8186eef16b08ab5e7f4b64fe8963d3789e2dac0ee3b87a0307074f82e7022f78

Analysis

max time kernel
119s
max time network
127s
platform
windows7_x64
resource
win7-20230831-en
resource tags

arch:x64arch:x86image:win7-20230831-enlocale:en-usos:windows7-x64system
submitted
14-10-2023 17:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

NEAS.39cbdd80113c3daeec9bd0aa8f09cf90.exe
Size

352KB
MD5

39cbdd80113c3daeec9bd0aa8f09cf90
SHA1

4c84998aa5b6f0511d3427c369cb53dc84a14be8
SHA256

8186eef16b08ab5e7f4b64fe8963d3789e2dac0ee3b87a0307074f82e7022f78
SHA512

11c1b829ab8af7e3586d6106e94613530276740106f7b1d1f7cbb9a1d18fda8c7f01d1784df8e10fbcc824edea3f5fbf2df837fcdbf6c23345e647e277a68cd8
SSDEEP

6144:/pW2bgbbV28okoS1oWMkdlZQ5iinNrv2SxhIP4i:/pW2IoioS65xTi

Score

10^/10

discovery evasion exploit persistence trojan

Malware Config

Signatures

UAC bypass 3 TTPs 1 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe

Disables Task Manager via registry modification
evasion

Possible privilege escalation attempt 64 IoCs

exploit

pid	Process
2484	takeown.exe
4372	takeown.exe
1220	icacls.exe
3300	takeown.exe
4992	takeown.exe
4264	icacls.exe
2436	takeown.exe
1016	icacls.exe
2780	takeown.exe
1244	icacls.exe
1640	icacls.exe
3368	takeown.exe
4740	icacls.exe
1740	takeown.exe
1760	takeown.exe
1080	takeown.exe
3584	icacls.exe
4588	icacls.exe
5040	takeown.exe
2532	icacls.exe
3124	takeown.exe
3188	takeown.exe
3576	takeown.exe
2664	icacls.exe
3908	takeown.exe
5092	takeown.exe
2320	icacls.exe
628	icacls.exe
1392	takeown.exe
1152	icacls.exe
3624	icacls.exe
3668	icacls.exe
1044	takeown.exe
2152	takeown.exe
568	icacls.exe
5060	icacls.exe
2924	takeown.exe
1656	icacls.exe
3692	takeown.exe
3916	icacls.exe
4016	icacls.exe
2856	icacls.exe
1696	icacls.exe
2628	takeown.exe
1516	icacls.exe
1756	takeown.exe
3232	icacls.exe
3704	icacls.exe
4140	takeown.exe
4916	icacls.exe
1288	icacls.exe
964	icacls.exe
3824	takeown.exe
4848	icacls.exe
1072	takeown.exe
2052	icacls.exe
1876	icacls.exe
3116	icacls.exe
2980	icacls.exe
4216	icacls.exe
1984	takeown.exe
3208	takeown.exe
3996	takeown.exe
4968	icacls.exe

Modifies file permissions 1 TTPs 64 IoCs

discovery

File and Directory Permissions Modification

T1222

pid	Process
5012	icacls.exe
1740	takeown.exe
2700	icacls.exe
3412	icacls.exe
4992	takeown.exe
2664	icacls.exe
1760	takeown.exe
1008	icacls.exe
2580	takeown.exe
3392	icacls.exe
4472	takeown.exe
480	icacls.exe
2180	takeown.exe
2484	takeown.exe
948	takeown.exe
1048	icacls.exe
2168	icacls.exe
4372	takeown.exe
3068	icacls.exe
2512	icacls.exe
4036	takeown.exe
4632	icacls.exe
816	takeown.exe
1056	icacls.exe
1668	takeown.exe
2808	icacls.exe
528	icacls.exe
5060	icacls.exe
1540	icacls.exe
1604	icacls.exe
4656	takeown.exe
2740	icacls.exe
856	icacls.exe
240	takeown.exe
3852	takeown.exe
1288	icacls.exe
1876	icacls.exe
2468	icacls.exe
5108	icacls.exe
2856	icacls.exe
2452	takeown.exe
696	takeown.exe
1044	takeown.exe
844	icacls.exe
1416	takeown.exe
2744	takeown.exe
3232	icacls.exe
3968	icacls.exe
4712	takeown.exe
1512	icacls.exe
1984	takeown.exe
1128	takeown.exe
1820	takeown.exe
4612	takeown.exe
4792	icacls.exe
2116	icacls.exe
1656	icacls.exe
2840	takeown.exe
3208	takeown.exe
1516	icacls.exe
2380	takeown.exe
3312	takeown.exe
520	takeown.exe
1768	icacls.exe

Modifies system executable filetype association 2 TTPs 1 IoCs

persistence

Modify Registry

T1112

Change Default File Association

T1546.001

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\NEAS.39cbdd80113c3daeec9bd0aa8f09cf90.exe BATCF %1"	NEAS.39cbdd80113c3daeec9bd0aa8f09cf90.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\waitfor.exe	NEAS.39cbdd80113c3daeec9bd0aa8f09cf90.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 13 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\xmlfile\shell\open\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\NEAS.39cbdd80113c3daeec9bd0aa8f09cf90.exe NTPAD %1"	NEAS.39cbdd80113c3daeec9bd0aa8f09cf90.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\cmdfile\shell\open\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\NEAS.39cbdd80113c3daeec9bd0aa8f09cf90.exe CMDSF %1"	NEAS.39cbdd80113c3daeec9bd0aa8f09cf90.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\rtffile\shell\open\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\NEAS.39cbdd80113c3daeec9bd0aa8f09cf90.exe RTFDF %1"	NEAS.39cbdd80113c3daeec9bd0aa8f09cf90.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\jpegfile\shell\open\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\NEAS.39cbdd80113c3daeec9bd0aa8f09cf90.exe JPGIF %1"	NEAS.39cbdd80113c3daeec9bd0aa8f09cf90.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\open\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\NEAS.39cbdd80113c3daeec9bd0aa8f09cf90.exe HTMWF %1"	NEAS.39cbdd80113c3daeec9bd0aa8f09cf90.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\inifile\shell\open\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\NEAS.39cbdd80113c3daeec9bd0aa8f09cf90.exe NTPAD %1"	NEAS.39cbdd80113c3daeec9bd0aa8f09cf90.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\open\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\NEAS.39cbdd80113c3daeec9bd0aa8f09cf90.exe NTPAD %1"	NEAS.39cbdd80113c3daeec9bd0aa8f09cf90.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\NEAS.39cbdd80113c3daeec9bd0aa8f09cf90.exe NTPAD %1"	NEAS.39cbdd80113c3daeec9bd0aa8f09cf90.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\NEAS.39cbdd80113c3daeec9bd0aa8f09cf90.exe BATCF %1"	NEAS.39cbdd80113c3daeec9bd0aa8f09cf90.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\pngfile\shell\open\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\NEAS.39cbdd80113c3daeec9bd0aa8f09cf90.exe JPGIF %1"	NEAS.39cbdd80113c3daeec9bd0aa8f09cf90.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\giffile\shell\Open\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\NEAS.39cbdd80113c3daeec9bd0aa8f09cf90.exe JPGIF %1"	NEAS.39cbdd80113c3daeec9bd0aa8f09cf90.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\NEAS.39cbdd80113c3daeec9bd0aa8f09cf90.exe VBSSF %1"	NEAS.39cbdd80113c3daeec9bd0aa8f09cf90.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\icofile\shell\open\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\NEAS.39cbdd80113c3daeec9bd0aa8f09cf90.exe JPGIF %1"	NEAS.39cbdd80113c3daeec9bd0aa8f09cf90.exe

