e2a06169705a62daf3488f928eba68c771d34a2fb12ecd2859000faf063dab76

Analysis

max time kernel
118s
max time network
121s
platform
windows7_x64
resource
win7-20231025-en
resource tags

arch:x64arch:x86image:win7-20231025-enlocale:en-usos:windows7-x64system
submitted
05/11/2023, 16:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

NEAS.aeb0dd21b984b71d2ee95aebef5ac5d0_JC.exe
Size

344KB
MD5

aeb0dd21b984b71d2ee95aebef5ac5d0
SHA1

45b7c8836a69ac9829b56823b683a8b75f247dcd
SHA256

e2a06169705a62daf3488f928eba68c771d34a2fb12ecd2859000faf063dab76
SHA512

187b3e4c02c35e369c900e3f2bd3b0f696a9cdbd2ecec33095115b7f667c6a5d7d223a17902260f123d014b324572abf4ec098362e9fd7bb1ab76ddbdd0e6bae
SSDEEP

6144:YQMmbjV28okoS4oE0XAewbTKNypU8CBtVzQ75:YWoioS/AIHk

Score

10^/10

discovery evasion exploit persistence trojan

Malware Config

Signatures

UAC bypass 3 TTPs 1 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe

Disables Task Manager via registry modification
evasion

Possible privilege escalation attempt 64 IoCs

exploit

pid	Process
2644	icacls.exe
3032	icacls.exe
1440	icacls.exe
3500	icacls.exe
3664	takeown.exe
1452	icacls.exe
4080	icacls.exe
4440	takeown.exe
2864	icacls.exe
892	takeown.exe
3104	icacls.exe
4060	takeown.exe
2560	icacls.exe
4524	takeown.exe
2320	takeown.exe
936	takeown.exe
2588	takeown.exe
2096	icacls.exe
2236	icacls.exe
3436	icacls.exe
1108	icacls.exe
3024	icacls.exe
568	icacls.exe
2780	takeown.exe
4044	icacls.exe
2084	icacls.exe
1036	takeown.exe
4744	takeown.exe
2164	icacls.exe
1236	takeown.exe
2832	takeown.exe
1544	icacls.exe
1840	takeown.exe
992	takeown.exe
3340	takeown.exe
3740	takeown.exe
4000	icacls.exe
2552	takeown.exe
528	icacls.exe
2268	takeown.exe
3568	takeown.exe
3064	takeown.exe
2952	takeown.exe
3632	icacls.exe
3688	icacls.exe
4132	takeown.exe
2396	takeown.exe
692	takeown.exe
4328	icacls.exe
1700	icacls.exe
2456	takeown.exe
2940	icacls.exe
2948	icacls.exe
2028	icacls.exe
1708	icacls.exe
4864	takeown.exe
2488	takeown.exe
2696	icacls.exe
3464	takeown.exe
3872	takeown.exe
3268	takeown.exe
4212	icacls.exe
3232	icacls.exe
1848	takeown.exe

Modifies file permissions 1 TTPs 64 IoCs

discovery

File and Directory Permissions Modification

T1222

pid	Process
2260	icacls.exe
1536	icacls.exe
2164	icacls.exe
2936	takeown.exe
2568	icacls.exe
748	takeown.exe
1452	icacls.exe
2188	icacls.exe
1484	icacls.exe
2052	takeown.exe
2888	takeown.exe
3436	icacls.exe
3592	takeown.exe
1608	takeown.exe
344	icacls.exe
4132	takeown.exe
2656	takeown.exe
992	takeown.exe
3464	takeown.exe
2988	takeown.exe
2780	takeown.exe
4428	icacls.exe
2508	icacls.exe
1832	takeown.exe
284	icacls.exe
2640	takeown.exe
3032	icacls.exe
2956	icacls.exe
2544	takeown.exe
1840	takeown.exe
3552	icacls.exe
2560	icacls.exe
3572	icacls.exe
4620	icacls.exe
4916	takeown.exe
1592	takeown.exe
2320	takeown.exe
3056	icacls.exe
3952	icacls.exe
4392	takeown.exe
1580	icacls.exe
1252	icacls.exe
1036	takeown.exe
4328	icacls.exe
2536	takeown.exe
2396	takeown.exe
2036	icacls.exe
3676	takeown.exe
2820	icacls.exe
3404	takeown.exe
1576	takeown.exe
568	icacls.exe
2932	icacls.exe
3568	takeown.exe
2600	takeown.exe
2136	icacls.exe
2724	icacls.exe
1000	icacls.exe
3632	icacls.exe
1596	takeown.exe
2336	icacls.exe
3076	takeown.exe
3196	icacls.exe
3372	takeown.exe

Modifies system executable filetype association 2 TTPs 1 IoCs

persistence

Modify Registry

T1112

Change Default File Association

T1546.001

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\NEAS.aeb0dd21b984b71d2ee95aebef5ac5d0_JC.exe BATCF %1"	NEAS.aeb0dd21b984b71d2ee95aebef5ac5d0_JC.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\SystemPropertiesPerformance.exe	NEAS.aeb0dd21b984b71d2ee95aebef5ac5d0_JC.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 13 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\cmdfile\shell\open\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\NEAS.aeb0dd21b984b71d2ee95aebef5ac5d0_JC.exe CMDSF %1"	NEAS.aeb0dd21b984b71d2ee95aebef5ac5d0_JC.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\NEAS.aeb0dd21b984b71d2ee95aebef5ac5d0_JC.exe VBSSF %1"	NEAS.aeb0dd21b984b71d2ee95aebef5ac5d0_JC.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\NEAS.aeb0dd21b984b71d2ee95aebef5ac5d0_JC.exe NTPAD %1"	NEAS.aeb0dd21b984b71d2ee95aebef5ac5d0_JC.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\xmlfile\shell\open\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\NEAS.aeb0dd21b984b71d2ee95aebef5ac5d0_JC.exe NTPAD %1"	NEAS.aeb0dd21b984b71d2ee95aebef5ac5d0_JC.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\pngfile\shell\open\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\NEAS.aeb0dd21b984b71d2ee95aebef5ac5d0_JC.exe JPGIF %1"	NEAS.aeb0dd21b984b71d2ee95aebef5ac5d0_JC.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\giffile\shell\Open\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\NEAS.aeb0dd21b984b71d2ee95aebef5ac5d0_JC.exe JPGIF %1"	NEAS.aeb0dd21b984b71d2ee95aebef5ac5d0_JC.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\rtffile\shell\open\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\NEAS.aeb0dd21b984b71d2ee95aebef5ac5d0_JC.exe RTFDF %1"	NEAS.aeb0dd21b984b71d2ee95aebef5ac5d0_JC.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\inifile\shell\open\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\NEAS.aeb0dd21b984b71d2ee95aebef5ac5d0_JC.exe NTPAD %1"	NEAS.aeb0dd21b984b71d2ee95aebef5ac5d0_JC.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\NEAS.aeb0dd21b984b71d2ee95aebef5ac5d0_JC.exe BATCF %1"	NEAS.aeb0dd21b984b71d2ee95aebef5ac5d0_JC.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\open\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\NEAS.aeb0dd21b984b71d2ee95aebef5ac5d0_JC.exe HTMWF %1"	NEAS.aeb0dd21b984b71d2ee95aebef5ac5d0_JC.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\open\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\NEAS.aeb0dd21b984b71d2ee95aebef5ac5d0_JC.exe NTPAD %1"	NEAS.aeb0dd21b984b71d2ee95aebef5ac5d0_JC.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\icofile\shell\open\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\NEAS.aeb0dd21b984b71d2ee95aebef5ac5d0_JC.exe JPGIF %1"	NEAS.aeb0dd21b984b71d2ee95aebef5ac5d0_JC.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\jpegfile\shell\open\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\NEAS.aeb0dd21b984b71d2ee95aebef5ac5d0_JC.exe JPGIF %1"	NEAS.aeb0dd21b984b71d2ee95aebef5ac5d0_JC.exe

Modifies registry key 1 TTPs 2 IoCs

Modify Registry

T1112

pid	Process
2924	reg.exe
2968	reg.exe

Suspicious behavior: EnumeratesProcesses 21 IoCs

pid	Process
1916	NEAS.aeb0dd21b984b71d2ee95aebef5ac5d0_JC.exe
1916	NEAS.aeb0dd21b984b71d2ee95aebef5ac5d0_JC.exe
1916	NEAS.aeb0dd21b984b71d2ee95aebef5ac5d0_JC.exe
1916	NEAS.aeb0dd21b984b71d2ee95aebef5ac5d0_JC.exe
1916	NEAS.aeb0dd21b984b71d2ee95aebef5ac5d0_JC.exe
1916	NEAS.aeb0dd21b984b71d2ee95aebef5ac5d0_JC.exe
1916	NEAS.aeb0dd21b984b71d2ee95aebef5ac5d0_JC.exe
1916	NEAS.aeb0dd21b984b71d2ee95aebef5ac5d0_JC.exe
1916	NEAS.aeb0dd21b984b71d2ee95aebef5ac5d0_JC.exe
1916	NEAS.aeb0dd21b984b71d2ee95aebef5ac5d0_JC.exe
1916	NEAS.aeb0dd21b984b71d2ee95aebef5ac5d0_JC.exe
1916	NEAS.aeb0dd21b984b71d2ee95aebef5ac5d0_JC.exe
1916	NEAS.aeb0dd21b984b71d2ee95aebef5ac5d0_JC.exe
1916	NEAS.aeb0dd21b984b71d2ee95aebef5ac5d0_JC.exe
1916	NEAS.aeb0dd21b984b71d2ee95aebef5ac5d0_JC.exe
1916	NEAS.aeb0dd21b984b71d2ee95aebef5ac5d0_JC.exe
1916	NEAS.aeb0dd21b984b71d2ee95aebef5ac5d0_JC.exe
1916	NEAS.aeb0dd21b984b71d2ee95aebef5ac5d0_JC.exe
1916	NEAS.aeb0dd21b984b71d2ee95aebef5ac5d0_JC.exe
1916	NEAS.aeb0dd21b984b71d2ee95aebef5ac5d0_JC.exe
1916	NEAS.aeb0dd21b984b71d2ee95aebef5ac5d0_JC.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1916	NEAS.aeb0dd21b984b71d2ee95aebef5ac5d0_JC.exe

