676	takeown.exe
2904	icacls.exe
1164	icacls.exe
1168	icacls.exe
928	takeown.exe
2744	takeown.exe
3772	takeown.exe
4232	takeown.exe
1604	icacls.exe
908	icacls.exe
2452	icacls.exe
1260	icacls.exe
2124	icacls.exe
3116	takeown.exe
572	takeown.exe
1488	takeown.exe

Modifies file permissions 1 TTPs 64 IoCs

discovery

File and Directory Permissions Modification

T1222

pid	Process
2284	takeown.exe
4320	icacls.exe
1704	takeown.exe
2188	takeown.exe
928	takeown.exe
2444	takeown.exe
4168	icacls.exe
2644	icacls.exe
1080	takeown.exe
2744	takeown.exe
3624	icacls.exe
4024	icacls.exe
320	icacls.exe
4876	takeown.exe
4504	icacls.exe
3544	takeown.exe
3548	icacls.exe
3116	takeown.exe
4084	icacls.exe
4484	takeown.exe
3564	takeown.exe
1604	icacls.exe
2948	takeown.exe
3340	takeown.exe
4520	icacls.exe
1372	takeown.exe
1688	takeown.exe
3820	takeown.exe
2172	takeown.exe
2876	icacls.exe
1592	icacls.exe
2816	icacls.exe
1568	icacls.exe
3760	takeown.exe
4836	takeown.exe
1548	icacls.exe
3216	icacls.exe
3668	icacls.exe
1572	takeown.exe
2452	icacls.exe
2676	takeown.exe
2808	takeown.exe
2692	icacls.exe
4112	icacls.exe
1292	icacls.exe
2012	icacls.exe
2796	takeown.exe
4728	takeown.exe
2132	icacls.exe
2412	icacls.exe
2716	takeown.exe
3992	icacls.exe
1168	icacls.exe
1784	icacls.exe
572	takeown.exe
924	icacls.exe
4232	takeown.exe
3808	takeown.exe
1092	takeown.exe
880	icacls.exe
2752	takeown.exe
3152	icacls.exe
3412	takeown.exe
1084	takeown.exe

Modifies system executable filetype association 2 TTPs 1 IoCs

persistence

Modify Registry

T1112

Change Default File Association

T1546.001

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\c9b0cd2fbe453b899f84e9acf3aee290_exe32.exe BATCF %1"	c9b0cd2fbe453b899f84e9acf3aee290_exe32.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\System32\SurfaceColorTracker.exe	c9b0cd2fbe453b899f84e9acf3aee290_exe32.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 13 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\c9b0cd2fbe453b899f84e9acf3aee290_exe32.exe BATCF %1"	c9b0cd2fbe453b899f84e9acf3aee290_exe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\c9b0cd2fbe453b899f84e9acf3aee290_exe32.exe NTPAD %1"	c9b0cd2fbe453b899f84e9acf3aee290_exe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\cmdfile\shell\open\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\c9b0cd2fbe453b899f84e9acf3aee290_exe32.exe CMDSF %1"	c9b0cd2fbe453b899f84e9acf3aee290_exe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\c9b0cd2fbe453b899f84e9acf3aee290_exe32.exe VBSSF %1"	c9b0cd2fbe453b899f84e9acf3aee290_exe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\open\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\c9b0cd2fbe453b899f84e9acf3aee290_exe32.exe NTPAD %1"	c9b0cd2fbe453b899f84e9acf3aee290_exe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\giffile\shell\Open\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\c9b0cd2fbe453b899f84e9acf3aee290_exe32.exe JPGIF %1"	c9b0cd2fbe453b899f84e9acf3aee290_exe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\xmlfile\shell\open\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\c9b0cd2fbe453b899f84e9acf3aee290_exe32.exe NTPAD %1"	c9b0cd2fbe453b899f84e9acf3aee290_exe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\inifile\shell\open\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\c9b0cd2fbe453b899f84e9acf3aee290_exe32.exe NTPAD %1"	c9b0cd2fbe453b899f84e9acf3aee290_exe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\icofile\shell\open\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\c9b0cd2fbe453b899f84e9acf3aee290_exe32.exe JPGIF %1"	c9b0cd2fbe453b899f84e9acf3aee290_exe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\jpegfile\shell\open\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\c9b0cd2fbe453b899f84e9acf3aee290_exe32.exe JPGIF %1"	c9b0cd2fbe453b899f84e9acf3aee290_exe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\pngfile\shell\open\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\c9b0cd2fbe453b899f84e9acf3aee290_exe32.exe JPGIF %1"	c9b0cd2fbe453b899f84e9acf3aee290_exe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\open\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\c9b0cd2fbe453b899f84e9acf3aee290_exe32.exe HTMWF %1"	c9b0cd2fbe453b899f84e9acf3aee290_exe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\rtffile\shell\open\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\c9b0cd2fbe453b899f84e9acf3aee290_exe32.exe RTFDF %1"	c9b0cd2fbe453b899f84e9acf3aee290_exe32.exe

Modifies registry key 1 TTPs 2 IoCs

Modify Registry

T1112

pid	Process
2356	reg.exe
2092	reg.exe

Suspicious behavior: EnumeratesProcesses 21 IoCs

pid	Process
2584	c9b0cd2fbe453b899f84e9acf3aee290_exe32.exe
2584	c9b0cd2fbe453b899f84e9acf3aee290_exe32.exe
2584	c9b0cd2fbe453b899f84e9acf3aee290_exe32.exe
2584	c9b0cd2fbe453b899f84e9acf3aee290_exe32.exe
2584	c9b0cd2fbe453b899f84e9acf3aee290_exe32.exe
2584	c9b0cd2fbe453b899f84e9acf3aee290_exe32.exe
2584	c9b0cd2fbe453b899f84e9acf3aee290_exe32.exe
2584	c9b0cd2fbe453b899f84e9acf3aee290_exe32.exe
2584	c9b0cd2fbe453b899f84e9acf3aee290_exe32.exe
2584	c9b0cd2fbe453b899f84e9acf3aee290_exe32.exe
2584	c9b0cd2fbe453b899f84e9acf3aee290_exe32.exe
2584	c9b0cd2fbe453b899f84e9acf3aee290_exe32.exe
2584	c9b0cd2fbe453b899f84e9acf3aee290_exe32.exe
2584	c9b0cd2fbe453b899f84e9acf3aee290_exe32.exe
2584	c9b0cd2fbe453b899f84e9acf3aee290_exe32.exe
2584	c9b0cd2fbe453b899f84e9acf3aee290_exe32.exe
2584	c9b0cd2fbe453b899f84e9acf3aee290_exe32.exe
2584	c9b0cd2fbe453b899f84e9acf3aee290_exe32.exe
2584	c9b0cd2fbe453b899f84e9acf3aee290_exe32.exe
2584	c9b0cd2fbe453b899f84e9acf3aee290_exe32.exe
2584	c9b0cd2fbe453b899f84e9acf3aee290_exe32.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2584	c9b0cd2fbe453b899f84e9acf3aee290_exe32.exe

