Analysis Overview
SHA256
adc8361c120f88c1dd36f0069eefde0397a5f6d115a25f36beeac2da45826b77
Threat Level: Known bad
The file adc8361c120f88c1dd36f0069eefde0397a5f6d115a25f36beeac2da45826b77N was found to be: Known bad.
Malicious Activity Summary
UAC bypass
Possible privilege escalation attempt
Disables Task Manager via registry modification
Modifies system executable filetype association
Modifies file permissions
Checks computer location settings
File and Directory Permissions Modification: Windows File and Directory Permissions Modification
Drops file in System32 directory
Enumerates physical storage devices
Unsigned PE
Suspicious behavior: GetForegroundWindowSpam
Modifies registry key
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
Modifies registry class
Suspicious use of AdjustPrivilegeToken
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-10-10 15:42
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-10-10 15:42
Reported
2024-10-10 15:45
Platform
win7-20240903-en
Max time kernel
150s
Max time network
121s
Command Line
Signatures
UAC bypass
| Description | Indicator | Process | Target |
|---|---|---|---|
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\System32\reg.exe | N/A |
Disables Task Manager via registry modification
Possible privilege escalation attempt
Modifies file permissions
Modifies system executable filetype association
| Description | Indicator | Process | Target |
|---|---|---|---|
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\adc8361c120f88c1dd36f0069eefde0397a5f6d115a25f36beeac2da45826b77N.exe BATCF %1" | C:\Users\Admin\AppData\Local\Temp\adc8361c120f88c1dd36f0069eefde0397a5f6d115a25f36beeac2da45826b77N.exe | N/A |
File and Directory Permissions Modification: Windows File and Directory Permissions Modification
Drops file in System32 directory
| Description | Indicator | Process | Target |
|---|---|---|---|
| File opened for modification | C:\Windows\System32\stordiag.exe | C:\Users\Admin\AppData\Local\Temp\adc8361c120f88c1dd36f0069eefde0397a5f6d115a25f36beeac2da45826b77N.exe | N/A |
| File created | C:\Windows\System32\stordiag.exe | C:\Users\Admin\AppData\Local\Temp\adc8361c120f88c1dd36f0069eefde0397a5f6d115a25f36beeac2da45826b77N.exe | N/A |
Enumerates physical storage devices
Modifies registry class
| Description | Indicator | Process | Target |
|---|---|---|---|
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\open\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\adc8361c120f88c1dd36f0069eefde0397a5f6d115a25f36beeac2da45826b77N.exe HTMWF %1" | C:\Users\Admin\AppData\Local\Temp\adc8361c120f88c1dd36f0069eefde0397a5f6d115a25f36beeac2da45826b77N.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\xmlfile\shell\open\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\adc8361c120f88c1dd36f0069eefde0397a5f6d115a25f36beeac2da45826b77N.exe NTPAD %1" | C:\Users\Admin\AppData\Local\Temp\adc8361c120f88c1dd36f0069eefde0397a5f6d115a25f36beeac2da45826b77N.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\inifile\shell\open\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\adc8361c120f88c1dd36f0069eefde0397a5f6d115a25f36beeac2da45826b77N.exe NTPAD %1" | C:\Users\Admin\AppData\Local\Temp\adc8361c120f88c1dd36f0069eefde0397a5f6d115a25f36beeac2da45826b77N.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\icofile\shell\open\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\adc8361c120f88c1dd36f0069eefde0397a5f6d115a25f36beeac2da45826b77N.exe JPGIF %1" | C:\Users\Admin\AppData\Local\Temp\adc8361c120f88c1dd36f0069eefde0397a5f6d115a25f36beeac2da45826b77N.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\adc8361c120f88c1dd36f0069eefde0397a5f6d115a25f36beeac2da45826b77N.exe BATCF %1" | C:\Users\Admin\AppData\Local\Temp\adc8361c120f88c1dd36f0069eefde0397a5f6d115a25f36beeac2da45826b77N.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\jpegfile\shell\open\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\adc8361c120f88c1dd36f0069eefde0397a5f6d115a25f36beeac2da45826b77N.exe JPGIF %1" | C:\Users\Admin\AppData\Local\Temp\adc8361c120f88c1dd36f0069eefde0397a5f6d115a25f36beeac2da45826b77N.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\giffile\shell\Open\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\adc8361c120f88c1dd36f0069eefde0397a5f6d115a25f36beeac2da45826b77N.exe JPGIF %1" | C:\Users\Admin\AppData\Local\Temp\adc8361c120f88c1dd36f0069eefde0397a5f6d115a25f36beeac2da45826b77N.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\adc8361c120f88c1dd36f0069eefde0397a5f6d115a25f36beeac2da45826b77N.exe VBSSF %1" | C:\Users\Admin\AppData\Local\Temp\adc8361c120f88c1dd36f0069eefde0397a5f6d115a25f36beeac2da45826b77N.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\open\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\adc8361c120f88c1dd36f0069eefde0397a5f6d115a25f36beeac2da45826b77N.exe NTPAD %1" | C:\Users\Admin\AppData\Local\Temp\adc8361c120f88c1dd36f0069eefde0397a5f6d115a25f36beeac2da45826b77N.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\adc8361c120f88c1dd36f0069eefde0397a5f6d115a25f36beeac2da45826b77N.exe NTPAD %1" | C:\Users\Admin\AppData\Local\Temp\adc8361c120f88c1dd36f0069eefde0397a5f6d115a25f36beeac2da45826b77N.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\cmdfile\shell\open\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\adc8361c120f88c1dd36f0069eefde0397a5f6d115a25f36beeac2da45826b77N.exe CMDSF %1" | C:\Users\Admin\AppData\Local\Temp\adc8361c120f88c1dd36f0069eefde0397a5f6d115a25f36beeac2da45826b77N.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\pngfile\shell\open\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\adc8361c120f88c1dd36f0069eefde0397a5f6d115a25f36beeac2da45826b77N.exe JPGIF %1" | C:\Users\Admin\AppData\Local\Temp\adc8361c120f88c1dd36f0069eefde0397a5f6d115a25f36beeac2da45826b77N.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\rtffile\shell\open\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\adc8361c120f88c1dd36f0069eefde0397a5f6d115a25f36beeac2da45826b77N.exe RTFDF %1" | C:\Users\Admin\AppData\Local\Temp\adc8361c120f88c1dd36f0069eefde0397a5f6d115a25f36beeac2da45826b77N.exe | N/A |
Modifies registry key
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\System32\reg.exe | N/A |