Suspicious use of AdjustPrivilegeToken 23 IoCs

description	pid	Process
Token: SeDebugPrivilege	1916	NEAS.aeb0dd21b984b71d2ee95aebef5ac5d0_JC.exe
Token: SeTakeOwnershipPrivilege	1848	takeown.exe
Token: SeTakeOwnershipPrivilege	1596	takeown.exe
Token: SeTakeOwnershipPrivilege	2600	takeown.exe
Token: SeTakeOwnershipPrivilege	2660	takeown.exe
Token: SeTakeOwnershipPrivilege	864	takeown.exe
Token: SeTakeOwnershipPrivilege	2148	takeown.exe
Token: SeTakeOwnershipPrivilege	2552	takeown.exe
Token: SeTakeOwnershipPrivilege	1892	takeown.exe
Token: SeTakeOwnershipPrivilege	2456	takeown.exe
Token: SeTakeOwnershipPrivilege	2676	takeown.exe
Token: SeTakeOwnershipPrivilege	2052	takeown.exe
Token: SeTakeOwnershipPrivilege	2184	takeown.exe
Token: SeTakeOwnershipPrivilege	2116	takeown.exe
Token: SeTakeOwnershipPrivilege	1824	takeown.exe
Token: SeTakeOwnershipPrivilege	2020	takeown.exe
Token: SeTakeOwnershipPrivilege	2712	takeown.exe
Token: SeTakeOwnershipPrivilege	748	takeown.exe
Token: SeTakeOwnershipPrivilege	2536	takeown.exe
Token: SeTakeOwnershipPrivilege	2544	takeown.exe
Token: SeTakeOwnershipPrivilege	2796	takeown.exe
Token: SeTakeOwnershipPrivilege	2860	takeown.exe
Token: SeTakeOwnershipPrivilege	2592	takeown.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1916 wrote to memory of 2924	1916	NEAS.aeb0dd21b984b71d2ee95aebef5ac5d0_JC.exe	28
PID 1916 wrote to memory of 2924	1916	NEAS.aeb0dd21b984b71d2ee95aebef5ac5d0_JC.exe	28
PID 1916 wrote to memory of 2924	1916	NEAS.aeb0dd21b984b71d2ee95aebef5ac5d0_JC.exe	28
PID 1916 wrote to memory of 2968	1916	NEAS.aeb0dd21b984b71d2ee95aebef5ac5d0_JC.exe	29
PID 1916 wrote to memory of 2968	1916	NEAS.aeb0dd21b984b71d2ee95aebef5ac5d0_JC.exe	29
PID 1916 wrote to memory of 2968	1916	NEAS.aeb0dd21b984b71d2ee95aebef5ac5d0_JC.exe	29
PID 1916 wrote to memory of 864	1916	NEAS.aeb0dd21b984b71d2ee95aebef5ac5d0_JC.exe	32
PID 1916 wrote to memory of 864	1916	NEAS.aeb0dd21b984b71d2ee95aebef5ac5d0_JC.exe	32
PID 1916 wrote to memory of 864	1916	NEAS.aeb0dd21b984b71d2ee95aebef5ac5d0_JC.exe	32
PID 1916 wrote to memory of 1628	1916	NEAS.aeb0dd21b984b71d2ee95aebef5ac5d0_JC.exe	33
PID 1916 wrote to memory of 1628	1916	NEAS.aeb0dd21b984b71d2ee95aebef5ac5d0_JC.exe	33
PID 1916 wrote to memory of 1628	1916	NEAS.aeb0dd21b984b71d2ee95aebef5ac5d0_JC.exe	33
PID 1916 wrote to memory of 1848	1916	NEAS.aeb0dd21b984b71d2ee95aebef5ac5d0_JC.exe	38
PID 1916 wrote to memory of 1848	1916	NEAS.aeb0dd21b984b71d2ee95aebef5ac5d0_JC.exe	38
PID 1916 wrote to memory of 1848	1916	NEAS.aeb0dd21b984b71d2ee95aebef5ac5d0_JC.exe	38
PID 1916 wrote to memory of 2056	1916	NEAS.aeb0dd21b984b71d2ee95aebef5ac5d0_JC.exe	35
PID 1916 wrote to memory of 2056	1916	NEAS.aeb0dd21b984b71d2ee95aebef5ac5d0_JC.exe	35
PID 1916 wrote to memory of 2056	1916	NEAS.aeb0dd21b984b71d2ee95aebef5ac5d0_JC.exe	35
PID 1916 wrote to memory of 1596	1916	NEAS.aeb0dd21b984b71d2ee95aebef5ac5d0_JC.exe	37
PID 1916 wrote to memory of 1596	1916	NEAS.aeb0dd21b984b71d2ee95aebef5ac5d0_JC.exe	37
PID 1916 wrote to memory of 1596	1916	NEAS.aeb0dd21b984b71d2ee95aebef5ac5d0_JC.exe	37
PID 1916 wrote to memory of 2908	1916	NEAS.aeb0dd21b984b71d2ee95aebef5ac5d0_JC.exe	42
PID 1916 wrote to memory of 2908	1916	NEAS.aeb0dd21b984b71d2ee95aebef5ac5d0_JC.exe	42
PID 1916 wrote to memory of 2908	1916	NEAS.aeb0dd21b984b71d2ee95aebef5ac5d0_JC.exe	42
PID 1916 wrote to memory of 2148	1916	NEAS.aeb0dd21b984b71d2ee95aebef5ac5d0_JC.exe	41
PID 1916 wrote to memory of 2148	1916	NEAS.aeb0dd21b984b71d2ee95aebef5ac5d0_JC.exe	41
PID 1916 wrote to memory of 2148	1916	NEAS.aeb0dd21b984b71d2ee95aebef5ac5d0_JC.exe	41
PID 1916 wrote to memory of 1700	1916	NEAS.aeb0dd21b984b71d2ee95aebef5ac5d0_JC.exe	46
PID 1916 wrote to memory of 1700	1916	NEAS.aeb0dd21b984b71d2ee95aebef5ac5d0_JC.exe	46
PID 1916 wrote to memory of 1700	1916	NEAS.aeb0dd21b984b71d2ee95aebef5ac5d0_JC.exe	46
PID 1916 wrote to memory of 2660	1916	NEAS.aeb0dd21b984b71d2ee95aebef5ac5d0_JC.exe	44
PID 1916 wrote to memory of 2660	1916	NEAS.aeb0dd21b984b71d2ee95aebef5ac5d0_JC.exe	44
PID 1916 wrote to memory of 2660	1916	NEAS.aeb0dd21b984b71d2ee95aebef5ac5d0_JC.exe	44
PID 1916 wrote to memory of 2928	1916	NEAS.aeb0dd21b984b71d2ee95aebef5ac5d0_JC.exe	45
PID 1916 wrote to memory of 2928	1916	NEAS.aeb0dd21b984b71d2ee95aebef5ac5d0_JC.exe	45
PID 1916 wrote to memory of 2928	1916	NEAS.aeb0dd21b984b71d2ee95aebef5ac5d0_JC.exe	45
PID 1916 wrote to memory of 1892	1916	NEAS.aeb0dd21b984b71d2ee95aebef5ac5d0_JC.exe	48
PID 1916 wrote to memory of 1892	1916	NEAS.aeb0dd21b984b71d2ee95aebef5ac5d0_JC.exe	48
PID 1916 wrote to memory of 1892	1916	NEAS.aeb0dd21b984b71d2ee95aebef5ac5d0_JC.exe	48
PID 1916 wrote to memory of 2292	1916	NEAS.aeb0dd21b984b71d2ee95aebef5ac5d0_JC.exe	49
PID 1916 wrote to memory of 2292	1916	NEAS.aeb0dd21b984b71d2ee95aebef5ac5d0_JC.exe	49
PID 1916 wrote to memory of 2292	1916	NEAS.aeb0dd21b984b71d2ee95aebef5ac5d0_JC.exe	49
PID 1916 wrote to memory of 2552	1916	NEAS.aeb0dd21b984b71d2ee95aebef5ac5d0_JC.exe	62
PID 1916 wrote to memory of 2552	1916	NEAS.aeb0dd21b984b71d2ee95aebef5ac5d0_JC.exe	62
PID 1916 wrote to memory of 2552	1916	NEAS.aeb0dd21b984b71d2ee95aebef5ac5d0_JC.exe	62
PID 1916 wrote to memory of 2684	1916	NEAS.aeb0dd21b984b71d2ee95aebef5ac5d0_JC.exe	57
PID 1916 wrote to memory of 2684	1916	NEAS.aeb0dd21b984b71d2ee95aebef5ac5d0_JC.exe	57
PID 1916 wrote to memory of 2684	1916	NEAS.aeb0dd21b984b71d2ee95aebef5ac5d0_JC.exe	57
PID 1916 wrote to memory of 2600	1916	NEAS.aeb0dd21b984b71d2ee95aebef5ac5d0_JC.exe	53
PID 1916 wrote to memory of 2600	1916	NEAS.aeb0dd21b984b71d2ee95aebef5ac5d0_JC.exe	53
PID 1916 wrote to memory of 2600	1916	NEAS.aeb0dd21b984b71d2ee95aebef5ac5d0_JC.exe	53
PID 1916 wrote to memory of 2864	1916	NEAS.aeb0dd21b984b71d2ee95aebef5ac5d0_JC.exe	56
PID 1916 wrote to memory of 2864	1916	NEAS.aeb0dd21b984b71d2ee95aebef5ac5d0_JC.exe	56
PID 1916 wrote to memory of 2864	1916	NEAS.aeb0dd21b984b71d2ee95aebef5ac5d0_JC.exe	56
PID 1916 wrote to memory of 2456	1916	NEAS.aeb0dd21b984b71d2ee95aebef5ac5d0_JC.exe	55
PID 1916 wrote to memory of 2456	1916	NEAS.aeb0dd21b984b71d2ee95aebef5ac5d0_JC.exe	55
PID 1916 wrote to memory of 2456	1916	NEAS.aeb0dd21b984b71d2ee95aebef5ac5d0_JC.exe	55
PID 1916 wrote to memory of 2960	1916	NEAS.aeb0dd21b984b71d2ee95aebef5ac5d0_JC.exe	65
PID 1916 wrote to memory of 2960	1916	NEAS.aeb0dd21b984b71d2ee95aebef5ac5d0_JC.exe	65
PID 1916 wrote to memory of 2960	1916	NEAS.aeb0dd21b984b71d2ee95aebef5ac5d0_JC.exe	65
PID 1916 wrote to memory of 2676	1916	NEAS.aeb0dd21b984b71d2ee95aebef5ac5d0_JC.exe	68
PID 1916 wrote to memory of 2676	1916	NEAS.aeb0dd21b984b71d2ee95aebef5ac5d0_JC.exe	68
PID 1916 wrote to memory of 2676	1916	NEAS.aeb0dd21b984b71d2ee95aebef5ac5d0_JC.exe	68
PID 1916 wrote to memory of 1472	1916	NEAS.aeb0dd21b984b71d2ee95aebef5ac5d0_JC.exe	70