Suspicious use of AdjustPrivilegeToken 54 IoCs

description	pid	Process
Token: SeDebugPrivilege	2584	c9b0cd2fbe453b899f84e9acf3aee290_exe32.exe
Token: SeTakeOwnershipPrivilege	1924	takeown.exe
Token: SeTakeOwnershipPrivilege	2448	takeown.exe
Token: SeTakeOwnershipPrivilege	1544	takeown.exe
Token: SeTakeOwnershipPrivilege	1620	takeown.exe
Token: SeTakeOwnershipPrivilege	1080	takeown.exe
Token: SeTakeOwnershipPrivilege	1500	takeown.exe
Token: SeTakeOwnershipPrivilege	1704	takeown.exe
Token: SeTakeOwnershipPrivilege	1996	takeown.exe
Token: SeTakeOwnershipPrivilege	2500	takeown.exe
Token: SeTakeOwnershipPrivilege	2284	takeown.exe
Token: SeTakeOwnershipPrivilege	2172	takeown.exe
Token: SeTakeOwnershipPrivilege	1084	takeown.exe
Token: SeTakeOwnershipPrivilege	2320	takeown.exe
Token: SeTakeOwnershipPrivilege	1092	takeown.exe
Token: SeTakeOwnershipPrivilege	940	takeown.exe
Token: SeTakeOwnershipPrivilege	2084	takeown.exe
Token: SeTakeOwnershipPrivilege	2776	takeown.exe
Token: SeTakeOwnershipPrivilege	572	takeown.exe
Token: SeTakeOwnershipPrivilege	1068	takeown.exe
Token: SeTakeOwnershipPrivilege	2408	takeown.exe
Token: SeTakeOwnershipPrivilege	1936	takeown.exe
Token: SeTakeOwnershipPrivilege	2188	takeown.exe
Token: SeTakeOwnershipPrivilege	2504	takeown.exe
Token: SeTakeOwnershipPrivilege	2716	takeown.exe
Token: SeTakeOwnershipPrivilege	2676	takeown.exe
Token: SeTakeOwnershipPrivilege	2524	takeown.exe
Token: SeTakeOwnershipPrivilege	1072	takeown.exe
Token: SeTakeOwnershipPrivilege	2560	takeown.exe
Token: SeTakeOwnershipPrivilege	1340	takeown.exe
Token: SeTakeOwnershipPrivilege	2804	takeown.exe
Token: SeTakeOwnershipPrivilege	2484	takeown.exe
Token: SeTakeOwnershipPrivilege	1652	takeown.exe
Token: SeTakeOwnershipPrivilege	4012	takeown.exe
Token: SeTakeOwnershipPrivilege	1560	takeown.exe
Token: SeTakeOwnershipPrivilege	3760	takeown.exe
Token: SeTakeOwnershipPrivilege	524	takeown.exe
Token: SeTakeOwnershipPrivilege	2752	takeown.exe
Token: SeTakeOwnershipPrivilege	1372	takeown.exe
Token: SeTakeOwnershipPrivilege	1676	takeown.exe
Token: SeTakeOwnershipPrivilege	1624	takeown.exe
Token: SeTakeOwnershipPrivilege	3000	takeown.exe
Token: SeTakeOwnershipPrivilege	2660	takeown.exe
Token: SeTakeOwnershipPrivilege	1488	takeown.exe
Token: SeTakeOwnershipPrivilege	1640	takeown.exe
Token: SeTakeOwnershipPrivilege	3228	takeown.exe
Token: SeTakeOwnershipPrivilege	2008	takeown.exe
Token: SeTakeOwnershipPrivilege	2428	takeown.exe
Token: SeTakeOwnershipPrivilege	2744	takeown.exe
Token: SeTakeOwnershipPrivilege	2240	takeown.exe
Token: SeTakeOwnershipPrivilege	2948	takeown.exe
Token: SeTakeOwnershipPrivilege	3292	takeown.exe
Token: SeTakeOwnershipPrivilege	1688	takeown.exe
Token: SeTakeOwnershipPrivilege	556	takeown.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2584 wrote to memory of 2356	2584	c9b0cd2fbe453b899f84e9acf3aee290_exe32.exe	28
PID 2584 wrote to memory of 2356	2584	c9b0cd2fbe453b899f84e9acf3aee290_exe32.exe	28
PID 2584 wrote to memory of 2356	2584	c9b0cd2fbe453b899f84e9acf3aee290_exe32.exe	28
PID 2584 wrote to memory of 2092	2584	c9b0cd2fbe453b899f84e9acf3aee290_exe32.exe	30
PID 2584 wrote to memory of 2092	2584	c9b0cd2fbe453b899f84e9acf3aee290_exe32.exe	30
PID 2584 wrote to memory of 2092	2584	c9b0cd2fbe453b899f84e9acf3aee290_exe32.exe	30
PID 2584 wrote to memory of 1924	2584	c9b0cd2fbe453b899f84e9acf3aee290_exe32.exe	34
PID 2584 wrote to memory of 1924	2584	c9b0cd2fbe453b899f84e9acf3aee290_exe32.exe	34
PID 2584 wrote to memory of 1924	2584	c9b0cd2fbe453b899f84e9acf3aee290_exe32.exe	34
PID 2584 wrote to memory of 1168	2584	c9b0cd2fbe453b899f84e9acf3aee290_exe32.exe	36
PID 2584 wrote to memory of 1168	2584	c9b0cd2fbe453b899f84e9acf3aee290_exe32.exe	36
PID 2584 wrote to memory of 1168	2584	c9b0cd2fbe453b899f84e9acf3aee290_exe32.exe	36
PID 2584 wrote to memory of 2448	2584	c9b0cd2fbe453b899f84e9acf3aee290_exe32.exe	38
PID 2584 wrote to memory of 2448	2584	c9b0cd2fbe453b899f84e9acf3aee290_exe32.exe	38
PID 2584 wrote to memory of 2448	2584	c9b0cd2fbe453b899f84e9acf3aee290_exe32.exe	38
PID 2584 wrote to memory of 2280	2584	c9b0cd2fbe453b899f84e9acf3aee290_exe32.exe	40
PID 2584 wrote to memory of 2280	2584	c9b0cd2fbe453b899f84e9acf3aee290_exe32.exe	40
PID 2584 wrote to memory of 2280	2584	c9b0cd2fbe453b899f84e9acf3aee290_exe32.exe	40
PID 2584 wrote to memory of 1544	2584	c9b0cd2fbe453b899f84e9acf3aee290_exe32.exe	42
PID 2584 wrote to memory of 1544	2584	c9b0cd2fbe453b899f84e9acf3aee290_exe32.exe	42
PID 2584 wrote to memory of 1544	2584	c9b0cd2fbe453b899f84e9acf3aee290_exe32.exe	42
PID 2584 wrote to memory of 2952	2584	c9b0cd2fbe453b899f84e9acf3aee290_exe32.exe	43
PID 2584 wrote to memory of 2952	2584	c9b0cd2fbe453b899f84e9acf3aee290_exe32.exe	43
PID 2584 wrote to memory of 2952	2584	c9b0cd2fbe453b899f84e9acf3aee290_exe32.exe	43
PID 2584 wrote to memory of 1084	2584	c9b0cd2fbe453b899f84e9acf3aee290_exe32.exe	45
PID 2584 wrote to memory of 1084	2584	c9b0cd2fbe453b899f84e9acf3aee290_exe32.exe	45
PID 2584 wrote to memory of 1084	2584	c9b0cd2fbe453b899f84e9acf3aee290_exe32.exe	45
PID 2584 wrote to memory of 1292	2584	c9b0cd2fbe453b899f84e9acf3aee290_exe32.exe	46
PID 2584 wrote to memory of 1292	2584	c9b0cd2fbe453b899f84e9acf3aee290_exe32.exe	46
PID 2584 wrote to memory of 1292	2584	c9b0cd2fbe453b899f84e9acf3aee290_exe32.exe	46
PID 2584 wrote to memory of 1620	2584	c9b0cd2fbe453b899f84e9acf3aee290_exe32.exe	47
PID 2584 wrote to memory of 1620	2584	c9b0cd2fbe453b899f84e9acf3aee290_exe32.exe	47
PID 2584 wrote to memory of 1620	2584	c9b0cd2fbe453b899f84e9acf3aee290_exe32.exe	47
PID 2584 wrote to memory of 1112	2584	c9b0cd2fbe453b899f84e9acf3aee290_exe32.exe	48
PID 2584 wrote to memory of 1112	2584	c9b0cd2fbe453b899f84e9acf3aee290_exe32.exe	48
PID 2584 wrote to memory of 1112	2584	c9b0cd2fbe453b899f84e9acf3aee290_exe32.exe	48
PID 2584 wrote to memory of 1092	2584	c9b0cd2fbe453b899f84e9acf3aee290_exe32.exe	49
PID 2584 wrote to memory of 1092	2584	c9b0cd2fbe453b899f84e9acf3aee290_exe32.exe	49
PID 2584 wrote to memory of 1092	2584	c9b0cd2fbe453b899f84e9acf3aee290_exe32.exe	49
PID 2584 wrote to memory of 1784	2584	c9b0cd2fbe453b899f84e9acf3aee290_exe32.exe	52
PID 2584 wrote to memory of 1784	2584	c9b0cd2fbe453b899f84e9acf3aee290_exe32.exe	52
PID 2584 wrote to memory of 1784	2584	c9b0cd2fbe453b899f84e9acf3aee290_exe32.exe	52
PID 2584 wrote to memory of 1080	2584	c9b0cd2fbe453b899f84e9acf3aee290_exe32.exe	55
PID 2584 wrote to memory of 1080	2584	c9b0cd2fbe453b899f84e9acf3aee290_exe32.exe	55
PID 2584 wrote to memory of 1080	2584	c9b0cd2fbe453b899f84e9acf3aee290_exe32.exe	55
PID 2584 wrote to memory of 908	2584	c9b0cd2fbe453b899f84e9acf3aee290_exe32.exe	56
PID 2584 wrote to memory of 908	2584	c9b0cd2fbe453b899f84e9acf3aee290_exe32.exe	56
PID 2584 wrote to memory of 908	2584	c9b0cd2fbe453b899f84e9acf3aee290_exe32.exe	56
PID 2584 wrote to memory of 572	2584	c9b0cd2fbe453b899f84e9acf3aee290_exe32.exe	57
PID 2584 wrote to memory of 572	2584	c9b0cd2fbe453b899f84e9acf3aee290_exe32.exe	57
PID 2584 wrote to memory of 572	2584	c9b0cd2fbe453b899f84e9acf3aee290_exe32.exe	57
PID 2584 wrote to memory of 2140	2584	c9b0cd2fbe453b899f84e9acf3aee290_exe32.exe	60
PID 2584 wrote to memory of 2140	2584	c9b0cd2fbe453b899f84e9acf3aee290_exe32.exe	60
PID 2584 wrote to memory of 2140	2584	c9b0cd2fbe453b899f84e9acf3aee290_exe32.exe	60
PID 2584 wrote to memory of 940	2584	c9b0cd2fbe453b899f84e9acf3aee290_exe32.exe	103
PID 2584 wrote to memory of 940	2584	c9b0cd2fbe453b899f84e9acf3aee290_exe32.exe	103
PID 2584 wrote to memory of 940	2584	c9b0cd2fbe453b899f84e9acf3aee290_exe32.exe	103
PID 2584 wrote to memory of 924	2584	c9b0cd2fbe453b899f84e9acf3aee290_exe32.exe	102
PID 2584 wrote to memory of 924	2584	c9b0cd2fbe453b899f84e9acf3aee290_exe32.exe	102
PID 2584 wrote to memory of 924	2584	c9b0cd2fbe453b899f84e9acf3aee290_exe32.exe	102
PID 2584 wrote to memory of 1500	2584	c9b0cd2fbe453b899f84e9acf3aee290_exe32.exe	101
PID 2584 wrote to memory of 1500	2584	c9b0cd2fbe453b899f84e9acf3aee290_exe32.exe	101
PID 2584 wrote to memory of 1500	2584	c9b0cd2fbe453b899f84e9acf3aee290_exe32.exe	101
PID 2584 wrote to memory of 2452	2584	c9b0cd2fbe453b899f84e9acf3aee290_exe32.exe	94

