Analysis Overview
SHA256
458593810dc256bbc2aa7e756deab2b201acc3966c8144a9098e5c02ab0eee03
Threat Level: Known bad
The file 458593810dc256bbc2aa7e756deab2b201acc3966c8144a9098e5c02ab0eee03N was found to be: Known bad.
Malicious Activity Summary
UAC bypass
Disables Task Manager via registry modification
Possible privilege escalation attempt
Modifies system executable filetype association
Modifies file permissions
Checks computer location settings
File and Directory Permissions Modification: Windows File and Directory Permissions Modification
Drops file in System32 directory
Enumerates physical storage devices
Unsigned PE
Suspicious behavior: EnumeratesProcesses
Modifies registry key
Suspicious behavior: GetForegroundWindowSpam
Modifies registry class
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-11-05 12:29
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-05 12:29
Reported
2024-11-05 12:31
Platform
win7-20240903-en
Max time kernel
120s
Max time network
119s
Command Line
Signatures
UAC bypass
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\System32\reg.exe | N/A |
Disables Task Manager via registry modification
Possible privilege escalation attempt
Modifies file permissions
Modifies system executable filetype association
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\458593810dc256bbc2aa7e756deab2b201acc3966c8144a9098e5c02ab0eee03N.exe BATCF %1" | C:\Users\Admin\AppData\Local\Temp\458593810dc256bbc2aa7e756deab2b201acc3966c8144a9098e5c02ab0eee03N.exe | N/A |
File and Directory Permissions Modification: Windows File and Directory Permissions Modification
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\System32\TieringEngineService.exe | C:\Users\Admin\AppData\Local\Temp\458593810dc256bbc2aa7e756deab2b201acc3966c8144a9098e5c02ab0eee03N.exe | N/A |
| File opened for modification | C:\Windows\System32\TieringEngineService.exe | C:\Users\Admin\AppData\Local\Temp\458593810dc256bbc2aa7e756deab2b201acc3966c8144a9098e5c02ab0eee03N.exe | N/A |
Enumerates physical storage devices
Modifies registry class
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\pngfile\shell\open\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\458593810dc256bbc2aa7e756deab2b201acc3966c8144a9098e5c02ab0eee03N.exe JPGIF %1" | C:\Users\Admin\AppData\Local\Temp\458593810dc256bbc2aa7e756deab2b201acc3966c8144a9098e5c02ab0eee03N.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\giffile\shell\Open\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\458593810dc256bbc2aa7e756deab2b201acc3966c8144a9098e5c02ab0eee03N.exe JPGIF %1" | C:\Users\Admin\AppData\Local\Temp\458593810dc256bbc2aa7e756deab2b201acc3966c8144a9098e5c02ab0eee03N.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\458593810dc256bbc2aa7e756deab2b201acc3966c8144a9098e5c02ab0eee03N.exe VBSSF %1" | C:\Users\Admin\AppData\Local\Temp\458593810dc256bbc2aa7e756deab2b201acc3966c8144a9098e5c02ab0eee03N.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\open\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\458593810dc256bbc2aa7e756deab2b201acc3966c8144a9098e5c02ab0eee03N.exe HTMWF %1" | C:\Users\Admin\AppData\Local\Temp\458593810dc256bbc2aa7e756deab2b201acc3966c8144a9098e5c02ab0eee03N.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\xmlfile\shell\open\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\458593810dc256bbc2aa7e756deab2b201acc3966c8144a9098e5c02ab0eee03N.exe NTPAD %1" | C:\Users\Admin\AppData\Local\Temp\458593810dc256bbc2aa7e756deab2b201acc3966c8144a9098e5c02ab0eee03N.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\inifile\shell\open\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\458593810dc256bbc2aa7e756deab2b201acc3966c8144a9098e5c02ab0eee03N.exe NTPAD %1" | C:\Users\Admin\AppData\Local\Temp\458593810dc256bbc2aa7e756deab2b201acc3966c8144a9098e5c02ab0eee03N.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\458593810dc256bbc2aa7e756deab2b201acc3966c8144a9098e5c02ab0eee03N.exe NTPAD %1" | C:\Users\Admin\AppData\Local\Temp\458593810dc256bbc2aa7e756deab2b201acc3966c8144a9098e5c02ab0eee03N.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\458593810dc256bbc2aa7e756deab2b201acc3966c8144a9098e5c02ab0eee03N.exe BATCF %1" | C:\Users\Admin\AppData\Local\Temp\458593810dc256bbc2aa7e756deab2b201acc3966c8144a9098e5c02ab0eee03N.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\icofile\shell\open\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\458593810dc256bbc2aa7e756deab2b201acc3966c8144a9098e5c02ab0eee03N.exe JPGIF %1" | C:\Users\Admin\AppData\Local\Temp\458593810dc256bbc2aa7e756deab2b201acc3966c8144a9098e5c02ab0eee03N.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\rtffile\shell\open\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\458593810dc256bbc2aa7e756deab2b201acc3966c8144a9098e5c02ab0eee03N.exe RTFDF %1" | C:\Users\Admin\AppData\Local\Temp\458593810dc256bbc2aa7e756deab2b201acc3966c8144a9098e5c02ab0eee03N.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\open\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\458593810dc256bbc2aa7e756deab2b201acc3966c8144a9098e5c02ab0eee03N.exe NTPAD %1" | C:\Users\Admin\AppData\Local\Temp\458593810dc256bbc2aa7e756deab2b201acc3966c8144a9098e5c02ab0eee03N.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\cmdfile\shell\open\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\458593810dc256bbc2aa7e756deab2b201acc3966c8144a9098e5c02ab0eee03N.exe CMDSF %1" | C:\Users\Admin\AppData\Local\Temp\458593810dc256bbc2aa7e756deab2b201acc3966c8144a9098e5c02ab0eee03N.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\jpegfile\shell\open\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\458593810dc256bbc2aa7e756deab2b201acc3966c8144a9098e5c02ab0eee03N.exe JPGIF %1" | C:\Users\Admin\AppData\Local\Temp\458593810dc256bbc2aa7e756deab2b201acc3966c8144a9098e5c02ab0eee03N.exe | N/A |
Modifies registry key