C:\Users\Admin\AppData\Local\Temp\NEAS.aeb0dd21b984b71d2ee95aebef5ac5d0_JC.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.aeb0dd21b984b71d2ee95aebef5ac5d0_JC.exe"
1⤵
- Modifies system executable filetype association
- Drops file in System32 directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1916
- C:\Windows\System32\reg.exe
  "C:\Windows\System32\reg.exe" ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
  2⤵
  - UAC bypass
  - Modifies registry key
  PID:2924
- C:\Windows\System32\reg.exe
  "C:\Windows\System32\reg.exe" add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
  2⤵
  - Modifies registry key
  PID:2968
- C:\Windows\System32\takeown.exe
  "C:\Windows\System32\takeown.exe" /S PTZSFKIF /U Admin /F "C:\Windows\bfsvc.exe"
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:864
- C:\Windows\System32\icacls.exe
  "C:\Windows\System32\icacls.exe" "C:\Windows\bfsvc.exe" /INHERITANCE:e /GRANT:r Admin:(F)
  2⤵
  PID:1628
- C:\Windows\System32\icacls.exe
  "C:\Windows\System32\icacls.exe" "C:\Windows\HelpPane.exe" /INHERITANCE:e /GRANT:r Admin:(F)
  2⤵
  PID:2056
- C:\Windows\System32\takeown.exe
  "C:\Windows\System32\takeown.exe" /S PTZSFKIF /U Admin /F "C:\Windows\hh.exe"
  2⤵
  - Modifies file permissions
  - Suspicious use of AdjustPrivilegeToken
  PID:1596
- C:\Windows\System32\takeown.exe
  "C:\Windows\System32\takeown.exe" /S PTZSFKIF /U Admin /F "C:\Windows\HelpPane.exe"
  2⤵
  - Possible privilege escalation attempt
  - Suspicious use of AdjustPrivilegeToken
  PID:1848
- C:\Windows\System32\takeown.exe
  "C:\Windows\System32\takeown.exe" /S PTZSFKIF /U Admin /F "C:\Windows\splwow64.exe"
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2148
- C:\Windows\System32\icacls.exe
  "C:\Windows\System32\icacls.exe" "C:\Windows\hh.exe" /INHERITANCE:e /GRANT:r Admin:(F)
  2⤵
  PID:2908
- C:\Windows\System32\takeown.exe
  "C:\Windows\System32\takeown.exe" /S PTZSFKIF /U Admin /F "C:\Windows\winhlp32.exe"
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2660
- C:\Windows\System32\icacls.exe
  "C:\Windows\System32\icacls.exe" "C:\Windows\winhlp32.exe" /INHERITANCE:e /GRANT:r Admin:(F)
  2⤵
  PID:2928
- C:\Windows\System32\icacls.exe
  "C:\Windows\System32\icacls.exe" "C:\Windows\splwow64.exe" /INHERITANCE:e /GRANT:r Admin:(F)
  2⤵
  - Possible privilege escalation attempt
  PID:1700
- C:\Windows\System32\takeown.exe
  "C:\Windows\System32\takeown.exe" /S PTZSFKIF /U Admin /F "C:\Windows\write.exe"
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:1892
- C:\Windows\System32\icacls.exe
  "C:\Windows\System32\icacls.exe" "C:\Windows\write.exe" /INHERITANCE:e /GRANT:r Admin:(F)
  2⤵
  PID:2292
- C:\Windows\System32\takeown.exe
  "C:\Windows\System32\takeown.exe" /S PTZSFKIF /U Admin /F "C:\Windows\SysWOW64\msra.exe"
  2⤵
  - Modifies file permissions
  - Suspicious use of AdjustPrivilegeToken
  PID:2600
- C:\Windows\System32\takeown.exe
  "C:\Windows\System32\takeown.exe" /S PTZSFKIF /U Admin /F "C:\Windows\SysWOW64\quickassist.exe"
  2⤵
  - Possible privilege escalation attempt
  - Suspicious use of AdjustPrivilegeToken
  PID:2456
- C:\Windows\System32\icacls.exe
  "C:\Windows\System32\icacls.exe" "C:\Windows\SysWOW64\msra.exe" /INHERITANCE:e /GRANT:r Admin:(F)
  2⤵
  - Possible privilege escalation attempt
  PID:2864
- C:\Windows\System32\icacls.exe
  "C:\Windows\System32\icacls.exe" "C:\Windows\SysWOW64\raserver.exe" /INHERITANCE:e /GRANT:r Admin:(F)
  2⤵
  PID:2684
- C:\Windows\System32\takeown.exe
  "C:\Windows\System32\takeown.exe" /S PTZSFKIF /U Admin /F "C:\Windows\SysWOW64\raserver.exe"
  2⤵
  - Possible privilege escalation attempt
  - Suspicious use of AdjustPrivilegeToken
  PID:2552
- C:\Windows\System32\icacls.exe
  "C:\Windows\System32\icacls.exe" "C:\Windows\SysWOW64\quickassist.exe" /INHERITANCE:e /GRANT:r Admin:(F)
  2⤵
  PID:2960
- C:\Windows\System32\takeown.exe
  "C:\Windows\System32\takeown.exe" /S PTZSFKIF /U Admin /F "C:\Windows\SysWOW64\sdchange.exe"
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2676
- C:\Windows\System32\icacls.exe
  "C:\Windows\System32\icacls.exe" "C:\Windows\SysWOW64\sdchange.exe" /INHERITANCE:e /GRANT:r Admin:(F)
  2⤵
  PID:1472
- C:\Windows\System32\icacls.exe
  "C:\Windows\System32\icacls.exe" "C:\Windows\SysWOW64\CameraSettingsUIHost.exe" /INHERITANCE:e /GRANT:r Admin:(F)
  2⤵
  PID:1652
- C:\Windows\System32\takeown.exe
  "C:\Windows\System32\takeown.exe" /S PTZSFKIF /U Admin /F "C:\Windows\SysWOW64\CameraSettingsUIHost.exe"
  2⤵
  - Modifies file permissions
  - Suspicious use of AdjustPrivilegeToken
  PID:2052
- C:\Windows\System32\takeown.exe
  "C:\Windows\System32\takeown.exe" /S PTZSFKIF /U Admin /F "C:\Windows\SysWOW64\logagent.exe"
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:1824
- C:\Windows\System32\icacls.exe
  "C:\Windows\System32\icacls.exe" "C:\Windows\SysWOW64\logagent.exe" /INHERITANCE:e /GRANT:r Admin:(F)
  2⤵
  - Possible privilege escalation attempt
  PID:1108
- C:\Windows\System32\icacls.exe
  "C:\Windows\System32\icacls.exe" "C:\Windows\SysWOW64\gpscript.exe" /INHERITANCE:e /GRANT:r Admin:(F)
  2⤵
  - Possible privilege escalation attempt
  PID:2084
- C:\Windows\System32\takeown.exe
  "C:\Windows\System32\takeown.exe" /S PTZSFKIF /U Admin /F "C:\Windows\SysWOW64\gpscript.exe"
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2116
- C:\Windows\System32\icacls.exe
  "C:\Windows\System32\icacls.exe" "C:\Windows\SysWOW64\rrinstaller.exe" /INHERITANCE:e /GRANT:r Admin:(F)
  2⤵
  - Modifies file permissions
  PID:2508
- C:\Windows\System32\takeown.exe
  "C:\Windows\System32\takeown.exe" /S PTZSFKIF /U Admin /F "C:\Windows\SysWOW64\rrinstaller.exe"
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2184
- C:\Windows\System32\takeown.exe
  "C:\Windows\System32\takeown.exe" /S PTZSFKIF /U Admin /F "C:\Windows\SysWOW64\mavinject.exe"
  2⤵
  - Modifies file permissions
  - Suspicious use of AdjustPrivilegeToken
  PID:748
- C:\Windows\System32\icacls.exe
  "C:\Windows\System32\icacls.exe" "C:\Windows\SysWOW64\mavinject.exe" /INHERITANCE:e /GRANT:r Admin:(F)
  2⤵
  PID:2376
- C:\Windows\System32\takeown.exe
  "C:\Windows\System32\takeown.exe" /S PTZSFKIF /U Admin /F "C:\Windows\SysWOW64\provlaunch.exe"
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2020
- C:\Windows\System32\icacls.exe
  "C:\Windows\System32\icacls.exe" "C:\Windows\SysWOW64\provlaunch.exe" /INHERITANCE:e /GRANT:r Admin:(F)
  2⤵
  PID:2008
- C:\Windows\System32\takeown.exe
  "C:\Windows\System32\takeown.exe" /S PTZSFKIF /U Admin /F "C:\Windows\SysWOW64\msinfo32.exe"
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2712
- C:\Windows\System32\icacls.exe
  "C:\Windows\System32\icacls.exe" "C:\Windows\SysWOW64\msinfo32.exe" /INHERITANCE:e /GRANT:r Admin:(F)
  2⤵
  PID:2720
- C:\Windows\System32\icacls.exe
  "C:\Windows\System32\icacls.exe" "C:\Windows\SysWOW64\runas.exe" /INHERITANCE:e /GRANT:r Admin:(F)
  2⤵
  - Modifies file permissions
  PID:2820
- C:\Windows\System32\takeown.exe
  "C:\Windows\System32\takeown.exe" /S PTZSFKIF /U Admin /F "C:\Windows\SysWOW64\runas.exe"
  2⤵
  - Modifies file permissions
  - Suspicious use of AdjustPrivilegeToken
  PID:2536
- C:\Windows\System32\takeown.exe
  "C:\Windows\System32\takeown.exe" /S PTZSFKIF /U Admin /F "C:\Windows\SysWOW64\mstsc.exe"
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2796
- C:\Windows\System32\icacls.exe
  "C:\Windows\System32\icacls.exe" "C:\Windows\SysWOW64\sdiagnhost.exe" /INHERITANCE:e /GRANT:r Admin:(F)
  2⤵
  - Modifies file permissions
  PID:2260
- C:\Windows\System32\takeown.exe
  "C:\Windows\System32\takeown.exe" /S PTZSFKIF /U Admin /F "C:\Windows\SysWOW64\sdiagnhost.exe"
  2⤵
  - Modifies file permissions
  - Suspicious use of AdjustPrivilegeToken
  PID:2544
- C:\Windows\System32\icacls.exe
  "C:\Windows\System32\icacls.exe" "C:\Windows\SysWOW64\mstsc.exe" /INHERITANCE:e /GRANT:r Admin:(F)
  2⤵
  - Modifies file permissions
  PID:1536
- C:\Windows\System32\takeown.exe
  "C:\Windows\System32\takeown.exe" /S PTZSFKIF /U Admin /F "C:\Windows\System32\SystemPropertiesPerformance.exe"
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2860
- C:\Windows\System32\icacls.exe
  "C:\Windows\System32\icacls.exe" "C:\Windows\System32\SystemPropertiesPerformance.exe" /INHERITANCE:e /GRANT:r Admin:(F)
  2⤵
  PID:1476
- C:\Windows\System32\takeown.exe
  "C:\Windows\System32\takeown.exe" /S PTZSFKIF /U Admin /F "C:\Windows\System32\SystemPropertiesPerformance.exe"
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2592
- C:\Windows\System32\icacls.exe
  "C:\Windows\System32\icacls.exe" "C:\Windows\System32\SystemPropertiesPerformance.exe" /INHERITANCE:e /GRANT:r Admin:(F)
  2⤵
  - Possible privilege escalation attempt
  - Modifies file permissions
  PID:2164
- C:\Windows\System32\takeown.exe
  "C:\Windows\System32\takeown.exe" /S PTZSFKIF /U Admin /F "C:\Windows\System32\SystemPropertiesPerformance.exe"
  2⤵
  PID:2156
- C:\Windows\System32\icacls.exe
  "C:\Windows\System32\icacls.exe" "C:\Windows\System32\SystemPropertiesPerformance.exe" /INHERITANCE:e /GRANT:r Admin:(F)
  2⤵
  PID:2964
- C:\Windows\System32\takeown.exe