Modifies registry key 1 TTPs 2 IoCs

Modify Registry

T1112

pid	Process
2568	reg.exe
2564	reg.exe

Suspicious behavior: EnumeratesProcesses 21 IoCs

pid	Process
2548	NEAS.39cbdd80113c3daeec9bd0aa8f09cf90.exe
2548	NEAS.39cbdd80113c3daeec9bd0aa8f09cf90.exe
2548	NEAS.39cbdd80113c3daeec9bd0aa8f09cf90.exe
2548	NEAS.39cbdd80113c3daeec9bd0aa8f09cf90.exe
2548	NEAS.39cbdd80113c3daeec9bd0aa8f09cf90.exe
2548	NEAS.39cbdd80113c3daeec9bd0aa8f09cf90.exe
2548	NEAS.39cbdd80113c3daeec9bd0aa8f09cf90.exe
2548	NEAS.39cbdd80113c3daeec9bd0aa8f09cf90.exe
2548	NEAS.39cbdd80113c3daeec9bd0aa8f09cf90.exe
2548	NEAS.39cbdd80113c3daeec9bd0aa8f09cf90.exe
2548	NEAS.39cbdd80113c3daeec9bd0aa8f09cf90.exe
2548	NEAS.39cbdd80113c3daeec9bd0aa8f09cf90.exe
2548	NEAS.39cbdd80113c3daeec9bd0aa8f09cf90.exe
2548	NEAS.39cbdd80113c3daeec9bd0aa8f09cf90.exe
2548	NEAS.39cbdd80113c3daeec9bd0aa8f09cf90.exe
2548	NEAS.39cbdd80113c3daeec9bd0aa8f09cf90.exe
2548	NEAS.39cbdd80113c3daeec9bd0aa8f09cf90.exe
2548	NEAS.39cbdd80113c3daeec9bd0aa8f09cf90.exe
2548	NEAS.39cbdd80113c3daeec9bd0aa8f09cf90.exe
2548	NEAS.39cbdd80113c3daeec9bd0aa8f09cf90.exe
2548	NEAS.39cbdd80113c3daeec9bd0aa8f09cf90.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2548	NEAS.39cbdd80113c3daeec9bd0aa8f09cf90.exe

Suspicious use of AdjustPrivilegeToken 28 IoCs

description	pid	Process
Token: SeDebugPrivilege	2548	NEAS.39cbdd80113c3daeec9bd0aa8f09cf90.exe
Token: SeTakeOwnershipPrivilege	2832	takeown.exe
Token: SeTakeOwnershipPrivilege	2924	takeown.exe
Token: SeTakeOwnershipPrivilege	2336	takeown.exe
Token: SeTakeOwnershipPrivilege	1748	takeown.exe
Token: SeTakeOwnershipPrivilege	2324	takeown.exe
Token: SeTakeOwnershipPrivilege	520	takeown.exe
Token: SeTakeOwnershipPrivilege	816	takeown.exe
Token: SeTakeOwnershipPrivilege	2884	takeown.exe
Token: SeTakeOwnershipPrivilege	1760	takeown.exe
Token: SeTakeOwnershipPrivilege	2668	takeown.exe
Token: SeTakeOwnershipPrivilege	1564	takeown.exe
Token: SeTakeOwnershipPrivilege	2672	takeown.exe
Token: SeTakeOwnershipPrivilege	2712	takeown.exe
Token: SeTakeOwnershipPrivilege	1680	takeown.exe
Token: SeTakeOwnershipPrivilege	1732	takeown.exe
Token: SeTakeOwnershipPrivilege	1740	takeown.exe
Token: SeTakeOwnershipPrivilege	1576	takeown.exe
Token: SeTakeOwnershipPrivilege	892	takeown.exe
Token: SeTakeOwnershipPrivilege	2280	takeown.exe
Token: SeTakeOwnershipPrivilege	1716	takeown.exe
Token: SeTakeOwnershipPrivilege	3020	takeown.exe
Token: SeTakeOwnershipPrivilege	2068	takeown.exe
Token: SeTakeOwnershipPrivilege	2476	takeown.exe
Token: SeTakeOwnershipPrivilege	1992	takeown.exe
Token: SeTakeOwnershipPrivilege	3012	takeown.exe
Token: SeTakeOwnershipPrivilege	2644	takeown.exe
Token: SeTakeOwnershipPrivilege	2180	takeown.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2548 wrote to memory of 2564	2548	NEAS.39cbdd80113c3daeec9bd0aa8f09cf90.exe	30
PID 2548 wrote to memory of 2564	2548	NEAS.39cbdd80113c3daeec9bd0aa8f09cf90.exe	30
PID 2548 wrote to memory of 2564	2548	NEAS.39cbdd80113c3daeec9bd0aa8f09cf90.exe	30
PID 2548 wrote to memory of 2568	2548	NEAS.39cbdd80113c3daeec9bd0aa8f09cf90.exe	31
PID 2548 wrote to memory of 2568	2548	NEAS.39cbdd80113c3daeec9bd0aa8f09cf90.exe	31
PID 2548 wrote to memory of 2568	2548	NEAS.39cbdd80113c3daeec9bd0aa8f09cf90.exe	31
PID 2548 wrote to memory of 2832	2548	NEAS.39cbdd80113c3daeec9bd0aa8f09cf90.exe	34
PID 2548 wrote to memory of 2832	2548	NEAS.39cbdd80113c3daeec9bd0aa8f09cf90.exe	34
PID 2548 wrote to memory of 2832	2548	NEAS.39cbdd80113c3daeec9bd0aa8f09cf90.exe	34
PID 2548 wrote to memory of 2808	2548	NEAS.39cbdd80113c3daeec9bd0aa8f09cf90.exe	36
PID 2548 wrote to memory of 2808	2548	NEAS.39cbdd80113c3daeec9bd0aa8f09cf90.exe	36
PID 2548 wrote to memory of 2808	2548	NEAS.39cbdd80113c3daeec9bd0aa8f09cf90.exe	36
PID 2548 wrote to memory of 2324	2548	NEAS.39cbdd80113c3daeec9bd0aa8f09cf90.exe	38
PID 2548 wrote to memory of 2324	2548	NEAS.39cbdd80113c3daeec9bd0aa8f09cf90.exe	38
PID 2548 wrote to memory of 2324	2548	NEAS.39cbdd80113c3daeec9bd0aa8f09cf90.exe	38
