Analysis Overview
SHA256
2759e2d64c124380cc1bbaa512efa92771d613869db671179032221e2b0e878f
Threat Level: Known bad
The file 2759e2d64c124380cc1bbaa512efa92771d613869db671179032221e2b0e878fN was found to be: Known bad.
Malicious Activity Summary
UAC bypass
Disables Task Manager via registry modification
Possible privilege escalation attempt
Modifies system executable filetype association
Checks computer location settings
Modifies file permissions
File and Directory Permissions Modification: Windows File and Directory Permissions Modification
Drops file in System32 directory
Unsigned PE
Enumerates physical storage devices
Suspicious use of WriteProcessMemory
Suspicious behavior: GetForegroundWindowSpam
Modifies registry key
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: EnumeratesProcesses
Modifies registry class
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-10-02 21:32
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-10-02 21:32
Reported
2024-10-02 21:34
Platform
win7-20240903-en
Max time kernel
120s
Max time network
16s
Command Line
Signatures
UAC bypass
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\System32\reg.exe | N/A |
Disables Task Manager via registry modification
Modifies system executable filetype association
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\2759e2d64c124380cc1bbaa512efa92771d613869db671179032221e2b0e878fN.exe BATCF %1" | C:\Users\Admin\AppData\Local\Temp\2759e2d64c124380cc1bbaa512efa92771d613869db671179032221e2b0e878fN.exe | N/A |
Enumerates physical storage devices
Modifies registry class
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\pngfile\shell\open\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\2759e2d64c124380cc1bbaa512efa92771d613869db671179032221e2b0e878fN.exe JPGIF %1" | C:\Users\Admin\AppData\Local\Temp\2759e2d64c124380cc1bbaa512efa92771d613869db671179032221e2b0e878fN.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\giffile\shell\Open\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\2759e2d64c124380cc1bbaa512efa92771d613869db671179032221e2b0e878fN.exe JPGIF %1" | C:\Users\Admin\AppData\Local\Temp\2759e2d64c124380cc1bbaa512efa92771d613869db671179032221e2b0e878fN.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\2759e2d64c124380cc1bbaa512efa92771d613869db671179032221e2b0e878fN.exe VBSSF %1" | C:\Users\Admin\AppData\Local\Temp\2759e2d64c124380cc1bbaa512efa92771d613869db671179032221e2b0e878fN.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\rtffile\shell\open\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\2759e2d64c124380cc1bbaa512efa92771d613869db671179032221e2b0e878fN.exe RTFDF %1" | C:\Users\Admin\AppData\Local\Temp\2759e2d64c124380cc1bbaa512efa92771d613869db671179032221e2b0e878fN.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\xmlfile\shell\open\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\2759e2d64c124380cc1bbaa512efa92771d613869db671179032221e2b0e878fN.exe NTPAD %1" | C:\Users\Admin\AppData\Local\Temp\2759e2d64c124380cc1bbaa512efa92771d613869db671179032221e2b0e878fN.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\2759e2d64c124380cc1bbaa512efa92771d613869db671179032221e2b0e878fN.exe NTPAD %1" | C:\Users\Admin\AppData\Local\Temp\2759e2d64c124380cc1bbaa512efa92771d613869db671179032221e2b0e878fN.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\cmdfile\shell\open\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\2759e2d64c124380cc1bbaa512efa92771d613869db671179032221e2b0e878fN.exe CMDSF %1" | C:\Users\Admin\AppData\Local\Temp\2759e2d64c124380cc1bbaa512efa92771d613869db671179032221e2b0e878fN.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\jpegfile\shell\open\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\2759e2d64c124380cc1bbaa512efa92771d613869db671179032221e2b0e878fN.exe JPGIF %1" | C:\Users\Admin\AppData\Local\Temp\2759e2d64c124380cc1bbaa512efa92771d613869db671179032221e2b0e878fN.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\inifile\shell\open\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\2759e2d64c124380cc1bbaa512efa92771d613869db671179032221e2b0e878fN.exe NTPAD %1" | C:\Users\Admin\AppData\Local\Temp\2759e2d64c124380cc1bbaa512efa92771d613869db671179032221e2b0e878fN.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\icofile\shell\open\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\2759e2d64c124380cc1bbaa512efa92771d613869db671179032221e2b0e878fN.exe JPGIF %1" | C:\Users\Admin\AppData\Local\Temp\2759e2d64c124380cc1bbaa512efa92771d613869db671179032221e2b0e878fN.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\2759e2d64c124380cc1bbaa512efa92771d613869db671179032221e2b0e878fN.exe BATCF %1" | C:\Users\Admin\AppData\Local\Temp\2759e2d64c124380cc1bbaa512efa92771d613869db671179032221e2b0e878fN.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\open\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\2759e2d64c124380cc1bbaa512efa92771d613869db671179032221e2b0e878fN.exe HTMWF %1" | C:\Users\Admin\AppData\Local\Temp\2759e2d64c124380cc1bbaa512efa92771d613869db671179032221e2b0e878fN.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\open\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\2759e2d64c124380cc1bbaa512efa92771d613869db671179032221e2b0e878fN.exe NTPAD %1" | C:\Users\Admin\AppData\Local\Temp\2759e2d64c124380cc1bbaa512efa92771d613869db671179032221e2b0e878fN.exe | N/A |
Modifies registry key
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\System32\reg.exe | N/A |
| N/A | N/A | C:\Windows\System32\reg.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\2759e2d64c124380cc1bbaa512efa92771d613869db671179032221e2b0e878fN.exe
"C:\Users\Admin\AppData\Local\Temp\2759e2d64c124380cc1bbaa512efa92771d613869db671179032221e2b0e878fN.exe"