  "C:\Windows\System32\takeown.exe" /S PTZSFKIF /U Admin /F "C:\Windows\System32\SystemPropertiesPerformance.exe"
  2⤵
  PID:2428
- C:\Windows\System32\icacls.exe
  "C:\Windows\System32\icacls.exe" "C:\Windows\System32\SystemPropertiesPerformance.exe" /INHERITANCE:e /GRANT:r Admin:(F)
  2⤵
  PID:1624
- C:\Windows\System32\takeown.exe
  "C:\Windows\System32\takeown.exe" /S PTZSFKIF /U Admin /F "C:\Windows\System32\SystemPropertiesPerformance.exe"
  2⤵
  - Possible privilege escalation attempt
  - Modifies file permissions
  PID:2396
- C:\Windows\System32\icacls.exe
  "C:\Windows\System32\icacls.exe" "C:\Windows\System32\SystemPropertiesPerformance.exe" /INHERITANCE:e /GRANT:r Admin:(F)
  2⤵
  PID:2484
- C:\Windows\System32\takeown.exe
  "C:\Windows\System32\takeown.exe" /S PTZSFKIF /U Admin /F "C:\Windows\System32\SystemPropertiesPerformance.exe"
  2⤵
  - Possible privilege escalation attempt
  PID:2588
- C:\Windows\System32\icacls.exe
  "C:\Windows\System32\icacls.exe" "C:\Windows\System32\SystemPropertiesPerformance.exe" /INHERITANCE:e /GRANT:r Admin:(F)
  2⤵
  - Modifies file permissions
  PID:2136
- C:\Windows\System32\takeown.exe
  "C:\Windows\System32\takeown.exe" /S PTZSFKIF /U Admin /F "C:\Windows\System32\SystemPropertiesPerformance.exe"
  2⤵
  PID:2492
- C:\Windows\System32\icacls.exe
  "C:\Windows\System32\icacls.exe" "C:\Windows\System32\SystemPropertiesPerformance.exe" /INHERITANCE:e /GRANT:r Admin:(F)
  2⤵
  - Possible privilege escalation attempt
  PID:2940
- C:\Windows\System32\takeown.exe
  "C:\Windows\System32\takeown.exe" /S PTZSFKIF /U Admin /F "C:\Windows\System32\SystemPropertiesPerformance.exe"
  2⤵
  - Possible privilege escalation attempt
  PID:1236
- C:\Windows\System32\icacls.exe
  "C:\Windows\System32\icacls.exe" "C:\Windows\System32\SystemPropertiesPerformance.exe" /INHERITANCE:e /GRANT:r Admin:(F)
  2⤵
  PID:2652
- C:\Windows\System32\icacls.exe
  "C:\Windows\System32\icacls.exe" "C:\Windows\System32\SystemPropertiesPerformance.exe" /INHERITANCE:e /GRANT:r Admin:(F)
  2⤵
  PID:1556
- C:\Windows\System32\takeown.exe
  "C:\Windows\System32\takeown.exe" /S PTZSFKIF /U Admin /F "C:\Windows\System32\SystemPropertiesPerformance.exe"
  2⤵
  - Modifies file permissions
  PID:2936
- C:\Windows\System32\icacls.exe
  "C:\Windows\System32\icacls.exe" "C:\Windows\System32\SystemPropertiesPerformance.exe" /INHERITANCE:e /GRANT:r Admin:(F)
  2⤵
  PID:2444
- C:\Windows\System32\takeown.exe
  "C:\Windows\System32\takeown.exe" /S PTZSFKIF /U Admin /F "C:\Windows\System32\SystemPropertiesPerformance.exe"
  2⤵
  PID:1516
- C:\Windows\System32\takeown.exe
  "C:\Windows\System32\takeown.exe" /S PTZSFKIF /U Admin /F "C:\Windows\System32\SystemPropertiesPerformance.exe"
  2⤵
  - Modifies file permissions
  PID:1592
- C:\Windows\System32\icacls.exe
  "C:\Windows\System32\icacls.exe" "C:\Windows\System32\SystemPropertiesPerformance.exe" /INHERITANCE:e /GRANT:r Admin:(F)
  2⤵
  - Modifies file permissions
  PID:1252
- C:\Windows\System32\takeown.exe
  "C:\Windows\System32\takeown.exe" /S PTZSFKIF /U Admin /F "C:\Windows\System32\SystemPropertiesPerformance.exe"
  2⤵
  - Modifies file permissions
  PID:1832
- C:\Windows\System32\icacls.exe
  "C:\Windows\System32\icacls.exe" "C:\Windows\System32\SystemPropertiesPerformance.exe" /INHERITANCE:e /GRANT:r Admin:(F)
  2⤵
  PID:2388
- C:\Windows\System32\icacls.exe
  "C:\Windows\System32\icacls.exe" "C:\Windows\System32\SystemPropertiesPerformance.exe" /INHERITANCE:e /GRANT:r Admin:(F)
  2⤵
  - Modifies file permissions
  PID:2036
- C:\Windows\System32\takeown.exe
  "C:\Windows\System32\takeown.exe" /S PTZSFKIF /U Admin /F "C:\Windows\System32\SystemPropertiesPerformance.exe"
  2⤵
  - Possible privilege escalation attempt
  PID:2488
- C:\Windows\System32\takeown.exe
  "C:\Windows\System32\takeown.exe" /S PTZSFKIF /U Admin /F "C:\Windows\System32\SystemPropertiesPerformance.exe"
  2⤵
  PID:1040
- C:\Windows\System32\icacls.exe
  "C:\Windows\System32\icacls.exe" "C:\Windows\System32\SystemPropertiesPerformance.exe" /INHERITANCE:e /GRANT:r Admin:(F)
  2⤵
  - Modifies file permissions
  PID:284
- C:\Windows\System32\icacls.exe
  "C:\Windows\System32\icacls.exe" "C:\Windows\System32\SystemPropertiesPerformance.exe" /INHERITANCE:e /GRANT:r Admin:(F)
  2⤵
  - Modifies file permissions
  PID:2724
- C:\Windows\System32\takeown.exe
  "C:\Windows\System32\takeown.exe" /S PTZSFKIF /U Admin /F "C:\Windows\System32\SystemPropertiesPerformance.exe"
  2⤵
  PID:2648
- C:\Windows\System32\takeown.exe
  "C:\Windows\System32\takeown.exe" /S PTZSFKIF /U Admin /F "C:\Windows\System32\SystemPropertiesPerformance.exe"
  2⤵
  PID:1756
- C:\Windows\System32\takeown.exe
  "C:\Windows\System32\takeown.exe" /S PTZSFKIF /U Admin /F "C:\Windows\System32\SystemPropertiesPerformance.exe"
  2⤵
  - Possible privilege escalation attempt
  PID:2832
- C:\Windows\System32\takeown.exe
  "C:\Windows\System32\takeown.exe" /S PTZSFKIF /U Admin /F "C:\Windows\System32\SystemPropertiesPerformance.exe"
  2⤵
  - Modifies file permissions
  PID:2640
- C:\Windows\System32\takeown.exe
  "C:\Windows\System32\takeown.exe" /S PTZSFKIF /U Admin /F "C:\Windows\System32\SystemPropertiesPerformance.exe"
  2⤵
  PID:2016
- C:\Windows\System32\icacls.exe
  "C:\Windows\System32\icacls.exe" "C:\Windows\System32\SystemPropertiesPerformance.exe" /INHERITANCE:e /GRANT:r Admin:(F)
  2⤵
  PID:2300
- C:\Windows\System32\icacls.exe
  "C:\Windows\System32\icacls.exe" "C:\Windows\System32\SystemPropertiesPerformance.exe" /INHERITANCE:e /GRANT:r Admin:(F)
  2⤵
  PID:828
- C:\Windows\System32\takeown.exe
  "C:\Windows\System32\takeown.exe" /S PTZSFKIF /U Admin /F "C:\Windows\System32\SystemPropertiesPerformance.exe"
  2⤵
  PID:1604
- C:\Windows\System32\icacls.exe
  "C:\Windows\System32\icacls.exe" "C:\Windows\System32\SystemPropertiesPerformance.exe" /INHERITANCE:e /GRANT:r Admin:(F)
  2⤵
  PID:616
- C:\Windows\System32\takeown.exe
  "C:\Windows\System32\takeown.exe" /S PTZSFKIF /U Admin /F "C:\Windows\System32\SystemPropertiesPerformance.exe"
  2⤵
  - Modifies file permissions
  PID:1576
- C:\Windows\System32\takeown.exe
  "C:\Windows\System32\takeown.exe" /S PTZSFKIF /U Admin /F "C:\Windows\System32\SystemPropertiesPerformance.exe"
  2⤵
  PID:792
- C:\Windows\System32\icacls.exe
  "C:\Windows\System32\icacls.exe" "C:\Windows\System32\SystemPropertiesPerformance.exe" /INHERITANCE:e /GRANT:r Admin:(F)
  2⤵
  PID:2200
- C:\Windows\System32\takeown.exe
  "C:\Windows\System32\takeown.exe" /S PTZSFKIF /U Admin /F "C:\Windows\System32\SystemPropertiesPerformance.exe"
  2⤵
  PID:2088
- C:\Windows\System32\icacls.exe
  "C:\Windows\System32\icacls.exe" "C:\Windows\System32\SystemPropertiesPerformance.exe" /INHERITANCE:e /GRANT:r Admin:(F)
  2⤵
  - Possible privilege escalation attempt
  PID:3024
- C:\Windows\System32\icacls.exe
  "C:\Windows\System32\icacls.exe" "C:\Windows\System32\SystemPropertiesPerformance.exe" /INHERITANCE:e /GRANT:r Admin:(F)
  2⤵
  PID:1408
- C:\Windows\System32\takeown.exe
  "C:\Windows\System32\takeown.exe" /S PTZSFKIF /U Admin /F "C:\Windows\System32\SystemPropertiesPerformance.exe"
  2⤵
  PID:1508
- C:\Windows\System32\icacls.exe
  "C:\Windows\System32\icacls.exe" "C:\Windows\System32\SystemPropertiesPerformance.exe" /INHERITANCE:e /GRANT:r Admin:(F)
  2⤵
  - Possible privilege escalation attempt
  PID:528
- C:\Windows\System32\icacls.exe
  "C:\Windows\System32\icacls.exe" "C:\Windows\System32\SystemPropertiesPerformance.exe" /INHERITANCE:e /GRANT:r Admin:(F)
  2⤵
  - Modifies file permissions
  PID:1580
- C:\Windows\System32\icacls.exe
  "C:\Windows\System32\icacls.exe" "C:\Windows\System32\SystemPropertiesPerformance.exe" /INHERITANCE:e /GRANT:r Admin:(F)
  2⤵
  - Possible privilege escalation attempt
  PID:2644
- C:\Windows\System32\takeown.exe
  "C:\Windows\System32\takeown.exe" /S PTZSFKIF /U Admin /F "C:\Windows\System32\SystemPropertiesPerformance.exe"
  2⤵
  - Possible privilege escalation attempt
  - Modifies file permissions
  PID:2320
- C:\Windows\System32\icacls.exe
  "C:\Windows\System32\icacls.exe" "C:\Windows\System32\SystemPropertiesPerformance.exe" /INHERITANCE:e /GRANT:r Admin:(F)
  2⤵
  - Possible privilege escalation attempt
  PID:2096
- C:\Windows\System32\takeown.exe
  "C:\Windows\System32\takeown.exe" /S PTZSFKIF /U Admin /F "C:\Windows\System32\SystemPropertiesPerformance.exe"
  2⤵
  - Modifies file permissions
  PID:2988
- C:\Windows\System32\icacls.exe
  "C:\Windows\System32\icacls.exe" "C:\Windows\System32\SystemPropertiesPerformance.exe" /INHERITANCE:e /GRANT:r Admin:(F)
  2⤵
  PID:2856
- C:\Windows\System32\icacls.exe
  "C:\Windows\System32\icacls.exe" "C:\Windows\System32\SystemPropertiesPerformance.exe" /INHERITANCE:e /GRANT:r Admin:(F)
  2⤵
  - Possible privilege escalation attempt
  PID:2236
- C:\Windows\System32\takeown.exe
  "C:\Windows\System32\takeown.exe" /S PTZSFKIF /U Admin /F "C:\Windows\System32\SystemPropertiesPerformance.exe"
  2⤵
  PID:2992
- C:\Windows\System32\takeown.exe
  "C:\Windows\System32\takeown.exe" /S PTZSFKIF /U Admin /F "C:\Windows\System32\SystemPropertiesPerformance.exe"
  2⤵