PID 2548 wrote to memory of 1288	2548	NEAS.39cbdd80113c3daeec9bd0aa8f09cf90.exe	40
PID 2548 wrote to memory of 1288	2548	NEAS.39cbdd80113c3daeec9bd0aa8f09cf90.exe	40
PID 2548 wrote to memory of 1288	2548	NEAS.39cbdd80113c3daeec9bd0aa8f09cf90.exe	40
PID 2548 wrote to memory of 520	2548	NEAS.39cbdd80113c3daeec9bd0aa8f09cf90.exe	42
PID 2548 wrote to memory of 520	2548	NEAS.39cbdd80113c3daeec9bd0aa8f09cf90.exe	42
PID 2548 wrote to memory of 520	2548	NEAS.39cbdd80113c3daeec9bd0aa8f09cf90.exe	42
PID 2548 wrote to memory of 1976	2548	NEAS.39cbdd80113c3daeec9bd0aa8f09cf90.exe	44
PID 2548 wrote to memory of 1976	2548	NEAS.39cbdd80113c3daeec9bd0aa8f09cf90.exe	44
PID 2548 wrote to memory of 1976	2548	NEAS.39cbdd80113c3daeec9bd0aa8f09cf90.exe	44
PID 2548 wrote to memory of 1748	2548	NEAS.39cbdd80113c3daeec9bd0aa8f09cf90.exe	52
PID 2548 wrote to memory of 1748	2548	NEAS.39cbdd80113c3daeec9bd0aa8f09cf90.exe	52
PID 2548 wrote to memory of 1748	2548	NEAS.39cbdd80113c3daeec9bd0aa8f09cf90.exe	52
PID 2548 wrote to memory of 2116	2548	NEAS.39cbdd80113c3daeec9bd0aa8f09cf90.exe	45
PID 2548 wrote to memory of 2116	2548	NEAS.39cbdd80113c3daeec9bd0aa8f09cf90.exe	45
PID 2548 wrote to memory of 2116	2548	NEAS.39cbdd80113c3daeec9bd0aa8f09cf90.exe	45
PID 2548 wrote to memory of 2924	2548	NEAS.39cbdd80113c3daeec9bd0aa8f09cf90.exe	50
PID 2548 wrote to memory of 2924	2548	NEAS.39cbdd80113c3daeec9bd0aa8f09cf90.exe	50
PID 2548 wrote to memory of 2924	2548	NEAS.39cbdd80113c3daeec9bd0aa8f09cf90.exe	50
PID 2548 wrote to memory of 2320	2548	NEAS.39cbdd80113c3daeec9bd0aa8f09cf90.exe	48
PID 2548 wrote to memory of 2320	2548	NEAS.39cbdd80113c3daeec9bd0aa8f09cf90.exe	48
PID 2548 wrote to memory of 2320	2548	NEAS.39cbdd80113c3daeec9bd0aa8f09cf90.exe	48
PID 2548 wrote to memory of 2336	2548	NEAS.39cbdd80113c3daeec9bd0aa8f09cf90.exe	47
PID 2548 wrote to memory of 2336	2548	NEAS.39cbdd80113c3daeec9bd0aa8f09cf90.exe	47
PID 2548 wrote to memory of 2336	2548	NEAS.39cbdd80113c3daeec9bd0aa8f09cf90.exe	47
PID 2548 wrote to memory of 1372	2548	NEAS.39cbdd80113c3daeec9bd0aa8f09cf90.exe	55
PID 2548 wrote to memory of 1372	2548	NEAS.39cbdd80113c3daeec9bd0aa8f09cf90.exe	55
PID 2548 wrote to memory of 1372	2548	NEAS.39cbdd80113c3daeec9bd0aa8f09cf90.exe	55
PID 2548 wrote to memory of 816	2548	NEAS.39cbdd80113c3daeec9bd0aa8f09cf90.exe	58
PID 2548 wrote to memory of 816	2548	NEAS.39cbdd80113c3daeec9bd0aa8f09cf90.exe	58
PID 2548 wrote to memory of 816	2548	NEAS.39cbdd80113c3daeec9bd0aa8f09cf90.exe	58
PID 2548 wrote to memory of 1512	2548	NEAS.39cbdd80113c3daeec9bd0aa8f09cf90.exe	57
PID 2548 wrote to memory of 1512	2548	NEAS.39cbdd80113c3daeec9bd0aa8f09cf90.exe	57
PID 2548 wrote to memory of 1512	2548	NEAS.39cbdd80113c3daeec9bd0aa8f09cf90.exe	57
PID 2548 wrote to memory of 1576	2548	NEAS.39cbdd80113c3daeec9bd0aa8f09cf90.exe	59
PID 2548 wrote to memory of 1576	2548	NEAS.39cbdd80113c3daeec9bd0aa8f09cf90.exe	59
PID 2548 wrote to memory of 1576	2548	NEAS.39cbdd80113c3daeec9bd0aa8f09cf90.exe	59
PID 2548 wrote to memory of 2856	2548	NEAS.39cbdd80113c3daeec9bd0aa8f09cf90.exe	60
PID 2548 wrote to memory of 2856	2548	NEAS.39cbdd80113c3daeec9bd0aa8f09cf90.exe	60
PID 2548 wrote to memory of 2856	2548	NEAS.39cbdd80113c3daeec9bd0aa8f09cf90.exe	60
PID 2548 wrote to memory of 1740	2548	NEAS.39cbdd80113c3daeec9bd0aa8f09cf90.exe	63
PID 2548 wrote to memory of 1740	2548	NEAS.39cbdd80113c3daeec9bd0aa8f09cf90.exe	63
PID 2548 wrote to memory of 1740	2548	NEAS.39cbdd80113c3daeec9bd0aa8f09cf90.exe	63
PID 2548 wrote to memory of 1752	2548	NEAS.39cbdd80113c3daeec9bd0aa8f09cf90.exe	81
PID 2548 wrote to memory of 1752	2548	NEAS.39cbdd80113c3daeec9bd0aa8f09cf90.exe	81
PID 2548 wrote to memory of 1752	2548	NEAS.39cbdd80113c3daeec9bd0aa8f09cf90.exe	81
PID 2548 wrote to memory of 1732	2548	NEAS.39cbdd80113c3daeec9bd0aa8f09cf90.exe	80
PID 2548 wrote to memory of 1732	2548	NEAS.39cbdd80113c3daeec9bd0aa8f09cf90.exe	80
PID 2548 wrote to memory of 1732	2548	NEAS.39cbdd80113c3daeec9bd0aa8f09cf90.exe	80
PID 2548 wrote to memory of 480	2548	NEAS.39cbdd80113c3daeec9bd0aa8f09cf90.exe	78