C:\Users\Admin\AppData\Local\Temp\c9b0cd2fbe453b899f84e9acf3aee290_exe32.exe
"C:\Users\Admin\AppData\Local\Temp\c9b0cd2fbe453b899f84e9acf3aee290_exe32.exe"
1⤵
- Modifies system executable filetype association
- Drops file in System32 directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2584
- C:\Windows\System32\reg.exe
  "C:\Windows\System32\reg.exe" ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
  2⤵
  - UAC bypass
  - Modifies registry key
  PID:2356
- C:\Windows\System32\reg.exe
  "C:\Windows\System32\reg.exe" add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
  2⤵
  - Modifies registry key
  PID:2092
- C:\Windows\System32\takeown.exe
  "C:\Windows\System32\takeown.exe" /S XEBBURHY /U Admin /F "C:\Windows\bfsvc.exe"
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:1924
- C:\Windows\System32\icacls.exe
  "C:\Windows\System32\icacls.exe" "C:\Windows\bfsvc.exe" /INHERITANCE:e /GRANT:r Admin:(F)
  2⤵
  - Possible privilege escalation attempt
  - Modifies file permissions
  PID:1168
- C:\Windows\System32\takeown.exe
  "C:\Windows\System32\takeown.exe" /S XEBBURHY /U Admin /F "C:\Windows\HelpPane.exe"
  2⤵
  - Possible privilege escalation attempt
  - Suspicious use of AdjustPrivilegeToken
  PID:2448
- C:\Windows\System32\icacls.exe
  "C:\Windows\System32\icacls.exe" "C:\Windows\HelpPane.exe" /INHERITANCE:e /GRANT:r Admin:(F)
  2⤵
  PID:2280
- C:\Windows\System32\takeown.exe
  "C:\Windows\System32\takeown.exe" /S XEBBURHY /U Admin /F "C:\Windows\hh.exe"
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:1544
- C:\Windows\System32\icacls.exe
  "C:\Windows\System32\icacls.exe" "C:\Windows\hh.exe" /INHERITANCE:e /GRANT:r Admin:(F)
  2⤵
  PID:2952
- C:\Windows\System32\takeown.exe
  "C:\Windows\System32\takeown.exe" /S XEBBURHY /U Admin /F "C:\Windows\splwow64.exe"
  2⤵
  - Modifies file permissions
  - Suspicious use of AdjustPrivilegeToken
  PID:1084
- C:\Windows\System32\icacls.exe
  "C:\Windows\System32\icacls.exe" "C:\Windows\splwow64.exe" /INHERITANCE:e /GRANT:r Admin:(F)
  2⤵
  - Modifies file permissions
  PID:1292
- C:\Windows\System32\takeown.exe
  "C:\Windows\System32\takeown.exe" /S XEBBURHY /U Admin /F "C:\Windows\winhlp32.exe"
  2⤵
  - Possible privilege escalation attempt
  - Suspicious use of AdjustPrivilegeToken
  PID:1620
- C:\Windows\System32\icacls.exe
  "C:\Windows\System32\icacls.exe" "C:\Windows\winhlp32.exe" /INHERITANCE:e /GRANT:r Admin:(F)
  2⤵
  - Possible privilege escalation attempt
  PID:1112
- C:\Windows\System32\takeown.exe
  "C:\Windows\System32\takeown.exe" /S XEBBURHY /U Admin /F "C:\Windows\write.exe"
  2⤵
  - Modifies file permissions
  - Suspicious use of AdjustPrivilegeToken
  PID:1092
- C:\Windows\System32\icacls.exe
  "C:\Windows\System32\icacls.exe" "C:\Windows\write.exe" /INHERITANCE:e /GRANT:r Admin:(F)
  2⤵
  - Modifies file permissions
  PID:1784
- C:\Windows\System32\takeown.exe
  "C:\Windows\System32\takeown.exe" /S XEBBURHY /U Admin /F "C:\Windows\SysWOW64\raserver.exe"
  2⤵
  - Modifies file permissions
  - Suspicious use of AdjustPrivilegeToken
  PID:1080
- C:\Windows\System32\icacls.exe
  "C:\Windows\System32\icacls.exe" "C:\Windows\SysWOW64\raserver.exe" /INHERITANCE:e /GRANT:r Admin:(F)
  2⤵
  - Possible privilege escalation attempt
  PID:908
- C:\Windows\System32\takeown.exe
  "C:\Windows\System32\takeown.exe" /S XEBBURHY /U Admin /F "C:\Windows\SysWOW64\msra.exe"
  2⤵
  - Possible privilege escalation attempt
  - Modifies file permissions
  - Suspicious use of AdjustPrivilegeToken
  PID:572
- C:\Windows\System32\icacls.exe
  "C:\Windows\System32\icacls.exe" "C:\Windows\SysWOW64\msra.exe" /INHERITANCE:e /GRANT:r Admin:(F)
  2⤵
  - Possible privilege escalation attempt
  PID:2140
- C:\Windows\System32\icacls.exe
  "C:\Windows\System32\icacls.exe" "C:\Windows\SysWOW64\CameraSettingsUIHost.exe" /INHERITANCE:e /GRANT:r Admin:(F)
  2⤵
  - Possible privilege escalation attempt
  - Modifies file permissions
  PID:880
- C:\Windows\System32\icacls.exe
  "C:\Windows\System32\icacls.exe" "C:\Windows\SysWOW64\gpscript.exe" /INHERITANCE:e /GRANT:r Admin:(F)
  2⤵
  PID:2840
- C:\Windows\System32\icacls.exe
  "C:\Windows\System32\icacls.exe" "C:\Windows\SysWOW64\provlaunch.exe" /INHERITANCE:e /GRANT:r Admin:(F)
  2⤵
  PID:2512
- C:\Windows\System32\icacls.exe
  "C:\Windows\System32\icacls.exe" "C:\Windows\SysWOW64\runas.exe" /INHERITANCE:e /GRANT:r Admin:(F)
  2⤵
  - Possible privilege escalation attempt
  PID:3032
- C:\Windows\System32\takeown.exe
  "C:\Windows\System32\takeown.exe" /S XEBBURHY /U Admin /F "C:\Windows\SysWOW64\runas.exe"
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2084
- C:\Windows\System32\icacls.exe
  "C:\Windows\System32\icacls.exe" "C:\Windows\SysWOW64\msinfo32.exe" /INHERITANCE:e /GRANT:r Admin:(F)
  2⤵
  PID:2576
- C:\Windows\System32\takeown.exe
  "C:\Windows\System32\takeown.exe" /S XEBBURHY /U Admin /F "C:\Windows\SysWOW64\msinfo32.exe"
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2320
- C:\Windows\System32\takeown.exe
  "C:\Windows\System32\takeown.exe" /S XEBBURHY /U Admin /F "C:\Windows\SysWOW64\provlaunch.exe"
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2500
- C:\Windows\System32\icacls.exe
  "C:\Windows\System32\icacls.exe" "C:\Windows\SysWOW64\mavinject.exe" /INHERITANCE:e /GRANT:r Admin:(F)
  2⤵
  PID:2276
- C:\Windows\System32\takeown.exe
  "C:\Windows\System32\takeown.exe" /S XEBBURHY /U Admin /F "C:\Windows\SysWOW64\mavinject.exe"
  2⤵
  - Modifies file permissions
  - Suspicious use of AdjustPrivilegeToken
  PID:2284
- C:\Windows\System32\takeown.exe
  "C:\Windows\System32\takeown.exe" /S XEBBURHY /U Admin /F "C:\Windows\SysWOW64\gpscript.exe"
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2776
- C:\Windows\System32\icacls.exe
  "C:\Windows\System32\icacls.exe" "C:\Windows\SysWOW64\rrinstaller.exe" /INHERITANCE:e /GRANT:r Admin:(F)
  2⤵
  PID:2884
- C:\Windows\System32\takeown.exe
  "C:\Windows\System32\takeown.exe" /S XEBBURHY /U Admin /F "C:\Windows\SysWOW64\rrinstaller.exe"
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:1996
- C:\Windows\System32\icacls.exe
  "C:\Windows\System32\icacls.exe" "C:\Windows\SysWOW64\logagent.exe" /INHERITANCE:e /GRANT:r Admin:(F)
  2⤵
  PID:2216
- C:\Windows\System32\takeown.exe
  "C:\Windows\System32\takeown.exe" /S XEBBURHY /U Admin /F "C:\Windows\SysWOW64\logagent.exe"
  2⤵
  - Possible privilege escalation attempt
  - Modifies file permissions
  - Suspicious use of AdjustPrivilegeToken
  PID:2172
- C:\Windows\System32\takeown.exe
  "C:\Windows\System32\takeown.exe" /S XEBBURHY /U Admin /F "C:\Windows\SysWOW64\CameraSettingsUIHost.exe"
  2⤵
  - Modifies file permissions
  - Suspicious use of AdjustPrivilegeToken
  PID:1704
- C:\Windows\System32\icacls.exe
  "C:\Windows\System32\icacls.exe" "C:\Windows\SysWOW64\sdchange.exe" /INHERITANCE:e /GRANT:r Admin:(F)
  2⤵
  - Possible privilege escalation attempt
  - Modifies file permissions
  PID:2452
- C:\Windows\System32\takeown.exe
  "C:\Windows\System32\takeown.exe" /S XEBBURHY /U Admin /F "C:\Windows\SysWOW64\sdchange.exe"
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:1500
- C:\Windows\System32\icacls.exe
  "C:\Windows\System32\icacls.exe" "C:\Windows\SysWOW64\quickassist.exe" /INHERITANCE:e /GRANT:r Admin:(F)
  2⤵
  - Modifies file permissions
  PID:924
- C:\Windows\System32\takeown.exe
  "C:\Windows\System32\takeown.exe" /S XEBBURHY /U Admin /F "C:\Windows\SysWOW64\quickassist.exe"
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:940
- C:\Windows\System32\takeown.exe
  "C:\Windows\System32\takeown.exe" /S XEBBURHY /U Admin /F "C:\Windows\SysWOW64\mstsc.exe"
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:1068
- C:\Windows\System32\icacls.exe
  "C:\Windows\System32\icacls.exe" "C:\Windows\SysWOW64\mstsc.exe" /INHERITANCE:e /GRANT:r Admin:(F)
  2⤵
  PID:1656
- C:\Windows\System32\takeown.exe
  "C:\Windows\System32\takeown.exe" /S XEBBURHY /U Admin /F "C:\Windows\SysWOW64\sdiagnhost.exe"
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2408
- C:\Windows\System32\icacls.exe
  "C:\Windows\System32\icacls.exe" "C:\Windows\SysWOW64\sdiagnhost.exe" /INHERITANCE:e /GRANT:r Admin:(F)
  2⤵
  PID:1392
- C:\Windows\System32\takeown.exe
  "C:\Windows\System32\takeown.exe" /S XEBBURHY /U Admin /F "C:\Windows\System32\SurfaceColorTracker.exe"
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:1936
- C:\Windows\System32\icacls.exe
  "C:\Windows\System32\icacls.exe" "C:\Windows\System32\SurfaceColorTracker.exe" /INHERITANCE:e /GRANT:r Admin:(F)
  2⤵
  - Modifies file permissions
  PID:2132
- C:\Windows\System32\takeown.exe
  "C:\Windows\System32\takeown.exe" /S XEBBURHY /U Admin /F "C:\Windows\System32\SurfaceColorTracker.exe"
  2⤵
  - Modifies file permissions
  - Suspicious use of AdjustPrivilegeToken
  PID:2188
- C:\Windows\System32\icacls.exe
  "C:\Windows\System32\icacls.exe" "C:\Windows\System32\SurfaceColorTracker.exe" /INHERITANCE:e /GRANT:r Admin:(F)
  2⤵
  PID:2760
- C:\Windows\System32\takeown.exe
  "C:\Windows\System32\takeown.exe" /S XEBBURHY /U Admin /F "C:\Windows\System32\SurfaceColorTracker.exe"