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\reg.exe | N/A |
| N/A | N/A | C:\Windows\System32\reg.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\458593810dc256bbc2aa7e756deab2b201acc3966c8144a9098e5c02ab0eee03N.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\458593810dc256bbc2aa7e756deab2b201acc3966c8144a9098e5c02ab0eee03N.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\System32\takeown.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\458593810dc256bbc2aa7e756deab2b201acc3966c8144a9098e5c02ab0eee03N.exe
"C:\Users\Admin\AppData\Local\Temp\458593810dc256bbc2aa7e756deab2b201acc3966c8144a9098e5c02ab0eee03N.exe"
C:\Windows\System32\reg.exe
"C:\Windows\System32\reg.exe" ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
C:\Windows\System32\reg.exe
"C:\Windows\System32\reg.exe" add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
C:\Windows\System32\takeown.exe
"C:\Windows\System32\takeown.exe" /S KHBTHJFA /U Admin /F "C:\Windows\bfsvc.exe"
C:\Windows\System32\icacls.exe
"C:\Windows\System32\icacls.exe" "C:\Windows\bfsvc.exe" /INHERITANCE:e /GRANT:r Admin:(F)
C:\Windows\System32\takeown.exe
"C:\Windows\System32\takeown.exe" /S KHBTHJFA /U Admin /F "C:\Windows\HelpPane.exe"
C:\Windows\System32\icacls.exe
"C:\Windows\System32\icacls.exe" "C:\Windows\HelpPane.exe" /INHERITANCE:e /GRANT:r Admin:(F)
C:\Windows\System32\takeown.exe
"C:\Windows\System32\takeown.exe" /S KHBTHJFA /U Admin /F "C:\Windows\hh.exe"
C:\Windows\System32\icacls.exe
"C:\Windows\System32\icacls.exe" "C:\Windows\hh.exe" /INHERITANCE:e /GRANT:r Admin:(F)
C:\Windows\System32\takeown.exe
"C:\Windows\System32\takeown.exe" /S KHBTHJFA /U Admin /F "C:\Windows\splwow64.exe"
C:\Windows\System32\icacls.exe
"C:\Windows\System32\icacls.exe" "C:\Windows\splwow64.exe" /INHERITANCE:e /GRANT:r Admin:(F)
C:\Windows\System32\takeown.exe
"C:\Windows\System32\takeown.exe" /S KHBTHJFA /U Admin /F "C:\Windows\winhlp32.exe"
C:\Windows\System32\icacls.exe
"C:\Windows\System32\icacls.exe" "C:\Windows\winhlp32.exe" /INHERITANCE:e /GRANT:r Admin:(F)
C:\Windows\System32\takeown.exe
"C:\Windows\System32\takeown.exe" /S KHBTHJFA /U Admin /F "C:\Windows\write.exe"
C:\Windows\System32\icacls.exe
"C:\Windows\System32\icacls.exe" "C:\Windows\write.exe" /INHERITANCE:e /GRANT:r Admin:(F)
C:\Windows\System32\takeown.exe
"C:\Windows\System32\takeown.exe" /S KHBTHJFA /U Admin /F "C:\Windows\SysWOW64\raserver.exe"
C:\Windows\System32\icacls.exe
"C:\Windows\System32\icacls.exe" "C:\Windows\SysWOW64\raserver.exe" /INHERITANCE:e /GRANT:r Admin:(F)
C:\Windows\System32\takeown.exe
"C:\Windows\System32\takeown.exe" /S KHBTHJFA /U Admin /F "C:\Windows\SysWOW64\msra.exe"
C:\Windows\System32\icacls.exe
"C:\Windows\System32\icacls.exe" "C:\Windows\SysWOW64\msra.exe" /INHERITANCE:e /GRANT:r Admin:(F)
C:\Windows\System32\takeown.exe
"C:\Windows\System32\takeown.exe" /S KHBTHJFA /U Admin /F "C:\Windows\SysWOW64\quickassist.exe"
C:\Windows\System32\icacls.exe
"C:\Windows\System32\icacls.exe" "C:\Windows\SysWOW64\quickassist.exe" /INHERITANCE:e /GRANT:r Admin:(F)
C:\Windows\System32\takeown.exe
"C:\Windows\System32\takeown.exe" /S KHBTHJFA /U Admin /F "C:\Windows\SysWOW64\sdchange.exe"
C:\Windows\System32\icacls.exe
"C:\Windows\System32\icacls.exe" "C:\Windows\SysWOW64\sdchange.exe" /INHERITANCE:e /GRANT:r Admin:(F)
C:\Windows\System32\takeown.exe
"C:\Windows\System32\takeown.exe" /S KHBTHJFA /U Admin /F "C:\Windows\SysWOW64\CameraSettingsUIHost.exe"
C:\Windows\System32\icacls.exe
"C:\Windows\System32\icacls.exe" "C:\Windows\SysWOW64\CameraSettingsUIHost.exe" /INHERITANCE:e /GRANT:r Admin:(F)
C:\Windows\System32\takeown.exe
"C:\Windows\System32\takeown.exe" /S KHBTHJFA /U Admin /F "C:\Windows\SysWOW64\logagent.exe"
C:\Windows\System32\icacls.exe
"C:\Windows\System32\icacls.exe" "C:\Windows\SysWOW64\logagent.exe" /INHERITANCE:e /GRANT:r Admin:(F)
C:\Windows\System32\takeown.exe
"C:\Windows\System32\takeown.exe" /S KHBTHJFA /U Admin /F "C:\Windows\SysWOW64\rrinstaller.exe"
C:\Windows\System32\icacls.exe
"C:\Windows\System32\icacls.exe" "C:\Windows\SysWOW64\rrinstaller.exe" /INHERITANCE:e /GRANT:r Admin:(F)
C:\Windows\System32\takeown.exe
"C:\Windows\System32\takeown.exe" /S KHBTHJFA /U Admin /F "C:\Windows\SysWOW64\gpscript.exe"
C:\Windows\System32\icacls.exe
"C:\Windows\System32\icacls.exe" "C:\Windows\SysWOW64\gpscript.exe" /INHERITANCE:e /GRANT:r Admin:(F)
C:\Windows\System32\takeown.exe
"C:\Windows\System32\takeown.exe" /S KHBTHJFA /U Admin /F "C:\Windows\SysWOW64\mavinject.exe"
C:\Windows\System32\icacls.exe
"C:\Windows\System32\icacls.exe" "C:\Windows\SysWOW64\mavinject.exe" /INHERITANCE:e /GRANT:r Admin:(F)
C:\Windows\System32\takeown.exe
"C:\Windows\System32\takeown.exe" /S KHBTHJFA /U Admin /F "C:\Windows\SysWOW64\provlaunch.exe"
C:\Windows\System32\icacls.exe
"C:\Windows\System32\icacls.exe" "C:\Windows\SysWOW64\provlaunch.exe" /INHERITANCE:e /GRANT:r Admin:(F)
C:\Windows\System32\takeown.exe
"C:\Windows\System32\takeown.exe" /S KHBTHJFA /U Admin /F "C:\Windows\SysWOW64\msinfo32.exe"
C:\Windows\System32\icacls.exe
"C:\Windows\System32\icacls.exe" "C:\Windows\SysWOW64\msinfo32.exe" /INHERITANCE:e /GRANT:r Admin:(F)
C:\Windows\System32\takeown.exe
"C:\Windows\System32\takeown.exe" /S KHBTHJFA /U Admin /F "C:\Windows\SysWOW64\runas.exe"
C:\Windows\System32\icacls.exe
"C:\Windows\System32\icacls.exe" "C:\Windows\SysWOW64\runas.exe" /INHERITANCE:e /GRANT:r Admin:(F)
C:\Windows\System32\takeown.exe
"C:\Windows\System32\takeown.exe" /S KHBTHJFA /U Admin /F "C:\Windows\SysWOW64\mstsc.exe"
C:\Windows\System32\icacls.exe
"C:\Windows\System32\icacls.exe" "C:\Windows\SysWOW64\mstsc.exe" /INHERITANCE:e /GRANT:r Admin:(F)
C:\Windows\System32\takeown.exe
"C:\Windows\System32\takeown.exe" /S KHBTHJFA /U Admin /F "C:\Windows\SysWOW64\sdiagnhost.exe"
C:\Windows\System32\icacls.exe