C:\Windows\System32\reg.exe
"C:\Windows\System32\reg.exe" ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
C:\Windows\System32\reg.exe
"C:\Windows\System32\reg.exe" add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
Network
Files
memory/2432-0-0x000007FEF5973000-0x000007FEF5974000-memory.dmp
memory/2432-1-0x0000000000820000-0x0000000000848000-memory.dmp
memory/2432-2-0x000007FEF5970000-0x000007FEF635C000-memory.dmp
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\fNYSDQhn.exe
| Hash | Value |
| --- | --- |
| MD5 | 041c5ee5bd19d448f029f71c1f3ea5d3 |
| SHA1 | dca087c05d161ea277274f431eec4934ceffd448 |
| SHA256 | 058c9e0e6ba29d102561ade0614098639091d1e732246862b801d7a79fb6da72 |
| SHA512 | 43c939044b2a669446e765bf55604456ed5a1c9ba836facd9b2f1e820a43957c5cece924095def3d79f048f5746d64950c0d1b93309beb36cec27424d4d1f9fa |
memory/2432-1140-0x000007FEF5973000-0x000007FEF5974000-memory.dmp
memory/2432-1277-0x000007FEF5970000-0x000007FEF635C000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-10-02 21:32
Reported
2024-10-02 21:34
Platform
win10v2004-20240802-en
Max time kernel
120s
Max time network
92s
Command Line
Signatures
UAC bypass
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\System32\reg.exe | N/A |
Disables Task Manager via registry modification
Possible privilege escalation attempt
Checks computer location settings
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key value queried | \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\2759e2d64c124380cc1bbaa512efa92771d613869db671179032221e2b0e878fN.exe | N/A |
Modifies file permissions
Modifies system executable filetype association
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\2759e2d64c124380cc1bbaa512efa92771d613869db671179032221e2b0e878fN.exe BATCF %1" | C:\Users\Admin\AppData\Local\Temp\2759e2d64c124380cc1bbaa512efa92771d613869db671179032221e2b0e878fN.exe | N/A |
File and Directory Permissions Modification: Windows File and Directory Permissions Modification
Drops file in System32 directory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File opened for modification | C:\Windows\System32\winrs.exe | C:\Users\Admin\AppData\Local\Temp\2759e2d64c124380cc1bbaa512efa92771d613869db671179032221e2b0e878fN.exe | N/A |
Enumerates physical storage devices
Modifies registry class
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\2759e2d64c124380cc1bbaa512efa92771d613869db671179032221e2b0e878fN.exe NTPAD %1" | C:\Users\Admin\AppData\Local\Temp\2759e2d64c124380cc1bbaa512efa92771d613869db671179032221e2b0e878fN.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\cmdfile\shell\open\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\2759e2d64c124380cc1bbaa512efa92771d613869db671179032221e2b0e878fN.exe CMDSF %1" | C:\Users\Admin\AppData\Local\Temp\2759e2d64c124380cc1bbaa512efa92771d613869db671179032221e2b0e878fN.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\2759e2d64c124380cc1bbaa512efa92771d613869db671179032221e2b0e878fN.exe VBSSF %1" | C:\Users\Admin\AppData\Local\Temp\2759e2d64c124380cc1bbaa512efa92771d613869db671179032221e2b0e878fN.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\open\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\2759e2d64c124380cc1bbaa512efa92771d613869db671179032221e2b0e878fN.exe HTMWF %1" | C:\Users\Admin\AppData\Local\Temp\2759e2d64c124380cc1bbaa512efa92771d613869db671179032221e2b0e878fN.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\2759e2d64c124380cc1bbaa512efa92771d613869db671179032221e2b0e878fN.exe BATCF %1" | C:\Users\Admin\AppData\Local\Temp\2759e2d64c124380cc1bbaa512efa92771d613869db671179032221e2b0e878fN.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\giffile\shell\Open\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\2759e2d64c124380cc1bbaa512efa92771d613869db671179032221e2b0e878fN.exe JPGIF %1" | C:\Users\Admin\AppData\Local\Temp\2759e2d64c124380cc1bbaa512efa92771d613869db671179032221e2b0e878fN.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\rtffile\shell\open\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\2759e2d64c124380cc1bbaa512efa92771d613869db671179032221e2b0e878fN.exe RTFDF %1" | C:\Users\Admin\AppData\Local\Temp\2759e2d64c124380cc1bbaa512efa92771d613869db671179032221e2b0e878fN.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\xmlfile\shell\Open\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\2759e2d64c124380cc1bbaa512efa92771d613869db671179032221e2b0e878fN.exe NTPAD %1" | C:\Users\Admin\AppData\Local\Temp\2759e2d64c124380cc1bbaa512efa92771d613869db671179032221e2b0e878fN.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\inifile\shell\open\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\2759e2d64c124380cc1bbaa512efa92771d613869db671179032221e2b0e878fN.exe NTPAD %1" | C:\Users\Admin\AppData\Local\Temp\2759e2d64c124380cc1bbaa512efa92771d613869db671179032221e2b0e878fN.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\open\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\2759e2d64c124380cc1bbaa512efa92771d613869db671179032221e2b0e878fN.exe NTPAD %1" | C:\Users\Admin\AppData\Local\Temp\2759e2d64c124380cc1bbaa512efa92771d613869db671179032221e2b0e878fN.exe | N/A |
Modifies registry key
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\System32\reg.exe | N/A |