| N/A | N/A | C:\Windows\System32\reg.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\adc8361c120f88c1dd36f0069eefde0397a5f6d115a25f36beeac2da45826b77N.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
|---|---|---|---|
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\adc8361c120f88c1dd36f0069eefde0397a5f6d115a25f36beeac2da45826b77N.exe | N/A |
| Token: SeTakeOwnershipPrivilege (62 identical entries) | N/A | C:\Windows\System32\takeown.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\adc8361c120f88c1dd36f0069eefde0397a5f6d115a25f36beeac2da45826b77N.exe
"C:\Users\Admin\AppData\Local\Temp\adc8361c120f88c1dd36f0069eefde0397a5f6d115a25f36beeac2da45826b77N.exe"
C:\Windows\System32\reg.exe
"C:\Windows\System32\reg.exe" ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
C:\Windows\System32\reg.exe
"C:\Windows\System32\reg.exe" add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
C:\Windows\System32\takeown.exe
"C:\Windows\System32\takeown.exe" /S JSMURNPT /U Admin /F "C:\Windows\bfsvc.exe"
C:\Windows\System32\icacls.exe
"C:\Windows\System32\icacls.exe" "C:\Windows\bfsvc.exe" /INHERITANCE:e /GRANT:r Admin:(F)
C:\Windows\System32\takeown.exe
"C:\Windows\System32\takeown.exe" /S JSMURNPT /U Admin /F "C:\Windows\HelpPane.exe"
C:\Windows\System32\icacls.exe
"C:\Windows\System32\icacls.exe" "C:\Windows\HelpPane.exe" /INHERITANCE:e /GRANT:r Admin:(F)
C:\Windows\System32\takeown.exe
"C:\Windows\System32\takeown.exe" /S JSMURNPT /U Admin /F "C:\Windows\hh.exe"
C:\Windows\System32\icacls.exe
"C:\Windows\System32\icacls.exe" "C:\Windows\hh.exe" /INHERITANCE:e /GRANT:r Admin:(F)
C:\Windows\System32\takeown.exe
"C:\Windows\System32\takeown.exe" /S JSMURNPT /U Admin /F "C:\Windows\splwow64.exe"
C:\Windows\System32\icacls.exe
"C:\Windows\System32\icacls.exe" "C:\Windows\splwow64.exe" /INHERITANCE:e /GRANT:r Admin:(F)
C:\Windows\System32\takeown.exe
"C:\Windows\System32\takeown.exe" /S JSMURNPT /U Admin /F "C:\Windows\winhlp32.exe"
C:\Windows\System32\icacls.exe
"C:\Windows\System32\icacls.exe" "C:\Windows\winhlp32.exe" /INHERITANCE:e /GRANT:r Admin:(F)
C:\Windows\System32\takeown.exe
"C:\Windows\System32\takeown.exe" /S JSMURNPT /U Admin /F "C:\Windows\write.exe"
C:\Windows\System32\icacls.exe
"C:\Windows\System32\icacls.exe" "C:\Windows\write.exe" /INHERITANCE:e /GRANT:r Admin:(F)
C:\Windows\System32\takeown.exe
"C:\Windows\System32\takeown.exe" /S JSMURNPT /U Admin /F "C:\Windows\SysWOW64\raserver.exe"
C:\Windows\System32\icacls.exe
"C:\Windows\System32\icacls.exe" "C:\Windows\SysWOW64\raserver.exe" /INHERITANCE:e /GRANT:r Admin:(F)
C:\Windows\System32\takeown.exe
"C:\Windows\System32\takeown.exe" /S JSMURNPT /U Admin /F "C:\Windows\SysWOW64\msra.exe"
C:\Windows\System32\icacls.exe
"C:\Windows\System32\icacls.exe" "C:\Windows\SysWOW64\msra.exe" /INHERITANCE:e /GRANT:r Admin:(F)
C:\Windows\System32\takeown.exe
"C:\Windows\System32\takeown.exe" /S JSMURNPT /U Admin /F "C:\Windows\SysWOW64\quickassist.exe"
C:\Windows\System32\icacls.exe
"C:\Windows\System32\icacls.exe" "C:\Windows\SysWOW64\quickassist.exe" /INHERITANCE:e /GRANT:r Admin:(F)
C:\Windows\System32\takeown.exe
"C:\Windows\System32\takeown.exe" /S JSMURNPT /U Admin /F "C:\Windows\SysWOW64\sdchange.exe"
C:\Windows\System32\icacls.exe
"C:\Windows\System32\icacls.exe" "C:\Windows\SysWOW64\sdchange.exe" /INHERITANCE:e /GRANT:r Admin:(F)
C:\Windows\System32\takeown.exe
"C:\Windows\System32\takeown.exe" /S JSMURNPT /U Admin /F "C:\Windows\SysWOW64\CameraSettingsUIHost.exe"
C:\Windows\System32\icacls.exe
"C:\Windows\System32\icacls.exe" "C:\Windows\SysWOW64\CameraSettingsUIHost.exe" /INHERITANCE:e /GRANT:r Admin:(F)
C:\Windows\System32\takeown.exe
"C:\Windows\System32\takeown.exe" /S JSMURNPT /U Admin /F "C:\Windows\SysWOW64\logagent.exe"
C:\Windows\System32\icacls.exe
"C:\Windows\System32\icacls.exe" "C:\Windows\SysWOW64\logagent.exe" /INHERITANCE:e /GRANT:r Admin:(F)
C:\Windows\System32\takeown.exe
"C:\Windows\System32\takeown.exe" /S JSMURNPT /U Admin /F "C:\Windows\SysWOW64\rrinstaller.exe"
C:\Windows\System32\icacls.exe
"C:\Windows\System32\icacls.exe" "C:\Windows\SysWOW64\rrinstaller.exe" /INHERITANCE:e /GRANT:r Admin:(F)
C:\Windows\System32\takeown.exe
"C:\Windows\System32\takeown.exe" /S JSMURNPT /U Admin /F "C:\Windows\SysWOW64\gpscript.exe"
C:\Windows\System32\icacls.exe
"C:\Windows\System32\icacls.exe" "C:\Windows\SysWOW64\gpscript.exe" /INHERITANCE:e /GRANT:r Admin:(F)
C:\Windows\System32\takeown.exe
"C:\Windows\System32\takeown.exe" /S JSMURNPT /U Admin /F "C:\Windows\SysWOW64\mavinject.exe"
C:\Windows\System32\icacls.exe
"C:\Windows\System32\icacls.exe" "C:\Windows\SysWOW64\mavinject.exe" /INHERITANCE:e /GRANT:r Admin:(F)
C:\Windows\System32\takeown.exe
"C:\Windows\System32\takeown.exe" /S JSMURNPT /U Admin /F "C:\Windows\SysWOW64\provlaunch.exe"
C:\Windows\System32\icacls.exe
"C:\Windows\System32\icacls.exe" "C:\Windows\SysWOW64\provlaunch.exe" /INHERITANCE:e /GRANT:r Admin:(F)
C:\Windows\System32\takeown.exe
"C:\Windows\System32\takeown.exe" /S JSMURNPT /U Admin /F "C:\Windows\SysWOW64\msinfo32.exe"
C:\Windows\System32\icacls.exe
"C:\Windows\System32\icacls.exe" "C:\Windows\SysWOW64\msinfo32.exe" /INHERITANCE:e /GRANT:r Admin:(F)
C:\Windows\System32\takeown.exe
"C:\Windows\System32\takeown.exe" /S JSMURNPT /U Admin /F "C:\Windows\SysWOW64\runas.exe"
C:\Windows\System32\icacls.exe
"C:\Windows\System32\icacls.exe" "C:\Windows\SysWOW64\runas.exe" /INHERITANCE:e /GRANT:r Admin:(F)
C:\Windows\System32\takeown.exe
"C:\Windows\System32\takeown.exe" /S JSMURNPT /U Admin /F "C:\Windows\SysWOW64\mstsc.exe"
C:\Windows\System32\icacls.exe
"C:\Windows\System32\icacls.exe" "C:\Windows\SysWOW64\mstsc.exe" /INHERITANCE:e /GRANT:r Admin:(F)
C:\Windows\System32\takeown.exe
"C:\Windows\System32\takeown.exe" /S JSMURNPT /U Admin /F "C:\Windows\SysWOW64\sdiagnhost.exe"
C:\Windows\System32\icacls.exe
"C:\Windows\System32\icacls.exe" "C:\Windows\SysWOW64\sdiagnhost.exe" /INHERITANCE:e /GRANT:r Admin:(F)
C:\Windows\System32\takeown.exe
"C:\Windows\System32\takeown.exe" /S JSMURNPT /U Admin /F "C:\Windows\System32\stordiag.exe"
C:\Windows\System32\icacls.exe
"C:\Windows\System32\icacls.exe" "C:\Windows\System32\stordiag.exe" /INHERITANCE:e /GRANT:r Admin:(F)
(The takeown.exe / icacls.exe pair above for C:\Windows\System32\stordiag.exe appears 62 times in the process list.)