"C:\Windows\System32\icacls.exe" "C:\Windows\SysWOW64\sdiagnhost.exe" /INHERITANCE:e /GRANT:r Admin:(F)
C:\Windows\System32\takeown.exe
"C:\Windows\System32\takeown.exe" /S KHBTHJFA /U Admin /F "C:\Windows\System32\TieringEngineService.exe"
C:\Windows\System32\icacls.exe
"C:\Windows\System32\icacls.exe" "C:\Windows\System32\TieringEngineService.exe" /INHERITANCE:e /GRANT:r Admin:(F)
C:\Windows\System32\takeown.exe
"C:\Windows\System32\takeown.exe" /S KHBTHJFA /U Admin /F "C:\Windows\System32\TieringEngineService.exe"
C:\Windows\System32\icacls.exe
"C:\Windows\System32\icacls.exe" "C:\Windows\System32\TieringEngineService.exe" /INHERITANCE:e /GRANT:r Admin:(F)
C:\Windows\System32\takeown.exe
"C:\Windows\System32\takeown.exe" /S KHBTHJFA /U Admin /F "C:\Windows\System32\TieringEngineService.exe"
C:\Windows\System32\icacls.exe
"C:\Windows\System32\icacls.exe" "C:\Windows\System32\TieringEngineService.exe" /INHERITANCE:e /GRANT:r Admin:(F)
C:\Windows\System32\takeown.exe
"C:\Windows\System32\takeown.exe" /S KHBTHJFA /U Admin /F "C:\Windows\System32\TieringEngineService.exe"
C:\Windows\System32\icacls.exe
"C:\Windows\System32\icacls.exe" "C:\Windows\System32\TieringEngineService.exe" /INHERITANCE:e /GRANT:r Admin:(F)
C:\Windows\System32\takeown.exe
"C:\Windows\System32\takeown.exe" /S KHBTHJFA /U Admin /F "C:\Windows\System32\TieringEngineService.exe"
C:\Windows\System32\icacls.exe
"C:\Windows\System32\icacls.exe" "C:\Windows\System32\TieringEngineService.exe" /INHERITANCE:e /GRANT:r Admin:(F)
C:\Windows\System32\takeown.exe
"C:\Windows\System32\takeown.exe" /S KHBTHJFA /U Admin /F "C:\Windows\System32\TieringEngineService.exe"
C:\Windows\System32\icacls.exe
"C:\Windows\System32\icacls.exe" "C:\Windows\System32\TieringEngineService.exe" /INHERITANCE:e /GRANT:r Admin:(F)
C:\Windows\System32\takeown.exe
"C:\Windows\System32\takeown.exe" /S KHBTHJFA /U Admin /F "C:\Windows\System32\TieringEngineService.exe"
C:\Windows\System32\icacls.exe
"C:\Windows\System32\icacls.exe" "C:\Windows\System32\TieringEngineService.exe" /INHERITANCE:e /GRANT:r Admin:(F)
C:\Windows\System32\takeown.exe
"C:\Windows\System32\takeown.exe" /S KHBTHJFA /U Admin /F "C:\Windows\System32\TieringEngineService.exe"
C:\Windows\System32\icacls.exe
"C:\Windows\System32\icacls.exe" "C:\Windows\System32\TieringEngineService.exe" /INHERITANCE:e /GRANT:r Admin:(F)
C:\Windows\System32\takeown.exe
"C:\Windows\System32\takeown.exe" /S KHBTHJFA /U Admin /F "C:\Windows\System32\TieringEngineService.exe"
C:\Windows\System32\icacls.exe
"C:\Windows\System32\icacls.exe" "C:\Windows\System32\TieringEngineService.exe" /INHERITANCE:e /GRANT:r Admin:(F)
C:\Windows\System32\takeown.exe
"C:\Windows\System32\takeown.exe" /S KHBTHJFA /U Admin /F "C:\Windows\System32\TieringEngineService.exe"
C:\Windows\System32\icacls.exe
"C:\Windows\System32\icacls.exe" "C:\Windows\System32\TieringEngineService.exe" /INHERITANCE:e /GRANT:r Admin:(F)
C:\Windows\System32\takeown.exe
"C:\Windows\System32\takeown.exe" /S KHBTHJFA /U Admin /F "C:\Windows\System32\TieringEngineService.exe"
C:\Windows\System32\icacls.exe
"C:\Windows\System32\icacls.exe" "C:\Windows\System32\TieringEngineService.exe" /INHERITANCE:e /GRANT:r Admin:(F)
C:\Windows\System32\takeown.exe
"C:\Windows\System32\takeown.exe" /S KHBTHJFA /U Admin /F "C:\Windows\System32\TieringEngineService.exe"
C:\Windows\System32\icacls.exe
"C:\Windows\System32\icacls.exe" "C:\Windows\System32\TieringEngineService.exe" /INHERITANCE:e /GRANT:r Admin:(F)
C:\Windows\System32\takeown.exe
"C:\Windows\System32\takeown.exe" /S KHBTHJFA /U Admin /F "C:\Windows\System32\TieringEngineService.exe"
C:\Windows\System32\icacls.exe
"C:\Windows\System32\icacls.exe" "C:\Windows\System32\TieringEngineService.exe" /INHERITANCE:e /GRANT:r Admin:(F)
C:\Windows\System32\takeown.exe
"C:\Windows\System32\takeown.exe" /S KHBTHJFA /U Admin /F "C:\Windows\System32\TieringEngineService.exe"
C:\Windows\System32\icacls.exe
"C:\Windows\System32\icacls.exe" "C:\Windows\System32\TieringEngineService.exe" /INHERITANCE:e /GRANT:r Admin:(F)
C:\Windows\System32\takeown.exe
"C:\Windows\System32\takeown.exe" /S KHBTHJFA /U Admin /F "C:\Windows\System32\TieringEngineService.exe"
C:\Windows\System32\icacls.exe
"C:\Windows\System32\icacls.exe" "C:\Windows\System32\TieringEngineService.exe" /INHERITANCE:e /GRANT:r Admin:(F)
C:\Windows\System32\takeown.exe
"C:\Windows\System32\takeown.exe" /S KHBTHJFA /U Admin /F "C:\Windows\System32\TieringEngineService.exe"
C:\Windows\System32\icacls.exe
"C:\Windows\System32\icacls.exe" "C:\Windows\System32\TieringEngineService.exe" /INHERITANCE:e /GRANT:r Admin:(F)
C:\Windows\System32\takeown.exe
"C:\Windows\System32\takeown.exe" /S KHBTHJFA /U Admin /F "C:\Windows\System32\TieringEngineService.exe"
C:\Windows\System32\icacls.exe
"C:\Windows\System32\icacls.exe" "C:\Windows\System32\TieringEngineService.exe" /INHERITANCE:e /GRANT:r Admin:(F)
C:\Windows\System32\takeown.exe
"C:\Windows\System32\takeown.exe" /S KHBTHJFA /U Admin /F "C:\Windows\System32\TieringEngineService.exe"
C:\Windows\System32\icacls.exe
"C:\Windows\System32\icacls.exe" "C:\Windows\System32\TieringEngineService.exe" /INHERITANCE:e /GRANT:r Admin:(F)
C:\Windows\System32\takeown.exe
"C:\Windows\System32\takeown.exe" /S KHBTHJFA /U Admin /F "C:\Windows\System32\TieringEngineService.exe"
C:\Windows\System32\icacls.exe
"C:\Windows\System32\icacls.exe" "C:\Windows\System32\TieringEngineService.exe" /INHERITANCE:e /GRANT:r Admin:(F)
C:\Windows\System32\takeown.exe
"C:\Windows\System32\takeown.exe" /S KHBTHJFA /U Admin /F "C:\Windows\System32\TieringEngineService.exe"
C:\Windows\System32\icacls.exe
"C:\Windows\System32\icacls.exe" "C:\Windows\System32\TieringEngineService.exe" /INHERITANCE:e /GRANT:r Admin:(F)
C:\Windows\System32\takeown.exe
"C:\Windows\System32\takeown.exe" /S KHBTHJFA /U Admin /F "C:\Windows\System32\TieringEngineService.exe"