| N/A | N/A | C:\Windows\System32\reg.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2759e2d64c124380cc1bbaa512efa92771d613869db671179032221e2b0e878fN.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2759e2d64c124380cc1bbaa512efa92771d613869db671179032221e2b0e878fN.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\System32\takeown.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\System32\takeown.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\System32\takeown.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\System32\takeown.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\System32\takeown.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\System32\takeown.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\System32\takeown.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\System32\takeown.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\System32\takeown.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\System32\takeown.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\System32\takeown.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\System32\takeown.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\System32\takeown.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\System32\takeown.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\System32\takeown.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\System32\takeown.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\System32\takeown.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\System32\takeown.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\System32\takeown.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\System32\takeown.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\System32\takeown.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\System32\takeown.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\2759e2d64c124380cc1bbaa512efa92771d613869db671179032221e2b0e878fN.exe
"C:\Users\Admin\AppData\Local\Temp\2759e2d64c124380cc1bbaa512efa92771d613869db671179032221e2b0e878fN.exe"
C:\Windows\System32\reg.exe
"C:\Windows\System32\reg.exe" ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
C:\Windows\System32\reg.exe
"C:\Windows\System32\reg.exe" add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
C:\Windows\System32\takeown.exe
"C:\Windows\System32\takeown.exe" /S DSEYXUOD /U Admin /F "C:\Windows\bfsvc.exe"
C:\Windows\System32\icacls.exe
"C:\Windows\System32\icacls.exe" "C:\Windows\bfsvc.exe" /INHERITANCE:e /GRANT:r Admin:(F)
C:\Windows\System32\takeown.exe
"C:\Windows\System32\takeown.exe" /S DSEYXUOD /U Admin /F "C:\Windows\HelpPane.exe"
C:\Windows\System32\icacls.exe
"C:\Windows\System32\icacls.exe" "C:\Windows\HelpPane.exe" /INHERITANCE:e /GRANT:r Admin:(F)
C:\Windows\System32\takeown.exe
"C:\Windows\System32\takeown.exe" /S DSEYXUOD /U Admin /F "C:\Windows\hh.exe"
C:\Windows\System32\icacls.exe
"C:\Windows\System32\icacls.exe" "C:\Windows\hh.exe" /INHERITANCE:e /GRANT:r Admin:(F)
C:\Windows\System32\takeown.exe
"C:\Windows\System32\takeown.exe" /S DSEYXUOD /U Admin /F "C:\Windows\splwow64.exe"
C:\Windows\System32\icacls.exe
"C:\Windows\System32\icacls.exe" "C:\Windows\splwow64.exe" /INHERITANCE:e /GRANT:r Admin:(F)
C:\Windows\System32\takeown.exe
"C:\Windows\System32\takeown.exe" /S DSEYXUOD /U Admin /F "C:\Windows\winhlp32.exe"
C:\Windows\System32\icacls.exe
"C:\Windows\System32\icacls.exe" "C:\Windows\winhlp32.exe" /INHERITANCE:e /GRANT:r Admin:(F)
C:\Windows\System32\takeown.exe
"C:\Windows\System32\takeown.exe" /S DSEYXUOD /U Admin /F "C:\Windows\write.exe"
C:\Windows\System32\icacls.exe
"C:\Windows\System32\icacls.exe" "C:\Windows\write.exe" /INHERITANCE:e /GRANT:r Admin:(F)
C:\Windows\System32\takeown.exe
"C:\Windows\System32\takeown.exe" /S DSEYXUOD /U Admin /F "C:\Windows\SysWOW64\raserver.exe"
C:\Windows\System32\icacls.exe
"C:\Windows\System32\icacls.exe" "C:\Windows\SysWOW64\raserver.exe" /INHERITANCE:e /GRANT:r Admin:(F)
C:\Windows\System32\takeown.exe
"C:\Windows\System32\takeown.exe" /S DSEYXUOD /U Admin /F "C:\Windows\SysWOW64\msra.exe"
C:\Windows\System32\icacls.exe
"C:\Windows\System32\icacls.exe" "C:\Windows\SysWOW64\msra.exe" /INHERITANCE:e /GRANT:r Admin:(F)
C:\Windows\System32\takeown.exe
"C:\Windows\System32\takeown.exe" /S DSEYXUOD /U Admin /F "C:\Windows\SysWOW64\quickassist.exe"
C:\Windows\System32\icacls.exe
"C:\Windows\System32\icacls.exe" "C:\Windows\SysWOW64\quickassist.exe" /INHERITANCE:e /GRANT:r Admin:(F)
C:\Windows\System32\takeown.exe
"C:\Windows\System32\takeown.exe" /S DSEYXUOD /U Admin /F "C:\Windows\SysWOW64\sdchange.exe"
C:\Windows\System32\icacls.exe
"C:\Windows\System32\icacls.exe" "C:\Windows\SysWOW64\sdchange.exe" /INHERITANCE:e /GRANT:r Admin:(F)
C:\Windows\System32\takeown.exe
"C:\Windows\System32\takeown.exe" /S DSEYXUOD /U Admin /F "C:\Windows\SysWOW64\CameraSettingsUIHost.exe"
C:\Windows\System32\icacls.exe
"C:\Windows\System32\icacls.exe" "C:\Windows\SysWOW64\CameraSettingsUIHost.exe" /INHERITANCE:e /GRANT:r Admin:(F)
C:\Windows\System32\takeown.exe
"C:\Windows\System32\takeown.exe" /S DSEYXUOD /U Admin /F "C:\Windows\SysWOW64\logagent.exe"
C:\Windows\System32\icacls.exe
"C:\Windows\System32\icacls.exe" "C:\Windows\SysWOW64\logagent.exe" /INHERITANCE:e /GRANT:r Admin:(F)
C:\Windows\System32\takeown.exe
"C:\Windows\System32\takeown.exe" /S DSEYXUOD /U Admin /F "C:\Windows\SysWOW64\rrinstaller.exe"
C:\Windows\System32\icacls.exe
"C:\Windows\System32\icacls.exe" "C:\Windows\SysWOW64\rrinstaller.exe" /INHERITANCE:e /GRANT:r Admin:(F)
C:\Windows\System32\takeown.exe
"C:\Windows\System32\takeown.exe" /S DSEYXUOD /U Admin /F "C:\Windows\SysWOW64\gpscript.exe"
C:\Windows\System32\icacls.exe
"C:\Windows\System32\icacls.exe" "C:\Windows\SysWOW64\gpscript.exe" /INHERITANCE:e /GRANT:r Admin:(F)
C:\Windows\System32\takeown.exe
"C:\Windows\System32\takeown.exe" /S DSEYXUOD /U Admin /F "C:\Windows\SysWOW64\mavinject.exe"
C:\Windows\System32\icacls.exe
"C:\Windows\System32\icacls.exe" "C:\Windows\SysWOW64\mavinject.exe" /INHERITANCE:e /GRANT:r Admin:(F)
C:\Windows\System32\takeown.exe
"C:\Windows\System32\takeown.exe" /S DSEYXUOD /U Admin /F "C:\Windows\SysWOW64\provlaunch.exe"