  - Possible privilege escalation attempt
  PID:3064
- C:\Windows\System32\icacls.exe
  "C:\Windows\System32\icacls.exe" "C:\Windows\System32\SystemPropertiesPerformance.exe" /INHERITANCE:e /GRANT:r Admin:(F)
  2⤵
  PID:2944
- C:\Windows\System32\takeown.exe
  "C:\Windows\System32\takeown.exe" /S PTZSFKIF /U Admin /F "C:\Windows\System32\SystemPropertiesPerformance.exe"
  2⤵
  - Modifies file permissions
  PID:2656
- C:\Windows\System32\icacls.exe
  "C:\Windows\System32\icacls.exe" "C:\Windows\System32\SystemPropertiesPerformance.exe" /INHERITANCE:e /GRANT:r Admin:(F)
  2⤵
  - Modifies file permissions
  PID:2336
- C:\Windows\System32\takeown.exe
  "C:\Windows\System32\takeown.exe" /S PTZSFKIF /U Admin /F "C:\Windows\System32\SystemPropertiesPerformance.exe"
  2⤵
  PID:2852
- C:\Windows\System32\icacls.exe
  "C:\Windows\System32\icacls.exe" "C:\Windows\System32\SystemPropertiesPerformance.exe" /INHERITANCE:e /GRANT:r Admin:(F)
  2⤵
  - Possible privilege escalation attempt
  - Modifies file permissions
  PID:3032
- C:\Windows\System32\takeown.exe
  "C:\Windows\System32\takeown.exe" /S PTZSFKIF /U Admin /F "C:\Windows\System32\SystemPropertiesPerformance.exe"
  2⤵
  PID:2584
- C:\Windows\System32\icacls.exe
  "C:\Windows\System32\icacls.exe" "C:\Windows\System32\SystemPropertiesPerformance.exe" /INHERITANCE:e /GRANT:r Admin:(F)
  2⤵
  - Possible privilege escalation attempt
  PID:2948
- C:\Windows\System32\icacls.exe
  "C:\Windows\System32\icacls.exe" "C:\Windows\System32\SystemPropertiesPerformance.exe" /INHERITANCE:e /GRANT:r Admin:(F)
  2⤵
  PID:2972
- C:\Windows\System32\takeown.exe
  "C:\Windows\System32\takeown.exe" /S PTZSFKIF /U Admin /F "C:\Windows\System32\SystemPropertiesPerformance.exe"
  2⤵
  - Possible privilege escalation attempt
  PID:2952
- C:\Windows\System32\takeown.exe
  "C:\Windows\System32\takeown.exe" /S PTZSFKIF /U Admin /F "C:\Windows\System32\SystemPropertiesPerformance.exe"
  2⤵
  PID:2464
- C:\Windows\System32\icacls.exe
  "C:\Windows\System32\icacls.exe" "C:\Windows\System32\SystemPropertiesPerformance.exe" /INHERITANCE:e /GRANT:r Admin:(F)
  2⤵
  - Modifies file permissions
  PID:2568
- C:\Windows\System32\takeown.exe
  "C:\Windows\System32\takeown.exe" /S PTZSFKIF /U Admin /F "C:\Windows\System32\SystemPropertiesPerformance.exe"
  2⤵
  PID:2024
- C:\Windows\System32\icacls.exe
  "C:\Windows\System32\icacls.exe" "C:\Windows\System32\SystemPropertiesPerformance.exe" /INHERITANCE:e /GRANT:r Admin:(F)
  2⤵
  PID:2848
- C:\Windows\System32\takeown.exe
  "C:\Windows\System32\takeown.exe" /S PTZSFKIF /U Admin /F "C:\Windows\System32\SystemPropertiesPerformance.exe"
  2⤵
  PID:1528
- C:\Windows\System32\icacls.exe
  "C:\Windows\System32\icacls.exe" "C:\Windows\System32\SystemPropertiesPerformance.exe" /INHERITANCE:e /GRANT:r Admin:(F)
  2⤵
  PID:312
- C:\Windows\System32\takeown.exe
  "C:\Windows\System32\takeown.exe" /S PTZSFKIF /U Admin /F "C:\Windows\System32\SystemPropertiesPerformance.exe"
  2⤵
  - Possible privilege escalation attempt
  - Modifies file permissions
  PID:1036
- C:\Windows\System32\icacls.exe
  "C:\Windows\System32\icacls.exe" "C:\Windows\System32\SystemPropertiesPerformance.exe" /INHERITANCE:e /GRANT:r Admin:(F)
  2⤵
  - Modifies file permissions
  PID:344
- C:\Windows\System32\icacls.exe
  "C:\Windows\System32\icacls.exe" "C:\Windows\System32\SystemPropertiesPerformance.exe" /INHERITANCE:e /GRANT:r Admin:(F)
  2⤵
  PID:1264
- C:\Windows\System32\takeown.exe
  "C:\Windows\System32\takeown.exe" /S PTZSFKIF /U Admin /F "C:\Windows\System32\SystemPropertiesPerformance.exe"
  2⤵
  PID:2604
- C:\Windows\System32\icacls.exe
  "C:\Windows\System32\icacls.exe" "C:\Windows\System32\SystemPropertiesPerformance.exe" /INHERITANCE:e /GRANT:r Admin:(F)
  2⤵
  - Modifies file permissions
  PID:1000
- C:\Windows\System32\takeown.exe
  "C:\Windows\System32\takeown.exe" /S PTZSFKIF /U Admin /F "C:\Windows\System32\SystemPropertiesPerformance.exe"
  2⤵
  - Modifies file permissions
  PID:2888
- C:\Windows\System32\takeown.exe
  "C:\Windows\System32\takeown.exe" /S PTZSFKIF /U Admin /F "C:\Windows\System32\SystemPropertiesPerformance.exe"
  2⤵
  PID:2700
- C:\Windows\System32\icacls.exe
  "C:\Windows\System32\icacls.exe" "C:\Windows\System32\SystemPropertiesPerformance.exe" /INHERITANCE:e /GRANT:r Admin:(F)
  2⤵
  PID:872
- C:\Windows\System32\takeown.exe
  "C:\Windows\System32\takeown.exe" /S PTZSFKIF /U Admin /F "C:\Windows\System32\SystemPropertiesPerformance.exe"
  2⤵
  PID:3040
- C:\Windows\System32\icacls.exe
  "C:\Windows\System32\icacls.exe" "C:\Windows\System32\SystemPropertiesPerformance.exe" /INHERITANCE:e /GRANT:r Admin:(F)
  2⤵
  - Possible privilege escalation attempt
  - Modifies file permissions
  PID:1452
- C:\Windows\System32\takeown.exe
  "C:\Windows\System32\takeown.exe" /S PTZSFKIF /U Admin /F "C:\Windows\System32\SystemPropertiesPerformance.exe"
  2⤵
  - Possible privilege escalation attempt
  - Modifies file permissions
  PID:992
- C:\Windows\System32\icacls.exe
  "C:\Windows\System32\icacls.exe" "C:\Windows\System32\SystemPropertiesPerformance.exe" /INHERITANCE:e /GRANT:r Admin:(F)
  2⤵
  - Modifies file permissions
  PID:2188
- C:\Windows\System32\takeown.exe
  "C:\Windows\System32\takeown.exe" /S PTZSFKIF /U Admin /F "C:\Windows\System32\SystemPropertiesPerformance.exe"
  2⤵
  - Possible privilege escalation attempt
  PID:936
- C:\Windows\System32\icacls.exe
  "C:\Windows\System32\icacls.exe" "C:\Windows\System32\SystemPropertiesPerformance.exe" /INHERITANCE:e /GRANT:r Admin:(F)
  2⤵
  - Possible privilege escalation attempt
  PID:2696
- C:\Windows\System32\takeown.exe
  "C:\Windows\System32\takeown.exe" /S PTZSFKIF /U Admin /F "C:\Windows\System32\SystemPropertiesPerformance.exe"
  2⤵
  PID:2348
- C:\Windows\System32\icacls.exe
  "C:\Windows\System32\icacls.exe" "C:\Windows\System32\SystemPropertiesPerformance.exe" /INHERITANCE:e /GRANT:r Admin:(F)
  2⤵
  - Possible privilege escalation attempt
  PID:2028
- C:\Windows\System32\takeown.exe
  "C:\Windows\System32\takeown.exe" /S PTZSFKIF /U Admin /F "C:\Windows\System32\SystemPropertiesPerformance.exe"
  2⤵
  PID:1948
- C:\Windows\System32\icacls.exe
  "C:\Windows\System32\icacls.exe" "C:\Windows\System32\SystemPropertiesPerformance.exe" /INHERITANCE:e /GRANT:r Admin:(F)
  2⤵
  - Possible privilege escalation attempt
  PID:1440
- C:\Windows\System32\takeown.exe
  "C:\Windows\System32\takeown.exe" /S PTZSFKIF /U Admin /F "C:\Windows\System32\SystemPropertiesPerformance.exe"
  2⤵
  PID:764
- C:\Windows\System32\takeown.exe
  "C:\Windows\System32\takeown.exe" /S PTZSFKIF /U Admin /F "C:\Windows\System32\SystemPropertiesPerformance.exe"
  2⤵
  - Possible privilege escalation attempt
  PID:892
- C:\Windows\System32\icacls.exe
  "C:\Windows\System32\icacls.exe" "C:\Windows\System32\SystemPropertiesPerformance.exe" /INHERITANCE:e /GRANT:r Admin:(F)
  2⤵
  - Possible privilege escalation attempt
  PID:1544
- C:\Windows\System32\icacls.exe
  "C:\Windows\System32\icacls.exe" "C:\Windows\System32\SystemPropertiesPerformance.exe" /INHERITANCE:e /GRANT:r Admin:(F)
  2⤵
  - Possible privilege escalation attempt
  - Modifies file permissions
  PID:568
- C:\Windows\System32\takeown.exe
  "C:\Windows\System32\takeown.exe" /S PTZSFKIF /U Admin /F "C:\Windows\System32\SystemPropertiesPerformance.exe"
  2⤵
  PID:1100
- C:\Windows\System32\icacls.exe
  "C:\Windows\System32\icacls.exe" "C:\Windows\System32\SystemPropertiesPerformance.exe" /INHERITANCE:e /GRANT:r Admin:(F)
  2⤵
  - Possible privilege escalation attempt
  PID:1708
- C:\Windows\System32\takeown.exe
  "C:\Windows\System32\takeown.exe" /S PTZSFKIF /U Admin /F "C:\Windows\System32\SystemPropertiesPerformance.exe"
  2⤵
  - Possible privilege escalation attempt
  PID:692
- C:\Windows\System32\icacls.exe
  "C:\Windows\System32\icacls.exe" "C:\Windows\System32\SystemPropertiesPerformance.exe" /INHERITANCE:e /GRANT:r Admin:(F)
  2⤵
  PID:2324
- C:\Windows\System32\takeown.exe
  "C:\Windows\System32\takeown.exe" /S PTZSFKIF /U Admin /F "C:\Windows\System32\SystemPropertiesPerformance.exe"
  2⤵
  PID:2512
- C:\Windows\System32\icacls.exe
  "C:\Windows\System32\icacls.exe" "C:\Windows\System32\SystemPropertiesPerformance.exe" /INHERITANCE:e /GRANT:r Admin:(F)
  2⤵
  - Modifies file permissions
  PID:2932
- C:\Windows\System32\takeown.exe
  "C:\Windows\System32\takeown.exe" /S PTZSFKIF /U Admin /F "C:\Windows\System32\SystemPropertiesPerformance.exe"
  2⤵
  - Possible privilege escalation attempt
  PID:2268
- C:\Windows\System32\icacls.exe
  "C:\Windows\System32\icacls.exe" "C:\Windows\System32\SystemPropertiesPerformance.exe" /INHERITANCE:e /GRANT:r Admin:(F)
  2⤵
  - Modifies file permissions
  PID:3056
- C:\Windows\System32\takeown.exe
  "C:\Windows\System32\takeown.exe" /S PTZSFKIF /U Admin /F "C:\Windows\System32\SystemPropertiesPerformance.exe"
  2⤵
  - Possible privilege escalation attempt
  - Modifies file permissions
  PID:1840
- C:\Windows\System32\icacls.exe
  "C:\Windows\System32\icacls.exe" "C:\Windows\System32\SystemPropertiesPerformance.exe" /INHERITANCE:e /GRANT:r Admin:(F)
  2⤵
  PID:2224
- C:\Windows\System32\takeown.exe