C:\Windows\System32\icacls.exe
"C:\Windows\System32\icacls.exe" "C:\Windows\System32\TieringEngineService.exe" /INHERITANCE:e /GRANT:r Admin:(F)
C:\Windows\System32\takeown.exe
"C:\Windows\System32\takeown.exe" /S KHBTHJFA /U Admin /F "C:\Windows\System32\TieringEngineService.exe"
C:\Windows\System32\icacls.exe
"C:\Windows\System32\icacls.exe" "C:\Windows\System32\TieringEngineService.exe" /INHERITANCE:e /GRANT:r Admin:(F)
C:\Windows\System32\takeown.exe
"C:\Windows\System32\takeown.exe" /S KHBTHJFA /U Admin /F "C:\Windows\System32\TieringEngineService.exe"
C:\Windows\System32\icacls.exe
"C:\Windows\System32\icacls.exe" "C:\Windows\System32\TieringEngineService.exe" /INHERITANCE:e /GRANT:r Admin:(F)
C:\Windows\System32\takeown.exe
"C:\Windows\System32\takeown.exe" /S KHBTHJFA /U Admin /F "C:\Windows\System32\TieringEngineService.exe"
C:\Windows\System32\icacls.exe
"C:\Windows\System32\icacls.exe" "C:\Windows\System32\TieringEngineService.exe" /INHERITANCE:e /GRANT:r Admin:(F)
C:\Windows\System32\takeown.exe
"C:\Windows\System32\takeown.exe" /S KHBTHJFA /U Admin /F "C:\Windows\System32\TieringEngineService.exe"
C:\Windows\System32\icacls.exe
"C:\Windows\System32\icacls.exe" "C:\Windows\System32\TieringEngineService.exe" /INHERITANCE:e /GRANT:r Admin:(F)
C:\Windows\System32\takeown.exe
"C:\Windows\System32\takeown.exe" /S KHBTHJFA /U Admin /F "C:\Windows\System32\TieringEngineService.exe"
C:\Windows\System32\icacls.exe
"C:\Windows\System32\icacls.exe" "C:\Windows\System32\TieringEngineService.exe" /INHERITANCE:e /GRANT:r Admin:(F)
C:\Windows\System32\takeown.exe
"C:\Windows\System32\takeown.exe" /S KHBTHJFA /U Admin /F "C:\Windows\System32\TieringEngineService.exe"
C:\Windows\System32\icacls.exe
"C:\Windows\System32\icacls.exe" "C:\Windows\System32\TieringEngineService.exe" /INHERITANCE:e /GRANT:r Admin:(F)
C:\Windows\System32\takeown.exe
"C:\Windows\System32\takeown.exe" /S KHBTHJFA /U Admin /F "C:\Windows\System32\TieringEngineService.exe"
C:\Windows\System32\icacls.exe
"C:\Windows\System32\icacls.exe" "C:\Windows\System32\TieringEngineService.exe" /INHERITANCE:e /GRANT:r Admin:(F)
C:\Windows\System32\takeown.exe
"C:\Windows\System32\takeown.exe" /S KHBTHJFA /U Admin /F "C:\Windows\System32\TieringEngineService.exe"
C:\Windows\System32\icacls.exe
"C:\Windows\System32\icacls.exe" "C:\Windows\System32\TieringEngineService.exe" /INHERITANCE:e /GRANT:r Admin:(F)
C:\Windows\System32\takeown.exe
"C:\Windows\System32\takeown.exe" /S KHBTHJFA /U Admin /F "C:\Windows\System32\TieringEngineService.exe"
C:\Windows\System32\icacls.exe
"C:\Windows\System32\icacls.exe" "C:\Windows\System32\TieringEngineService.exe" /INHERITANCE:e /GRANT:r Admin:(F)
C:\Windows\System32\takeown.exe
"C:\Windows\System32\takeown.exe" /S KHBTHJFA /U Admin /F "C:\Windows\System32\TieringEngineService.exe"
C:\Windows\System32\icacls.exe
"C:\Windows\System32\icacls.exe" "C:\Windows\System32\TieringEngineService.exe" /INHERITANCE:e /GRANT:r Admin:(F)
C:\Windows\System32\takeown.exe
"C:\Windows\System32\takeown.exe" /S KHBTHJFA /U Admin /F "C:\Windows\System32\TieringEngineService.exe"
C:\Windows\System32\icacls.exe
"C:\Windows\System32\icacls.exe" "C:\Windows\System32\TieringEngineService.exe" /INHERITANCE:e /GRANT:r Admin:(F)
C:\Windows\System32\takeown.exe
"C:\Windows\System32\takeown.exe" /S KHBTHJFA /U Admin /F "C:\Windows\System32\TieringEngineService.exe"
C:\Windows\System32\icacls.exe
"C:\Windows\System32\icacls.exe" "C:\Windows\System32\TieringEngineService.exe" /INHERITANCE:e /GRANT:r Admin:(F)
C:\Windows\System32\takeown.exe
"C:\Windows\System32\takeown.exe" /S KHBTHJFA /U Admin /F "C:\Windows\System32\TieringEngineService.exe"
C:\Windows\System32\icacls.exe
"C:\Windows\System32\icacls.exe" "C:\Windows\System32\TieringEngineService.exe" /INHERITANCE:e /GRANT:r Admin:(F)
C:\Windows\System32\takeown.exe
"C:\Windows\System32\takeown.exe" /S KHBTHJFA /U Admin /F "C:\Windows\System32\TieringEngineService.exe"
C:\Windows\System32\icacls.exe
"C:\Windows\System32\icacls.exe" "C:\Windows\System32\TieringEngineService.exe" /INHERITANCE:e /GRANT:r Admin:(F)
C:\Windows\System32\takeown.exe
"C:\Windows\System32\takeown.exe" /S KHBTHJFA /U Admin /F "C:\Windows\System32\TieringEngineService.exe"
C:\Windows\System32\icacls.exe
"C:\Windows\System32\icacls.exe" "C:\Windows\System32\TieringEngineService.exe" /INHERITANCE:e /GRANT:r Admin:(F)
C:\Windows\System32\takeown.exe
"C:\Windows\System32\takeown.exe" /S KHBTHJFA /U Admin /F "C:\Windows\System32\TieringEngineService.exe"
C:\Windows\System32\icacls.exe
"C:\Windows\System32\icacls.exe" "C:\Windows\System32\TieringEngineService.exe" /INHERITANCE:e /GRANT:r Admin:(F)
C:\Windows\System32\takeown.exe
"C:\Windows\System32\takeown.exe" /S KHBTHJFA /U Admin /F "C:\Windows\System32\TieringEngineService.exe"
C:\Windows\System32\icacls.exe
"C:\Windows\System32\icacls.exe" "C:\Windows\System32\TieringEngineService.exe" /INHERITANCE:e /GRANT:r Admin:(F)
C:\Windows\System32\takeown.exe
"C:\Windows\System32\takeown.exe" /S KHBTHJFA /U Admin /F "C:\Windows\System32\TieringEngineService.exe"
C:\Windows\System32\icacls.exe
"C:\Windows\System32\icacls.exe" "C:\Windows\System32\TieringEngineService.exe" /INHERITANCE:e /GRANT:r Admin:(F)
C:\Windows\System32\takeown.exe
"C:\Windows\System32\takeown.exe" /S KHBTHJFA /U Admin /F "C:\Windows\System32\TieringEngineService.exe"
C:\Windows\System32\icacls.exe
"C:\Windows\System32\icacls.exe" "C:\Windows\System32\TieringEngineService.exe" /INHERITANCE:e /GRANT:r Admin:(F)
C:\Windows\System32\takeown.exe
"C:\Windows\System32\takeown.exe" /S KHBTHJFA /U Admin /F "C:\Windows\System32\TieringEngineService.exe"
C:\Windows\System32\icacls.exe
"C:\Windows\System32\icacls.exe" "C:\Windows\System32\TieringEngineService.exe" /INHERITANCE:e /GRANT:r Admin:(F)
C:\Windows\System32\takeown.exe