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2660
- C:\Windows\System32\takeown.exe
  "C:\Windows\System32\takeown.exe" /S XEBBURHY /U Admin /F "C:\Windows\System32\SurfaceColorTracker.exe"
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2524
- C:\Windows\System32\icacls.exe
  "C:\Windows\System32\icacls.exe" "C:\Windows\System32\SurfaceColorTracker.exe" /INHERITANCE:e /GRANT:r Admin:(F)
  2⤵
  PID:2532
- C:\Windows\System32\icacls.exe
  "C:\Windows\System32\icacls.exe" "C:\Windows\System32\SurfaceColorTracker.exe" /INHERITANCE:e /GRANT:r Admin:(F)
  2⤵
  - Modifies file permissions
  PID:2412
- C:\Windows\System32\takeown.exe
  "C:\Windows\System32\takeown.exe" /S XEBBURHY /U Admin /F "C:\Windows\System32\SurfaceColorTracker.exe"
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2804
- C:\Windows\System32\icacls.exe
  "C:\Windows\System32\icacls.exe" "C:\Windows\System32\SurfaceColorTracker.exe" /INHERITANCE:e /GRANT:r Admin:(F)
  2⤵
  PID:1956
- C:\Windows\System32\takeown.exe
  "C:\Windows\System32\takeown.exe" /S XEBBURHY /U Admin /F "C:\Windows\System32\SurfaceColorTracker.exe"
  2⤵
  - Possible privilege escalation attempt
  - Suspicious use of AdjustPrivilegeToken
  PID:2560
- C:\Windows\System32\takeown.exe
  "C:\Windows\System32\takeown.exe" /S XEBBURHY /U Admin /F "C:\Windows\System32\SurfaceColorTracker.exe"
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2484
- C:\Windows\System32\icacls.exe
  "C:\Windows\System32\icacls.exe" "C:\Windows\System32\SurfaceColorTracker.exe" /INHERITANCE:e /GRANT:r Admin:(F)
  2⤵
  PID:2852
- C:\Windows\System32\takeown.exe
  "C:\Windows\System32\takeown.exe" /S XEBBURHY /U Admin /F "C:\Windows\System32\SurfaceColorTracker.exe"
  2⤵
  - Possible privilege escalation attempt
  - Suspicious use of AdjustPrivilegeToken
  PID:1560
- C:\Windows\System32\icacls.exe
  "C:\Windows\System32\icacls.exe" "C:\Windows\System32\SurfaceColorTracker.exe" /INHERITANCE:e /GRANT:r Admin:(F)
  2⤵
  - Modifies file permissions
  PID:320
- C:\Windows\System32\takeown.exe
  "C:\Windows\System32\takeown.exe" /S XEBBURHY /U Admin /F "C:\Windows\System32\SurfaceColorTracker.exe"
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2504
- C:\Windows\System32\icacls.exe
  "C:\Windows\System32\icacls.exe" "C:\Windows\System32\SurfaceColorTracker.exe" /INHERITANCE:e /GRANT:r Admin:(F)
  2⤵
  - Possible privilege escalation attempt
  PID:3040
- C:\Windows\System32\icacls.exe
  "C:\Windows\System32\icacls.exe" "C:\Windows\System32\SurfaceColorTracker.exe" /INHERITANCE:e /GRANT:r Admin:(F)
  2⤵
  PID:300
- C:\Windows\System32\takeown.exe
  "C:\Windows\System32\takeown.exe" /S XEBBURHY /U Admin /F "C:\Windows\System32\SurfaceColorTracker.exe"
  2⤵
  - Possible privilege escalation attempt
  - Modifies file permissions
  - Suspicious use of AdjustPrivilegeToken
  PID:2676
- C:\Windows\System32\takeown.exe
  "C:\Windows\System32\takeown.exe" /S XEBBURHY /U Admin /F "C:\Windows\System32\SurfaceColorTracker.exe"
  2⤵
  - Modifies file permissions
  - Suspicious use of AdjustPrivilegeToken
  PID:2716
- C:\Windows\System32\icacls.exe
  "C:\Windows\System32\icacls.exe" "C:\Windows\System32\SurfaceColorTracker.exe" /INHERITANCE:e /GRANT:r Admin:(F)
  2⤵
  - Modifies file permissions
  PID:2876
- C:\Windows\System32\icacls.exe
  "C:\Windows\System32\icacls.exe" "C:\Windows\System32\SurfaceColorTracker.exe" /INHERITANCE:e /GRANT:r Admin:(F)
  2⤵
  - Possible privilege escalation attempt
  PID:2904
- C:\Windows\System32\takeown.exe
  "C:\Windows\System32\takeown.exe" /S XEBBURHY /U Admin /F "C:\Windows\System32\SurfaceColorTracker.exe"
  2⤵
  - Possible privilege escalation attempt
  - Suspicious use of AdjustPrivilegeToken
  PID:1340
- C:\Windows\System32\icacls.exe
  "C:\Windows\System32\icacls.exe" "C:\Windows\System32\SurfaceColorTracker.exe" /INHERITANCE:e /GRANT:r Admin:(F)
  2⤵
  - Modifies file permissions
  PID:1592
- C:\Windows\System32\takeown.exe
  "C:\Windows\System32\takeown.exe" /S XEBBURHY /U Admin /F "C:\Windows\System32\SurfaceColorTracker.exe"
  2⤵
  - Modifies file permissions
  - Suspicious use of AdjustPrivilegeToken
  PID:2752
- C:\Windows\System32\icacls.exe
  "C:\Windows\System32\icacls.exe" "C:\Windows\System32\SurfaceColorTracker.exe" /INHERITANCE:e /GRANT:r Admin:(F)
  2⤵
  - Modifies file permissions
  PID:2816
- C:\Windows\System32\takeown.exe
  "C:\Windows\System32\takeown.exe" /S XEBBURHY /U Admin /F "C:\Windows\System32\SurfaceColorTracker.exe"
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2428
- C:\Windows\System32\icacls.exe
  "C:\Windows\System32\icacls.exe" "C:\Windows\System32\SurfaceColorTracker.exe" /INHERITANCE:e /GRANT:r Admin:(F)
  2⤵
  PID:1968
- C:\Windows\System32\takeown.exe
  "C:\Windows\System32\takeown.exe" /S XEBBURHY /U Admin /F "C:\Windows\System32\SurfaceColorTracker.exe"
  2⤵
  - Modifies file permissions
  - Suspicious use of AdjustPrivilegeToken
  PID:1688
- C:\Windows\System32\icacls.exe
  "C:\Windows\System32\icacls.exe" "C:\Windows\System32\SurfaceColorTracker.exe" /INHERITANCE:e /GRANT:r Admin:(F)
  2⤵
  - Possible privilege escalation attempt
  PID:700
- C:\Windows\System32\takeown.exe
  "C:\Windows\System32\takeown.exe" /S XEBBURHY /U Admin /F "C:\Windows\System32\SurfaceColorTracker.exe"
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2008
- C:\Windows\System32\icacls.exe
  "C:\Windows\System32\icacls.exe" "C:\Windows\System32\SurfaceColorTracker.exe" /INHERITANCE:e /GRANT:r Admin:(F)
  2⤵
  PID:2616
- C:\Windows\System32\takeown.exe
  "C:\Windows\System32\takeown.exe" /S XEBBURHY /U Admin /F "C:\Windows\System32\SurfaceColorTracker.exe"
  2⤵
  - Possible privilege escalation attempt
  - Modifies file permissions
  PID:2808
- C:\Windows\System32\icacls.exe
  "C:\Windows\System32\icacls.exe" "C:\Windows\System32\SurfaceColorTracker.exe" /INHERITANCE:e /GRANT:r Admin:(F)
  2⤵
  - Modifies file permissions
  PID:2692
- C:\Windows\System32\takeown.exe
  "C:\Windows\System32\takeown.exe" /S XEBBURHY /U Admin /F "C:\Windows\System32\SurfaceColorTracker.exe"
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:1624
- C:\Windows\System32\icacls.exe
  "C:\Windows\System32\icacls.exe" "C:\Windows\System32\SurfaceColorTracker.exe" /INHERITANCE:e /GRANT:r Admin:(F)
  2⤵
  PID:2988
- C:\Windows\System32\takeown.exe
  "C:\Windows\System32\takeown.exe" /S XEBBURHY /U Admin /F "C:\Windows\System32\SurfaceColorTracker.exe"
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:524
- C:\Windows\System32\icacls.exe
  "C:\Windows\System32\icacls.exe" "C:\Windows\System32\SurfaceColorTracker.exe" /INHERITANCE:e /GRANT:r Admin:(F)
  2⤵
  - Possible privilege escalation attempt
  PID:2488
- C:\Windows\System32\takeown.exe
  "C:\Windows\System32\takeown.exe" /S XEBBURHY /U Admin /F "C:\Windows\System32\SurfaceColorTracker.exe"
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:3000
- C:\Windows\System32\icacls.exe
  "C:\Windows\System32\icacls.exe" "C:\Windows\System32\SurfaceColorTracker.exe" /INHERITANCE:e /GRANT:r Admin:(F)
  2⤵
  PID:3008
- C:\Windows\System32\takeown.exe
  "C:\Windows\System32\takeown.exe" /S XEBBURHY /U Admin /F "C:\Windows\System32\SurfaceColorTracker.exe"
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:1640
- C:\Windows\System32\icacls.exe
  "C:\Windows\System32\icacls.exe" "C:\Windows\System32\SurfaceColorTracker.exe" /INHERITANCE:e /GRANT:r Admin:(F)
  2⤵
  - Possible privilege escalation attempt
  PID:1164
- C:\Windows\System32\takeown.exe
  "C:\Windows\System32\takeown.exe" /S XEBBURHY /U Admin /F "C:\Windows\System32\SurfaceColorTracker.exe"
  2⤵
  - Possible privilege escalation attempt
  - Modifies file permissions
  - Suspicious use of AdjustPrivilegeToken
  PID:1372
- C:\Windows\System32\icacls.exe
  "C:\Windows\System32\icacls.exe" "C:\Windows\System32\SurfaceColorTracker.exe" /INHERITANCE:e /GRANT:r Admin:(F)
  2⤵
  PID:2072
- C:\Windows\System32\takeown.exe
  "C:\Windows\System32\takeown.exe" /S XEBBURHY /U Admin /F "C:\Windows\System32\SurfaceColorTracker.exe"
  2⤵
  - Possible privilege escalation attempt
  - Suspicious use of AdjustPrivilegeToken
  PID:1652
- C:\Windows\System32\icacls.exe
  "C:\Windows\System32\icacls.exe" "C:\Windows\System32\SurfaceColorTracker.exe" /INHERITANCE:e /GRANT:r Admin:(F)
  2⤵
  - Possible privilege escalation attempt
  PID:1260
- C:\Windows\System32\takeown.exe
  "C:\Windows\System32\takeown.exe" /S XEBBURHY /U Admin /F "C:\Windows\System32\SurfaceColorTracker.exe"
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2240
- C:\Windows\System32\icacls.exe
  "C:\Windows\System32\icacls.exe" "C:\Windows\System32\SurfaceColorTracker.exe" /INHERITANCE:e /GRANT:r Admin:(F)
  2⤵
  PID:2256
- C:\Windows\System32\takeown.exe
  "C:\Windows\System32\takeown.exe" /S XEBBURHY /U Admin /F "C:\Windows\System32\SurfaceColorTracker.exe"
  2⤵
  - Possible privilege escalation attempt
  - Modifies file permissions
  - Suspicious use of AdjustPrivilegeToken
  PID:2948
- C:\Windows\System32\icacls.exe