C:\Windows\System32\icacls.exe
"C:\Windows\System32\icacls.exe" "C:\Windows\SysWOW64\provlaunch.exe" /INHERITANCE:e /GRANT:r Admin:(F)
C:\Windows\System32\takeown.exe
"C:\Windows\System32\takeown.exe" /S DSEYXUOD /U Admin /F "C:\Windows\SysWOW64\msinfo32.exe"
C:\Windows\System32\icacls.exe
"C:\Windows\System32\icacls.exe" "C:\Windows\SysWOW64\msinfo32.exe" /INHERITANCE:e /GRANT:r Admin:(F)
C:\Windows\System32\takeown.exe
"C:\Windows\System32\takeown.exe" /S DSEYXUOD /U Admin /F "C:\Windows\SysWOW64\runas.exe"
C:\Windows\System32\icacls.exe
"C:\Windows\System32\icacls.exe" "C:\Windows\SysWOW64\runas.exe" /INHERITANCE:e /GRANT:r Admin:(F)
C:\Windows\System32\takeown.exe
"C:\Windows\System32\takeown.exe" /S DSEYXUOD /U Admin /F "C:\Windows\SysWOW64\mstsc.exe"
C:\Windows\System32\icacls.exe
"C:\Windows\System32\icacls.exe" "C:\Windows\SysWOW64\mstsc.exe" /INHERITANCE:e /GRANT:r Admin:(F)
C:\Windows\System32\takeown.exe
"C:\Windows\System32\takeown.exe" /S DSEYXUOD /U Admin /F "C:\Windows\SysWOW64\sdiagnhost.exe"
C:\Windows\System32\icacls.exe
"C:\Windows\System32\icacls.exe" "C:\Windows\SysWOW64\sdiagnhost.exe" /INHERITANCE:e /GRANT:r Admin:(F)
C:\Windows\System32\takeown.exe
"C:\Windows\System32\takeown.exe" /S DSEYXUOD /U Admin /F "C:\Windows\System32\winrs.exe"
C:\Windows\System32\icacls.exe
"C:\Windows\System32\icacls.exe" "C:\Windows\System32\winrs.exe" /INHERITANCE:e /GRANT:r Admin:(F)
C:\Windows\System32\takeown.exe
"C:\Windows\System32\takeown.exe" /S DSEYXUOD /U Admin /F "C:\Windows\System32\winrs.exe"
C:\Windows\System32\icacls.exe
"C:\Windows\System32\icacls.exe" "C:\Windows\System32\winrs.exe" /INHERITANCE:e /GRANT:r Admin:(F)
C:\Windows\System32\takeown.exe
"C:\Windows\System32\takeown.exe" /S DSEYXUOD /U Admin /F "C:\Windows\System32\winrs.exe"
C:\Windows\System32\icacls.exe
"C:\Windows\System32\icacls.exe" "C:\Windows\System32\winrs.exe" /INHERITANCE:e /GRANT:r Admin:(F)
C:\Windows\System32\takeown.exe
"C:\Windows\System32\takeown.exe" /S DSEYXUOD /U Admin /F "C:\Windows\System32\winrs.exe"
C:\Windows\System32\icacls.exe
"C:\Windows\System32\icacls.exe" "C:\Windows\System32\winrs.exe" /INHERITANCE:e /GRANT:r Admin:(F)
C:\Windows\System32\takeown.exe
"C:\Windows\System32\takeown.exe" /S DSEYXUOD /U Admin /F "C:\Windows\System32\winrs.exe"
C:\Windows\System32\icacls.exe
"C:\Windows\System32\icacls.exe" "C:\Windows\System32\winrs.exe" /INHERITANCE:e /GRANT:r Admin:(F)
C:\Windows\System32\takeown.exe
"C:\Windows\System32\takeown.exe" /S DSEYXUOD /U Admin /F "C:\Windows\System32\winrs.exe"
C:\Windows\System32\icacls.exe
"C:\Windows\System32\icacls.exe" "C:\Windows\System32\winrs.exe" /INHERITANCE:e /GRANT:r Admin:(F)
C:\Windows\System32\takeown.exe
"C:\Windows\System32\takeown.exe" /S DSEYXUOD /U Admin /F "C:\Windows\System32\winrs.exe"
C:\Windows\System32\icacls.exe
"C:\Windows\System32\icacls.exe" "C:\Windows\System32\winrs.exe" /INHERITANCE:e /GRANT:r Admin:(F)
C:\Windows\System32\takeown.exe
"C:\Windows\System32\takeown.exe" /S DSEYXUOD /U Admin /F "C:\Windows\System32\winrs.exe"
C:\Windows\System32\icacls.exe
"C:\Windows\System32\icacls.exe" "C:\Windows\System32\winrs.exe" /INHERITANCE:e /GRANT:r Admin:(F)
C:\Windows\System32\takeown.exe
"C:\Windows\System32\takeown.exe" /S DSEYXUOD /U Admin /F "C:\Windows\System32\winrs.exe"
C:\Windows\System32\icacls.exe
"C:\Windows\System32\icacls.exe" "C:\Windows\System32\winrs.exe" /INHERITANCE:e /GRANT:r Admin:(F)
C:\Windows\System32\takeown.exe
"C:\Windows\System32\takeown.exe" /S DSEYXUOD /U Admin /F "C:\Windows\System32\winrs.exe"
C:\Windows\System32\icacls.exe
"C:\Windows\System32\icacls.exe" "C:\Windows\System32\winrs.exe" /INHERITANCE:e /GRANT:r Admin:(F)
C:\Windows\System32\takeown.exe
"C:\Windows\System32\takeown.exe" /S DSEYXUOD /U Admin /F "C:\Windows\System32\winrs.exe"
C:\Windows\System32\icacls.exe
"C:\Windows\System32\icacls.exe" "C:\Windows\System32\winrs.exe" /INHERITANCE:e /GRANT:r Admin:(F)
C:\Windows\System32\takeown.exe
"C:\Windows\System32\takeown.exe" /S DSEYXUOD /U Admin /F "C:\Windows\System32\winrs.exe"
C:\Windows\System32\icacls.exe
"C:\Windows\System32\icacls.exe" "C:\Windows\System32\winrs.exe" /INHERITANCE:e /GRANT:r Admin:(F)
C:\Windows\System32\takeown.exe
"C:\Windows\System32\takeown.exe" /S DSEYXUOD /U Admin /F "C:\Windows\System32\winrs.exe"
C:\Windows\System32\icacls.exe
"C:\Windows\System32\icacls.exe" "C:\Windows\System32\winrs.exe" /INHERITANCE:e /GRANT:r Admin:(F)
C:\Windows\System32\takeown.exe
"C:\Windows\System32\takeown.exe" /S DSEYXUOD /U Admin /F "C:\Windows\System32\winrs.exe"
C:\Windows\System32\icacls.exe
"C:\Windows\System32\icacls.exe" "C:\Windows\System32\winrs.exe" /INHERITANCE:e /GRANT:r Admin:(F)
C:\Windows\System32\takeown.exe
"C:\Windows\System32\takeown.exe" /S DSEYXUOD /U Admin /F "C:\Windows\System32\winrs.exe"
C:\Windows\System32\icacls.exe
"C:\Windows\System32\icacls.exe" "C:\Windows\System32\winrs.exe" /INHERITANCE:e /GRANT:r Admin:(F)
C:\Windows\System32\takeown.exe
"C:\Windows\System32\takeown.exe" /S DSEYXUOD /U Admin /F "C:\Windows\System32\winrs.exe"
C:\Windows\System32\icacls.exe
"C:\Windows\System32\icacls.exe" "C:\Windows\System32\winrs.exe" /INHERITANCE:e /GRANT:r Admin:(F)
C:\Windows\System32\takeown.exe
"C:\Windows\System32\takeown.exe" /S DSEYXUOD /U Admin /F "C:\Windows\System32\winrs.exe"
C:\Windows\System32\icacls.exe
"C:\Windows\System32\icacls.exe" "C:\Windows\System32\winrs.exe" /INHERITANCE:e /GRANT:r Admin:(F)
C:\Windows\System32\takeown.exe
"C:\Windows\System32\takeown.exe" /S DSEYXUOD /U Admin /F "C:\Windows\System32\winrs.exe"
C:\Windows\System32\icacls.exe
"C:\Windows\System32\icacls.exe" "C:\Windows\System32\winrs.exe" /INHERITANCE:e /GRANT:r Admin:(F)