C:\Users\Admin\AppData\Local\Temp\NEAS.39cbdd80113c3daeec9bd0aa8f09cf90.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.39cbdd80113c3daeec9bd0aa8f09cf90.exe"
1⤵
- Modifies system executable filetype association
- Drops file in System32 directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2548
- C:\Windows\System32\reg.exe
  "C:\Windows\System32\reg.exe" ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
  2⤵
  - UAC bypass
  - Modifies registry key
  PID:2564
- C:\Windows\System32\reg.exe
  "C:\Windows\System32\reg.exe" add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
  2⤵
  - Modifies registry key
  PID:2568
- C:\Windows\System32\takeown.exe
  "C:\Windows\System32\takeown.exe" /S YETUIZPU /U Admin /F "C:\Windows\bfsvc.exe"
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2832
- C:\Windows\System32\icacls.exe
  "C:\Windows\System32\icacls.exe" "C:\Windows\bfsvc.exe" /INHERITANCE:e /GRANT:r Admin:(F)
  2⤵
  - Modifies file permissions
  PID:2808
- C:\Windows\System32\takeown.exe
  "C:\Windows\System32\takeown.exe" /S YETUIZPU /U Admin /F "C:\Windows\HelpPane.exe"
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2324
- C:\Windows\System32\icacls.exe
  "C:\Windows\System32\icacls.exe" "C:\Windows\HelpPane.exe" /INHERITANCE:e /GRANT:r Admin:(F)
  2⤵
  - Possible privilege escalation attempt
  - Modifies file permissions
  PID:1288
- C:\Windows\System32\takeown.exe
  "C:\Windows\System32\takeown.exe" /S YETUIZPU /U Admin /F "C:\Windows\hh.exe"
  2⤵
  - Modifies file permissions
  - Suspicious use of AdjustPrivilegeToken
  PID:520
- C:\Windows\System32\icacls.exe
  "C:\Windows\System32\icacls.exe" "C:\Windows\hh.exe" /INHERITANCE:e /GRANT:r Admin:(F)
  2⤵
  PID:1976
- C:\Windows\System32\icacls.exe
  "C:\Windows\System32\icacls.exe" "C:\Windows\splwow64.exe" /INHERITANCE:e /GRANT:r Admin:(F)
  2⤵
  - Modifies file permissions
  PID:2116
- C:\Windows\System32\takeown.exe
  "C:\Windows\System32\takeown.exe" /S YETUIZPU /U Admin /F "C:\Windows\write.exe"
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2336
- C:\Windows\System32\icacls.exe
  "C:\Windows\System32\icacls.exe" "C:\Windows\winhlp32.exe" /INHERITANCE:e /GRANT:r Admin:(F)
  2⤵
  - Possible privilege escalation attempt
  PID:2320
- C:\Windows\System32\takeown.exe
  "C:\Windows\System32\takeown.exe" /S YETUIZPU /U Admin /F "C:\Windows\winhlp32.exe"
  2⤵
  - Possible privilege escalation attempt
  - Suspicious use of AdjustPrivilegeToken
  PID:2924
- C:\Windows\System32\takeown.exe
  "C:\Windows\System32\takeown.exe" /S YETUIZPU /U Admin /F "C:\Windows\splwow64.exe"
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:1748
- C:\Windows\System32\icacls.exe
  "C:\Windows\System32\icacls.exe" "C:\Windows\write.exe" /INHERITANCE:e /GRANT:r Admin:(F)
  2⤵
  PID:1372
- C:\Windows\System32\icacls.exe
  "C:\Windows\System32\icacls.exe" "C:\Windows\SysWOW64\raserver.exe" /INHERITANCE:e /GRANT:r Admin:(F)
  2⤵
  - Modifies file permissions
  PID:1512
- C:\Windows\System32\takeown.exe
  "C:\Windows\System32\takeown.exe" /S YETUIZPU /U Admin /F "C:\Windows\SysWOW64\raserver.exe"
  2⤵
  - Modifies file permissions
  - Suspicious use of AdjustPrivilegeToken
  PID:816
- C:\Windows\System32\takeown.exe
  "C:\Windows\System32\takeown.exe" /S YETUIZPU /U Admin /F "C:\Windows\SysWOW64\msra.exe"
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:1576
- C:\Windows\System32\icacls.exe
  "C:\Windows\System32\icacls.exe" "C:\Windows\SysWOW64\msra.exe" /INHERITANCE:e /GRANT:r Admin:(F)
  2⤵
  - Possible privilege escalation attempt
  - Modifies file permissions
  PID:2856
- C:\Windows\System32\takeown.exe
  "C:\Windows\System32\takeown.exe" /S YETUIZPU /U Admin /F "C:\Windows\SysWOW64\quickassist.exe"
  2⤵
  - Possible privilege escalation attempt
  - Modifies file permissions
  - Suspicious use of AdjustPrivilegeToken
  PID:1740
- C:\Windows\System32\icacls.exe
  "C:\Windows\System32\icacls.exe" "C:\Windows\SysWOW64\CameraSettingsUIHost.exe" /INHERITANCE:e /GRANT:r Admin:(F)
  2⤵
  - Possible privilege escalation attempt
  PID:628
- C:\Windows\System32\takeown.exe
  "C:\Windows\System32\takeown.exe" /S YETUIZPU /U Admin /F "C:\Windows\SysWOW64\logagent.exe"
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2280
- C:\Windows\System32\takeown.exe
  "C:\Windows\System32\takeown.exe" /S YETUIZPU /U Admin /F "C:\Windows\SysWOW64\gpscript.exe"
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:1564
- C:\Windows\System32\icacls.exe
  "C:\Windows\System32\icacls.exe" "C:\Windows\SysWOW64\rrinstaller.exe" /INHERITANCE:e /GRANT:r Admin:(F)
  2⤵
  - Possible privilege escalation attempt
  PID:1696
- C:\Windows\System32\takeown.exe
  "C:\Windows\System32\takeown.exe" /S YETUIZPU /U Admin /F "C:\Windows\SysWOW64\rrinstaller.exe"
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:1680
- C:\Windows\System32\icacls.exe
  "C:\Windows\System32\icacls.exe" "C:\Windows\SysWOW64\logagent.exe" /INHERITANCE:e /GRANT:r Admin:(F)
  2⤵
  PID:3032
- C:\Windows\System32\takeown.exe
  "C:\Windows\System32\takeown.exe" /S YETUIZPU /U Admin /F "C:\Windows\SysWOW64\CameraSettingsUIHost.exe"
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:892
- C:\Windows\System32\icacls.exe
  "C:\Windows\System32\icacls.exe" "C:\Windows\SysWOW64\sdchange.exe" /INHERITANCE:e /GRANT:r Admin:(F)
  2⤵
  - Modifies file permissions
  PID:480
- C:\Windows\System32\icacls.exe
  "C:\Windows\System32\icacls.exe" "C:\Windows\SysWOW64\gpscript.exe" /INHERITANCE:e /GRANT:r Admin:(F)
  2⤵
  PID:1724
- C:\Windows\System32\takeown.exe
  "C:\Windows\System32\takeown.exe" /S YETUIZPU /U Admin /F "C:\Windows\SysWOW64\sdchange.exe"
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:1732
- C:\Windows\System32\icacls.exe
  "C:\Windows\System32\icacls.exe" "C:\Windows\SysWOW64\quickassist.exe" /INHERITANCE:e /GRANT:r Admin:(F)
  2⤵
  PID:1752
- C:\Windows\System32\icacls.exe
  "C:\Windows\System32\icacls.exe" "C:\Windows\SysWOW64\mavinject.exe" /INHERITANCE:e /GRANT:r Admin:(F)
  2⤵
  - Modifies file permissions
  PID:3068
- C:\Windows\System32\takeown.exe
  "C:\Windows\System32\takeown.exe" /S YETUIZPU /U Admin /F "C:\Windows\SysWOW64\mavinject.exe"
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:1716
- C:\Windows\System32\takeown.exe
  "C:\Windows\System32\takeown.exe" /S YETUIZPU /U Admin /F "C:\Windows\SysWOW64\provlaunch.exe"
  2⤵
  - Possible privilege escalation attempt
  - Modifies file permissions
  - Suspicious use of AdjustPrivilegeToken