  "C:\Windows\System32\icacls.exe" "C:\Windows\System32\SurfaceColorTracker.exe" /INHERITANCE:e /GRANT:r Admin:(F)
  2⤵
  - Possible privilege escalation attempt
  PID:2124
- C:\Windows\System32\takeown.exe
  "C:\Windows\System32\takeown.exe" /S XEBBURHY /U Admin /F "C:\Windows\System32\SurfaceColorTracker.exe"
  2⤵
  PID:2244
- C:\Windows\System32\icacls.exe
  "C:\Windows\System32\icacls.exe" "C:\Windows\System32\SurfaceColorTracker.exe" /INHERITANCE:e /GRANT:r Admin:(F)
  2⤵
  - Modifies file permissions
  PID:2012
- C:\Windows\System32\takeown.exe
  "C:\Windows\System32\takeown.exe" /S XEBBURHY /U Admin /F "C:\Windows\System32\SurfaceColorTracker.exe"
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:556
- C:\Windows\System32\icacls.exe
  "C:\Windows\System32\icacls.exe" "C:\Windows\System32\SurfaceColorTracker.exe" /INHERITANCE:e /GRANT:r Admin:(F)
  2⤵
  PID:1540
- C:\Windows\System32\takeown.exe
  "C:\Windows\System32\takeown.exe" /S XEBBURHY /U Admin /F "C:\Windows\System32\SurfaceColorTracker.exe"
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:1072
- C:\Windows\System32\icacls.exe
  "C:\Windows\System32\icacls.exe" "C:\Windows\System32\SurfaceColorTracker.exe" /INHERITANCE:e /GRANT:r Admin:(F)
  2⤵
  PID:2924
- C:\Windows\System32\takeown.exe
  "C:\Windows\System32\takeown.exe" /S XEBBURHY /U Admin /F "C:\Windows\System32\SurfaceColorTracker.exe"
  2⤵
  PID:676
- C:\Windows\System32\icacls.exe
  "C:\Windows\System32\icacls.exe" "C:\Windows\System32\SurfaceColorTracker.exe" /INHERITANCE:e /GRANT:r Admin:(F)
  2⤵
  PID:1792
- C:\Windows\System32\takeown.exe
  "C:\Windows\System32\takeown.exe" /S XEBBURHY /U Admin /F "C:\Windows\System32\SurfaceColorTracker.exe"
  2⤵
  PID:1900
- C:\Windows\System32\icacls.exe
  "C:\Windows\System32\icacls.exe" "C:\Windows\System32\SurfaceColorTracker.exe" /INHERITANCE:e /GRANT:r Admin:(F)
  2⤵
  PID:2316
- C:\Windows\System32\takeown.exe
  "C:\Windows\System32\takeown.exe" /S XEBBURHY /U Admin /F "C:\Windows\System32\SurfaceColorTracker.exe"
  2⤵
  PID:2180
- C:\Windows\System32\icacls.exe
  "C:\Windows\System32\icacls.exe" "C:\Windows\System32\SurfaceColorTracker.exe" /INHERITANCE:e /GRANT:r Admin:(F)
  2⤵
  - Possible privilege escalation attempt
  PID:1332
- C:\Windows\System32\takeown.exe
  "C:\Windows\System32\takeown.exe" /S XEBBURHY /U Admin /F "C:\Windows\System32\SurfaceColorTracker.exe"
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:1676
- C:\Windows\System32\icacls.exe
  "C:\Windows\System32\icacls.exe" "C:\Windows\System32\SurfaceColorTracker.exe" /INHERITANCE:e /GRANT:r Admin:(F)
  2⤵
  - Possible privilege escalation attempt
  PID:1812
- C:\Windows\System32\takeown.exe
  "C:\Windows\System32\takeown.exe" /S XEBBURHY /U Admin /F "C:\Windows\System32\SurfaceColorTracker.exe"
  2⤵
  - Possible privilege escalation attempt
  - Modifies file permissions
  PID:928
- C:\Windows\System32\icacls.exe
  "C:\Windows\System32\icacls.exe" "C:\Windows\System32\SurfaceColorTracker.exe" /INHERITANCE:e /GRANT:r Admin:(F)
  2⤵
  PID:2592
- C:\Windows\System32\takeown.exe
  "C:\Windows\System32\takeown.exe" /S XEBBURHY /U Admin /F "C:\Windows\System32\SurfaceColorTracker.exe"
  2⤵
  - Possible privilege escalation attempt
  - Suspicious use of AdjustPrivilegeToken
  PID:1488
- C:\Windows\System32\icacls.exe
  "C:\Windows\System32\icacls.exe" "C:\Windows\System32\SurfaceColorTracker.exe" /INHERITANCE:e /GRANT:r Admin:(F)
  2⤵
  - Modifies file permissions
  PID:1548
- C:\Windows\System32\takeown.exe
  "C:\Windows\System32\takeown.exe" /S XEBBURHY /U Admin /F "C:\Windows\System32\SurfaceColorTracker.exe"
  2⤵
  - Possible privilege escalation attempt
  PID:784
- C:\Windows\System32\icacls.exe
  "C:\Windows\System32\icacls.exe" "C:\Windows\System32\SurfaceColorTracker.exe" /INHERITANCE:e /GRANT:r Admin:(F)
  2⤵
  PID:2016
- C:\Windows\System32\takeown.exe
  "C:\Windows\System32\takeown.exe" /S XEBBURHY /U Admin /F "C:\Windows\System32\SurfaceColorTracker.exe"
  2⤵
  PID:1848
- C:\Windows\System32\icacls.exe
  "C:\Windows\System32\icacls.exe" "C:\Windows\System32\SurfaceColorTracker.exe" /INHERITANCE:e /GRANT:r Admin:(F)
  2⤵
  - Modifies file permissions
  PID:1568
- C:\Windows\System32\takeown.exe
  "C:\Windows\System32\takeown.exe" /S XEBBURHY /U Admin /F "C:\Windows\System32\SurfaceColorTracker.exe"
  2⤵
  - Possible privilege escalation attempt
  - Modifies file permissions
  - Suspicious use of AdjustPrivilegeToken
  PID:2744
- C:\Windows\System32\icacls.exe
  "C:\Windows\System32\icacls.exe" "C:\Windows\System32\SurfaceColorTracker.exe" /INHERITANCE:e /GRANT:r Admin:(F)
  2⤵
  PID:2076
- C:\Windows\System32\takeown.exe
  "C:\Windows\System32\takeown.exe" /S XEBBURHY /U Admin /F "C:\Windows\System32\SurfaceColorTracker.exe"
  2⤵
  - Modifies file permissions
  PID:2796
- C:\Windows\System32\icacls.exe
  "C:\Windows\System32\icacls.exe" "C:\Windows\System32\SurfaceColorTracker.exe" /INHERITANCE:e /GRANT:r Admin:(F)
  2⤵
  PID:1100
- C:\Windows\System32\takeown.exe
  "C:\Windows\System32\takeown.exe" /S XEBBURHY /U Admin /F "C:\Windows\System32\SurfaceColorTracker.exe"
  2⤵
  - Possible privilege escalation attempt
  PID:3080
- C:\Windows\System32\icacls.exe
  "C:\Windows\System32\icacls.exe" "C:\Windows\System32\SurfaceColorTracker.exe" /INHERITANCE:e /GRANT:r Admin:(F)
  2⤵
  PID:3096
- C:\Windows\System32\takeown.exe
  "C:\Windows\System32\takeown.exe" /S XEBBURHY /U Admin /F "C:\Windows\System32\SurfaceColorTracker.exe"
  2⤵
  - Possible privilege escalation attempt
  - Modifies file permissions
  PID:3116
- C:\Windows\System32\icacls.exe
  "C:\Windows\System32\icacls.exe" "C:\Windows\System32\SurfaceColorTracker.exe" /INHERITANCE:e /GRANT:r Admin:(F)
  2⤵
  PID:3140
- C:\Windows\System32\takeown.exe
  "C:\Windows\System32\takeown.exe" /S XEBBURHY /U Admin /F "C:\Windows\System32\SurfaceColorTracker.exe"
  2⤵
  - Possible privilege escalation attempt
  PID:3156
- C:\Windows\System32\icacls.exe
  "C:\Windows\System32\icacls.exe" "C:\Windows\System32\SurfaceColorTracker.exe" /INHERITANCE:e /GRANT:r Admin:(F)
  2⤵
  PID:3176
- C:\Windows\System32\takeown.exe
  "C:\Windows\System32\takeown.exe" /S XEBBURHY /U Admin /F "C:\Windows\System32\SurfaceColorTracker.exe"
  2⤵
  PID:3204
- C:\Windows\System32\icacls.exe
  "C:\Windows\System32\icacls.exe" "C:\Windows\System32\SurfaceColorTracker.exe" /INHERITANCE:e /GRANT:r Admin:(F)
  2⤵
  - Modifies file permissions
  PID:3216
- C:\Windows\System32\takeown.exe
  "C:\Windows\System32\takeown.exe" /S XEBBURHY /U Admin /F "C:\Windows\System32\SurfaceColorTracker.exe"
  2⤵
  PID:3244
- C:\Windows\System32\icacls.exe
  "C:\Windows\System32\icacls.exe" "C:\Windows\System32\SurfaceColorTracker.exe" /INHERITANCE:e /GRANT:r Admin:(F)
  2⤵
  PID:3260
- C:\Windows\System32\takeown.exe
  "C:\Windows\System32\takeown.exe" /S XEBBURHY /U Admin /F "C:\Windows\System32\SurfaceColorTracker.exe"
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:3292
- C:\Windows\System32\icacls.exe
  "C:\Windows\System32\icacls.exe" "C:\Windows\System32\SurfaceColorTracker.exe" /INHERITANCE:e /GRANT:r Admin:(F)
  2⤵
  - Possible privilege escalation attempt
  PID:3328
- C:\Windows\System32\takeown.exe
  "C:\Windows\System32\takeown.exe" /S XEBBURHY /U Admin /F "C:\Windows\System32\SurfaceColorTracker.exe"
  2⤵
  PID:3356
- C:\Windows\System32\icacls.exe
  "C:\Windows\System32\icacls.exe" "C:\Windows\System32\SurfaceColorTracker.exe" /INHERITANCE:e /GRANT:r Admin:(F)
  2⤵
  PID:3388
- C:\Windows\System32\takeown.exe
  "C:\Windows\System32\takeown.exe" /S XEBBURHY /U Admin /F "C:\Windows\System32\SurfaceColorTracker.exe"
  2⤵
  - Modifies file permissions
  PID:3412
- C:\Windows\System32\icacls.exe
  "C:\Windows\System32\icacls.exe" "C:\Windows\System32\SurfaceColorTracker.exe" /INHERITANCE:e /GRANT:r Admin:(F)
  2⤵
  PID:3428
- C:\Windows\System32\takeown.exe
  "C:\Windows\System32\takeown.exe" /S XEBBURHY /U Admin /F "C:\Windows\System32\SurfaceColorTracker.exe"
  2⤵
  PID:3448
- C:\Windows\System32\icacls.exe
  "C:\Windows\System32\icacls.exe" "C:\Windows\System32\SurfaceColorTracker.exe" /INHERITANCE:e /GRANT:r Admin:(F)
  2⤵
  PID:3476
- C:\Windows\System32\takeown.exe
  "C:\Windows\System32\takeown.exe" /S XEBBURHY /U Admin /F "C:\Windows\System32\SurfaceColorTracker.exe"
  2⤵
  PID:3504
- C:\Windows\System32\icacls.exe
  "C:\Windows\System32\icacls.exe" "C:\Windows\System32\SurfaceColorTracker.exe" /INHERITANCE:e /GRANT:r Admin:(F)
  2⤵
  PID:3528
- C:\Windows\System32\icacls.exe
  "C:\Windows\System32\icacls.exe" "C:\Windows\System32\SurfaceColorTracker.exe" /INHERITANCE:e /GRANT:r Admin:(F)
  2⤵
  PID:3572
- C:\Windows\System32\takeown.exe
  "C:\Windows\System32\takeown.exe" /S XEBBURHY /U Admin /F "C:\Windows\System32\SurfaceColorTracker.exe"
  2⤵
  - Possible privilege escalation attempt
  - Modifies file permissions
  PID:3564
- C:\Windows\System32\takeown.exe
  "C:\Windows\System32\takeown.exe" /S XEBBURHY /U Admin /F "C:\Windows\System32\SurfaceColorTracker.exe"
  2⤵
  PID:3600
- C:\Windows\System32\icacls.exe