  "C:\Windows\System32\takeown.exe" /S PTZSFKIF /U Admin /F "C:\Windows\System32\SystemPropertiesPerformance.exe"
  2⤵
  - Modifies file permissions
  PID:3076
- C:\Windows\System32\icacls.exe
  "C:\Windows\System32\icacls.exe" "C:\Windows\System32\SystemPropertiesPerformance.exe" /INHERITANCE:e /GRANT:r Admin:(F)
  2⤵
  - Possible privilege escalation attempt
  PID:3104
- C:\Windows\System32\icacls.exe
  "C:\Windows\System32\icacls.exe" "C:\Windows\System32\SystemPropertiesPerformance.exe" /INHERITANCE:e /GRANT:r Admin:(F)
  2⤵
  PID:3148
- C:\Windows\System32\takeown.exe
  "C:\Windows\System32\takeown.exe" /S PTZSFKIF /U Admin /F "C:\Windows\System32\SystemPropertiesPerformance.exe"
  2⤵
  PID:3112
- C:\Windows\System32\takeown.exe
  "C:\Windows\System32\takeown.exe" /S PTZSFKIF /U Admin /F "C:\Windows\System32\SystemPropertiesPerformance.exe"
  2⤵
  PID:3172
- C:\Windows\System32\icacls.exe
  "C:\Windows\System32\icacls.exe" "C:\Windows\System32\SystemPropertiesPerformance.exe" /INHERITANCE:e /GRANT:r Admin:(F)
  2⤵
  - Modifies file permissions
  PID:3196
- C:\Windows\System32\takeown.exe
  "C:\Windows\System32\takeown.exe" /S PTZSFKIF /U Admin /F "C:\Windows\System32\SystemPropertiesPerformance.exe"
  2⤵
  PID:3212
- C:\Windows\System32\icacls.exe
  "C:\Windows\System32\icacls.exe" "C:\Windows\System32\SystemPropertiesPerformance.exe" /INHERITANCE:e /GRANT:r Admin:(F)
  2⤵
  - Possible privilege escalation attempt
  PID:3232
- C:\Windows\System32\takeown.exe
  "C:\Windows\System32\takeown.exe" /S PTZSFKIF /U Admin /F "C:\Windows\System32\SystemPropertiesPerformance.exe"
  2⤵
  PID:3252
- C:\Windows\System32\icacls.exe
  "C:\Windows\System32\icacls.exe" "C:\Windows\System32\SystemPropertiesPerformance.exe" /INHERITANCE:e /GRANT:r Admin:(F)
  2⤵
  PID:3296
- C:\Windows\System32\takeown.exe
  "C:\Windows\System32\takeown.exe" /S PTZSFKIF /U Admin /F "C:\Windows\System32\SystemPropertiesPerformance.exe"
  2⤵
  - Possible privilege escalation attempt
  PID:3340
- C:\Windows\System32\icacls.exe
  "C:\Windows\System32\icacls.exe" "C:\Windows\System32\SystemPropertiesPerformance.exe" /INHERITANCE:e /GRANT:r Admin:(F)
  2⤵
  PID:3364
- C:\Windows\System32\takeown.exe
  "C:\Windows\System32\takeown.exe" /S PTZSFKIF /U Admin /F "C:\Windows\System32\SystemPropertiesPerformance.exe"
  2⤵
  - Modifies file permissions
  PID:3404
- C:\Windows\System32\icacls.exe
  "C:\Windows\System32\icacls.exe" "C:\Windows\System32\SystemPropertiesPerformance.exe" /INHERITANCE:e /GRANT:r Admin:(F)
  2⤵
  PID:3388
- C:\Windows\System32\takeown.exe
  "C:\Windows\System32\takeown.exe" /S PTZSFKIF /U Admin /F "C:\Windows\System32\SystemPropertiesPerformance.exe"
  2⤵
  - Modifies file permissions
  PID:3372
- C:\Windows\System32\icacls.exe
  "C:\Windows\System32\icacls.exe" "C:\Windows\System32\SystemPropertiesPerformance.exe" /INHERITANCE:e /GRANT:r Admin:(F)
  2⤵
  - Possible privilege escalation attempt
  - Modifies file permissions
  PID:3436
- C:\Windows\System32\takeown.exe
  "C:\Windows\System32\takeown.exe" /S PTZSFKIF /U Admin /F "C:\Windows\System32\SystemPropertiesPerformance.exe"
  2⤵
  - Possible privilege escalation attempt
  - Modifies file permissions
  PID:3464
- C:\Windows\System32\icacls.exe
  "C:\Windows\System32\icacls.exe" "C:\Windows\System32\SystemPropertiesPerformance.exe" /INHERITANCE:e /GRANT:r Admin:(F)
  2⤵
  - Possible privilege escalation attempt
  PID:3500
- C:\Windows\System32\takeown.exe
  "C:\Windows\System32\takeown.exe" /S PTZSFKIF /U Admin /F "C:\Windows\System32\SystemPropertiesPerformance.exe"
  2⤵
  PID:3520
- C:\Windows\System32\icacls.exe
  "C:\Windows\System32\icacls.exe" "C:\Windows\System32\SystemPropertiesPerformance.exe" /INHERITANCE:e /GRANT:r Admin:(F)
  2⤵
  - Modifies file permissions
  PID:3552
- C:\Windows\System32\takeown.exe
  "C:\Windows\System32\takeown.exe" /S PTZSFKIF /U Admin /F "C:\Windows\System32\SystemPropertiesPerformance.exe"
  2⤵
  - Possible privilege escalation attempt
  - Modifies file permissions
  PID:3568
- C:\Windows\System32\icacls.exe
  "C:\Windows\System32\icacls.exe" "C:\Windows\System32\SystemPropertiesPerformance.exe" /INHERITANCE:e /GRANT:r Admin:(F)
  2⤵
  PID:3576
- C:\Windows\System32\takeown.exe
  "C:\Windows\System32\takeown.exe" /S PTZSFKIF /U Admin /F "C:\Windows\System32\SystemPropertiesPerformance.exe"
  2⤵
  - Modifies file permissions
  PID:3592
- C:\Windows\System32\icacls.exe
  "C:\Windows\System32\icacls.exe" "C:\Windows\System32\SystemPropertiesPerformance.exe" /INHERITANCE:e /GRANT:r Admin:(F)
  2⤵
  - Possible privilege escalation attempt
  - Modifies file permissions
  PID:3632
- C:\Windows\System32\takeown.exe
  "C:\Windows\System32\takeown.exe" /S PTZSFKIF /U Admin /F "C:\Windows\System32\SystemPropertiesPerformance.exe"
  2⤵
  - Possible privilege escalation attempt
  PID:3664
- C:\Windows\System32\icacls.exe
  "C:\Windows\System32\icacls.exe" "C:\Windows\System32\SystemPropertiesPerformance.exe" /INHERITANCE:e /GRANT:r Admin:(F)
  2⤵
  - Possible privilege escalation attempt
  PID:3688
- C:\Windows\System32\icacls.exe
  "C:\Windows\System32\icacls.exe" "C:\Windows\System32\SystemPropertiesPerformance.exe" /INHERITANCE:e /GRANT:r Admin:(F)
  2⤵
  PID:3752
- C:\Windows\System32\takeown.exe
  "C:\Windows\System32\takeown.exe" /S PTZSFKIF /U Admin /F "C:\Windows\System32\SystemPropertiesPerformance.exe"
  2⤵
  - Possible privilege escalation attempt
  PID:3740
- C:\Windows\System32\takeown.exe
  "C:\Windows\System32\takeown.exe" /S PTZSFKIF /U Admin /F "C:\Windows\System32\SystemPropertiesPerformance.exe"
  2⤵
  - Possible privilege escalation attempt
  PID:3872
- C:\Windows\System32\icacls.exe
  "C:\Windows\System32\icacls.exe" "C:\Windows\System32\SystemPropertiesPerformance.exe" /INHERITANCE:e /GRANT:r Admin:(F)
  2⤵
  PID:3784
- C:\Windows\System32\takeown.exe
  "C:\Windows\System32\takeown.exe" /S PTZSFKIF /U Admin /F "C:\Windows\System32\SystemPropertiesPerformance.exe"
  2⤵
  PID:3776
- C:\Windows\System32\icacls.exe
  "C:\Windows\System32\icacls.exe" "C:\Windows\System32\SystemPropertiesPerformance.exe" /INHERITANCE:e /GRANT:r Admin:(F)
  2⤵
  PID:3732
- C:\Windows\System32\takeown.exe
  "C:\Windows\System32\takeown.exe" /S PTZSFKIF /U Admin /F "C:\Windows\System32\SystemPropertiesPerformance.exe"
  2⤵
  PID:3724
- C:\Windows\System32\icacls.exe
  "C:\Windows\System32\icacls.exe" "C:\Windows\System32\SystemPropertiesPerformance.exe" /INHERITANCE:e /GRANT:r Admin:(F)
  2⤵
  PID:3712
- C:\Windows\System32\takeown.exe
  "C:\Windows\System32\takeown.exe" /S PTZSFKIF /U Admin /F "C:\Windows\System32\SystemPropertiesPerformance.exe"
  2⤵
  PID:3704
- C:\Windows\System32\icacls.exe
  "C:\Windows\System32\icacls.exe" "C:\Windows\System32\SystemPropertiesPerformance.exe" /INHERITANCE:e /GRANT:r Admin:(F)
  2⤵
  PID:3928
- C:\Windows\System32\takeown.exe
  "C:\Windows\System32\takeown.exe" /S PTZSFKIF /U Admin /F "C:\Windows\System32\SystemPropertiesPerformance.exe"
  2⤵
  PID:3956
- C:\Windows\System32\takeown.exe
  "C:\Windows\System32\takeown.exe" /S PTZSFKIF /U Admin /F "C:\Windows\System32\SystemPropertiesPerformance.exe"
  2⤵
  PID:4024
- C:\Windows\System32\icacls.exe
  "C:\Windows\System32\icacls.exe" "C:\Windows\System32\SystemPropertiesPerformance.exe" /INHERITANCE:e /GRANT:r Admin:(F)
  2⤵
  - Possible privilege escalation attempt
  PID:4000
- C:\Windows\System32\icacls.exe
  "C:\Windows\System32\icacls.exe" "C:\Windows\System32\SystemPropertiesPerformance.exe" /INHERITANCE:e /GRANT:r Admin:(F)
  2⤵
  - Possible privilege escalation attempt
  PID:4044
- C:\Windows\System32\takeown.exe
  "C:\Windows\System32\takeown.exe" /S PTZSFKIF /U Admin /F "C:\Windows\System32\SystemPropertiesPerformance.exe"
  2⤵
  - Possible privilege escalation attempt
  PID:4060
- C:\Windows\System32\icacls.exe
  "C:\Windows\System32\icacls.exe" "C:\Windows\System32\SystemPropertiesPerformance.exe" /INHERITANCE:e /GRANT:r Admin:(F)
  2⤵
  - Possible privilege escalation attempt
  PID:4080
- C:\Windows\System32\takeown.exe
  "C:\Windows\System32\takeown.exe" /S PTZSFKIF /U Admin /F "C:\Windows\System32\SystemPropertiesPerformance.exe"
  2⤵
  PID:1456
- C:\Windows\System32\takeown.exe
  "C:\Windows\System32\takeown.exe" /S PTZSFKIF /U Admin /F "C:\Windows\System32\SystemPropertiesPerformance.exe"
  2⤵
  PID:1940
- C:\Windows\System32\icacls.exe
  "C:\Windows\System32\icacls.exe" "C:\Windows\System32\SystemPropertiesPerformance.exe" /INHERITANCE:e /GRANT:r Admin:(F)
  2⤵
  - Modifies file permissions
  PID:2956
- C:\Windows\System32\icacls.exe
  "C:\Windows\System32\icacls.exe" "C:\Windows\System32\SystemPropertiesPerformance.exe" /INHERITANCE:e /GRANT:r Admin:(F)
  2⤵
  PID:1572
- C:\Windows\System32\takeown.exe
  "C:\Windows\System32\takeown.exe" /S PTZSFKIF /U Admin /F "C:\Windows\System32\SystemPropertiesPerformance.exe"
  2⤵
  - Possible privilege escalation attempt
  PID:3268
- C:\Windows\System32\icacls.exe
  "C:\Windows\System32\icacls.exe" "C:\Windows\System32\SystemPropertiesPerformance.exe" /INHERITANCE:e /GRANT:r Admin:(F)
  2⤵
  PID:3400
- C:\Windows\System32\takeown.exe
