Analysis Overview
SHA256
2759e2d64c124380cc1bbaa512efa92771d613869db671179032221e2b0e878f
Threat Level: Known bad
The file 2759e2d64c124380cc1bbaa512efa92771d613869db671179032221e2b0e878fN was found to be: Known bad.
Malicious Activity Summary
UAC bypass
Disables Task Manager via registry modification
Possible privilege escalation attempt
Checks computer location settings
Modifies system executable filetype association
Modifies file permissions
File and Directory Permissions Modification: Windows File and Directory Permissions Modification
Drops file in System32 directory
Unsigned PE
Enumerates physical storage devices
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of WriteProcessMemory
Modifies registry key
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Modifies registry class
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-10-02 23:56
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-10-02 23:56
Reported
2024-10-02 23:59
Platform
win7-20240903-en
Max time kernel
121s
Max time network
121s
Command Line
Signatures
UAC bypass
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\System32\reg.exe | N/A |
Disables Task Manager via registry modification
Possible privilege escalation attempt
Modifies file permissions
Modifies system executable filetype association
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\2759e2d64c124380cc1bbaa512efa92771d613869db671179032221e2b0e878fN.exe BATCF %1" | C:\Users\Admin\AppData\Local\Temp\2759e2d64c124380cc1bbaa512efa92771d613869db671179032221e2b0e878fN.exe | N/A |
File and Directory Permissions Modification: Windows File and Directory Permissions Modification
Drops file in System32 directory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Windows\System32\tzsync.exe | C:\Users\Admin\AppData\Local\Temp\2759e2d64c124380cc1bbaa512efa92771d613869db671179032221e2b0e878fN.exe | N/A |
| File opened for modification | C:\Windows\System32\tzsync.exe | C:\Users\Admin\AppData\Local\Temp\2759e2d64c124380cc1bbaa512efa92771d613869db671179032221e2b0e878fN.exe | N/A |
Enumerates physical storage devices
Modifies registry class
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\pngfile\shell\open\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\2759e2d64c124380cc1bbaa512efa92771d613869db671179032221e2b0e878fN.exe JPGIF %1" | C:\Users\Admin\AppData\Local\Temp\2759e2d64c124380cc1bbaa512efa92771d613869db671179032221e2b0e878fN.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\giffile\shell\Open\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\2759e2d64c124380cc1bbaa512efa92771d613869db671179032221e2b0e878fN.exe JPGIF %1" | C:\Users\Admin\AppData\Local\Temp\2759e2d64c124380cc1bbaa512efa92771d613869db671179032221e2b0e878fN.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\rtffile\shell\open\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\2759e2d64c124380cc1bbaa512efa92771d613869db671179032221e2b0e878fN.exe RTFDF %1" | C:\Users\Admin\AppData\Local\Temp\2759e2d64c124380cc1bbaa512efa92771d613869db671179032221e2b0e878fN.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\cmdfile\shell\open\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\2759e2d64c124380cc1bbaa512efa92771d613869db671179032221e2b0e878fN.exe CMDSF %1" | C:\Users\Admin\AppData\Local\Temp\2759e2d64c124380cc1bbaa512efa92771d613869db671179032221e2b0e878fN.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\2759e2d64c124380cc1bbaa512efa92771d613869db671179032221e2b0e878fN.exe BATCF %1" | C:\Users\Admin\AppData\Local\Temp\2759e2d64c124380cc1bbaa512efa92771d613869db671179032221e2b0e878fN.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\jpegfile\shell\open\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\2759e2d64c124380cc1bbaa512efa92771d613869db671179032221e2b0e878fN.exe JPGIF %1" | C:\Users\Admin\AppData\Local\Temp\2759e2d64c124380cc1bbaa512efa92771d613869db671179032221e2b0e878fN.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\2759e2d64c124380cc1bbaa512efa92771d613869db671179032221e2b0e878fN.exe VBSSF %1" | C:\Users\Admin\AppData\Local\Temp\2759e2d64c124380cc1bbaa512efa92771d613869db671179032221e2b0e878fN.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\open\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\2759e2d64c124380cc1bbaa512efa92771d613869db671179032221e2b0e878fN.exe HTMWF %1" | C:\Users\Admin\AppData\Local\Temp\2759e2d64c124380cc1bbaa512efa92771d613869db671179032221e2b0e878fN.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\xmlfile\shell\open\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\2759e2d64c124380cc1bbaa512efa92771d613869db671179032221e2b0e878fN.exe NTPAD %1" | C:\Users\Admin\AppData\Local\Temp\2759e2d64c124380cc1bbaa512efa92771d613869db671179032221e2b0e878fN.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\inifile\shell\open\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\2759e2d64c124380cc1bbaa512efa92771d613869db671179032221e2b0e878fN.exe NTPAD %1" | C:\Users\Admin\AppData\Local\Temp\2759e2d64c124380cc1bbaa512efa92771d613869db671179032221e2b0e878fN.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\open\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\2759e2d64c124380cc1bbaa512efa92771d613869db671179032221e2b0e878fN.exe NTPAD %1" | C:\Users\Admin\AppData\Local\Temp\2759e2d64c124380cc1bbaa512efa92771d613869db671179032221e2b0e878fN.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\2759e2d64c124380cc1bbaa512efa92771d613869db671179032221e2b0e878fN.exe NTPAD %1" | C:\Users\Admin\AppData\Local\Temp\2759e2d64c124380cc1bbaa512efa92771d613869db671179032221e2b0e878fN.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\icofile\shell\open\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\2759e2d64c124380cc1bbaa512efa92771d613869db671179032221e2b0e878fN.exe JPGIF %1" | C:\Users\Admin\AppData\Local\Temp\2759e2d64c124380cc1bbaa512efa92771d613869db671179032221e2b0e878fN.exe | N/A |
Modifies registry key
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\System32\reg.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2759e2d64c124380cc1bbaa512efa92771d613869db671179032221e2b0e878fN.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2759e2d64c124380cc1bbaa512efa92771d613869db671179032221e2b0e878fN.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\System32\takeown.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\2759e2d64c124380cc1bbaa512efa92771d613869db671179032221e2b0e878fN.exe
"C:\Users\Admin\AppData\Local\Temp\2759e2d64c124380cc1bbaa512efa92771d613869db671179032221e2b0e878fN.exe"
C:\Windows\System32\reg.exe
"C:\Windows\System32\reg.exe" ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
C:\Windows\System32\reg.exe
"C:\Windows\System32\reg.exe" add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
C:\Windows\System32\takeown.exe
"C:\Windows\System32\takeown.exe" /S ZQABOPWE /U Admin /F "C:\Windows\bfsvc.exe"
C:\Windows\System32\icacls.exe
"C:\Windows\System32\icacls.exe" "C:\Windows\bfsvc.exe" /INHERITANCE:e /GRANT:r Admin:(F)
C:\Windows\System32\takeown.exe
"C:\Windows\System32\takeown.exe" /S ZQABOPWE /U Admin /F "C:\Windows\HelpPane.exe"
C:\Windows\System32\icacls.exe
"C:\Windows\System32\icacls.exe" "C:\Windows\HelpPane.exe" /INHERITANCE:e /GRANT:r Admin:(F)
C:\Windows\System32\takeown.exe
"C:\Windows\System32\takeown.exe" /S ZQABOPWE /U Admin /F "C:\Windows\hh.exe"
C:\Windows\System32\icacls.exe
"C:\Windows\System32\icacls.exe" "C:\Windows\hh.exe" /INHERITANCE:e /GRANT:r Admin:(F)
C:\Windows\System32\takeown.exe
"C:\Windows\System32\takeown.exe" /S ZQABOPWE /U Admin /F "C:\Windows\splwow64.exe"
C:\Windows\System32\icacls.exe
"C:\Windows\System32\icacls.exe" "C:\Windows\splwow64.exe" /INHERITANCE:e /GRANT:r Admin:(F)
C:\Windows\System32\takeown.exe
"C:\Windows\System32\takeown.exe" /S ZQABOPWE /U Admin /F "C:\Windows\winhlp32.exe"
C:\Windows\System32\icacls.exe
"C:\Windows\System32\icacls.exe" "C:\Windows\winhlp32.exe" /INHERITANCE:e /GRANT:r Admin:(F)
C:\Windows\System32\takeown.exe
"C:\Windows\System32\takeown.exe" /S ZQABOPWE /U Admin /F "C:\Windows\write.exe"
C:\Windows\System32\icacls.exe
"C:\Windows\System32\icacls.exe" "C:\Windows\write.exe" /INHERITANCE:e /GRANT:r Admin:(F)
C:\Windows\System32\takeown.exe
"C:\Windows\System32\takeown.exe" /S ZQABOPWE /U Admin /F "C:\Windows\SysWOW64\raserver.exe"
C:\Windows\System32\icacls.exe
"C:\Windows\System32\icacls.exe" "C:\Windows\SysWOW64\raserver.exe" /INHERITANCE:e /GRANT:r Admin:(F)
C:\Windows\System32\takeown.exe
"C:\Windows\System32\takeown.exe" /S ZQABOPWE /U Admin /F "C:\Windows\SysWOW64\msra.exe"
C:\Windows\System32\icacls.exe
"C:\Windows\System32\icacls.exe" "C:\Windows\SysWOW64\msra.exe" /INHERITANCE:e /GRANT:r Admin:(F)
C:\Windows\System32\takeown.exe
"C:\Windows\System32\takeown.exe" /S ZQABOPWE /U Admin /F "C:\Windows\SysWOW64\quickassist.exe"
C:\Windows\System32\icacls.exe
"C:\Windows\System32\icacls.exe" "C:\Windows\SysWOW64\quickassist.exe" /INHERITANCE:e /GRANT:r Admin:(F)
C:\Windows\System32\takeown.exe
"C:\Windows\System32\takeown.exe" /S ZQABOPWE /U Admin /F "C:\Windows\SysWOW64\sdchange.exe"
C:\Windows\System32\icacls.exe
"C:\Windows\System32\icacls.exe" "C:\Windows\SysWOW64\sdchange.exe" /INHERITANCE:e /GRANT:r Admin:(F)
C:\Windows\System32\takeown.exe
"C:\Windows\System32\takeown.exe" /S ZQABOPWE /U Admin /F "C:\Windows\SysWOW64\CameraSettingsUIHost.exe"
C:\Windows\System32\icacls.exe
"C:\Windows\System32\icacls.exe" "C:\Windows\SysWOW64\CameraSettingsUIHost.exe" /INHERITANCE:e /GRANT:r Admin:(F)
C:\Windows\System32\takeown.exe
"C:\Windows\System32\takeown.exe" /S ZQABOPWE /U Admin /F "C:\Windows\SysWOW64\logagent.exe"
C:\Windows\System32\icacls.exe
"C:\Windows\System32\icacls.exe" "C:\Windows\SysWOW64\logagent.exe" /INHERITANCE:e /GRANT:r Admin:(F)
C:\Windows\System32\takeown.exe
"C:\Windows\System32\takeown.exe" /S ZQABOPWE /U Admin /F "C:\Windows\SysWOW64\rrinstaller.exe"
C:\Windows\System32\icacls.exe
"C:\Windows\System32\icacls.exe" "C:\Windows\SysWOW64\rrinstaller.exe" /INHERITANCE:e /GRANT:r Admin:(F)
C:\Windows\System32\takeown.exe
"C:\Windows\System32\takeown.exe" /S ZQABOPWE /U Admin /F "C:\Windows\SysWOW64\gpscript.exe"
C:\Windows\System32\icacls.exe
"C:\Windows\System32\icacls.exe" "C:\Windows\SysWOW64\gpscript.exe" /INHERITANCE:e /GRANT:r Admin:(F)
C:\Windows\System32\takeown.exe
"C:\Windows\System32\takeown.exe" /S ZQABOPWE /U Admin /F "C:\Windows\SysWOW64\mavinject.exe"
C:\Windows\System32\icacls.exe
"C:\Windows\System32\icacls.exe" "C:\Windows\SysWOW64\mavinject.exe" /INHERITANCE:e /GRANT:r Admin:(F)
C:\Windows\System32\takeown.exe
"C:\Windows\System32\takeown.exe" /S ZQABOPWE /U Admin /F "C:\Windows\SysWOW64\provlaunch.exe"
C:\Windows\System32\icacls.exe
"C:\Windows\System32\icacls.exe" "C:\Windows\SysWOW64\provlaunch.exe" /INHERITANCE:e /GRANT:r Admin:(F)
C:\Windows\System32\takeown.exe
"C:\Windows\System32\takeown.exe" /S ZQABOPWE /U Admin /F "C:\Windows\SysWOW64\msinfo32.exe"
C:\Windows\System32\icacls.exe
"C:\Windows\System32\icacls.exe" "C:\Windows\SysWOW64\msinfo32.exe" /INHERITANCE:e /GRANT:r Admin:(F)
C:\Windows\System32\takeown.exe
"C:\Windows\System32\takeown.exe" /S ZQABOPWE /U Admin /F "C:\Windows\SysWOW64\runas.exe"
C:\Windows\System32\icacls.exe
"C:\Windows\System32\icacls.exe" "C:\Windows\SysWOW64\runas.exe" /INHERITANCE:e /GRANT:r Admin:(F)
C:\Windows\System32\takeown.exe
"C:\Windows\System32\takeown.exe" /S ZQABOPWE /U Admin /F "C:\Windows\SysWOW64\mstsc.exe"
C:\Windows\System32\icacls.exe
"C:\Windows\System32\icacls.exe" "C:\Windows\SysWOW64\mstsc.exe" /INHERITANCE:e /GRANT:r Admin:(F)
C:\Windows\System32\takeown.exe
"C:\Windows\System32\takeown.exe" /S ZQABOPWE /U Admin /F "C:\Windows\SysWOW64\sdiagnhost.exe"
C:\Windows\System32\icacls.exe
"C:\Windows\System32\icacls.exe" "C:\Windows\SysWOW64\sdiagnhost.exe" /INHERITANCE:e /GRANT:r Admin:(F)
C:\Windows\System32\takeown.exe
"C:\Windows\System32\takeown.exe" /S ZQABOPWE /U Admin /F "C:\Windows\System32\tzsync.exe"
C:\Windows\System32\icacls.exe
"C:\Windows\System32\icacls.exe" "C:\Windows\System32\tzsync.exe" /INHERITANCE:e /GRANT:r Admin:(F)
C:\Windows\System32\takeown.exe
"C:\Windows\System32\takeown.exe" /S ZQABOPWE /U Admin /F "C:\Windows\System32\tzsync.exe"
C:\Windows\System32\icacls.exe
"C:\Windows\System32\icacls.exe" "C:\Windows\System32\tzsync.exe" /INHERITANCE:e /GRANT:r Admin:(F)
C:\Windows\System32\takeown.exe
"C:\Windows\System32\takeown.exe" /S ZQABOPWE /U Admin /F "C:\Windows\System32\tzsync.exe"
C:\Windows\System32\icacls.exe
"C:\Windows\System32\icacls.exe" "C:\Windows\System32\tzsync.exe" /INHERITANCE:e /GRANT:r Admin:(F)
C:\Windows\System32\takeown.exe
"C:\Windows\System32\takeown.exe" /S ZQABOPWE /U Admin /F "C:\Windows\System32\tzsync.exe"
C:\Windows\System32\icacls.exe
"C:\Windows\System32\icacls.exe" "C:\Windows\System32\tzsync.exe" /INHERITANCE:e /GRANT:r Admin:(F)
C:\Windows\System32\takeown.exe
"C:\Windows\System32\takeown.exe" /S ZQABOPWE /U Admin /F "C:\Windows\System32\tzsync.exe"
C:\Windows\System32\icacls.exe
"C:\Windows\System32\icacls.exe" "C:\Windows\System32\tzsync.exe" /INHERITANCE:e /GRANT:r Admin:(F)
C:\Windows\System32\takeown.exe
"C:\Windows\System32\takeown.exe" /S ZQABOPWE /U Admin /F "C:\Windows\System32\tzsync.exe"
C:\Windows\System32\icacls.exe
"C:\Windows\System32\icacls.exe" "C:\Windows\System32\tzsync.exe" /INHERITANCE:e /GRANT:r Admin:(F)
C:\Windows\System32\takeown.exe
"C:\Windows\System32\takeown.exe" /S ZQABOPWE /U Admin /F "C:\Windows\System32\tzsync.exe"
C:\Windows\System32\icacls.exe
"C:\Windows\System32\icacls.exe" "C:\Windows\System32\tzsync.exe" /INHERITANCE:e /GRANT:r Admin:(F)
C:\Windows\System32\takeown.exe
"C:\Windows\System32\takeown.exe" /S ZQABOPWE /U Admin /F "C:\Windows\System32\tzsync.exe"
C:\Windows\System32\icacls.exe
"C:\Windows\System32\icacls.exe" "C:\Windows\System32\tzsync.exe" /INHERITANCE:e /GRANT:r Admin:(F)
C:\Windows\System32\takeown.exe
"C:\Windows\System32\takeown.exe" /S ZQABOPWE /U Admin /F "C:\Windows\System32\tzsync.exe"
C:\Windows\System32\icacls.exe
"C:\Windows\System32\icacls.exe" "C:\Windows\System32\tzsync.exe" /INHERITANCE:e /GRANT:r Admin:(F)
C:\Windows\System32\takeown.exe
"C:\Windows\System32\takeown.exe" /S ZQABOPWE /U Admin /F "C:\Windows\System32\tzsync.exe"
C:\Windows\System32\icacls.exe
"C:\Windows\System32\icacls.exe" "C:\Windows\System32\tzsync.exe" /INHERITANCE:e /GRANT:r Admin:(F)
C:\Windows\System32\takeown.exe
"C:\Windows\System32\takeown.exe" /S ZQABOPWE /U Admin /F "C:\Windows\System32\tzsync.exe"
C:\Windows\System32\icacls.exe
"C:\Windows\System32\icacls.exe" "C:\Windows\System32\tzsync.exe" /INHERITANCE:e /GRANT:r Admin:(F)
C:\Windows\System32\takeown.exe
"C:\Windows\System32\takeown.exe" /S ZQABOPWE /U Admin /F "C:\Windows\System32\tzsync.exe"
C:\Windows\System32\icacls.exe
"C:\Windows\System32\icacls.exe" "C:\Windows\System32\tzsync.exe" /INHERITANCE:e /GRANT:r Admin:(F)
C:\Windows\System32\takeown.exe
"C:\Windows\System32\takeown.exe" /S ZQABOPWE /U Admin /F "C:\Windows\System32\tzsync.exe"
C:\Windows\System32\icacls.exe
"C:\Windows\System32\icacls.exe" "C:\Windows\System32\tzsync.exe" /INHERITANCE:e /GRANT:r Admin:(F)
C:\Windows\System32\takeown.exe
"C:\Windows\System32\takeown.exe" /S ZQABOPWE /U Admin /F "C:\Windows\System32\tzsync.exe"
C:\Windows\System32\icacls.exe
"C:\Windows\System32\icacls.exe" "C:\Windows\System32\tzsync.exe" /INHERITANCE:e /GRANT:r Admin:(F)
C:\Windows\System32\takeown.exe
"C:\Windows\System32\takeown.exe" /S ZQABOPWE /U Admin /F "C:\Windows\System32\tzsync.exe"
C:\Windows\System32\icacls.exe
"C:\Windows\System32\icacls.exe" "C:\Windows\System32\tzsync.exe" /INHERITANCE:e /GRANT:r Admin:(F)
C:\Windows\System32\takeown.exe
"C:\Windows\System32\takeown.exe" /S ZQABOPWE /U Admin /F "C:\Windows\System32\tzsync.exe"
C:\Windows\System32\icacls.exe
"C:\Windows\System32\icacls.exe" "C:\Windows\System32\tzsync.exe" /INHERITANCE:e /GRANT:r Admin:(F)
C:\Windows\System32\takeown.exe
"C:\Windows\System32\takeown.exe" /S ZQABOPWE /U Admin /F "C:\Windows\System32\tzsync.exe"
C:\Windows\System32\icacls.exe
"C:\Windows\System32\icacls.exe" "C:\Windows\System32\tzsync.exe" /INHERITANCE:e /GRANT:r Admin:(F)
C:\Windows\System32\takeown.exe
"C:\Windows\System32\takeown.exe" /S ZQABOPWE /U Admin /F "C:\Windows\System32\tzsync.exe"
C:\Windows\System32\icacls.exe
"C:\Windows\System32\icacls.exe" "C:\Windows\System32\tzsync.exe" /INHERITANCE:e /GRANT:r Admin:(F)
C:\Windows\System32\takeown.exe
"C:\Windows\System32\takeown.exe" /S ZQABOPWE /U Admin /F "C:\Windows\System32\tzsync.exe"
C:\Windows\System32\icacls.exe
"C:\Windows\System32\icacls.exe" "C:\Windows\System32\tzsync.exe" /INHERITANCE:e /GRANT:r Admin:(F)
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-709689283-2055849101949842402-153643571888924940-14996632309847464711979651982"
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "137857777010329804201164124771303368724-1644527247-1829017987-1103304711-1019436764"
C:\Windows\System32\takeown.exe
"C:\Windows\System32\takeown.exe" /S ZQABOPWE /U Admin /F "C:\Windows\System32\tzsync.exe"
C:\Windows\System32\icacls.exe
"C:\Windows\System32\icacls.exe" "C:\Windows\System32\tzsync.exe" /INHERITANCE:e /GRANT:r Admin:(F)
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-264548951-1711996520-1404011878-1147037927948178777120704736150478956-2091202261"
C:\Windows\System32\takeown.exe
"C:\Windows\System32\takeown.exe" /S ZQABOPWE /U Admin /F "C:\Windows\System32\tzsync.exe"
C:\Windows\System32\icacls.exe
"C:\Windows\System32\icacls.exe" "C:\Windows\System32\tzsync.exe" /INHERITANCE:e /GRANT:r Admin:(F)
C:\Windows\System32\takeown.exe
"C:\Windows\System32\takeown.exe" /S ZQABOPWE /U Admin /F "C:\Windows\System32\tzsync.exe"
C:\Windows\System32\icacls.exe
"C:\Windows\System32\icacls.exe" "C:\Windows\System32\tzsync.exe" /INHERITANCE:e /GRANT:r Admin:(F)
C:\Windows\System32\takeown.exe
"C:\Windows\System32\takeown.exe" /S ZQABOPWE /U Admin /F "C:\Windows\System32\tzsync.exe"
C:\Windows\System32\icacls.exe
"C:\Windows\System32\icacls.exe" "C:\Windows\System32\tzsync.exe" /INHERITANCE:e /GRANT:r Admin:(F)
C:\Windows\System32\takeown.exe
"C:\Windows\System32\takeown.exe" /S ZQABOPWE /U Admin /F "C:\Windows\System32\tzsync.exe"
C:\Windows\System32\icacls.exe
"C:\Windows\System32\icacls.exe" "C:\Windows\System32\tzsync.exe" /INHERITANCE:e /GRANT:r Admin:(F)
C:\Windows\System32\takeown.exe
"C:\Windows\System32\takeown.exe" /S ZQABOPWE /U Admin /F "C:\Windows\System32\tzsync.exe"
C:\Windows\System32\icacls.exe
"C:\Windows\System32\icacls.exe" "C:\Windows\System32\tzsync.exe" /INHERITANCE:e /GRANT:r Admin:(F)
C:\Windows\System32\takeown.exe
"C:\Windows\System32\takeown.exe" /S ZQABOPWE /U Admin /F "C:\Windows\System32\tzsync.exe"
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-2004662112512727622-1108871614-435588241849605340-2128894296-257231209-1626178805"
C:\Windows\System32\icacls.exe
"C:\Windows\System32\icacls.exe" "C:\Windows\System32\tzsync.exe" /INHERITANCE:e /GRANT:r Admin:(F)
C:\Windows\System32\takeown.exe
"C:\Windows\System32\takeown.exe" /S ZQABOPWE /U Admin /F "C:\Windows\System32\tzsync.exe"
C:\Windows\System32\icacls.exe
"C:\Windows\System32\icacls.exe" "C:\Windows\System32\tzsync.exe" /INHERITANCE:e /GRANT:r Admin:(F)
C:\Windows\System32\takeown.exe
"C:\Windows\System32\takeown.exe" /S ZQABOPWE /U Admin /F "C:\Windows\System32\tzsync.exe"
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1681973262-596833653888554449-1089427848-1693696823141320108215669703911628168038"
C:\Windows\System32\icacls.exe
"C:\Windows\System32\icacls.exe" "C:\Windows\System32\tzsync.exe" /INHERITANCE:e /GRANT:r Admin:(F)
C:\Windows\System32\takeown.exe
"C:\Windows\System32\takeown.exe" /S ZQABOPWE /U Admin /F "C:\Windows\System32\tzsync.exe"
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1445128247168385105365985226-1591265051216921449-561846817-2047314024-756471313"
C:\Windows\System32\icacls.exe
"C:\Windows\System32\icacls.exe" "C:\Windows\System32\tzsync.exe" /INHERITANCE:e /GRANT:r Admin:(F)
C:\Windows\System32\takeown.exe
"C:\Windows\System32\takeown.exe" /S ZQABOPWE /U Admin /F "C:\Windows\System32\tzsync.exe"
C:\Windows\System32\icacls.exe
"C:\Windows\System32\icacls.exe" "C:\Windows\System32\tzsync.exe" /INHERITANCE:e /GRANT:r Admin:(F)
C:\Windows\System32\takeown.exe
"C:\Windows\System32\takeown.exe" /S ZQABOPWE /U Admin /F "C:\Windows\System32\tzsync.exe"
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1882711474-299074114-847160533-216827202-912708457193418439918957712332026437265"
C:\Windows\System32\icacls.exe
"C:\Windows\System32\icacls.exe" "C:\Windows\System32\tzsync.exe" /INHERITANCE:e /GRANT:r Admin:(F)
C:\Windows\System32\takeown.exe
"C:\Windows\System32\takeown.exe" /S ZQABOPWE /U Admin /F "C:\Windows\System32\tzsync.exe"
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1215622477-36191993818566640142147348826-443317336970560604-810888011895510853"
C:\Windows\System32\icacls.exe
"C:\Windows\System32\icacls.exe" "C:\Windows\System32\tzsync.exe" /INHERITANCE:e /GRANT:r Admin:(F)
C:\Windows\System32\takeown.exe
"C:\Windows\System32\takeown.exe" /S ZQABOPWE /U Admin /F "C:\Windows\System32\tzsync.exe"
C:\Windows\System32\icacls.exe
"C:\Windows\System32\icacls.exe" "C:\Windows\System32\tzsync.exe" /INHERITANCE:e /GRANT:r Admin:(F)
C:\Windows\System32\takeown.exe
"C:\Windows\System32\takeown.exe" /S ZQABOPWE /U Admin /F "C:\Windows\System32\tzsync.exe"
C:\Windows\System32\icacls.exe
"C:\Windows\System32\icacls.exe" "C:\Windows\System32\tzsync.exe" /INHERITANCE:e /GRANT:r Admin:(F)
Network
Files
memory/2060-0-0x000007FEF5D33000-0x000007FEF5D34000-memory.dmp
memory/2060-1-0x0000000000D60000-0x0000000000D88000-memory.dmp
memory/2060-2-0x000007FEF5D30000-0x000007FEF671C000-memory.dmp
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\CSWhg3ghGbH.exe
| MD5 | 1300502eccefc75f5ce8a29fc30fa006 |
| SHA1 | 5f6cddc86f21f0a355f85f23dbd086aeb14b52eb |
| SHA256 | a4af0d89a5c213f22b8e0179e7e76520fad02fc24098214c21d469ad4117721d |
| SHA512 | 6c7715ddfc68b9c74bb457b0d63df38bb9304988e7816b442f73d9246f8184e6d61db207ae63e32dc2a1e38caafa1e748085a9e445003626d6f1c491f91ba848 |
memory/2060-1108-0x000007FEF5D33000-0x000007FEF5D34000-memory.dmp
memory/2060-1245-0x000007FEF5D30000-0x000007FEF671C000-memory.dmp
C:\Windows\System32\tzsync.exe
| MD5 | 840a59de661221c436744d41f82ee73c |
| SHA1 | 2848a676726e67ea11ac1476b84e8fb42a7a5110 |
| SHA256 | 17164a5127bac8a92fd16db540f528175d8b6a6d1a01b3d579cc2e97c223a923 |
| SHA512 | 5a2d4abf77943f00cfb02853ab44e08c8adb9703a94a5904e8d569e854fe05470dd8e75ca7afd43d574e3be1393c901927454d639b433db350d8db13a4b50e1f |
C:\Windows\System32\tzsync.exe
| MD5 | 1824f3a9bc6f80dc5cded30d1e6a7dcb |
| SHA1 | ed0625997babb8d88da345a911d6b4340f2504bb |
| SHA256 | 252af8c3918b91e6ded6afc76f620d48d009e4de89ca565e4bf483ae74def1db |
| SHA512 | bf142c4438dc2fd9e481226743c8911b2483d922b0aede49849195967b53ff874aafd52651b3a55df574d156a095bf1c47d10f7e13e22e52ac1f5e3cb95c0e77 |
C:\Windows\System32\tzsync.exe
| MD5 | 47b3d733c8bafdb1c22f75ebaaafc283 |
| SHA1 | d2baf9fecda5e8f868a329485c74d66d99b9d353 |
| SHA256 | 8f9294356883ae032b8a29401816bd30a01a9039271d309f67a3fc6b6885d862 |
| SHA512 | 2590503791e2933d0fa2dce320c4dc703e55ce1b2113ac2c5aab29061e5da2f15c481dc63141fbc9924f38db7b22d3c06890227b8bbaffa8147d2b67dddec6a1 |
C:\Windows\System32\tzsync.exe
| MD5 | db4a9fac1f33c774990eeb3b2dbd4bda |
| SHA1 | 86d8ceeb376eaddbc2b3cf44435db636c1a1ebad |
| SHA256 | 63b66de05e1df906082cf1dbed9d00531db6d650f68aacf870f8859efa683fed |
| SHA512 | 4ef44b4fa2d42c9a2243760c2d14f679292ab8d8fe09f9ec2cba6f7a581766386bcd73cd439438204201b9792393b023c4d0c2f09c8f7116bfbf8dcb4407c7ad |
C:\Windows\System32\tzsync.exe
| MD5 | 5e085a5f09275af300ae1b468fa2ca6d |
| SHA1 | 5775bc3a3dfc4b8d34f983251f5a4f73aaad4554 |
| SHA256 | 2f9376d3d86bd2167d32f1d1536e58de2599e078ef2f50341954716f2175014e |
| SHA512 | 4d4be82cc2a5cc06abd4471a8df6e1dbfcfbe71ae28b16e48b57db2411beaf102feb353a185f3a97afe1e250b813eaf88628729d9a4ceaca1ff805fc17bf36c5 |
C:\Windows\System32\tzsync.exe
| MD5 | 7e361b2f6e4d368c36a7779a471c935c |
| SHA1 | dbcabd71717d9a7429743d95c60a436e10919e96 |
| SHA256 | d8b5cdf16b9725fc840e7d56d28100b55e95a256ebfeec15ff1bfe35ea43845d |
| SHA512 | f984605c7709aae617a3835a4e5dfffa548a38a018e12423982fdc11e5c85df887e126a03ea5994cc9ad3dafa07cd261ee1a9364bcffed94d8becda455cf7346 |
C:\Windows\System32\tzsync.exe
| MD5 | 781477b19c90e2d8d057ac5003d8bf54 |
| SHA1 | bcceb3fa1c4c4f11808569baf55622e368115827 |
| SHA256 | 874cb622f1cb21f07bbcac6b49156c1eeabc9931370f54290b511ad087f7d187 |
| SHA512 | d0758e05df2c73b0cf36badf8bb9bed681f22a76c88173e913029b72ecefde1e79c304cb782e07de521f47c314218f0897a8cca60dc0f2f2681f8a74368e302b |
C:\Windows\System32\tzsync.exe
| MD5 | 5c0ce0d624fff6d8298286c5091bbc40 |
| SHA1 | 949b86014298e4250356ab29f557c1cbaa7140c5 |
| SHA256 | dbd1a7a63228864c236a833da1b1b4f5e62c9a2040c3fd66d7a3ebffb1ddd787 |
| SHA512 | ae3b77af46dcef4b549d4d635c198bbf7e9a8c173360865ad99caafb078b3a3e219c160bb3aaf2405920c8603c2708ab71a29928d98774aa9ac6c2c1d1a71bd7 |
C:\Windows\System32\tzsync.exe
| MD5 | ff6f328f4ed363e8d56fd0aad781a198 |
| SHA1 | 34abd0f126ca5eb950df14159db382eff09a753b |
| SHA256 | c806b029b7b3bada6cf411f111fe1b4fdbdda675b8fdfedc98f4171641daf6fe |
| SHA512 | dc05949b969ca3e7e08b138aef4c3baccb7f08161d8bc2ac8d0a2a94da94b8c5acac0cc5cb79ecd7ed40834410b51540c94f3d1be9b675e30cc33ed31ee224ec |
C:\Windows\System32\tzsync.exe
| MD5 | 68693d4017b733afba4b1fbf47ff48c6 |
| SHA1 | 6993dd8f0d6989f261c47579ed70c03f91d98d2b |
| SHA256 | 5ee8ea9d277bf7278b1b68c9418dcdf97db27698d9917e0277bd8dcc555544a2 |
| SHA512 | 9f15f4dff9938d24512cae01f586e8f265e51c1f4f691398ba44a5f6aabc462b24d8f27e9a2cc6b67a05b42b86d45f77292a2242ff6df74fc17b2c9a6f207350 |
C:\Windows\System32\tzsync.exe
| MD5 | 6f6966554fb8724f22a754013f76568a |
| SHA1 | cf56b0c96f665dba26d9f6b8091cfda4347f368b |
| SHA256 | 1b3e501e39d94797f194d3dfac8b9e87ab7e2e73a579b2b130d28472e4efbabb |
| SHA512 | 9a4804d189feacb7f4011865913b07cf2737e4e76acb67ac882fc651f01a28ead0e1115ad283a2faedf30b4eea2b4767130104ba22c4b0c0f4718951fc42837e |
C:\Windows\System32\tzsync.exe
| MD5 | d1718b06fcf282223d83dc960d8e7603 |
| SHA1 | a399fd3cf970bb86f980b4750d2c333c6149a2fc |
| SHA256 | 60cd343425d7b44a5c92a17bfbbcb7054350ee82a43f024fbfe28032e7711071 |
| SHA512 | 8debd5b7717c8c80bbec490e5e73e668bf400c47afbb8ba25ded640046bd93b963086065305fd067f20290701b221642c8a572f63a254e66c34cdc3dece069aa |
C:\Windows\System32\tzsync.exe
| MD5 | 0a5ead827c6bb13f7252fa02872436f1 |
| SHA1 | 784a3ff7a2b1a1f96d2c1b67c141e21a2ac7faa4 |
| SHA256 | 6f1d6c5e3c0110e6b658f8db6938a128b6d51f89dd8e8a74e13c03e7c01b1770 |
| SHA512 | f4146c306ee5bd226bc6e60a294d19ef0a544dff9a4f27faffaa4059a9dcf05598184afef31cdb999b064c893ca484d8d6e6ebdf1e990ceeef56c6a791c440a1 |
C:\Windows\System32\tzsync.exe
| MD5 | 588fd91751d91026a9c9e2a12394ba52 |
| SHA1 | 4c29a70f524a31efdda82ff19a306d70ad558a39 |
| SHA256 | 290e0c25c07bf76c506cc6232051c7ee8c4976ad47e71ee11157e558db940c64 |
| SHA512 | baa8056853869c528a8de1d2e36c6c495dbd725cadd8f5447ba1b0c17826e0dbc49e5a8d32a558c9dd7c5ae045b7d52b67b6fc633688f31ddd781219546b0a98 |
C:\Windows\System32\tzsync.exe
| MD5 | 07226451583c123c9a407a28285a3046 |
| SHA1 | ad6d98808fc5022f5b80cddfa961cac010fb62c8 |
| SHA256 | 34c42bed1adc7ce7249b858d973c582bfbd5aaaff22e06062badacb6a845b702 |
| SHA512 | ff8b6d730043487be090c727cc052c8d7a45095165be0041c41f6321105ae0aa5e1a2c091caa16dbd9d976f4b301ab6b9914a73172ca2e247b7913d19824b4ae |
C:\Windows\System32\tzsync.exe
| MD5 | 4499f3afd4e4643ec87a68fce0426d83 |
| SHA1 | ee525a5926311f2e6350768e1ba83b47429e0db8 |
| SHA256 | 76e0ca278f5749d7f2a60f4bebb999479de3ab4c60a36d47f39ddd4c30dc21cd |
| SHA512 | b5bce6aef246bc74929299b54232af3f9a1bdef783b1873009b67046fdadc07d3b7d8e564845c0b03dc9c3a6c7f3bff6eeef68c1af8aae4ca02c4e5a12df5d43 |
C:\Windows\System32\tzsync.exe
| MD5 | 831f82b91ea622dea77ae381b17b727b |
| SHA1 | c3289d0633b64a4ea8f59484fab1b5b39cc36aef |
| SHA256 | bb3a35a81709c141083a51225a92a9558ed9b562098f75cdb4ac49299547669c |
| SHA512 | 014cff999b35dcbe90354c8fb21d598d9d1fb5421b1ab3b15a1a7ac9a520d6299a893728dd642d4c27e5e191cbeb84f37a8185203852e017c51cf9947599210c |
C:\Windows\System32\tzsync.exe
| MD5 | 6550480b62a7c28c72034d2b82b16f3f |
| SHA1 | 2400ab543720df935f93e6270b4a00feaf17a7a4 |
| SHA256 | 4e3f79772a4249b279b4ffd41ca075b93a5b76e59dd8aeedf33047456adfa987 |
| SHA512 | d2987c99a1b6d325768d1d5a632d34edb621a75f4bcf790dda345aa3cc0a9710000ce53626ba70215bc81ce37145c5718ede0d318c5751b2b05e30cdf26fe1ed |
C:\Windows\System32\tzsync.exe
| MD5 | dff5cc23fd991d14eb8c1f3a005b498c |
| SHA1 | 258c76df6e986ac2b44a5ccbd3bb5a0db9b62634 |
| SHA256 | 09aa59fd31c2e011f926be38130fdeab54d77f6baaaf7029d1648a44244902d8 |
| SHA512 | a726dceb847cf95ea05969d5547c4645d742c5156dfbfd9cc8e115fc534723309b7cc7d42c87ab16d124c4f4c89a8796272968906202eadb1e82bd604acd831d |
C:\Windows\System32\tzsync.exe
| MD5 | d020fe42c0afaa9a4c580e576d640537 |
| SHA1 | a6631c9db9019031d9654fa643e198268f6c1275 |
| SHA256 | e4bbfebb36a0a31f626fa8fa38a51fb07e409f4d472e06c7157cb285fa0eaf6c |
| SHA512 | d9f53a83f084bf0df2332d2326145925c7c3d2865d67182689cdef4d5493a7ad6039198c38b5e48ea0efa2ba5f0440e84ece97c830aea3c305f3bd56b753c8c2 |
C:\Windows\System32\tzsync.exe
| MD5 | 51a1f1d81e85af9df8f2076d2906a38a |
| SHA1 | 386cbf62aee3f182c6c9ce321e8da77d24a7b55d |
| SHA256 | 27acac566391b0af746d360d00a033bcc074dd0eb3682c15658c518e9086eedb |
| SHA512 | eaa0cbeb93b3b383fb64086a84dce713ce1803df323b3e3f6128cd6ede53cb60aa207fb9f4de6a5694aedd6edc81b685f7586f514feb73d24af018ccf811fd48 |
C:\Windows\System32\tzsync.exe
| MD5 | 2ba8283eb9f80171d9017e72aa2c13de |
| SHA1 | bf23b8babc9658a444601e77e27757c338c4fe78 |
| SHA256 | 87d9351f74d71e65628fcdd02c90421ad4c27ca9a6a6a41b10eab52b5de45c16 |
| SHA512 | 8596f75d0e63eb4ec0f5a5d6cc710663e7905b4bd34a57a6a1f1d5ebf4dbbacdf9a5c12c3915fb5531f8bf218024176ae16b910ce7b3776e35c87ebe806f3dcf |
C:\Windows\System32\tzsync.exe
| MD5 | 2d6acb37e8de5ca58d772bf3c47edfe8 |
| SHA1 | 63e80ae2d8a1bbba21b94d9b5dd091b2e66beea5 |
| SHA256 | 80908a11b78414374e599d39c08e37db9370b78f233336edd23ab4b3143ace55 |
| SHA512 | 95a76af40227ca9b2b3f1b30c43a3c52ca7bfebab574780a8f7ecdab7cacb5335424948a871e2db85f88d0b5f034c83b3584911b307a85562cbb13e37330dba5 |
C:\Windows\System32\tzsync.exe
| MD5 | 2cc33c4262c5cfb142ca3f564ba94114 |
| SHA1 | e12ced3c7e36e165f7279dd3766ff123f013b632 |
| SHA256 | c8617e2b2a6aa718e88d45e8d3fb9c2e50920a9a00f669c71956e7d6fbb4b3ab |
| SHA512 | 76698b4af16f4035320f50968862c7a0f29646e381c028f71c564a2172618e38b7e11f422b201ffe11aaa010c4c93c66a5a9cc67e56d64abe52016a31b5a973e |
C:\Windows\System32\tzsync.exe
| MD5 | dc0f208f38e1e19029eca1c0c8146e73 |
| SHA1 | 2b3e6dceb524f3b57eff3cdb4fc1730743698106 |
| SHA256 | fe83141ca416248aac51cc6e2aae72fd3f08d66cf4f8aef1237d8ef8c72e1d1c |
| SHA512 | 7a5631d6e19fcf10a98158a5dcfd78aee5cfbea9bc6f129eee77095673c023bac00e16622b7420b2f1900604cafc0e122b7ee8bc3188c43c520d5b89bb2fb477 |
C:\Windows\System32\tzsync.exe
| MD5 | 8b5fa0748b46f1e08f063ac6ebf4081b |
| SHA1 | 149ca6ef30311f04c08ef4fcd8ea58d6ebba3e1e |
| SHA256 | 9b460ff0147b10c42f7b4acc77e60157f246e6584d00f3430c2b2d557078d058 |
| SHA512 | 945a664729cf06d1e9abf9eb75e4dadc82859be6ae8a6e25667cb46bf1bfbfe5421e39e10e4226224a93d3814cdeb794221d5b20164f861149e17a02e2a3afdd |
C:\Windows\System32\tzsync.exe
| MD5 | f202f10b77eac6bbb94ee33cfd0f6131 |
| SHA1 | 3b21ca3d197cc96dc0753361e1e8eb68543b5046 |
| SHA256 | 2afba7d3130fe417c6521550f6ffebbb123fc44136e9382ae5d99b5173060127 |
| SHA512 | d226cd059b44f179dca0cfd25f9fe99b9e771eda20440707e39e58968e7d90d8106a119a84738aba4078537c7968e3444f5deb5fed79b384a21085b699ded239 |
C:\Windows\System32\tzsync.exe
| MD5 | b0d8ddd3c56e9131055524488fea1cf1 |
| SHA1 | 9f3ecd4017ccd985b69c81eddda0d67b5ff5917e |
| SHA256 | 9ed751ed447e5d00c610226fe1e9cce4d4116a8990aaa707ec3bf67bec9b30a3 |
| SHA512 | 41e5e9c7085f2638a9f00357265ce5e70ab2ee6b6b4322b650af757194cd6505a0bf2ab4cffdfc905620d9d2fb756627867f12001af92507bcc105d6f83ab656 |
C:\Windows\System32\tzsync.exe
| MD5 | 5e4fc9659208ee020215fb2a239119ad |
| SHA1 | dea15285b625344dce183429a922b6c8e9e5b427 |
| SHA256 | 5afb14a1c24ec5f384bcee178b7ab6cf880bce10173627965d5c666832f07bf8 |
| SHA512 | ddadf42fcf9edf6ff326734569ca75dc50434c2246829b77f713ac63159f019b1cc42675f25c1905f6b5da91585f0e825ab262942e4f423b0b9ea2878031d0e8 |
C:\Windows\System32\tzsync.exe
| MD5 | 5fc18e4286e08845d96592c0c0d7f2f0 |
| SHA1 | 0871954c304abc20af40ff58294c8d5c65374107 |
| SHA256 | f45ea564b8c47fcbf3a25c5be24586e51705f2ecea50e984408bfad58dc00c25 |
| SHA512 | 447702d2d926b066cad4ad1ad04e287a45b0d668031cf07a372e8468ae320446a38c008c2833612d5f053c56f17a0a398668b93a420e48399200813964a924a6 |
C:\Windows\System32\tzsync.exe
| MD5 | 1815d1ec57fd7e5df232099c435e0451 |
| SHA1 | 1ee650dfebf6cf4d068cd3330d8a82070681e09f |
| SHA256 | 892e390a6c6bd2fe25dc87b1bb4f54366b4acfeae8cbd62482ae6066f8856d33 |
| SHA512 | 0962e0b96bd5410fdc1271226b3444e544807e1e94778fe9db29ada403c1f3d90b6976ca43abd958656a571ca3fc278c3bc8825b030f60aeb0044b2b2c4218b3 |
C:\Windows\System32\tzsync.exe
| MD5 | 9ba9f001a50d09b69fb429651a91b5c1 |
| SHA1 | 52ee803c10e681bd521fa307d101262304a28113 |
| SHA256 | 96c9563b12657ffb5695a436d9d9b9ff5ff903dfb3316dee63b454173cc8316e |
| SHA512 | c164556e23e33eecc759c5c9429de2df1e9e34637c7e9d14b07c6b23b805ce1a4d2dd1b9d91ed8435f76ed30e41fa226f04ae6fe06641fbd0667b9236174dd5f |
C:\Windows\System32\tzsync.exe
| MD5 | ac5403a8b9a4aff115094c8c253d011a |
| SHA1 | 1075cfaa2782b7c4310dc16a7cc5d64f796af159 |
| SHA256 | 65e23fc57b76b7b709f0129dc12f93df5861e7d796e19e8ce1ef5afa83449d88 |
| SHA512 | 25ce6e0df5df80adb944cff47264ad1969e9b71b7885cdc8d29eabfb71b730fc59ea8a0e982ecc179ff2fc4bad1f6fb6f12a4edc2ad643fa359de220dc130922 |
C:\Windows\System32\tzsync.exe
| MD5 | d3c9cd3bf70e51d3e9b328c7b9d0b304 |
| SHA1 | 8ecf7a0e1e030d100179530c06c3e63420a14c56 |
| SHA256 | 6bddcb86f0e114de7940cacaf0b3457452e99d50651836a13d3e50c9a9eb6b63 |
| SHA512 | a38ce8d50fce9f98ac5a5f9442ed4da2173d3c7f8e0be06064ce117adb3b5ca962ba3d923be052e99c35fb476e04a71531fdc724e4a5fd69a981ecdbb31b2230 |
C:\Windows\System32\tzsync.exe
| MD5 | e1bd79e71cf203927428c12ec0c664b5 |
| SHA1 | 150b45d2e580c63f607b0c4a10635d92cd6d6a1b |
| SHA256 | 7b64c9cc1bc540c3c18208dec3f0cb3c96fd3494634a9238291faa229dd732de |
| SHA512 | 9834b77de6a9ce26c46b9bdff8f021fda81e937bbda6c438be10728efd1b722a1cdb4c588361fb62d69c35844c74ab480a85d408d0a5d97729806fcba6555f3b |
C:\Windows\System32\tzsync.exe
| MD5 | 3359ed8912e2faf9eb658c93bfed5e32 |
| SHA1 | 55bbd71e4c938b75f780d3c883b6825182448ac0 |
| SHA256 | 854b8b5c69b7fd2bc98b880d8dbefbc5c597e93574cdb5bbcf46f5da0514a7f3 |
| SHA512 | 91847765bce53410941b54a0a588f432c088e7f02b2af1459fef103ff21c803432d0c4b963e42372f2b27c17e38483420384f87b4deae80fafa8327ef9ca8613 |
C:\Windows\System32\tzsync.exe
| MD5 | 0cacb14acf616ce369bc4a1060e9e2c8 |
| SHA1 | 5d6d6277815eda65a9254095dc5fc9b730a27c95 |
| SHA256 | 50f3222d7e4ea849c2851f6912321a146ca5751c0c3836d72d9a5db2b5bfdef3 |
| SHA512 | a3fa6bd87b31be9cee78cbcd1bf42a7d7f01972fce22eeef8bca12c21c4ef0de1ad980588f4227badd33261ffb46d430b4d04be2ad98b2ff6b471856c4513ae8 |
C:\Windows\System32\tzsync.exe
| MD5 | 5b93692cd2f48807968b7be1acce095b |
| SHA1 | 66d438205261cce61d7bde3f029ff697e33071b9 |
| SHA256 | d2e09f66b3ccdb0584249d61f2b6806fe9b10a30998311f56ebf5df775ebfc31 |
| SHA512 | a9d3fd8d5f901b5c00130baab0d3bc99bd41ee2241d34a395cba00c1f1854972eeb406053a30fa6b74d56816f954ca241e96928029c737fc2edffeac4dac1168 |
C:\Windows\System32\tzsync.exe
| MD5 | 723659186ab13cd1077170ae7cdb2750 |
| SHA1 | df6d8195cdf873a9e0ff644a5875446f24b310e7 |
| SHA256 | 6abf71dca4d8dcb39783936b5471461564bb3c2bd85212bb6ed29aba7f93f046 |
| SHA512 | 7baa0c0a93ba11b3c765cf8847cc7fd6ccf94b7d252cf307376dbb6615058ce444d8e6dad2e878a0025140e74035a1e27782f5df3da2d7d63a1cacbb7715b03e |
C:\Windows\System32\tzsync.exe
| MD5 | 15ef8fb25bc7248af9429a31b11ca47a |
| SHA1 | b5d52f363c40244e27f94ed431be85f782c654f5 |
| SHA256 | 03e78bef19c8166d92028fc5b3f6e202fb1006bbdb03afce022783a2b4658b4f |
| SHA512 | 4d7a1c3ff1d86059de25faa4a975d9e3424512637a7aead82c6f8cf607c6eac383ef44bfdf8c1c6c4a1b1e5633c9b5755ff30794a06250587f3c507eaf6efe4a |
C:\Windows\System32\tzsync.exe
| MD5 | caff06665b414ffbec6cb1c17b0376e8 |
| SHA1 | ed00ecb925a3c78598f6880bbf8624d95abac792 |
| SHA256 | 2fe3324d358a4fd8d9f324f8783c3291390edbdd1e651ecfe193ea86880b6dba |
| SHA512 | 91b0e7451e27c649daaa0b8d20c462446266cb64a1fe5b72b674458deef0cc703f5a39aeb9bacaf86b419e82075fc7189728b96da71b94616635994ac71e0d38 |
C:\Windows\System32\tzsync.exe
| MD5 | 9b7cdd763326d50a7e953618b26855d0 |
| SHA1 | c8461889c94d549e1d8e24344e7a4da60d1329bc |
| SHA256 | ad3af7dbdefa2f26f046bfd189bf901b84f5a01fe5d097d93beb2cf5504e8e4b |
| SHA512 | 81bdea7f5b5cfc7d666fa8ff5daccfb0388649374c834aba109ec79b713192b07f71012b73c1fcf1026e63405cff791a6cd3b57a4baa68ff2b18c662daaa6c74 |
C:\Windows\System32\tzsync.exe
| MD5 | e3e47df11088c6c8aeefe4068a223354 |
| SHA1 | 3b373646383b2285c0f9231c266c8838f8bf0187 |
| SHA256 | f252ce980d3c2b54d85642c46acbff84840ec1ec4408c94dedba3d14ddfcc468 |
| SHA512 | 857ed92c7be29c695f5234f082cde15b1e8c7b2dafabc24230fdc7bc38955d152b66457bec7b1d71d4745fc72bb4990c1182b8884d68d022bcb41873865317ee |
C:\Windows\System32\tzsync.exe
| MD5 | 5253dbbbf09b786168572ce8f816848e |
| SHA1 | bd0ccdbc47c2a51f180f822fe3c45f32e3f5da99 |
| SHA256 | 718015309d982539d1dff52bd0c579f7810095b3dbce7110b73170d21e37cc92 |
| SHA512 | 305fb7e9f0e411c3f45527413c30c43f7367da1f151ece043df4c7a955610f9e631fc465e3818b153dc0a4204716326aa76383244e8d7ba3b117990d5c31a2a6 |
C:\Windows\System32\tzsync.exe
| MD5 | 33b6f7e3802c499a666ec7aa1438e9de |
| SHA1 | 7736e7c82d1712ea91099303e1cd9a3557b34940 |
| SHA256 | 9a829010c4edb27cf04060befbb2d09e2fb299b4233a401879801d05b364fd1b |
| SHA512 | e5c64a36dadfe8398f27dfccabcadbda7f99607702fefdbd7b2f9ea4d5e809387e36621cc6579e02ca329e18d29fd88a4bec21ad04fa12a7c007f53a778c4bbc |
C:\Windows\System32\tzsync.exe
| MD5 | e6549419e3106e4712fcbce8b9a77def |
| SHA1 | b52cde158fd7e09d103585772e3607dc3de28d5d |
| SHA256 | cad5e8f95a73908015800788aa38e38780bb8b231b19b6e475e488f64f4905b5 |
| SHA512 | 3fb29f6c098b1264ecf81f715bc13f31cdc73efc62ebd134e7d831efe478a60dacc1c2a79176264b95807d3b85dfe99d66d00e8222756bc9485a63b4a64bbc89 |
C:\Windows\System32\tzsync.exe
| MD5 | b887f25e5ef5f19e3eaded20739ba5a6 |
| SHA1 | 908253ef2b0e7c5e1a1bf4b69ffedaee04c45556 |
| SHA256 | 27ff69ad95f381790c11bccfa14889bbdcf409ec2f1548d5192e152f40f065de |
| SHA512 | db31878944fd416186ca8bbbec33a64a04007703d308213e84399c2662b34b1571b4c7ce55a0cab25fa776b6783bbcf6fb1a204eb6dc68234350163645cfc416 |
C:\Windows\System32\tzsync.exe
| MD5 | 84b602f461bed41c12f237aabfca17e2 |
| SHA1 | dec2ad048a73ae97686a75538a17ffa5d045453c |
| SHA256 | b1378a409965f5408a9ef3cf330ff1a60edd6af55457a0c577aeb6689bd2c297 |
| SHA512 | 0650e273bc0b70b809c63f153becb0be5a3416fd68be59d7d0122df005147ee2406103fd663247f856c45e10563bf30474c0589795339b07f8611afc3571e9ff |
C:\Windows\System32\tzsync.exe
| MD5 | 1a75cca69eb8800696c4bfda46465458 |
| SHA1 | 445ba9908fc072fda2a63acbe71b227231325983 |
| SHA256 | 9acaf5ab49b812412f35618f2257e44b0779451afbb593fa7889773d052e4928 |
| SHA512 | c8e8d2f574c152978c72bd53b081001f14636a6779b47ad583f89ffaf9c3e60b432091b55c7c80f278adb01f086935d191d764927f86732b4e40d2753e75ba15 |
memory/2060-11530-0x000007FEF5D30000-0x000007FEF671C000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-10-02 23:56
Reported
2024-10-02 23:59
Platform
win10v2004-20240802-en
Max time kernel
150s
Max time network
95s
Command Line
Signatures
UAC bypass
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\System32\reg.exe | N/A |
Disables Task Manager via registry modification
Possible privilege escalation attempt
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\2759e2d64c124380cc1bbaa512efa92771d613869db671179032221e2b0e878fN.exe | N/A |
Modifies file permissions
Modifies system executable filetype association
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\2759e2d64c124380cc1bbaa512efa92771d613869db671179032221e2b0e878fN.exe BATCF %1" | C:\Users\Admin\AppData\Local\Temp\2759e2d64c124380cc1bbaa512efa92771d613869db671179032221e2b0e878fN.exe | N/A |
File and Directory Permissions Modification: Windows File and Directory Permissions Modification
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\System32\wowreg32.exe | C:\Users\Admin\AppData\Local\Temp\2759e2d64c124380cc1bbaa512efa92771d613869db671179032221e2b0e878fN.exe | N/A |
Enumerates physical storage devices
Modifies registry class
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\2759e2d64c124380cc1bbaa512efa92771d613869db671179032221e2b0e878fN.exe NTPAD %1" | C:\Users\Admin\AppData\Local\Temp\2759e2d64c124380cc1bbaa512efa92771d613869db671179032221e2b0e878fN.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\2759e2d64c124380cc1bbaa512efa92771d613869db671179032221e2b0e878fN.exe BATCF %1" | C:\Users\Admin\AppData\Local\Temp\2759e2d64c124380cc1bbaa512efa92771d613869db671179032221e2b0e878fN.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\giffile\shell\Open\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\2759e2d64c124380cc1bbaa512efa92771d613869db671179032221e2b0e878fN.exe JPGIF %1" | C:\Users\Admin\AppData\Local\Temp\2759e2d64c124380cc1bbaa512efa92771d613869db671179032221e2b0e878fN.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\open\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\2759e2d64c124380cc1bbaa512efa92771d613869db671179032221e2b0e878fN.exe HTMWF %1" | C:\Users\Admin\AppData\Local\Temp\2759e2d64c124380cc1bbaa512efa92771d613869db671179032221e2b0e878fN.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\rtffile\shell\open\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\2759e2d64c124380cc1bbaa512efa92771d613869db671179032221e2b0e878fN.exe RTFDF %1" | C:\Users\Admin\AppData\Local\Temp\2759e2d64c124380cc1bbaa512efa92771d613869db671179032221e2b0e878fN.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\inifile\shell\open\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\2759e2d64c124380cc1bbaa512efa92771d613869db671179032221e2b0e878fN.exe NTPAD %1" | C:\Users\Admin\AppData\Local\Temp\2759e2d64c124380cc1bbaa512efa92771d613869db671179032221e2b0e878fN.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\cmdfile\shell\open\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\2759e2d64c124380cc1bbaa512efa92771d613869db671179032221e2b0e878fN.exe CMDSF %1" | C:\Users\Admin\AppData\Local\Temp\2759e2d64c124380cc1bbaa512efa92771d613869db671179032221e2b0e878fN.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\2759e2d64c124380cc1bbaa512efa92771d613869db671179032221e2b0e878fN.exe VBSSF %1" | C:\Users\Admin\AppData\Local\Temp\2759e2d64c124380cc1bbaa512efa92771d613869db671179032221e2b0e878fN.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\xmlfile\shell\Open\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\2759e2d64c124380cc1bbaa512efa92771d613869db671179032221e2b0e878fN.exe NTPAD %1" | C:\Users\Admin\AppData\Local\Temp\2759e2d64c124380cc1bbaa512efa92771d613869db671179032221e2b0e878fN.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\open\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\2759e2d64c124380cc1bbaa512efa92771d613869db671179032221e2b0e878fN.exe NTPAD %1" | C:\Users\Admin\AppData\Local\Temp\2759e2d64c124380cc1bbaa512efa92771d613869db671179032221e2b0e878fN.exe | N/A |
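The rows above are the mechanism behind the "Modifies system executable filetype association" signature: the sample rewrites the `shell\open\command` verb of ten ProgIDs (txtfile, batfile, cmdfile, VBSFile, htmlfile, ...) so that every double-click on one of those file types launches the dropped executable from the user's Temp directory first, with a short tag (NTPAD, BATCF, CMDSF, ...) telling it which original handler to emulate and `%1` carrying the victim's file name. The following added example (not part of the sandbox report) parses rows in this report's own shape and flags any verb whose handler sits outside trusted program directories, then groups the hijacked ProgIDs by the sample's dispatch tag. The trusted-prefix list and the benign contrast row are assumptions for the example; on a live host the same check would be run over HKLM\SOFTWARE\Classes and HKCU\SOFTWARE\Classes, since the per-user hive overrides the machine hive in HKCR.

```python
import re
from dataclasses import dataclass

# Handler paths rooted here are treated as trusted. Assumption for this
# example: anything outside these directories (or an env-var alias of them)
# is worth a look; tune the list per environment.
TRUSTED_PREFIXES = ("c:\\windows\\", "c:\\program files\\",
                    "c:\\program files (x86)\\", "%systemroot%", "%programfiles%")

# Row shape of the report's "Set value (str)" indicator: <key path> = "<value>".
ROW_RE = re.compile(
    r'^\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\(?P<progid>[^\\]+)\\shell\\'
    r'(?P<verb>[^\\]+)\\command\\? = "(?P<value>.*)"$', re.IGNORECASE)

MAL_EXE = r"C:\\Users\\Admin\\AppData\\Local\\Temp\\2759e2d64c124380cc1bbaa512efa92771d613869db671179032221e2b0e878fN.exe"


def _row(progid, verb, value):
    # Builds one row in the report's shape (backslashes doubled as the report prints them).
    return rf'\REGISTRY\MACHINE\SOFTWARE\Classes\{progid}\shell\{verb}\command\ = "{value}"'


SAMPLE_ROWS = [  # constructed from the table above; the last row is a stock handler for contrast
    _row("txtfile", "open", f"{MAL_EXE} NTPAD %1"),
    _row("batfile", "open", f"{MAL_EXE} BATCF %1"),
    _row("giffile", "Open", f"{MAL_EXE} JPGIF %1"),
    _row("htmlfile", "open", f"{MAL_EXE} HTMWF %1"),
    _row("rtffile", "open", f"{MAL_EXE} RTFDF %1"),
    _row("inifile", "open", f"{MAL_EXE} NTPAD %1"),
    _row("cmdfile", "open", f"{MAL_EXE} CMDSF %1"),
    _row("VBSFile", "Open", f"{MAL_EXE} VBSSF %1"),
    _row("xmlfile", "Open", f"{MAL_EXE} NTPAD %1"),
    _row("inffile", "open", f"{MAL_EXE} NTPAD %1"),
    _row("txtfile", "open", r"%SystemRoot%\\system32\\NOTEPAD.EXE %1"),  # benign, constructed
]


@dataclass
class Finding:
    progid: str
    verb: str
    handler: str   # executable the shell verb now launches
    args: str      # remaining command line (the sample's dispatch tag, then %1)
    reason: str


def parse_row(row):
    """Return (progid, verb, handler, args) for one report row, or None."""
    m = ROW_RE.match(row)
    if not m:
        return None
    value = m.group("value").replace("\\\\", "\\")   # undo the report's escaping
    if value.startswith('"'):                          # quoted handler path
        end = value.find('"', 1)
        handler, args = value[1:end], value[end + 1:].strip()
    else:                                              # unquoted: first token is the image
        handler, _, args = value.partition(" ")
    return m.group("progid"), m.group("verb"), handler, args


def audit(rows):
    """Flag every shell verb whose handler lives outside the trusted prefixes."""
    findings = []
    for row in rows:
        parsed = parse_row(row)
        if parsed is None:
            continue
        progid, verb, handler, args = parsed
        low = handler.lower()
        if low.startswith(TRUSTED_PREFIXES):
            continue
        reason = ("handler in user Temp directory" if "\\appdata\\local\\temp\\" in low
                  else "handler outside trusted program directories")
        findings.append(Finding(progid, verb, handler, args, reason))
    return findings


def by_mode(findings):
    """Group hijacked ProgIDs by the tag the sample passes itself (NTPAD, BATCF, ...)."""
    modes = {}
    for f in findings:
        tag = f.args.split()[0] if f.args else ""
        modes.setdefault(tag, []).append(f.progid)
    return modes


if __name__ == "__main__":
    hits = audit(SAMPLE_ROWS)
    for h in hits:
        print(f"{h.progid:<9} {h.verb:<5} -> {h.handler}  [{h.reason}]")
    for tag, progids in sorted(by_mode(hits).items()):
        print(f"tag {tag}: {', '.join(progids)}")
```

The grouping is the useful triage output: four text-like ProgIDs (txtfile, inifile, xmlfile, inffile) all route through the NTPAD tag, which tells you the sample proxies them to Notepad after doing its own work, while batfile, cmdfile and VBSFile get their own tags because the sample must hand `%1` to the real script host to keep the victim's scripts working. Cleanup means restoring each verb to its stock handler, not just deleting the dropped executable, or every affected file type stops opening.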
Modifies registry key
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\reg.exe | N/A |
| N/A | N/A | C:\Windows\System32\reg.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2759e2d64c124380cc1bbaa512efa92771d613869db671179032221e2b0e878fN.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2759e2d64c124380cc1bbaa512efa92771d613869db671179032221e2b0e878fN.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\System32\takeown.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\System32\takeown.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\System32\takeown.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\System32\takeown.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\System32\takeown.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\System32\takeown.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\System32\takeown.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\System32\takeown.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\System32\takeown.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\System32\takeown.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\System32\takeown.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\System32\takeown.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\System32\takeown.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\System32\takeown.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\System32\takeown.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\System32\takeown.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\System32\takeown.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\System32\takeown.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\System32\takeown.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\System32\takeown.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\System32\takeown.exe | N/A |
Suspicious use of WriteProcessMemory
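The "UAC bypass", "Disables Task Manager", "Modifies file permissions" and SeTakeOwnershipPrivilege signatures above all come from child processes whose command lines are listed under Processes: two `reg.exe add` calls that set `EnableLUA=0` under HKLM and `DisableTaskMgr=1` under HKCU, and then a long run of `takeown.exe /F <path>` immediately followed by `icacls.exe <path> /GRANT:r Admin:(F)` against binaries under C:\Windows, C:\Windows\System32 and C:\Windows\SysWOW64. Taking ownership is what lets the sample overwrite wowreg32.exe afterwards (the "Drops file in System32 directory" signature), and it repeats the pair on that one file dozens of times. The following added example (not part of the sandbox report) runs a detection pass over command lines in this report's shape: it flags the two policy changes and every takeown-then-icacls pair on an OS binary, and counts how often each target was hit. The sample command lines are constructed from the list below; restricting the permission check to paths under C:\Windows is an assumption made to keep legitimate admin use of the same two tools out of the result.

```python
import re
from collections import Counter
from dataclasses import dataclass

# Constructed sample, in the shape of this report's "Processes" command lines
# (sandbox host KVIWLPUJ and user Admin kept as recorded).
SAMPLE_CMDLINES = [
    r'"C:\Windows\System32\reg.exe" ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f',
    r'"C:\Windows\System32\reg.exe" add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f',
    r'"C:\Windows\System32\takeown.exe" /S KVIWLPUJ /U Admin /F "C:\Windows\bfsvc.exe"',
    r'"C:\Windows\System32\icacls.exe" "C:\Windows\bfsvc.exe" /INHERITANCE:e /GRANT:r Admin:(F)',
    r'"C:\Windows\System32\takeown.exe" /S KVIWLPUJ /U Admin /F "C:\Windows\SysWOW64\mavinject.exe"',
    r'"C:\Windows\System32\icacls.exe" "C:\Windows\SysWOW64\mavinject.exe" /INHERITANCE:e /GRANT:r Admin:(F)',
    r'"C:\Windows\System32\takeown.exe" /S KVIWLPUJ /U Admin /F "C:\Windows\System32\wowreg32.exe"',
    r'"C:\Windows\System32\icacls.exe" "C:\Windows\System32\wowreg32.exe" /INHERITANCE:e /GRANT:r Admin:(F)',
    r'"C:\Windows\System32\takeown.exe" /S KVIWLPUJ /U Admin /F "C:\Windows\System32\wowreg32.exe"',
    r'"C:\Windows\System32\icacls.exe" "C:\Windows\System32\wowreg32.exe" /INHERITANCE:e /GRANT:r Admin:(F)',
    r'\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1',
]

# Policy values this sample sets; the "bad" data is what the report records.
POLICY_VALUES = {
    "enablelua": ("0", "UAC disabled (EnableLUA=0)"),
    "disabletaskmgr": ("1", "Task Manager disabled (DisableTaskMgr=1)"),
}
SYSTEM_PREFIX = "c:\\windows\\"   # assumption: only OS binaries under here are in scope


@dataclass
class Finding:
    index: int     # position in the command-line sequence
    kind: str      # "policy" or "perm"
    detail: str
    path: str      # registry key or file path


def split_cmdline(cmd):
    """Whitespace-split a Windows command line, keeping quoted spans whole."""
    return [t.strip('"') for t in re.findall(r'"[^"]*"|\S+', cmd)]


def image_name(tokens):
    return tokens[0].rsplit("\\", 1)[-1].lower() if tokens else ""


def flag_after(tokens, flag):
    """Value following a case-insensitive switch such as /v or /F, else None."""
    low = [t.lower() for t in tokens]
    try:
        return tokens[low.index(flag.lower()) + 1]
    except (ValueError, IndexError):
        return None


def analyse(cmdlines):
    """Flag policy tampering via reg.exe and takeown->icacls pairs on OS binaries."""
    findings, owned = [], {}        # owned: path -> index of the takeown that preceded it
    for i, cmd in enumerate(cmdlines):
        tok = split_cmdline(cmd)
        img = image_name(tok)
        if img == "reg.exe" and len(tok) > 2 and tok[1].lower() == "add":
            key = tok[2]
            name = (flag_after(tok, "/v") or "").lower()
            if name in POLICY_VALUES and key.lower().endswith("\\policies\\system"):
                bad, label = POLICY_VALUES[name]
                if flag_after(tok, "/d") == bad:
                    findings.append(Finding(i, "policy", label, key))
        elif img == "takeown.exe":
            path = flag_after(tok, "/F")
            if path and path.lower().startswith(SYSTEM_PREFIX):
                owned[path.lower()] = i
        elif img == "icacls.exe" and len(tok) > 1:
            path = tok[1]
            grant = flag_after(tok, "/GRANT:r") or flag_after(tok, "/GRANT")
            if path.lower() in owned and grant and grant.upper().endswith(":(F)"):
                who = grant.split(":")[0]
                findings.append(Finding(i, "perm", f"ownership taken, full control granted to {who}", path))
    return findings


def summarise(findings):
    """Policy labels in order, plus how often each OS binary had its ACL rewritten."""
    policy = [f.detail for f in findings if f.kind == "policy"]
    perms = Counter(f.path.lower() for f in findings if f.kind == "perm")
    return policy, perms


if __name__ == "__main__":
    policy, perms = summarise(analyse(SAMPLE_CMDLINES))
    for p in policy:
        print("policy:", p)
    for path, n in perms.most_common():
        print(f"perm:   {path}  x{n}")
```

Keying the permission finding on the takeown-then-icacls sequence rather than on either tool alone is deliberate: both are signed Windows utilities that administrators run routinely, but a non-installer process taking ownership of a file under C:\Windows and then handing itself full control is the step that turns a user-level foothold into the ability to replace system binaries. Note that `EnableLUA=0` only takes effect at the next logon, so the "UAC bypass" label describes intent recorded in the registry, not an elevation that happened inside the 121-second detonation.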
Processes
C:\Users\Admin\AppData\Local\Temp\2759e2d64c124380cc1bbaa512efa92771d613869db671179032221e2b0e878fN.exe
"C:\Users\Admin\AppData\Local\Temp\2759e2d64c124380cc1bbaa512efa92771d613869db671179032221e2b0e878fN.exe"
C:\Windows\System32\reg.exe
"C:\Windows\System32\reg.exe" ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
C:\Windows\System32\reg.exe
"C:\Windows\System32\reg.exe" add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
C:\Windows\System32\takeown.exe
"C:\Windows\System32\takeown.exe" /S KVIWLPUJ /U Admin /F "C:\Windows\bfsvc.exe"
C:\Windows\System32\icacls.exe
"C:\Windows\System32\icacls.exe" "C:\Windows\bfsvc.exe" /INHERITANCE:e /GRANT:r Admin:(F)
C:\Windows\System32\takeown.exe
"C:\Windows\System32\takeown.exe" /S KVIWLPUJ /U Admin /F "C:\Windows\HelpPane.exe"
C:\Windows\System32\icacls.exe
"C:\Windows\System32\icacls.exe" "C:\Windows\HelpPane.exe" /INHERITANCE:e /GRANT:r Admin:(F)
C:\Windows\System32\takeown.exe
"C:\Windows\System32\takeown.exe" /S KVIWLPUJ /U Admin /F "C:\Windows\hh.exe"
C:\Windows\System32\icacls.exe
"C:\Windows\System32\icacls.exe" "C:\Windows\hh.exe" /INHERITANCE:e /GRANT:r Admin:(F)
C:\Windows\System32\takeown.exe
"C:\Windows\System32\takeown.exe" /S KVIWLPUJ /U Admin /F "C:\Windows\splwow64.exe"
C:\Windows\System32\icacls.exe
"C:\Windows\System32\icacls.exe" "C:\Windows\splwow64.exe" /INHERITANCE:e /GRANT:r Admin:(F)
C:\Windows\System32\takeown.exe
"C:\Windows\System32\takeown.exe" /S KVIWLPUJ /U Admin /F "C:\Windows\winhlp32.exe"
C:\Windows\System32\icacls.exe
"C:\Windows\System32\icacls.exe" "C:\Windows\winhlp32.exe" /INHERITANCE:e /GRANT:r Admin:(F)
C:\Windows\System32\takeown.exe
"C:\Windows\System32\takeown.exe" /S KVIWLPUJ /U Admin /F "C:\Windows\write.exe"
C:\Windows\System32\icacls.exe
"C:\Windows\System32\icacls.exe" "C:\Windows\write.exe" /INHERITANCE:e /GRANT:r Admin:(F)
C:\Windows\System32\takeown.exe
"C:\Windows\System32\takeown.exe" /S KVIWLPUJ /U Admin /F "C:\Windows\SysWOW64\raserver.exe"
C:\Windows\System32\icacls.exe
"C:\Windows\System32\icacls.exe" "C:\Windows\SysWOW64\raserver.exe" /INHERITANCE:e /GRANT:r Admin:(F)
C:\Windows\System32\takeown.exe
"C:\Windows\System32\takeown.exe" /S KVIWLPUJ /U Admin /F "C:\Windows\SysWOW64\msra.exe"
C:\Windows\System32\icacls.exe
"C:\Windows\System32\icacls.exe" "C:\Windows\SysWOW64\msra.exe" /INHERITANCE:e /GRANT:r Admin:(F)
C:\Windows\System32\takeown.exe
"C:\Windows\System32\takeown.exe" /S KVIWLPUJ /U Admin /F "C:\Windows\SysWOW64\quickassist.exe"
C:\Windows\System32\icacls.exe
"C:\Windows\System32\icacls.exe" "C:\Windows\SysWOW64\quickassist.exe" /INHERITANCE:e /GRANT:r Admin:(F)
C:\Windows\System32\takeown.exe
"C:\Windows\System32\takeown.exe" /S KVIWLPUJ /U Admin /F "C:\Windows\SysWOW64\sdchange.exe"
C:\Windows\System32\icacls.exe
"C:\Windows\System32\icacls.exe" "C:\Windows\SysWOW64\sdchange.exe" /INHERITANCE:e /GRANT:r Admin:(F)
C:\Windows\System32\takeown.exe
"C:\Windows\System32\takeown.exe" /S KVIWLPUJ /U Admin /F "C:\Windows\SysWOW64\CameraSettingsUIHost.exe"
C:\Windows\System32\icacls.exe
"C:\Windows\System32\icacls.exe" "C:\Windows\SysWOW64\CameraSettingsUIHost.exe" /INHERITANCE:e /GRANT:r Admin:(F)
C:\Windows\System32\takeown.exe
"C:\Windows\System32\takeown.exe" /S KVIWLPUJ /U Admin /F "C:\Windows\SysWOW64\logagent.exe"
C:\Windows\System32\icacls.exe
"C:\Windows\System32\icacls.exe" "C:\Windows\SysWOW64\logagent.exe" /INHERITANCE:e /GRANT:r Admin:(F)
C:\Windows\System32\takeown.exe
"C:\Windows\System32\takeown.exe" /S KVIWLPUJ /U Admin /F "C:\Windows\SysWOW64\rrinstaller.exe"
C:\Windows\System32\icacls.exe
"C:\Windows\System32\icacls.exe" "C:\Windows\SysWOW64\rrinstaller.exe" /INHERITANCE:e /GRANT:r Admin:(F)
C:\Windows\System32\takeown.exe
"C:\Windows\System32\takeown.exe" /S KVIWLPUJ /U Admin /F "C:\Windows\SysWOW64\gpscript.exe"
C:\Windows\System32\icacls.exe
"C:\Windows\System32\icacls.exe" "C:\Windows\SysWOW64\gpscript.exe" /INHERITANCE:e /GRANT:r Admin:(F)
C:\Windows\System32\takeown.exe
"C:\Windows\System32\takeown.exe" /S KVIWLPUJ /U Admin /F "C:\Windows\SysWOW64\mavinject.exe"
C:\Windows\System32\icacls.exe
"C:\Windows\System32\icacls.exe" "C:\Windows\SysWOW64\mavinject.exe" /INHERITANCE:e /GRANT:r Admin:(F)
C:\Windows\System32\takeown.exe
"C:\Windows\System32\takeown.exe" /S KVIWLPUJ /U Admin /F "C:\Windows\SysWOW64\provlaunch.exe"
C:\Windows\System32\icacls.exe
"C:\Windows\System32\icacls.exe" "C:\Windows\SysWOW64\provlaunch.exe" /INHERITANCE:e /GRANT:r Admin:(F)
C:\Windows\System32\takeown.exe
"C:\Windows\System32\takeown.exe" /S KVIWLPUJ /U Admin /F "C:\Windows\SysWOW64\msinfo32.exe"
C:\Windows\System32\icacls.exe
"C:\Windows\System32\icacls.exe" "C:\Windows\SysWOW64\msinfo32.exe" /INHERITANCE:e /GRANT:r Admin:(F)
C:\Windows\System32\takeown.exe
"C:\Windows\System32\takeown.exe" /S KVIWLPUJ /U Admin /F "C:\Windows\SysWOW64\runas.exe"
C:\Windows\System32\icacls.exe
"C:\Windows\System32\icacls.exe" "C:\Windows\SysWOW64\runas.exe" /INHERITANCE:e /GRANT:r Admin:(F)
C:\Windows\System32\takeown.exe
"C:\Windows\System32\takeown.exe" /S KVIWLPUJ /U Admin /F "C:\Windows\SysWOW64\mstsc.exe"
C:\Windows\System32\icacls.exe
"C:\Windows\System32\icacls.exe" "C:\Windows\SysWOW64\mstsc.exe" /INHERITANCE:e /GRANT:r Admin:(F)
C:\Windows\System32\takeown.exe
"C:\Windows\System32\takeown.exe" /S KVIWLPUJ /U Admin /F "C:\Windows\SysWOW64\sdiagnhost.exe"
C:\Windows\System32\icacls.exe
"C:\Windows\System32\icacls.exe" "C:\Windows\SysWOW64\sdiagnhost.exe" /INHERITANCE:e /GRANT:r Admin:(F)
C:\Windows\System32\takeown.exe
"C:\Windows\System32\takeown.exe" /S KVIWLPUJ /U Admin /F "C:\Windows\System32\wowreg32.exe"
C:\Windows\System32\icacls.exe
"C:\Windows\System32\icacls.exe" "C:\Windows\System32\wowreg32.exe" /INHERITANCE:e /GRANT:r Admin:(F)
C:\Windows\System32\takeown.exe
"C:\Windows\System32\takeown.exe" /S KVIWLPUJ /U Admin /F "C:\Windows\System32\wowreg32.exe"
C:\Windows\System32\icacls.exe
"C:\Windows\System32\icacls.exe" "C:\Windows\System32\wowreg32.exe" /INHERITANCE:e /GRANT:r Admin:(F)
C:\Windows\System32\takeown.exe
"C:\Windows\System32\takeown.exe" /S KVIWLPUJ /U Admin /F "C:\Windows\System32\wowreg32.exe"
C:\Windows\System32\icacls.exe
"C:\Windows\System32\icacls.exe" "C:\Windows\System32\wowreg32.exe" /INHERITANCE:e /GRANT:r Admin:(F)
C:\Windows\System32\takeown.exe
"C:\Windows\System32\takeown.exe" /S KVIWLPUJ /U Admin /F "C:\Windows\System32\wowreg32.exe"
C:\Windows\System32\icacls.exe
"C:\Windows\System32\icacls.exe" "C:\Windows\System32\wowreg32.exe" /INHERITANCE:e /GRANT:r Admin:(F)
C:\Windows\System32\takeown.exe
"C:\Windows\System32\takeown.exe" /S KVIWLPUJ /U Admin /F "C:\Windows\System32\wowreg32.exe"
C:\Windows\System32\icacls.exe
"C:\Windows\System32\icacls.exe" "C:\Windows\System32\wowreg32.exe" /INHERITANCE:e /GRANT:r Admin:(F)
C:\Windows\System32\takeown.exe
"C:\Windows\System32\takeown.exe" /S KVIWLPUJ /U Admin /F "C:\Windows\System32\wowreg32.exe"
C:\Windows\System32\icacls.exe
"C:\Windows\System32\icacls.exe" "C:\Windows\System32\wowreg32.exe" /INHERITANCE:e /GRANT:r Admin:(F)
C:\Windows\System32\takeown.exe
"C:\Windows\System32\takeown.exe" /S KVIWLPUJ /U Admin /F "C:\Windows\System32\wowreg32.exe"
C:\Windows\System32\icacls.exe
"C:\Windows\System32\icacls.exe" "C:\Windows\System32\wowreg32.exe" /INHERITANCE:e /GRANT:r Admin:(F)
C:\Windows\System32\takeown.exe
"C:\Windows\System32\takeown.exe" /S KVIWLPUJ /U Admin /F "C:\Windows\System32\wowreg32.exe"
C:\Windows\System32\icacls.exe
"C:\Windows\System32\icacls.exe" "C:\Windows\System32\wowreg32.exe" /INHERITANCE:e /GRANT:r Admin:(F)
C:\Windows\System32\takeown.exe
"C:\Windows\System32\takeown.exe" /S KVIWLPUJ /U Admin /F "C:\Windows\System32\wowreg32.exe"
C:\Windows\System32\icacls.exe
"C:\Windows\System32\icacls.exe" "C:\Windows\System32\wowreg32.exe" /INHERITANCE:e /GRANT:r Admin:(F)
C:\Windows\System32\takeown.exe
"C:\Windows\System32\takeown.exe" /S KVIWLPUJ /U Admin /F "C:\Windows\System32\wowreg32.exe"
C:\Windows\System32\icacls.exe
"C:\Windows\System32\icacls.exe" "C:\Windows\System32\wowreg32.exe" /INHERITANCE:e /GRANT:r Admin:(F)
C:\Windows\System32\takeown.exe
"C:\Windows\System32\takeown.exe" /S KVIWLPUJ /U Admin /F "C:\Windows\System32\wowreg32.exe"
C:\Windows\System32\icacls.exe
"C:\Windows\System32\icacls.exe" "C:\Windows\System32\wowreg32.exe" /INHERITANCE:e /GRANT:r Admin:(F)
C:\Windows\System32\takeown.exe
"C:\Windows\System32\takeown.exe" /S KVIWLPUJ /U Admin /F "C:\Windows\System32\wowreg32.exe"
C:\Windows\System32\icacls.exe
"C:\Windows\System32\icacls.exe" "C:\Windows\System32\wowreg32.exe" /INHERITANCE:e /GRANT:r Admin:(F)
C:\Windows\System32\takeown.exe
"C:\Windows\System32\takeown.exe" /S KVIWLPUJ /U Admin /F "C:\Windows\System32\wowreg32.exe"
C:\Windows\System32\icacls.exe
"C:\Windows\System32\icacls.exe" "C:\Windows\System32\wowreg32.exe" /INHERITANCE:e /GRANT:r Admin:(F)
C:\Windows\System32\takeown.exe
"C:\Windows\System32\takeown.exe" /S KVIWLPUJ /U Admin /F "C:\Windows\System32\wowreg32.exe"
C:\Windows\System32\icacls.exe
"C:\Windows\System32\icacls.exe" "C:\Windows\System32\wowreg32.exe" /INHERITANCE:e /GRANT:r Admin:(F)
C:\Windows\System32\takeown.exe
"C:\Windows\System32\takeown.exe" /S KVIWLPUJ /U Admin /F "C:\Windows\System32\wowreg32.exe"
C:\Windows\System32\icacls.exe
"C:\Windows\System32\icacls.exe" "C:\Windows\System32\wowreg32.exe" /INHERITANCE:e /GRANT:r Admin:(F)
C:\Windows\System32\takeown.exe
"C:\Windows\System32\takeown.exe" /S KVIWLPUJ /U Admin /F "C:\Windows\System32\wowreg32.exe"
C:\Windows\System32\icacls.exe
"C:\Windows\System32\icacls.exe" "C:\Windows\System32\wowreg32.exe" /INHERITANCE:e /GRANT:r Admin:(F)
C:\Windows\System32\takeown.exe
"C:\Windows\System32\takeown.exe" /S KVIWLPUJ /U Admin /F "C:\Windows\System32\wowreg32.exe"
C:\Windows\System32\icacls.exe
"C:\Windows\System32\icacls.exe" "C:\Windows\System32\wowreg32.exe" /INHERITANCE:e /GRANT:r Admin:(F)
C:\Windows\System32\takeown.exe
"C:\Windows\System32\takeown.exe" /S KVIWLPUJ /U Admin /F "C:\Windows\System32\wowreg32.exe"
C:\Windows\System32\icacls.exe
"C:\Windows\System32\icacls.exe" "C:\Windows\System32\wowreg32.exe" /INHERITANCE:e /GRANT:r Admin:(F)
C:\Windows\System32\takeown.exe
"C:\Windows\System32\takeown.exe" /S KVIWLPUJ /U Admin /F "C:\Windows\System32\wowreg32.exe"
C:\Windows\System32\icacls.exe
"C:\Windows\System32\icacls.exe" "C:\Windows\System32\wowreg32.exe" /INHERITANCE:e /GRANT:r Admin:(F)
C:\Windows\System32\takeown.exe
"C:\Windows\System32\takeown.exe" /S KVIWLPUJ /U Admin /F "C:\Windows\System32\wowreg32.exe"
C:\Windows\System32\icacls.exe
"C:\Windows\System32\icacls.exe" "C:\Windows\System32\wowreg32.exe" /INHERITANCE:e /GRANT:r Admin:(F)
C:\Windows\System32\takeown.exe
"C:\Windows\System32\takeown.exe" /S KVIWLPUJ /U Admin /F "C:\Windows\System32\wowreg32.exe"
C:\Windows\System32\icacls.exe
"C:\Windows\System32\icacls.exe" "C:\Windows\System32\wowreg32.exe" /INHERITANCE:e /GRANT:r Admin:(F)
C:\Windows\System32\takeown.exe
"C:\Windows\System32\takeown.exe" /S KVIWLPUJ /U Admin /F "C:\Windows\System32\wowreg32.exe"
C:\Windows\System32\icacls.exe
"C:\Windows\System32\icacls.exe" "C:\Windows\System32\wowreg32.exe" /INHERITANCE:e /GRANT:r Admin:(F)
C:\Windows\System32\takeown.exe
"C:\Windows\System32\takeown.exe" /S KVIWLPUJ /U Admin /F "C:\Windows\System32\wowreg32.exe"
C:\Windows\System32\icacls.exe
"C:\Windows\System32\icacls.exe" "C:\Windows\System32\wowreg32.exe" /INHERITANCE:e /GRANT:r Admin:(F)
C:\Windows\System32\takeown.exe
"C:\Windows\System32\takeown.exe" /S KVIWLPUJ /U Admin /F "C:\Windows\System32\wowreg32.exe"
C:\Windows\System32\icacls.exe
"C:\Windows\System32\icacls.exe" "C:\Windows\System32\wowreg32.exe" /INHERITANCE:e /GRANT:r Admin:(F)
C:\Windows\System32\takeown.exe
"C:\Windows\System32\takeown.exe" /S KVIWLPUJ /U Admin /F "C:\Windows\System32\wowreg32.exe"
C:\Windows\System32\icacls.exe
"C:\Windows\System32\icacls.exe" "C:\Windows\System32\wowreg32.exe" /INHERITANCE:e /GRANT:r Admin:(F)
C:\Windows\System32\takeown.exe
"C:\Windows\System32\takeown.exe" /S KVIWLPUJ /U Admin /F "C:\Windows\System32\wowreg32.exe"
C:\Windows\System32\icacls.exe
"C:\Windows\System32\icacls.exe" "C:\Windows\System32\wowreg32.exe" /INHERITANCE:e /GRANT:r Admin:(F)
C:\Windows\System32\takeown.exe
"C:\Windows\System32\takeown.exe" /S KVIWLPUJ /U Admin /F "C:\Windows\System32\wowreg32.exe"
C:\Windows\System32\icacls.exe
"C:\Windows\System32\icacls.exe" "C:\Windows\System32\wowreg32.exe" /INHERITANCE:e /GRANT:r Admin:(F)
C:\Windows\System32\takeown.exe
"C:\Windows\System32\takeown.exe" /S KVIWLPUJ /U Admin /F "C:\Windows\System32\wowreg32.exe"
C:\Windows\System32\icacls.exe
"C:\Windows\System32\icacls.exe" "C:\Windows\System32\wowreg32.exe" /INHERITANCE:e /GRANT:r Admin:(F)
C:\Windows\System32\takeown.exe
"C:\Windows\System32\takeown.exe" /S KVIWLPUJ /U Admin /F "C:\Windows\System32\wowreg32.exe"
C:\Windows\System32\icacls.exe
"C:\Windows\System32\icacls.exe" "C:\Windows\System32\wowreg32.exe" /INHERITANCE:e /GRANT:r Admin:(F)
C:\Windows\System32\takeown.exe
"C:\Windows\System32\takeown.exe" /S KVIWLPUJ /U Admin /F "C:\Windows\System32\wowreg32.exe"
C:\Windows\System32\icacls.exe
"C:\Windows\System32\icacls.exe" "C:\Windows\System32\wowreg32.exe" /INHERITANCE:e /GRANT:r Admin:(F)
C:\Windows\System32\takeown.exe
"C:\Windows\System32\takeown.exe" /S KVIWLPUJ /U Admin /F "C:\Windows\System32\wowreg32.exe"
C:\Windows\System32\icacls.exe
"C:\Windows\System32\icacls.exe" "C:\Windows\System32\wowreg32.exe" /INHERITANCE:e /GRANT:r Admin:(F)
C:\Windows\System32\takeown.exe
"C:\Windows\System32\takeown.exe" /S KVIWLPUJ /U Admin /F "C:\Windows\System32\wowreg32.exe"
C:\Windows\System32\icacls.exe
"C:\Windows\System32\icacls.exe" "C:\Windows\System32\wowreg32.exe" /INHERITANCE:e /GRANT:r Admin:(F)
C:\Windows\System32\takeown.exe
"C:\Windows\System32\takeown.exe" /S KVIWLPUJ /U Admin /F "C:\Windows\System32\wowreg32.exe"
C:\Windows\System32\icacls.exe
"C:\Windows\System32\icacls.exe" "C:\Windows\System32\wowreg32.exe" /INHERITANCE:e /GRANT:r Admin:(F)
C:\Windows\System32\takeown.exe
"C:\Windows\System32\takeown.exe" /S KVIWLPUJ /U Admin /F "C:\Windows\System32\wowreg32.exe"
C:\Windows\System32\icacls.exe
"C:\Windows\System32\icacls.exe" "C:\Windows\System32\wowreg32.exe" /INHERITANCE:e /GRANT:r Admin:(F)
C:\Windows\System32\takeown.exe
"C:\Windows\System32\takeown.exe" /S KVIWLPUJ /U Admin /F "C:\Windows\System32\wowreg32.exe"
C:\Windows\System32\icacls.exe
"C:\Windows\System32\icacls.exe" "C:\Windows\System32\wowreg32.exe" /INHERITANCE:e /GRANT:r Admin:(F)
C:\Windows\System32\takeown.exe
"C:\Windows\System32\takeown.exe" /S KVIWLPUJ /U Admin /F "C:\Windows\System32\wowreg32.exe"
C:\Windows\System32\icacls.exe
"C:\Windows\System32\icacls.exe" "C:\Windows\System32\wowreg32.exe" /INHERITANCE:e /GRANT:r Admin:(F)
C:\Windows\System32\takeown.exe
"C:\Windows\System32\takeown.exe" /S KVIWLPUJ /U Admin /F "C:\Windows\System32\wowreg32.exe"
C:\Windows\System32\icacls.exe
"C:\Windows\System32\icacls.exe" "C:\Windows\System32\wowreg32.exe" /INHERITANCE:e /GRANT:r Admin:(F)
C:\Windows\System32\takeown.exe
"C:\Windows\System32\takeown.exe" /S KVIWLPUJ /U Admin /F "C:\Windows\System32\wowreg32.exe"
C:\Windows\System32\icacls.exe
"C:\Windows\System32\icacls.exe" "C:\Windows\System32\wowreg32.exe" /INHERITANCE:e /GRANT:r Admin:(F)
C:\Windows\System32\takeown.exe
"C:\Windows\System32\takeown.exe" /S KVIWLPUJ /U Admin /F "C:\Windows\System32\wowreg32.exe"
C:\Windows\System32\icacls.exe
"C:\Windows\System32\icacls.exe" "C:\Windows\System32\wowreg32.exe" /INHERITANCE:e /GRANT:r Admin:(F)
C:\Windows\System32\takeown.exe
"C:\Windows\System32\takeown.exe" /S KVIWLPUJ /U Admin /F "C:\Windows\System32\wowreg32.exe"
C:\Windows\System32\icacls.exe
"C:\Windows\System32\icacls.exe" "C:\Windows\System32\wowreg32.exe" /INHERITANCE:e /GRANT:r Admin:(F)
C:\Windows\System32\takeown.exe
"C:\Windows\System32\takeown.exe" /S KVIWLPUJ /U Admin /F "C:\Windows\System32\wowreg32.exe"
C:\Windows\System32\icacls.exe
"C:\Windows\System32\icacls.exe" "C:\Windows\System32\wowreg32.exe" /INHERITANCE:e /GRANT:r Admin:(F)
C:\Windows\System32\takeown.exe
"C:\Windows\System32\takeown.exe" /S KVIWLPUJ /U Admin /F "C:\Windows\System32\wowreg32.exe"
C:\Windows\System32\icacls.exe
"C:\Windows\System32\icacls.exe" "C:\Windows\System32\wowreg32.exe" /INHERITANCE:e /GRANT:r Admin:(F)
C:\Windows\System32\takeown.exe
"C:\Windows\System32\takeown.exe" /S KVIWLPUJ /U Admin /F "C:\Windows\System32\wowreg32.exe"
C:\Windows\System32\icacls.exe
"C:\Windows\System32\icacls.exe" "C:\Windows\System32\wowreg32.exe" /INHERITANCE:e /GRANT:r Admin:(F)
C:\Windows\System32\takeown.exe
"C:\Windows\System32\takeown.exe" /S KVIWLPUJ /U Admin /F "C:\Windows\System32\wowreg32.exe"
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\System32\icacls.exe
"C:\Windows\System32\icacls.exe" "C:\Windows\System32\wowreg32.exe" /INHERITANCE:e /GRANT:r Admin:(F)
C:\Windows\System32\takeown.exe
"C:\Windows\System32\takeown.exe" /S KVIWLPUJ /U Admin /F "C:\Windows\System32\wowreg32.exe"
C:\Windows\System32\icacls.exe
"C:\Windows\System32\icacls.exe" "C:\Windows\System32\wowreg32.exe" /INHERITANCE:e /GRANT:r Admin:(F)
C:\Windows\System32\takeown.exe
"C:\Windows\System32\takeown.exe" /S KVIWLPUJ /U Admin /F "C:\Windows\System32\wowreg32.exe"
C:\Windows\System32\icacls.exe
"C:\Windows\System32\icacls.exe" "C:\Windows\System32\wowreg32.exe" /INHERITANCE:e /GRANT:r Admin:(F)
C:\Windows\System32\takeown.exe
"C:\Windows\System32\takeown.exe" /S KVIWLPUJ /U Admin /F "C:\Windows\System32\wowreg32.exe"
C:\Windows\System32\icacls.exe
"C:\Windows\System32\icacls.exe" "C:\Windows\System32\wowreg32.exe" /INHERITANCE:e /GRANT:r Admin:(F)
C:\Windows\System32\takeown.exe
"C:\Windows\System32\takeown.exe" /S KVIWLPUJ /U Admin /F "C:\Windows\System32\wowreg32.exe"
C:\Windows\System32\icacls.exe
"C:\Windows\System32\icacls.exe" "C:\Windows\System32\wowreg32.exe" /INHERITANCE:e /GRANT:r Admin:(F)
C:\Windows\System32\takeown.exe
"C:\Windows\System32\takeown.exe" /S KVIWLPUJ /U Admin /F "C:\Windows\System32\wowreg32.exe"
C:\Windows\System32\icacls.exe
"C:\Windows\System32\icacls.exe" "C:\Windows\System32\wowreg32.exe" /INHERITANCE:e /GRANT:r Admin:(F)
C:\Windows\System32\takeown.exe
"C:\Windows\System32\takeown.exe" /S KVIWLPUJ /U Admin /F "C:\Windows\System32\wowreg32.exe"
C:\Windows\System32\icacls.exe
"C:\Windows\System32\icacls.exe" "C:\Windows\System32\wowreg32.exe" /INHERITANCE:e /GRANT:r Admin:(F)
C:\Windows\System32\takeown.exe
"C:\Windows\System32\takeown.exe" /S KVIWLPUJ /U Admin /F "C:\Windows\System32\wowreg32.exe"
C:\Windows\System32\icacls.exe
"C:\Windows\System32\icacls.exe" "C:\Windows\System32\wowreg32.exe" /INHERITANCE:e /GRANT:r Admin:(F)
C:\Windows\System32\takeown.exe
"C:\Windows\System32\takeown.exe" /S KVIWLPUJ /U Admin /F "C:\Windows\System32\wowreg32.exe"
C:\Windows\System32\icacls.exe
"C:\Windows\System32\icacls.exe" "C:\Windows\System32\wowreg32.exe" /INHERITANCE:e /GRANT:r Admin:(F)
C:\Windows\System32\takeown.exe
"C:\Windows\System32\takeown.exe" /S KVIWLPUJ /U Admin /F "C:\Windows\System32\wowreg32.exe"
C:\Windows\System32\icacls.exe
"C:\Windows\System32\icacls.exe" "C:\Windows\System32\wowreg32.exe" /INHERITANCE:e /GRANT:r Admin:(F)
C:\Windows\System32\takeown.exe
"C:\Windows\System32\takeown.exe" /S KVIWLPUJ /U Admin /F "C:\Windows\System32\wowreg32.exe"
C:\Windows\System32\icacls.exe
"C:\Windows\System32\icacls.exe" "C:\Windows\System32\wowreg32.exe" /INHERITANCE:e /GRANT:r Admin:(F)
C:\Windows\System32\takeown.exe
"C:\Windows\System32\takeown.exe" /S KVIWLPUJ /U Admin /F "C:\Windows\System32\wowreg32.exe"
C:\Windows\System32\icacls.exe
"C:\Windows\System32\icacls.exe" "C:\Windows\System32\wowreg32.exe" /INHERITANCE:e /GRANT:r Admin:(F)
C:\Windows\System32\takeown.exe
"C:\Windows\System32\takeown.exe" /S KVIWLPUJ /U Admin /F "C:\Windows\System32\wowreg32.exe"
C:\Windows\System32\icacls.exe
"C:\Windows\System32\icacls.exe" "C:\Windows\System32\wowreg32.exe" /INHERITANCE:e /GRANT:r Admin:(F)
C:\Windows\System32\takeown.exe
"C:\Windows\System32\takeown.exe" /S KVIWLPUJ /U Admin /F "C:\Windows\System32\wowreg32.exe"
C:\Windows\System32\icacls.exe
"C:\Windows\System32\icacls.exe" "C:\Windows\System32\wowreg32.exe" /INHERITANCE:e /GRANT:r Admin:(F)
C:\Windows\System32\takeown.exe
"C:\Windows\System32\takeown.exe" /S KVIWLPUJ /U Admin /F "C:\Windows\System32\wowreg32.exe"
C:\Windows\System32\icacls.exe
"C:\Windows\System32\icacls.exe" "C:\Windows\System32\wowreg32.exe" /INHERITANCE:e /GRANT:r Admin:(F)
C:\Windows\System32\takeown.exe
"C:\Windows\System32\takeown.exe" /S KVIWLPUJ /U Admin /F "C:\Windows\System32\wowreg32.exe"
C:\Windows\System32\icacls.exe
"C:\Windows\System32\icacls.exe" "C:\Windows\System32\wowreg32.exe" /INHERITANCE:e /GRANT:r Admin:(F)
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\System32\takeown.exe
"C:\Windows\System32\takeown.exe" /S KVIWLPUJ /U Admin /F "C:\Windows\System32\wowreg32.exe"
C:\Windows\System32\icacls.exe
"C:\Windows\System32\icacls.exe" "C:\Windows\System32\wowreg32.exe" /INHERITANCE:e /GRANT:r Admin:(F)
C:\Windows\System32\takeown.exe
"C:\Windows\System32\takeown.exe" /S KVIWLPUJ /U Admin /F "C:\Windows\System32\wowreg32.exe"
C:\Windows\System32\icacls.exe
"C:\Windows\System32\icacls.exe" "C:\Windows\System32\wowreg32.exe" /INHERITANCE:e /GRANT:r Admin:(F)
C:\Windows\System32\takeown.exe
"C:\Windows\System32\takeown.exe" /S KVIWLPUJ /U Admin /F "C:\Windows\System32\wowreg32.exe"
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\System32\icacls.exe
"C:\Windows\System32\icacls.exe" "C:\Windows\System32\wowreg32.exe" /INHERITANCE:e /GRANT:r Admin:(F)
C:\Windows\System32\takeown.exe
"C:\Windows\System32\takeown.exe" /S KVIWLPUJ /U Admin /F "C:\Windows\System32\wowreg32.exe"
C:\Windows\System32\icacls.exe
"C:\Windows\System32\icacls.exe" "C:\Windows\System32\wowreg32.exe" /INHERITANCE:e /GRANT:r Admin:(F)
C:\Windows\System32\takeown.exe
"C:\Windows\System32\takeown.exe" /S KVIWLPUJ /U Admin /F "C:\Windows\System32\wowreg32.exe"
C:\Windows\System32\icacls.exe
"C:\Windows\System32\icacls.exe" "C:\Windows\System32\wowreg32.exe" /INHERITANCE:e /GRANT:r Admin:(F)
C:\Windows\System32\takeown.exe
"C:\Windows\System32\takeown.exe" /S KVIWLPUJ /U Admin /F "C:\Windows\System32\wowreg32.exe"
C:\Windows\System32\icacls.exe
"C:\Windows\System32\icacls.exe" "C:\Windows\System32\wowreg32.exe" /INHERITANCE:e /GRANT:r Admin:(F)
C:\Windows\System32\takeown.exe
"C:\Windows\System32\takeown.exe" /S KVIWLPUJ /U Admin /F "C:\Windows\System32\wowreg32.exe"
C:\Windows\System32\icacls.exe
"C:\Windows\System32\icacls.exe" "C:\Windows\System32\wowreg32.exe" /INHERITANCE:e /GRANT:r Admin:(F)
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\System32\takeown.exe
"C:\Windows\System32\takeown.exe" /S KVIWLPUJ /U Admin /F "C:\Windows\System32\wowreg32.exe"
C:\Windows\System32\icacls.exe
"C:\Windows\System32\icacls.exe" "C:\Windows\System32\wowreg32.exe" /INHERITANCE:e /GRANT:r Admin:(F)
C:\Windows\System32\takeown.exe
"C:\Windows\System32\takeown.exe" /S KVIWLPUJ /U Admin /F "C:\Windows\System32\wowreg32.exe"
C:\Windows\System32\icacls.exe
"C:\Windows\System32\icacls.exe" "C:\Windows\System32\wowreg32.exe" /INHERITANCE:e /GRANT:r Admin:(F)
C:\Windows\System32\takeown.exe
"C:\Windows\System32\takeown.exe" /S KVIWLPUJ /U Admin /F "C:\Windows\System32\wowreg32.exe"
C:\Windows\System32\icacls.exe
"C:\Windows\System32\icacls.exe" "C:\Windows\System32\wowreg32.exe" /INHERITANCE:e /GRANT:r Admin:(F)
C:\Windows\System32\takeown.exe
"C:\Windows\System32\takeown.exe" /S KVIWLPUJ /U Admin /F "C:\Windows\System32\wowreg32.exe"
C:\Windows\System32\icacls.exe
"C:\Windows\System32\icacls.exe" "C:\Windows\System32\wowreg32.exe" /INHERITANCE:e /GRANT:r Admin:(F)
C:\Windows\System32\takeown.exe
"C:\Windows\System32\takeown.exe" /S KVIWLPUJ /U Admin /F "C:\Windows\System32\wowreg32.exe"
C:\Windows\System32\icacls.exe
"C:\Windows\System32\icacls.exe" "C:\Windows\System32\wowreg32.exe" /INHERITANCE:e /GRANT:r Admin:(F)
C:\Windows\System32\takeown.exe
"C:\Windows\System32\takeown.exe" /S KVIWLPUJ /U Admin /F "C:\Windows\System32\wowreg32.exe"
C:\Windows\System32\icacls.exe
"C:\Windows\System32\icacls.exe" "C:\Windows\System32\wowreg32.exe" /INHERITANCE:e /GRANT:r Admin:(F)
C:\Windows\System32\takeown.exe
"C:\Windows\System32\takeown.exe" /S KVIWLPUJ /U Admin /F "C:\Windows\System32\wowreg32.exe"
C:\Windows\System32\icacls.exe
"C:\Windows\System32\icacls.exe" "C:\Windows\System32\wowreg32.exe" /INHERITANCE:e /GRANT:r Admin:(F)
C:\Windows\System32\takeown.exe
"C:\Windows\System32\takeown.exe" /S KVIWLPUJ /U Admin /F "C:\Windows\System32\wowreg32.exe"
C:\Windows\System32\icacls.exe
"C:\Windows\System32\icacls.exe" "C:\Windows\System32\wowreg32.exe" /INHERITANCE:e /GRANT:r Admin:(F)
C:\Windows\System32\takeown.exe
"C:\Windows\System32\takeown.exe" /S KVIWLPUJ /U Admin /F "C:\Windows\System32\wowreg32.exe"
C:\Windows\System32\icacls.exe
"C:\Windows\System32\icacls.exe" "C:\Windows\System32\wowreg32.exe" /INHERITANCE:e /GRANT:r Admin:(F)
C:\Windows\System32\takeown.exe
"C:\Windows\System32\takeown.exe" /S KVIWLPUJ /U Admin /F "C:\Windows\System32\wowreg32.exe"
C:\Windows\System32\icacls.exe
"C:\Windows\System32\icacls.exe" "C:\Windows\System32\wowreg32.exe" /INHERITANCE:e /GRANT:r Admin:(F)
C:\Windows\System32\takeown.exe
"C:\Windows\System32\takeown.exe" /S KVIWLPUJ /U Admin /F "C:\Windows\System32\wowreg32.exe"
C:\Windows\System32\icacls.exe
"C:\Windows\System32\icacls.exe" "C:\Windows\System32\wowreg32.exe" /INHERITANCE:e /GRANT:r Admin:(F)
C:\Windows\System32\takeown.exe
"C:\Windows\System32\takeown.exe" /S KVIWLPUJ /U Admin /F "C:\Windows\System32\wowreg32.exe"
C:\Windows\System32\icacls.exe
"C:\Windows\System32\icacls.exe" "C:\Windows\System32\wowreg32.exe" /INHERITANCE:e /GRANT:r Admin:(F)
C:\Windows\System32\takeown.exe
"C:\Windows\System32\takeown.exe" /S KVIWLPUJ /U Admin /F "C:\Windows\System32\wowreg32.exe"
C:\Windows\System32\icacls.exe
"C:\Windows\System32\icacls.exe" "C:\Windows\System32\wowreg32.exe" /INHERITANCE:e /GRANT:r Admin:(F)
C:\Windows\System32\takeown.exe
"C:\Windows\System32\takeown.exe" /S KVIWLPUJ /U Admin /F "C:\Windows\System32\wowreg32.exe"
C:\Windows\System32\icacls.exe
"C:\Windows\System32\icacls.exe" "C:\Windows\System32\wowreg32.exe" /INHERITANCE:e /GRANT:r Admin:(F)
C:\Windows\System32\takeown.exe
"C:\Windows\System32\takeown.exe" /S KVIWLPUJ /U Admin /F "C:\Windows\System32\wowreg32.exe"
C:\Windows\System32\icacls.exe
"C:\Windows\System32\icacls.exe" "C:\Windows\System32\wowreg32.exe" /INHERITANCE:e /GRANT:r Admin:(F)
C:\Windows\System32\takeown.exe
"C:\Windows\System32\takeown.exe" /S KVIWLPUJ /U Admin /F "C:\Windows\System32\wowreg32.exe"
C:\Windows\System32\icacls.exe
"C:\Windows\System32\icacls.exe" "C:\Windows\System32\wowreg32.exe" /INHERITANCE:e /GRANT:r Admin:(F)
C:\Windows\System32\takeown.exe
"C:\Windows\System32\takeown.exe" /S KVIWLPUJ /U Admin /F "C:\Windows\System32\wowreg32.exe"
C:\Windows\System32\icacls.exe
"C:\Windows\System32\icacls.exe" "C:\Windows\System32\wowreg32.exe" /INHERITANCE:e /GRANT:r Admin:(F)
C:\Windows\System32\takeown.exe
"C:\Windows\System32\takeown.exe" /S KVIWLPUJ /U Admin /F "C:\Windows\System32\wowreg32.exe"
C:\Windows\System32\icacls.exe
"C:\Windows\System32\icacls.exe" "C:\Windows\System32\wowreg32.exe" /INHERITANCE:e /GRANT:r Admin:(F)
C:\Windows\System32\takeown.exe
"C:\Windows\System32\takeown.exe" /S KVIWLPUJ /U Admin /F "C:\Windows\System32\wowreg32.exe"
C:\Windows\System32\icacls.exe
"C:\Windows\System32\icacls.exe" "C:\Windows\System32\wowreg32.exe" /INHERITANCE:e /GRANT:r Admin:(F)
C:\Windows\System32\takeown.exe
"C:\Windows\System32\takeown.exe" /S KVIWLPUJ /U Admin /F "C:\Windows\System32\wowreg32.exe"
C:\Windows\System32\icacls.exe
"C:\Windows\System32\icacls.exe" "C:\Windows\System32\wowreg32.exe" /INHERITANCE:e /GRANT:r Admin:(F)
C:\Windows\System32\takeown.exe
"C:\Windows\System32\takeown.exe" /S KVIWLPUJ /U Admin /F "C:\Windows\System32\wowreg32.exe"
C:\Windows\System32\icacls.exe
"C:\Windows\System32\icacls.exe" "C:\Windows\System32\wowreg32.exe" /INHERITANCE:e /GRANT:r Admin:(F)
C:\Windows\System32\takeown.exe
"C:\Windows\System32\takeown.exe" /S KVIWLPUJ /U Admin /F "C:\Windows\System32\wowreg32.exe"
C:\Windows\System32\icacls.exe
"C:\Windows\System32\icacls.exe" "C:\Windows\System32\wowreg32.exe" /INHERITANCE:e /GRANT:r Admin:(F)
C:\Windows\System32\takeown.exe
"C:\Windows\System32\takeown.exe" /S KVIWLPUJ /U Admin /F "C:\Windows\System32\wowreg32.exe"
C:\Windows\System32\icacls.exe
"C:\Windows\System32\icacls.exe" "C:\Windows\System32\wowreg32.exe" /INHERITANCE:e /GRANT:r Admin:(F)
C:\Windows\System32\takeown.exe
"C:\Windows\System32\takeown.exe" /S KVIWLPUJ /U Admin /F "C:\Windows\System32\wowreg32.exe"
C:\Windows\System32\icacls.exe
"C:\Windows\System32\icacls.exe" "C:\Windows\System32\wowreg32.exe" /INHERITANCE:e /GRANT:r Admin:(F)
C:\Windows\System32\takeown.exe
"C:\Windows\System32\takeown.exe" /S KVIWLPUJ /U Admin /F "C:\Windows\System32\wowreg32.exe"
C:\Windows\System32\icacls.exe
"C:\Windows\System32\icacls.exe" "C:\Windows\System32\wowreg32.exe" /INHERITANCE:e /GRANT:r Admin:(F)
C:\Windows\System32\takeown.exe
"C:\Windows\System32\takeown.exe" /S KVIWLPUJ /U Admin /F "C:\Windows\System32\wowreg32.exe"
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\System32\icacls.exe
"C:\Windows\System32\icacls.exe" "C:\Windows\System32\wowreg32.exe" /INHERITANCE:e /GRANT:r Admin:(F)
C:\Windows\System32\takeown.exe
"C:\Windows\System32\takeown.exe" /S KVIWLPUJ /U Admin /F "C:\Windows\System32\wowreg32.exe"
C:\Windows\System32\icacls.exe
"C:\Windows\System32\icacls.exe" "C:\Windows\System32\wowreg32.exe" /INHERITANCE:e /GRANT:r Admin:(F)
C:\Windows\System32\takeown.exe
"C:\Windows\System32\takeown.exe" /S KVIWLPUJ /U Admin /F "C:\Windows\System32\wowreg32.exe"
C:\Windows\System32\icacls.exe
"C:\Windows\System32\icacls.exe" "C:\Windows\System32\wowreg32.exe" /INHERITANCE:e /GRANT:r Admin:(F)
C:\Windows\System32\takeown.exe
"C:\Windows\System32\takeown.exe" /S KVIWLPUJ /U Admin /F "C:\Windows\System32\wowreg32.exe"
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\System32\icacls.exe
"C:\Windows\System32\icacls.exe" "C:\Windows\System32\wowreg32.exe" /INHERITANCE:e /GRANT:r Admin:(F)
C:\Windows\System32\takeown.exe
"C:\Windows\System32\takeown.exe" /S KVIWLPUJ /U Admin /F "C:\Windows\System32\wowreg32.exe"
C:\Windows\System32\icacls.exe
"C:\Windows\System32\icacls.exe" "C:\Windows\System32\wowreg32.exe" /INHERITANCE:e /GRANT:r Admin:(F)
C:\Windows\System32\takeown.exe
"C:\Windows\System32\takeown.exe" /S KVIWLPUJ /U Admin /F "C:\Windows\System32\wowreg32.exe"
C:\Windows\System32\icacls.exe
"C:\Windows\System32\icacls.exe" "C:\Windows\System32\wowreg32.exe" /INHERITANCE:e /GRANT:r Admin:(F)
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\System32\takeown.exe
"C:\Windows\System32\takeown.exe" /S KVIWLPUJ /U Admin /F "C:\Windows\System32\wowreg32.exe"
C:\Windows\System32\icacls.exe
"C:\Windows\System32\icacls.exe" "C:\Windows\System32\wowreg32.exe" /INHERITANCE:e /GRANT:r Admin:(F)
C:\Windows\System32\takeown.exe
"C:\Windows\System32\takeown.exe" /S KVIWLPUJ /U Admin /F "C:\Windows\System32\wowreg32.exe"
C:\Windows\System32\icacls.exe
"C:\Windows\System32\icacls.exe" "C:\Windows\System32\wowreg32.exe" /INHERITANCE:e /GRANT:r Admin:(F)
C:\Windows\System32\takeown.exe
"C:\Windows\System32\takeown.exe" /S KVIWLPUJ /U Admin /F "C:\Windows\System32\wowreg32.exe"
C:\Windows\System32\icacls.exe
"C:\Windows\System32\icacls.exe" "C:\Windows\System32\wowreg32.exe" /INHERITANCE:e /GRANT:r Admin:(F)
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 14.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 183.59.114.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 27.117.19.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 14.227.111.52.in-addr.arpa | udp |
Files
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\myriaYcFRu6.exe
C:\Windows\System32\wowreg32.exe
C:\Windows\System32\wowreg32.exe
C:\Windows\System32\wowreg32.exe
C:\Windows\System32\wowreg32.exe
C:\Windows\System32\wowreg32.exe
C:\Windows\System32\wowreg32.exe