  "C:\Windows\System32\icacls.exe" "C:\Windows\System32\SurfaceColorTracker.exe" /INHERITANCE:e /GRANT:r Admin:(F)
  2⤵
  - Modifies file permissions
  PID:3624
- C:\Windows\System32\takeown.exe
  "C:\Windows\System32\takeown.exe" /S XEBBURHY /U Admin /F "C:\Windows\System32\SurfaceColorTracker.exe"
  2⤵
  - Possible privilege escalation attempt
  PID:3652
- C:\Windows\System32\icacls.exe
  "C:\Windows\System32\icacls.exe" "C:\Windows\System32\SurfaceColorTracker.exe" /INHERITANCE:e /GRANT:r Admin:(F)
  2⤵
  - Possible privilege escalation attempt
  PID:3676
- C:\Windows\System32\takeown.exe
  "C:\Windows\System32\takeown.exe" /S XEBBURHY /U Admin /F "C:\Windows\System32\SurfaceColorTracker.exe"
  2⤵
  PID:3708
- C:\Windows\System32\icacls.exe
  "C:\Windows\System32\icacls.exe" "C:\Windows\System32\SurfaceColorTracker.exe" /INHERITANCE:e /GRANT:r Admin:(F)
  2⤵
  - Possible privilege escalation attempt
  PID:3732
- C:\Windows\System32\takeown.exe
  "C:\Windows\System32\takeown.exe" /S XEBBURHY /U Admin /F "C:\Windows\System32\SurfaceColorTracker.exe"
  2⤵
  - Modifies file permissions
  - Suspicious use of AdjustPrivilegeToken
  PID:3760
- C:\Windows\System32\takeown.exe
  "C:\Windows\System32\takeown.exe" /S XEBBURHY /U Admin /F "C:\Windows\System32\SurfaceColorTracker.exe"
  2⤵
  - Modifies file permissions
  PID:3820
- C:\Windows\System32\icacls.exe
  "C:\Windows\System32\icacls.exe" "C:\Windows\System32\SurfaceColorTracker.exe" /INHERITANCE:e /GRANT:r Admin:(F)
  2⤵
  PID:3780
- C:\Windows\System32\icacls.exe
  "C:\Windows\System32\icacls.exe" "C:\Windows\System32\SurfaceColorTracker.exe" /INHERITANCE:e /GRANT:r Admin:(F)
  2⤵
  PID:3828
- C:\Windows\System32\takeown.exe
  "C:\Windows\System32\takeown.exe" /S XEBBURHY /U Admin /F "C:\Windows\System32\SurfaceColorTracker.exe"
  2⤵
  PID:3856
- C:\Windows\System32\icacls.exe
  "C:\Windows\System32\icacls.exe" "C:\Windows\System32\SurfaceColorTracker.exe" /INHERITANCE:e /GRANT:r Admin:(F)
  2⤵
  PID:3892
- C:\Windows\System32\takeown.exe
  "C:\Windows\System32\takeown.exe" /S XEBBURHY /U Admin /F "C:\Windows\System32\SurfaceColorTracker.exe"
  2⤵
  PID:3920
- C:\Windows\System32\icacls.exe
  "C:\Windows\System32\icacls.exe" "C:\Windows\System32\SurfaceColorTracker.exe" /INHERITANCE:e /GRANT:r Admin:(F)
  2⤵
  PID:3944
- C:\Windows\System32\takeown.exe
  "C:\Windows\System32\takeown.exe" /S XEBBURHY /U Admin /F "C:\Windows\System32\SurfaceColorTracker.exe"
  2⤵
  PID:3968
- C:\Windows\System32\icacls.exe
  "C:\Windows\System32\icacls.exe" "C:\Windows\System32\SurfaceColorTracker.exe" /INHERITANCE:e /GRANT:r Admin:(F)
  2⤵
  - Possible privilege escalation attempt
  - Modifies file permissions
  PID:3992
- C:\Windows\System32\takeown.exe
  "C:\Windows\System32\takeown.exe" /S XEBBURHY /U Admin /F "C:\Windows\System32\SurfaceColorTracker.exe"
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:4012
- C:\Windows\System32\icacls.exe
  "C:\Windows\System32\icacls.exe" "C:\Windows\System32\SurfaceColorTracker.exe" /INHERITANCE:e /GRANT:r Admin:(F)
  2⤵
  PID:4032
- C:\Windows\System32\takeown.exe
  "C:\Windows\System32\takeown.exe" /S XEBBURHY /U Admin /F "C:\Windows\System32\SurfaceColorTracker.exe"
  2⤵
  - Possible privilege escalation attempt
  PID:4056
- C:\Windows\System32\icacls.exe
  "C:\Windows\System32\icacls.exe" "C:\Windows\System32\SurfaceColorTracker.exe" /INHERITANCE:e /GRANT:r Admin:(F)
  2⤵
  - Possible privilege escalation attempt
  - Modifies file permissions
  PID:4084
- C:\Windows\System32\takeown.exe
  "C:\Windows\System32\takeown.exe" /S XEBBURHY /U Admin /F "C:\Windows\System32\SurfaceColorTracker.exe"
  2⤵
  - Modifies file permissions
  PID:2444
- C:\Windows\System32\icacls.exe
  "C:\Windows\System32\icacls.exe" "C:\Windows\System32\SurfaceColorTracker.exe" /INHERITANCE:e /GRANT:r Admin:(F)
  2⤵
  PID:3112
- C:\Windows\System32\takeown.exe
  "C:\Windows\System32\takeown.exe" /S XEBBURHY /U Admin /F "C:\Windows\System32\SurfaceColorTracker.exe"
  2⤵
  - Possible privilege escalation attempt
  PID:2464
- C:\Windows\System32\icacls.exe
  "C:\Windows\System32\icacls.exe" "C:\Windows\System32\SurfaceColorTracker.exe" /INHERITANCE:e /GRANT:r Admin:(F)
  2⤵
  - Modifies file permissions
  PID:3152
- C:\Windows\System32\takeown.exe
  "C:\Windows\System32\takeown.exe" /S XEBBURHY /U Admin /F "C:\Windows\System32\SurfaceColorTracker.exe"
  2⤵
  - Modifies file permissions
  PID:3340
- C:\Windows\System32\icacls.exe
  "C:\Windows\System32\icacls.exe" "C:\Windows\System32\SurfaceColorTracker.exe" /INHERITANCE:e /GRANT:r Admin:(F)
  2⤵
  - Possible privilege escalation attempt
  PID:2980
- C:\Windows\System32\takeown.exe
  "C:\Windows\System32\takeown.exe" /S XEBBURHY /U Admin /F "C:\Windows\System32\SurfaceColorTracker.exe"
  2⤵
  - Modifies file permissions
  PID:3544
- C:\Windows\System32\icacls.exe
  "C:\Windows\System32\icacls.exe" "C:\Windows\System32\SurfaceColorTracker.exe" /INHERITANCE:e /GRANT:r Admin:(F)
  2⤵
  PID:1220
- C:\Windows\System32\takeown.exe
  "C:\Windows\System32\takeown.exe" /S XEBBURHY /U Admin /F "C:\Windows\System32\SurfaceColorTracker.exe"
  2⤵
  PID:3720
- C:\Windows\System32\icacls.exe
  "C:\Windows\System32\icacls.exe" "C:\Windows\System32\SurfaceColorTracker.exe" /INHERITANCE:e /GRANT:r Admin:(F)
  2⤵
  - Possible privilege escalation attempt
  PID:3556
- C:\Windows\System32\takeown.exe
  "C:\Windows\System32\takeown.exe" /S XEBBURHY /U Admin /F "C:\Windows\System32\SurfaceColorTracker.exe"
  2⤵
  - Possible privilege escalation attempt
  PID:3772
- C:\Windows\System32\icacls.exe
  "C:\Windows\System32\icacls.exe" "C:\Windows\System32\SurfaceColorTracker.exe" /INHERITANCE:e /GRANT:r Admin:(F)
  2⤵
  - Possible privilege escalation attempt
  - Modifies file permissions
  PID:3668
- C:\Windows\System32\takeown.exe
  "C:\Windows\System32\takeown.exe" /S XEBBURHY /U Admin /F "C:\Windows\System32\SurfaceColorTracker.exe"
  2⤵
  PID:4020
- C:\Windows\System32\icacls.exe
  "C:\Windows\System32\icacls.exe" "C:\Windows\System32\SurfaceColorTracker.exe" /INHERITANCE:e /GRANT:r Admin:(F)
  2⤵
  - Modifies file permissions
  PID:4024
- C:\Windows\System32\takeown.exe
  "C:\Windows\System32\takeown.exe" /S XEBBURHY /U Admin /F "C:\Windows\System32\SurfaceColorTracker.exe"
  2⤵
  - Possible privilege escalation attempt
  PID:768
- C:\Windows\System32\icacls.exe
  "C:\Windows\System32\icacls.exe" "C:\Windows\System32\SurfaceColorTracker.exe" /INHERITANCE:e /GRANT:r Admin:(F)
  2⤵
  PID:2496
- C:\Windows\System32\takeown.exe
  "C:\Windows\System32\takeown.exe" /S XEBBURHY /U Admin /F "C:\Windows\System32\SurfaceColorTracker.exe"
  2⤵
  - Modifies file permissions
  PID:1572
- C:\Windows\System32\icacls.exe
  "C:\Windows\System32\icacls.exe" "C:\Windows\System32\SurfaceColorTracker.exe" /INHERITANCE:e /GRANT:r Admin:(F)
  2⤵
  PID:1696
- C:\Windows\System32\takeown.exe
  "C:\Windows\System32\takeown.exe" /S XEBBURHY /U Admin /F "C:\Windows\System32\SurfaceColorTracker.exe"
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:3228
- C:\Windows\System32\icacls.exe
  "C:\Windows\System32\icacls.exe" "C:\Windows\System32\SurfaceColorTracker.exe" /INHERITANCE:e /GRANT:r Admin:(F)
  2⤵
  - Possible privilege escalation attempt
  PID:1060
- C:\Windows\System32\takeown.exe
  "C:\Windows\System32\takeown.exe" /S XEBBURHY /U Admin /F "C:\Windows\System32\SurfaceColorTracker.exe"
  2⤵
  PID:2024
- C:\Windows\System32\icacls.exe
  "C:\Windows\System32\icacls.exe" "C:\Windows\System32\SurfaceColorTracker.exe" /INHERITANCE:e /GRANT:r Admin:(F)
  2⤵
  - Modifies file permissions
  PID:4112
- C:\Windows\System32\takeown.exe
  "C:\Windows\System32\takeown.exe" /S XEBBURHY /U Admin /F "C:\Windows\System32\SurfaceColorTracker.exe"
  2⤵
  PID:4132
- C:\Windows\System32\icacls.exe
  "C:\Windows\System32\icacls.exe" "C:\Windows\System32\SurfaceColorTracker.exe" /INHERITANCE:e /GRANT:r Admin:(F)
  2⤵
  - Modifies file permissions
  PID:4168
- C:\Windows\System32\takeown.exe
  "C:\Windows\System32\takeown.exe" /S XEBBURHY /U Admin /F "C:\Windows\System32\SurfaceColorTracker.exe"
  2⤵
  PID:4196
- C:\Windows\System32\icacls.exe
  "C:\Windows\System32\icacls.exe" "C:\Windows\System32\SurfaceColorTracker.exe" /INHERITANCE:e /GRANT:r Admin:(F)
  2⤵
  PID:4216
- C:\Windows\System32\takeown.exe
  "C:\Windows\System32\takeown.exe" /S XEBBURHY /U Admin /F "C:\Windows\System32\SurfaceColorTracker.exe"
  2⤵
  - Possible privilege escalation attempt
  - Modifies file permissions
  PID:4232
- C:\Windows\System32\icacls.exe
  "C:\Windows\System32\icacls.exe" "C:\Windows\System32\SurfaceColorTracker.exe" /INHERITANCE:e /GRANT:r Admin:(F)
  2⤵
  PID:4272
- C:\Windows\System32\icacls.exe
  "C:\Windows\System32\icacls.exe" "C:\Windows\System32\SurfaceColorTracker.exe" /INHERITANCE:e /GRANT:r Admin:(F)
  2⤵
  - Modifies file permissions
  PID:4320
- C:\Windows\System32\takeown.exe
  "C:\Windows\System32\takeown.exe" /S XEBBURHY /U Admin /F "C:\Windows\System32\SurfaceColorTracker.exe"
  2⤵
  - Possible privilege escalation attempt
  PID:4368
- C:\Windows\System32\takeown.exe