C:\Windows\System32\takeown.exe
"C:\Windows\System32\takeown.exe" /S DSEYXUOD /U Admin /F "C:\Windows\System32\winrs.exe"
C:\Windows\System32\icacls.exe
"C:\Windows\System32\icacls.exe" "C:\Windows\System32\winrs.exe" /INHERITANCE:e /GRANT:r Admin:(F)
C:\Windows\System32\takeown.exe
"C:\Windows\System32\takeown.exe" /S DSEYXUOD /U Admin /F "C:\Windows\System32\winrs.exe"
C:\Windows\System32\icacls.exe
"C:\Windows\System32\icacls.exe" "C:\Windows\System32\winrs.exe" /INHERITANCE:e /GRANT:r Admin:(F)
C:\Windows\System32\takeown.exe
"C:\Windows\System32\takeown.exe" /S DSEYXUOD /U Admin /F "C:\Windows\System32\winrs.exe"
C:\Windows\System32\icacls.exe
"C:\Windows\System32\icacls.exe" "C:\Windows\System32\winrs.exe" /INHERITANCE:e /GRANT:r Admin:(F)
C:\Windows\System32\takeown.exe
"C:\Windows\System32\takeown.exe" /S DSEYXUOD /U Admin /F "C:\Windows\System32\winrs.exe"
C:\Windows\System32\icacls.exe
"C:\Windows\System32\icacls.exe" "C:\Windows\System32\winrs.exe" /INHERITANCE:e /GRANT:r Admin:(F)
C:\Windows\System32\takeown.exe
"C:\Windows\System32\takeown.exe" /S DSEYXUOD /U Admin /F "C:\Windows\System32\winrs.exe"
C:\Windows\System32\icacls.exe
"C:\Windows\System32\icacls.exe" "C:\Windows\System32\winrs.exe" /INHERITANCE:e /GRANT:r Admin:(F)
C:\Windows\System32\takeown.exe
"C:\Windows\System32\takeown.exe" /S DSEYXUOD /U Admin /F "C:\Windows\System32\winrs.exe"
C:\Windows\System32\icacls.exe
"C:\Windows\System32\icacls.exe" "C:\Windows\System32\winrs.exe" /INHERITANCE:e /GRANT:r Admin:(F)
C:\Windows\System32\takeown.exe
"C:\Windows\System32\takeown.exe" /S DSEYXUOD /U Admin /F "C:\Windows\System32\winrs.exe"
C:\Windows\System32\icacls.exe
"C:\Windows\System32\icacls.exe" "C:\Windows\System32\winrs.exe" /INHERITANCE:e /GRANT:r Admin:(F)
C:\Windows\System32\takeown.exe
"C:\Windows\System32\takeown.exe" /S DSEYXUOD /U Admin /F "C:\Windows\System32\winrs.exe"
C:\Windows\System32\icacls.exe
"C:\Windows\System32\icacls.exe" "C:\Windows\System32\winrs.exe" /INHERITANCE:e /GRANT:r Admin:(F)
C:\Windows\System32\takeown.exe
"C:\Windows\System32\takeown.exe" /S DSEYXUOD /U Admin /F "C:\Windows\System32\winrs.exe"
C:\Windows\System32\icacls.exe
"C:\Windows\System32\icacls.exe" "C:\Windows\System32\winrs.exe" /INHERITANCE:e /GRANT:r Admin:(F)
C:\Windows\System32\takeown.exe
"C:\Windows\System32\takeown.exe" /S DSEYXUOD /U Admin /F "C:\Windows\System32\winrs.exe"
C:\Windows\System32\icacls.exe
"C:\Windows\System32\icacls.exe" "C:\Windows\System32\winrs.exe" /INHERITANCE:e /GRANT:r Admin:(F)
C:\Windows\System32\takeown.exe
"C:\Windows\System32\takeown.exe" /S DSEYXUOD /U Admin /F "C:\Windows\System32\winrs.exe"
C:\Windows\System32\icacls.exe
"C:\Windows\System32\icacls.exe" "C:\Windows\System32\winrs.exe" /INHERITANCE:e /GRANT:r Admin:(F)
C:\Windows\System32\takeown.exe
"C:\Windows\System32\takeown.exe" /S DSEYXUOD /U Admin /F "C:\Windows\System32\winrs.exe"
C:\Windows\System32\icacls.exe
"C:\Windows\System32\icacls.exe" "C:\Windows\System32\winrs.exe" /INHERITANCE:e /GRANT:r Admin:(F)
C:\Windows\System32\takeown.exe
"C:\Windows\System32\takeown.exe" /S DSEYXUOD /U Admin /F "C:\Windows\System32\winrs.exe"
C:\Windows\System32\icacls.exe
"C:\Windows\System32\icacls.exe" "C:\Windows\System32\winrs.exe" /INHERITANCE:e /GRANT:r Admin:(F)
C:\Windows\System32\takeown.exe
"C:\Windows\System32\takeown.exe" /S DSEYXUOD /U Admin /F "C:\Windows\System32\winrs.exe"
C:\Windows\System32\icacls.exe
"C:\Windows\System32\icacls.exe" "C:\Windows\System32\winrs.exe" /INHERITANCE:e /GRANT:r Admin:(F)
C:\Windows\System32\takeown.exe
"C:\Windows\System32\takeown.exe" /S DSEYXUOD /U Admin /F "C:\Windows\System32\winrs.exe"
C:\Windows\System32\icacls.exe
"C:\Windows\System32\icacls.exe" "C:\Windows\System32\winrs.exe" /INHERITANCE:e /GRANT:r Admin:(F)
C:\Windows\System32\takeown.exe
"C:\Windows\System32\takeown.exe" /S DSEYXUOD /U Admin /F "C:\Windows\System32\winrs.exe"
C:\Windows\System32\icacls.exe
"C:\Windows\System32\icacls.exe" "C:\Windows\System32\winrs.exe" /INHERITANCE:e /GRANT:r Admin:(F)
C:\Windows\System32\takeown.exe
"C:\Windows\System32\takeown.exe" /S DSEYXUOD /U Admin /F "C:\Windows\System32\winrs.exe"
C:\Windows\System32\icacls.exe
"C:\Windows\System32\icacls.exe" "C:\Windows\System32\winrs.exe" /INHERITANCE:e /GRANT:r Admin:(F)
C:\Windows\System32\takeown.exe
"C:\Windows\System32\takeown.exe" /S DSEYXUOD /U Admin /F "C:\Windows\System32\winrs.exe"
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\System32\icacls.exe
"C:\Windows\System32\icacls.exe" "C:\Windows\System32\winrs.exe" /INHERITANCE:e /GRANT:r Admin:(F)
C:\Windows\System32\takeown.exe
"C:\Windows\System32\takeown.exe" /S DSEYXUOD /U Admin /F "C:\Windows\System32\winrs.exe"
C:\Windows\System32\icacls.exe
"C:\Windows\System32\icacls.exe" "C:\Windows\System32\winrs.exe" /INHERITANCE:e /GRANT:r Admin:(F)
C:\Windows\System32\takeown.exe
"C:\Windows\System32\takeown.exe" /S DSEYXUOD /U Admin /F "C:\Windows\System32\winrs.exe"
C:\Windows\System32\icacls.exe
"C:\Windows\System32\icacls.exe" "C:\Windows\System32\winrs.exe" /INHERITANCE:e /GRANT:r Admin:(F)
C:\Windows\System32\takeown.exe
"C:\Windows\System32\takeown.exe" /S DSEYXUOD /U Admin /F "C:\Windows\System32\winrs.exe"
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\System32\icacls.exe
"C:\Windows\System32\icacls.exe" "C:\Windows\System32\winrs.exe" /INHERITANCE:e /GRANT:r Admin:(F)
C:\Windows\System32\takeown.exe
"C:\Windows\System32\takeown.exe" /S DSEYXUOD /U Admin /F "C:\Windows\System32\winrs.exe"
C:\Windows\System32\icacls.exe
"C:\Windows\System32\icacls.exe" "C:\Windows\System32\winrs.exe" /INHERITANCE:e /GRANT:r Admin:(F)
C:\Windows\System32\takeown.exe
"C:\Windows\System32\takeown.exe" /S DSEYXUOD /U Admin /F "C:\Windows\System32\winrs.exe"