"C:\Windows\System32\takeown.exe" /S KHBTHJFA /U Admin /F "C:\Windows\System32\TieringEngineService.exe"
C:\Windows\System32\icacls.exe
"C:\Windows\System32\icacls.exe" "C:\Windows\System32\TieringEngineService.exe" /INHERITANCE:e /GRANT:r Admin:(F)
C:\Windows\System32\takeown.exe
"C:\Windows\System32\takeown.exe" /S KHBTHJFA /U Admin /F "C:\Windows\System32\TieringEngineService.exe"
C:\Windows\System32\icacls.exe
"C:\Windows\System32\icacls.exe" "C:\Windows\System32\TieringEngineService.exe" /INHERITANCE:e /GRANT:r Admin:(F)
C:\Windows\System32\takeown.exe
"C:\Windows\System32\takeown.exe" /S KHBTHJFA /U Admin /F "C:\Windows\System32\TieringEngineService.exe"
C:\Windows\System32\icacls.exe
"C:\Windows\System32\icacls.exe" "C:\Windows\System32\TieringEngineService.exe" /INHERITANCE:e /GRANT:r Admin:(F)
C:\Windows\System32\takeown.exe
"C:\Windows\System32\takeown.exe" /S KHBTHJFA /U Admin /F "C:\Windows\System32\TieringEngineService.exe"
C:\Windows\System32\icacls.exe
"C:\Windows\System32\icacls.exe" "C:\Windows\System32\TieringEngineService.exe" /INHERITANCE:e /GRANT:r Admin:(F)
C:\Windows\System32\takeown.exe
"C:\Windows\System32\takeown.exe" /S KHBTHJFA /U Admin /F "C:\Windows\System32\TieringEngineService.exe"
C:\Windows\System32\icacls.exe
"C:\Windows\System32\icacls.exe" "C:\Windows\System32\TieringEngineService.exe" /INHERITANCE:e /GRANT:r Admin:(F)
C:\Windows\System32\takeown.exe
"C:\Windows\System32\takeown.exe" /S KHBTHJFA /U Admin /F "C:\Windows\System32\TieringEngineService.exe"
C:\Windows\System32\icacls.exe
"C:\Windows\System32\icacls.exe" "C:\Windows\System32\TieringEngineService.exe" /INHERITANCE:e /GRANT:r Admin:(F)
C:\Windows\System32\takeown.exe
"C:\Windows\System32\takeown.exe" /S KHBTHJFA /U Admin /F "C:\Windows\System32\TieringEngineService.exe"
C:\Windows\System32\icacls.exe
"C:\Windows\System32\icacls.exe" "C:\Windows\System32\TieringEngineService.exe" /INHERITANCE:e /GRANT:r Admin:(F)
C:\Windows\System32\takeown.exe
"C:\Windows\System32\takeown.exe" /S KHBTHJFA /U Admin /F "C:\Windows\System32\TieringEngineService.exe"
C:\Windows\System32\icacls.exe
"C:\Windows\System32\icacls.exe" "C:\Windows\System32\TieringEngineService.exe" /INHERITANCE:e /GRANT:r Admin:(F)
C:\Windows\System32\takeown.exe
"C:\Windows\System32\takeown.exe" /S KHBTHJFA /U Admin /F "C:\Windows\System32\TieringEngineService.exe"
C:\Windows\System32\icacls.exe
"C:\Windows\System32\icacls.exe" "C:\Windows\System32\TieringEngineService.exe" /INHERITANCE:e /GRANT:r Admin:(F)
C:\Windows\System32\takeown.exe
"C:\Windows\System32\takeown.exe" /S KHBTHJFA /U Admin /F "C:\Windows\System32\TieringEngineService.exe"
C:\Windows\System32\icacls.exe
"C:\Windows\System32\icacls.exe" "C:\Windows\System32\TieringEngineService.exe" /INHERITANCE:e /GRANT:r Admin:(F)
C:\Windows\System32\takeown.exe
"C:\Windows\System32\takeown.exe" /S KHBTHJFA /U Admin /F "C:\Windows\System32\TieringEngineService.exe"
C:\Windows\System32\icacls.exe
"C:\Windows\System32\icacls.exe" "C:\Windows\System32\TieringEngineService.exe" /INHERITANCE:e /GRANT:r Admin:(F)
C:\Windows\System32\takeown.exe
"C:\Windows\System32\takeown.exe" /S KHBTHJFA /U Admin /F "C:\Windows\System32\TieringEngineService.exe"
C:\Windows\System32\icacls.exe
"C:\Windows\System32\icacls.exe" "C:\Windows\System32\TieringEngineService.exe" /INHERITANCE:e /GRANT:r Admin:(F)
C:\Windows\System32\takeown.exe
"C:\Windows\System32\takeown.exe" /S KHBTHJFA /U Admin /F "C:\Windows\System32\TieringEngineService.exe"
C:\Windows\System32\icacls.exe
"C:\Windows\System32\icacls.exe" "C:\Windows\System32\TieringEngineService.exe" /INHERITANCE:e /GRANT:r Admin:(F)
C:\Windows\System32\takeown.exe
"C:\Windows\System32\takeown.exe" /S KHBTHJFA /U Admin /F "C:\Windows\System32\TieringEngineService.exe"
C:\Windows\System32\icacls.exe
"C:\Windows\System32\icacls.exe" "C:\Windows\System32\TieringEngineService.exe" /INHERITANCE:e /GRANT:r Admin:(F)
Network
Files
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\ccdSoVvQW.exe
C:\Windows\System32\TieringEngineService.exe
Analysis: behavioral2
Detonation Overview
Submitted
2024-11-05 12:29
Reported
2024-11-05 12:31
Platform
win10v2004-20241007-en
Max time kernel
102s
Max time network
102s
Command Line
Signatures
UAC bypass
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\System32\reg.exe | N/A |
Disables Task Manager via registry modification
Possible privilege escalation attempt
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\458593810dc256bbc2aa7e756deab2b201acc3966c8144a9098e5c02ab0eee03N.exe | N/A |
Modifies file permissions
Modifies system executable filetype association
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\458593810dc256bbc2aa7e756deab2b201acc3966c8144a9098e5c02ab0eee03N.exe BATCF %1" | C:\Users\Admin\AppData\Local\Temp\458593810dc256bbc2aa7e756deab2b201acc3966c8144a9098e5c02ab0eee03N.exe | N/A |
File and Directory Permissions Modification: Windows File and Directory Permissions Modification
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\System32\SpatialAudioLicenseSrv.exe | C:\Users\Admin\AppData\Local\Temp\458593810dc256bbc2aa7e756deab2b201acc3966c8144a9098e5c02ab0eee03N.exe | N/A |
Enumerates physical storage devices
Modifies registry class