  "C:\Windows\System32\takeown.exe" /S XEBBURHY /U Admin /F "C:\Windows\System32\SurfaceColorTracker.exe"
  2⤵
  - Possible privilege escalation attempt
  PID:4304
- C:\Windows\System32\icacls.exe
  "C:\Windows\System32\icacls.exe" "C:\Windows\System32\SurfaceColorTracker.exe" /INHERITANCE:e /GRANT:r Admin:(F)
  2⤵
  PID:4396
- C:\Windows\System32\takeown.exe
  "C:\Windows\System32\takeown.exe" /S XEBBURHY /U Admin /F "C:\Windows\System32\SurfaceColorTracker.exe"
  2⤵
  PID:4424
- C:\Windows\System32\icacls.exe
  "C:\Windows\System32\icacls.exe" "C:\Windows\System32\SurfaceColorTracker.exe" /INHERITANCE:e /GRANT:r Admin:(F)
  2⤵
  PID:4448
- C:\Windows\System32\takeown.exe
  "C:\Windows\System32\takeown.exe" /S XEBBURHY /U Admin /F "C:\Windows\System32\SurfaceColorTracker.exe"
  2⤵
  - Modifies file permissions
  PID:4484
- C:\Windows\System32\icacls.exe
  "C:\Windows\System32\icacls.exe" "C:\Windows\System32\SurfaceColorTracker.exe" /INHERITANCE:e /GRANT:r Admin:(F)
  2⤵
  - Modifies file permissions
  PID:4504
- C:\Windows\System32\takeown.exe
  "C:\Windows\System32\takeown.exe" /S XEBBURHY /U Admin /F "C:\Windows\System32\SurfaceColorTracker.exe"
  2⤵
  PID:4536
- C:\Windows\System32\icacls.exe
  "C:\Windows\System32\icacls.exe" "C:\Windows\System32\SurfaceColorTracker.exe" /INHERITANCE:e /GRANT:r Admin:(F)
  2⤵
  - Possible privilege escalation attempt
  PID:4564
- C:\Windows\System32\takeown.exe
  "C:\Windows\System32\takeown.exe" /S XEBBURHY /U Admin /F "C:\Windows\System32\SurfaceColorTracker.exe"
  2⤵
  PID:4584
- C:\Windows\System32\icacls.exe
  "C:\Windows\System32\icacls.exe" "C:\Windows\System32\SurfaceColorTracker.exe" /INHERITANCE:e /GRANT:r Admin:(F)
  2⤵
  - Possible privilege escalation attempt
  PID:4640
- C:\Windows\System32\takeown.exe
  "C:\Windows\System32\takeown.exe" /S XEBBURHY /U Admin /F "C:\Windows\System32\SurfaceColorTracker.exe"
  2⤵
  - Possible privilege escalation attempt
  PID:4672
- C:\Windows\System32\takeown.exe
  "C:\Windows\System32\takeown.exe" /S XEBBURHY /U Admin /F "C:\Windows\System32\SurfaceColorTracker.exe"
  2⤵
  - Modifies file permissions
  PID:4728
- C:\Windows\System32\icacls.exe
  "C:\Windows\System32\icacls.exe" "C:\Windows\System32\SurfaceColorTracker.exe" /INHERITANCE:e /GRANT:r Admin:(F)
  2⤵
  PID:4688
- C:\Windows\System32\icacls.exe
  "C:\Windows\System32\icacls.exe" "C:\Windows\System32\SurfaceColorTracker.exe" /INHERITANCE:e /GRANT:r Admin:(F)
  2⤵
  - Possible privilege escalation attempt
  PID:4752
- C:\Windows\System32\takeown.exe
  "C:\Windows\System32\takeown.exe" /S XEBBURHY /U Admin /F "C:\Windows\System32\SurfaceColorTracker.exe"
  2⤵
  PID:4788
- C:\Windows\System32\icacls.exe
  "C:\Windows\System32\icacls.exe" "C:\Windows\System32\SurfaceColorTracker.exe" /INHERITANCE:e /GRANT:r Admin:(F)
  2⤵
  PID:4812
- C:\Windows\System32\takeown.exe
  "C:\Windows\System32\takeown.exe" /S XEBBURHY /U Admin /F "C:\Windows\System32\SurfaceColorTracker.exe"
  2⤵
  - Modifies file permissions
  PID:4836
- C:\Windows\System32\icacls.exe
  "C:\Windows\System32\icacls.exe" "C:\Windows\System32\SurfaceColorTracker.exe" /INHERITANCE:e /GRANT:r Admin:(F)
  2⤵
  PID:4860
- C:\Windows\System32\takeown.exe
  "C:\Windows\System32\takeown.exe" /S XEBBURHY /U Admin /F "C:\Windows\System32\SurfaceColorTracker.exe"
  2⤵
  - Modifies file permissions
  PID:4876
- C:\Windows\System32\icacls.exe
  "C:\Windows\System32\icacls.exe" "C:\Windows\System32\SurfaceColorTracker.exe" /INHERITANCE:e /GRANT:r Admin:(F)
  2⤵
  PID:4944
- C:\Windows\System32\takeown.exe
  "C:\Windows\System32\takeown.exe" /S XEBBURHY /U Admin /F "C:\Windows\System32\SurfaceColorTracker.exe"
  2⤵
  PID:4988
- C:\Windows\System32\takeown.exe
  "C:\Windows\System32\takeown.exe" /S XEBBURHY /U Admin /F "C:\Windows\System32\SurfaceColorTracker.exe"
  2⤵
  - Possible privilege escalation attempt
  PID:4920
- C:\Windows\System32\icacls.exe
  "C:\Windows\System32\icacls.exe" "C:\Windows\System32\SurfaceColorTracker.exe" /INHERITANCE:e /GRANT:r Admin:(F)
  2⤵
  PID:4888
- C:\Windows\System32\takeown.exe
  "C:\Windows\System32\takeown.exe" /S XEBBURHY /U Admin /F "C:\Windows\System32\SurfaceColorTracker.exe"
  2⤵
  PID:5028
- C:\Windows\System32\icacls.exe
  "C:\Windows\System32\icacls.exe" "C:\Windows\System32\SurfaceColorTracker.exe" /INHERITANCE:e /GRANT:r Admin:(F)
  2⤵
  PID:5008
- C:\Windows\System32\icacls.exe
  "C:\Windows\System32\icacls.exe" "C:\Windows\System32\SurfaceColorTracker.exe" /INHERITANCE:e /GRANT:r Admin:(F)
  2⤵
  PID:5064
- C:\Windows\System32\takeown.exe
  "C:\Windows\System32\takeown.exe" /S XEBBURHY /U Admin /F "C:\Windows\System32\SurfaceColorTracker.exe"
  2⤵
  - Possible privilege escalation attempt
  PID:5096
- C:\Windows\System32\icacls.exe
  "C:\Windows\System32\icacls.exe" "C:\Windows\System32\SurfaceColorTracker.exe" /INHERITANCE:e /GRANT:r Admin:(F)
  2⤵
  - Modifies file permissions
  PID:3548
- C:\Windows\System32\takeown.exe
  "C:\Windows\System32\takeown.exe" /S XEBBURHY /U Admin /F "C:\Windows\System32\SurfaceColorTracker.exe"
  2⤵
  PID:4140
- C:\Windows\System32\icacls.exe
  "C:\Windows\System32\icacls.exe" "C:\Windows\System32\SurfaceColorTracker.exe" /INHERITANCE:e /GRANT:r Admin:(F)
  2⤵
  PID:2800
- C:\Windows\System32\takeown.exe
  "C:\Windows\System32\takeown.exe" /S XEBBURHY /U Admin /F "C:\Windows\System32\SurfaceColorTracker.exe"
  2⤵
  PID:3444
- C:\Windows\System32\takeown.exe
  "C:\Windows\System32\takeown.exe" /S XEBBURHY /U Admin /F "C:\Windows\System32\SurfaceColorTracker.exe"
  2⤵
  PID:3384
- C:\Windows\System32\icacls.exe
  "C:\Windows\System32\icacls.exe" "C:\Windows\System32\SurfaceColorTracker.exe" /INHERITANCE:e /GRANT:r Admin:(F)
  2⤵
  PID:944
- C:\Windows\System32\takeown.exe
  "C:\Windows\System32\takeown.exe" /S XEBBURHY /U Admin /F "C:\Windows\System32\SurfaceColorTracker.exe"
  2⤵
  - Possible privilege escalation attempt
  PID:4164
- C:\Windows\System32\icacls.exe
  "C:\Windows\System32\icacls.exe" "C:\Windows\System32\SurfaceColorTracker.exe" /INHERITANCE:e /GRANT:r Admin:(F)
  2⤵
  - Possible privilege escalation attempt
  PID:1992
- C:\Windows\System32\icacls.exe
  "C:\Windows\System32\icacls.exe" "C:\Windows\System32\SurfaceColorTracker.exe" /INHERITANCE:e /GRANT:r Admin:(F)
  2⤵
  - Modifies file permissions
  PID:2644
- C:\Windows\System32\takeown.exe
  "C:\Windows\System32\takeown.exe" /S XEBBURHY /U Admin /F "C:\Windows\System32\SurfaceColorTracker.exe"
  2⤵
  PID:4212
- C:\Windows\System32\icacls.exe
  "C:\Windows\System32\icacls.exe" "C:\Windows\System32\SurfaceColorTracker.exe" /INHERITANCE:e /GRANT:r Admin:(F)
  2⤵
  PID:920
- C:\Windows\System32\takeown.exe
  "C:\Windows\System32\takeown.exe" /S XEBBURHY /U Admin /F "C:\Windows\System32\SurfaceColorTracker.exe"
  2⤵
  - Possible privilege escalation attempt
  - Modifies file permissions
  PID:3808
- C:\Windows\System32\icacls.exe
  "C:\Windows\System32\icacls.exe" "C:\Windows\System32\SurfaceColorTracker.exe" /INHERITANCE:e /GRANT:r Admin:(F)
  2⤵
  - Modifies file permissions
  PID:4520
- C:\Windows\System32\takeown.exe
  "C:\Windows\System32\takeown.exe" /S XEBBURHY /U Admin /F "C:\Windows\System32\SurfaceColorTracker.exe"
  2⤵
  - Possible privilege escalation attempt
  PID:2960
- C:\Windows\System32\icacls.exe
  "C:\Windows\System32\icacls.exe" "C:\Windows\System32\SurfaceColorTracker.exe" /INHERITANCE:e /GRANT:r Admin:(F)
  2⤵
  - Possible privilege escalation attempt
  - Modifies file permissions
  PID:1604
- C:\Windows\System32\takeown.exe
  "C:\Windows\System32\takeown.exe" /S XEBBURHY /U Admin /F "C:\Windows\System32\SurfaceColorTracker.exe"
  2⤵
  PID:2144
- C:\Windows\System32\icacls.exe
  "C:\Windows\System32\icacls.exe" "C:\Windows\System32\SurfaceColorTracker.exe" /INHERITANCE:e /GRANT:r Admin:(F)
  2⤵
  PID:2564
- C:\Windows\System32\takeown.exe
  "C:\Windows\System32\takeown.exe" /S XEBBURHY /U Admin /F "C:\Windows\System32\SurfaceColorTracker.exe"
  2⤵
  PID:1264
- C:\Windows\System32\icacls.exe
  "C:\Windows\System32\icacls.exe" "C:\Windows\System32\SurfaceColorTracker.exe" /INHERITANCE:e /GRANT:r Admin:(F)
  2⤵
  PID:4380
- C:\Windows\System32\takeown.exe
  "C:\Windows\System32\takeown.exe" /S XEBBURHY /U Admin /F "C:\Windows\System32\SurfaceColorTracker.exe"
  2⤵
  PID:4620
- C:\Windows\System32\icacls.exe
  "C:\Windows\System32\icacls.exe" "C:\Windows\System32\SurfaceColorTracker.exe" /INHERITANCE:e /GRANT:r Admin:(F)
  2⤵
  PID:796
- C:\Windows\System32\takeown.exe
  "C:\Windows\System32\takeown.exe" /S XEBBURHY /U Admin /F "C:\Windows\System32\SurfaceColorTracker.exe"
  2⤵
  PID:3300
- C:\Windows\System32\icacls.exe
  "C:\Windows\System32\icacls.exe" "C:\Windows\System32\SurfaceColorTracker.exe" /INHERITANCE:e /GRANT:r Admin:(F)
  2⤵
  PID:4872
- C:\Windows\System32\takeown.exe
  "C:\Windows\System32\takeown.exe" /S XEBBURHY /U Admin /F "C:\Windows\System32\SurfaceColorTracker.exe"
  2⤵
  PID:1196
- C:\Windows\System32\icacls.exe
  "C:\Windows\System32\icacls.exe" "C:\Windows\System32\SurfaceColorTracker.exe" /INHERITANCE:e /GRANT:r Admin:(F)
  2⤵
  PID:2844