C:\Windows\System32\takeown.exe
"C:\Windows\System32\takeown.exe" /S JSMURNPT /U Admin /F "C:\Windows\System32\stordiag.exe"
C:\Windows\System32\icacls.exe
"C:\Windows\System32\icacls.exe" "C:\Windows\System32\stordiag.exe" /INHERITANCE:e /GRANT:r Admin:(F)
C:\Windows\System32\takeown.exe
"C:\Windows\System32\takeown.exe" /S JSMURNPT /U Admin /F "C:\Windows\System32\stordiag.exe"
C:\Windows\System32\icacls.exe
"C:\Windows\System32\icacls.exe" "C:\Windows\System32\stordiag.exe" /INHERITANCE:e /GRANT:r Admin:(F)
C:\Windows\System32\takeown.exe
"C:\Windows\System32\takeown.exe" /S JSMURNPT /U Admin /F "C:\Windows\System32\stordiag.exe"
C:\Windows\System32\icacls.exe
"C:\Windows\System32\icacls.exe" "C:\Windows\System32\stordiag.exe" /INHERITANCE:e /GRANT:r Admin:(F)
C:\Windows\System32\takeown.exe
"C:\Windows\System32\takeown.exe" /S JSMURNPT /U Admin /F "C:\Windows\System32\stordiag.exe"
C:\Windows\System32\icacls.exe
"C:\Windows\System32\icacls.exe" "C:\Windows\System32\stordiag.exe" /INHERITANCE:e /GRANT:r Admin:(F)
C:\Windows\System32\takeown.exe
"C:\Windows\System32\takeown.exe" /S JSMURNPT /U Admin /F "C:\Windows\System32\stordiag.exe"
C:\Windows\System32\icacls.exe
"C:\Windows\System32\icacls.exe" "C:\Windows\System32\stordiag.exe" /INHERITANCE:e /GRANT:r Admin:(F)
C:\Windows\System32\takeown.exe
"C:\Windows\System32\takeown.exe" /S JSMURNPT /U Admin /F "C:\Windows\System32\stordiag.exe"
C:\Windows\System32\icacls.exe
"C:\Windows\System32\icacls.exe" "C:\Windows\System32\stordiag.exe" /INHERITANCE:e /GRANT:r Admin:(F)
C:\Windows\System32\takeown.exe
"C:\Windows\System32\takeown.exe" /S JSMURNPT /U Admin /F "C:\Windows\System32\stordiag.exe"
C:\Windows\System32\icacls.exe
"C:\Windows\System32\icacls.exe" "C:\Windows\System32\stordiag.exe" /INHERITANCE:e /GRANT:r Admin:(F)
C:\Windows\System32\takeown.exe
"C:\Windows\System32\takeown.exe" /S JSMURNPT /U Admin /F "C:\Windows\System32\stordiag.exe"
C:\Windows\System32\icacls.exe
"C:\Windows\System32\icacls.exe" "C:\Windows\System32\stordiag.exe" /INHERITANCE:e /GRANT:r Admin:(F)
C:\Windows\System32\takeown.exe
"C:\Windows\System32\takeown.exe" /S JSMURNPT /U Admin /F "C:\Windows\System32\stordiag.exe"
C:\Windows\System32\icacls.exe
"C:\Windows\System32\icacls.exe" "C:\Windows\System32\stordiag.exe" /INHERITANCE:e /GRANT:r Admin:(F)
C:\Windows\System32\takeown.exe
"C:\Windows\System32\takeown.exe" /S JSMURNPT /U Admin /F "C:\Windows\System32\stordiag.exe"
C:\Windows\System32\icacls.exe
"C:\Windows\System32\icacls.exe" "C:\Windows\System32\stordiag.exe" /INHERITANCE:e /GRANT:r Admin:(F)
C:\Windows\System32\takeown.exe
"C:\Windows\System32\takeown.exe" /S JSMURNPT /U Admin /F "C:\Windows\System32\stordiag.exe"
C:\Windows\System32\icacls.exe
"C:\Windows\System32\icacls.exe" "C:\Windows\System32\stordiag.exe" /INHERITANCE:e /GRANT:r Admin:(F)
C:\Windows\System32\takeown.exe
"C:\Windows\System32\takeown.exe" /S JSMURNPT /U Admin /F "C:\Windows\System32\stordiag.exe"
C:\Windows\System32\icacls.exe
"C:\Windows\System32\icacls.exe" "C:\Windows\System32\stordiag.exe" /INHERITANCE:e /GRANT:r Admin:(F)
C:\Windows\System32\takeown.exe
"C:\Windows\System32\takeown.exe" /S JSMURNPT /U Admin /F "C:\Windows\System32\stordiag.exe"
C:\Windows\System32\icacls.exe
"C:\Windows\System32\icacls.exe" "C:\Windows\System32\stordiag.exe" /INHERITANCE:e /GRANT:r Admin:(F)
C:\Windows\System32\takeown.exe
"C:\Windows\System32\takeown.exe" /S JSMURNPT /U Admin /F "C:\Windows\System32\stordiag.exe"
C:\Windows\System32\icacls.exe
"C:\Windows\System32\icacls.exe" "C:\Windows\System32\stordiag.exe" /INHERITANCE:e /GRANT:r Admin:(F)
C:\Windows\System32\takeown.exe
"C:\Windows\System32\takeown.exe" /S JSMURNPT /U Admin /F "C:\Windows\System32\stordiag.exe"
C:\Windows\System32\icacls.exe
"C:\Windows\System32\icacls.exe" "C:\Windows\System32\stordiag.exe" /INHERITANCE:e /GRANT:r Admin:(F)
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "120839374-367117722-2060742768144387948214353184922030831895-1007722331-1868571432"
C:\Windows\System32\takeown.exe
"C:\Windows\System32\takeown.exe" /S JSMURNPT /U Admin /F "C:\Windows\System32\stordiag.exe"
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "976119717-1221544081721948058485745835299664124569137448167989005-979890006"
C:\Windows\System32\icacls.exe
"C:\Windows\System32\icacls.exe" "C:\Windows\System32\stordiag.exe" /INHERITANCE:e /GRANT:r Admin:(F)
C:\Windows\System32\takeown.exe
"C:\Windows\System32\takeown.exe" /S JSMURNPT /U Admin /F "C:\Windows\System32\stordiag.exe"
C:\Windows\System32\icacls.exe
"C:\Windows\System32\icacls.exe" "C:\Windows\System32\stordiag.exe" /INHERITANCE:e /GRANT:r Admin:(F)
C:\Windows\System32\takeown.exe
"C:\Windows\System32\takeown.exe" /S JSMURNPT /U Admin /F "C:\Windows\System32\stordiag.exe"
C:\Windows\System32\icacls.exe