C:\Windows\System32\icacls.exe
"C:\Windows\System32\icacls.exe" "C:\Windows\System32\winrs.exe" /INHERITANCE:e /GRANT:r Admin:(F)
C:\Windows\System32\takeown.exe
"C:\Windows\System32\takeown.exe" /S DSEYXUOD /U Admin /F "C:\Windows\System32\winrs.exe"
C:\Windows\System32\icacls.exe
"C:\Windows\System32\icacls.exe" "C:\Windows\System32\winrs.exe" /INHERITANCE:e /GRANT:r Admin:(F)
C:\Windows\System32\takeown.exe
"C:\Windows\System32\takeown.exe" /S DSEYXUOD /U Admin /F "C:\Windows\System32\winrs.exe"
C:\Windows\System32\icacls.exe
"C:\Windows\System32\icacls.exe" "C:\Windows\System32\winrs.exe" /INHERITANCE:e /GRANT:r Admin:(F)
C:\Windows\System32\takeown.exe
"C:\Windows\System32\takeown.exe" /S DSEYXUOD /U Admin /F "C:\Windows\System32\winrs.exe"
C:\Windows\System32\icacls.exe
"C:\Windows\System32\icacls.exe" "C:\Windows\System32\winrs.exe" /INHERITANCE:e /GRANT:r Admin:(F)
C:\Windows\System32\takeown.exe
"C:\Windows\System32\takeown.exe" /S DSEYXUOD /U Admin /F "C:\Windows\System32\winrs.exe"
C:\Windows\System32\icacls.exe
"C:\Windows\System32\icacls.exe" "C:\Windows\System32\winrs.exe" /INHERITANCE:e /GRANT:r Admin:(F)
C:\Windows\System32\takeown.exe
"C:\Windows\System32\takeown.exe" /S DSEYXUOD /U Admin /F "C:\Windows\System32\winrs.exe"
C:\Windows\System32\icacls.exe
"C:\Windows\System32\icacls.exe" "C:\Windows\System32\winrs.exe" /INHERITANCE:e /GRANT:r Admin:(F)
C:\Windows\System32\takeown.exe
"C:\Windows\System32\takeown.exe" /S DSEYXUOD /U Admin /F "C:\Windows\System32\winrs.exe"
C:\Windows\System32\icacls.exe
"C:\Windows\System32\icacls.exe" "C:\Windows\System32\winrs.exe" /INHERITANCE:e /GRANT:r Admin:(F)
C:\Windows\System32\takeown.exe
"C:\Windows\System32\takeown.exe" /S DSEYXUOD /U Admin /F "C:\Windows\System32\winrs.exe"
C:\Windows\System32\icacls.exe
"C:\Windows\System32\icacls.exe" "C:\Windows\System32\winrs.exe" /INHERITANCE:e /GRANT:r Admin:(F)
C:\Windows\System32\takeown.exe
"C:\Windows\System32\takeown.exe" /S DSEYXUOD /U Admin /F "C:\Windows\System32\winrs.exe"
C:\Windows\System32\icacls.exe
"C:\Windows\System32\icacls.exe" "C:\Windows\System32\winrs.exe" /INHERITANCE:e /GRANT:r Admin:(F)
C:\Windows\System32\takeown.exe
"C:\Windows\System32\takeown.exe" /S DSEYXUOD /U Admin /F "C:\Windows\System32\winrs.exe"
C:\Windows\System32\icacls.exe
"C:\Windows\System32\icacls.exe" "C:\Windows\System32\winrs.exe" /INHERITANCE:e /GRANT:r Admin:(F)
C:\Windows\System32\takeown.exe
"C:\Windows\System32\takeown.exe" /S DSEYXUOD /U Admin /F "C:\Windows\System32\winrs.exe"
C:\Windows\System32\icacls.exe
"C:\Windows\System32\icacls.exe" "C:\Windows\System32\winrs.exe" /INHERITANCE:e /GRANT:r Admin:(F)
C:\Windows\System32\takeown.exe
"C:\Windows\System32\takeown.exe" /S DSEYXUOD /U Admin /F "C:\Windows\System32\winrs.exe"
C:\Windows\System32\icacls.exe
"C:\Windows\System32\icacls.exe" "C:\Windows\System32\winrs.exe" /INHERITANCE:e /GRANT:r Admin:(F)
C:\Windows\System32\takeown.exe
"C:\Windows\System32\takeown.exe" /S DSEYXUOD /U Admin /F "C:\Windows\System32\winrs.exe"
C:\Windows\System32\icacls.exe
"C:\Windows\System32\icacls.exe" "C:\Windows\System32\winrs.exe" /INHERITANCE:e /GRANT:r Admin:(F)
C:\Windows\System32\takeown.exe
"C:\Windows\System32\takeown.exe" /S DSEYXUOD /U Admin /F "C:\Windows\System32\winrs.exe"
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\System32\icacls.exe
"C:\Windows\System32\icacls.exe" "C:\Windows\System32\winrs.exe" /INHERITANCE:e /GRANT:r Admin:(F)
C:\Windows\System32\takeown.exe
"C:\Windows\System32\takeown.exe" /S DSEYXUOD /U Admin /F "C:\Windows\System32\winrs.exe"
C:\Windows\System32\icacls.exe
"C:\Windows\System32\icacls.exe" "C:\Windows\System32\winrs.exe" /INHERITANCE:e /GRANT:r Admin:(F)
C:\Windows\System32\takeown.exe
"C:\Windows\System32\takeown.exe" /S DSEYXUOD /U Admin /F "C:\Windows\System32\winrs.exe"
C:\Windows\System32\icacls.exe
"C:\Windows\System32\icacls.exe" "C:\Windows\System32\winrs.exe" /INHERITANCE:e /GRANT:r Admin:(F)
C:\Windows\System32\takeown.exe
"C:\Windows\System32\takeown.exe" /S DSEYXUOD /U Admin /F "C:\Windows\System32\winrs.exe"
C:\Windows\System32\icacls.exe
"C:\Windows\System32\icacls.exe" "C:\Windows\System32\winrs.exe" /INHERITANCE:e /GRANT:r Admin:(F)
C:\Windows\System32\takeown.exe
"C:\Windows\System32\takeown.exe" /S DSEYXUOD /U Admin /F "C:\Windows\System32\winrs.exe"
C:\Windows\System32\icacls.exe
"C:\Windows\System32\icacls.exe" "C:\Windows\System32\winrs.exe" /INHERITANCE:e /GRANT:r Admin:(F)
C:\Windows\System32\takeown.exe
"C:\Windows\System32\takeown.exe" /S DSEYXUOD /U Admin /F "C:\Windows\System32\winrs.exe"
C:\Windows\System32\icacls.exe
"C:\Windows\System32\icacls.exe" "C:\Windows\System32\winrs.exe" /INHERITANCE:e /GRANT:r Admin:(F)
C:\Windows\System32\takeown.exe
"C:\Windows\System32\takeown.exe" /S DSEYXUOD /U Admin /F "C:\Windows\System32\winrs.exe"
C:\Windows\System32\icacls.exe
"C:\Windows\System32\icacls.exe" "C:\Windows\System32\winrs.exe" /INHERITANCE:e /GRANT:r Admin:(F)
C:\Windows\System32\takeown.exe
"C:\Windows\System32\takeown.exe" /S DSEYXUOD /U Admin /F "C:\Windows\System32\winrs.exe"
C:\Windows\System32\icacls.exe
"C:\Windows\System32\icacls.exe" "C:\Windows\System32\winrs.exe" /INHERITANCE:e /GRANT:r Admin:(F)
C:\Windows\System32\takeown.exe
"C:\Windows\System32\takeown.exe" /S DSEYXUOD /U Admin /F "C:\Windows\System32\winrs.exe"
C:\Windows\System32\icacls.exe
"C:\Windows\System32\icacls.exe" "C:\Windows\System32\winrs.exe" /INHERITANCE:e /GRANT:r Admin:(F)
C:\Windows\System32\takeown.exe
"C:\Windows\System32\takeown.exe" /S DSEYXUOD /U Admin /F "C:\Windows\System32\winrs.exe"
C:\Windows\System32\icacls.exe
"C:\Windows\System32\icacls.exe" "C:\Windows\System32\winrs.exe" /INHERITANCE:e /GRANT:r Admin:(F)