  PID:1760
- C:\Windows\System32\icacls.exe
  "C:\Windows\System32\icacls.exe" "C:\Windows\SysWOW64\provlaunch.exe" /INHERITANCE:e /GRANT:r Admin:(F)
  2⤵
  PID:1528
- C:\Windows\System32\takeown.exe
  "C:\Windows\System32\takeown.exe" /S YETUIZPU /U Admin /F "C:\Windows\SysWOW64\msinfo32.exe"
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2668
- C:\Windows\System32\icacls.exe
  "C:\Windows\System32\icacls.exe" "C:\Windows\SysWOW64\msinfo32.exe" /INHERITANCE:e /GRANT:r Admin:(F)
  2⤵
  - Possible privilege escalation attempt
  PID:1016
- C:\Windows\System32\takeown.exe
  "C:\Windows\System32\takeown.exe" /S YETUIZPU /U Admin /F "C:\Windows\SysWOW64\runas.exe"
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2672
- C:\Windows\System32\icacls.exe
  "C:\Windows\System32\icacls.exe" "C:\Windows\SysWOW64\runas.exe" /INHERITANCE:e /GRANT:r Admin:(F)
  2⤵
  - Modifies file permissions
  PID:2740
- C:\Windows\System32\takeown.exe
  "C:\Windows\System32\takeown.exe" /S YETUIZPU /U Admin /F "C:\Windows\SysWOW64\mstsc.exe"
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2712
- C:\Windows\System32\icacls.exe
  "C:\Windows\System32\icacls.exe" "C:\Windows\SysWOW64\mstsc.exe" /INHERITANCE:e /GRANT:r Admin:(F)
  2⤵
  - Modifies file permissions
  PID:2700
- C:\Windows\System32\takeown.exe
  "C:\Windows\System32\takeown.exe" /S YETUIZPU /U Admin /F "C:\Windows\SysWOW64\sdiagnhost.exe"
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2884
- C:\Windows\System32\icacls.exe
  "C:\Windows\System32\icacls.exe" "C:\Windows\SysWOW64\sdiagnhost.exe" /INHERITANCE:e /GRANT:r Admin:(F)
  2⤵
  - Modifies file permissions
  PID:1048
- C:\Windows\System32\takeown.exe
  "C:\Windows\System32\takeown.exe" /S YETUIZPU /U Admin /F "C:\Windows\System32\waitfor.exe"
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2476
- C:\Windows\System32\takeown.exe
  "C:\Windows\System32\takeown.exe" /S YETUIZPU /U Admin /F "C:\Windows\System32\waitfor.exe"
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:1992
- C:\Windows\System32\icacls.exe
  "C:\Windows\System32\icacls.exe" "C:\Windows\System32\waitfor.exe" /INHERITANCE:e /GRANT:r Admin:(F)
  2⤵
  PID:624
- C:\Windows\System32\takeown.exe
  "C:\Windows\System32\takeown.exe" /S YETUIZPU /U Admin /F "C:\Windows\System32\waitfor.exe"
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:3012
- C:\Windows\System32\icacls.exe
  "C:\Windows\System32\icacls.exe" "C:\Windows\System32\waitfor.exe" /INHERITANCE:e /GRANT:r Admin:(F)
  2⤵
  PID:2464
- C:\Windows\System32\icacls.exe
  "C:\Windows\System32\icacls.exe" "C:\Windows\System32\waitfor.exe" /INHERITANCE:e /GRANT:r Admin:(F)
  2⤵
  PID:1300
- C:\Windows\System32\takeown.exe
  "C:\Windows\System32\takeown.exe" /S YETUIZPU /U Admin /F "C:\Windows\System32\waitfor.exe"
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2068
- C:\Windows\System32\icacls.exe
  "C:\Windows\System32\icacls.exe" "C:\Windows\System32\waitfor.exe" /INHERITANCE:e /GRANT:r Admin:(F)
  2⤵
  PID:596
- C:\Windows\System32\takeown.exe
  "C:\Windows\System32\takeown.exe" /S YETUIZPU /U Admin /F "C:\Windows\System32\waitfor.exe"
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:3020
- C:\Windows\System32\icacls.exe
  "C:\Windows\System32\icacls.exe" "C:\Windows\System32\waitfor.exe" /INHERITANCE:e /GRANT:r Admin:(F)
  2⤵
  PID:2344
- C:\Windows\System32\takeown.exe
  "C:\Windows\System32\takeown.exe" /S YETUIZPU /U Admin /F "C:\Windows\System32\waitfor.exe"
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2644
- C:\Windows\System32\icacls.exe
  "C:\Windows\System32\icacls.exe" "C:\Windows\System32\waitfor.exe" /INHERITANCE:e /GRANT:r Admin:(F)
  2⤵
  - Modifies file permissions
  PID:1056
- C:\Windows\System32\takeown.exe
  "C:\Windows\System32\takeown.exe" /S YETUIZPU /U Admin /F "C:\Windows\System32\waitfor.exe"
  2⤵
  - Modifies file permissions
  - Suspicious use of AdjustPrivilegeToken
  PID:2180
- C:\Windows\System32\takeown.exe
  "C:\Windows\System32\takeown.exe" /S YETUIZPU /U Admin /F "C:\Windows\System32\waitfor.exe"
  2⤵
  - Possible privilege escalation attempt
  - Modifies file permissions
  PID:1044
- C:\Windows\System32\icacls.exe
  "C:\Windows\System32\icacls.exe" "C:\Windows\System32\waitfor.exe" /INHERITANCE:e /GRANT:r Admin:(F)
  2⤵
  PID:432
- C:\Windows\System32\icacls.exe
  "C:\Windows\System32\icacls.exe" "C:\Windows\System32\waitfor.exe" /INHERITANCE:e /GRANT:r Admin:(F)
  2⤵
  - Possible privilege escalation attempt
  PID:1220
- C:\Windows\System32\takeown.exe
  "C:\Windows\System32\takeown.exe" /S YETUIZPU /U Admin /F "C:\Windows\System32\waitfor.exe"
  2⤵
  PID:560
- C:\Windows\System32\icacls.exe
  "C:\Windows\System32\icacls.exe" "C:\Windows\System32\waitfor.exe" /INHERITANCE:e /GRANT:r Admin:(F)
  2⤵
  - Modifies file permissions
  PID:528
- C:\Windows\System32\takeown.exe
  "C:\Windows\System32\takeown.exe" /S YETUIZPU /U Admin /F "C:\Windows\System32\waitfor.exe"
  2⤵
  - Modifies file permissions
  PID:2380
- C:\Windows\System32\icacls.exe
  "C:\Windows\System32\icacls.exe" "C:\Windows\System32\waitfor.exe" /INHERITANCE:e /GRANT:r Admin:(F)
  2⤵
  - Possible privilege escalation attempt
  PID:964
- C:\Windows\System32\takeown.exe
  "C:\Windows\System32\takeown.exe" /S YETUIZPU /U Admin /F "C:\Windows\System32\waitfor.exe"
  2⤵
  - Possible privilege escalation attempt
  PID:1072
- C:\Windows\System32\icacls.exe
  "C:\Windows\System32\icacls.exe" "C:\Windows\System32\waitfor.exe" /INHERITANCE:e /GRANT:r Admin:(F)
  2⤵
  - Modifies file permissions
  PID:1008
- C:\Windows\System32\takeown.exe
  "C:\Windows\System32\takeown.exe" /S YETUIZPU /U Admin /F "C:\Windows\System32\waitfor.exe"
  2⤵
  PID:1340
- C:\Windows\System32\icacls.exe
  "C:\Windows\System32\icacls.exe" "C:\Windows\System32\waitfor.exe" /INHERITANCE:e /GRANT:r Admin:(F)
  2⤵
  PID:2040
- C:\Windows\System32\takeown.exe
  "C:\Windows\System32\takeown.exe" /S YETUIZPU /U Admin /F "C:\Windows\System32\waitfor.exe"
  2⤵
  - Possible privilege escalation attempt
  PID:2152
- C:\Windows\System32\icacls.exe
  "C:\Windows\System32\icacls.exe" "C:\Windows\System32\waitfor.exe" /INHERITANCE:e /GRANT:r Admin:(F)
  2⤵
  - Possible privilege escalation attempt
  PID:2052
- C:\Windows\System32\takeown.exe
  "C:\Windows\System32\takeown.exe" /S YETUIZPU /U Admin /F "C:\Windows\System32\waitfor.exe"
  2⤵
  - Possible privilege escalation attempt
  - Modifies file permissions
  PID:2484
- C:\Windows\System32\icacls.exe