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

File and Directory Permissions Modification

T1222

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\SaKXGhefI.exe

Filesize
294KB

MD5
7f367613a3a1d074f457a19581f86b2e

SHA1
f9e847ac83cb08ed4cd0421cc3166085bd21842b

SHA256
096fc5fcade992b43cee36beacfcfe6524e281201a92ab5b2f3a75805ee892c5

SHA512
f2a7578b20856dfa02c629be9653b835ddbc660579c004e4e22587903c2fcaebac112d8cebab7060f3216f623d5644b9e8f0bf7126577104090b5833b395bbb7

Download Submit
C:\Windows\System32\SurfaceColorTracker.exe

Filesize
294KB

MD5
c9b0cd2fbe453b899f84e9acf3aee290

SHA1
9ef6d9fc67676b53b1a653d71997f0d5e5184a5e

SHA256
1ef267c5037e82963ba01abb34d48dbb68893ab4a24bf506a8d093c0d461b41b

SHA512
b795e688f848494becdcef6f95c053060c57fd81801f95f949bdfb3423c5368e4e4df0259442b59a1b780a9942979d97118653caee179d523974bcad050030bb

Download Submit
memory/2584-0-0x00000000000F0000-0x0000000000118000-memory.dmp

Filesize
160KB

Download
memory/2584-1-0x000007FEF6000000-0x000007FEF69EC000-memory.dmp

Filesize
9.9MB

Download
memory/2584-2-0x000000001A910000-0x000000001A990000-memory.dmp

Filesize
512KB

Download
memory/2584-948-0x000007FEF6000000-0x000007FEF69EC000-memory.dmp

Filesize
9.9MB

Download
memory/2584-1053-0x000000001A910000-0x000000001A990000-memory.dmp

Filesize
512KB

Download
memory/2584-12011-0x000007FEF6000000-0x000007FEF69EC000-memory.dmp

Filesize
9.9MB

Download