Malware Analysis Report

2024-12-07 14:56

Sample ID 241002-1dnvysyakj
Target 2759e2d64c124380cc1bbaa512efa92771d613869db671179032221e2b0e878fN
SHA256 2759e2d64c124380cc1bbaa512efa92771d613869db671179032221e2b0e878f
Tags
evasion persistence trojan defense_evasion discovery exploit
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

2759e2d64c124380cc1bbaa512efa92771d613869db671179032221e2b0e878f

Threat Level: Known bad

The file 2759e2d64c124380cc1bbaa512efa92771d613869db671179032221e2b0e878fN was found to be: Known bad.

Malicious Activity Summary

evasion persistence trojan defense_evasion discovery exploit

UAC bypass

Disables Task Manager via registry modification

Possible privilege escalation attempt

Modifies system executable filetype association

Checks computer location settings

Modifies file permissions

File and Directory Permissions Modification: Windows File and Directory Permissions Modification

Drops file in System32 directory

Unsigned PE

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

Suspicious behavior: GetForegroundWindowSpam

Modifies registry key

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: EnumeratesProcesses

Modifies registry class

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-10-02 21:32

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-10-02 21:32

Reported

2024-10-02 21:34

Platform

win7-20240903-en

Max time kernel

120s

Max time network

16s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2759e2d64c124380cc1bbaa512efa92771d613869db671179032221e2b0e878fN.exe"

Signatures

UAC bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\System32\reg.exe N/A

Disables Task Manager via registry modification

evasion

Modifies system executable filetype association

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\2759e2d64c124380cc1bbaa512efa92771d613869db671179032221e2b0e878fN.exe BATCF %1" C:\Users\Admin\AppData\Local\Temp\2759e2d64c124380cc1bbaa512efa92771d613869db671179032221e2b0e878fN.exe N/A

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\pngfile\shell\open\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\2759e2d64c124380cc1bbaa512efa92771d613869db671179032221e2b0e878fN.exe JPGIF %1" C:\Users\Admin\AppData\Local\Temp\2759e2d64c124380cc1bbaa512efa92771d613869db671179032221e2b0e878fN.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\giffile\shell\Open\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\2759e2d64c124380cc1bbaa512efa92771d613869db671179032221e2b0e878fN.exe JPGIF %1" C:\Users\Admin\AppData\Local\Temp\2759e2d64c124380cc1bbaa512efa92771d613869db671179032221e2b0e878fN.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\2759e2d64c124380cc1bbaa512efa92771d613869db671179032221e2b0e878fN.exe VBSSF %1" C:\Users\Admin\AppData\Local\Temp\2759e2d64c124380cc1bbaa512efa92771d613869db671179032221e2b0e878fN.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\rtffile\shell\open\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\2759e2d64c124380cc1bbaa512efa92771d613869db671179032221e2b0e878fN.exe RTFDF %1" C:\Users\Admin\AppData\Local\Temp\2759e2d64c124380cc1bbaa512efa92771d613869db671179032221e2b0e878fN.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\xmlfile\shell\open\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\2759e2d64c124380cc1bbaa512efa92771d613869db671179032221e2b0e878fN.exe NTPAD %1" C:\Users\Admin\AppData\Local\Temp\2759e2d64c124380cc1bbaa512efa92771d613869db671179032221e2b0e878fN.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\2759e2d64c124380cc1bbaa512efa92771d613869db671179032221e2b0e878fN.exe NTPAD %1" C:\Users\Admin\AppData\Local\Temp\2759e2d64c124380cc1bbaa512efa92771d613869db671179032221e2b0e878fN.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\cmdfile\shell\open\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\2759e2d64c124380cc1bbaa512efa92771d613869db671179032221e2b0e878fN.exe CMDSF %1" C:\Users\Admin\AppData\Local\Temp\2759e2d64c124380cc1bbaa512efa92771d613869db671179032221e2b0e878fN.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\jpegfile\shell\open\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\2759e2d64c124380cc1bbaa512efa92771d613869db671179032221e2b0e878fN.exe JPGIF %1" C:\Users\Admin\AppData\Local\Temp\2759e2d64c124380cc1bbaa512efa92771d613869db671179032221e2b0e878fN.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\inifile\shell\open\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\2759e2d64c124380cc1bbaa512efa92771d613869db671179032221e2b0e878fN.exe NTPAD %1" C:\Users\Admin\AppData\Local\Temp\2759e2d64c124380cc1bbaa512efa92771d613869db671179032221e2b0e878fN.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\icofile\shell\open\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\2759e2d64c124380cc1bbaa512efa92771d613869db671179032221e2b0e878fN.exe JPGIF %1" C:\Users\Admin\AppData\Local\Temp\2759e2d64c124380cc1bbaa512efa92771d613869db671179032221e2b0e878fN.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\2759e2d64c124380cc1bbaa512efa92771d613869db671179032221e2b0e878fN.exe BATCF %1" C:\Users\Admin\AppData\Local\Temp\2759e2d64c124380cc1bbaa512efa92771d613869db671179032221e2b0e878fN.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\open\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\2759e2d64c124380cc1bbaa512efa92771d613869db671179032221e2b0e878fN.exe HTMWF %1" C:\Users\Admin\AppData\Local\Temp\2759e2d64c124380cc1bbaa512efa92771d613869db671179032221e2b0e878fN.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\open\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\2759e2d64c124380cc1bbaa512efa92771d613869db671179032221e2b0e878fN.exe NTPAD %1" C:\Users\Admin\AppData\Local\Temp\2759e2d64c124380cc1bbaa512efa92771d613869db671179032221e2b0e878fN.exe N/A

Modifies registry key

Description Indicator Process Target
N/A N/A C:\Windows\System32\reg.exe N/A
N/A N/A C:\Windows\System32\reg.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\2759e2d64c124380cc1bbaa512efa92771d613869db671179032221e2b0e878fN.exe

"C:\Users\Admin\AppData\Local\Temp\2759e2d64c124380cc1bbaa512efa92771d613869db671179032221e2b0e878fN.exe"

C:\Windows\System32\reg.exe

"C:\Windows\System32\reg.exe" ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f

C:\Windows\System32\reg.exe

"C:\Windows\System32\reg.exe" add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f

Network

N/A

Files

memory/2432-0-0x000007FEF5973000-0x000007FEF5974000-memory.dmp

memory/2432-1-0x0000000000820000-0x0000000000848000-memory.dmp

memory/2432-2-0x000007FEF5970000-0x000007FEF635C000-memory.dmp

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\fNYSDQhn.exe

MD5 041c5ee5bd19d448f029f71c1f3ea5d3
SHA1 dca087c05d161ea277274f431eec4934ceffd448
SHA256 058c9e0e6ba29d102561ade0614098639091d1e732246862b801d7a79fb6da72
SHA512 43c939044b2a669446e765bf55604456ed5a1c9ba836facd9b2f1e820a43957c5cece924095def3d79f048f5746d64950c0d1b93309beb36cec27424d4d1f9fa

memory/2432-1140-0x000007FEF5973000-0x000007FEF5974000-memory.dmp

memory/2432-1277-0x000007FEF5970000-0x000007FEF635C000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-10-02 21:32

Reported

2024-10-02 21:34

Platform

win10v2004-20240802-en

Max time kernel

120s

Max time network

92s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2759e2d64c124380cc1bbaa512efa92771d613869db671179032221e2b0e878fN.exe"