"C:\Windows\System32\icacls.exe" "C:\Windows\System32\stordiag.exe" /INHERITANCE:e /GRANT:r Admin:(F)
C:\Windows\System32\takeown.exe
"C:\Windows\System32\takeown.exe" /S JSMURNPT /U Admin /F "C:\Windows\System32\stordiag.exe"
C:\Windows\System32\icacls.exe
"C:\Windows\System32\icacls.exe" "C:\Windows\System32\stordiag.exe" /INHERITANCE:e /GRANT:r Admin:(F)
C:\Windows\System32\takeown.exe
"C:\Windows\System32\takeown.exe" /S JSMURNPT /U Admin /F "C:\Windows\System32\stordiag.exe"
C:\Windows\System32\icacls.exe
"C:\Windows\System32\icacls.exe" "C:\Windows\System32\stordiag.exe" /INHERITANCE:e /GRANT:r Admin:(F)
C:\Windows\System32\takeown.exe
"C:\Windows\System32\takeown.exe" /S JSMURNPT /U Admin /F "C:\Windows\System32\stordiag.exe"
C:\Windows\System32\icacls.exe
"C:\Windows\System32\icacls.exe" "C:\Windows\System32\stordiag.exe" /INHERITANCE:e /GRANT:r Admin:(F)
C:\Windows\System32\takeown.exe
"C:\Windows\System32\takeown.exe" /S JSMURNPT /U Admin /F "C:\Windows\System32\stordiag.exe"
C:\Windows\System32\icacls.exe
"C:\Windows\System32\icacls.exe" "C:\Windows\System32\stordiag.exe" /INHERITANCE:e /GRANT:r Admin:(F)
C:\Windows\System32\takeown.exe
"C:\Windows\System32\takeown.exe" /S JSMURNPT /U Admin /F "C:\Windows\System32\stordiag.exe"
C:\Windows\System32\icacls.exe
"C:\Windows\System32\icacls.exe" "C:\Windows\System32\stordiag.exe" /INHERITANCE:e /GRANT:r Admin:(F)
C:\Windows\System32\takeown.exe
"C:\Windows\System32\takeown.exe" /S JSMURNPT /U Admin /F "C:\Windows\System32\stordiag.exe"
C:\Windows\System32\icacls.exe
"C:\Windows\System32\icacls.exe" "C:\Windows\System32\stordiag.exe" /INHERITANCE:e /GRANT:r Admin:(F)
C:\Windows\System32\takeown.exe
"C:\Windows\System32\takeown.exe" /S JSMURNPT /U Admin /F "C:\Windows\System32\stordiag.exe"
C:\Windows\System32\icacls.exe
"C:\Windows\System32\icacls.exe" "C:\Windows\System32\stordiag.exe" /INHERITANCE:e /GRANT:r Admin:(F)
C:\Windows\System32\takeown.exe
"C:\Windows\System32\takeown.exe" /S JSMURNPT /U Admin /F "C:\Windows\System32\stordiag.exe"
C:\Windows\System32\icacls.exe
"C:\Windows\System32\icacls.exe" "C:\Windows\System32\stordiag.exe" /INHERITANCE:e /GRANT:r Admin:(F)
C:\Windows\System32\takeown.exe
"C:\Windows\System32\takeown.exe" /S JSMURNPT /U Admin /F "C:\Windows\System32\stordiag.exe"
C:\Windows\System32\icacls.exe
"C:\Windows\System32\icacls.exe" "C:\Windows\System32\stordiag.exe" /INHERITANCE:e /GRANT:r Admin:(F)
C:\Windows\System32\takeown.exe
"C:\Windows\System32\takeown.exe" /S JSMURNPT /U Admin /F "C:\Windows\System32\stordiag.exe"
C:\Windows\System32\icacls.exe
"C:\Windows\System32\icacls.exe" "C:\Windows\System32\stordiag.exe" /INHERITANCE:e /GRANT:r Admin:(F)
C:\Windows\System32\takeown.exe
"C:\Windows\System32\takeown.exe" /S JSMURNPT /U Admin /F "C:\Windows\System32\stordiag.exe"
C:\Windows\System32\icacls.exe
"C:\Windows\System32\icacls.exe" "C:\Windows\System32\stordiag.exe" /INHERITANCE:e /GRANT:r Admin:(F)
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1392364366859130352248393155-2584578047116125181051970474-2039034854-655957556"
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1940624636-392435160-550185710129012166-54347679635329101569310007131860601"
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-108151398153832787-992284616-9197500151709581483-1192210948-8865977141884298329"
C:\Windows\System32\takeown.exe
"C:\Windows\System32\takeown.exe" /S JSMURNPT /U Admin /F "C:\Windows\System32\stordiag.exe"
C:\Windows\System32\icacls.exe
"C:\Windows\System32\icacls.exe" "C:\Windows\System32\stordiag.exe" /INHERITANCE:e /GRANT:r Admin:(F)
C:\Windows\System32\takeown.exe
"C:\Windows\System32\takeown.exe" /S JSMURNPT /U Admin /F "C:\Windows\System32\stordiag.exe"
C:\Windows\System32\icacls.exe
"C:\Windows\System32\icacls.exe" "C:\Windows\System32\stordiag.exe" /INHERITANCE:e /GRANT:r Admin:(F)
C:\Windows\System32\takeown.exe
"C:\Windows\System32\takeown.exe" /S JSMURNPT /U Admin /F "C:\Windows\System32\stordiag.exe"
C:\Windows\System32\icacls.exe
"C:\Windows\System32\icacls.exe" "C:\Windows\System32\stordiag.exe" /INHERITANCE:e /GRANT:r Admin:(F)
C:\Windows\System32\takeown.exe
"C:\Windows\System32\takeown.exe" /S JSMURNPT /U Admin /F "C:\Windows\System32\stordiag.exe"
C:\Windows\System32\icacls.exe
"C:\Windows\System32\icacls.exe" "C:\Windows\System32\stordiag.exe" /INHERITANCE:e /GRANT:r Admin:(F)
C:\Windows\System32\takeown.exe
"C:\Windows\System32\takeown.exe" /S JSMURNPT /U Admin /F "C:\Windows\System32\stordiag.exe"
C:\Windows\System32\icacls.exe
"C:\Windows\System32\icacls.exe" "C:\Windows\System32\stordiag.exe" /INHERITANCE:e /GRANT:r Admin:(F)
C:\Windows\System32\takeown.exe
"C:\Windows\System32\takeown.exe" /S JSMURNPT /U Admin /F "C:\Windows\System32\stordiag.exe"
C:\Windows\System32\icacls.exe
"C:\Windows\System32\icacls.exe" "C:\Windows\System32\stordiag.exe" /INHERITANCE:e /GRANT:r Admin:(F)