C:\Windows\System32\takeown.exe
"C:\Windows\System32\takeown.exe" /S DSEYXUOD /U Admin /F "C:\Windows\System32\winrs.exe"
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\System32\icacls.exe
"C:\Windows\System32\icacls.exe" "C:\Windows\System32\winrs.exe" /INHERITANCE:e /GRANT:r Admin:(F)
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\System32\takeown.exe
"C:\Windows\System32\takeown.exe" /S DSEYXUOD /U Admin /F "C:\Windows\System32\winrs.exe"
C:\Windows\System32\icacls.exe
"C:\Windows\System32\icacls.exe" "C:\Windows\System32\winrs.exe" /INHERITANCE:e /GRANT:r Admin:(F)
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\System32\takeown.exe
"C:\Windows\System32\takeown.exe" /S DSEYXUOD /U Admin /F "C:\Windows\System32\winrs.exe"
C:\Windows\System32\icacls.exe
"C:\Windows\System32\icacls.exe" "C:\Windows\System32\winrs.exe" /INHERITANCE:e /GRANT:r Admin:(F)
C:\Windows\System32\takeown.exe
"C:\Windows\System32\takeown.exe" /S DSEYXUOD /U Admin /F "C:\Windows\System32\winrs.exe"
C:\Windows\System32\icacls.exe
"C:\Windows\System32\icacls.exe" "C:\Windows\System32\winrs.exe" /INHERITANCE:e /GRANT:r Admin:(F)
C:\Windows\System32\takeown.exe
"C:\Windows\System32\takeown.exe" /S DSEYXUOD /U Admin /F "C:\Windows\System32\winrs.exe"
C:\Windows\System32\icacls.exe
"C:\Windows\System32\icacls.exe" "C:\Windows\System32\winrs.exe" /INHERITANCE:e /GRANT:r Admin:(F)
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\System32\takeown.exe
"C:\Windows\System32\takeown.exe" /S DSEYXUOD /U Admin /F "C:\Windows\System32\winrs.exe"
C:\Windows\System32\icacls.exe
"C:\Windows\System32\icacls.exe" "C:\Windows\System32\winrs.exe" /INHERITANCE:e /GRANT:r Admin:(F)
C:\Windows\System32\takeown.exe
"C:\Windows\System32\takeown.exe" /S DSEYXUOD /U Admin /F "C:\Windows\System32\winrs.exe"
C:\Windows\System32\icacls.exe
"C:\Windows\System32\icacls.exe" "C:\Windows\System32\winrs.exe" /INHERITANCE:e /GRANT:r Admin:(F)
C:\Windows\System32\takeown.exe
"C:\Windows\System32\takeown.exe" /S DSEYXUOD /U Admin /F "C:\Windows\System32\winrs.exe"
C:\Windows\System32\icacls.exe
"C:\Windows\System32\icacls.exe" "C:\Windows\System32\winrs.exe" /INHERITANCE:e /GRANT:r Admin:(F)
C:\Windows\System32\takeown.exe
"C:\Windows\System32\takeown.exe" /S DSEYXUOD /U Admin /F "C:\Windows\System32\winrs.exe"
C:\Windows\System32\icacls.exe
"C:\Windows\System32\icacls.exe" "C:\Windows\System32\winrs.exe" /INHERITANCE:e /GRANT:r Admin:(F)
C:\Windows\System32\takeown.exe
"C:\Windows\System32\takeown.exe" /S DSEYXUOD /U Admin /F "C:\Windows\System32\winrs.exe"
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\System32\icacls.exe
"C:\Windows\System32\icacls.exe" "C:\Windows\System32\winrs.exe" /INHERITANCE:e /GRANT:r Admin:(F)
C:\Windows\System32\takeown.exe
"C:\Windows\System32\takeown.exe" /S DSEYXUOD /U Admin /F "C:\Windows\System32\winrs.exe"
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\System32\icacls.exe
"C:\Windows\System32\icacls.exe" "C:\Windows\System32\winrs.exe" /INHERITANCE:e /GRANT:r Admin:(F)
C:\Windows\System32\takeown.exe
"C:\Windows\System32\takeown.exe" /S DSEYXUOD /U Admin /F "C:\Windows\System32\winrs.exe"
C:\Windows\System32\icacls.exe
"C:\Windows\System32\icacls.exe" "C:\Windows\System32\winrs.exe" /INHERITANCE:e /GRANT:r Admin:(F)
C:\Windows\System32\takeown.exe
"C:\Windows\System32\takeown.exe" /S DSEYXUOD /U Admin /F "C:\Windows\System32\winrs.exe"
C:\Windows\System32\icacls.exe
"C:\Windows\System32\icacls.exe" "C:\Windows\System32\winrs.exe" /INHERITANCE:e /GRANT:r Admin:(F)
C:\Windows\System32\takeown.exe
"C:\Windows\System32\takeown.exe" /S DSEYXUOD /U Admin /F "C:\Windows\System32\winrs.exe"
C:\Windows\System32\icacls.exe
"C:\Windows\System32\icacls.exe" "C:\Windows\System32\winrs.exe" /INHERITANCE:e /GRANT:r Admin:(F)
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\System32\takeown.exe
"C:\Windows\System32\takeown.exe" /S DSEYXUOD /U Admin /F "C:\Windows\System32\winrs.exe"
C:\Windows\System32\icacls.exe
"C:\Windows\System32\icacls.exe" "C:\Windows\System32\winrs.exe" /INHERITANCE:e /GRANT:r Admin:(F)
C:\Windows\System32\takeown.exe
"C:\Windows\System32\takeown.exe" /S DSEYXUOD /U Admin /F "C:\Windows\System32\winrs.exe"
C:\Windows\System32\icacls.exe
"C:\Windows\System32\icacls.exe" "C:\Windows\System32\winrs.exe" /INHERITANCE:e /GRANT:r Admin:(F)
C:\Windows\System32\takeown.exe
"C:\Windows\System32\takeown.exe" /S DSEYXUOD /U Admin /F "C:\Windows\System32\winrs.exe"
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\System32\icacls.exe
"C:\Windows\System32\icacls.exe" "C:\Windows\System32\winrs.exe" /INHERITANCE:e /GRANT:r Admin:(F)
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\System32\takeown.exe
"C:\Windows\System32\takeown.exe" /S DSEYXUOD /U Admin /F "C:\Windows\System32\winrs.exe"
C:\Windows\System32\icacls.exe
"C:\Windows\System32\icacls.exe" "C:\Windows\System32\winrs.exe" /INHERITANCE:e /GRANT:r Admin:(F)
C:\Windows\System32\takeown.exe
"C:\Windows\System32\takeown.exe" /S DSEYXUOD /U Admin /F "C:\Windows\System32\winrs.exe"
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\System32\icacls.exe
"C:\Windows\System32\icacls.exe" "C:\Windows\System32\winrs.exe" /INHERITANCE:e /GRANT:r Admin:(F)
C:\Windows\System32\takeown.exe
"C:\Windows\System32\takeown.exe" /S DSEYXUOD /U Admin /F "C:\Windows\System32\winrs.exe"
C:\Windows\System32\icacls.exe
"C:\Windows\System32\icacls.exe" "C:\Windows\System32\winrs.exe" /INHERITANCE:e /GRANT:r Admin:(F)
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\System32\takeown.exe
"C:\Windows\System32\takeown.exe" /S DSEYXUOD /U Admin /F "C:\Windows\System32\winrs.exe"
C:\Windows\System32\icacls.exe