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\458593810dc256bbc2aa7e756deab2b201acc3966c8144a9098e5c02ab0eee03N.exe BATCF %1" | C:\Users\Admin\AppData\Local\Temp\458593810dc256bbc2aa7e756deab2b201acc3966c8144a9098e5c02ab0eee03N.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\cmdfile\shell\open\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\458593810dc256bbc2aa7e756deab2b201acc3966c8144a9098e5c02ab0eee03N.exe CMDSF %1" | C:\Users\Admin\AppData\Local\Temp\458593810dc256bbc2aa7e756deab2b201acc3966c8144a9098e5c02ab0eee03N.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\giffile\shell\Open\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\458593810dc256bbc2aa7e756deab2b201acc3966c8144a9098e5c02ab0eee03N.exe JPGIF %1" | C:\Users\Admin\AppData\Local\Temp\458593810dc256bbc2aa7e756deab2b201acc3966c8144a9098e5c02ab0eee03N.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\458593810dc256bbc2aa7e756deab2b201acc3966c8144a9098e5c02ab0eee03N.exe VBSSF %1" | C:\Users\Admin\AppData\Local\Temp\458593810dc256bbc2aa7e756deab2b201acc3966c8144a9098e5c02ab0eee03N.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\open\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\458593810dc256bbc2aa7e756deab2b201acc3966c8144a9098e5c02ab0eee03N.exe HTMWF %1" | C:\Users\Admin\AppData\Local\Temp\458593810dc256bbc2aa7e756deab2b201acc3966c8144a9098e5c02ab0eee03N.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\rtffile\shell\open\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\458593810dc256bbc2aa7e756deab2b201acc3966c8144a9098e5c02ab0eee03N.exe RTFDF %1" | C:\Users\Admin\AppData\Local\Temp\458593810dc256bbc2aa7e756deab2b201acc3966c8144a9098e5c02ab0eee03N.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\xmlfile\shell\Open\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\458593810dc256bbc2aa7e756deab2b201acc3966c8144a9098e5c02ab0eee03N.exe NTPAD %1" | C:\Users\Admin\AppData\Local\Temp\458593810dc256bbc2aa7e756deab2b201acc3966c8144a9098e5c02ab0eee03N.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\458593810dc256bbc2aa7e756deab2b201acc3966c8144a9098e5c02ab0eee03N.exe NTPAD %1" | C:\Users\Admin\AppData\Local\Temp\458593810dc256bbc2aa7e756deab2b201acc3966c8144a9098e5c02ab0eee03N.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\open\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\458593810dc256bbc2aa7e756deab2b201acc3966c8144a9098e5c02ab0eee03N.exe NTPAD %1" | C:\Users\Admin\AppData\Local\Temp\458593810dc256bbc2aa7e756deab2b201acc3966c8144a9098e5c02ab0eee03N.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\inifile\shell\open\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\458593810dc256bbc2aa7e756deab2b201acc3966c8144a9098e5c02ab0eee03N.exe NTPAD %1" | C:\Users\Admin\AppData\Local\Temp\458593810dc256bbc2aa7e756deab2b201acc3966c8144a9098e5c02ab0eee03N.exe | N/A |
Modifies registry key
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\reg.exe | N/A |
| N/A | N/A | C:\Windows\System32\reg.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\458593810dc256bbc2aa7e756deab2b201acc3966c8144a9098e5c02ab0eee03N.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\458593810dc256bbc2aa7e756deab2b201acc3966c8144a9098e5c02ab0eee03N.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\System32\takeown.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\458593810dc256bbc2aa7e756deab2b201acc3966c8144a9098e5c02ab0eee03N.exe
"C:\Users\Admin\AppData\Local\Temp\458593810dc256bbc2aa7e756deab2b201acc3966c8144a9098e5c02ab0eee03N.exe"
C:\Windows\System32\reg.exe
"C:\Windows\System32\reg.exe" ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
C:\Windows\System32\reg.exe
"C:\Windows\System32\reg.exe" add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
C:\Windows\System32\takeown.exe
"C:\Windows\System32\takeown.exe" /S ZTSLLRFH /U Admin /F "C:\Windows\bfsvc.exe"
C:\Windows\System32\icacls.exe
"C:\Windows\System32\icacls.exe" "C:\Windows\bfsvc.exe" /INHERITANCE:e /GRANT:r Admin:(F)
C:\Windows\System32\takeown.exe
"C:\Windows\System32\takeown.exe" /S ZTSLLRFH /U Admin /F "C:\Windows\HelpPane.exe"
C:\Windows\System32\icacls.exe
"C:\Windows\System32\icacls.exe" "C:\Windows\HelpPane.exe" /INHERITANCE:e /GRANT:r Admin:(F)
C:\Windows\System32\takeown.exe
"C:\Windows\System32\takeown.exe" /S ZTSLLRFH /U Admin /F "C:\Windows\hh.exe"
C:\Windows\System32\icacls.exe
"C:\Windows\System32\icacls.exe" "C:\Windows\hh.exe" /INHERITANCE:e /GRANT:r Admin:(F)
C:\Windows\System32\takeown.exe
"C:\Windows\System32\takeown.exe" /S ZTSLLRFH /U Admin /F "C:\Windows\splwow64.exe"
C:\Windows\System32\icacls.exe
"C:\Windows\System32\icacls.exe" "C:\Windows\splwow64.exe" /INHERITANCE:e /GRANT:r Admin:(F)
C:\Windows\System32\takeown.exe
"C:\Windows\System32\takeown.exe" /S ZTSLLRFH /U Admin /F "C:\Windows\winhlp32.exe"
C:\Windows\System32\icacls.exe
"C:\Windows\System32\icacls.exe" "C:\Windows\winhlp32.exe" /INHERITANCE:e /GRANT:r Admin:(F)
C:\Windows\System32\takeown.exe
"C:\Windows\System32\takeown.exe" /S ZTSLLRFH /U Admin /F "C:\Windows\write.exe"
C:\Windows\System32\icacls.exe
"C:\Windows\System32\icacls.exe" "C:\Windows\write.exe" /INHERITANCE:e /GRANT:r Admin:(F)
C:\Windows\System32\takeown.exe
"C:\Windows\System32\takeown.exe" /S ZTSLLRFH /U Admin /F "C:\Windows\SysWOW64\raserver.exe"
C:\Windows\System32\icacls.exe
"C:\Windows\System32\icacls.exe" "C:\Windows\SysWOW64\raserver.exe" /INHERITANCE:e /GRANT:r Admin:(F)
C:\Windows\System32\takeown.exe
"C:\Windows\System32\takeown.exe" /S ZTSLLRFH /U Admin /F "C:\Windows\SysWOW64\msra.exe"
C:\Windows\System32\icacls.exe
"C:\Windows\System32\icacls.exe" "C:\Windows\SysWOW64\msra.exe" /INHERITANCE:e /GRANT:r Admin:(F)
C:\Windows\System32\takeown.exe
"C:\Windows\System32\takeown.exe" /S ZTSLLRFH /U Admin /F "C:\Windows\SysWOW64\quickassist.exe"
C:\Windows\System32\icacls.exe
"C:\Windows\System32\icacls.exe" "C:\Windows\SysWOW64\quickassist.exe" /INHERITANCE:e /GRANT:r Admin:(F)
C:\Windows\System32\takeown.exe
"C:\Windows\System32\takeown.exe" /S ZTSLLRFH /U Admin /F "C:\Windows\SysWOW64\sdchange.exe"
C:\Windows\System32\icacls.exe
"C:\Windows\System32\icacls.exe" "C:\Windows\SysWOW64\sdchange.exe" /INHERITANCE:e /GRANT:r Admin:(F)
C:\Windows\System32\takeown.exe
"C:\Windows\System32\takeown.exe" /S ZTSLLRFH /U Admin /F "C:\Windows\SysWOW64\CameraSettingsUIHost.exe"
C:\Windows\System32\icacls.exe
"C:\Windows\System32\icacls.exe" "C:\Windows\SysWOW64\CameraSettingsUIHost.exe" /INHERITANCE:e /GRANT:r Admin:(F)
C:\Windows\System32\takeown.exe