Signatures

UAC bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\System32\reg.exe N/A

Disables Task Manager via registry modification

evasion

Possible privilege escalation attempt

exploit
Description Indicator Process Target Events
N/A N/A C:\Windows\System32\icacls.exe N/A 25
N/A N/A C:\Windows\System32\takeown.exe N/A 39

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\2759e2d64c124380cc1bbaa512efa92771d613869db671179032221e2b0e878fN.exe N/A

Modifies file permissions

discovery
Description Indicator Process Target Events
N/A N/A C:\Windows\System32\icacls.exe N/A 32
N/A N/A C:\Windows\System32\takeown.exe N/A 32

Modifies system executable filetype association

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\2759e2d64c124380cc1bbaa512efa92771d613869db671179032221e2b0e878fN.exe BATCF %1" C:\Users\Admin\AppData\Local\Temp\2759e2d64c124380cc1bbaa512efa92771d613869db671179032221e2b0e878fN.exe N/A

File and Directory Permissions Modification: Windows File and Directory Permissions Modification

defense_evasion

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\System32\winrs.exe C:\Users\Admin\AppData\Local\Temp\2759e2d64c124380cc1bbaa512efa92771d613869db671179032221e2b0e878fN.exe N/A

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\2759e2d64c124380cc1bbaa512efa92771d613869db671179032221e2b0e878fN.exe NTPAD %1" C:\Users\Admin\AppData\Local\Temp\2759e2d64c124380cc1bbaa512efa92771d613869db671179032221e2b0e878fN.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\cmdfile\shell\open\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\2759e2d64c124380cc1bbaa512efa92771d613869db671179032221e2b0e878fN.exe CMDSF %1" C:\Users\Admin\AppData\Local\Temp\2759e2d64c124380cc1bbaa512efa92771d613869db671179032221e2b0e878fN.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\2759e2d64c124380cc1bbaa512efa92771d613869db671179032221e2b0e878fN.exe VBSSF %1" C:\Users\Admin\AppData\Local\Temp\2759e2d64c124380cc1bbaa512efa92771d613869db671179032221e2b0e878fN.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\open\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\2759e2d64c124380cc1bbaa512efa92771d613869db671179032221e2b0e878fN.exe HTMWF %1" C:\Users\Admin\AppData\Local\Temp\2759e2d64c124380cc1bbaa512efa92771d613869db671179032221e2b0e878fN.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\2759e2d64c124380cc1bbaa512efa92771d613869db671179032221e2b0e878fN.exe BATCF %1" C:\Users\Admin\AppData\Local\Temp\2759e2d64c124380cc1bbaa512efa92771d613869db671179032221e2b0e878fN.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\giffile\shell\Open\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\2759e2d64c124380cc1bbaa512efa92771d613869db671179032221e2b0e878fN.exe JPGIF %1" C:\Users\Admin\AppData\Local\Temp\2759e2d64c124380cc1bbaa512efa92771d613869db671179032221e2b0e878fN.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\rtffile\shell\open\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\2759e2d64c124380cc1bbaa512efa92771d613869db671179032221e2b0e878fN.exe RTFDF %1" C:\Users\Admin\AppData\Local\Temp\2759e2d64c124380cc1bbaa512efa92771d613869db671179032221e2b0e878fN.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\xmlfile\shell\Open\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\2759e2d64c124380cc1bbaa512efa92771d613869db671179032221e2b0e878fN.exe NTPAD %1" C:\Users\Admin\AppData\Local\Temp\2759e2d64c124380cc1bbaa512efa92771d613869db671179032221e2b0e878fN.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\inifile\shell\open\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\2759e2d64c124380cc1bbaa512efa92771d613869db671179032221e2b0e878fN.exe NTPAD %1" C:\Users\Admin\AppData\Local\Temp\2759e2d64c124380cc1bbaa512efa92771d613869db671179032221e2b0e878fN.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\open\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\2759e2d64c124380cc1bbaa512efa92771d613869db671179032221e2b0e878fN.exe NTPAD %1" C:\Users\Admin\AppData\Local\Temp\2759e2d64c124380cc1bbaa512efa92771d613869db671179032221e2b0e878fN.exe N/A

Modifies registry key

Description Indicator Process Target
N/A N/A C:\Windows\System32\reg.exe N/A
N/A N/A C:\Windows\System32\reg.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target Events
N/A N/A C:\Users\Admin\AppData\Local\Temp\2759e2d64c124380cc1bbaa512efa92771d613869db671179032221e2b0e878fN.exe N/A 20

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\2759e2d64c124380cc1bbaa512efa92771d613869db671179032221e2b0e878fN.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target Events
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2759e2d64c124380cc1bbaa512efa92771d613869db671179032221e2b0e878fN.exe N/A 1
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\takeown.exe N/A 22