  "C:\Windows\System32\icacls.exe" "C:\Windows\System32\waitfor.exe" /INHERITANCE:e /GRANT:r Admin:(F)
  2⤵
  PID:2016
- C:\Windows\System32\takeown.exe
  "C:\Windows\System32\takeown.exe" /S YETUIZPU /U Admin /F "C:\Windows\System32\waitfor.exe"
  2⤵
  PID:2724
- C:\Windows\System32\icacls.exe
  "C:\Windows\System32\icacls.exe" "C:\Windows\System32\waitfor.exe" /INHERITANCE:e /GRANT:r Admin:(F)
  2⤵
  - Possible privilege escalation attempt
  - Modifies file permissions
  PID:1656
- C:\Windows\System32\takeown.exe
  "C:\Windows\System32\takeown.exe" /S YETUIZPU /U Admin /F "C:\Windows\System32\waitfor.exe"
  2⤵
  PID:2676
- C:\Windows\System32\icacls.exe
  "C:\Windows\System32\icacls.exe" "C:\Windows\System32\waitfor.exe" /INHERITANCE:e /GRANT:r Admin:(F)
  2⤵
  - Modifies file permissions
  PID:2168
- C:\Windows\System32\takeown.exe
  "C:\Windows\System32\takeown.exe" /S YETUIZPU /U Admin /F "C:\Windows\System32\waitfor.exe"
  2⤵
  PID:2552
- C:\Windows\System32\icacls.exe
  "C:\Windows\System32\icacls.exe" "C:\Windows\System32\waitfor.exe" /INHERITANCE:e /GRANT:r Admin:(F)
  2⤵
  - Possible privilege escalation attempt
  PID:568
- C:\Windows\System32\takeown.exe
  "C:\Windows\System32\takeown.exe" /S YETUIZPU /U Admin /F "C:\Windows\System32\waitfor.exe"
  2⤵
  PID:1796
- C:\Windows\System32\icacls.exe
  "C:\Windows\System32\icacls.exe" "C:\Windows\System32\waitfor.exe" /INHERITANCE:e /GRANT:r Admin:(F)
  2⤵
  PID:944
- C:\Windows\System32\takeown.exe
  "C:\Windows\System32\takeown.exe" /S YETUIZPU /U Admin /F "C:\Windows\System32\waitfor.exe"
  2⤵
  PID:1800
- C:\Windows\System32\takeown.exe
  "C:\Windows\System32\takeown.exe" /S YETUIZPU /U Admin /F "C:\Windows\System32\waitfor.exe"
  2⤵
  - Modifies file permissions
  PID:1416
- C:\Windows\System32\icacls.exe
  "C:\Windows\System32\icacls.exe" "C:\Windows\System32\waitfor.exe" /INHERITANCE:e /GRANT:r Admin:(F)
  2⤵
  PID:968
- C:\Windows\System32\icacls.exe
  "C:\Windows\System32\icacls.exe" "C:\Windows\System32\waitfor.exe" /INHERITANCE:e /GRANT:r Admin:(F)
  2⤵
  - Modifies file permissions
  PID:844
- C:\Windows\System32\takeown.exe
  "C:\Windows\System32\takeown.exe" /S YETUIZPU /U Admin /F "C:\Windows\System32\waitfor.exe"
  2⤵
  - Possible privilege escalation attempt
  PID:2436
- C:\Windows\System32\icacls.exe
  "C:\Windows\System32\icacls.exe" "C:\Windows\System32\waitfor.exe" /INHERITANCE:e /GRANT:r Admin:(F)
  2⤵
  PID:1452
- C:\Windows\System32\takeown.exe
  "C:\Windows\System32\takeown.exe" /S YETUIZPU /U Admin /F "C:\Windows\System32\waitfor.exe"
  2⤵
  PID:2776
- C:\Windows\System32\icacls.exe
  "C:\Windows\System32\icacls.exe" "C:\Windows\System32\waitfor.exe" /INHERITANCE:e /GRANT:r Admin:(F)
  2⤵
  - Possible privilege escalation attempt
  - Modifies file permissions
  PID:1876
- C:\Windows\System32\takeown.exe
  "C:\Windows\System32\takeown.exe" /S YETUIZPU /U Admin /F "C:\Windows\System32\waitfor.exe"
  2⤵
  - Modifies file permissions
  PID:2452
- C:\Windows\System32\icacls.exe
  "C:\Windows\System32\icacls.exe" "C:\Windows\System32\waitfor.exe" /INHERITANCE:e /GRANT:r Admin:(F)
  2⤵
  PID:2524
- C:\Windows\System32\takeown.exe
  "C:\Windows\System32\takeown.exe" /S YETUIZPU /U Admin /F "C:\Windows\System32\waitfor.exe"
  2⤵
  - Possible privilege escalation attempt
  PID:2780
- C:\Windows\System32\icacls.exe
  "C:\Windows\System32\icacls.exe" "C:\Windows\System32\waitfor.exe" /INHERITANCE:e /GRANT:r Admin:(F)
  2⤵
  PID:2792
- C:\Windows\System32\takeown.exe
  "C:\Windows\System32\takeown.exe" /S YETUIZPU /U Admin /F "C:\Windows\System32\waitfor.exe"
  2⤵
  - Modifies file permissions
  PID:2840
- C:\Windows\System32\icacls.exe
  "C:\Windows\System32\icacls.exe" "C:\Windows\System32\waitfor.exe" /INHERITANCE:e /GRANT:r Admin:(F)
  2⤵
  PID:1120
- C:\Windows\System32\takeown.exe
  "C:\Windows\System32\takeown.exe" /S YETUIZPU /U Admin /F "C:\Windows\System32\waitfor.exe"
  2⤵
  - Possible privilege escalation attempt
  PID:1080
- C:\Windows\System32\icacls.exe
  "C:\Windows\System32\icacls.exe" "C:\Windows\System32\waitfor.exe" /INHERITANCE:e /GRANT:r Admin:(F)
  2⤵
  PID:1616
- C:\Windows\System32\takeown.exe
  "C:\Windows\System32\takeown.exe" /S YETUIZPU /U Admin /F "C:\Windows\System32\waitfor.exe"
  2⤵
  PID:1116
- C:\Windows\System32\icacls.exe
  "C:\Windows\System32\icacls.exe" "C:\Windows\System32\waitfor.exe" /INHERITANCE:e /GRANT:r Admin:(F)
  2⤵
  PID:1708
- C:\Windows\System32\takeown.exe
  "C:\Windows\System32\takeown.exe" /S YETUIZPU /U Admin /F "C:\Windows\System32\waitfor.exe"
  2⤵
  - Modifies file permissions
  PID:1668
- C:\Windows\System32\icacls.exe
  "C:\Windows\System32\icacls.exe" "C:\Windows\System32\waitfor.exe" /INHERITANCE:e /GRANT:r Admin:(F)
  2⤵
  PID:2432
- C:\Windows\System32\takeown.exe
  "C:\Windows\System32\takeown.exe" /S YETUIZPU /U Admin /F "C:\Windows\System32\waitfor.exe"
  2⤵
  - Possible privilege escalation attempt
  PID:2628
- C:\Windows\System32\icacls.exe
  "C:\Windows\System32\icacls.exe" "C:\Windows\System32\waitfor.exe" /INHERITANCE:e /GRANT:r Admin:(F)
  2⤵
  PID:1660
- C:\Windows\System32\takeown.exe
  "C:\Windows\System32\takeown.exe" /S YETUIZPU /U Admin /F "C:\Windows\System32\waitfor.exe"
  2⤵
  - Modifies file permissions
  PID:2744
- C:\Windows\System32\icacls.exe
  "C:\Windows\System32\icacls.exe" "C:\Windows\System32\waitfor.exe" /INHERITANCE:e /GRANT:r Admin:(F)
  2⤵
  - Modifies file permissions
  PID:2512
- C:\Windows\System32\takeown.exe
  "C:\Windows\System32\takeown.exe" /S YETUIZPU /U Admin /F "C:\Windows\System32\waitfor.exe"
  2⤵
  - Possible privilege escalation attempt
  - Modifies file permissions
  PID:1984
- C:\Windows\System32\icacls.exe
  "C:\Windows\System32\icacls.exe" "C:\Windows\System32\waitfor.exe" /INHERITANCE:e /GRANT:r Admin:(F)
  2⤵
  - Possible privilege escalation attempt
  PID:1244
- C:\Windows\System32\takeown.exe
  "C:\Windows\System32\takeown.exe" /S YETUIZPU /U Admin /F "C:\Windows\System32\waitfor.exe"
  2⤵
  - Modifies file permissions
  PID:2580
- C:\Windows\System32\icacls.exe
  "C:\Windows\System32\icacls.exe" "C:\Windows\System32\waitfor.exe" /INHERITANCE:e /GRANT:r Admin:(F)
  2⤵
  PID:2216
- C:\Windows\System32\takeown.exe
  "C:\Windows\System32\takeown.exe" /S YETUIZPU /U Admin /F "C:\Windows\System32\waitfor.exe"
  2⤵
  PID:1172
- C:\Windows\System32\icacls.exe
  "C:\Windows\System32\icacls.exe" "C:\Windows\System32\waitfor.exe" /INHERITANCE:e /GRANT:r Admin:(F)
  2⤵
