Malware Analysis Report

2024-11-13 18:03

Sample ID: 241105-pn6mzatlgk
Target: 458593810dc256bbc2aa7e756deab2b201acc3966c8144a9098e5c02ab0eee03N
SHA256: 458593810dc256bbc2aa7e756deab2b201acc3966c8144a9098e5c02ab0eee03
Tags: defense_evasion discovery evasion exploit persistence trojan
Score: 10/10

Table of Contents

  Analysis Overview
  MITRE ATT&CK
    Enterprise Matrix V15
  Analysis: static1
    Detonation Overview
    Signatures
  Analysis: behavioral1
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files
  Analysis: behavioral2
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files

Analysis Overview

Score: 10/10

SHA256: 458593810dc256bbc2aa7e756deab2b201acc3966c8144a9098e5c02ab0eee03

Threat Level: Known bad

The file 458593810dc256bbc2aa7e756deab2b201acc3966c8144a9098e5c02ab0eee03N was found to be: Known bad.

Malicious Activity Summary

defense_evasion discovery evasion exploit persistence trojan

UAC bypass

Disables Task Manager via registry modification

Possible privilege escalation attempt

Modifies system executable filetype association

Modifies file permissions

Checks computer location settings

File and Directory Permissions Modification: Windows File and Directory Permissions Modification

Drops file in System32 directory

Enumerates physical storage devices

Unsigned PE

Suspicious behavior: EnumeratesProcesses

Modifies registry key

Suspicious behavior: GetForegroundWindowSpam

Modifies registry class

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2024-11-05 12:29

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2024-11-05 12:29
Reported: 2024-11-05 12:31
Platform: win7-20240903-en
Max time kernel: 120s
Max time network: 119s

Command Line

"C:\Users\Admin\AppData\Local\Temp\458593810dc256bbc2aa7e756deab2b201acc3966c8144a9098e5c02ab0eee03N.exe"

Signatures

UAC bypass

evasion trojan
Description | Indicator | Process | Target
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\System32\reg.exe | N/A

Disables Task Manager via registry modification

evasion

Possible privilege escalation attempt

exploit
Events | Description | Indicator | Process | Target
38 | N/A | N/A | C:\Windows\System32\takeown.exe | N/A
26 | N/A | N/A | C:\Windows\System32\icacls.exe | N/A

Modifies file permissions

discovery
Events | Description | Indicator | Process | Target
33 | N/A | N/A | C:\Windows\System32\takeown.exe | N/A
31 | N/A | N/A | C:\Windows\System32\icacls.exe | N/A

Modifies system executable filetype association

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\458593810dc256bbc2aa7e756deab2b201acc3966c8144a9098e5c02ab0eee03N.exe BATCF %1" | C:\Users\Admin\AppData\Local\Temp\458593810dc256bbc2aa7e756deab2b201acc3966c8144a9098e5c02ab0eee03N.exe | N/A

File and Directory Permissions Modification: Windows File and Directory Permissions Modification

defense_evasion

Drops file in System32 directory

Description | Indicator | Process | Target
File created | C:\Windows\System32\TieringEngineService.exe | C:\Users\Admin\AppData\Local\Temp\458593810dc256bbc2aa7e756deab2b201acc3966c8144a9098e5c02ab0eee03N.exe | N/A
File opened for modification | C:\Windows\System32\TieringEngineService.exe | C:\Users\Admin\AppData\Local\Temp\458593810dc256bbc2aa7e756deab2b201acc3966c8144a9098e5c02ab0eee03N.exe | N/A

Enumerates physical storage devices

Modifies registry class

<sample> = C:\Users\Admin\AppData\Local\Temp\458593810dc256bbc2aa7e756deab2b201acc3966c8144a9098e5c02ab0eee03N.exe (inside the Indicator value the report shows this path with doubled backslashes)

Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\pngfile\shell\open\command\ = "<sample> JPGIF %1" | <sample> | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\giffile\shell\Open\command\ = "<sample> JPGIF %1" | <sample> | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command\ = "<sample> VBSSF %1" | <sample> | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\open\command\ = "<sample> HTMWF %1" | <sample> | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\xmlfile\shell\open\command\ = "<sample> NTPAD %1" | <sample> | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\inifile\shell\open\command\ = "<sample> NTPAD %1" | <sample> | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "<sample> NTPAD %1" | <sample> | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "<sample> BATCF %1" | <sample> | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\icofile\shell\open\command\ = "<sample> JPGIF %1" | <sample> | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\rtffile\shell\open\command\ = "<sample> RTFDF %1" | <sample> | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\open\command\ = "<sample> NTPAD %1" | <sample> | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\cmdfile\shell\open\command\ = "<sample> CMDSF %1" | <sample> | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\jpegfile\shell\open\command\ = "<sample> JPGIF %1" | <sample> | N/A
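The thirteen rows above repoint the shell\open\command handler of common document and script classes at the sample in the user's Temp directory, with a five-letter tag (JPGIF, VBSSF, HTMWF, NTPAD, BATCF, RTFDF, CMDSF) placed in front of the %1 placeholder. This is ATT&CK T1546.001 (Change Default File Association); the batfile, cmdfile and VBSFile rows mean the sample is re-launched whenever a script of those types is opened, which is why the report files it under persistence. The Python below is an added example, not code from the report or the sandbox: it parses indicator strings in the report's own `<key> = "<value>"` layout and flags any handler whose executable lives outside the Windows and Program Files trees. The benign inifile/pngfile rows, the non-association EnableLUA row, the %SystemRoot% mapping and the list of user-writable subdirectories under C:\Windows are assumptions constructed for the example.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Set

SAMPLE_EXE = (r"C:\Users\Admin\AppData\Local\Temp"
              r"\458593810dc256bbc2aa7e756deab2b201acc3966c8144a9098e5c02ab0eee03N.exe")
# The report prints the value with doubled backslashes; build that form once.
_ESC = SAMPLE_EXE.replace("\\", "\\\\")

# Constructed input in the report's '<key> = "<value>"' layout.  The first six
# rows copy this report's indicators; the inifile/pngfile rows are benign
# defaults and the EnableLUA row a non-association key, added here (assumed,
# not from the report) so the negative cases are visible.
INDICATORS = [
    r'\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "' + _ESC + ' BATCF %1"',
    r'\REGISTRY\MACHINE\SOFTWARE\Classes\cmdfile\shell\open\command\ = "' + _ESC + ' CMDSF %1"',
    r'\REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command\ = "' + _ESC + ' VBSSF %1"',
    r'\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\open\command\ = "' + _ESC + ' HTMWF %1"',
    r'\REGISTRY\MACHINE\SOFTWARE\Classes\giffile\shell\Open\command\ = "' + _ESC + ' JPGIF %1"',
    r'\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "' + _ESC + ' NTPAD %1"',
    r'\REGISTRY\MACHINE\SOFTWARE\Classes\inifile\shell\open\command\ = "%SystemRoot%\\System32\\NOTEPAD.EXE %1"',
    r'\REGISTRY\MACHINE\SOFTWARE\Classes\pngfile\shell\open\command\ = "C:\\Windows\\System32\\rundll32.exe C:\\Windows\\System32\\shimgvw.dll,ImageView_Fullscreen %1"',
    r'\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"',
]

# HKLM and HKCU (\REGISTRY\USER\<SID>\...) association keys, any verb, case-insensitive.
ASSOC_KEY = re.compile(
    r'^\\REGISTRY\\(?P<hive>MACHINE|USER\\[^\\]+)\\SOFTWARE\\Classes\\'
    r'(?P<progid>[^\\]+)\\shell\\(?P<verb>[^\\]+)\\command\\?\s*=\s*"(?P<value>.*)"\s*$',
    re.IGNORECASE,
)

# Assumed expansions for the variables Windows uses in default handlers.
_ENV = {"%systemroot%": r"C:\Windows", "%windir%": r"C:\Windows",
        "%programfiles%": r"C:\Program Files"}
_TRUSTED_ROOTS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")
# Partial list of directories under C:\Windows a standard user can write to.
_WRITABLE_UNDER_WINDOWS = ("c:\\windows\\temp\\", "c:\\windows\\tasks\\", "c:\\windows\\tracing\\")

# ProgIDs whose handler runs whenever a script or executable is launched.
CODE_EXEC_PROGIDS = {"exefile", "comfile", "batfile", "cmdfile", "vbsfile",
                     "jsfile", "wsffile", "scrfile", "piffile"}


@dataclass(frozen=True)
class Hijack:
    hive: str
    progid: str
    verb: str
    exe: str    # handler executable after unescaping and %VAR% expansion
    args: str   # remainder of the command, e.g. 'BATCF %1'


def _unescape(value: str) -> str:
    """Undo the report's escaping of quotes and backslashes inside the value."""
    return value.replace('\\"', '"').replace("\\\\", "\\")


def _split_command(cmd: str):
    """Return (executable, rest) for a quoted or bare handler command line."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return (cmd[1:end], cmd[end + 1:].strip()) if end > 0 else (cmd[1:], "")
    head, _, rest = cmd.partition(" ")   # bare paths with spaces are not handled
    return head, rest.strip()


def _expand_env(path: str) -> str:
    return re.sub(r"%[^%]+%", lambda m: _ENV.get(m.group(0).lower(), m.group(0)), path)


def is_trusted_location(exe: str) -> bool:
    p = _expand_env(exe).lower()
    if p.startswith(_WRITABLE_UNDER_WINDOWS):
        return False
    return p.startswith(_TRUSTED_ROOTS)


def find_hijacked_associations(indicators: List[str]) -> List[Hijack]:
    found = []
    for line in indicators:
        m = ASSOC_KEY.match(line)
        if not m:
            continue
        exe, args = _split_command(_unescape(m["value"]))
        if is_trusted_location(exe):
            continue
        found.append(Hijack(m["hive"].upper(), m["progid"], m["verb"], _expand_env(exe), args))
    return found


def handlers_by_executable(findings: List[Hijack]) -> Dict[str, Set[str]]:
    """Group hijacked ProgIDs by handler; one executable owning many classes is the tell."""
    out: Dict[str, Set[str]] = {}
    for f in findings:
        out.setdefault(f.exe.lower(), set()).add(f.progid.lower())
    return out


def code_execution_hijacks(findings: List[Hijack]) -> List[str]:
    return sorted(f.progid for f in findings if f.progid.lower() in CODE_EXEC_PROGIDS)


if __name__ == "__main__":
    hits = find_hijacked_associations(INDICATORS)
    for h in hits:
        print(f"{h.hive} {h.progid}\\shell\\{h.verb} -> {h.exe} [{h.args}]")
    for exe, progids in handlers_by_executable(hits).items():
        print(f"{exe} now owns {len(progids)} classes: {', '.join(sorted(progids))}")
```

On a live host the same checks apply to the output of `reg query HKLM\SOFTWARE\Classes\<progid>\shell\open\command`; the point of grouping by executable is that a single file in a user-writable path owning several classes is a far stronger signal than any one association on its own.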

Modifies registry key

Events | Description | Indicator | Process | Target
2 | N/A | N/A | C:\Windows\System32\reg.exe | N/A

Suspicious behavior: EnumeratesProcesses

Events | Description | Indicator | Process | Target
21 | N/A | N/A | C:\Users\Admin\AppData\Local\Temp\458593810dc256bbc2aa7e756deab2b201acc3966c8144a9098e5c02ab0eee03N.exe | N/A

Suspicious behavior: GetForegroundWindowSpam

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\458593810dc256bbc2aa7e756deab2b201acc3966c8144a9098e5c02ab0eee03N.exe | N/A

Suspicious use of AdjustPrivilegeToken

Events | Description | Indicator | Process | Target
1 | Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\458593810dc256bbc2aa7e756deab2b201acc3966c8144a9098e5c02ab0eee03N.exe | N/A
20 | Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\System32\takeown.exe | N/A

Suspicious use of WriteProcessMemory

<sample> = C:\Users\Admin\AppData\Local\Temp\458593810dc256bbc2aa7e756deab2b201acc3966c8144a9098e5c02ab0eee03N.exe

Events | Description | Indicator | Process | Target
3 | PID 2568 wrote to memory of 2076 | N/A | <sample> | C:\Windows\System32\reg.exe
3 | PID 2568 wrote to memory of 2088 | N/A | <sample> | C:\Windows\System32\reg.exe
3 | PID 2568 wrote to memory of 2036 | N/A | <sample> | C:\Windows\System32\takeown.exe
3 | PID 2568 wrote to memory of 2156 | N/A | <sample> | C:\Windows\System32\icacls.exe
3 | PID 2568 wrote to memory of 1132 | N/A | <sample> | C:\Windows\System32\takeown.exe
3 | PID 2568 wrote to memory of 3052 | N/A | <sample> | C:\Windows\System32\icacls.exe
3 | PID 2568 wrote to memory of 1672 | N/A | <sample> | C:\Windows\System32\takeown.exe
3 | PID 2568 wrote to memory of 556 | N/A | <sample> | C:\Windows\System32\icacls.exe
3 | PID 2568 wrote to memory of 2152 | N/A | <sample> | C:\Windows\System32\takeown.exe
3 | PID 2568 wrote to memory of 2308 | N/A | <sample> | C:\Windows\System32\icacls.exe
3 | PID 2568 wrote to memory of 1728 | N/A | <sample> | C:\Windows\System32\takeown.exe
3 | PID 2568 wrote to memory of 2200 | N/A | <sample> | C:\Windows\System32\icacls.exe
3 | PID 2568 wrote to memory of 1904 | N/A | <sample> | C:\Windows\System32\takeown.exe
3 | PID 2568 wrote to memory of 1908 | N/A | <sample> | C:\Windows\System32\icacls.exe
3 | PID 2568 wrote to memory of 1884 | N/A | <sample> | C:\Windows\System32\takeown.exe
3 | PID 2568 wrote to memory of 3060 | N/A | <sample> | C:\Windows\System32\icacls.exe
3 | PID 2568 wrote to memory of 1900 | N/A | <sample> | C:\Windows\System32\takeown.exe
3 | PID 2568 wrote to memory of 1740 | N/A | <sample> | C:\Windows\System32\icacls.exe
3 | PID 2568 wrote to memory of 2068 | N/A | <sample> | C:\Windows\System32\takeown.exe
3 | PID 2568 wrote to memory of 1852 | N/A | <sample> | C:\Windows\System32\icacls.exe
3 | PID 2568 wrote to memory of 1688 | N/A | <sample> | C:\Windows\System32\takeown.exe
1 | PID 2568 wrote to memory of 2064 | N/A | <sample> | C:\Windows\System32\icacls.exe

Processes

C:\Users\Admin\AppData\Local\Temp\458593810dc256bbc2aa7e756deab2b201acc3966c8144a9098e5c02ab0eee03N.exe

"C:\Users\Admin\AppData\Local\Temp\458593810dc256bbc2aa7e756deab2b201acc3966c8144a9098e5c02ab0eee03N.exe"

C:\Windows\System32\reg.exe

"C:\Windows\System32\reg.exe" ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f

C:\Windows\System32\reg.exe

"C:\Windows\System32\reg.exe" add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f

C:\Windows\System32\takeown.exe

"C:\Windows\System32\takeown.exe" /S KHBTHJFA /U Admin /F "C:\Windows\bfsvc.exe"

C:\Windows\System32\icacls.exe

"C:\Windows\System32\icacls.exe" "C:\Windows\bfsvc.exe" /INHERITANCE:e /GRANT:r Admin:(F)

C:\Windows\System32\takeown.exe

"C:\Windows\System32\takeown.exe" /S KHBTHJFA /U Admin /F "C:\Windows\HelpPane.exe"

C:\Windows\System32\icacls.exe

"C:\Windows\System32\icacls.exe" "C:\Windows\HelpPane.exe" /INHERITANCE:e /GRANT:r Admin:(F)

C:\Windows\System32\takeown.exe

"C:\Windows\System32\takeown.exe" /S KHBTHJFA /U Admin /F "C:\Windows\hh.exe"

C:\Windows\System32\icacls.exe

"C:\Windows\System32\icacls.exe" "C:\Windows\hh.exe" /INHERITANCE:e /GRANT:r Admin:(F)

C:\Windows\System32\takeown.exe

"C:\Windows\System32\takeown.exe" /S KHBTHJFA /U Admin /F "C:\Windows\splwow64.exe"

C:\Windows\System32\icacls.exe

"C:\Windows\System32\icacls.exe" "C:\Windows\splwow64.exe" /INHERITANCE:e /GRANT:r Admin:(F)

C:\Windows\System32\takeown.exe

"C:\Windows\System32\takeown.exe" /S KHBTHJFA /U Admin /F "C:\Windows\winhlp32.exe"

C:\Windows\System32\icacls.exe

"C:\Windows\System32\icacls.exe" "C:\Windows\winhlp32.exe" /INHERITANCE:e /GRANT:r Admin:(F)

C:\Windows\System32\takeown.exe

"C:\Windows\System32\takeown.exe" /S KHBTHJFA /U Admin /F "C:\Windows\write.exe"

C:\Windows\System32\icacls.exe

"C:\Windows\System32\icacls.exe" "C:\Windows\write.exe" /INHERITANCE:e /GRANT:r Admin:(F)

C:\Windows\System32\takeown.exe

"C:\Windows\System32\takeown.exe" /S KHBTHJFA /U Admin /F "C:\Windows\SysWOW64\raserver.exe"

C:\Windows\System32\icacls.exe

"C:\Windows\System32\icacls.exe" "C:\Windows\SysWOW64\raserver.exe" /INHERITANCE:e /GRANT:r Admin:(F)

C:\Windows\System32\takeown.exe

"C:\Windows\System32\takeown.exe" /S KHBTHJFA /U Admin /F "C:\Windows\SysWOW64\msra.exe"

C:\Windows\System32\icacls.exe

"C:\Windows\System32\icacls.exe" "C:\Windows\SysWOW64\msra.exe" /INHERITANCE:e /GRANT:r Admin:(F)

C:\Windows\System32\takeown.exe

"C:\Windows\System32\takeown.exe" /S KHBTHJFA /U Admin /F "C:\Windows\SysWOW64\quickassist.exe"

C:\Windows\System32\icacls.exe

"C:\Windows\System32\icacls.exe" "C:\Windows\SysWOW64\quickassist.exe" /INHERITANCE:e /GRANT:r Admin:(F)

C:\Windows\System32\takeown.exe

"C:\Windows\System32\takeown.exe" /S KHBTHJFA /U Admin /F "C:\Windows\SysWOW64\sdchange.exe"

C:\Windows\System32\icacls.exe

"C:\Windows\System32\icacls.exe" "C:\Windows\SysWOW64\sdchange.exe" /INHERITANCE:e /GRANT:r Admin:(F)

C:\Windows\System32\takeown.exe

"C:\Windows\System32\takeown.exe" /S KHBTHJFA /U Admin /F "C:\Windows\SysWOW64\CameraSettingsUIHost.exe"

C:\Windows\System32\icacls.exe

"C:\Windows\System32\icacls.exe" "C:\Windows\SysWOW64\CameraSettingsUIHost.exe" /INHERITANCE:e /GRANT:r Admin:(F)

C:\Windows\System32\takeown.exe

"C:\Windows\System32\takeown.exe" /S KHBTHJFA /U Admin /F "C:\Windows\SysWOW64\logagent.exe"

C:\Windows\System32\icacls.exe

"C:\Windows\System32\icacls.exe" "C:\Windows\SysWOW64\logagent.exe" /INHERITANCE:e /GRANT:r Admin:(F)

C:\Windows\System32\takeown.exe

"C:\Windows\System32\takeown.exe" /S KHBTHJFA /U Admin /F "C:\Windows\SysWOW64\rrinstaller.exe"

C:\Windows\System32\icacls.exe

"C:\Windows\System32\icacls.exe" "C:\Windows\SysWOW64\rrinstaller.exe" /INHERITANCE:e /GRANT:r Admin:(F)

C:\Windows\System32\takeown.exe

"C:\Windows\System32\takeown.exe" /S KHBTHJFA /U Admin /F "C:\Windows\SysWOW64\gpscript.exe"

C:\Windows\System32\icacls.exe

"C:\Windows\System32\icacls.exe" "C:\Windows\SysWOW64\gpscript.exe" /INHERITANCE:e /GRANT:r Admin:(F)

C:\Windows\System32\takeown.exe

"C:\Windows\System32\takeown.exe" /S KHBTHJFA /U Admin /F "C:\Windows\SysWOW64\mavinject.exe"

C:\Windows\System32\icacls.exe

"C:\Windows\System32\icacls.exe" "C:\Windows\SysWOW64\mavinject.exe" /INHERITANCE:e /GRANT:r Admin:(F)

C:\Windows\System32\takeown.exe

"C:\Windows\System32\takeown.exe" /S KHBTHJFA /U Admin /F "C:\Windows\SysWOW64\provlaunch.exe"

C:\Windows\System32\icacls.exe

"C:\Windows\System32\icacls.exe" "C:\Windows\SysWOW64\provlaunch.exe" /INHERITANCE:e /GRANT:r Admin:(F)

C:\Windows\System32\takeown.exe

"C:\Windows\System32\takeown.exe" /S KHBTHJFA /U Admin /F "C:\Windows\SysWOW64\msinfo32.exe"

C:\Windows\System32\icacls.exe

"C:\Windows\System32\icacls.exe" "C:\Windows\SysWOW64\msinfo32.exe" /INHERITANCE:e /GRANT:r Admin:(F)

C:\Windows\System32\takeown.exe

"C:\Windows\System32\takeown.exe" /S KHBTHJFA /U Admin /F "C:\Windows\SysWOW64\runas.exe"

C:\Windows\System32\icacls.exe

"C:\Windows\System32\icacls.exe" "C:\Windows\SysWOW64\runas.exe" /INHERITANCE:e /GRANT:r Admin:(F)

C:\Windows\System32\takeown.exe

"C:\Windows\System32\takeown.exe" /S KHBTHJFA /U Admin /F "C:\Windows\SysWOW64\mstsc.exe"

C:\Windows\System32\icacls.exe

"C:\Windows\System32\icacls.exe" "C:\Windows\SysWOW64\mstsc.exe" /INHERITANCE:e /GRANT:r Admin:(F)

C:\Windows\System32\takeown.exe

"C:\Windows\System32\takeown.exe" /S KHBTHJFA /U Admin /F "C:\Windows\SysWOW64\sdiagnhost.exe"

C:\Windows\System32\icacls.exe

"C:\Windows\System32\icacls.exe" "C:\Windows\SysWOW64\sdiagnhost.exe" /INHERITANCE:e /GRANT:r Admin:(F)

C:\Windows\System32\takeown.exe

"C:\Windows\System32\takeown.exe" /S KHBTHJFA /U Admin /F "C:\Windows\System32\TieringEngineService.exe"

C:\Windows\System32\icacls.exe

"C:\Windows\System32\icacls.exe" "C:\Windows\System32\TieringEngineService.exe" /INHERITANCE:e /GRANT:r Admin:(F)

Network

N/A

Files

memory/2568-0-0x000007FEF5E43000-0x000007FEF5E44000-memory.dmp

memory/2568-1-0x00000000000E0000-0x0000000000108000-memory.dmp

memory/2568-2-0x000007FEF5E40000-0x000007FEF682C000-memory.dmp

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\ccdSoVvQW.exe

MD5 89dbd5177de5f57956377c7a1cf346c6
SHA1 82abadfb531e7ec094be889053762991e958e151
SHA256 55baf2c943a2becf9086a7f6f3e2d48d101e7e64d55d77ddc2802a6b2492409c
SHA512 e4020fa9d145688732118e38f5fad8509963689233b4212a8c046925e12fdbb78dc6373160e896a5b4e3ace19fa56494434dca5cdb984d0e9b616bb2e2b470e7

memory/2568-1112-0x000007FEF5E43000-0x000007FEF5E44000-memory.dmp

memory/2568-1245-0x000007FEF5E40000-0x000007FEF682C000-memory.dmp

C:\Windows\System32\TieringEngineService.exe

MD5 2b1dae2e9f4627aa4ca5dd895c0296b4
SHA1 5238d0ad96fed9db3e9933766474f1f6f792a2cf
SHA256 4fa00daec622ddf78c8ee7a4e41a58ba8cdfd12f3c116d4182829ac451d586db
SHA512 3b9b671a5c424ac096c32775008c67673b47046cf6c044bd191f1686fdf9c80cb28824e5f1d9c30d6251bd3ff00ab4c91d2368acd413747153bd4490beded87b

C:\Windows\System32\TieringEngineService.exe

MD5 9e145b8093a9d5df66f96aa062c5b68f
SHA1 2f04d282eaf6d69de85c3290626dddb874d03b63
SHA256 aed1bd140f8a544026f644ad530314166cbec7ceba05c7e911deadb63b1791b1
SHA512 c64f8f2ea2a494620260f45326da329368d58096084ca89f2fb3421b585f779893515af67e9a47109d0ff45bbcc29c0dbcdfdd8be6313fab0e3fedb0b2f4ea8b

C:\Windows\System32\TieringEngineService.exe

MD5 89924677e9bfd8083448419a882950c6
SHA1 83a560187d24457003403a70b133906dd2169cd4
SHA256 7c41eabecc24e523c471266cdb14a96631f0e1836a53f29e5b59d9a4b7a0e3b9
SHA512 84b68a9ba11a6b39fff6d654f09e17ff72f7115605863475880ffd777aceacb2149c2f9b0254b14f2450c837ad33513d91106663def4990acee314691be9b5c9

C:\Windows\System32\TieringEngineService.exe

MD5 83cba40e6aea8cb582a53c8b772a0413
SHA1 da36f9bd8290c62c4e0dcc5d503d74618759979f
SHA256 f485d1c36ef4591406816740d211d5297bb569ce597b085419364cf469bf57de
SHA512 bee5e7340563b3e8f8954fbe4ac95b082e72a83ddbda0b42e2ea0cf0092979105da24c04ae79f283abba5cc0b39aa6d47b31431aff3ac3c869509cfc1d9dbd00

C:\Windows\System32\TieringEngineService.exe

MD5 824a1047bb3cc8d36b0f22f0aa263dfd
SHA1 a86b45ed5f6e2fa5e133e987c860b9caeda48ac7
SHA256 e38dcc749136d8614bcdf5bd50d56da1d53843a5ef0eb3b5ed48f46829640dce
SHA512 9c5271dc417c905a3c1f3f527f8d3b03c0f1c24ee801edab3aca527efa7e7d2d3dea16ee67270e31ceaf9c1937f05af7fbcd5d4dadfb6530985fb363bed10e39

C:\Windows\System32\TieringEngineService.exe

MD5 3e0d5283b3adb0c1d6318403a0036932
SHA1 fa9879dacdb4ff295692634dcad27aad17f047ed
SHA256 e6f72bfd0e386dc2234744066419f0929f34af19c192f2871a3c08f31f2b3b80
SHA512 e8782073cd5d2b14a1241131688c10cdeef7e667280bc927b93b29705a06896301fc25f9729d5547816d278743093aab7964e6cd631bd6bcb0646e0bf222249a

C:\Windows\System32\TieringEngineService.exe

MD5 008f7f3900246efffd5e0f23d993f6a4
SHA1 38dd68944115d2dd3b53bf32c6ea36bed1a7719d
SHA256 9a1eb3e97e143d9f4191e4944573840bcb436374f44c12f0979ca8e332253903
SHA512 44d3ffbd0f448579bfd8acaca199fa2f1171aa707c108d3a9c17c1c2e02c84e2fe9a6cd38738fcc24ced47d8669e82def987d43a45875fbccca2e26d69809222

C:\Windows\System32\TieringEngineService.exe

MD5 bb8eb6f1435678e44038a171a6776625
SHA1 6649e5dcb6ef1aa02079c21003b3dde5b4ccc5ed
SHA256 78e37c942128bceb8a9dcd0d2bed31ae6e483bc87d138c02f4af9d9e5a9c67dc
SHA512 71ed9ab55e911af2a6249fd24d114e818509e2db065242dd7656a7355949962b533d599944f0fcf78b403571362ebe07233be107e74f5317be917d462bbe28c5

C:\Windows\System32\TieringEngineService.exe

MD5 5373b27c1706d6b6458665a36462edc3
SHA1 f9409e9f008d02d9f80da685c8b813c54b7b2d9c
SHA256 aff33c9bb7595417469a54eef58701793e9fb7cc6add5339201be9c4d5ee4289
SHA512 9e88656a8aee32e030c3ee58d7bde94b6c1a78c92d8192f98ba3e247df4bf943589258a9665b5d027a8feed03b5a8e4cd651c39a8d47679f623d4541834b9c93

C:\Windows\System32\TieringEngineService.exe

MD5 4915836e64664f41ea434033645a1285
SHA1 3448278b03c5e85baefc9052d7d84263d8269998
SHA256 70c5eea280af6f14627210eb1f275397ba30e3545ab10e2dba468cfd49835c3a
SHA512 cdcebbb1e3e9a95ef5aaaf0b8417a84de3d000c3bbf57da18d659082a7cbcc74af638f13a3fda1f76b99bb6d0b7697f1d4ecb607426e9c1d37699ae469413d82

C:\Windows\System32\TieringEngineService.exe

MD5 4740dce00286267db0f16facc68c9dd7
SHA1 0399822590a0dcb50c22c467615cbf3906ad8ab6
SHA256 af82642b7c381442ff8950490252f4e73a0c56e490623d09534bd9c5f84010f4
SHA512 25c48e72625f2e85f706ff5513d06cfd2eb9e20723410f404a8211b1390ef5316969c77d703c89ec4009bcec8172562cd4b6c89b5ee1c34d70d3f7a29d3b3925

C:\Windows\System32\TieringEngineService.exe

MD5 a0158965387fa006365a79b35d3c9fbe
SHA1 4bbc3a0d155c4cfd21fcc84cb99dcee16138c213
SHA256 d078c0850d633b323d7048877c90b1282d2f103e43c910ceb167e0b4318fda15
SHA512 54e648ca83076505cf935129c67a955f60310a07203df6c1d421a49e167ffab1a29b69067090a9c2818f071e0495fc1ec2aad1e9c3451061824dc9282c2107d8

C:\Windows\System32\TieringEngineService.exe

MD5 b3ad3ab94de087c39996e02a7dc917da
SHA1 d0074e080bccbc09d4610ca9f85c02cd9336aee9
SHA256 75ca07c2e03b7438d20e8146a5c21bf6fbb3ca36451e1be3b48795cda97af8c9
SHA512 6fcbc3842e249a818b5de14376f03454459f07814f095984583963bbc25a142916dc8e22dffeb81fa830d1076dd95a184f1b63698e3f48cdea5aac72ddcd90f9

C:\Windows\System32\TieringEngineService.exe

MD5 b0f7d5cb00353a0e2102795faa73b2a8
SHA1 3c38ef955283a5e94606308d30551ec16bdc6e65
SHA256 76d757b592996dd4d071fdde84b5b77a3d83ed8bd01d9f693dc9644fe1deeb6b
SHA512 cff28268cc55a4e6cea2f40204c3d78c9793d0d4c56c12a380b84b6341da6127b3ad0626c0d6ada7c2287babdac2c71b8fbfa736eaf6ed7fe19d78e17ac91bce

C:\Windows\System32\TieringEngineService.exe

MD5 08377a1a576465cc24aded9f3df51617
SHA1 1eb24e408b9719301888bce65d57cc5d28311c97
SHA256 487017813d99667ab25e3389ea682c2ce754ae7add584f5eca415054d162dd0e
SHA512 54103dcb1d5c471677bf0e5561f7ede201b807ee60c2ffbbc78efca2790bfe8ec5464aa5d3b623cdc75dfe930b8105f177615928e62bb7e125cb518b302f0b5a

C:\Windows\System32\TieringEngineService.exe

MD5 c4a7867c7acc4e9a9f31c5344056084a
SHA1 f44161dec5c78fea0038c1387da545034de79157
SHA256 63e23b5b15e1c12ff8ea9915b8c7331d0b7cd1963998e1e1b6010e162e08c17f
SHA512 82d3fe8c87b19220925b779414c9eabef15e0eb9d47fcfb096d346db1a39e2f3f0a87a5555fbb862e811d8da6d2d82499686ca75ce7eca9db407dbf6af8ccd00

C:\Windows\System32\TieringEngineService.exe

MD5 a81c156cccffacc403f40990d9c5fc27
SHA1 92476a1f288447b87bc3332cb19a9b271ebb3206
SHA256 bf239381c9df24bcf2adf1d8d294a2716c086661628157df2cd3d4e00e7ed229
SHA512 f7080e7a3c177f71e46fbc75e52b64ec5674232d31c6b18e67d766670a932f14c6e5640aa82d8063f836c1c709a683b9ccfcf8e0669b874a0caa25910e501927

C:\Windows\System32\TieringEngineService.exe

MD5 d1e311798b66e3a6cd6a0da5c04c64b1
SHA1 4000c0aa1c84ae3d2036c01da270ff2071ccc377
SHA256 83cafcf5e9c5046df5f61226d5de33a62c48a92590a4519ad84f8bd461d5c987
SHA512 cbc5c9559bb84783a3643bfc6a55b624619b3fdfa55fca21ad022d428611898b730731cacfe98dead8a95c2a3fd32bb4001042ea56503ef79a9ce8f49fd79a4c

C:\Windows\System32\TieringEngineService.exe

MD5 b802052d3a1f9ae722fcf56495a67063
SHA1 0a37ffeecd71fb66f98ffc67b57e4ba7ce65989b
SHA256 e3fc66ffb4b48cff8468bc7d7e872585b3cec2096bdfee079ac5cc8a1f5108ff
SHA512 5d8884d40488c6ac264134e9fffdf03b0ba89649b0559ae4311b751ef949ae47429fc6f1e77cad45789b58113366fd817a84d870100574fee25bbce311dd7703

C:\Windows\System32\TieringEngineService.exe

MD5 90f896cb9f2d85e3a3c49aac356565bd
SHA1 79a82eefaf498ca29f09ae4ba28d5afa0861b07f
SHA256 07059e992766b8adfc3db1a198d5d44fed27882ce62b289150790785e10c34f2
SHA512 c8fb34d9cf88c704f33cfc059fb5684f33fa72facbfced50eb632c032f99f7a1eb163c5fd447ca9f86639e42c0948a1ce51f067548091d6a48256eedb0851bff

C:\Windows\System32\TieringEngineService.exe

MD5 e57e4ed632934f604822d873626f56a6
SHA1 e3740eabd1d4e3e508ac9039a4b70b37e6f6cd2c
SHA256 850c0a54ddd456f02e9e084f3f4b1d6c69e7ac4e9faf866bb19d8085d91a21b6
SHA512 9558e3e46d52d075be889e3d32006df80b515537d8ff4f64c000092d2fa1b16a38a42966795e4015f71f7f7a7315cabdcb7b807a848f31c24c953b43bcb708cf

C:\Windows\System32\TieringEngineService.exe

MD5 20e81ddb55c88d6b062f169119fd0362
SHA1 7eb0e23e6b335838e94ad4d87bd9415010188892
SHA256 354e23c57f7f07ea5691a51f3e9439dc94b7af4baefbad4f5e8ed7e442b867f5
SHA512 5c474d2fd8bb49e9603f1121e85b60fe3827646b467b2b4e50c3d657992c2069fa259afa3c0ca91b8ca946c23c760a987a66e06c545557b5b3dc20ee135d6f71

C:\Windows\System32\TieringEngineService.exe

MD5 7b35ee723e6a03f23196cd8eb91ccbc3
SHA1 5d2cccbd1839d7086c72805dcd688dc61cabc6cc
SHA256 5a138c6121b9d2b4a53e0820364d00c90c859c287409105b8236a24e03451d35
SHA512 959c9172e1c0f3971a690b592225844eab73e11577b3b7a2a5006ea832db291b7ebc9c5aa9ee4571f6b8948573fc25dd8112a4b98a0fbb33ac6bfcf050e83e44

C:\Windows\System32\TieringEngineService.exe

MD5 39b56cd7d56251609dccc61f9ef60f00
SHA1 ea570801730f2e2f355a0e379ff353ab62f215c5
SHA256 2c10cef828ebfa34023e9059ff9920e19743048059fbc0a582e661caecf66472
SHA512 9350597eb6e8671275492085c121f626cc4987f7b5121d5566821b6d5e15ba38efe82f7e78df1a68fa8ba3c6b4c5fab36fff9ab8ec79eff34dd002360d8d734f

C:\Windows\System32\TieringEngineService.exe

MD5 42cd037fa12ba9beaf9a9be16a913cce
SHA1 bd2422305bf3c3c163edd63599c3f45e7f89d1ff
SHA256 2d1ebf4accea11cf1d4770fd8c8d637688a56dd302b5a16ea0eab3367cfa84ab
SHA512 d0b9bd59c5eabb3d17b51c42645591eb97bb3dc7e57c4b756fde11cc4721670238e927ea09c1f9fa87e92550d7087be618312df076a3bf445c261ba673916fb0

C:\Windows\System32\TieringEngineService.exe

MD5 dee06265aa651638d1dd0d359a9f9607
SHA1 06abc02eb62644208604e94bf554758c47358f5e
SHA256 20534b084080c2a5da30a7a8008fccbdbef741e5987554442636a462f0075759
SHA512 3765818cf5a92ecd847c7a14065a19372ccf4f00ca14ea29a2cb06d5c8d3d3a618085d917252286d8bc168f780045f2834f842c1bfa5a732d5b854b71f052783

C:\Windows\System32\TieringEngineService.exe

MD5 0c7a2b30576b15f7ec9e2b2ddf7f2416
SHA1 4020ba4ee558ff5d4c2be4923ccd68b5ed5915a7
SHA256 1f822e4458b73c29ce5864c70e1d742e827243dce65badbcda23f8fd456e7792
SHA512 639af410739b8fb8ccd0638a0661c87304299783dee32fdf13eb77b1eb1ca96c57a5320879b22676da78087c45ef4b75bb7367529e98d10ab4698232466f7113

C:\Windows\System32\TieringEngineService.exe

MD5 91a9ef6b5f9ed177d6f053f4a3779926
SHA1 fa9bf9cbb3e5d003feeef610628e678369198dc1
SHA256 2ffb0b22398eaa8965e98ec105a6a641e13403251dc09d06e456e17358b930b8
SHA512 c95f1945d259673a9782fead662f95dce54d4607c833363e53b5a0bbd5ca5937bc4166502f5578d4cc7746a59c51907437566e605e87437a86ec84f0af86130a

C:\Windows\System32\TieringEngineService.exe

MD5 a18ef252390c4897e4bc80e034d152c5
SHA1 545ee51437f31a0b8b822865f2d1e993f0866508
SHA256 1ffd1a9f0831c91ec5c5e375cb999b4f055e68cf6e909ecd5a698931503eb4e6
SHA512 6fc850b909c56f382efbd6fb0d212822a360c9ac233eb18ff56f7ddf8e37e8a7a29f8a3ec2b7c3626ad8edc62de2f106bb2d40a25bcd282c8e1acedbb4e24cd6

C:\Windows\System32\TieringEngineService.exe

MD5 024d10aeba77b3d41da4314cdac3392d
SHA1 bdc5c45079288a6eb397b91a1aa34207b1bd1d99
SHA256 6be2705269ae3d5a7fc9d8df8327c096b994a5d63f566d494294e69eb33bad40
SHA512 8a99ca474677f19e73ad0b8c2869a6e9bea0084b2b8f57bf0d9ad72812f51e54dce05d00c9e46ed6926aa3c0618510d8ba7201516ca5227f6569946e047b7990

C:\Windows\System32\TieringEngineService.exe

MD5 b0eb5a52f3d7274b07c025d253c6c1aa
SHA1 d42b24239c8d87436346752cd5bdc0bd73658284
SHA256 72358fb2d2682c4c5b880708a9ce76bc1a4b5ee66e65e144716a800db3545e64
SHA512 492743c562cd3a88464f8eb980675163efd6166d81e527edf9c0b0fd27514d650949bb8fcb4ebfa2e334a8bd71269c57ec67ef23ccbb0136ae5e9811c8904eea

C:\Windows\System32\TieringEngineService.exe

MD5 c204de1954f03959f8e304a05dd087c2
SHA1 b117501186c5507a15b562a69452263de179b19b
SHA256 c8141e56dd53e08d91515ab4f3a34c93b9aa048cb743c0639e74fd5444fb4343
SHA512 055a231e39a5e4fe9c5e563f172fc76cd224423eca25e0dfdc0ad1d8f8f4c6c0fe7d9f8f5ac37866000efdd3d5d72db8cb2d16997479d8f7241c024c603671bd

C:\Windows\System32\TieringEngineService.exe

MD5 3f78539193185da7ae09b1537c155ce0
SHA1 d8f239b478a8f1c0785f28586729602b8bd49b7e
SHA256 61a9558c52a3750ee580cc213569bf159c31b77cdde6a09be1292f21212790ae
SHA512 2bb16aeb67ae5ed771779cf387f294d5ab45550231f76b39be8318d5534d11b553d827ce78bc23cb6ade92bc5449449364b4586dbc2fbaa837b4d57810c1074b

C:\Windows\System32\TieringEngineService.exe

MD5 356048dadb2cbe18bd364d8d99b9446a
SHA1 25c454e4bcafc299cb847b042252b71d0d22dc5a
SHA256 749dcb83a9e43e74836a8384b12ef03f035bb5cb92d74fc3b3b0687aaf3a0b1a
SHA512 ee60659cb0adb66e17c9435801f9e70b61cae6d5d6e0a9f5c3b0d7e644f257bb79ca2a9ca09bbdc094da56b0774917a2f404cf4c79f2710af3da140452a5366b

C:\Windows\System32\TieringEngineService.exe

MD5 c04a3af637b3560b7ebb09f700f2e0d9
SHA1 5a38206ad486980643fac8de501a074a323ccfe6
SHA256 453480749cc5af97b10e4be20940ce975b8446fd37b320cdbfcece12abed4eea
SHA512 384cb04eb089ca55f86e59a09a87d895fa8984d9b955a4335dcea4337870e21fc0737fac497d703486353c772d33f59af18a2630f6f37d1fdb277b54697ebbdb

C:\Windows\System32\TieringEngineService.exe

MD5 ec8a0e2aa12dd2fb1c22945328652a0b
SHA1 8e97bdb15aaf1df33997580175d77ab014b76aa9
SHA256 0b8f0f990c60286b9051fca83249d4f569041ba0b060cdcbc6b2bae119fd9f83
SHA512 8610733b63d80595dfc95011ba81d28afe20dc5a3c9c1b5bbc57e17a61fffe459285288f87d6862a1f68ab98cfbe535e4589e2ed5fc33d9f4d1f3088b83a2075

C:\Windows\System32\TieringEngineService.exe

MD5 f14b26e96b7acce8f045122b9be33de2
SHA1 372c85f270c75bc776e823db5dfcf1db38755c72
SHA256 e330533035f0e396ac75618ea60b07388da7700febbae0aaf1de8a2112867f0e
SHA512 413b3bc03f1ac207850a136c7e8b94fb4a124173f569cabae6dd89d9b315a381ec2bca7914843b2e5a4e9167a3bf2d5971595ed07a2cbc37fbce5c24f98d9ee0

C:\Windows\System32\TieringEngineService.exe

MD5 4cf94e5b387e9ee3154c2357eb315b69
SHA1 8970357fb2ee31ecf105d4430c10ba69e5307f8d
SHA256 95ee105cdfec46036b11c752900d61483dd585896eb5e396984c73802951f247
SHA512 42f58d36fffc07fdfa18bf8e6afb6f42c9138aebd4bcbdcf19602a78557055d5559a5ec67e2a9d8ef721f0d6f318b71fb5e024ab6f2a195be127e70676f85fa4

C:\Windows\System32\TieringEngineService.exe

MD5 6256f9bc2ee142389e4db41222241e97
SHA1 c32e972424676fa557946db2db8950224ed9e79f
SHA256 43e84fa5b5477db92a9a5f2ed5ef9199ab44babf2b1ce5d66bd77020f6252546
SHA512 2f9d674a2bed981611ad4681b6e1f3f07106698b46284514940d3c911e429468843f9a08afbca1d136c55eab007cbae78160da87ccc3c50de0f70231dc24a644

C:\Windows\System32\TieringEngineService.exe

MD5 db4a9fac1f33c774990eeb3b2dbd4bda
SHA1 86d8ceeb376eaddbc2b3cf44435db636c1a1ebad
SHA256 63b66de05e1df906082cf1dbed9d00531db6d650f68aacf870f8859efa683fed
SHA512 4ef44b4fa2d42c9a2243760c2d14f679292ab8d8fe09f9ec2cba6f7a581766386bcd73cd439438204201b9792393b023c4d0c2f09c8f7116bfbf8dcb4407c7ad

C:\Windows\System32\TieringEngineService.exe

MD5 ff564fea35f641426786176f3772f55d
SHA1 1469b11050a793a0889d6a43d884e1bb3b4f56a8
SHA256 a9e6cad941fef108bd4019fd8c70989b189003062bdb5ed2ad999af8ccd6cd72
SHA512 47a729ddd51b99822103472a8abbd64981df381ceb4ff572e0f4ae65bdb8bf5284bf554e0695afe465678a0a6ff77dfc79488b130e4f7d5ecf9bd94c1d9f6b12

C:\Windows\System32\TieringEngineService.exe

MD5 2df080bcfc9fb970c6298ad57d45bd9a
SHA1 772fbafe482c97df0f407d2d1348ff31732311fd
SHA256 2b6110d12fb49892ac869c70d269764d2910df50fc91ad4bac3787f1e896f42f
SHA512 b1e136740fd364d0b49001662a8acb06d46034175dfd7029ac6ed90a9d7373ef14ca608d0632988ca3ce2d1943924076aa966b888950b6bf0ccee02af4723a65

C:\Windows\System32\TieringEngineService.exe

MD5 608acb718acd97a278a795ddef17b56a
SHA1 20ce4ae028d5df435d064e3e705a4a4e7c95a7b1
SHA256 886f9f802e7edd0c49488b8079308e0014e597532b411efd4daa40339325a48d
SHA512 e6004cee25c27393df6ca7bb656811fbd63a7574880d78e24cbeeae4e580a4a649eaab39bb927304cc75a243be9591d2f15a2c9d5a8b2e37654d2000d55519a3

C:\Windows\System32\TieringEngineService.exe

MD5 a7f45f88c278203157c0284b4b8f9e24
SHA1 33569bbb0e842b99a09061f9c63f633819ebfc91
SHA256 bde51daf73a215cdba33ff9bcd0c9cb440ec01a0a55f6935df0eda85da7e057d
SHA512 2f3c9f3d17606fb0103510396e49840a1cb045a364d17ed53e317c8861e93421d8332fc88163f784a835c927d2a92246a8db300494fd58f98bef6aa07e523cd4

C:\Windows\System32\TieringEngineService.exe

MD5 690ac1d7475f1f1eb125ffb48d757b6e
SHA1 6317d8bc373331f3e7a0d2bf675990fa9897d056
SHA256 2aa64db771bdff7d3aa7609e0af2f69bf316a38cb8432dd65cce2a3386a62b66
SHA512 a39ad9b97e6542a3822072a58c4afbb377bc2b0922db9fd5882bcaafcd8166dc91dcc6dc850c471d8f8e188c237fc81c0112b723a726c262414c45e9409e3a15

C:\Windows\System32\TieringEngineService.exe

MD5 4d2e14efcd17c6c4555e25af81259af7
SHA1 1d4cccf88988d3a3d80739b268e693445ac20a0e
SHA256 1954665733a01fecb4b1c4282574057ed32a8d267f41e1fdc70c04ac33196ccb
SHA512 45f6b684c5a250ebd5c7f517e9f838448a45c77a1134f2315b1a4687f614f5df309376c5fab61d00d7eae0687432a9e316c3da6943299ab04dc59b16b11266db

C:\Windows\System32\TieringEngineService.exe

MD5 df8bbb1910158bf315f6be2d1cab25f2
SHA1 df57e81b2d44491231411d03f153d753348e14b3
SHA256 9a3b01f28fb7bdb32831e0869e7c07dadad77df75c8c09faef1d09404c899e5c
SHA512 25346f92de4f8c113d9790d3f0c486b637958985ffc1db2ff84a499f28d683f2d9706d3d931265ba9e887466c8dfd0694e223f9e75624b6ca25b7d5885c7f002

C:\Windows\System32\TieringEngineService.exe

MD5 ca159a2ba9d73178540d48d99ac1f696
SHA1 78ca10b25ec59ba30ccf7ae7326f339dc01ec93c
SHA256 519928fc5e548485bb7ea063fcedc6598f78680b1eeff4c59cc860dd6b4001bb
SHA512 b53647a43ed50d12011b6d2b4feaad90d24bb6e407037f786021ba1fe2ba22682df223b72e8a1be28630ec8d837f6edca14f4119a3341e5b60209886daef4ac4

C:\Windows\System32\TieringEngineService.exe

MD5 a662e1010fe4ea3e5a900b331f318c7d
SHA1 759b586ab77425d338d6598a0ce5744ab91d671d
SHA256 c6c65b5d5084b21a6b2b311cf65855f22ff26f84a6734491a5895f499ce834ed
SHA512 d72266152241bf7db076367d2c5b7191278acc8bc1c5e1fe8dc671bf1dcc6c5920f4d4854a37572dfbbf35a7c397aa05add364e95e803833f2044fe52949c3ed

C:\Windows\System32\TieringEngineService.exe

MD5 c31cbbcad41780f238557209f2a1cf85
SHA1 62c55266a6bd67b41a0f4663401fd7d1e0879767
SHA256 439df15be6a6189c67a7e7b3d2ccd16cc017a2eac3222eca16926e1ed3bd8979
SHA512 6f634055ea65b80a81be4001625d00e3d5e7c7854229f42b1b9897d77376226a71c50454235e036005ffc09e06787a0277cb8db56f43639d298bf9721cd9c848

C:\Windows\System32\TieringEngineService.exe

MD5 77a60b3c6cd4ce4f041357c9599f92a0
SHA1 9f17db99ca7a15389432876f2a55ec97a7142d35
SHA256 a2fa4eb3f43f5a63333ac50c6a0ad56bfa938e4f01b1d89793c593bb6d23609b
SHA512 424208a68ada3ce40c48680a15a08ea375fa93ca40b54931ce13b8d328f58ad84001aeb46aad3977a68236ae73a6975ae87431016cdcf4880d93e1ccc70a669b

C:\Windows\System32\TieringEngineService.exe

MD5 60b52a782325031b58cbc8dcfe8a7e24
SHA1 5e08fd95249a898c7bc1e49abe6639ee5cd5f92d
SHA256 3d70d2d190e959a7fd207f202f1ca7ac2cf62a25c0fa63b3a44c08616f60a475
SHA512 6644363ec3f0d75e1cfb898788838b2b30d67b304638f530a80c57a8f69dbdd22b50a3f633145fd58b825b7d0016476579eabca28d239b23271d46ff93d12b8a

C:\Windows\System32\TieringEngineService.exe

MD5 147c27849bfaff60e9168c4fa902aad5
SHA1 c997524f590723a5bff90ae8a9af9e211e29febe
SHA256 c8e7d6c51a476614a82ce68603ab563a8bffa0c76b3d4819aa14ce12e82d8fc0
SHA512 f657bcd0b2678db614392f2a371101baf2df007165c34802043b8e340d753ea95c7cb8cba12f2d3ea8ccbc8e3138c34f20337ac4c9759f2674b2015f9e657213

C:\Windows\System32\TieringEngineService.exe

MD5 23b0b3e3cc3081b1ad02bae42712502d
SHA1 3047b08e03e97bc6b0e2c2e9dcf5a01504e5e65e
SHA256 2aa89420ec59a826fba51097fcc7a2562e9dc4a5408fb2f44ad50b63de3f7f36
SHA512 362181a827592cc3dd6d811ae863a1e9ce5794459c6db60cc2af1bd11871eef5e0d9cd9d48df0559e207599805c64a209d67785b6249ca3f76663f63070603b7

Analysis: behavioral2

Detonation Overview

Submitted

2024-11-05 12:29

Reported

2024-11-05 12:31

Platform

win10v2004-20241007-en

Max time kernel

102s

Max time network

102s

Command Line

"C:\Users\Admin\AppData\Local\Temp\458593810dc256bbc2aa7e756deab2b201acc3966c8144a9098e5c02ab0eee03N.exe"

Signatures

UAC bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\System32\reg.exe N/A

Disables Task Manager via registry modification

evasion

Possible privilege escalation attempt

exploit
Description Indicator Process Target
N/A N/A C:\Windows\System32\icacls.exe N/A
N/A N/A C:\Windows\System32\takeown.exe N/A
N/A N/A C:\Windows\System32\icacls.exe N/A
N/A N/A C:\Windows\System32\takeown.exe N/A
N/A N/A C:\Windows\System32\icacls.exe N/A
N/A N/A C:\Windows\System32\icacls.exe N/A
N/A N/A C:\Windows\System32\icacls.exe N/A
N/A N/A C:\Windows\System32\takeown.exe N/A
N/A N/A C:\Windows\System32\icacls.exe N/A
N/A N/A C:\Windows\System32\icacls.exe N/A
N/A N/A C:\Windows\System32\icacls.exe N/A
N/A N/A C:\Windows\System32\takeown.exe N/A
N/A N/A C:\Windows\System32\takeown.exe N/A
N/A N/A C:\Windows\System32\takeown.exe N/A
N/A N/A C:\Windows\System32\icacls.exe N/A
N/A N/A C:\Windows\System32\icacls.exe N/A
N/A N/A C:\Windows\System32\icacls.exe N/A
N/A N/A C:\Windows\System32\icacls.exe N/A
N/A N/A C:\Windows\System32\icacls.exe N/A
N/A N/A C:\Windows\System32\takeown.exe N/A
N/A N/A C:\Windows\System32\icacls.exe N/A
N/A N/A C:\Windows\System32\icacls.exe N/A
N/A N/A C:\Windows\System32\icacls.exe N/A
N/A N/A C:\Windows\System32\icacls.exe N/A
N/A N/A C:\Windows\System32\icacls.exe N/A
N/A N/A C:\Windows\System32\icacls.exe N/A
N/A N/A C:\Windows\System32\icacls.exe N/A
N/A N/A C:\Windows\System32\icacls.exe N/A
N/A N/A C:\Windows\System32\takeown.exe N/A
N/A N/A C:\Windows\System32\icacls.exe N/A
N/A N/A C:\Windows\System32\takeown.exe N/A
N/A N/A C:\Windows\System32\icacls.exe N/A
N/A N/A C:\Windows\System32\takeown.exe N/A
N/A N/A C:\Windows\System32\icacls.exe N/A
N/A N/A C:\Windows\System32\takeown.exe N/A
N/A N/A C:\Windows\System32\icacls.exe N/A
N/A N/A C:\Windows\System32\icacls.exe N/A
N/A N/A C:\Windows\System32\takeown.exe N/A
N/A N/A C:\Windows\System32\icacls.exe N/A
N/A N/A C:\Windows\System32\takeown.exe N/A
N/A N/A C:\Windows\System32\takeown.exe N/A
N/A N/A C:\Windows\System32\takeown.exe N/A
N/A N/A C:\Windows\System32\takeown.exe N/A
N/A N/A C:\Windows\System32\takeown.exe N/A
N/A N/A C:\Windows\System32\icacls.exe N/A
N/A N/A C:\Windows\System32\icacls.exe N/A
N/A N/A C:\Windows\System32\takeown.exe N/A
N/A N/A C:\Windows\System32\icacls.exe N/A
N/A N/A C:\Windows\System32\icacls.exe N/A
N/A N/A C:\Windows\System32\icacls.exe N/A
N/A N/A C:\Windows\System32\icacls.exe N/A
N/A N/A C:\Windows\System32\icacls.exe N/A
N/A N/A C:\Windows\System32\icacls.exe N/A
N/A N/A C:\Windows\System32\icacls.exe N/A
N/A N/A C:\Windows\System32\takeown.exe N/A
N/A N/A C:\Windows\System32\icacls.exe N/A
N/A N/A C:\Windows\System32\icacls.exe N/A
N/A N/A C:\Windows\System32\icacls.exe N/A
N/A N/A C:\Windows\System32\icacls.exe N/A
N/A N/A C:\Windows\System32\icacls.exe N/A
N/A N/A C:\Windows\System32\takeown.exe N/A
N/A N/A C:\Windows\System32\icacls.exe N/A
N/A N/A C:\Windows\System32\icacls.exe N/A
N/A N/A C:\Windows\System32\takeown.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\458593810dc256bbc2aa7e756deab2b201acc3966c8144a9098e5c02ab0eee03N.exe N/A

Modifies file permissions

discovery
Description Indicator Process Target
N/A N/A C:\Windows\System32\icacls.exe N/A
N/A N/A C:\Windows\System32\icacls.exe N/A
N/A N/A C:\Windows\System32\icacls.exe N/A
N/A N/A C:\Windows\System32\icacls.exe N/A
N/A N/A C:\Windows\System32\takeown.exe N/A
N/A N/A C:\Windows\System32\icacls.exe N/A
N/A N/A C:\Windows\System32\takeown.exe N/A
N/A N/A C:\Windows\System32\takeown.exe N/A
N/A N/A C:\Windows\System32\icacls.exe N/A
N/A N/A C:\Windows\System32\icacls.exe N/A
N/A N/A C:\Windows\System32\icacls.exe N/A
N/A N/A C:\Windows\System32\icacls.exe N/A
N/A N/A C:\Windows\System32\icacls.exe N/A
N/A N/A C:\Windows\System32\icacls.exe N/A
N/A N/A C:\Windows\System32\icacls.exe N/A
N/A N/A C:\Windows\System32\takeown.exe N/A
N/A N/A C:\Windows\System32\takeown.exe N/A
N/A N/A C:\Windows\System32\takeown.exe N/A
N/A N/A C:\Windows\System32\takeown.exe N/A
N/A N/A C:\Windows\System32\icacls.exe N/A
N/A N/A C:\Windows\System32\takeown.exe N/A
N/A N/A C:\Windows\System32\takeown.exe N/A
N/A N/A C:\Windows\System32\takeown.exe N/A
N/A N/A C:\Windows\System32\icacls.exe N/A
N/A N/A C:\Windows\System32\icacls.exe N/A
N/A N/A C:\Windows\System32\takeown.exe N/A
N/A N/A C:\Windows\System32\takeown.exe N/A
N/A N/A C:\Windows\System32\takeown.exe N/A
N/A N/A C:\Windows\System32\takeown.exe N/A
N/A N/A C:\Windows\System32\icacls.exe N/A
N/A N/A C:\Windows\System32\icacls.exe N/A
N/A N/A C:\Windows\System32\takeown.exe N/A
N/A N/A C:\Windows\System32\icacls.exe N/A
N/A N/A C:\Windows\System32\takeown.exe N/A
N/A N/A C:\Windows\System32\icacls.exe N/A
N/A N/A C:\Windows\System32\takeown.exe N/A
N/A N/A C:\Windows\System32\icacls.exe N/A
N/A N/A C:\Windows\System32\icacls.exe N/A
N/A N/A C:\Windows\System32\takeown.exe N/A
N/A N/A C:\Windows\System32\takeown.exe N/A
N/A N/A C:\Windows\System32\takeown.exe N/A
N/A N/A C:\Windows\System32\takeown.exe N/A
N/A N/A C:\Windows\System32\takeown.exe N/A
N/A N/A C:\Windows\System32\takeown.exe N/A
N/A N/A C:\Windows\System32\takeown.exe N/A
N/A N/A C:\Windows\System32\takeown.exe N/A
N/A N/A C:\Windows\System32\icacls.exe N/A
N/A N/A C:\Windows\System32\takeown.exe N/A
N/A N/A C:\Windows\System32\takeown.exe N/A
N/A N/A C:\Windows\System32\icacls.exe N/A
N/A N/A C:\Windows\System32\icacls.exe N/A
N/A N/A C:\Windows\System32\takeown.exe N/A
N/A N/A C:\Windows\System32\takeown.exe N/A
N/A N/A C:\Windows\System32\takeown.exe N/A
N/A N/A C:\Windows\System32\takeown.exe N/A
N/A N/A C:\Windows\System32\icacls.exe N/A
N/A N/A C:\Windows\System32\takeown.exe N/A
N/A N/A C:\Windows\System32\takeown.exe N/A
N/A N/A C:\Windows\System32\icacls.exe N/A
N/A N/A C:\Windows\System32\takeown.exe N/A
N/A N/A C:\Windows\System32\takeown.exe N/A
N/A N/A C:\Windows\System32\takeown.exe N/A
N/A N/A C:\Windows\System32\takeown.exe N/A
N/A N/A C:\Windows\System32\icacls.exe N/A

Modifies system executable filetype association

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\458593810dc256bbc2aa7e756deab2b201acc3966c8144a9098e5c02ab0eee03N.exe BATCF %1" C:\Users\Admin\AppData\Local\Temp\458593810dc256bbc2aa7e756deab2b201acc3966c8144a9098e5c02ab0eee03N.exe N/A

File and Directory Permissions Modification: Windows File and Directory Permissions Modification

defense_evasion

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\System32\SpatialAudioLicenseSrv.exe C:\Users\Admin\AppData\Local\Temp\458593810dc256bbc2aa7e756deab2b201acc3966c8144a9098e5c02ab0eee03N.exe N/A

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\458593810dc256bbc2aa7e756deab2b201acc3966c8144a9098e5c02ab0eee03N.exe BATCF %1" C:\Users\Admin\AppData\Local\Temp\458593810dc256bbc2aa7e756deab2b201acc3966c8144a9098e5c02ab0eee03N.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\cmdfile\shell\open\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\458593810dc256bbc2aa7e756deab2b201acc3966c8144a9098e5c02ab0eee03N.exe CMDSF %1" C:\Users\Admin\AppData\Local\Temp\458593810dc256bbc2aa7e756deab2b201acc3966c8144a9098e5c02ab0eee03N.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\giffile\shell\Open\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\458593810dc256bbc2aa7e756deab2b201acc3966c8144a9098e5c02ab0eee03N.exe JPGIF %1" C:\Users\Admin\AppData\Local\Temp\458593810dc256bbc2aa7e756deab2b201acc3966c8144a9098e5c02ab0eee03N.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\458593810dc256bbc2aa7e756deab2b201acc3966c8144a9098e5c02ab0eee03N.exe VBSSF %1" C:\Users\Admin\AppData\Local\Temp\458593810dc256bbc2aa7e756deab2b201acc3966c8144a9098e5c02ab0eee03N.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\open\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\458593810dc256bbc2aa7e756deab2b201acc3966c8144a9098e5c02ab0eee03N.exe HTMWF %1" C:\Users\Admin\AppData\Local\Temp\458593810dc256bbc2aa7e756deab2b201acc3966c8144a9098e5c02ab0eee03N.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\rtffile\shell\open\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\458593810dc256bbc2aa7e756deab2b201acc3966c8144a9098e5c02ab0eee03N.exe RTFDF %1" C:\Users\Admin\AppData\Local\Temp\458593810dc256bbc2aa7e756deab2b201acc3966c8144a9098e5c02ab0eee03N.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\xmlfile\shell\Open\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\458593810dc256bbc2aa7e756deab2b201acc3966c8144a9098e5c02ab0eee03N.exe NTPAD %1" C:\Users\Admin\AppData\Local\Temp\458593810dc256bbc2aa7e756deab2b201acc3966c8144a9098e5c02ab0eee03N.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\458593810dc256bbc2aa7e756deab2b201acc3966c8144a9098e5c02ab0eee03N.exe NTPAD %1" C:\Users\Admin\AppData\Local\Temp\458593810dc256bbc2aa7e756deab2b201acc3966c8144a9098e5c02ab0eee03N.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\open\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\458593810dc256bbc2aa7e756deab2b201acc3966c8144a9098e5c02ab0eee03N.exe NTPAD %1" C:\Users\Admin\AppData\Local\Temp\458593810dc256bbc2aa7e756deab2b201acc3966c8144a9098e5c02ab0eee03N.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\inifile\shell\open\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\458593810dc256bbc2aa7e756deab2b201acc3966c8144a9098e5c02ab0eee03N.exe NTPAD %1" C:\Users\Admin\AppData\Local\Temp\458593810dc256bbc2aa7e756deab2b201acc3966c8144a9098e5c02ab0eee03N.exe N/A

Modifies registry key

Description Indicator Process Target
N/A N/A C:\Windows\System32\reg.exe N/A
N/A N/A C:\Windows\System32\reg.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\458593810dc256bbc2aa7e756deab2b201acc3966c8144a9098e5c02ab0eee03N.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\458593810dc256bbc2aa7e756deab2b201acc3966c8144a9098e5c02ab0eee03N.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\458593810dc256bbc2aa7e756deab2b201acc3966c8144a9098e5c02ab0eee03N.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\458593810dc256bbc2aa7e756deab2b201acc3966c8144a9098e5c02ab0eee03N.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\458593810dc256bbc2aa7e756deab2b201acc3966c8144a9098e5c02ab0eee03N.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\458593810dc256bbc2aa7e756deab2b201acc3966c8144a9098e5c02ab0eee03N.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\458593810dc256bbc2aa7e756deab2b201acc3966c8144a9098e5c02ab0eee03N.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\458593810dc256bbc2aa7e756deab2b201acc3966c8144a9098e5c02ab0eee03N.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\458593810dc256bbc2aa7e756deab2b201acc3966c8144a9098e5c02ab0eee03N.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\458593810dc256bbc2aa7e756deab2b201acc3966c8144a9098e5c02ab0eee03N.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\458593810dc256bbc2aa7e756deab2b201acc3966c8144a9098e5c02ab0eee03N.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\458593810dc256bbc2aa7e756deab2b201acc3966c8144a9098e5c02ab0eee03N.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\458593810dc256bbc2aa7e756deab2b201acc3966c8144a9098e5c02ab0eee03N.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\458593810dc256bbc2aa7e756deab2b201acc3966c8144a9098e5c02ab0eee03N.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\458593810dc256bbc2aa7e756deab2b201acc3966c8144a9098e5c02ab0eee03N.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\458593810dc256bbc2aa7e756deab2b201acc3966c8144a9098e5c02ab0eee03N.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\458593810dc256bbc2aa7e756deab2b201acc3966c8144a9098e5c02ab0eee03N.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\458593810dc256bbc2aa7e756deab2b201acc3966c8144a9098e5c02ab0eee03N.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\458593810dc256bbc2aa7e756deab2b201acc3966c8144a9098e5c02ab0eee03N.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\458593810dc256bbc2aa7e756deab2b201acc3966c8144a9098e5c02ab0eee03N.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\458593810dc256bbc2aa7e756deab2b201acc3966c8144a9098e5c02ab0eee03N.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\458593810dc256bbc2aa7e756deab2b201acc3966c8144a9098e5c02ab0eee03N.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\458593810dc256bbc2aa7e756deab2b201acc3966c8144a9098e5c02ab0eee03N.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\takeown.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\takeown.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\takeown.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\takeown.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\takeown.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\takeown.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\takeown.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\takeown.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\takeown.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\takeown.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\takeown.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\takeown.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\takeown.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\takeown.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\takeown.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\takeown.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\takeown.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\takeown.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\takeown.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\takeown.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\takeown.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\takeown.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1308 wrote to memory of 1916 N/A C:\Users\Admin\AppData\Local\Temp\458593810dc256bbc2aa7e756deab2b201acc3966c8144a9098e5c02ab0eee03N.exe C:\Windows\System32\reg.exe
PID 1308 wrote to memory of 1916 N/A C:\Users\Admin\AppData\Local\Temp\458593810dc256bbc2aa7e756deab2b201acc3966c8144a9098e5c02ab0eee03N.exe C:\Windows\System32\reg.exe
PID 1308 wrote to memory of 4596 N/A C:\Users\Admin\AppData\Local\Temp\458593810dc256bbc2aa7e756deab2b201acc3966c8144a9098e5c02ab0eee03N.exe C:\Windows\System32\reg.exe
PID 1308 wrote to memory of 4596 N/A C:\Users\Admin\AppData\Local\Temp\458593810dc256bbc2aa7e756deab2b201acc3966c8144a9098e5c02ab0eee03N.exe C:\Windows\System32\reg.exe
PID 1308 wrote to memory of 1564 N/A C:\Users\Admin\AppData\Local\Temp\458593810dc256bbc2aa7e756deab2b201acc3966c8144a9098e5c02ab0eee03N.exe C:\Windows\System32\takeown.exe
PID 1308 wrote to memory of 1564 N/A C:\Users\Admin\AppData\Local\Temp\458593810dc256bbc2aa7e756deab2b201acc3966c8144a9098e5c02ab0eee03N.exe C:\Windows\System32\takeown.exe
PID 1308 wrote to memory of 1724 N/A C:\Users\Admin\AppData\Local\Temp\458593810dc256bbc2aa7e756deab2b201acc3966c8144a9098e5c02ab0eee03N.exe C:\Windows\System32\icacls.exe
PID 1308 wrote to memory of 1724 N/A C:\Users\Admin\AppData\Local\Temp\458593810dc256bbc2aa7e756deab2b201acc3966c8144a9098e5c02ab0eee03N.exe C:\Windows\System32\icacls.exe
PID 1308 wrote to memory of 2216 N/A C:\Users\Admin\AppData\Local\Temp\458593810dc256bbc2aa7e756deab2b201acc3966c8144a9098e5c02ab0eee03N.exe C:\Windows\System32\takeown.exe
PID 1308 wrote to memory of 2216 N/A C:\Users\Admin\AppData\Local\Temp\458593810dc256bbc2aa7e756deab2b201acc3966c8144a9098e5c02ab0eee03N.exe C:\Windows\System32\takeown.exe
PID 1308 wrote to memory of 1444 N/A C:\Users\Admin\AppData\Local\Temp\458593810dc256bbc2aa7e756deab2b201acc3966c8144a9098e5c02ab0eee03N.exe C:\Windows\System32\icacls.exe
PID 1308 wrote to memory of 1444 N/A C:\Users\Admin\AppData\Local\Temp\458593810dc256bbc2aa7e756deab2b201acc3966c8144a9098e5c02ab0eee03N.exe C:\Windows\System32\icacls.exe
PID 1308 wrote to memory of 1196 N/A C:\Users\Admin\AppData\Local\Temp\458593810dc256bbc2aa7e756deab2b201acc3966c8144a9098e5c02ab0eee03N.exe C:\Windows\System32\takeown.exe
PID 1308 wrote to memory of 1196 N/A C:\Users\Admin\AppData\Local\Temp\458593810dc256bbc2aa7e756deab2b201acc3966c8144a9098e5c02ab0eee03N.exe C:\Windows\System32\takeown.exe
PID 1308 wrote to memory of 3032 N/A C:\Users\Admin\AppData\Local\Temp\458593810dc256bbc2aa7e756deab2b201acc3966c8144a9098e5c02ab0eee03N.exe C:\Windows\System32\icacls.exe
PID 1308 wrote to memory of 3032 N/A C:\Users\Admin\AppData\Local\Temp\458593810dc256bbc2aa7e756deab2b201acc3966c8144a9098e5c02ab0eee03N.exe C:\Windows\System32\icacls.exe
PID 1308 wrote to memory of 4684 N/A C:\Users\Admin\AppData\Local\Temp\458593810dc256bbc2aa7e756deab2b201acc3966c8144a9098e5c02ab0eee03N.exe C:\Windows\System32\takeown.exe
PID 1308 wrote to memory of 4684 N/A C:\Users\Admin\AppData\Local\Temp\458593810dc256bbc2aa7e756deab2b201acc3966c8144a9098e5c02ab0eee03N.exe C:\Windows\System32\takeown.exe
PID 1308 wrote to memory of 2296 N/A C:\Users\Admin\AppData\Local\Temp\458593810dc256bbc2aa7e756deab2b201acc3966c8144a9098e5c02ab0eee03N.exe C:\Windows\System32\icacls.exe
PID 1308 wrote to memory of 2296 N/A C:\Users\Admin\AppData\Local\Temp\458593810dc256bbc2aa7e756deab2b201acc3966c8144a9098e5c02ab0eee03N.exe C:\Windows\System32\icacls.exe
PID 1308 wrote to memory of 2684 N/A C:\Users\Admin\AppData\Local\Temp\458593810dc256bbc2aa7e756deab2b201acc3966c8144a9098e5c02ab0eee03N.exe C:\Windows\System32\takeown.exe
PID 1308 wrote to memory of 2684 N/A C:\Users\Admin\AppData\Local\Temp\458593810dc256bbc2aa7e756deab2b201acc3966c8144a9098e5c02ab0eee03N.exe C:\Windows\System32\takeown.exe
PID 1308 wrote to memory of 4004 N/A C:\Users\Admin\AppData\Local\Temp\458593810dc256bbc2aa7e756deab2b201acc3966c8144a9098e5c02ab0eee03N.exe C:\Windows\System32\icacls.exe
PID 1308 wrote to memory of 4004 N/A C:\Users\Admin\AppData\Local\Temp\458593810dc256bbc2aa7e756deab2b201acc3966c8144a9098e5c02ab0eee03N.exe C:\Windows\System32\icacls.exe
PID 1308 wrote to memory of 5112 N/A C:\Users\Admin\AppData\Local\Temp\458593810dc256bbc2aa7e756deab2b201acc3966c8144a9098e5c02ab0eee03N.exe C:\Windows\System32\takeown.exe
PID 1308 wrote to memory of 5112 N/A C:\Users\Admin\AppData\Local\Temp\458593810dc256bbc2aa7e756deab2b201acc3966c8144a9098e5c02ab0eee03N.exe C:\Windows\System32\takeown.exe
PID 1308 wrote to memory of 4464 N/A C:\Users\Admin\AppData\Local\Temp\458593810dc256bbc2aa7e756deab2b201acc3966c8144a9098e5c02ab0eee03N.exe C:\Windows\System32\icacls.exe
PID 1308 wrote to memory of 4464 N/A C:\Users\Admin\AppData\Local\Temp\458593810dc256bbc2aa7e756deab2b201acc3966c8144a9098e5c02ab0eee03N.exe C:\Windows\System32\icacls.exe
PID 1308 wrote to memory of 1092 N/A C:\Users\Admin\AppData\Local\Temp\458593810dc256bbc2aa7e756deab2b201acc3966c8144a9098e5c02ab0eee03N.exe C:\Windows\System32\takeown.exe
PID 1308 wrote to memory of 1092 N/A C:\Users\Admin\AppData\Local\Temp\458593810dc256bbc2aa7e756deab2b201acc3966c8144a9098e5c02ab0eee03N.exe C:\Windows\System32\takeown.exe
PID 1308 wrote to memory of 4232 N/A C:\Users\Admin\AppData\Local\Temp\458593810dc256bbc2aa7e756deab2b201acc3966c8144a9098e5c02ab0eee03N.exe C:\Windows\System32\icacls.exe
PID 1308 wrote to memory of 4232 N/A C:\Users\Admin\AppData\Local\Temp\458593810dc256bbc2aa7e756deab2b201acc3966c8144a9098e5c02ab0eee03N.exe C:\Windows\System32\icacls.exe
PID 1308 wrote to memory of 2848 N/A C:\Users\Admin\AppData\Local\Temp\458593810dc256bbc2aa7e756deab2b201acc3966c8144a9098e5c02ab0eee03N.exe C:\Windows\System32\takeown.exe
PID 1308 wrote to memory of 2848 N/A C:\Users\Admin\AppData\Local\Temp\458593810dc256bbc2aa7e756deab2b201acc3966c8144a9098e5c02ab0eee03N.exe C:\Windows\System32\takeown.exe
PID 1308 wrote to memory of 2676 N/A C:\Users\Admin\AppData\Local\Temp\458593810dc256bbc2aa7e756deab2b201acc3966c8144a9098e5c02ab0eee03N.exe C:\Windows\System32\icacls.exe
PID 1308 wrote to memory of 2676 N/A C:\Users\Admin\AppData\Local\Temp\458593810dc256bbc2aa7e756deab2b201acc3966c8144a9098e5c02ab0eee03N.exe C:\Windows\System32\icacls.exe
PID 1308 wrote to memory of 692 N/A C:\Users\Admin\AppData\Local\Temp\458593810dc256bbc2aa7e756deab2b201acc3966c8144a9098e5c02ab0eee03N.exe C:\Windows\System32\takeown.exe
PID 1308 wrote to memory of 692 N/A C:\Users\Admin\AppData\Local\Temp\458593810dc256bbc2aa7e756deab2b201acc3966c8144a9098e5c02ab0eee03N.exe C:\Windows\System32\takeown.exe
PID 1308 wrote to memory of 1824 N/A C:\Users\Admin\AppData\Local\Temp\458593810dc256bbc2aa7e756deab2b201acc3966c8144a9098e5c02ab0eee03N.exe C:\Windows\System32\icacls.exe
PID 1308 wrote to memory of 1824 N/A C:\Users\Admin\AppData\Local\Temp\458593810dc256bbc2aa7e756deab2b201acc3966c8144a9098e5c02ab0eee03N.exe C:\Windows\System32\icacls.exe
PID 1308 wrote to memory of 4852 N/A C:\Users\Admin\AppData\Local\Temp\458593810dc256bbc2aa7e756deab2b201acc3966c8144a9098e5c02ab0eee03N.exe C:\Windows\System32\takeown.exe
PID 1308 wrote to memory of 4852 N/A C:\Users\Admin\AppData\Local\Temp\458593810dc256bbc2aa7e756deab2b201acc3966c8144a9098e5c02ab0eee03N.exe C:\Windows\System32\takeown.exe
PID 1308 wrote to memory of 1864 N/A C:\Users\Admin\AppData\Local\Temp\458593810dc256bbc2aa7e756deab2b201acc3966c8144a9098e5c02ab0eee03N.exe C:\Windows\System32\icacls.exe
PID 1308 wrote to memory of 1864 N/A C:\Users\Admin\AppData\Local\Temp\458593810dc256bbc2aa7e756deab2b201acc3966c8144a9098e5c02ab0eee03N.exe C:\Windows\System32\icacls.exe
PID 1308 wrote to memory of 4796 N/A C:\Users\Admin\AppData\Local\Temp\458593810dc256bbc2aa7e756deab2b201acc3966c8144a9098e5c02ab0eee03N.exe C:\Windows\System32\takeown.exe
PID 1308 wrote to memory of 4796 N/A C:\Users\Admin\AppData\Local\Temp\458593810dc256bbc2aa7e756deab2b201acc3966c8144a9098e5c02ab0eee03N.exe C:\Windows\System32\takeown.exe
PID 1308 wrote to memory of 2028 N/A C:\Users\Admin\AppData\Local\Temp\458593810dc256bbc2aa7e756deab2b201acc3966c8144a9098e5c02ab0eee03N.exe C:\Windows\System32\icacls.exe
PID 1308 wrote to memory of 2028 N/A C:\Users\Admin\AppData\Local\Temp\458593810dc256bbc2aa7e756deab2b201acc3966c8144a9098e5c02ab0eee03N.exe C:\Windows\System32\icacls.exe
PID 1308 wrote to memory of 4120 N/A C:\Users\Admin\AppData\Local\Temp\458593810dc256bbc2aa7e756deab2b201acc3966c8144a9098e5c02ab0eee03N.exe C:\Windows\System32\takeown.exe
PID 1308 wrote to memory of 4120 N/A C:\Users\Admin\AppData\Local\Temp\458593810dc256bbc2aa7e756deab2b201acc3966c8144a9098e5c02ab0eee03N.exe C:\Windows\System32\takeown.exe
PID 1308 wrote to memory of 2696 N/A C:\Users\Admin\AppData\Local\Temp\458593810dc256bbc2aa7e756deab2b201acc3966c8144a9098e5c02ab0eee03N.exe C:\Windows\System32\icacls.exe
PID 1308 wrote to memory of 2696 N/A C:\Users\Admin\AppData\Local\Temp\458593810dc256bbc2aa7e756deab2b201acc3966c8144a9098e5c02ab0eee03N.exe C:\Windows\System32\icacls.exe
PID 1308 wrote to memory of 1628 N/A C:\Users\Admin\AppData\Local\Temp\458593810dc256bbc2aa7e756deab2b201acc3966c8144a9098e5c02ab0eee03N.exe C:\Windows\System32\takeown.exe
PID 1308 wrote to memory of 1628 N/A C:\Users\Admin\AppData\Local\Temp\458593810dc256bbc2aa7e756deab2b201acc3966c8144a9098e5c02ab0eee03N.exe C:\Windows\System32\takeown.exe
PID 1308 wrote to memory of 1488 N/A C:\Users\Admin\AppData\Local\Temp\458593810dc256bbc2aa7e756deab2b201acc3966c8144a9098e5c02ab0eee03N.exe C:\Windows\System32\icacls.exe
PID 1308 wrote to memory of 1488 N/A C:\Users\Admin\AppData\Local\Temp\458593810dc256bbc2aa7e756deab2b201acc3966c8144a9098e5c02ab0eee03N.exe C:\Windows\System32\icacls.exe
PID 1308 wrote to memory of 3160 N/A C:\Users\Admin\AppData\Local\Temp\458593810dc256bbc2aa7e756deab2b201acc3966c8144a9098e5c02ab0eee03N.exe C:\Windows\System32\takeown.exe
PID 1308 wrote to memory of 3160 N/A C:\Users\Admin\AppData\Local\Temp\458593810dc256bbc2aa7e756deab2b201acc3966c8144a9098e5c02ab0eee03N.exe C:\Windows\System32\takeown.exe
PID 1308 wrote to memory of 2196 N/A C:\Users\Admin\AppData\Local\Temp\458593810dc256bbc2aa7e756deab2b201acc3966c8144a9098e5c02ab0eee03N.exe C:\Windows\System32\icacls.exe
PID 1308 wrote to memory of 2196 N/A C:\Users\Admin\AppData\Local\Temp\458593810dc256bbc2aa7e756deab2b201acc3966c8144a9098e5c02ab0eee03N.exe C:\Windows\System32\icacls.exe
PID 1308 wrote to memory of 776 N/A C:\Users\Admin\AppData\Local\Temp\458593810dc256bbc2aa7e756deab2b201acc3966c8144a9098e5c02ab0eee03N.exe C:\Windows\System32\takeown.exe
PID 1308 wrote to memory of 776 N/A C:\Users\Admin\AppData\Local\Temp\458593810dc256bbc2aa7e756deab2b201acc3966c8144a9098e5c02ab0eee03N.exe C:\Windows\System32\takeown.exe
PID 1308 wrote to memory of 2860 N/A C:\Users\Admin\AppData\Local\Temp\458593810dc256bbc2aa7e756deab2b201acc3966c8144a9098e5c02ab0eee03N.exe C:\Windows\System32\icacls.exe
PID 1308 wrote to memory of 2860 N/A C:\Users\Admin\AppData\Local\Temp\458593810dc256bbc2aa7e756deab2b201acc3966c8144a9098e5c02ab0eee03N.exe C:\Windows\System32\icacls.exe

Processes

C:\Users\Admin\AppData\Local\Temp\458593810dc256bbc2aa7e756deab2b201acc3966c8144a9098e5c02ab0eee03N.exe

"C:\Users\Admin\AppData\Local\Temp\458593810dc256bbc2aa7e756deab2b201acc3966c8144a9098e5c02ab0eee03N.exe"

C:\Windows\System32\reg.exe

"C:\Windows\System32\reg.exe" ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f

C:\Windows\System32\reg.exe

"C:\Windows\System32\reg.exe" add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f

C:\Windows\System32\takeown.exe

"C:\Windows\System32\takeown.exe" /S ZTSLLRFH /U Admin /F "C:\Windows\bfsvc.exe"

C:\Windows\System32\icacls.exe

"C:\Windows\System32\icacls.exe" "C:\Windows\bfsvc.exe" /INHERITANCE:e /GRANT:r Admin:(F)

C:\Windows\System32\takeown.exe

"C:\Windows\System32\takeown.exe" /S ZTSLLRFH /U Admin /F "C:\Windows\HelpPane.exe"

C:\Windows\System32\icacls.exe

"C:\Windows\System32\icacls.exe" "C:\Windows\HelpPane.exe" /INHERITANCE:e /GRANT:r Admin:(F)

C:\Windows\System32\takeown.exe

"C:\Windows\System32\takeown.exe" /S ZTSLLRFH /U Admin /F "C:\Windows\hh.exe"

C:\Windows\System32\icacls.exe

"C:\Windows\System32\icacls.exe" "C:\Windows\hh.exe" /INHERITANCE:e /GRANT:r Admin:(F)

C:\Windows\System32\takeown.exe

"C:\Windows\System32\takeown.exe" /S ZTSLLRFH /U Admin /F "C:\Windows\splwow64.exe"

C:\Windows\System32\icacls.exe

"C:\Windows\System32\icacls.exe" "C:\Windows\splwow64.exe" /INHERITANCE:e /GRANT:r Admin:(F)

C:\Windows\System32\takeown.exe

"C:\Windows\System32\takeown.exe" /S ZTSLLRFH /U Admin /F "C:\Windows\winhlp32.exe"

C:\Windows\System32\icacls.exe

"C:\Windows\System32\icacls.exe" "C:\Windows\winhlp32.exe" /INHERITANCE:e /GRANT:r Admin:(F)

C:\Windows\System32\takeown.exe

"C:\Windows\System32\takeown.exe" /S ZTSLLRFH /U Admin /F "C:\Windows\write.exe"

C:\Windows\System32\icacls.exe

"C:\Windows\System32\icacls.exe" "C:\Windows\write.exe" /INHERITANCE:e /GRANT:r Admin:(F)

C:\Windows\System32\takeown.exe

"C:\Windows\System32\takeown.exe" /S ZTSLLRFH /U Admin /F "C:\Windows\SysWOW64\raserver.exe"

C:\Windows\System32\icacls.exe

"C:\Windows\System32\icacls.exe" "C:\Windows\SysWOW64\raserver.exe" /INHERITANCE:e /GRANT:r Admin:(F)

C:\Windows\System32\takeown.exe

"C:\Windows\System32\takeown.exe" /S ZTSLLRFH /U Admin /F "C:\Windows\SysWOW64\msra.exe"

C:\Windows\System32\icacls.exe

"C:\Windows\System32\icacls.exe" "C:\Windows\SysWOW64\msra.exe" /INHERITANCE:e /GRANT:r Admin:(F)

C:\Windows\System32\takeown.exe

"C:\Windows\System32\takeown.exe" /S ZTSLLRFH /U Admin /F "C:\Windows\SysWOW64\quickassist.exe"

C:\Windows\System32\icacls.exe

"C:\Windows\System32\icacls.exe" "C:\Windows\SysWOW64\quickassist.exe" /INHERITANCE:e /GRANT:r Admin:(F)

C:\Windows\System32\takeown.exe

"C:\Windows\System32\takeown.exe" /S ZTSLLRFH /U Admin /F "C:\Windows\SysWOW64\sdchange.exe"

C:\Windows\System32\icacls.exe

"C:\Windows\System32\icacls.exe" "C:\Windows\SysWOW64\sdchange.exe" /INHERITANCE:e /GRANT:r Admin:(F)

C:\Windows\System32\takeown.exe

"C:\Windows\System32\takeown.exe" /S ZTSLLRFH /U Admin /F "C:\Windows\SysWOW64\CameraSettingsUIHost.exe"

C:\Windows\System32\icacls.exe

"C:\Windows\System32\icacls.exe" "C:\Windows\SysWOW64\CameraSettingsUIHost.exe" /INHERITANCE:e /GRANT:r Admin:(F)

C:\Windows\System32\takeown.exe

"C:\Windows\System32\takeown.exe" /S ZTSLLRFH /U Admin /F "C:\Windows\SysWOW64\logagent.exe"

C:\Windows\System32\icacls.exe

"C:\Windows\System32\icacls.exe" "C:\Windows\SysWOW64\logagent.exe" /INHERITANCE:e /GRANT:r Admin:(F)

C:\Windows\System32\takeown.exe

"C:\Windows\System32\takeown.exe" /S ZTSLLRFH /U Admin /F "C:\Windows\SysWOW64\rrinstaller.exe"

C:\Windows\System32\icacls.exe

"C:\Windows\System32\icacls.exe" "C:\Windows\SysWOW64\rrinstaller.exe" /INHERITANCE:e /GRANT:r Admin:(F)

C:\Windows\System32\takeown.exe

"C:\Windows\System32\takeown.exe" /S ZTSLLRFH /U Admin /F "C:\Windows\SysWOW64\gpscript.exe"

C:\Windows\System32\icacls.exe

"C:\Windows\System32\icacls.exe" "C:\Windows\SysWOW64\gpscript.exe" /INHERITANCE:e /GRANT:r Admin:(F)

C:\Windows\System32\takeown.exe

"C:\Windows\System32\takeown.exe" /S ZTSLLRFH /U Admin /F "C:\Windows\SysWOW64\mavinject.exe"

C:\Windows\System32\icacls.exe

"C:\Windows\System32\icacls.exe" "C:\Windows\SysWOW64\mavinject.exe" /INHERITANCE:e /GRANT:r Admin:(F)

C:\Windows\System32\takeown.exe

"C:\Windows\System32\takeown.exe" /S ZTSLLRFH /U Admin /F "C:\Windows\SysWOW64\provlaunch.exe"

C:\Windows\System32\icacls.exe

"C:\Windows\System32\icacls.exe" "C:\Windows\SysWOW64\provlaunch.exe" /INHERITANCE:e /GRANT:r Admin:(F)

C:\Windows\System32\takeown.exe

"C:\Windows\System32\takeown.exe" /S ZTSLLRFH /U Admin /F "C:\Windows\SysWOW64\msinfo32.exe"

C:\Windows\System32\icacls.exe

"C:\Windows\System32\icacls.exe" "C:\Windows\SysWOW64\msinfo32.exe" /INHERITANCE:e /GRANT:r Admin:(F)

C:\Windows\System32\takeown.exe

"C:\Windows\System32\takeown.exe" /S ZTSLLRFH /U Admin /F "C:\Windows\SysWOW64\runas.exe"

C:\Windows\System32\icacls.exe

"C:\Windows\System32\icacls.exe" "C:\Windows\SysWOW64\runas.exe" /INHERITANCE:e /GRANT:r Admin:(F)

C:\Windows\System32\takeown.exe

"C:\Windows\System32\takeown.exe" /S ZTSLLRFH /U Admin /F "C:\Windows\SysWOW64\mstsc.exe"

C:\Windows\System32\icacls.exe

"C:\Windows\System32\icacls.exe" "C:\Windows\SysWOW64\mstsc.exe" /INHERITANCE:e /GRANT:r Admin:(F)

C:\Windows\System32\takeown.exe

"C:\Windows\System32\takeown.exe" /S ZTSLLRFH /U Admin /F "C:\Windows\SysWOW64\sdiagnhost.exe"

C:\Windows\System32\icacls.exe

"C:\Windows\System32\icacls.exe" "C:\Windows\SysWOW64\sdiagnhost.exe" /INHERITANCE:e /GRANT:r Admin:(F)

C:\Windows\System32\takeown.exe

"C:\Windows\System32\takeown.exe" /S ZTSLLRFH /U Admin /F "C:\Windows\System32\SpatialAudioLicenseSrv.exe"

C:\Windows\System32\icacls.exe

"C:\Windows\System32\icacls.exe" "C:\Windows\System32\SpatialAudioLicenseSrv.exe" /INHERITANCE:e /GRANT:r Admin:(F)

C:\Windows\System32\takeown.exe

"C:\Windows\System32\takeown.exe" /S ZTSLLRFH /U Admin /F "C:\Windows\System32\SpatialAudioLicenseSrv.exe"

C:\Windows\System32\icacls.exe

"C:\Windows\System32\icacls.exe" "C:\Windows\System32\SpatialAudioLicenseSrv.exe" /INHERITANCE:e /GRANT:r Admin:(F)

C:\Windows\System32\takeown.exe

"C:\Windows\System32\takeown.exe" /S ZTSLLRFH /U Admin /F "C:\Windows\System32\SpatialAudioLicenseSrv.exe"

C:\Windows\System32\icacls.exe

"C:\Windows\System32\icacls.exe" "C:\Windows\System32\SpatialAudioLicenseSrv.exe" /INHERITANCE:e /GRANT:r Admin:(F)

C:\Windows\System32\takeown.exe

"C:\Windows\System32\takeown.exe" /S ZTSLLRFH /U Admin /F "C:\Windows\System32\SpatialAudioLicenseSrv.exe"

C:\Windows\System32\icacls.exe

"C:\Windows\System32\icacls.exe" "C:\Windows\System32\SpatialAudioLicenseSrv.exe" /INHERITANCE:e /GRANT:r Admin:(F)

C:\Windows\System32\takeown.exe

"C:\Windows\System32\takeown.exe" /S ZTSLLRFH /U Admin /F "C:\Windows\System32\SpatialAudioLicenseSrv.exe"

C:\Windows\System32\icacls.exe

"C:\Windows\System32\icacls.exe" "C:\Windows\System32\SpatialAudioLicenseSrv.exe" /INHERITANCE:e /GRANT:r Admin:(F)

C:\Windows\System32\takeown.exe

"C:\Windows\System32\takeown.exe" /S ZTSLLRFH /U Admin /F "C:\Windows\System32\SpatialAudioLicenseSrv.exe"

C:\Windows\System32\icacls.exe

"C:\Windows\System32\icacls.exe" "C:\Windows\System32\SpatialAudioLicenseSrv.exe" /INHERITANCE:e /GRANT:r Admin:(F)

C:\Windows\System32\takeown.exe

"C:\Windows\System32\takeown.exe" /S ZTSLLRFH /U Admin /F "C:\Windows\System32\SpatialAudioLicenseSrv.exe"

C:\Windows\System32\icacls.exe

"C:\Windows\System32\icacls.exe" "C:\Windows\System32\SpatialAudioLicenseSrv.exe" /INHERITANCE:e /GRANT:r Admin:(F)

C:\Windows\System32\takeown.exe

"C:\Windows\System32\takeown.exe" /S ZTSLLRFH /U Admin /F "C:\Windows\System32\SpatialAudioLicenseSrv.exe"

C:\Windows\System32\icacls.exe

"C:\Windows\System32\icacls.exe" "C:\Windows\System32\SpatialAudioLicenseSrv.exe" /INHERITANCE:e /GRANT:r Admin:(F)

C:\Windows\System32\takeown.exe

"C:\Windows\System32\takeown.exe" /S ZTSLLRFH /U Admin /F "C:\Windows\System32\SpatialAudioLicenseSrv.exe"

C:\Windows\System32\icacls.exe

"C:\Windows\System32\icacls.exe" "C:\Windows\System32\SpatialAudioLicenseSrv.exe" /INHERITANCE:e /GRANT:r Admin:(F)

C:\Windows\System32\takeown.exe

"C:\Windows\System32\takeown.exe" /S ZTSLLRFH /U Admin /F "C:\Windows\System32\SpatialAudioLicenseSrv.exe"

C:\Windows\System32\icacls.exe

"C:\Windows\System32\icacls.exe" "C:\Windows\System32\SpatialAudioLicenseSrv.exe" /INHERITANCE:e /GRANT:r Admin:(F)

C:\Windows\System32\takeown.exe

"C:\Windows\System32\takeown.exe" /S ZTSLLRFH /U Admin /F "C:\Windows\System32\SpatialAudioLicenseSrv.exe"

C:\Windows\System32\icacls.exe

"C:\Windows\System32\icacls.exe" "C:\Windows\System32\SpatialAudioLicenseSrv.exe" /INHERITANCE:e /GRANT:r Admin:(F)

C:\Windows\System32\takeown.exe

"C:\Windows\System32\takeown.exe" /S ZTSLLRFH /U Admin /F "C:\Windows\System32\SpatialAudioLicenseSrv.exe"

C:\Windows\System32\icacls.exe

"C:\Windows\System32\icacls.exe" "C:\Windows\System32\SpatialAudioLicenseSrv.exe" /INHERITANCE:e /GRANT:r Admin:(F)

C:\Windows\System32\takeown.exe

"C:\Windows\System32\takeown.exe" /S ZTSLLRFH /U Admin /F "C:\Windows\System32\SpatialAudioLicenseSrv.exe"

C:\Windows\System32\icacls.exe

"C:\Windows\System32\icacls.exe" "C:\Windows\System32\SpatialAudioLicenseSrv.exe" /INHERITANCE:e /GRANT:r Admin:(F)

C:\Windows\System32\takeown.exe

"C:\Windows\System32\takeown.exe" /S ZTSLLRFH /U Admin /F "C:\Windows\System32\SpatialAudioLicenseSrv.exe"

C:\Windows\System32\icacls.exe

"C:\Windows\System32\icacls.exe" "C:\Windows\System32\SpatialAudioLicenseSrv.exe" /INHERITANCE:e /GRANT:r Admin:(F)

C:\Windows\System32\takeown.exe

"C:\Windows\System32\takeown.exe" /S ZTSLLRFH /U Admin /F "C:\Windows\System32\SpatialAudioLicenseSrv.exe"

C:\Windows\System32\icacls.exe

"C:\Windows\System32\icacls.exe" "C:\Windows\System32\SpatialAudioLicenseSrv.exe" /INHERITANCE:e /GRANT:r Admin:(F)

C:\Windows\System32\takeown.exe

"C:\Windows\System32\takeown.exe" /S ZTSLLRFH /U Admin /F "C:\Windows\System32\SpatialAudioLicenseSrv.exe"

C:\Windows\System32\icacls.exe

"C:\Windows\System32\icacls.exe" "C:\Windows\System32\SpatialAudioLicenseSrv.exe" /INHERITANCE:e /GRANT:r Admin:(F)

C:\Windows\System32\takeown.exe

"C:\Windows\System32\takeown.exe" /S ZTSLLRFH /U Admin /F "C:\Windows\System32\SpatialAudioLicenseSrv.exe"

C:\Windows\System32\icacls.exe

"C:\Windows\System32\icacls.exe" "C:\Windows\System32\SpatialAudioLicenseSrv.exe" /INHERITANCE:e /GRANT:r Admin:(F)

C:\Windows\System32\takeown.exe

"C:\Windows\System32\takeown.exe" /S ZTSLLRFH /U Admin /F "C:\Windows\System32\SpatialAudioLicenseSrv.exe"

C:\Windows\System32\icacls.exe

"C:\Windows\System32\icacls.exe" "C:\Windows\System32\SpatialAudioLicenseSrv.exe" /INHERITANCE:e /GRANT:r Admin:(F)

C:\Windows\System32\takeown.exe

"C:\Windows\System32\takeown.exe" /S ZTSLLRFH /U Admin /F "C:\Windows\System32\SpatialAudioLicenseSrv.exe"

C:\Windows\System32\icacls.exe

"C:\Windows\System32\icacls.exe" "C:\Windows\System32\SpatialAudioLicenseSrv.exe" /INHERITANCE:e /GRANT:r Admin:(F)

C:\Windows\System32\takeown.exe

"C:\Windows\System32\takeown.exe" /S ZTSLLRFH /U Admin /F "C:\Windows\System32\SpatialAudioLicenseSrv.exe"

C:\Windows\System32\icacls.exe

"C:\Windows\System32\icacls.exe" "C:\Windows\System32\SpatialAudioLicenseSrv.exe" /INHERITANCE:e /GRANT:r Admin:(F)

C:\Windows\System32\takeown.exe

"C:\Windows\System32\takeown.exe" /S ZTSLLRFH /U Admin /F "C:\Windows\System32\SpatialAudioLicenseSrv.exe"

C:\Windows\System32\icacls.exe

"C:\Windows\System32\icacls.exe" "C:\Windows\System32\SpatialAudioLicenseSrv.exe" /INHERITANCE:e /GRANT:r Admin:(F)

C:\Windows\System32\takeown.exe

"C:\Windows\System32\takeown.exe" /S ZTSLLRFH /U Admin /F "C:\Windows\System32\SpatialAudioLicenseSrv.exe"

C:\Windows\System32\icacls.exe

"C:\Windows\System32\icacls.exe" "C:\Windows\System32\SpatialAudioLicenseSrv.exe" /INHERITANCE:e /GRANT:r Admin:(F)

C:\Windows\System32\takeown.exe

"C:\Windows\System32\takeown.exe" /S ZTSLLRFH /U Admin /F "C:\Windows\System32\SpatialAudioLicenseSrv.exe"

C:\Windows\System32\icacls.exe

"C:\Windows\System32\icacls.exe" "C:\Windows\System32\SpatialAudioLicenseSrv.exe" /INHERITANCE:e /GRANT:r Admin:(F)

C:\Windows\System32\takeown.exe

"C:\Windows\System32\takeown.exe" /S ZTSLLRFH /U Admin /F "C:\Windows\System32\SpatialAudioLicenseSrv.exe"

C:\Windows\System32\icacls.exe

"C:\Windows\System32\icacls.exe" "C:\Windows\System32\SpatialAudioLicenseSrv.exe" /INHERITANCE:e /GRANT:r Admin:(F)

C:\Windows\System32\takeown.exe

"C:\Windows\System32\takeown.exe" /S ZTSLLRFH /U Admin /F "C:\Windows\System32\SpatialAudioLicenseSrv.exe"

C:\Windows\System32\icacls.exe

"C:\Windows\System32\icacls.exe" "C:\Windows\System32\SpatialAudioLicenseSrv.exe" /INHERITANCE:e /GRANT:r Admin:(F)

C:\Windows\System32\takeown.exe

"C:\Windows\System32\takeown.exe" /S ZTSLLRFH /U Admin /F "C:\Windows\System32\SpatialAudioLicenseSrv.exe"

C:\Windows\System32\icacls.exe

"C:\Windows\System32\icacls.exe" "C:\Windows\System32\SpatialAudioLicenseSrv.exe" /INHERITANCE:e /GRANT:r Admin:(F)

C:\Windows\System32\takeown.exe

"C:\Windows\System32\takeown.exe" /S ZTSLLRFH /U Admin /F "C:\Windows\System32\SpatialAudioLicenseSrv.exe"

C:\Windows\System32\icacls.exe

"C:\Windows\System32\icacls.exe" "C:\Windows\System32\SpatialAudioLicenseSrv.exe" /INHERITANCE:e /GRANT:r Admin:(F)

C:\Windows\System32\takeown.exe

"C:\Windows\System32\takeown.exe" /S ZTSLLRFH /U Admin /F "C:\Windows\System32\SpatialAudioLicenseSrv.exe"

C:\Windows\System32\icacls.exe

"C:\Windows\System32\icacls.exe" "C:\Windows\System32\SpatialAudioLicenseSrv.exe" /INHERITANCE:e /GRANT:r Admin:(F)

C:\Windows\System32\takeown.exe

"C:\Windows\System32\takeown.exe" /S ZTSLLRFH /U Admin /F "C:\Windows\System32\SpatialAudioLicenseSrv.exe"

C:\Windows\System32\icacls.exe

"C:\Windows\System32\icacls.exe" "C:\Windows\System32\SpatialAudioLicenseSrv.exe" /INHERITANCE:e /GRANT:r Admin:(F)

C:\Windows\System32\takeown.exe

"C:\Windows\System32\takeown.exe" /S ZTSLLRFH /U Admin /F "C:\Windows\System32\SpatialAudioLicenseSrv.exe"

C:\Windows\System32\icacls.exe

"C:\Windows\System32\icacls.exe" "C:\Windows\System32\SpatialAudioLicenseSrv.exe" /INHERITANCE:e /GRANT:r Admin:(F)

C:\Windows\System32\takeown.exe

"C:\Windows\System32\takeown.exe" /S ZTSLLRFH /U Admin /F "C:\Windows\System32\SpatialAudioLicenseSrv.exe"

C:\Windows\System32\icacls.exe

"C:\Windows\System32\icacls.exe" "C:\Windows\System32\SpatialAudioLicenseSrv.exe" /INHERITANCE:e /GRANT:r Admin:(F)

C:\Windows\System32\takeown.exe

"C:\Windows\System32\takeown.exe" /S ZTSLLRFH /U Admin /F "C:\Windows\System32\SpatialAudioLicenseSrv.exe"

C:\Windows\System32\icacls.exe

"C:\Windows\System32\icacls.exe" "C:\Windows\System32\SpatialAudioLicenseSrv.exe" /INHERITANCE:e /GRANT:r Admin:(F)

C:\Windows\System32\takeown.exe

"C:\Windows\System32\takeown.exe" /S ZTSLLRFH /U Admin /F "C:\Windows\System32\SpatialAudioLicenseSrv.exe"

C:\Windows\System32\icacls.exe

"C:\Windows\System32\icacls.exe" "C:\Windows\System32\SpatialAudioLicenseSrv.exe" /INHERITANCE:e /GRANT:r Admin:(F)

C:\Windows\System32\takeown.exe

"C:\Windows\System32\takeown.exe" /S ZTSLLRFH /U Admin /F "C:\Windows\System32\SpatialAudioLicenseSrv.exe"

C:\Windows\System32\icacls.exe

"C:\Windows\System32\icacls.exe" "C:\Windows\System32\SpatialAudioLicenseSrv.exe" /INHERITANCE:e /GRANT:r Admin:(F)

C:\Windows\System32\takeown.exe

"C:\Windows\System32\takeown.exe" /S ZTSLLRFH /U Admin /F "C:\Windows\System32\SpatialAudioLicenseSrv.exe"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\icacls.exe

"C:\Windows\System32\icacls.exe" "C:\Windows\System32\SpatialAudioLicenseSrv.exe" /INHERITANCE:e /GRANT:r Admin:(F)

C:\Windows\System32\takeown.exe

"C:\Windows\System32\takeown.exe" /S ZTSLLRFH /U Admin /F "C:\Windows\System32\SpatialAudioLicenseSrv.exe"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\icacls.exe

"C:\Windows\System32\icacls.exe" "C:\Windows\System32\SpatialAudioLicenseSrv.exe" /INHERITANCE:e /GRANT:r Admin:(F)

C:\Windows\System32\takeown.exe

"C:\Windows\System32\takeown.exe" /S ZTSLLRFH /U Admin /F "C:\Windows\System32\SpatialAudioLicenseSrv.exe"

C:\Windows\System32\icacls.exe

"C:\Windows\System32\icacls.exe" "C:\Windows\System32\SpatialAudioLicenseSrv.exe" /INHERITANCE:e /GRANT:r Admin:(F)

C:\Windows\System32\takeown.exe

"C:\Windows\System32\takeown.exe" /S ZTSLLRFH /U Admin /F "C:\Windows\System32\SpatialAudioLicenseSrv.exe"

C:\Windows\System32\icacls.exe

"C:\Windows\System32\icacls.exe" "C:\Windows\System32\SpatialAudioLicenseSrv.exe" /INHERITANCE:e /GRANT:r Admin:(F)

C:\Windows\System32\takeown.exe

"C:\Windows\System32\takeown.exe" /S ZTSLLRFH /U Admin /F "C:\Windows\System32\SpatialAudioLicenseSrv.exe"

C:\Windows\System32\icacls.exe

"C:\Windows\System32\icacls.exe" "C:\Windows\System32\SpatialAudioLicenseSrv.exe" /INHERITANCE:e /GRANT:r Admin:(F)

C:\Windows\System32\takeown.exe

"C:\Windows\System32\takeown.exe" /S ZTSLLRFH /U Admin /F "C:\Windows\System32\SpatialAudioLicenseSrv.exe"

C:\Windows\System32\icacls.exe

"C:\Windows\System32\icacls.exe" "C:\Windows\System32\SpatialAudioLicenseSrv.exe" /INHERITANCE:e /GRANT:r Admin:(F)

C:\Windows\System32\takeown.exe

"C:\Windows\System32\takeown.exe" /S ZTSLLRFH /U Admin /F "C:\Windows\System32\SpatialAudioLicenseSrv.exe"

C:\Windows\System32\icacls.exe

"C:\Windows\System32\icacls.exe" "C:\Windows\System32\SpatialAudioLicenseSrv.exe" /INHERITANCE:e /GRANT:r Admin:(F)

C:\Windows\System32\takeown.exe

"C:\Windows\System32\takeown.exe" /S ZTSLLRFH /U Admin /F "C:\Windows\System32\SpatialAudioLicenseSrv.exe"

C:\Windows\System32\icacls.exe

"C:\Windows\System32\icacls.exe" "C:\Windows\System32\SpatialAudioLicenseSrv.exe" /INHERITANCE:e /GRANT:r Admin:(F)

C:\Windows\System32\takeown.exe

"C:\Windows\System32\takeown.exe" /S ZTSLLRFH /U Admin /F "C:\Windows\System32\SpatialAudioLicenseSrv.exe"

C:\Windows\System32\icacls.exe

"C:\Windows\System32\icacls.exe" "C:\Windows\System32\SpatialAudioLicenseSrv.exe" /INHERITANCE:e /GRANT:r Admin:(F)

C:\Windows\System32\takeown.exe

"C:\Windows\System32\takeown.exe" /S ZTSLLRFH /U Admin /F "C:\Windows\System32\SpatialAudioLicenseSrv.exe"

C:\Windows\System32\icacls.exe

"C:\Windows\System32\icacls.exe" "C:\Windows\System32\SpatialAudioLicenseSrv.exe" /INHERITANCE:e /GRANT:r Admin:(F)

C:\Windows\System32\takeown.exe

"C:\Windows\System32\takeown.exe" /S ZTSLLRFH /U Admin /F "C:\Windows\System32\SpatialAudioLicenseSrv.exe"

C:\Windows\System32\icacls.exe

"C:\Windows\System32\icacls.exe" "C:\Windows\System32\SpatialAudioLicenseSrv.exe" /INHERITANCE:e /GRANT:r Admin:(F)

C:\Windows\System32\takeown.exe

"C:\Windows\System32\takeown.exe" /S ZTSLLRFH /U Admin /F "C:\Windows\System32\SpatialAudioLicenseSrv.exe"

C:\Windows\System32\icacls.exe

"C:\Windows\System32\icacls.exe" "C:\Windows\System32\SpatialAudioLicenseSrv.exe" /INHERITANCE:e /GRANT:r Admin:(F)

C:\Windows\System32\takeown.exe

"C:\Windows\System32\takeown.exe" /S ZTSLLRFH /U Admin /F "C:\Windows\System32\SpatialAudioLicenseSrv.exe"

C:\Windows\System32\icacls.exe

"C:\Windows\System32\icacls.exe" "C:\Windows\System32\SpatialAudioLicenseSrv.exe" /INHERITANCE:e /GRANT:r Admin:(F)

C:\Windows\System32\takeown.exe

"C:\Windows\System32\takeown.exe" /S ZTSLLRFH /U Admin /F "C:\Windows\System32\SpatialAudioLicenseSrv.exe"

C:\Windows\System32\icacls.exe

"C:\Windows\System32\icacls.exe" "C:\Windows\System32\SpatialAudioLicenseSrv.exe" /INHERITANCE:e /GRANT:r Admin:(F)

C:\Windows\System32\takeown.exe

"C:\Windows\System32\takeown.exe" /S ZTSLLRFH /U Admin /F "C:\Windows\System32\SpatialAudioLicenseSrv.exe"

C:\Windows\System32\icacls.exe

"C:\Windows\System32\icacls.exe" "C:\Windows\System32\SpatialAudioLicenseSrv.exe" /INHERITANCE:e /GRANT:r Admin:(F)

C:\Windows\System32\takeown.exe

"C:\Windows\System32\takeown.exe" /S ZTSLLRFH /U Admin /F "C:\Windows\System32\SpatialAudioLicenseSrv.exe"

C:\Windows\System32\icacls.exe

"C:\Windows\System32\icacls.exe" "C:\Windows\System32\SpatialAudioLicenseSrv.exe" /INHERITANCE:e /GRANT:r Admin:(F)

C:\Windows\System32\takeown.exe

"C:\Windows\System32\takeown.exe" /S ZTSLLRFH /U Admin /F "C:\Windows\System32\SpatialAudioLicenseSrv.exe"

C:\Windows\System32\icacls.exe

"C:\Windows\System32\icacls.exe" "C:\Windows\System32\SpatialAudioLicenseSrv.exe" /INHERITANCE:e /GRANT:r Admin:(F)

C:\Windows\System32\takeown.exe

"C:\Windows\System32\takeown.exe" /S ZTSLLRFH /U Admin /F "C:\Windows\System32\SpatialAudioLicenseSrv.exe"

C:\Windows\System32\icacls.exe

"C:\Windows\System32\icacls.exe" "C:\Windows\System32\SpatialAudioLicenseSrv.exe" /INHERITANCE:e /GRANT:r Admin:(F)

C:\Windows\System32\takeown.exe

"C:\Windows\System32\takeown.exe" /S ZTSLLRFH /U Admin /F "C:\Windows\System32\SpatialAudioLicenseSrv.exe"

C:\Windows\System32\icacls.exe

"C:\Windows\System32\icacls.exe" "C:\Windows\System32\SpatialAudioLicenseSrv.exe" /INHERITANCE:e /GRANT:r Admin:(F)

C:\Windows\System32\takeown.exe

"C:\Windows\System32\takeown.exe" /S ZTSLLRFH /U Admin /F "C:\Windows\System32\SpatialAudioLicenseSrv.exe"

C:\Windows\System32\icacls.exe

"C:\Windows\System32\icacls.exe" "C:\Windows\System32\SpatialAudioLicenseSrv.exe" /INHERITANCE:e /GRANT:r Admin:(F)

C:\Windows\System32\takeown.exe

"C:\Windows\System32\takeown.exe" /S ZTSLLRFH /U Admin /F "C:\Windows\System32\SpatialAudioLicenseSrv.exe"

C:\Windows\System32\icacls.exe

"C:\Windows\System32\icacls.exe" "C:\Windows\System32\SpatialAudioLicenseSrv.exe" /INHERITANCE:e /GRANT:r Admin:(F)

C:\Windows\System32\takeown.exe

"C:\Windows\System32\takeown.exe" /S ZTSLLRFH /U Admin /F "C:\Windows\System32\SpatialAudioLicenseSrv.exe"

C:\Windows\System32\icacls.exe

"C:\Windows\System32\icacls.exe" "C:\Windows\System32\SpatialAudioLicenseSrv.exe" /INHERITANCE:e /GRANT:r Admin:(F)

C:\Windows\System32\takeown.exe

"C:\Windows\System32\takeown.exe" /S ZTSLLRFH /U Admin /F "C:\Windows\System32\SpatialAudioLicenseSrv.exe"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\icacls.exe

"C:\Windows\System32\icacls.exe" "C:\Windows\System32\SpatialAudioLicenseSrv.exe" /INHERITANCE:e /GRANT:r Admin:(F)

C:\Windows\System32\takeown.exe

"C:\Windows\System32\takeown.exe" /S ZTSLLRFH /U Admin /F "C:\Windows\System32\SpatialAudioLicenseSrv.exe"

C:\Windows\System32\icacls.exe

"C:\Windows\System32\icacls.exe" "C:\Windows\System32\SpatialAudioLicenseSrv.exe" /INHERITANCE:e /GRANT:r Admin:(F)

C:\Windows\System32\takeown.exe

"C:\Windows\System32\takeown.exe" /S ZTSLLRFH /U Admin /F "C:\Windows\System32\SpatialAudioLicenseSrv.exe"

C:\Windows\System32\icacls.exe

"C:\Windows\System32\icacls.exe" "C:\Windows\System32\SpatialAudioLicenseSrv.exe" /INHERITANCE:e /GRANT:r Admin:(F)

C:\Windows\System32\takeown.exe

"C:\Windows\System32\takeown.exe" /S ZTSLLRFH /U Admin /F "C:\Windows\System32\SpatialAudioLicenseSrv.exe"

C:\Windows\System32\icacls.exe

"C:\Windows\System32\icacls.exe" "C:\Windows\System32\SpatialAudioLicenseSrv.exe" /INHERITANCE:e /GRANT:r Admin:(F)

C:\Windows\System32\takeown.exe

"C:\Windows\System32\takeown.exe" /S ZTSLLRFH /U Admin /F "C:\Windows\System32\SpatialAudioLicenseSrv.exe"

C:\Windows\System32\icacls.exe

"C:\Windows\System32\icacls.exe" "C:\Windows\System32\SpatialAudioLicenseSrv.exe" /INHERITANCE:e /GRANT:r Admin:(F)

C:\Windows\System32\takeown.exe

"C:\Windows\System32\takeown.exe" /S ZTSLLRFH /U Admin /F "C:\Windows\System32\SpatialAudioLicenseSrv.exe"

C:\Windows\System32\icacls.exe

"C:\Windows\System32\icacls.exe" "C:\Windows\System32\SpatialAudioLicenseSrv.exe" /INHERITANCE:e /GRANT:r Admin:(F)

C:\Windows\System32\takeown.exe

"C:\Windows\System32\takeown.exe" /S ZTSLLRFH /U Admin /F "C:\Windows\System32\SpatialAudioLicenseSrv.exe"

C:\Windows\System32\icacls.exe

"C:\Windows\System32\icacls.exe" "C:\Windows\System32\SpatialAudioLicenseSrv.exe" /INHERITANCE:e /GRANT:r Admin:(F)

C:\Windows\System32\takeown.exe

"C:\Windows\System32\takeown.exe" /S ZTSLLRFH /U Admin /F "C:\Windows\System32\SpatialAudioLicenseSrv.exe"

C:\Windows\System32\icacls.exe

"C:\Windows\System32\icacls.exe" "C:\Windows\System32\SpatialAudioLicenseSrv.exe" /INHERITANCE:e /GRANT:r Admin:(F)

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\takeown.exe

"C:\Windows\System32\takeown.exe" /S ZTSLLRFH /U Admin /F "C:\Windows\System32\SpatialAudioLicenseSrv.exe"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\icacls.exe

"C:\Windows\System32\icacls.exe" "C:\Windows\System32\SpatialAudioLicenseSrv.exe" /INHERITANCE:e /GRANT:r Admin:(F)

C:\Windows\System32\takeown.exe

"C:\Windows\System32\takeown.exe" /S ZTSLLRFH /U Admin /F "C:\Windows\System32\SpatialAudioLicenseSrv.exe"

C:\Windows\System32\icacls.exe

"C:\Windows\System32\icacls.exe" "C:\Windows\System32\SpatialAudioLicenseSrv.exe" /INHERITANCE:e /GRANT:r Admin:(F)

C:\Windows\System32\takeown.exe

"C:\Windows\System32\takeown.exe" /S ZTSLLRFH /U Admin /F "C:\Windows\System32\SpatialAudioLicenseSrv.exe"

C:\Windows\System32\icacls.exe

"C:\Windows\System32\icacls.exe" "C:\Windows\System32\SpatialAudioLicenseSrv.exe" /INHERITANCE:e /GRANT:r Admin:(F)

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\takeown.exe

"C:\Windows\System32\takeown.exe" /S ZTSLLRFH /U Admin /F "C:\Windows\System32\SpatialAudioLicenseSrv.exe"

C:\Windows\System32\icacls.exe

"C:\Windows\System32\icacls.exe" "C:\Windows\System32\SpatialAudioLicenseSrv.exe" /INHERITANCE:e /GRANT:r Admin:(F)

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\takeown.exe

"C:\Windows\System32\takeown.exe" /S ZTSLLRFH /U Admin /F "C:\Windows\System32\SpatialAudioLicenseSrv.exe"

C:\Windows\System32\icacls.exe

"C:\Windows\System32\icacls.exe" "C:\Windows\System32\SpatialAudioLicenseSrv.exe" /INHERITANCE:e /GRANT:r Admin:(F)

C:\Windows\System32\takeown.exe

"C:\Windows\System32\takeown.exe" /S ZTSLLRFH /U Admin /F "C:\Windows\System32\SpatialAudioLicenseSrv.exe"

C:\Windows\System32\icacls.exe

"C:\Windows\System32\icacls.exe" "C:\Windows\System32\SpatialAudioLicenseSrv.exe" /INHERITANCE:e /GRANT:r Admin:(F)

C:\Windows\System32\takeown.exe

"C:\Windows\System32\takeown.exe" /S ZTSLLRFH /U Admin /F "C:\Windows\System32\SpatialAudioLicenseSrv.exe"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\icacls.exe

"C:\Windows\System32\icacls.exe" "C:\Windows\System32\SpatialAudioLicenseSrv.exe" /INHERITANCE:e /GRANT:r Admin:(F)

C:\Windows\System32\takeown.exe

"C:\Windows\System32\takeown.exe" /S ZTSLLRFH /U Admin /F "C:\Windows\System32\SpatialAudioLicenseSrv.exe"

C:\Windows\System32\icacls.exe

"C:\Windows\System32\icacls.exe" "C:\Windows\System32\SpatialAudioLicenseSrv.exe" /INHERITANCE:e /GRANT:r Admin:(F)

C:\Windows\System32\takeown.exe

"C:\Windows\System32\takeown.exe" /S ZTSLLRFH /U Admin /F "C:\Windows\System32\SpatialAudioLicenseSrv.exe"

C:\Windows\System32\icacls.exe

"C:\Windows\System32\icacls.exe" "C:\Windows\System32\SpatialAudioLicenseSrv.exe" /INHERITANCE:e /GRANT:r Admin:(F)

C:\Windows\System32\takeown.exe

"C:\Windows\System32\takeown.exe" /S ZTSLLRFH /U Admin /F "C:\Windows\System32\SpatialAudioLicenseSrv.exe"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\icacls.exe

"C:\Windows\System32\icacls.exe" "C:\Windows\System32\SpatialAudioLicenseSrv.exe" /INHERITANCE:e /GRANT:r Admin:(F)

C:\Windows\System32\takeown.exe

"C:\Windows\System32\takeown.exe" /S ZTSLLRFH /U Admin /F "C:\Windows\System32\SpatialAudioLicenseSrv.exe"

C:\Windows\System32\icacls.exe

"C:\Windows\System32\icacls.exe" "C:\Windows\System32\SpatialAudioLicenseSrv.exe" /INHERITANCE:e /GRANT:r Admin:(F)

C:\Windows\System32\takeown.exe

"C:\Windows\System32\takeown.exe" /S ZTSLLRFH /U Admin /F "C:\Windows\System32\SpatialAudioLicenseSrv.exe"

C:\Windows\System32\icacls.exe

"C:\Windows\System32\icacls.exe" "C:\Windows\System32\SpatialAudioLicenseSrv.exe" /INHERITANCE:e /GRANT:r Admin:(F)

C:\Windows\System32\takeown.exe

"C:\Windows\System32\takeown.exe" /S ZTSLLRFH /U Admin /F "C:\Windows\System32\SpatialAudioLicenseSrv.exe"

C:\Windows\System32\icacls.exe

"C:\Windows\System32\icacls.exe" "C:\Windows\System32\SpatialAudioLicenseSrv.exe" /INHERITANCE:e /GRANT:r Admin:(F)

C:\Windows\System32\takeown.exe

"C:\Windows\System32\takeown.exe" /S ZTSLLRFH /U Admin /F "C:\Windows\System32\SpatialAudioLicenseSrv.exe"

C:\Windows\System32\icacls.exe

"C:\Windows\System32\icacls.exe" "C:\Windows\System32\SpatialAudioLicenseSrv.exe" /INHERITANCE:e /GRANT:r Admin:(F)

C:\Windows\System32\takeown.exe

"C:\Windows\System32\takeown.exe" /S ZTSLLRFH /U Admin /F "C:\Windows\System32\SpatialAudioLicenseSrv.exe"

C:\Windows\System32\icacls.exe

"C:\Windows\System32\icacls.exe" "C:\Windows\System32\SpatialAudioLicenseSrv.exe" /INHERITANCE:e /GRANT:r Admin:(F)

C:\Windows\System32\takeown.exe

"C:\Windows\System32\takeown.exe" /S ZTSLLRFH /U Admin /F "C:\Windows\System32\SpatialAudioLicenseSrv.exe"

C:\Windows\System32\icacls.exe

"C:\Windows\System32\icacls.exe" "C:\Windows\System32\SpatialAudioLicenseSrv.exe" /INHERITANCE:e /GRANT:r Admin:(F)

C:\Windows\System32\takeown.exe

"C:\Windows\System32\takeown.exe" /S ZTSLLRFH /U Admin /F "C:\Windows\System32\SpatialAudioLicenseSrv.exe"

C:\Windows\System32\icacls.exe

"C:\Windows\System32\icacls.exe" "C:\Windows\System32\SpatialAudioLicenseSrv.exe" /INHERITANCE:e /GRANT:r Admin:(F)

C:\Windows\System32\takeown.exe

"C:\Windows\System32\takeown.exe" /S ZTSLLRFH /U Admin /F "C:\Windows\System32\SpatialAudioLicenseSrv.exe"

C:\Windows\System32\icacls.exe

"C:\Windows\System32\icacls.exe" "C:\Windows\System32\SpatialAudioLicenseSrv.exe" /INHERITANCE:e /GRANT:r Admin:(F)

C:\Windows\System32\takeown.exe

"C:\Windows\System32\takeown.exe" /S ZTSLLRFH /U Admin /F "C:\Windows\System32\SpatialAudioLicenseSrv.exe"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\icacls.exe

"C:\Windows\System32\icacls.exe" "C:\Windows\System32\SpatialAudioLicenseSrv.exe" /INHERITANCE:e /GRANT:r Admin:(F)

C:\Windows\System32\takeown.exe

"C:\Windows\System32\takeown.exe" /S ZTSLLRFH /U Admin /F "C:\Windows\System32\SpatialAudioLicenseSrv.exe"

C:\Windows\System32\icacls.exe

"C:\Windows\System32\icacls.exe" "C:\Windows\System32\SpatialAudioLicenseSrv.exe" /INHERITANCE:e /GRANT:r Admin:(F)

C:\Windows\System32\takeown.exe

"C:\Windows\System32\takeown.exe" /S ZTSLLRFH /U Admin /F "C:\Windows\System32\SpatialAudioLicenseSrv.exe"

C:\Windows\System32\icacls.exe

"C:\Windows\System32\icacls.exe" "C:\Windows\System32\SpatialAudioLicenseSrv.exe" /INHERITANCE:e /GRANT:r Admin:(F)

C:\Windows\System32\takeown.exe

"C:\Windows\System32\takeown.exe" /S ZTSLLRFH /U Admin /F "C:\Windows\System32\SpatialAudioLicenseSrv.exe"

C:\Windows\System32\icacls.exe

"C:\Windows\System32\icacls.exe" "C:\Windows\System32\SpatialAudioLicenseSrv.exe" /INHERITANCE:e /GRANT:r Admin:(F)

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\takeown.exe

"C:\Windows\System32\takeown.exe" /S ZTSLLRFH /U Admin /F "C:\Windows\System32\SpatialAudioLicenseSrv.exe"

C:\Windows\System32\icacls.exe

"C:\Windows\System32\icacls.exe" "C:\Windows\System32\SpatialAudioLicenseSrv.exe" /INHERITANCE:e /GRANT:r Admin:(F)

C:\Windows\System32\takeown.exe

"C:\Windows\System32\takeown.exe" /S ZTSLLRFH /U Admin /F "C:\Windows\System32\SpatialAudioLicenseSrv.exe"

C:\Windows\System32\icacls.exe

"C:\Windows\System32\icacls.exe" "C:\Windows\System32\SpatialAudioLicenseSrv.exe" /INHERITANCE:e /GRANT:r Admin:(F)

C:\Windows\System32\takeown.exe

"C:\Windows\System32\takeown.exe" /S ZTSLLRFH /U Admin /F "C:\Windows\System32\SpatialAudioLicenseSrv.exe"

C:\Windows\System32\icacls.exe

"C:\Windows\System32\icacls.exe" "C:\Windows\System32\SpatialAudioLicenseSrv.exe" /INHERITANCE:e /GRANT:r Admin:(F)

C:\Windows\System32\takeown.exe

"C:\Windows\System32\takeown.exe" /S ZTSLLRFH /U Admin /F "C:\Windows\System32\SpatialAudioLicenseSrv.exe"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\icacls.exe

"C:\Windows\System32\icacls.exe" "C:\Windows\System32\SpatialAudioLicenseSrv.exe" /INHERITANCE:e /GRANT:r Admin:(F)

C:\Windows\System32\takeown.exe

"C:\Windows\System32\takeown.exe" /S ZTSLLRFH /U Admin /F "C:\Windows\System32\SpatialAudioLicenseSrv.exe"

C:\Windows\System32\icacls.exe

"C:\Windows\System32\icacls.exe" "C:\Windows\System32\SpatialAudioLicenseSrv.exe" /INHERITANCE:e /GRANT:r Admin:(F)

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\takeown.exe

"C:\Windows\System32\takeown.exe" /S ZTSLLRFH /U Admin /F "C:\Windows\System32\SpatialAudioLicenseSrv.exe"

C:\Windows\System32\icacls.exe

"C:\Windows\System32\icacls.exe" "C:\Windows\System32\SpatialAudioLicenseSrv.exe" /INHERITANCE:e /GRANT:r Admin:(F)

C:\Windows\System32\takeown.exe

"C:\Windows\System32\takeown.exe" /S ZTSLLRFH /U Admin /F "C:\Windows\System32\SpatialAudioLicenseSrv.exe"

C:\Windows\System32\icacls.exe

"C:\Windows\System32\icacls.exe" "C:\Windows\System32\SpatialAudioLicenseSrv.exe" /INHERITANCE:e /GRANT:r Admin:(F)

C:\Windows\System32\takeown.exe

"C:\Windows\System32\takeown.exe" /S ZTSLLRFH /U Admin /F "C:\Windows\System32\SpatialAudioLicenseSrv.exe"

C:\Windows\System32\icacls.exe

"C:\Windows\System32\icacls.exe" "C:\Windows\System32\SpatialAudioLicenseSrv.exe" /INHERITANCE:e /GRANT:r Admin:(F)

C:\Windows\System32\takeown.exe

"C:\Windows\System32\takeown.exe" /S ZTSLLRFH /U Admin /F "C:\Windows\System32\SpatialAudioLicenseSrv.exe"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\icacls.exe

"C:\Windows\System32\icacls.exe" "C:\Windows\System32\SpatialAudioLicenseSrv.exe" /INHERITANCE:e /GRANT:r Admin:(F)

C:\Windows\System32\takeown.exe

"C:\Windows\System32\takeown.exe" /S ZTSLLRFH /U Admin /F "C:\Windows\System32\SpatialAudioLicenseSrv.exe"

C:\Windows\System32\icacls.exe

"C:\Windows\System32\icacls.exe" "C:\Windows\System32\SpatialAudioLicenseSrv.exe" /INHERITANCE:e /GRANT:r Admin:(F)

C:\Windows\System32\takeown.exe

"C:\Windows\System32\takeown.exe" /S ZTSLLRFH /U Admin /F "C:\Windows\System32\SpatialAudioLicenseSrv.exe"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\icacls.exe

"C:\Windows\System32\icacls.exe" "C:\Windows\System32\SpatialAudioLicenseSrv.exe" /INHERITANCE:e /GRANT:r Admin:(F)

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\takeown.exe

"C:\Windows\System32\takeown.exe" /S ZTSLLRFH /U Admin /F "C:\Windows\System32\SpatialAudioLicenseSrv.exe"

C:\Windows\System32\icacls.exe

"C:\Windows\System32\icacls.exe" "C:\Windows\System32\SpatialAudioLicenseSrv.exe" /INHERITANCE:e /GRANT:r Admin:(F)

C:\Windows\System32\takeown.exe

"C:\Windows\System32\takeown.exe" /S ZTSLLRFH /U Admin /F "C:\Windows\System32\SpatialAudioLicenseSrv.exe"

C:\Windows\System32\icacls.exe

"C:\Windows\System32\icacls.exe" "C:\Windows\System32\SpatialAudioLicenseSrv.exe" /INHERITANCE:e /GRANT:r Admin:(F)

C:\Windows\System32\takeown.exe

"C:\Windows\System32\takeown.exe" /S ZTSLLRFH /U Admin /F "C:\Windows\System32\SpatialAudioLicenseSrv.exe"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\icacls.exe

"C:\Windows\System32\icacls.exe" "C:\Windows\System32\SpatialAudioLicenseSrv.exe" /INHERITANCE:e /GRANT:r Admin:(F)

Network

Country Destination Domain Proto
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 136.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 150.171.28.10:443 g.bing.com tcp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 56.163.245.4.in-addr.arpa udp
US 8.8.8.8:53 241.42.69.40.in-addr.arpa udp
US 8.8.8.8:53 92.12.20.2.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
US 8.8.8.8:53 31.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 10.27.171.150.in-addr.arpa udp

Files

memory/1308-0-0x00007FFAC2433000-0x00007FFAC2435000-memory.dmp

memory/1308-1-0x000001DA67F50000-0x000001DA67F78000-memory.dmp

memory/1308-2-0x00007FFAC2430000-0x00007FFAC2EF1000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\temp.bak

MD5 4e4d06b6b8b4894dc2fcff09f3614acc
SHA1 0bca7ad4d18fa88584e3178db684be5479c73db9
SHA256 d0c6402a35b68b7b26eb7e3aead298d49b62ad25dc56221e28ab8ae880ee19a5
SHA512 ce3650d26b63045cea02ff21cd3e4e2049ef1f6640b0a94d3acd4e5122f57f1882a195cb2e24bc774062a5d566f0ec888344fb865aeb6ede99844159d4e728ff

memory/1308-1254-0x00007FFAC2433000-0x00007FFAC2435000-memory.dmp

memory/1308-1405-0x00007FFAC2430000-0x00007FFAC2EF1000-memory.dmp

C:\Windows\System32\SpatialAudioLicenseSrv.exe

MD5 20b8318cb790424c19f1c88de164e7f2
SHA1 15ba100d3d7b2d6c5fa12a75b2650453d6f0fdf5
SHA256 b8ec1b2c5836eec20a3c9339fb16273ac03d21817b490ec795964d7cbdf9f212
SHA512 0296285e514e9ff16a09dd991fd3c91a4326f1fea542e3c1bbfaca32c6a3765307317faaa7e422a2820ba24da9cb19d437cf59e34dc16ca4d9a5dffe5df6eac7

C:\Windows\System32\SpatialAudioLicenseSrv.exe

MD5 a7d9f4177a38a6c2c1144ade6c6fb16d
SHA1 d172a4986e451409dfac1cb634cb10e578fec77b
SHA256 60f98f653013a865205f95b9458fc14b5149c1cda4b3b79f90590740cb312723
SHA512 bebfe1af970c6a3bd4ea050177258ad09c2e619e23fe08c181775ae615222368055e23738571ec92d4292828eaddff209de81001952d1f1f5614e8d3ea2da456

C:\Windows\System32\SpatialAudioLicenseSrv.exe

MD5 164cfd4f73f51d210c8cf6c1442b6d3f
SHA1 286b3d6732e7092b647ae361e36e489532e322e6
SHA256 721ad4398c57e680166c255625d9d7b71a564194e543deaae2f332d5601204bd
SHA512 47452a6b40cd234935c53b45d80cf71bb50021d6660ec814960138317072054c8d84e4509927891da79de2240b4a4402108ee65240cb7608e148ad0d600d0a95

C:\Windows\System32\SpatialAudioLicenseSrv.exe

MD5 3e86ce906642c6791ee9d7abc5978127
SHA1 96114aeac8221a53f131eade5230875c1747fe12
SHA256 36d23a696b25666ddc3c4e665e489ee2803a9d65aee13178d558e57f1255d263
SHA512 33dce42d52380774ff082c8726ef08281ca6bdc2624d0bded0285494ed2a7f3f2cfc43dc41f1f4df903aa3dc649e55735da2bd93523d14dbbbbde5af43ef1aab

memory/1308-13201-0x00007FFAC2430000-0x00007FFAC2EF1000-memory.dmp
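
The repeated takeown/icacls pairs in the process list above and the four distinct SHA256 values recorded for C:\Windows\System32\SpatialAudioLicenseSrv.exe in the Files section are two views of one technique. A System32 binary is normally owned by NT SERVICE\TrustedInstaller and administrators hold only read/execute on it, so the sample first takes ownership (takeown /F <file>; /S takes a system name, here ZTSLLRFH, presumably the detonation host's computer name, and /U the account that becomes owner), then grants that account Full control with icacls /GRANT:r Admin:(F) (/INHERITANCE:e enables inheritance, :r replaces any existing explicit grant for that account), and only after that can it overwrite the file, which the changing hashes show it did several times. The Python below is an added example, not part of this report or of the sandbox's own signature set: it runs a detection of that sequence over process command lines and correlates it with file-write observations where a protected path is written with more than one content hash. The sample command lines are copied from the process list with two benign icacls invocations added for contrast, the hashes are the ones the report lists, and the protected-directory list, the Full/Modify rights test and the event shapes are my assumptions.

```python
from __future__ import annotations

import ntpath
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Optional

# Directories whose files are normally owned by TrustedInstaller (assumption: this list is
# illustrative, extend it for your estate). A user taking ownership of a file here, or
# granting itself Full/Modify rights on it, is the precondition for overwriting it.
PROTECTED_PREFIXES = (
    "c:\\windows\\system32\\",
    "c:\\windows\\syswow64\\",
    "c:\\program files\\",
    "c:\\program files (x86)\\",
)


@dataclass(frozen=True)
class Finding:
    tool: str    # "takeown" or "icacls"
    target: str  # file the command acts on
    detail: str  # what makes it suspicious


def split_cmdline(cmd: str) -> list[str]:
    """Whitespace-split a Windows command line, keeping quoted paths whole and unquoting them."""
    return [t.strip('"') for t in re.findall(r'"[^"]*"|\S+', cmd)]


def is_protected(path: str) -> bool:
    return path.lower().startswith(PROTECTED_PREFIXES)


def grants_write(perm: str) -> bool:
    """True for an icacls <principal>:<rights> argument whose simple right is Full (F) or
    Modify (M), e.g. 'Admin:(F)', 'Admin:F' or 'Admin:(OI)(CI)M'; '(RX)' and the like are not."""
    rights = perm.upper().rsplit(":", 1)[-1]
    return re.fullmatch(r"(\([A-Z]+\))*\(?[FM]\)?", rights) is not None


def inspect_cmdline(cmd: str) -> Optional[Finding]:
    """Return a Finding if cmd is takeown or icacls aimed at a protected path, else None."""
    toks = split_cmdline(cmd)
    if len(toks) < 2:
        return None
    tool = ntpath.basename(toks[0]).lower()
    upper = [t.upper() for t in toks]

    def arg_after(switch: str) -> Optional[str]:
        # value following a switch, e.g. the path after /F or the host after /S
        return next((toks[i + 1] for i, t in enumerate(upper[:-1]) if t == switch), None)

    if tool == "takeown.exe":
        target = arg_after("/F")
        if target and is_protected(target):
            host = arg_after("/S")  # takeown /S names the system the command acts on
            return Finding("takeown", target, "takes ownership" + (f" via /S {host}" if host else ""))
    elif tool == "icacls.exe":
        target = toks[1]
        grants = [toks[i + 1] for i, t in enumerate(upper[:-1]) if t.startswith("/GRANT")]
        risky = [g for g in grants if grants_write(g)]
        if is_protected(target) and risky:
            return Finding("icacls", target, "grants " + ", ".join(risky))
    return None


def rewritten_protected_files(file_events: list[tuple[str, str]]) -> dict[str, int]:
    """Protected paths written with more than one distinct content hash, with the count."""
    hashes: dict[str, set[str]] = defaultdict(set)
    for path, sha256 in file_events:
        hashes[path].add(sha256.lower())
    return {p: len(h) for p, h in hashes.items() if is_protected(p) and len(h) > 1}


def triage(cmdlines: list[str], file_events: list[tuple[str, str]]) -> dict:
    findings = [f for f in map(inspect_cmdline, cmdlines) if f]
    rewritten = rewritten_protected_files(file_events)
    # strongest signal: the same protected file was re-permissioned and then rewritten
    repermissioned = {f.target.lower() for f in findings}
    tampered = sorted(p for p in rewritten if p.lower() in repermissioned)
    return {"findings": findings, "rewritten": rewritten, "tampered": tampered}


# Constructed sample: the first three lines are copied from the report's process list,
# the last two are benign icacls uses added here for contrast.
SAMPLE_CMDLINES = [
    r'"C:\Windows\System32\takeown.exe" /S ZTSLLRFH /U Admin /F "C:\Windows\System32\SpatialAudioLicenseSrv.exe"',
    r'"C:\Windows\System32\icacls.exe" "C:\Windows\System32\SpatialAudioLicenseSrv.exe" /INHERITANCE:e /GRANT:r Admin:(F)',
    r'\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1',
    r'"C:\Windows\System32\icacls.exe" "C:\Users\Admin\Documents" /GRANT Admin:(OI)(CI)F',  # user's own profile
    r'"C:\Windows\System32\icacls.exe" "C:\Windows\System32\drivers\etc" /GRANT Users:(RX)',  # read-only right
]
# (path, SHA256) as listed in the report's Files section
SAMPLE_FILE_EVENTS = [
    (r"C:\Windows\System32\SpatialAudioLicenseSrv.exe", "b8ec1b2c5836eec20a3c9339fb16273ac03d21817b490ec795964d7cbdf9f212"),
    (r"C:\Windows\System32\SpatialAudioLicenseSrv.exe", "60f98f653013a865205f95b9458fc14b5149c1cda4b3b79f90590740cb312723"),
    (r"C:\Windows\System32\SpatialAudioLicenseSrv.exe", "721ad4398c57e680166c255625d9d7b71a564194e543deaae2f332d5601204bd"),
    (r"C:\Windows\System32\SpatialAudioLicenseSrv.exe", "36d23a696b25666ddc3c4e665e489ee2803a9d65aee13178d558e57f1255d263"),
    (r"C:\Users\Admin\AppData\Local\Temp\temp.bak", "d0c6402a35b68b7b26eb7e3aead298d49b62ad25dc56221e28ab8ae880ee19a5"),
]

if __name__ == "__main__":
    result = triage(SAMPLE_CMDLINES, SAMPLE_FILE_EVENTS)
    for f in result["findings"]:
        print(f"{f.tool:8} {f.target}  ({f.detail})")
    for path, n in result["rewritten"].items():
        print(f"rewritten {n}x: {path}")
    print("tampered:", result["tampered"])
```

On a live host the same two functions can be fed from Sysmon Event ID 1 or Security 4688 command lines and Event ID 11/15 file-create events; the `tampered` list is the one worth paging on, since takeown or icacls alone also appear in legitimate administration.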