"C:\Windows\System32\icacls.exe" "C:\Windows\System32\winrs.exe" /INHERITANCE:e /GRANT:r Admin:(F)
C:\Windows\System32\takeown.exe
"C:\Windows\System32\takeown.exe" /S DSEYXUOD /U Admin /F "C:\Windows\System32\winrs.exe"
C:\Windows\System32\icacls.exe
"C:\Windows\System32\icacls.exe" "C:\Windows\System32\winrs.exe" /INHERITANCE:e /GRANT:r Admin:(F)
C:\Windows\System32\takeown.exe
"C:\Windows\System32\takeown.exe" /S DSEYXUOD /U Admin /F "C:\Windows\System32\winrs.exe"
C:\Windows\System32\icacls.exe
"C:\Windows\System32\icacls.exe" "C:\Windows\System32\winrs.exe" /INHERITANCE:e /GRANT:r Admin:(F)
C:\Windows\System32\takeown.exe
"C:\Windows\System32\takeown.exe" /S DSEYXUOD /U Admin /F "C:\Windows\System32\winrs.exe"
C:\Windows\System32\icacls.exe
"C:\Windows\System32\icacls.exe" "C:\Windows\System32\winrs.exe" /INHERITANCE:e /GRANT:r Admin:(F)
C:\Windows\System32\takeown.exe
"C:\Windows\System32\takeown.exe" /S DSEYXUOD /U Admin /F "C:\Windows\System32\winrs.exe"
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\System32\icacls.exe
"C:\Windows\System32\icacls.exe" "C:\Windows\System32\winrs.exe" /INHERITANCE:e /GRANT:r Admin:(F)
C:\Windows\System32\takeown.exe
"C:\Windows\System32\takeown.exe" /S DSEYXUOD /U Admin /F "C:\Windows\System32\winrs.exe"
C:\Windows\System32\icacls.exe
"C:\Windows\System32\icacls.exe" "C:\Windows\System32\winrs.exe" /INHERITANCE:e /GRANT:r Admin:(F)
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\System32\takeown.exe
"C:\Windows\System32\takeown.exe" /S DSEYXUOD /U Admin /F "C:\Windows\System32\winrs.exe"
C:\Windows\System32\icacls.exe
"C:\Windows\System32\icacls.exe" "C:\Windows\System32\winrs.exe" /INHERITANCE:e /GRANT:r Admin:(F)
C:\Windows\System32\takeown.exe
"C:\Windows\System32\takeown.exe" /S DSEYXUOD /U Admin /F "C:\Windows\System32\winrs.exe"
C:\Windows\System32\icacls.exe
"C:\Windows\System32\icacls.exe" "C:\Windows\System32\winrs.exe" /INHERITANCE:e /GRANT:r Admin:(F)
C:\Windows\System32\takeown.exe
"C:\Windows\System32\takeown.exe" /S DSEYXUOD /U Admin /F "C:\Windows\System32\winrs.exe"
C:\Windows\System32\icacls.exe
"C:\Windows\System32\icacls.exe" "C:\Windows\System32\winrs.exe" /INHERITANCE:e /GRANT:r Admin:(F)
C:\Windows\System32\takeown.exe
"C:\Windows\System32\takeown.exe" /S DSEYXUOD /U Admin /F "C:\Windows\System32\winrs.exe"
C:\Windows\System32\icacls.exe
"C:\Windows\System32\icacls.exe" "C:\Windows\System32\winrs.exe" /INHERITANCE:e /GRANT:r Admin:(F)
C:\Windows\System32\takeown.exe
"C:\Windows\System32\takeown.exe" /S DSEYXUOD /U Admin /F "C:\Windows\System32\winrs.exe"
C:\Windows\System32\icacls.exe
"C:\Windows\System32\icacls.exe" "C:\Windows\System32\winrs.exe" /INHERITANCE:e /GRANT:r Admin:(F)
C:\Windows\System32\takeown.exe
"C:\Windows\System32\takeown.exe" /S DSEYXUOD /U Admin /F "C:\Windows\System32\winrs.exe"
C:\Windows\System32\icacls.exe
"C:\Windows\System32\icacls.exe" "C:\Windows\System32\winrs.exe" /INHERITANCE:e /GRANT:r Admin:(F)
C:\Windows\System32\takeown.exe
"C:\Windows\System32\takeown.exe" /S DSEYXUOD /U Admin /F "C:\Windows\System32\winrs.exe"
C:\Windows\System32\icacls.exe
"C:\Windows\System32\icacls.exe" "C:\Windows\System32\winrs.exe" /INHERITANCE:e /GRANT:r Admin:(F)
C:\Windows\System32\takeown.exe
"C:\Windows\System32\takeown.exe" /S DSEYXUOD /U Admin /F "C:\Windows\System32\winrs.exe"
C:\Windows\System32\icacls.exe
"C:\Windows\System32\icacls.exe" "C:\Windows\System32\winrs.exe" /INHERITANCE:e /GRANT:r Admin:(F)
C:\Windows\System32\takeown.exe
"C:\Windows\System32\takeown.exe" /S DSEYXUOD /U Admin /F "C:\Windows\System32\winrs.exe"
C:\Windows\System32\icacls.exe
"C:\Windows\System32\icacls.exe" "C:\Windows\System32\winrs.exe" /INHERITANCE:e /GRANT:r Admin:(F)
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\System32\takeown.exe
"C:\Windows\System32\takeown.exe" /S DSEYXUOD /U Admin /F "C:\Windows\System32\winrs.exe"
C:\Windows\System32\icacls.exe
"C:\Windows\System32\icacls.exe" "C:\Windows\System32\winrs.exe" /INHERITANCE:e /GRANT:r Admin:(F)
C:\Windows\System32\takeown.exe
"C:\Windows\System32\takeown.exe" /S DSEYXUOD /U Admin /F "C:\Windows\System32\winrs.exe"
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\System32\icacls.exe
"C:\Windows\System32\icacls.exe" "C:\Windows\System32\winrs.exe" /INHERITANCE:e /GRANT:r Admin:(F)
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 66.209.201.84.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 68.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 232.168.11.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.163.245.4.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 28.117.19.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 23.236.111.52.in-addr.arpa | udp |
Files
memory/3612-0-0x00007FFB87953000-0x00007FFB87955000-memory.dmp
memory/3612-1-0x0000012D444B0000-0x0000012D444D8000-memory.dmp
memory/3612-2-0x00007FFB87950000-0x00007FFB88411000-memory.dmp
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\dcBABqfz.exe
| MD5 | 3420edfa91a09a10622832a351968311 |
| SHA1 | 13465122028fd67b708444bc895db4a272b3609d |
| SHA256 | debe43a0afa037775a0f5c3cc74e744ba5ec3e82475a0ffd61179592b16e9a34 |
| SHA512 | 1f9b0897ed453b0e19559bb7ba0b254f7f5c244f834c13750b76e141bb69e3df993eb916b29190ef9c51a44c20bd6208dbdca02bc616ed0c4250b79f84bf9491 |
memory/3612-1044-0x00007FFB87953000-0x00007FFB87955000-memory.dmp
memory/3612-1165-0x00007FFB87950000-0x00007FFB88411000-memory.dmp
C:\Windows\System32\winrs.exe
| MD5 | 727be99ff9eeeaa5cd1071ee45b7f887 |
| SHA1 | 5b25c9316477555628808fd81617e1edff3f9cc9 |
| SHA256 | 05fe7f3ad7719dbc4545a8883395e3851ed506a8c7d246e9d6963ec53bf157e8 |
| SHA512 | 444e89b4eff1722b464a9e09529e905169a2624f7f8844a202e45324e947eb508c849bb51592c7c32fe6b94729e509c4360c2acc465cd5bbb1ace880bd9f0e7c |