Suspicious use of WriteProcessMemory

Description Indicator Process Target Events
PID 3612 wrote to memory of 2480 N/A C:\Users\Admin\AppData\Local\Temp\2759e2d64c124380cc1bbaa512efa92771d613869db671179032221e2b0e878fN.exe C:\Windows\System32\reg.exe 2
PID 3612 wrote to memory of 3052 N/A C:\Users\Admin\AppData\Local\Temp\2759e2d64c124380cc1bbaa512efa92771d613869db671179032221e2b0e878fN.exe C:\Windows\System32\reg.exe 2
PID 3612 wrote to memory of 1660 N/A C:\Users\Admin\AppData\Local\Temp\2759e2d64c124380cc1bbaa512efa92771d613869db671179032221e2b0e878fN.exe C:\Windows\System32\takeown.exe 2
PID 3612 wrote to memory of 824 N/A C:\Users\Admin\AppData\Local\Temp\2759e2d64c124380cc1bbaa512efa92771d613869db671179032221e2b0e878fN.exe C:\Windows\System32\icacls.exe 2
PID 3612 wrote to memory of 2180 N/A C:\Users\Admin\AppData\Local\Temp\2759e2d64c124380cc1bbaa512efa92771d613869db671179032221e2b0e878fN.exe C:\Windows\System32\takeown.exe 2
PID 3612 wrote to memory of 2520 N/A C:\Users\Admin\AppData\Local\Temp\2759e2d64c124380cc1bbaa512efa92771d613869db671179032221e2b0e878fN.exe C:\Windows\System32\icacls.exe 2
PID 3612 wrote to memory of 1264 N/A C:\Users\Admin\AppData\Local\Temp\2759e2d64c124380cc1bbaa512efa92771d613869db671179032221e2b0e878fN.exe C:\Windows\System32\takeown.exe 2
PID 3612 wrote to memory of 4572 N/A C:\Users\Admin\AppData\Local\Temp\2759e2d64c124380cc1bbaa512efa92771d613869db671179032221e2b0e878fN.exe C:\Windows\System32\icacls.exe 2
PID 3612 wrote to memory of 3640 N/A C:\Users\Admin\AppData\Local\Temp\2759e2d64c124380cc1bbaa512efa92771d613869db671179032221e2b0e878fN.exe C:\Windows\System32\takeown.exe 2
PID 3612 wrote to memory of 4292 N/A C:\Users\Admin\AppData\Local\Temp\2759e2d64c124380cc1bbaa512efa92771d613869db671179032221e2b0e878fN.exe C:\Windows\System32\icacls.exe 2
PID 3612 wrote to memory of 3284 N/A C:\Users\Admin\AppData\Local\Temp\2759e2d64c124380cc1bbaa512efa92771d613869db671179032221e2b0e878fN.exe C:\Windows\System32\takeown.exe 2
PID 3612 wrote to memory of 4244 N/A C:\Users\Admin\AppData\Local\Temp\2759e2d64c124380cc1bbaa512efa92771d613869db671179032221e2b0e878fN.exe C:\Windows\System32\icacls.exe 2
PID 3612 wrote to memory of 3972 N/A C:\Users\Admin\AppData\Local\Temp\2759e2d64c124380cc1bbaa512efa92771d613869db671179032221e2b0e878fN.exe C:\Windows\System32\takeown.exe 2
PID 3612 wrote to memory of 2196 N/A C:\Users\Admin\AppData\Local\Temp\2759e2d64c124380cc1bbaa512efa92771d613869db671179032221e2b0e878fN.exe C:\Windows\System32\icacls.exe 2
PID 3612 wrote to memory of 748 N/A C:\Users\Admin\AppData\Local\Temp\2759e2d64c124380cc1bbaa512efa92771d613869db671179032221e2b0e878fN.exe C:\Windows\System32\takeown.exe 2
PID 3612 wrote to memory of 708 N/A C:\Users\Admin\AppData\Local\Temp\2759e2d64c124380cc1bbaa512efa92771d613869db671179032221e2b0e878fN.exe C:\Windows\System32\icacls.exe 2
PID 3612 wrote to memory of 732 N/A C:\Users\Admin\AppData\Local\Temp\2759e2d64c124380cc1bbaa512efa92771d613869db671179032221e2b0e878fN.exe C:\Windows\System32\takeown.exe 2
PID 3612 wrote to memory of 3916 N/A C:\Users\Admin\AppData\Local\Temp\2759e2d64c124380cc1bbaa512efa92771d613869db671179032221e2b0e878fN.exe C:\Windows\System32\icacls.exe 2
PID 3612 wrote to memory of 3184 N/A C:\Users\Admin\AppData\Local\Temp\2759e2d64c124380cc1bbaa512efa92771d613869db671179032221e2b0e878fN.exe C:\Windows\System32\takeown.exe 2
PID 3612 wrote to memory of 2408 N/A C:\Users\Admin\AppData\Local\Temp\2759e2d64c124380cc1bbaa512efa92771d613869db671179032221e2b0e878fN.exe C:\Windows\System32\icacls.exe 2
PID 3612 wrote to memory of 1376 N/A C:\Users\Admin\AppData\Local\Temp\2759e2d64c124380cc1bbaa512efa92771d613869db671179032221e2b0e878fN.exe C:\Windows\System32\takeown.exe 2
PID 3612 wrote to memory of 692 N/A C:\Users\Admin\AppData\Local\Temp\2759e2d64c124380cc1bbaa512efa92771d613869db671179032221e2b0e878fN.exe C:\Windows\System32\icacls.exe 2
PID 3612 wrote to memory of 3624 N/A C:\Users\Admin\AppData\Local\Temp\2759e2d64c124380cc1bbaa512efa92771d613869db671179032221e2b0e878fN.exe C:\Windows\System32\takeown.exe 2
PID 3612 wrote to memory of 1156 N/A C:\Users\Admin\AppData\Local\Temp\2759e2d64c124380cc1bbaa512efa92771d613869db671179032221e2b0e878fN.exe C:\Windows\System32\icacls.exe 2
PID 3612 wrote to memory of 3412 N/A C:\Users\Admin\AppData\Local\Temp\2759e2d64c124380cc1bbaa512efa92771d613869db671179032221e2b0e878fN.exe C:\Windows\System32\takeown.exe 2
PID 3612 wrote to memory of 5032 N/A C:\Users\Admin\AppData\Local\Temp\2759e2d64c124380cc1bbaa512efa92771d613869db671179032221e2b0e878fN.exe C:\Windows\System32\icacls.exe 2
PID 3612 wrote to memory of 2560 N/A C:\Users\Admin\AppData\Local\Temp\2759e2d64c124380cc1bbaa512efa92771d613869db671179032221e2b0e878fN.exe C:\Windows\System32\takeown.exe 2
PID 3612 wrote to memory of 3260 N/A C:\Users\Admin\AppData\Local\Temp\2759e2d64c124380cc1bbaa512efa92771d613869db671179032221e2b0e878fN.exe C:\Windows\System32\icacls.exe 2
PID 3612 wrote to memory of 3312 N/A C:\Users\Admin\AppData\Local\Temp\2759e2d64c124380cc1bbaa512efa92771d613869db671179032221e2b0e878fN.exe C:\Windows\System32\takeown.exe 2
PID 3612 wrote to memory of 5024 N/A C:\Users\Admin\AppData\Local\Temp\2759e2d64c124380cc1bbaa512efa92771d613869db671179032221e2b0e878fN.exe C:\Windows\System32\icacls.exe 2
PID 3612 wrote to memory of 4012 N/A C:\Users\Admin\AppData\Local\Temp\2759e2d64c124380cc1bbaa512efa92771d613869db671179032221e2b0e878fN.exe C:\Windows\System32\takeown.exe 2
PID 3612 wrote to memory of 4372 N/A C:\Users\Admin\AppData\Local\Temp\2759e2d64c124380cc1bbaa512efa92771d613869db671179032221e2b0e878fN.exe C:\Windows\System32\icacls.exe
PID 3612 wrote to memory of 4372 N/A C:\Users\Admin\AppData\Local\Temp\2759e2d64c124380cc1bbaa512efa92771d613869db671179032221e2b0e878fN.exe C:\Windows\System32\icacls.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2759e2d64c124380cc1bbaa512efa92771d613869db671179032221e2b0e878fN.exe

"C:\Users\Admin\AppData\Local\Temp\2759e2d64c124380cc1bbaa512efa92771d613869db671179032221e2b0e878fN.exe"

C:\Windows\System32\reg.exe

"C:\Windows\System32\reg.exe" ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f

C:\Windows\System32\reg.exe

"C:\Windows\System32\reg.exe" add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f

C:\Windows\System32\takeown.exe

"C:\Windows\System32\takeown.exe" /S DSEYXUOD /U Admin /F "C:\Windows\bfsvc.exe"

C:\Windows\System32\icacls.exe

"C:\Windows\System32\icacls.exe" "C:\Windows\bfsvc.exe" /INHERITANCE:e /GRANT:r Admin:(F)

C:\Windows\System32\takeown.exe

"C:\Windows\System32\takeown.exe" /S DSEYXUOD /U Admin /F "C:\Windows\HelpPane.exe"

C:\Windows\System32\icacls.exe

"C:\Windows\System32\icacls.exe" "C:\Windows\HelpPane.exe" /INHERITANCE:e /GRANT:r Admin:(F)

C:\Windows\System32\takeown.exe

"C:\Windows\System32\takeown.exe" /S DSEYXUOD /U Admin /F "C:\Windows\hh.exe"

C:\Windows\System32\icacls.exe

"C:\Windows\System32\icacls.exe" "C:\Windows\hh.exe" /INHERITANCE:e /GRANT:r Admin:(F)

C:\Windows\System32\takeown.exe

"C:\Windows\System32\takeown.exe" /S DSEYXUOD /U Admin /F "C:\Windows\splwow64.exe"

C:\Windows\System32\icacls.exe

"C:\Windows\System32\icacls.exe" "C:\Windows\splwow64.exe" /INHERITANCE:e /GRANT:r Admin:(F)