  "C:\Windows\System32\takeown.exe" /S PTZSFKIF /U Admin /F "C:\Windows\System32\SystemPropertiesPerformance.exe"
  2⤵
  - Modifies file permissions
  PID:1608
- C:\Windows\System32\icacls.exe
  "C:\Windows\System32\icacls.exe" "C:\Windows\System32\SystemPropertiesPerformance.exe" /INHERITANCE:e /GRANT:r Admin:(F)
  2⤵
  - Possible privilege escalation attempt
  - Modifies file permissions
  PID:2560
- C:\Windows\System32\takeown.exe
  "C:\Windows\System32\takeown.exe" /S PTZSFKIF /U Admin /F "C:\Windows\System32\SystemPropertiesPerformance.exe"
  2⤵
  - Modifies file permissions
  PID:3676
- C:\Windows\System32\icacls.exe
  "C:\Windows\System32\icacls.exe" "C:\Windows\System32\SystemPropertiesPerformance.exe" /INHERITANCE:e /GRANT:r Admin:(F)
  2⤵
  - Modifies file permissions
  PID:3952
- C:\Windows\System32\takeown.exe
  "C:\Windows\System32\takeown.exe" /S PTZSFKIF /U Admin /F "C:\Windows\System32\SystemPropertiesPerformance.exe"
  2⤵
  PID:3640
- C:\Windows\System32\icacls.exe
  "C:\Windows\System32\icacls.exe" "C:\Windows\System32\SystemPropertiesPerformance.exe" /INHERITANCE:e /GRANT:r Admin:(F)
  2⤵
  PID:2612
- C:\Windows\System32\takeown.exe
  "C:\Windows\System32\takeown.exe" /S PTZSFKIF /U Admin /F "C:\Windows\System32\SystemPropertiesPerformance.exe"
  2⤵
  PID:3868
- C:\Windows\System32\icacls.exe
  "C:\Windows\System32\icacls.exe" "C:\Windows\System32\SystemPropertiesPerformance.exe" /INHERITANCE:e /GRANT:r Admin:(F)
  2⤵
  - Modifies file permissions
  PID:1484
- C:\Windows\System32\takeown.exe
  "C:\Windows\System32\takeown.exe" /S PTZSFKIF /U Admin /F "C:\Windows\System32\SystemPropertiesPerformance.exe"
  2⤵
  - Possible privilege escalation attempt
  - Modifies file permissions
  PID:2780
- C:\Windows\System32\icacls.exe
  "C:\Windows\System32\icacls.exe" "C:\Windows\System32\SystemPropertiesPerformance.exe" /INHERITANCE:e /GRANT:r Admin:(F)
  2⤵
  - Modifies file permissions
  PID:3572
- C:\Windows\System32\takeown.exe
  "C:\Windows\System32\takeown.exe" /S PTZSFKIF /U Admin /F "C:\Windows\System32\SystemPropertiesPerformance.exe"
  2⤵
  PID:2352
- C:\Windows\System32\icacls.exe
  "C:\Windows\System32\icacls.exe" "C:\Windows\System32\SystemPropertiesPerformance.exe" /INHERITANCE:e /GRANT:r Admin:(F)
  2⤵
  PID:1064
- C:\Windows\System32\takeown.exe
  "C:\Windows\System32\takeown.exe" /S PTZSFKIF /U Admin /F "C:\Windows\System32\SystemPropertiesPerformance.exe"
  2⤵
  PID:3432
- C:\Windows\System32\icacls.exe
  "C:\Windows\System32\icacls.exe" "C:\Windows\System32\SystemPropertiesPerformance.exe" /INHERITANCE:e /GRANT:r Admin:(F)
  2⤵
  PID:4108
- C:\Windows\System32\takeown.exe
  "C:\Windows\System32\takeown.exe" /S PTZSFKIF /U Admin /F "C:\Windows\System32\SystemPropertiesPerformance.exe"
  2⤵
  - Possible privilege escalation attempt
  - Modifies file permissions
  PID:4132
- C:\Windows\System32\icacls.exe
  "C:\Windows\System32\icacls.exe" "C:\Windows\System32\SystemPropertiesPerformance.exe" /INHERITANCE:e /GRANT:r Admin:(F)
  2⤵
  PID:4152
- C:\Windows\System32\takeown.exe
  "C:\Windows\System32\takeown.exe" /S PTZSFKIF /U Admin /F "C:\Windows\System32\SystemPropertiesPerformance.exe"
  2⤵
  PID:4180
- C:\Windows\System32\icacls.exe
  "C:\Windows\System32\icacls.exe" "C:\Windows\System32\SystemPropertiesPerformance.exe" /INHERITANCE:e /GRANT:r Admin:(F)
  2⤵
  - Possible privilege escalation attempt
  PID:4212
- C:\Windows\System32\takeown.exe
  "C:\Windows\System32\takeown.exe" /S PTZSFKIF /U Admin /F "C:\Windows\System32\SystemPropertiesPerformance.exe"
  2⤵
  PID:4240
- C:\Windows\System32\icacls.exe
  "C:\Windows\System32\icacls.exe" "C:\Windows\System32\SystemPropertiesPerformance.exe" /INHERITANCE:e /GRANT:r Admin:(F)
  2⤵
  PID:4284
- C:\Windows\System32\takeown.exe
  "C:\Windows\System32\takeown.exe" /S PTZSFKIF /U Admin /F "C:\Windows\System32\SystemPropertiesPerformance.exe"
  2⤵
  PID:4300
- C:\Windows\System32\icacls.exe
  "C:\Windows\System32\icacls.exe" "C:\Windows\System32\SystemPropertiesPerformance.exe" /INHERITANCE:e /GRANT:r Admin:(F)
  2⤵
  - Possible privilege escalation attempt
  - Modifies file permissions
  PID:4328
- C:\Windows\System32\takeown.exe
  "C:\Windows\System32\takeown.exe" /S PTZSFKIF /U Admin /F "C:\Windows\System32\SystemPropertiesPerformance.exe"
  2⤵
  PID:4352
- C:\Windows\System32\icacls.exe
  "C:\Windows\System32\icacls.exe" "C:\Windows\System32\SystemPropertiesPerformance.exe" /INHERITANCE:e /GRANT:r Admin:(F)
  2⤵
  PID:4372
- C:\Windows\System32\takeown.exe
  "C:\Windows\System32\takeown.exe" /S PTZSFKIF /U Admin /F "C:\Windows\System32\SystemPropertiesPerformance.exe"
  2⤵
  - Modifies file permissions
  PID:4392
- C:\Windows\System32\icacls.exe
  "C:\Windows\System32\icacls.exe" "C:\Windows\System32\SystemPropertiesPerformance.exe" /INHERITANCE:e /GRANT:r Admin:(F)
  2⤵
  - Modifies file permissions
  PID:4428
- C:\Windows\System32\takeown.exe
  "C:\Windows\System32\takeown.exe" /S PTZSFKIF /U Admin /F "C:\Windows\System32\SystemPropertiesPerformance.exe"
  2⤵
  - Possible privilege escalation attempt
  PID:4440
- C:\Windows\System32\takeown.exe
  "C:\Windows\System32\takeown.exe" /S PTZSFKIF /U Admin /F "C:\Windows\System32\SystemPropertiesPerformance.exe"
  2⤵
  PID:4492
- C:\Windows\System32\icacls.exe
  "C:\Windows\System32\icacls.exe" "C:\Windows\System32\SystemPropertiesPerformance.exe" /INHERITANCE:e /GRANT:r Admin:(F)
  2⤵
  PID:4464
- C:\Windows\System32\icacls.exe
  "C:\Windows\System32\icacls.exe" "C:\Windows\System32\SystemPropertiesPerformance.exe" /INHERITANCE:e /GRANT:r Admin:(F)
  2⤵
  PID:4540
- C:\Windows\System32\takeown.exe
  "C:\Windows\System32\takeown.exe" /S PTZSFKIF /U Admin /F "C:\Windows\System32\SystemPropertiesPerformance.exe"
  2⤵
  - Possible privilege escalation attempt
  PID:4524
- C:\Windows\System32\icacls.exe
  "C:\Windows\System32\icacls.exe" "C:\Windows\System32\SystemPropertiesPerformance.exe" /INHERITANCE:e /GRANT:r Admin:(F)
  2⤵
  PID:4508
- C:\Windows\System32\takeown.exe
  "C:\Windows\System32\takeown.exe" /S PTZSFKIF /U Admin /F "C:\Windows\System32\SystemPropertiesPerformance.exe"
  2⤵
  PID:4596
- C:\Windows\System32\takeown.exe
  "C:\Windows\System32\takeown.exe" /S PTZSFKIF /U Admin /F "C:\Windows\System32\SystemPropertiesPerformance.exe"
  2⤵
  PID:4656
- C:\Windows\System32\icacls.exe
  "C:\Windows\System32\icacls.exe" "C:\Windows\System32\SystemPropertiesPerformance.exe" /INHERITANCE:e /GRANT:r Admin:(F)
  2⤵
  - Modifies file permissions
  PID:4620
- C:\Windows\System32\icacls.exe
  "C:\Windows\System32\icacls.exe" "C:\Windows\System32\SystemPropertiesPerformance.exe" /INHERITANCE:e /GRANT:r Admin:(F)
  2⤵
  PID:4688
- C:\Windows\System32\takeown.exe
  "C:\Windows\System32\takeown.exe" /S PTZSFKIF /U Admin /F "C:\Windows\System32\SystemPropertiesPerformance.exe"
  2⤵
  PID:4704
- C:\Windows\System32\icacls.exe
  "C:\Windows\System32\icacls.exe" "C:\Windows\System32\SystemPropertiesPerformance.exe" /INHERITANCE:e /GRANT:r Admin:(F)
  2⤵
  PID:4728
- C:\Windows\System32\takeown.exe
  "C:\Windows\System32\takeown.exe" /S PTZSFKIF /U Admin /F "C:\Windows\System32\SystemPropertiesPerformance.exe"
  2⤵
  - Possible privilege escalation attempt
  PID:4744
- C:\Windows\System32\icacls.exe
  "C:\Windows\System32\icacls.exe" "C:\Windows\System32\SystemPropertiesPerformance.exe" /INHERITANCE:e /GRANT:r Admin:(F)
  2⤵
  PID:4756
- C:\Windows\System32\takeown.exe
  "C:\Windows\System32\takeown.exe" /S PTZSFKIF /U Admin /F "C:\Windows\System32\SystemPropertiesPerformance.exe"
  2⤵
  PID:4784
- C:\Windows\System32\icacls.exe
  "C:\Windows\System32\icacls.exe" "C:\Windows\System32\SystemPropertiesPerformance.exe" /INHERITANCE:e /GRANT:r Admin:(F)
  2⤵
  PID:4808
- C:\Windows\System32\takeown.exe
  "C:\Windows\System32\takeown.exe" /S PTZSFKIF /U Admin /F "C:\Windows\System32\SystemPropertiesPerformance.exe"
  2⤵
  PID:4824
- C:\Windows\System32\icacls.exe
  "C:\Windows\System32\icacls.exe" "C:\Windows\System32\SystemPropertiesPerformance.exe" /INHERITANCE:e /GRANT:r Admin:(F)
  2⤵
  PID:4840
- C:\Windows\System32\takeown.exe
  "C:\Windows\System32\takeown.exe" /S PTZSFKIF /U Admin /F "C:\Windows\System32\SystemPropertiesPerformance.exe"
  2⤵
  - Possible privilege escalation attempt
  PID:4864
- C:\Windows\System32\icacls.exe
  "C:\Windows\System32\icacls.exe" "C:\Windows\System32\SystemPropertiesPerformance.exe" /INHERITANCE:e /GRANT:r Admin:(F)
  2⤵
  PID:4896
- C:\Windows\System32\takeown.exe
  "C:\Windows\System32\takeown.exe" /S PTZSFKIF /U Admin /F "C:\Windows\System32\SystemPropertiesPerformance.exe"
  2⤵
  - Modifies file permissions
  PID:4916
- C:\Windows\System32\icacls.exe
  "C:\Windows\System32\icacls.exe" "C:\Windows\System32\SystemPropertiesPerformance.exe" /INHERITANCE:e /GRANT:r Admin:(F)
  2⤵
  PID:4928
- C:\Windows\System32\takeown.exe
  "C:\Windows\System32\takeown.exe" /S PTZSFKIF /U Admin /F "C:\Windows\System32\SystemPropertiesPerformance.exe"
  2⤵
  PID:4952
- C:\Windows\System32\icacls.exe
  "C:\Windows\System32\icacls.exe" "C:\Windows\System32\SystemPropertiesPerformance.exe" /INHERITANCE:e /GRANT:r Admin:(F)
  2⤵
  PID:4996