C:\Windows\System32\takeown.exe
"C:\Windows\System32\takeown.exe" /S JSMURNPT /U Admin /F "C:\Windows\System32\stordiag.exe"
C:\Windows\System32\icacls.exe
"C:\Windows\System32\icacls.exe" "C:\Windows\System32\stordiag.exe" /INHERITANCE:e /GRANT:r Admin:(F)
C:\Windows\System32\takeown.exe
"C:\Windows\System32\takeown.exe" /S JSMURNPT /U Admin /F "C:\Windows\System32\stordiag.exe"
C:\Windows\System32\icacls.exe
"C:\Windows\System32\icacls.exe" "C:\Windows\System32\stordiag.exe" /INHERITANCE:e /GRANT:r Admin:(F)
C:\Windows\System32\takeown.exe
"C:\Windows\System32\takeown.exe" /S JSMURNPT /U Admin /F "C:\Windows\System32\stordiag.exe"
C:\Windows\System32\icacls.exe
"C:\Windows\System32\icacls.exe" "C:\Windows\System32\stordiag.exe" /INHERITANCE:e /GRANT:r Admin:(F)
Network
Files
memory/2084-0-0x000007FEF55A3000-0x000007FEF55A4000-memory.dmp
memory/2084-1-0x0000000000F60000-0x0000000000F88000-memory.dmp
memory/2084-2-0x000007FEF55A0000-0x000007FEF5F8C000-memory.dmp
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\AuF8OrQFZQe.exe
| MD5 | 6ee7bee8dd7e1c5a8897f58c33b9fac3 |
| SHA1 | 45f5551a38ff1c0c60ed63be5dca267bb65238e8 |
| SHA256 | 080d787304db0ec177e6a086ac318092723486d558d36d66f505ea821f5842c5 |
| SHA512 | c1a1e90b4dadedd8b031e4b6fdb249d41ababe62cf4101dd018e8fab1008d207b7eba1beb54163d37ced355568bf757186bb152bad004a3cbdac3232ecab0304 |
memory/2084-1136-0x000007FEF55A3000-0x000007FEF55A4000-memory.dmp
memory/2084-1269-0x000007FEF55A0000-0x000007FEF5F8C000-memory.dmp
C:\Windows\System32\stordiag.exe
| MD5 | 749c23800de277b79a37e6717d33c05a |
| SHA1 | 5efe3f5c2f981c486350b40916459ec3dc05eb70 |
| SHA256 | 4cdce1f56a6d63e7c35d9c32265f131143328720d04c89ab821caf2f63ab4c93 |
| SHA512 | 97814d9c043938f7987e75e55e107210f498bdf631fe3eff0673297b02cebab70e82d3fab448c83caf9c0475173be3c2c67b956d448208ebe71a5b466f74f7ed |
C:\Windows\System32\stordiag.exe
| MD5 | 423a2bef39ce629cd3bb01e21978153c |
| SHA1 | e35404c03da1fa3b3eadd75c7448ed0971d0e375 |
| SHA256 | aba4537a415911a98134678f808e26b1a862bbec916dc6f53de2fd1a5e3df3a1 |
| SHA512 | 132572dc3cde2524f9a3035d312dcee6dafc314969c2cbf4112ee1f7c9e83416a4ba0f16fbc95b1a4b1429370b25067a25847bff65a56cbb7c28c3a6d9a0defe |
C:\Windows\System32\stordiag.exe
| MD5 | 2fd5a7ae68af92fb86cf43d57d1997cc |
| SHA1 | 4558bdf09fe9b33d24cfb08ede5c63b40804e42c |
| SHA256 | 880eceb309f2ca7a9ea12c3bb0c17d3022aace9343d89e98580755de6645805f |
| SHA512 | 7f8532db6817bbd6e6dacc7d270069d43198dc3f874c453ae2281fcc441c934a68e6ce85177ab6bf7544a356bdf3ea08636eebb39fda56b22691a0b8c449660e |
C:\Windows\System32\stordiag.exe
| MD5 | 64fd98eb25246602d933e54ba9b454a2 |
| SHA1 | bb628dfe2c980a9ee00f7c1998374297d9ac2edd |
| SHA256 | bd3d8b57728d50550ae88d8b12de79b14cf0b7ceffea1c18c17b1df2da240bf3 |
| SHA512 | 0482760618600284dd5223dcb5b149d19655a5e2152bdb4306b032a5a6303a87fea767cb3e3dd04946df418e622b0744fb65eb99dc98669b96d2429c13f02ddf |
C:\Windows\System32\stordiag.exe
| MD5 | ba66f706be8f7adbcffe87f740255b80 |
| SHA1 | 6495fda80f1d1b5d8b5299128d2d75c5a079e437 |
| SHA256 | e83d3717a2237dcaba64b38240cafc500c30978549d60e44e1adf7de8e1defac |
| SHA512 | 7c771787e784564c40e23deafa3163576d2c538efae91ca192baccf53b91badc7c76293917d34357e8446fdf17628efd3a3aeea7502fa5f602240c8d6e6fd9a9 |
C:\Windows\System32\stordiag.exe
| MD5 | c3c70582949bd5eb04094d377a177421 |
| SHA1 | 3f7369db4cb4340c72d850f61b66342e9f72fc1d |
| SHA256 | d9926d8e5a4210dd00008ec982b87f8c2bd83003fb2e836c619be311a998da43 |
| SHA512 | bf8ed67d211063f1f52ccaa6621653ba4f17de2eff41f44da22b6b10e09cb65b8e7ce27d97673be5d5e9e3f441e565ee444755fc39bd942ee8b337ac8520dfe8 |
C:\Windows\System32\stordiag.exe
| MD5 | 9add874e18dd6ac82b62d05931f8ba8e |
| SHA1 | 7f791f2a04c200c1162b71ca8cfb0f1ab81e5b3e |
| SHA256 | 9cf29940244bcabcd0089de4362ddc5d99012e689d97bcc2517df8e946b6bab7 |
| SHA512 | b7eb0ebd5acdc67755884442b139d163ac384613733cee8ce1394d01ebd51e55857ed4f2c196d3cca02020af7895eb1ec7e29667bb5998f7a5d519c22b3c76a6 |
C:\Windows\System32\stordiag.exe
| MD5 | ee121d7d851e08c3db7d23905309a4c4 |
| SHA1 | 896507fa433fc80fb9d1e406ec3c206c009df779 |
| SHA256 | 5feb5a59fe19ed73e9c3902cbf748596905a50801fce620e34b76e6bf061a9bb |
| SHA512 | e50397262b3a665bdfa85a14c627666c295d0a78c4ce798db92ffc91143fc61a38f09dadc4188aaa8f5f26899befdec0c6d49c72f0760beab7b4c7cbea65f37c |
C:\Windows\System32\stordiag.exe
| MD5 | 89924677e9bfd8083448419a882950c6 |
| SHA1 | 83a560187d24457003403a70b133906dd2169cd4 |
| SHA256 | 7c41eabecc24e523c471266cdb14a96631f0e1836a53f29e5b59d9a4b7a0e3b9 |
| SHA512 | 84b68a9ba11a6b39fff6d654f09e17ff72f7115605863475880ffd777aceacb2149c2f9b0254b14f2450c837ad33513d91106663def4990acee314691be9b5c9 |
C:\Windows\System32\stordiag.exe
| MD5 | 6324d8a6e98fb140f84d563824be6df0 |
| SHA1 | b4997cb942431b3a38c8664fd065f15628e4498d |
| SHA256 | 4e3fdb4f870587ce7746674a0efb81b7d3dc20d0ceed4dd75e72af4b8c9b5cde |