C:\Windows\System32\takeown.exe

"C:\Windows\System32\takeown.exe" /S DSEYXUOD /U Admin /F "C:\Windows\winhlp32.exe"

C:\Windows\System32\icacls.exe

"C:\Windows\System32\icacls.exe" "C:\Windows\winhlp32.exe" /INHERITANCE:e /GRANT:r Admin:(F)

C:\Windows\System32\takeown.exe

"C:\Windows\System32\takeown.exe" /S DSEYXUOD /U Admin /F "C:\Windows\write.exe"

C:\Windows\System32\icacls.exe

"C:\Windows\System32\icacls.exe" "C:\Windows\write.exe" /INHERITANCE:e /GRANT:r Admin:(F)

C:\Windows\System32\takeown.exe

"C:\Windows\System32\takeown.exe" /S DSEYXUOD /U Admin /F "C:\Windows\SysWOW64\raserver.exe"

C:\Windows\System32\icacls.exe

"C:\Windows\System32\icacls.exe" "C:\Windows\SysWOW64\raserver.exe" /INHERITANCE:e /GRANT:r Admin:(F)

C:\Windows\System32\takeown.exe

"C:\Windows\System32\takeown.exe" /S DSEYXUOD /U Admin /F "C:\Windows\SysWOW64\msra.exe"

C:\Windows\System32\icacls.exe

"C:\Windows\System32\icacls.exe" "C:\Windows\SysWOW64\msra.exe" /INHERITANCE:e /GRANT:r Admin:(F)

C:\Windows\System32\takeown.exe

"C:\Windows\System32\takeown.exe" /S DSEYXUOD /U Admin /F "C:\Windows\SysWOW64\quickassist.exe"

C:\Windows\System32\icacls.exe

"C:\Windows\System32\icacls.exe" "C:\Windows\SysWOW64\quickassist.exe" /INHERITANCE:e /GRANT:r Admin:(F)

C:\Windows\System32\takeown.exe

"C:\Windows\System32\takeown.exe" /S DSEYXUOD /U Admin /F "C:\Windows\SysWOW64\sdchange.exe"

C:\Windows\System32\icacls.exe

"C:\Windows\System32\icacls.exe" "C:\Windows\SysWOW64\sdchange.exe" /INHERITANCE:e /GRANT:r Admin:(F)

C:\Windows\System32\takeown.exe

"C:\Windows\System32\takeown.exe" /S DSEYXUOD /U Admin /F "C:\Windows\SysWOW64\CameraSettingsUIHost.exe"

C:\Windows\System32\icacls.exe

"C:\Windows\System32\icacls.exe" "C:\Windows\SysWOW64\CameraSettingsUIHost.exe" /INHERITANCE:e /GRANT:r Admin:(F)

C:\Windows\System32\takeown.exe

"C:\Windows\System32\takeown.exe" /S DSEYXUOD /U Admin /F "C:\Windows\SysWOW64\logagent.exe"

C:\Windows\System32\icacls.exe

"C:\Windows\System32\icacls.exe" "C:\Windows\SysWOW64\logagent.exe" /INHERITANCE:e /GRANT:r Admin:(F)

C:\Windows\System32\takeown.exe

"C:\Windows\System32\takeown.exe" /S DSEYXUOD /U Admin /F "C:\Windows\SysWOW64\rrinstaller.exe"

C:\Windows\System32\icacls.exe

"C:\Windows\System32\icacls.exe" "C:\Windows\SysWOW64\rrinstaller.exe" /INHERITANCE:e /GRANT:r Admin:(F)

C:\Windows\System32\takeown.exe

"C:\Windows\System32\takeown.exe" /S DSEYXUOD /U Admin /F "C:\Windows\SysWOW64\gpscript.exe"

C:\Windows\System32\icacls.exe

"C:\Windows\System32\icacls.exe" "C:\Windows\SysWOW64\gpscript.exe" /INHERITANCE:e /GRANT:r Admin:(F)

C:\Windows\System32\takeown.exe

"C:\Windows\System32\takeown.exe" /S DSEYXUOD /U Admin /F "C:\Windows\SysWOW64\mavinject.exe"

C:\Windows\System32\icacls.exe

"C:\Windows\System32\icacls.exe" "C:\Windows\SysWOW64\mavinject.exe" /INHERITANCE:e /GRANT:r Admin:(F)

C:\Windows\System32\takeown.exe

"C:\Windows\System32\takeown.exe" /S DSEYXUOD /U Admin /F "C:\Windows\SysWOW64\provlaunch.exe"

C:\Windows\System32\icacls.exe

"C:\Windows\System32\icacls.exe" "C:\Windows\SysWOW64\provlaunch.exe" /INHERITANCE:e /GRANT:r Admin:(F)

C:\Windows\System32\takeown.exe

"C:\Windows\System32\takeown.exe" /S DSEYXUOD /U Admin /F "C:\Windows\SysWOW64\msinfo32.exe"

C:\Windows\System32\icacls.exe

"C:\Windows\System32\icacls.exe" "C:\Windows\SysWOW64\msinfo32.exe" /INHERITANCE:e /GRANT:r Admin:(F)

C:\Windows\System32\takeown.exe

"C:\Windows\System32\takeown.exe" /S DSEYXUOD /U Admin /F "C:\Windows\SysWOW64\runas.exe"

C:\Windows\System32\icacls.exe

"C:\Windows\System32\icacls.exe" "C:\Windows\SysWOW64\runas.exe" /INHERITANCE:e /GRANT:r Admin:(F)

C:\Windows\System32\takeown.exe

"C:\Windows\System32\takeown.exe" /S DSEYXUOD /U Admin /F "C:\Windows\SysWOW64\mstsc.exe"

C:\Windows\System32\icacls.exe

"C:\Windows\System32\icacls.exe" "C:\Windows\SysWOW64\mstsc.exe" /INHERITANCE:e /GRANT:r Admin:(F)

C:\Windows\System32\takeown.exe

"C:\Windows\System32\takeown.exe" /S DSEYXUOD /U Admin /F "C:\Windows\SysWOW64\sdiagnhost.exe"

C:\Windows\System32\icacls.exe

"C:\Windows\System32\icacls.exe" "C:\Windows\SysWOW64\sdiagnhost.exe" /INHERITANCE:e /GRANT:r Admin:(F)

C:\Windows\System32\takeown.exe

"C:\Windows\System32\takeown.exe" /S DSEYXUOD /U Admin /F "C:\Windows\System32\winrs.exe"

C:\Windows\System32\icacls.exe

"C:\Windows\System32\icacls.exe" "C:\Windows\System32\winrs.exe" /INHERITANCE:e /GRANT:r Admin:(F)

C:\Windows\System32\takeown.exe

"C:\Windows\System32\takeown.exe" /S DSEYXUOD /U Admin /F "C:\Windows\System32\winrs.exe"

C:\Windows\System32\icacls.exe

"C:\Windows\System32\icacls.exe" "C:\Windows\System32\winrs.exe" /INHERITANCE:e /GRANT:r Admin:(F)

C:\Windows\System32\takeown.exe

"C:\Windows\System32\takeown.exe" /S DSEYXUOD /U Admin /F "C:\Windows\System32\winrs.exe"

C:\Windows\System32\icacls.exe

"C:\Windows\System32\icacls.exe" "C:\Windows\System32\winrs.exe" /INHERITANCE:e /GRANT:r Admin:(F)

C:\Windows\System32\takeown.exe

"C:\Windows\System32\takeown.exe" /S DSEYXUOD /U Admin /F "C:\Windows\System32\winrs.exe"