"C:\Windows\System32\takeown.exe" /S ZTSLLRFH /U Admin /F "C:\Windows\SysWOW64\logagent.exe"
C:\Windows\System32\icacls.exe
"C:\Windows\System32\icacls.exe" "C:\Windows\SysWOW64\logagent.exe" /INHERITANCE:e /GRANT:r Admin:(F)
C:\Windows\System32\takeown.exe
"C:\Windows\System32\takeown.exe" /S ZTSLLRFH /U Admin /F "C:\Windows\SysWOW64\rrinstaller.exe"
C:\Windows\System32\icacls.exe
"C:\Windows\System32\icacls.exe" "C:\Windows\SysWOW64\rrinstaller.exe" /INHERITANCE:e /GRANT:r Admin:(F)
C:\Windows\System32\takeown.exe
"C:\Windows\System32\takeown.exe" /S ZTSLLRFH /U Admin /F "C:\Windows\SysWOW64\gpscript.exe"
C:\Windows\System32\icacls.exe
"C:\Windows\System32\icacls.exe" "C:\Windows\SysWOW64\gpscript.exe" /INHERITANCE:e /GRANT:r Admin:(F)
C:\Windows\System32\takeown.exe
"C:\Windows\System32\takeown.exe" /S ZTSLLRFH /U Admin /F "C:\Windows\SysWOW64\mavinject.exe"
C:\Windows\System32\icacls.exe
"C:\Windows\System32\icacls.exe" "C:\Windows\SysWOW64\mavinject.exe" /INHERITANCE:e /GRANT:r Admin:(F)
C:\Windows\System32\takeown.exe
"C:\Windows\System32\takeown.exe" /S ZTSLLRFH /U Admin /F "C:\Windows\SysWOW64\provlaunch.exe"
C:\Windows\System32\icacls.exe
"C:\Windows\System32\icacls.exe" "C:\Windows\SysWOW64\provlaunch.exe" /INHERITANCE:e /GRANT:r Admin:(F)
C:\Windows\System32\takeown.exe
"C:\Windows\System32\takeown.exe" /S ZTSLLRFH /U Admin /F "C:\Windows\SysWOW64\msinfo32.exe"
C:\Windows\System32\icacls.exe
"C:\Windows\System32\icacls.exe" "C:\Windows\SysWOW64\msinfo32.exe" /INHERITANCE:e /GRANT:r Admin:(F)
C:\Windows\System32\takeown.exe
"C:\Windows\System32\takeown.exe" /S ZTSLLRFH /U Admin /F "C:\Windows\SysWOW64\runas.exe"
C:\Windows\System32\icacls.exe
"C:\Windows\System32\icacls.exe" "C:\Windows\SysWOW64\runas.exe" /INHERITANCE:e /GRANT:r Admin:(F)
C:\Windows\System32\takeown.exe
"C:\Windows\System32\takeown.exe" /S ZTSLLRFH /U Admin /F "C:\Windows\SysWOW64\mstsc.exe"
C:\Windows\System32\icacls.exe
"C:\Windows\System32\icacls.exe" "C:\Windows\SysWOW64\mstsc.exe" /INHERITANCE:e /GRANT:r Admin:(F)
C:\Windows\System32\takeown.exe
"C:\Windows\System32\takeown.exe" /S ZTSLLRFH /U Admin /F "C:\Windows\SysWOW64\sdiagnhost.exe"
C:\Windows\System32\icacls.exe
"C:\Windows\System32\icacls.exe" "C:\Windows\SysWOW64\sdiagnhost.exe" /INHERITANCE:e /GRANT:r Admin:(F)
C:\Windows\System32\takeown.exe
"C:\Windows\System32\takeown.exe" /S ZTSLLRFH /U Admin /F "C:\Windows\System32\SpatialAudioLicenseSrv.exe"
C:\Windows\System32\icacls.exe
"C:\Windows\System32\icacls.exe" "C:\Windows\System32\SpatialAudioLicenseSrv.exe" /INHERITANCE:e /GRANT:r Admin:(F)
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\System32\icacls.exe
"C:\Windows\System32\icacls.exe" "C:\Windows\System32\SpatialAudioLicenseSrv.exe" /INHERITANCE:e /GRANT:r Admin:(F)
C:\Windows\System32\takeown.exe
"C:\Windows\System32\takeown.exe" /S ZTSLLRFH /U Admin /F "C:\Windows\System32\SpatialAudioLicenseSrv.exe"
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\System32\icacls.exe
"C:\Windows\System32\icacls.exe" "C:\Windows\System32\SpatialAudioLicenseSrv.exe" /INHERITANCE:e /GRANT:r Admin:(F)
C:\Windows\System32\takeown.exe
"C:\Windows\System32\takeown.exe" /S ZTSLLRFH /U Admin /F "C:\Windows\System32\SpatialAudioLicenseSrv.exe"
C:\Windows\System32\icacls.exe
"C:\Windows\System32\icacls.exe" "C:\Windows\System32\SpatialAudioLicenseSrv.exe" /INHERITANCE:e /GRANT:r Admin:(F)
C:\Windows\System32\takeown.exe
"C:\Windows\System32\takeown.exe" /S ZTSLLRFH /U Admin /F "C:\Windows\System32\SpatialAudioLicenseSrv.exe"
C:\Windows\System32\icacls.exe
"C:\Windows\System32\icacls.exe" "C:\Windows\System32\SpatialAudioLicenseSrv.exe" /INHERITANCE:e /GRANT:r Admin:(F)
C:\Windows\System32\takeown.exe
"C:\Windows\System32\takeown.exe" /S ZTSLLRFH /U Admin /F "C:\Windows\System32\SpatialAudioLicenseSrv.exe"
C:\Windows\System32\icacls.exe
"C:\Windows\System32\icacls.exe" "C:\Windows\System32\SpatialAudioLicenseSrv.exe" /INHERITANCE:e /GRANT:r Admin:(F)
C:\Windows\System32\takeown.exe
"C:\Windows\System32\takeown.exe" /S ZTSLLRFH /U Admin /F "C:\Windows\System32\SpatialAudioLicenseSrv.exe"
C:\Windows\System32\icacls.exe
"C:\Windows\System32\icacls.exe" "C:\Windows\System32\SpatialAudioLicenseSrv.exe" /INHERITANCE:e /GRANT:r Admin:(F)
C:\Windows\System32\takeown.exe
"C:\Windows\System32\takeown.exe" /S ZTSLLRFH /U Admin /F "C:\Windows\System32\SpatialAudioLicenseSrv.exe"
C:\Windows\System32\icacls.exe
"C:\Windows\System32\icacls.exe" "C:\Windows\System32\SpatialAudioLicenseSrv.exe" /INHERITANCE:e /GRANT:r Admin:(F)
C:\Windows\System32\takeown.exe
"C:\Windows\System32\takeown.exe" /S ZTSLLRFH /U Admin /F "C:\Windows\System32\SpatialAudioLicenseSrv.exe"
C:\Windows\System32\icacls.exe
"C:\Windows\System32\icacls.exe" "C:\Windows\System32\SpatialAudioLicenseSrv.exe" /INHERITANCE:e /GRANT:r Admin:(F)
C:\Windows\System32\takeown.exe
"C:\Windows\System32\takeown.exe" /S ZTSLLRFH /U Admin /F "C:\Windows\System32\SpatialAudioLicenseSrv.exe"
C:\Windows\System32\icacls.exe
"C:\Windows\System32\icacls.exe" "C:\Windows\System32\SpatialAudioLicenseSrv.exe" /INHERITANCE:e /GRANT:r Admin:(F)
C:\Windows\System32\takeown.exe
"C:\Windows\System32\takeown.exe" /S ZTSLLRFH /U Admin /F "C:\Windows\System32\SpatialAudioLicenseSrv.exe"
C:\Windows\System32\icacls.exe
"C:\Windows\System32\icacls.exe" "C:\Windows\System32\SpatialAudioLicenseSrv.exe" /INHERITANCE:e /GRANT:r Admin:(F)
C:\Windows\System32\takeown.exe
"C:\Windows\System32\takeown.exe" /S ZTSLLRFH /U Admin /F "C:\Windows\System32\SpatialAudioLicenseSrv.exe"
C:\Windows\System32\icacls.exe
"C:\Windows\System32\icacls.exe" "C:\Windows\System32\SpatialAudioLicenseSrv.exe" /INHERITANCE:e /GRANT:r Admin:(F)
C:\Windows\System32\takeown.exe
"C:\Windows\System32\takeown.exe" /S ZTSLLRFH /U Admin /F "C:\Windows\System32\SpatialAudioLicenseSrv.exe"
C:\Windows\System32\icacls.exe