| SHA512 | fbe4abb95d7ee8bcc605d13b1d132ca8760ffb1983b32ef666a6ca09c409a8f20dff8498deef0006ab40704af4e9f03daf72e71759fa0deac2526b14c2ff6f88 |
C:\Windows\System32\stordiag.exe
| MD5 | 6686f74b2d4981502a570455a7fd32bb |
| SHA1 | 38625e63f164ab074a3aaba537f2cf76a8ab3f93 |
| SHA256 | 12ab12db4abad721a3be04c0be4db329e1aa905e4032c62da8e138f1af203477 |
| SHA512 | ee3b1dee40849b04f3eb319c36861ec993aa4ea313978c16138bdf6209dfd4d3578aa41de7feeada52e58bd9a08fbf3f3292770a9522bd7bae79f30ec27f5ae0 |
Analysis: behavioral2
Detonation Overview
Submitted
2024-10-10 15:42
Reported
2024-10-10 15:45
Platform
win10v2004-20241007-en
Max time kernel
124s
Max time network
94s
Command Line
Signatures
UAC bypass
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\System32\reg.exe | N/A |
Disables Task Manager via registry modification
Possible privilege escalation attempt
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\adc8361c120f88c1dd36f0069eefde0397a5f6d115a25f36beeac2da45826b77N.exe | N/A |
Modifies file permissions
Modifies system executable filetype association
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\adc8361c120f88c1dd36f0069eefde0397a5f6d115a25f36beeac2da45826b77N.exe BATCF %1" | C:\Users\Admin\AppData\Local\Temp\adc8361c120f88c1dd36f0069eefde0397a5f6d115a25f36beeac2da45826b77N.exe | N/A |
File and Directory Permissions Modification: Windows File and Directory Permissions Modification
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\System32\mode.com | C:\Users\Admin\AppData\Local\Temp\adc8361c120f88c1dd36f0069eefde0397a5f6d115a25f36beeac2da45826b77N.exe | N/A |
Enumerates physical storage devices
Modifies registry class
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\giffile\shell\Open\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\adc8361c120f88c1dd36f0069eefde0397a5f6d115a25f36beeac2da45826b77N.exe JPGIF %1" | C:\Users\Admin\AppData\Local\Temp\adc8361c120f88c1dd36f0069eefde0397a5f6d115a25f36beeac2da45826b77N.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\adc8361c120f88c1dd36f0069eefde0397a5f6d115a25f36beeac2da45826b77N.exe VBSSF %1" | C:\Users\Admin\AppData\Local\Temp\adc8361c120f88c1dd36f0069eefde0397a5f6d115a25f36beeac2da45826b77N.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\open\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\adc8361c120f88c1dd36f0069eefde0397a5f6d115a25f36beeac2da45826b77N.exe HTMWF %1" | C:\Users\Admin\AppData\Local\Temp\adc8361c120f88c1dd36f0069eefde0397a5f6d115a25f36beeac2da45826b77N.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\rtffile\shell\open\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\adc8361c120f88c1dd36f0069eefde0397a5f6d115a25f36beeac2da45826b77N.exe RTFDF %1" | C:\Users\Admin\AppData\Local\Temp\adc8361c120f88c1dd36f0069eefde0397a5f6d115a25f36beeac2da45826b77N.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\adc8361c120f88c1dd36f0069eefde0397a5f6d115a25f36beeac2da45826b77N.exe NTPAD %1" | C:\Users\Admin\AppData\Local\Temp\adc8361c120f88c1dd36f0069eefde0397a5f6d115a25f36beeac2da45826b77N.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\adc8361c120f88c1dd36f0069eefde0397a5f6d115a25f36beeac2da45826b77N.exe BATCF %1" | C:\Users\Admin\AppData\Local\Temp\adc8361c120f88c1dd36f0069eefde0397a5f6d115a25f36beeac2da45826b77N.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\cmdfile\shell\open\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\adc8361c120f88c1dd36f0069eefde0397a5f6d115a25f36beeac2da45826b77N.exe CMDSF %1" | C:\Users\Admin\AppData\Local\Temp\adc8361c120f88c1dd36f0069eefde0397a5f6d115a25f36beeac2da45826b77N.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\xmlfile\shell\Open\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\adc8361c120f88c1dd36f0069eefde0397a5f6d115a25f36beeac2da45826b77N.exe NTPAD %1" | C:\Users\Admin\AppData\Local\Temp\adc8361c120f88c1dd36f0069eefde0397a5f6d115a25f36beeac2da45826b77N.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\inifile\shell\open\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\adc8361c120f88c1dd36f0069eefde0397a5f6d115a25f36beeac2da45826b77N.exe NTPAD %1" | C:\Users\Admin\AppData\Local\Temp\adc8361c120f88c1dd36f0069eefde0397a5f6d115a25f36beeac2da45826b77N.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\open\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\adc8361c120f88c1dd36f0069eefde0397a5f6d115a25f36beeac2da45826b77N.exe NTPAD %1" | C:\Users\Admin\AppData\Local\Temp\adc8361c120f88c1dd36f0069eefde0397a5f6d115a25f36beeac2da45826b77N.exe | N/A |
Modifies registry key
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\reg.exe | N/A |