C:\Windows\System32\icacls.exe

"C:\Windows\System32\icacls.exe" "C:\Windows\System32\winrs.exe" /INHERITANCE:e /GRANT:r Admin:(F)

C:\Windows\System32\takeown.exe

"C:\Windows\System32\takeown.exe" /S DSEYXUOD /U Admin /F "C:\Windows\System32\winrs.exe"

C:\Windows\System32\icacls.exe

"C:\Windows\System32\icacls.exe" "C:\Windows\System32\winrs.exe" /INHERITANCE:e /GRANT:r Admin:(F)

C:\Windows\System32\takeown.exe

"C:\Windows\System32\takeown.exe" /S DSEYXUOD /U Admin /F "C:\Windows\System32\winrs.exe"

C:\Windows\System32\icacls.exe

"C:\Windows\System32\icacls.exe" "C:\Windows\System32\winrs.exe" /INHERITANCE:e /GRANT:r Admin:(F)

C:\Windows\System32\takeown.exe

"C:\Windows\System32\takeown.exe" /S DSEYXUOD /U Admin /F "C:\Windows\System32\winrs.exe"

C:\Windows\System32\icacls.exe

"C:\Windows\System32\icacls.exe" "C:\Windows\System32\winrs.exe" /INHERITANCE:e /GRANT:r Admin:(F)

C:\Windows\System32\takeown.exe

"C:\Windows\System32\takeown.exe" /S DSEYXUOD /U Admin /F "C:\Windows\System32\winrs.exe"

C:\Windows\System32\icacls.exe

"C:\Windows\System32\icacls.exe" "C:\Windows\System32\winrs.exe" /INHERITANCE:e /GRANT:r Admin:(F)

C:\Windows\System32\takeown.exe

"C:\Windows\System32\takeown.exe" /S DSEYXUOD /U Admin /F "C:\Windows\System32\winrs.exe"

C:\Windows\System32\icacls.exe

"C:\Windows\System32\icacls.exe" "C:\Windows\System32\winrs.exe" /INHERITANCE:e /GRANT:r Admin:(F)

C:\Windows\System32\takeown.exe

"C:\Windows\System32\takeown.exe" /S DSEYXUOD /U Admin /F "C:\Windows\System32\winrs.exe"

C:\Windows\System32\icacls.exe

"C:\Windows\System32\icacls.exe" "C:\Windows\System32\winrs.exe" /INHERITANCE:e /GRANT:r Admin:(F)

C:\Windows\System32\takeown.exe

"C:\Windows\System32\takeown.exe" /S DSEYXUOD /U Admin /F "C:\Windows\System32\winrs.exe"

C:\Windows\System32\icacls.exe

"C:\Windows\System32\icacls.exe" "C:\Windows\System32\winrs.exe" /INHERITANCE:e /GRANT:r Admin:(F)

C:\Windows\System32\takeown.exe

"C:\Windows\System32\takeown.exe" /S DSEYXUOD /U Admin /F "C:\Windows\System32\winrs.exe"

C:\Windows\System32\icacls.exe

"C:\Windows\System32\icacls.exe" "C:\Windows\System32\winrs.exe" /INHERITANCE:e /GRANT:r Admin:(F)

C:\Windows\System32\takeown.exe

"C:\Windows\System32\takeown.exe" /S DSEYXUOD /U Admin /F "C:\Windows\System32\winrs.exe"

C:\Windows\System32\icacls.exe

"C:\Windows\System32\icacls.exe" "C:\Windows\System32\winrs.exe" /INHERITANCE:e /GRANT:r Admin:(F)

C:\Windows\System32\takeown.exe

"C:\Windows\System32\takeown.exe" /S DSEYXUOD /U Admin /F "C:\Windows\System32\winrs.exe"

C:\Windows\System32\icacls.exe

"C:\Windows\System32\icacls.exe" "C:\Windows\System32\winrs.exe" /INHERITANCE:e /GRANT:r Admin:(F)

C:\Windows\System32\takeown.exe

"C:\Windows\System32\takeown.exe" /S DSEYXUOD /U Admin /F "C:\Windows\System32\winrs.exe"

C:\Windows\System32\icacls.exe

"C:\Windows\System32\icacls.exe" "C:\Windows\System32\winrs.exe" /INHERITANCE:e /GRANT:r Admin:(F)

C:\Windows\System32\takeown.exe

"C:\Windows\System32\takeown.exe" /S DSEYXUOD /U Admin /F "C:\Windows\System32\winrs.exe"

C:\Windows\System32\icacls.exe

"C:\Windows\System32\icacls.exe" "C:\Windows\System32\winrs.exe" /INHERITANCE:e /GRANT:r Admin:(F)

C:\Windows\System32\takeown.exe

"C:\Windows\System32\takeown.exe" /S DSEYXUOD /U Admin /F "C:\Windows\System32\winrs.exe"

C:\Windows\System32\icacls.exe

"C:\Windows\System32\icacls.exe" "C:\Windows\System32\winrs.exe" /INHERITANCE:e /GRANT:r Admin:(F)

C:\Windows\System32\takeown.exe

"C:\Windows\System32\takeown.exe" /S DSEYXUOD /U Admin /F "C:\Windows\System32\winrs.exe"

C:\Windows\System32\icacls.exe

"C:\Windows\System32\icacls.exe" "C:\Windows\System32\winrs.exe" /INHERITANCE:e /GRANT:r Admin:(F)

C:\Windows\System32\takeown.exe

"C:\Windows\System32\takeown.exe" /S DSEYXUOD /U Admin /F "C:\Windows\System32\winrs.exe"

C:\Windows\System32\icacls.exe

"C:\Windows\System32\icacls.exe" "C:\Windows\System32\winrs.exe" /INHERITANCE:e /GRANT:r Admin:(F)

C:\Windows\System32\takeown.exe

"C:\Windows\System32\takeown.exe" /S DSEYXUOD /U Admin /F "C:\Windows\System32\winrs.exe"

C:\Windows\System32\icacls.exe

"C:\Windows\System32\icacls.exe" "C:\Windows\System32\winrs.exe" /INHERITANCE:e /GRANT:r Admin:(F)

C:\Windows\System32\takeown.exe

"C:\Windows\System32\takeown.exe" /S DSEYXUOD /U Admin /F "C:\Windows\System32\winrs.exe"

C:\Windows\System32\icacls.exe

"C:\Windows\System32\icacls.exe" "C:\Windows\System32\winrs.exe" /INHERITANCE:e /GRANT:r Admin:(F)

C:\Windows\System32\takeown.exe

"C:\Windows\System32\takeown.exe" /S DSEYXUOD /U Admin /F "C:\Windows\System32\winrs.exe"

C:\Windows\System32\icacls.exe

"C:\Windows\System32\icacls.exe" "C:\Windows\System32\winrs.exe" /INHERITANCE:e /GRANT:r Admin:(F)

C:\Windows\System32\takeown.exe

"C:\Windows\System32\takeown.exe" /S DSEYXUOD /U Admin /F "C:\Windows\System32\winrs.exe"

C:\Windows\System32\icacls.exe

"C:\Windows\System32\icacls.exe" "C:\Windows\System32\winrs.exe" /INHERITANCE:e /GRANT:r Admin:(F)

C:\Windows\System32\takeown.exe

"C:\Windows\System32\takeown.exe" /S DSEYXUOD /U Admin /F "C:\Windows\System32\winrs.exe"