  PID:3056
- C:\Windows\System32\takeown.exe
  "C:\Windows\System32\takeown.exe" /S YETUIZPU /U Admin /F "C:\Windows\System32\waitfor.exe"
  2⤵
  PID:1744
- C:\Windows\System32\icacls.exe
  "C:\Windows\System32\icacls.exe" "C:\Windows\System32\waitfor.exe" /INHERITANCE:e /GRANT:r Admin:(F)
  2⤵
  - Possible privilege escalation attempt
  PID:1640
- C:\Windows\System32\takeown.exe
  "C:\Windows\System32\takeown.exe" /S YETUIZPU /U Admin /F "C:\Windows\System32\waitfor.exe"
  2⤵
  - Possible privilege escalation attempt
  PID:1392
- C:\Windows\System32\icacls.exe
  "C:\Windows\System32\icacls.exe" "C:\Windows\System32\waitfor.exe" /INHERITANCE:e /GRANT:r Admin:(F)
  2⤵
  - Possible privilege escalation attempt
  PID:1152
- C:\Windows\System32\takeown.exe
  "C:\Windows\System32\takeown.exe" /S YETUIZPU /U Admin /F "C:\Windows\System32\waitfor.exe"
  2⤵
  PID:1764
- C:\Windows\System32\icacls.exe
  "C:\Windows\System32\icacls.exe" "C:\Windows\System32\waitfor.exe" /INHERITANCE:e /GRANT:r Admin:(F)
  2⤵
  PID:2388
- C:\Windows\System32\takeown.exe
  "C:\Windows\System32\takeown.exe" /S YETUIZPU /U Admin /F "C:\Windows\System32\waitfor.exe"
  2⤵
  PID:2188
- C:\Windows\System32\icacls.exe
  "C:\Windows\System32\icacls.exe" "C:\Windows\System32\waitfor.exe" /INHERITANCE:e /GRANT:r Admin:(F)
  2⤵
  PID:1448
- C:\Windows\System32\takeown.exe
  "C:\Windows\System32\takeown.exe" /S YETUIZPU /U Admin /F "C:\Windows\System32\waitfor.exe"
  2⤵
  - Modifies file permissions
  PID:1128
- C:\Windows\System32\icacls.exe
  "C:\Windows\System32\icacls.exe" "C:\Windows\System32\waitfor.exe" /INHERITANCE:e /GRANT:r Admin:(F)
  2⤵
  - Modifies file permissions
  PID:856
- C:\Windows\System32\takeown.exe
  "C:\Windows\System32\takeown.exe" /S YETUIZPU /U Admin /F "C:\Windows\System32\waitfor.exe"
  2⤵
  - Modifies file permissions
  PID:948
- C:\Windows\System32\takeown.exe
  "C:\Windows\System32\takeown.exe" /S YETUIZPU /U Admin /F "C:\Windows\System32\waitfor.exe"
  2⤵
  PID:2004
- C:\Windows\System32\icacls.exe
  "C:\Windows\System32\icacls.exe" "C:\Windows\System32\waitfor.exe" /INHERITANCE:e /GRANT:r Admin:(F)
  2⤵
  PID:1060
- C:\Windows\System32\icacls.exe
  "C:\Windows\System32\icacls.exe" "C:\Windows\System32\waitfor.exe" /INHERITANCE:e /GRANT:r Admin:(F)
  2⤵
  - Modifies file permissions
  PID:1768
- C:\Windows\System32\icacls.exe
  "C:\Windows\System32\icacls.exe" "C:\Windows\System32\waitfor.exe" /INHERITANCE:e /GRANT:r Admin:(F)
  2⤵
  PID:2836
- C:\Windows\System32\takeown.exe
  "C:\Windows\System32\takeown.exe" /S YETUIZPU /U Admin /F "C:\Windows\System32\waitfor.exe"
  2⤵
  PID:800
- C:\Windows\System32\takeown.exe
  "C:\Windows\System32\takeown.exe" /S YETUIZPU /U Admin /F "C:\Windows\System32\waitfor.exe"
  2⤵
  PID:280
- C:\Windows\System32\icacls.exe
  "C:\Windows\System32\icacls.exe" "C:\Windows\System32\waitfor.exe" /INHERITANCE:e /GRANT:r Admin:(F)
  2⤵
  - Possible privilege escalation attempt
  PID:2532
- C:\Windows\System32\takeown.exe
  "C:\Windows\System32\takeown.exe" /S YETUIZPU /U Admin /F "C:\Windows\System32\waitfor.exe"
  2⤵
  PID:2024
- C:\Windows\System32\icacls.exe
  "C:\Windows\System32\icacls.exe" "C:\Windows\System32\waitfor.exe" /INHERITANCE:e /GRANT:r Admin:(F)
  2⤵
  PID:1864
- C:\Windows\System32\takeown.exe
  "C:\Windows\System32\takeown.exe" /S YETUIZPU /U Admin /F "C:\Windows\System32\waitfor.exe"
  2⤵
  PID:2104
- C:\Windows\System32\icacls.exe
  "C:\Windows\System32\icacls.exe" "C:\Windows\System32\waitfor.exe" /INHERITANCE:e /GRANT:r Admin:(F)
  2⤵
  - Possible privilege escalation attempt
  - Modifies file permissions
  PID:1516
- C:\Windows\System32\takeown.exe
  "C:\Windows\System32\takeown.exe" /S YETUIZPU /U Admin /F "C:\Windows\System32\waitfor.exe"
  2⤵
  - Modifies file permissions
  PID:240
- C:\Windows\System32\icacls.exe
  "C:\Windows\System32\icacls.exe" "C:\Windows\System32\waitfor.exe" /INHERITANCE:e /GRANT:r Admin:(F)
  2⤵
  PID:1692
- C:\Windows\System32\icacls.exe
  "C:\Windows\System32\icacls.exe" "C:\Windows\System32\waitfor.exe" /INHERITANCE:e /GRANT:r Admin:(F)
  2⤵
  - Possible privilege escalation attempt
  PID:3116
- C:\Windows\System32\takeown.exe
  "C:\Windows\System32\takeown.exe" /S YETUIZPU /U Admin /F "C:\Windows\System32\waitfor.exe"
  2⤵
  PID:3108
- C:\Windows\System32\icacls.exe
  "C:\Windows\System32\icacls.exe" "C:\Windows\System32\waitfor.exe" /INHERITANCE:e /GRANT:r Admin:(F)
  2⤵
  PID:3092
- C:\Windows\System32\takeown.exe
  "C:\Windows\System32\takeown.exe" /S YETUIZPU /U Admin /F "C:\Windows\System32\waitfor.exe"
  2⤵
  PID:3084
- C:\Windows\System32\takeown.exe
  "C:\Windows\System32\takeown.exe" /S YETUIZPU /U Admin /F "C:\Windows\System32\waitfor.exe"
  2⤵
  - Possible privilege escalation attempt
  PID:1756
- C:\Windows\System32\icacls.exe
  "C:\Windows\System32\icacls.exe" "C:\Windows\System32\waitfor.exe" /INHERITANCE:e /GRANT:r Admin:(F)
  2⤵
  PID:1436
- C:\Windows\System32\takeown.exe
  "C:\Windows\System32\takeown.exe" /S YETUIZPU /U Admin /F "C:\Windows\System32\waitfor.exe"
  2⤵
  PID:1508
- C:\Windows\System32\icacls.exe
  "C:\Windows\System32\icacls.exe" "C:\Windows\System32\waitfor.exe" /INHERITANCE:e /GRANT:r Admin:(F)
  2⤵
  PID:2608
- C:\Windows\System32\takeown.exe
  "C:\Windows\System32\takeown.exe" /S YETUIZPU /U Admin /F "C:\Windows\System32\waitfor.exe"
  2⤵
  - Possible privilege escalation attempt
  PID:3124
- C:\Windows\System32\icacls.exe
  "C:\Windows\System32\icacls.exe" "C:\Windows\System32\waitfor.exe" /INHERITANCE:e /GRANT:r Admin:(F)
  2⤵
  PID:3152
- C:\Windows\System32\takeown.exe
  "C:\Windows\System32\takeown.exe" /S YETUIZPU /U Admin /F "C:\Windows\System32\waitfor.exe"
  2⤵
  - Possible privilege escalation attempt
  - Modifies file permissions
  PID:3208
- C:\Windows\System32\icacls.exe
  "C:\Windows\System32\icacls.exe" "C:\Windows\System32\waitfor.exe" /INHERITANCE:e /GRANT:r Admin:(F)
  2⤵
  PID:3196
- C:\Windows\System32\takeown.exe
  "C:\Windows\System32\takeown.exe" /S YETUIZPU /U Admin /F "C:\Windows\System32\waitfor.exe"
  2⤵
  - Possible privilege escalation attempt
  PID:3188
- C:\Windows\System32\icacls.exe
  "C:\Windows\System32\icacls.exe" "C:\Windows\System32\waitfor.exe" /INHERITANCE:e /GRANT:r Admin:(F)
  2⤵
  - Possible privilege escalation attempt
  - Modifies file permissions
  PID:3232
- C:\Windows\System32\takeown.exe
  "C:\Windows\System32\takeown.exe" /S YETUIZPU /U Admin /F "C:\Windows\System32\waitfor.exe"
  2⤵