"C:\Windows\System32\icacls.exe" "C:\Windows\System32\SpatialAudioLicenseSrv.exe" /INHERITANCE:e /GRANT:r Admin:(F)
C:\Windows\System32\takeown.exe
"C:\Windows\System32\takeown.exe" /S ZTSLLRFH /U Admin /F "C:\Windows\System32\SpatialAudioLicenseSrv.exe"
C:\Windows\System32\icacls.exe
"C:\Windows\System32\icacls.exe" "C:\Windows\System32\SpatialAudioLicenseSrv.exe" /INHERITANCE:e /GRANT:r Admin:(F)
C:\Windows\System32\takeown.exe
"C:\Windows\System32\takeown.exe" /S ZTSLLRFH /U Admin /F "C:\Windows\System32\SpatialAudioLicenseSrv.exe"
C:\Windows\System32\icacls.exe
"C:\Windows\System32\icacls.exe" "C:\Windows\System32\SpatialAudioLicenseSrv.exe" /INHERITANCE:e /GRANT:r Admin:(F)
C:\Windows\System32\takeown.exe
"C:\Windows\System32\takeown.exe" /S ZTSLLRFH /U Admin /F "C:\Windows\System32\SpatialAudioLicenseSrv.exe"
C:\Windows\System32\icacls.exe
"C:\Windows\System32\icacls.exe" "C:\Windows\System32\SpatialAudioLicenseSrv.exe" /INHERITANCE:e /GRANT:r Admin:(F)
C:\Windows\System32\takeown.exe
"C:\Windows\System32\takeown.exe" /S ZTSLLRFH /U Admin /F "C:\Windows\System32\SpatialAudioLicenseSrv.exe"
C:\Windows\System32\icacls.exe
"C:\Windows\System32\icacls.exe" "C:\Windows\System32\SpatialAudioLicenseSrv.exe" /INHERITANCE:e /GRANT:r Admin:(F)
C:\Windows\System32\takeown.exe
"C:\Windows\System32\takeown.exe" /S ZTSLLRFH /U Admin /F "C:\Windows\System32\SpatialAudioLicenseSrv.exe"
C:\Windows\System32\icacls.exe
"C:\Windows\System32\icacls.exe" "C:\Windows\System32\SpatialAudioLicenseSrv.exe" /INHERITANCE:e /GRANT:r Admin:(F)
C:\Windows\System32\takeown.exe
"C:\Windows\System32\takeown.exe" /S ZTSLLRFH /U Admin /F "C:\Windows\System32\SpatialAudioLicenseSrv.exe"
C:\Windows\System32\icacls.exe
"C:\Windows\System32\icacls.exe" "C:\Windows\System32\SpatialAudioLicenseSrv.exe" /INHERITANCE:e /GRANT:r Admin:(F)
C:\Windows\System32\takeown.exe
"C:\Windows\System32\takeown.exe" /S ZTSLLRFH /U Admin /F "C:\Windows\System32\SpatialAudioLicenseSrv.exe"
C:\Windows\System32\icacls.exe
"C:\Windows\System32\icacls.exe" "C:\Windows\System32\SpatialAudioLicenseSrv.exe" /INHERITANCE:e /GRANT:r Admin:(F)
C:\Windows\System32\takeown.exe
"C:\Windows\System32\takeown.exe" /S ZTSLLRFH /U Admin /F "C:\Windows\System32\SpatialAudioLicenseSrv.exe"
C:\Windows\System32\icacls.exe
"C:\Windows\System32\icacls.exe" "C:\Windows\System32\SpatialAudioLicenseSrv.exe" /INHERITANCE:e /GRANT:r Admin:(F)
C:\Windows\System32\takeown.exe
"C:\Windows\System32\takeown.exe" /S ZTSLLRFH /U Admin /F "C:\Windows\System32\SpatialAudioLicenseSrv.exe"
C:\Windows\System32\icacls.exe
"C:\Windows\System32\icacls.exe" "C:\Windows\System32\SpatialAudioLicenseSrv.exe" /INHERITANCE:e /GRANT:r Admin:(F)
C:\Windows\System32\takeown.exe
"C:\Windows\System32\takeown.exe" /S ZTSLLRFH /U Admin /F "C:\Windows\System32\SpatialAudioLicenseSrv.exe"
C:\Windows\System32\icacls.exe
"C:\Windows\System32\icacls.exe" "C:\Windows\System32\SpatialAudioLicenseSrv.exe" /INHERITANCE:e /GRANT:r Admin:(F)
C:\Windows\System32\takeown.exe
"C:\Windows\System32\takeown.exe" /S ZTSLLRFH /U Admin /F "C:\Windows\System32\SpatialAudioLicenseSrv.exe"
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\System32\icacls.exe
"C:\Windows\System32\icacls.exe" "C:\Windows\System32\SpatialAudioLicenseSrv.exe" /INHERITANCE:e /GRANT:r Admin:(F)
C:\Windows\System32\takeown.exe
"C:\Windows\System32\takeown.exe" /S ZTSLLRFH /U Admin /F "C:\Windows\System32\SpatialAudioLicenseSrv.exe"
C:\Windows\System32\icacls.exe
"C:\Windows\System32\icacls.exe" "C:\Windows\System32\SpatialAudioLicenseSrv.exe" /INHERITANCE:e /GRANT:r Admin:(F)
C:\Windows\System32\takeown.exe
"C:\Windows\System32\takeown.exe" /S ZTSLLRFH /U Admin /F "C:\Windows\System32\SpatialAudioLicenseSrv.exe"
C:\Windows\System32\icacls.exe
"C:\Windows\System32\icacls.exe" "C:\Windows\System32\SpatialAudioLicenseSrv.exe" /INHERITANCE:e /GRANT:r Admin:(F)
C:\Windows\System32\takeown.exe
"C:\Windows\System32\takeown.exe" /S ZTSLLRFH /U Admin /F "C:\Windows\System32\SpatialAudioLicenseSrv.exe"
C:\Windows\System32\icacls.exe
"C:\Windows\System32\icacls.exe" "C:\Windows\System32\SpatialAudioLicenseSrv.exe" /INHERITANCE:e /GRANT:r Admin:(F)
C:\Windows\System32\takeown.exe
"C:\Windows\System32\takeown.exe" /S ZTSLLRFH /U Admin /F "C:\Windows\System32\SpatialAudioLicenseSrv.exe"
C:\Windows\System32\icacls.exe
"C:\Windows\System32\icacls.exe" "C:\Windows\System32\SpatialAudioLicenseSrv.exe" /INHERITANCE:e /GRANT:r Admin:(F)
C:\Windows\System32\takeown.exe
"C:\Windows\System32\takeown.exe" /S ZTSLLRFH /U Admin /F "C:\Windows\System32\SpatialAudioLicenseSrv.exe"
C:\Windows\System32\icacls.exe
"C:\Windows\System32\icacls.exe" "C:\Windows\System32\SpatialAudioLicenseSrv.exe" /INHERITANCE:e /GRANT:r Admin:(F)
C:\Windows\System32\takeown.exe
"C:\Windows\System32\takeown.exe" /S ZTSLLRFH /U Admin /F "C:\Windows\System32\SpatialAudioLicenseSrv.exe"
C:\Windows\System32\icacls.exe
"C:\Windows\System32\icacls.exe" "C:\Windows\System32\SpatialAudioLicenseSrv.exe" /INHERITANCE:e /GRANT:r Admin:(F)
C:\Windows\System32\takeown.exe
"C:\Windows\System32\takeown.exe" /S ZTSLLRFH /U Admin /F "C:\Windows\System32\SpatialAudioLicenseSrv.exe"
C:\Windows\System32\icacls.exe
"C:\Windows\System32\icacls.exe" "C:\Windows\System32\SpatialAudioLicenseSrv.exe" /INHERITANCE:e /GRANT:r Admin:(F)
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 136.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 150.171.28.10:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.163.245.4.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.42.69.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 92.12.20.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 31.243.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 10.27.171.150.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\temp.bak
C:\Windows\System32\SpatialAudioLicenseSrv.exe