C:\Windows\System32\icacls.exe

"C:\Windows\System32\icacls.exe" "C:\Windows\System32\winrs.exe" /INHERITANCE:e /GRANT:r Admin:(F)

C:\Windows\System32\takeown.exe

"C:\Windows\System32\takeown.exe" /S DSEYXUOD /U Admin /F "C:\Windows\System32\winrs.exe"

C:\Windows\System32\icacls.exe

"C:\Windows\System32\icacls.exe" "C:\Windows\System32\winrs.exe" /INHERITANCE:e /GRANT:r Admin:(F)

C:\Windows\System32\takeown.exe

"C:\Windows\System32\takeown.exe" /S DSEYXUOD /U Admin /F "C:\Windows\System32\winrs.exe"

C:\Windows\System32\icacls.exe

"C:\Windows\System32\icacls.exe" "C:\Windows\System32\winrs.exe" /INHERITANCE:e /GRANT:r Admin:(F)

C:\Windows\System32\takeown.exe

"C:\Windows\System32\takeown.exe" /S DSEYXUOD /U Admin /F "C:\Windows\System32\winrs.exe"

C:\Windows\System32\icacls.exe

"C:\Windows\System32\icacls.exe" "C:\Windows\System32\winrs.exe" /INHERITANCE:e /GRANT:r Admin:(F)

C:\Windows\System32\takeown.exe

"C:\Windows\System32\takeown.exe" /S DSEYXUOD /U Admin /F "C:\Windows\System32\winrs.exe"

C:\Windows\System32\icacls.exe

"C:\Windows\System32\icacls.exe" "C:\Windows\System32\winrs.exe" /INHERITANCE:e /GRANT:r Admin:(F)

C:\Windows\System32\takeown.exe

"C:\Windows\System32\takeown.exe" /S DSEYXUOD /U Admin /F "C:\Windows\System32\winrs.exe"

C:\Windows\System32\icacls.exe

"C:\Windows\System32\icacls.exe" "C:\Windows\System32\winrs.exe" /INHERITANCE:e /GRANT:r Admin:(F)

C:\Windows\System32\takeown.exe

"C:\Windows\System32\takeown.exe" /S DSEYXUOD /U Admin /F "C:\Windows\System32\winrs.exe"

C:\Windows\System32\icacls.exe

"C:\Windows\System32\icacls.exe" "C:\Windows\System32\winrs.exe" /INHERITANCE:e /GRANT:r Admin:(F)

C:\Windows\System32\takeown.exe

"C:\Windows\System32\takeown.exe" /S DSEYXUOD /U Admin /F "C:\Windows\System32\winrs.exe"

C:\Windows\System32\icacls.exe

"C:\Windows\System32\icacls.exe" "C:\Windows\System32\winrs.exe" /INHERITANCE:e /GRANT:r Admin:(F)

C:\Windows\System32\takeown.exe

"C:\Windows\System32\takeown.exe" /S DSEYXUOD /U Admin /F "C:\Windows\System32\winrs.exe"

C:\Windows\System32\icacls.exe

"C:\Windows\System32\icacls.exe" "C:\Windows\System32\winrs.exe" /INHERITANCE:e /GRANT:r Admin:(F)

C:\Windows\System32\takeown.exe

"C:\Windows\System32\takeown.exe" /S DSEYXUOD /U Admin /F "C:\Windows\System32\winrs.exe"

C:\Windows\System32\icacls.exe

"C:\Windows\System32\icacls.exe" "C:\Windows\System32\winrs.exe" /INHERITANCE:e /GRANT:r Admin:(F)

C:\Windows\System32\takeown.exe

"C:\Windows\System32\takeown.exe" /S DSEYXUOD /U Admin /F "C:\Windows\System32\winrs.exe"

C:\Windows\System32\icacls.exe

"C:\Windows\System32\icacls.exe" "C:\Windows\System32\winrs.exe" /INHERITANCE:e /GRANT:r Admin:(F)

C:\Windows\System32\takeown.exe

"C:\Windows\System32\takeown.exe" /S DSEYXUOD /U Admin /F "C:\Windows\System32\winrs.exe"

C:\Windows\System32\icacls.exe

"C:\Windows\System32\icacls.exe" "C:\Windows\System32\winrs.exe" /INHERITANCE:e /GRANT:r Admin:(F)

C:\Windows\System32\takeown.exe

"C:\Windows\System32\takeown.exe" /S DSEYXUOD /U Admin /F "C:\Windows\System32\winrs.exe"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\icacls.exe

"C:\Windows\System32\icacls.exe" "C:\Windows\System32\winrs.exe" /INHERITANCE:e /GRANT:r Admin:(F)

C:\Windows\System32\takeown.exe

"C:\Windows\System32\takeown.exe" /S DSEYXUOD /U Admin /F "C:\Windows\System32\winrs.exe"

C:\Windows\System32\icacls.exe

"C:\Windows\System32\icacls.exe" "C:\Windows\System32\winrs.exe" /INHERITANCE:e /GRANT:r Admin:(F)

C:\Windows\System32\takeown.exe

"C:\Windows\System32\takeown.exe" /S DSEYXUOD /U Admin /F "C:\Windows\System32\winrs.exe"

C:\Windows\System32\icacls.exe

"C:\Windows\System32\icacls.exe" "C:\Windows\System32\winrs.exe" /INHERITANCE:e /GRANT:r Admin:(F)

C:\Windows\System32\takeown.exe

"C:\Windows\System32\takeown.exe" /S DSEYXUOD /U Admin /F "C:\Windows\System32\winrs.exe"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\icacls.exe

"C:\Windows\System32\icacls.exe" "C:\Windows\System32\winrs.exe" /INHERITANCE:e /GRANT:r Admin:(F)

C:\Windows\System32\takeown.exe

"C:\Windows\System32\takeown.exe" /S DSEYXUOD /U Admin /F "C:\Windows\System32\winrs.exe"

C:\Windows\System32\icacls.exe

"C:\Windows\System32\icacls.exe" "C:\Windows\System32\winrs.exe" /INHERITANCE:e /GRANT:r Admin:(F)

C:\Windows\System32\takeown.exe

"C:\Windows\System32\takeown.exe" /S DSEYXUOD /U Admin /F "C:\Windows\System32\winrs.exe"

C:\Windows\System32\icacls.exe

"C:\Windows\System32\icacls.exe" "C:\Windows\System32\winrs.exe" /INHERITANCE:e /GRANT:r Admin:(F)

C:\Windows\System32\takeown.exe

"C:\Windows\System32\takeown.exe" /S DSEYXUOD /U Admin /F "C:\Windows\System32\winrs.exe"

C:\Windows\System32\icacls.exe

"C:\Windows\System32\icacls.exe" "C:\Windows\System32\winrs.exe" /INHERITANCE:e /GRANT:r Admin:(F)

C:\Windows\System32\takeown.exe

"C:\Windows\System32\takeown.exe" /S DSEYXUOD /U Admin /F "C:\Windows\System32\winrs.exe"

C:\Windows\System32\icacls.exe

"C:\Windows\System32\icacls.exe" "C:\Windows\System32\winrs.exe" /INHERITANCE:e /GRANT:r Admin:(F)

C:\Windows\System32\takeown.exe

"C:\Windows\System32\takeown.exe" /S DSEYXUOD /U Admin /F "C:\Windows\System32\winrs.exe"