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

File and Directory Permissions Modification

T1222

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\rR35XAO5m.exe

Filesize
344KB

MD5
530db5895ce74b867b26f0423009b95b

SHA1
2f5623adb726e0d2dd7fc7cafaca17a5b7f762cd

SHA256
955a36d40025f5c01c6721583a9beb8c8eef3d17c95c698335713cb2ec119a01

SHA512
3f9456a0eb1b850694ec0d8a9a89eb274f99c20c4a8cb4a4b35084655aa5759689b7945f937f2a70e5b7864f7b131c785feb2ecc590954e5844b63cd222da497

Download Submit
C:\Windows\System32\SystemPropertiesPerformance.exe

Filesize
344KB

MD5
aeb0dd21b984b71d2ee95aebef5ac5d0

SHA1
45b7c8836a69ac9829b56823b683a8b75f247dcd

SHA256
e2a06169705a62daf3488f928eba68c771d34a2fb12ecd2859000faf063dab76

SHA512
187b3e4c02c35e369c900e3f2bd3b0f696a9cdbd2ecec33095115b7f667c6a5d7d223a17902260f123d014b324572abf4ec098362e9fd7bb1ab76ddbdd0e6bae

Download Submit
memory/1916-0-0x0000000000AE0000-0x0000000000B08000-memory.dmp

Filesize
160KB

Download
memory/1916-1-0x000007FEF5D40000-0x000007FEF672C000-memory.dmp

Filesize
9.9MB

Download
memory/1916-2-0x000000001B1B0000-0x000000001B230000-memory.dmp

Filesize
512KB

Download
memory/1916-693-0x000007FEF5D40000-0x000007FEF672C000-memory.dmp

Filesize
9.9MB

Download
memory/1916-741-0x000000001B1B0000-0x000000001B230000-memory.dmp

Filesize
512KB

Download
memory/1916-2827-0x000007FEF5D40000-0x000007FEF672C000-memory.dmp

Filesize
9.9MB

Download