| N/A | N/A | C:\Windows\System32\reg.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\adc8361c120f88c1dd36f0069eefde0397a5f6d115a25f36beeac2da45826b77N.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\adc8361c120f88c1dd36f0069eefde0397a5f6d115a25f36beeac2da45826b77N.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\System32\takeown.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\System32\takeown.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\System32\takeown.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\System32\takeown.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\System32\takeown.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\System32\takeown.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\System32\takeown.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\System32\takeown.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\System32\takeown.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\System32\takeown.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\System32\takeown.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\System32\takeown.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\System32\takeown.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\System32\takeown.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\System32\takeown.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\System32\takeown.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\System32\takeown.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\System32\takeown.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\System32\takeown.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\System32\takeown.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\adc8361c120f88c1dd36f0069eefde0397a5f6d115a25f36beeac2da45826b77N.exe
"C:\Users\Admin\AppData\Local\Temp\adc8361c120f88c1dd36f0069eefde0397a5f6d115a25f36beeac2da45826b77N.exe"
C:\Windows\System32\reg.exe
"C:\Windows\System32\reg.exe" ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
C:\Windows\System32\reg.exe
"C:\Windows\System32\reg.exe" add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
C:\Windows\System32\takeown.exe
"C:\Windows\System32\takeown.exe" /S YLFOGIOE /U Admin /F "C:\Windows\bfsvc.exe"
C:\Windows\System32\icacls.exe
"C:\Windows\System32\icacls.exe" "C:\Windows\bfsvc.exe" /INHERITANCE:e /GRANT:r Admin:(F)
C:\Windows\System32\takeown.exe
"C:\Windows\System32\takeown.exe" /S YLFOGIOE /U Admin /F "C:\Windows\HelpPane.exe"
C:\Windows\System32\icacls.exe
"C:\Windows\System32\icacls.exe" "C:\Windows\HelpPane.exe" /INHERITANCE:e /GRANT:r Admin:(F)
C:\Windows\System32\takeown.exe
"C:\Windows\System32\takeown.exe" /S YLFOGIOE /U Admin /F "C:\Windows\hh.exe"
C:\Windows\System32\icacls.exe
"C:\Windows\System32\icacls.exe" "C:\Windows\hh.exe" /INHERITANCE:e /GRANT:r Admin:(F)
C:\Windows\System32\takeown.exe
"C:\Windows\System32\takeown.exe" /S YLFOGIOE /U Admin /F "C:\Windows\splwow64.exe"
C:\Windows\System32\icacls.exe
"C:\Windows\System32\icacls.exe" "C:\Windows\splwow64.exe" /INHERITANCE:e /GRANT:r Admin:(F)
C:\Windows\System32\takeown.exe
"C:\Windows\System32\takeown.exe" /S YLFOGIOE /U Admin /F "C:\Windows\winhlp32.exe"
C:\Windows\System32\icacls.exe
"C:\Windows\System32\icacls.exe" "C:\Windows\winhlp32.exe" /INHERITANCE:e /GRANT:r Admin:(F)
C:\Windows\System32\takeown.exe
"C:\Windows\System32\takeown.exe" /S YLFOGIOE /U Admin /F "C:\Windows\write.exe"
C:\Windows\System32\icacls.exe
"C:\Windows\System32\icacls.exe" "C:\Windows\write.exe" /INHERITANCE:e /GRANT:r Admin:(F)
C:\Windows\System32\takeown.exe
"C:\Windows\System32\takeown.exe" /S YLFOGIOE /U Admin /F "C:\Windows\SysWOW64\raserver.exe"
C:\Windows\System32\icacls.exe
"C:\Windows\System32\icacls.exe" "C:\Windows\SysWOW64\raserver.exe" /INHERITANCE:e /GRANT:r Admin:(F)
C:\Windows\System32\takeown.exe
"C:\Windows\System32\takeown.exe" /S YLFOGIOE /U Admin /F "C:\Windows\SysWOW64\msra.exe"
C:\Windows\System32\icacls.exe
"C:\Windows\System32\icacls.exe" "C:\Windows\SysWOW64\msra.exe" /INHERITANCE:e /GRANT:r Admin:(F)
C:\Windows\System32\takeown.exe
"C:\Windows\System32\takeown.exe" /S YLFOGIOE /U Admin /F "C:\Windows\SysWOW64\quickassist.exe"
C:\Windows\System32\icacls.exe
"C:\Windows\System32\icacls.exe" "C:\Windows\SysWOW64\quickassist.exe" /INHERITANCE:e /GRANT:r Admin:(F)
C:\Windows\System32\takeown.exe
"C:\Windows\System32\takeown.exe" /S YLFOGIOE /U Admin /F "C:\Windows\SysWOW64\sdchange.exe"
C:\Windows\System32\icacls.exe
"C:\Windows\System32\icacls.exe" "C:\Windows\SysWOW64\sdchange.exe" /INHERITANCE:e /GRANT:r Admin:(F)
C:\Windows\System32\takeown.exe
"C:\Windows\System32\takeown.exe" /S YLFOGIOE /U Admin /F "C:\Windows\SysWOW64\CameraSettingsUIHost.exe"
C:\Windows\System32\icacls.exe
"C:\Windows\System32\icacls.exe" "C:\Windows\SysWOW64\CameraSettingsUIHost.exe" /INHERITANCE:e /GRANT:r Admin:(F)
C:\Windows\System32\takeown.exe
"C:\Windows\System32\takeown.exe" /S YLFOGIOE /U Admin /F "C:\Windows\SysWOW64\logagent.exe"
C:\Windows\System32\icacls.exe