C:\Windows\System32\icacls.exe

"C:\Windows\System32\icacls.exe" "C:\Windows\System32\winrs.exe" /INHERITANCE:e /GRANT:r Admin:(F)

C:\Windows\System32\takeown.exe

"C:\Windows\System32\takeown.exe" /S DSEYXUOD /U Admin /F "C:\Windows\System32\winrs.exe"

C:\Windows\System32\icacls.exe

"C:\Windows\System32\icacls.exe" "C:\Windows\System32\winrs.exe" /INHERITANCE:e /GRANT:r Admin:(F)

C:\Windows\System32\takeown.exe

"C:\Windows\System32\takeown.exe" /S DSEYXUOD /U Admin /F "C:\Windows\System32\winrs.exe"

C:\Windows\System32\icacls.exe

"C:\Windows\System32\icacls.exe" "C:\Windows\System32\winrs.exe" /INHERITANCE:e /GRANT:r Admin:(F)

C:\Windows\System32\takeown.exe

"C:\Windows\System32\takeown.exe" /S DSEYXUOD /U Admin /F "C:\Windows\System32\winrs.exe"

C:\Windows\System32\icacls.exe

"C:\Windows\System32\icacls.exe" "C:\Windows\System32\winrs.exe" /INHERITANCE:e /GRANT:r Admin:(F)

C:\Windows\System32\takeown.exe

"C:\Windows\System32\takeown.exe" /S DSEYXUOD /U Admin /F "C:\Windows\System32\winrs.exe"

C:\Windows\System32\icacls.exe

"C:\Windows\System32\icacls.exe" "C:\Windows\System32\winrs.exe" /INHERITANCE:e /GRANT:r Admin:(F)

C:\Windows\System32\takeown.exe

"C:\Windows\System32\takeown.exe" /S DSEYXUOD /U Admin /F "C:\Windows\System32\winrs.exe"

C:\Windows\System32\icacls.exe

"C:\Windows\System32\icacls.exe" "C:\Windows\System32\winrs.exe" /INHERITANCE:e /GRANT:r Admin:(F)

C:\Windows\System32\takeown.exe

"C:\Windows\System32\takeown.exe" /S DSEYXUOD /U Admin /F "C:\Windows\System32\winrs.exe"

C:\Windows\System32\icacls.exe

"C:\Windows\System32\icacls.exe" "C:\Windows\System32\winrs.exe" /INHERITANCE:e /GRANT:r Admin:(F)

C:\Windows\System32\takeown.exe

"C:\Windows\System32\takeown.exe" /S DSEYXUOD /U Admin /F "C:\Windows\System32\winrs.exe"

C:\Windows\System32\icacls.exe

"C:\Windows\System32\icacls.exe" "C:\Windows\System32\winrs.exe" /INHERITANCE:e /GRANT:r Admin:(F)

C:\Windows\System32\takeown.exe

"C:\Windows\System32\takeown.exe" /S DSEYXUOD /U Admin /F "C:\Windows\System32\winrs.exe"

C:\Windows\System32\icacls.exe

"C:\Windows\System32\icacls.exe" "C:\Windows\System32\winrs.exe" /INHERITANCE:e /GRANT:r Admin:(F)

C:\Windows\System32\takeown.exe

"C:\Windows\System32\takeown.exe" /S DSEYXUOD /U Admin /F "C:\Windows\System32\winrs.exe"

C:\Windows\System32\icacls.exe

"C:\Windows\System32\icacls.exe" "C:\Windows\System32\winrs.exe" /INHERITANCE:e /GRANT:r Admin:(F)

C:\Windows\System32\takeown.exe

"C:\Windows\System32\takeown.exe" /S DSEYXUOD /U Admin /F "C:\Windows\System32\winrs.exe"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\icacls.exe

"C:\Windows\System32\icacls.exe" "C:\Windows\System32\winrs.exe" /INHERITANCE:e /GRANT:r Admin:(F)

C:\Windows\System32\takeown.exe

"C:\Windows\System32\takeown.exe" /S DSEYXUOD /U Admin /F "C:\Windows\System32\winrs.exe"

C:\Windows\System32\icacls.exe

"C:\Windows\System32\icacls.exe" "C:\Windows\System32\winrs.exe" /INHERITANCE:e /GRANT:r Admin:(F)

C:\Windows\System32\takeown.exe

"C:\Windows\System32\takeown.exe" /S DSEYXUOD /U Admin /F "C:\Windows\System32\winrs.exe"

C:\Windows\System32\icacls.exe

"C:\Windows\System32\icacls.exe" "C:\Windows\System32\winrs.exe" /INHERITANCE:e /GRANT:r Admin:(F)

C:\Windows\System32\takeown.exe

"C:\Windows\System32\takeown.exe" /S DSEYXUOD /U Admin /F "C:\Windows\System32\winrs.exe"

C:\Windows\System32\icacls.exe

"C:\Windows\System32\icacls.exe" "C:\Windows\System32\winrs.exe" /INHERITANCE:e /GRANT:r Admin:(F)

C:\Windows\System32\takeown.exe

"C:\Windows\System32\takeown.exe" /S DSEYXUOD /U Admin /F "C:\Windows\System32\winrs.exe"

C:\Windows\System32\icacls.exe

"C:\Windows\System32\icacls.exe" "C:\Windows\System32\winrs.exe" /INHERITANCE:e /GRANT:r Admin:(F)

C:\Windows\System32\takeown.exe

"C:\Windows\System32\takeown.exe" /S DSEYXUOD /U Admin /F "C:\Windows\System32\winrs.exe"

C:\Windows\System32\icacls.exe

"C:\Windows\System32\icacls.exe" "C:\Windows\System32\winrs.exe" /INHERITANCE:e /GRANT:r Admin:(F)

C:\Windows\System32\takeown.exe

"C:\Windows\System32\takeown.exe" /S DSEYXUOD /U Admin /F "C:\Windows\System32\winrs.exe"

C:\Windows\System32\icacls.exe

"C:\Windows\System32\icacls.exe" "C:\Windows\System32\winrs.exe" /INHERITANCE:e /GRANT:r Admin:(F)

C:\Windows\System32\takeown.exe

"C:\Windows\System32\takeown.exe" /S DSEYXUOD /U Admin /F "C:\Windows\System32\winrs.exe"

C:\Windows\System32\icacls.exe

"C:\Windows\System32\icacls.exe" "C:\Windows\System32\winrs.exe" /INHERITANCE:e /GRANT:r Admin:(F)

C:\Windows\System32\takeown.exe

"C:\Windows\System32\takeown.exe" /S DSEYXUOD /U Admin /F "C:\Windows\System32\winrs.exe"

C:\Windows\System32\icacls.exe

"C:\Windows\System32\icacls.exe" "C:\Windows\System32\winrs.exe" /INHERITANCE:e /GRANT:r Admin:(F)

C:\Windows\System32\takeown.exe

"C:\Windows\System32\takeown.exe" /S DSEYXUOD /U Admin /F "C:\Windows\System32\winrs.exe"

C:\Windows\System32\icacls.exe

"C:\Windows\System32\icacls.exe" "C:\Windows\System32\winrs.exe" /INHERITANCE:e /GRANT:r Admin:(F)

C:\Windows\System32\takeown.exe

"C:\Windows\System32\takeown.exe" /S DSEYXUOD /U Admin /F "C:\Windows\System32\winrs.exe"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\icacls.exe

"C:\Windows\System32\icacls.exe" "C:\Windows\System32\winrs.exe" /INHERITANCE:e /GRANT:r Admin:(F)

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\takeown.exe

"C:\Windows\System32\takeown.exe" /S DSEYXUOD /U Admin /F "C:\Windows\System32\winrs.exe"

C:\Windows\System32\icacls.exe

"C:\Windows\System32\icacls.exe" "C:\Windows\System32\winrs.exe" /INHERITANCE:e /GRANT:r Admin:(F)

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\takeown.exe

"C:\Windows\System32\takeown.exe" /S DSEYXUOD /U Admin /F "C:\Windows\System32\winrs.exe"

C:\Windows\System32\icacls.exe

"C:\Windows\System32\icacls.exe" "C:\Windows\System32\winrs.exe" /INHERITANCE:e /GRANT:r Admin:(F)

C:\Windows\System32\takeown.exe

"C:\Windows\System32\takeown.exe" /S DSEYXUOD /U Admin /F "C:\Windows\System32\winrs.exe"

C:\Windows\System32\icacls.exe

"C:\Windows\System32\icacls.exe" "C:\Windows\System32\winrs.exe" /INHERITANCE:e /GRANT:r Admin:(F)

C:\Windows\System32\takeown.exe

"C:\Windows\System32\takeown.exe" /S DSEYXUOD /U Admin /F "C:\Windows\System32\winrs.exe"

C:\Windows\System32\icacls.exe

"C:\Windows\System32\icacls.exe" "C:\Windows\System32\winrs.exe" /INHERITANCE:e /GRANT:r Admin:(F)

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\takeown.exe

"C:\Windows\System32\takeown.exe" /S DSEYXUOD /U Admin /F "C:\Windows\System32\winrs.exe"

C:\Windows\System32\icacls.exe

"C:\Windows\System32\icacls.exe" "C:\Windows\System32\winrs.exe" /INHERITANCE:e /GRANT:r Admin:(F)

C:\Windows\System32\takeown.exe

"C:\Windows\System32\takeown.exe" /S DSEYXUOD /U Admin /F "C:\Windows\System32\winrs.exe"

C:\Windows\System32\icacls.exe

"C:\Windows\System32\icacls.exe" "C:\Windows\System32\winrs.exe" /INHERITANCE:e /GRANT:r Admin:(F)

C:\Windows\System32\takeown.exe

"C:\Windows\System32\takeown.exe" /S DSEYXUOD /U Admin /F "C:\Windows\System32\winrs.exe"

C:\Windows\System32\icacls.exe

"C:\Windows\System32\icacls.exe" "C:\Windows\System32\winrs.exe" /INHERITANCE:e /GRANT:r Admin:(F)

C:\Windows\System32\takeown.exe

"C:\Windows\System32\takeown.exe" /S DSEYXUOD /U Admin /F "C:\Windows\System32\winrs.exe"

C:\Windows\System32\icacls.exe

"C:\Windows\System32\icacls.exe" "C:\Windows\System32\winrs.exe" /INHERITANCE:e /GRANT:r Admin:(F)

C:\Windows\System32\takeown.exe

"C:\Windows\System32\takeown.exe" /S DSEYXUOD /U Admin /F "C:\Windows\System32\winrs.exe"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\icacls.exe

"C:\Windows\System32\icacls.exe" "C:\Windows\System32\winrs.exe" /INHERITANCE:e /GRANT:r Admin:(F)

C:\Windows\System32\takeown.exe

"C:\Windows\System32\takeown.exe" /S DSEYXUOD /U Admin /F "C:\Windows\System32\winrs.exe"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\icacls.exe

"C:\Windows\System32\icacls.exe" "C:\Windows\System32\winrs.exe" /INHERITANCE:e /GRANT:r Admin:(F)

C:\Windows\System32\takeown.exe

"C:\Windows\System32\takeown.exe" /S DSEYXUOD /U Admin /F "C:\Windows\System32\winrs.exe"

C:\Windows\System32\icacls.exe

"C:\Windows\System32\icacls.exe" "C:\Windows\System32\winrs.exe" /INHERITANCE:e /GRANT:r Admin:(F)

C:\Windows\System32\takeown.exe

"C:\Windows\System32\takeown.exe" /S DSEYXUOD /U Admin /F "C:\Windows\System32\winrs.exe"

C:\Windows\System32\icacls.exe

"C:\Windows\System32\icacls.exe" "C:\Windows\System32\winrs.exe" /INHERITANCE:e /GRANT:r Admin:(F)

C:\Windows\System32\takeown.exe

"C:\Windows\System32\takeown.exe" /S DSEYXUOD /U Admin /F "C:\Windows\System32\winrs.exe"

C:\Windows\System32\icacls.exe

"C:\Windows\System32\icacls.exe" "C:\Windows\System32\winrs.exe" /INHERITANCE:e /GRANT:r Admin:(F)

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\takeown.exe

"C:\Windows\System32\takeown.exe" /S DSEYXUOD /U Admin /F "C:\Windows\System32\winrs.exe"

C:\Windows\System32\icacls.exe

"C:\Windows\System32\icacls.exe" "C:\Windows\System32\winrs.exe" /INHERITANCE:e /GRANT:r Admin:(F)

C:\Windows\System32\takeown.exe

"C:\Windows\System32\takeown.exe" /S DSEYXUOD /U Admin /F "C:\Windows\System32\winrs.exe"

C:\Windows\System32\icacls.exe

"C:\Windows\System32\icacls.exe" "C:\Windows\System32\winrs.exe" /INHERITANCE:e /GRANT:r Admin:(F)

C:\Windows\System32\takeown.exe

"C:\Windows\System32\takeown.exe" /S DSEYXUOD /U Admin /F "C:\Windows\System32\winrs.exe"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\icacls.exe

"C:\Windows\System32\icacls.exe" "C:\Windows\System32\winrs.exe" /INHERITANCE:e /GRANT:r Admin:(F)

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\takeown.exe

"C:\Windows\System32\takeown.exe" /S DSEYXUOD /U Admin /F "C:\Windows\System32\winrs.exe"

C:\Windows\System32\icacls.exe

"C:\Windows\System32\icacls.exe" "C:\Windows\System32\winrs.exe" /INHERITANCE:e /GRANT:r Admin:(F)

C:\Windows\System32\takeown.exe

"C:\Windows\System32\takeown.exe" /S DSEYXUOD /U Admin /F "C:\Windows\System32\winrs.exe"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

Network

Files

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\dcBABqfz.exe

MD5 3420edfa91a09a10622832a351968311
SHA1 13465122028fd67b708444bc895db4a272b3609d
SHA256 debe43a0afa037775a0f5c3cc74e744ba5ec3e82475a0ffd61179592b16e9a34
SHA512 1f9b0897ed453b0e19559bb7ba0b254f7f5c244f834c13750b76e141bb69e3df993eb916b29190ef9c51a44c20bd6208dbdca02bc616ed0c4250b79f84bf9491

C:\Windows\System32\winrs.exe

MD5 727be99ff9eeeaa5cd1071ee45b7f887
SHA1 5b25c9316477555628808fd81617e1edff3f9cc9
SHA256 05fe7f3ad7719dbc4545a8883395e3851ed506a8c7d246e9d6963ec53bf157e8
SHA512 444e89b4eff1722b464a9e09529e905169a2624f7f8844a202e45324e947eb508c849bb51592c7c32fe6b94729e509c4360c2acc465cd5bbb1ace880bd9f0e7c