"C:\Windows\System32\icacls.exe" "C:\Windows\SysWOW64\logagent.exe" /INHERITANCE:e /GRANT:r Admin:(F)
C:\Windows\System32\takeown.exe
"C:\Windows\System32\takeown.exe" /S YLFOGIOE /U Admin /F "C:\Windows\SysWOW64\rrinstaller.exe"
C:\Windows\System32\icacls.exe
"C:\Windows\System32\icacls.exe" "C:\Windows\SysWOW64\rrinstaller.exe" /INHERITANCE:e /GRANT:r Admin:(F)
C:\Windows\System32\takeown.exe
"C:\Windows\System32\takeown.exe" /S YLFOGIOE /U Admin /F "C:\Windows\SysWOW64\gpscript.exe"
C:\Windows\System32\icacls.exe
"C:\Windows\System32\icacls.exe" "C:\Windows\SysWOW64\gpscript.exe" /INHERITANCE:e /GRANT:r Admin:(F)
C:\Windows\System32\takeown.exe
"C:\Windows\System32\takeown.exe" /S YLFOGIOE /U Admin /F "C:\Windows\SysWOW64\mavinject.exe"
C:\Windows\System32\icacls.exe
"C:\Windows\System32\icacls.exe" "C:\Windows\SysWOW64\mavinject.exe" /INHERITANCE:e /GRANT:r Admin:(F)
C:\Windows\System32\takeown.exe
"C:\Windows\System32\takeown.exe" /S YLFOGIOE /U Admin /F "C:\Windows\SysWOW64\provlaunch.exe"
C:\Windows\System32\icacls.exe
"C:\Windows\System32\icacls.exe" "C:\Windows\SysWOW64\provlaunch.exe" /INHERITANCE:e /GRANT:r Admin:(F)
C:\Windows\System32\takeown.exe
"C:\Windows\System32\takeown.exe" /S YLFOGIOE /U Admin /F "C:\Windows\SysWOW64\msinfo32.exe"
C:\Windows\System32\icacls.exe
"C:\Windows\System32\icacls.exe" "C:\Windows\SysWOW64\msinfo32.exe" /INHERITANCE:e /GRANT:r Admin:(F)
C:\Windows\System32\takeown.exe
"C:\Windows\System32\takeown.exe" /S YLFOGIOE /U Admin /F "C:\Windows\SysWOW64\runas.exe"
C:\Windows\System32\icacls.exe
"C:\Windows\System32\icacls.exe" "C:\Windows\SysWOW64\runas.exe" /INHERITANCE:e /GRANT:r Admin:(F)
C:\Windows\System32\takeown.exe
"C:\Windows\System32\takeown.exe" /S YLFOGIOE /U Admin /F "C:\Windows\SysWOW64\mstsc.exe"
C:\Windows\System32\icacls.exe
"C:\Windows\System32\icacls.exe" "C:\Windows\SysWOW64\mstsc.exe" /INHERITANCE:e /GRANT:r Admin:(F)
C:\Windows\System32\takeown.exe
"C:\Windows\System32\takeown.exe" /S YLFOGIOE /U Admin /F "C:\Windows\SysWOW64\sdiagnhost.exe"
C:\Windows\System32\icacls.exe
"C:\Windows\System32\icacls.exe" "C:\Windows\SysWOW64\sdiagnhost.exe" /INHERITANCE:e /GRANT:r Admin:(F)
C:\Windows\System32\takeown.exe
"C:\Windows\System32\takeown.exe" /S YLFOGIOE /U Admin /F "C:\Windows\System32\mode.com"
C:\Windows\System32\icacls.exe
"C:\Windows\System32\icacls.exe" "C:\Windows\System32\mode.com" /INHERITANCE:e /GRANT:r Admin:(F)
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 20.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.42.69.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 75.117.19.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.210.23.2.in-addr.arpa | udp |
Files
memory/5108-0-0x00007FFB52733000-0x00007FFB52735000-memory.dmp
memory/5108-1-0x000001CFC4580000-0x000001CFC45A8000-memory.dmp
memory/5108-2-0x00007FFB52730000-0x00007FFB531F1000-memory.dmp
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\DY76wCwbUm.exe
| MD5 | 267bc9803be6b45b13355df903b7732b |
| SHA1 | 44dbc73c5829dedced57f8864cbbbebfa8660919 |
| SHA256 | 0b1077aa343cab3d126e46fcf56e04684cee1a0624a95a71506ee54f910c9698 |
| SHA512 | 5330008e14d68cf4a9d1f25e33adaa89c9abe4ba35697bb3e88905d8a5307a4e8ddbb4720bfb6df65f098b27dca848eb15792766170d17f75be06ce275dae7c0 |
memory/5108-1024-0x00007FFB52733000-0x00007FFB52735000-memory.dmp
memory/5108-1140-0x00007FFB52730000-0x00007FFB531F1000-memory.dmp
C:\Windows\System32\mode.com
| MD5 | 5e71c60108a69fee2eb70befab588eb4 |
| SHA1 | e2b353bd6783e57a5be29ca339df10ca8d8a7d8c |
| SHA256 | d94fc4c6d404ddb04d00618ea4514dc38d1145b67cfee54ccb3636fd34c81956 |
| SHA512 | a298afa4b9c98fd5e95079d369e382da42bee829a3a47e1f1a1080e7d6e51d16ae38443fc8a37dbc52672a0cfc17ae2114142363fdaa8d78929c2390bc67210c |
C:\Windows\System32\mode.com
| MD5 | da0233ab62c02a67b582d38115fa6ddd |
| SHA1 | 0aa720bea5e04f285a40928e3f686096e423b2f6 |
| SHA256 | 6b84f61aa1555bbb042679d6086ecc306e9f0c82210c50013742e09d50c09cba |
| SHA512 | 01cd538987de6109ac3d3cdf91411af4cc13e029dda843f4df51e5e9e7a09a92570e0b19237839799ecce28968e031dd2e077d479aa394646e3e292138a07b34 |
C:\Windows\System32\mode.com
| MD5 | a7aa614fbab06e2a6db9554139e2175b |
| SHA1 | 58e878a6a718d761b46187e0f52b4855d4be5a5f |
| SHA256 | 865831bae35944155c6707a65d75ecca2ac7f7d712c9566e032ab23c2b02d066 |
| SHA512 | 6ccf0f727bcfd876ad83698420f75a4d27b2e02ec7fb2e678d97a128503cb1c5b616694ba9193bbf4af3f107fcb6ed1845375d78c83b6e064b24c3be16c74049 |
C:\Windows\System32\mode.com
| MD5 | fc535f0f19ef86f79c16ea39fff476d2 |
| SHA1 | a74ebc96290d75d07d56bfa692c0f499aecc5dbd |
| SHA256 | 10f641974f22e9f6e9eef4f9c3b8cf69b2267a1b7db61d49a8f7688e6c7673b6 |
| SHA512 | e0ef22800bd572e7c111df347e85ef0ab9ed063ddc9a33d99fdbae9ab486b3178d9af16ab2857d1c0f09042713043534f9ddb95e678170d915230d573500ce8c |
memory/5108-14136-0x00007FFB52730000-0x00007FFB531F1000-memory.dmp