  - Possible privilege escalation attempt
  PID:3368
- C:\Windows\System32\icacls.exe
  "C:\Windows\System32\icacls.exe" "C:\Windows\System32\waitfor.exe" /INHERITANCE:e /GRANT:r Admin:(F)
  2⤵
  - Modifies file permissions
  PID:3392
- C:\Windows\System32\takeown.exe
  "C:\Windows\System32\takeown.exe" /S YETUIZPU /U Admin /F "C:\Windows\System32\waitfor.exe"
  2⤵
  PID:3404
- C:\Windows\System32\icacls.exe
  "C:\Windows\System32\icacls.exe" "C:\Windows\System32\waitfor.exe" /INHERITANCE:e /GRANT:r Admin:(F)
  2⤵
  - Modifies file permissions
  PID:3412
- C:\Windows\System32\takeown.exe
  "C:\Windows\System32\takeown.exe" /S YETUIZPU /U Admin /F "C:\Windows\System32\waitfor.exe"
  2⤵
  PID:3428
- C:\Windows\System32\icacls.exe
  "C:\Windows\System32\icacls.exe" "C:\Windows\System32\waitfor.exe" /INHERITANCE:e /GRANT:r Admin:(F)
  2⤵
  PID:3488
- C:\Windows\System32\takeown.exe
  "C:\Windows\System32\takeown.exe" /S YETUIZPU /U Admin /F "C:\Windows\System32\waitfor.exe"
  2⤵
  - Possible privilege escalation attempt
  PID:3576
- C:\Windows\System32\icacls.exe
  "C:\Windows\System32\icacls.exe" "C:\Windows\System32\waitfor.exe" /INHERITANCE:e /GRANT:r Admin:(F)
  2⤵
  - Possible privilege escalation attempt
  PID:3624
- C:\Windows\System32\takeown.exe
  "C:\Windows\System32\takeown.exe" /S YETUIZPU /U Admin /F "C:\Windows\System32\waitfor.exe"
  2⤵
  PID:3648
- C:\Windows\System32\takeown.exe
  "C:\Windows\System32\takeown.exe" /S YETUIZPU /U Admin /F "C:\Windows\System32\waitfor.exe"
  2⤵
  - Possible privilege escalation attempt
  PID:3692
- C:\Windows\System32\icacls.exe
  "C:\Windows\System32\icacls.exe" "C:\Windows\System32\waitfor.exe" /INHERITANCE:e /GRANT:r Admin:(F)
  2⤵
  - Possible privilege escalation attempt
  PID:3668
- C:\Windows\System32\icacls.exe
  "C:\Windows\System32\icacls.exe" "C:\Windows\System32\waitfor.exe" /INHERITANCE:e /GRANT:r Admin:(F)
  2⤵
  - Possible privilege escalation attempt
  PID:3704
- C:\Windows\System32\takeown.exe
  "C:\Windows\System32\takeown.exe" /S YETUIZPU /U Admin /F "C:\Windows\System32\waitfor.exe"
  2⤵
  - Possible privilege escalation attempt
  PID:3824
- C:\Windows\System32\icacls.exe
  "C:\Windows\System32\icacls.exe" "C:\Windows\System32\waitfor.exe" /INHERITANCE:e /GRANT:r Admin:(F)
  2⤵
  PID:3836
- C:\Windows\System32\icacls.exe
  "C:\Windows\System32\icacls.exe" "C:\Windows\System32\waitfor.exe" /INHERITANCE:e /GRANT:r Admin:(F)
  2⤵
  PID:3864
- C:\Windows\System32\takeown.exe
  "C:\Windows\System32\takeown.exe" /S YETUIZPU /U Admin /F "C:\Windows\System32\waitfor.exe"
  2⤵
  - Modifies file permissions
  PID:3852
- C:\Windows\System32\icacls.exe
  "C:\Windows\System32\icacls.exe" "C:\Windows\System32\waitfor.exe" /INHERITANCE:e /GRANT:r Admin:(F)
  2⤵
  - Possible privilege escalation attempt
  PID:3916
- C:\Windows\System32\takeown.exe
  "C:\Windows\System32\takeown.exe" /S YETUIZPU /U Admin /F "C:\Windows\System32\waitfor.exe"
  2⤵
  PID:3940
- C:\Windows\System32\takeown.exe
  "C:\Windows\System32\takeown.exe" /S YETUIZPU /U Admin /F "C:\Windows\System32\waitfor.exe"
  2⤵
  - Possible privilege escalation attempt
  PID:3908
- C:\Windows\System32\icacls.exe
  "C:\Windows\System32\icacls.exe" "C:\Windows\System32\waitfor.exe" /INHERITANCE:e /GRANT:r Admin:(F)
  2⤵
  - Modifies file permissions
  PID:3968
- C:\Windows\System32\takeown.exe
  "C:\Windows\System32\takeown.exe" /S YETUIZPU /U Admin /F "C:\Windows\System32\waitfor.exe"
  2⤵
  - Possible privilege escalation attempt
  PID:3996
- C:\Windows\System32\takeown.exe
  "C:\Windows\System32\takeown.exe" /S YETUIZPU /U Admin /F "C:\Windows\System32\waitfor.exe"
  2⤵
  - Modifies file permissions
  PID:4036
- C:\Windows\System32\icacls.exe
  "C:\Windows\System32\icacls.exe" "C:\Windows\System32\waitfor.exe" /INHERITANCE:e /GRANT:r Admin:(F)
  2⤵
  - Possible privilege escalation attempt
  PID:4016
- C:\Windows\System32\icacls.exe
  "C:\Windows\System32\icacls.exe" "C:\Windows\System32\waitfor.exe" /INHERITANCE:e /GRANT:r Admin:(F)
  2⤵
  - Modifies file permissions
  PID:2468
- C:\Windows\System32\takeown.exe
  "C:\Windows\System32\takeown.exe" /S YETUIZPU /U Admin /F "C:\Windows\System32\waitfor.exe"
  2⤵
  PID:3080
- C:\Windows\System32\icacls.exe
  "C:\Windows\System32\icacls.exe" "C:\Windows\System32\waitfor.exe" /INHERITANCE:e /GRANT:r Admin:(F)
  2⤵
  PID:3132
- C:\Windows\System32\takeown.exe
  "C:\Windows\System32\takeown.exe" /S YETUIZPU /U Admin /F "C:\Windows\System32\waitfor.exe"
  2⤵
  PID:1624
- C:\Windows\System32\icacls.exe
  "C:\Windows\System32\icacls.exe" "C:\Windows\System32\waitfor.exe" /INHERITANCE:e /GRANT:r Admin:(F)
  2⤵
  - Modifies file permissions
  PID:1540
- C:\Windows\System32\takeown.exe
  "C:\Windows\System32\takeown.exe" /S YETUIZPU /U Admin /F "C:\Windows\System32\waitfor.exe"
  2⤵
  PID:2100
- C:\Windows\System32\icacls.exe
  "C:\Windows\System32\icacls.exe" "C:\Windows\System32\waitfor.exe" /INHERITANCE:e /GRANT:r Admin:(F)
  2⤵
  PID:2560
- C:\Windows\System32\takeown.exe
  "C:\Windows\System32\takeown.exe" /S YETUIZPU /U Admin /F "C:\Windows\System32\waitfor.exe"
  2⤵
  - Modifies file permissions
  PID:696
- C:\Windows\System32\icacls.exe
  "C:\Windows\System32\icacls.exe" "C:\Windows\System32\waitfor.exe" /INHERITANCE:e /GRANT:r Admin:(F)
  2⤵
  PID:1472
- C:\Windows\System32\takeown.exe
  "C:\Windows\System32\takeown.exe" /S YETUIZPU /U Admin /F "C:\Windows\System32\waitfor.exe"
  2⤵
  PID:1632
- C:\Windows\System32\icacls.exe
  "C:\Windows\System32\icacls.exe" "C:\Windows\System32\waitfor.exe" /INHERITANCE:e /GRANT:r Admin:(F)
  2⤵
  PID:1184
- C:\Windows\System32\takeown.exe
  "C:\Windows\System32\takeown.exe" /S YETUIZPU /U Admin /F "C:\Windows\System32\waitfor.exe"
  2⤵
  - Possible privilege escalation attempt
  PID:3300
- C:\Windows\System32\icacls.exe
  "C:\Windows\System32\icacls.exe" "C:\Windows\System32\waitfor.exe" /INHERITANCE:e /GRANT:r Admin:(F)
  2⤵
  - Possible privilege escalation attempt
  - Modifies file permissions
  PID:2664
- C:\Windows\System32\takeown.exe
  "C:\Windows\System32\takeown.exe" /S YETUIZPU /U Admin /F "C:\Windows\System32\waitfor.exe"
  2⤵
  - Modifies file permissions
  PID:1820
- C:\Windows\System32\icacls.exe
  "C:\Windows\System32\icacls.exe" "C:\Windows\System32\waitfor.exe" /INHERITANCE:e /GRANT:r Admin:(F)
  2⤵
  PID:2300
- C:\Windows\System32\takeown.exe
  "C:\Windows\System32\takeown.exe" /S YETUIZPU /U Admin /F "C:\Windows\System32\waitfor.exe"
  2⤵
  PID:556
- C:\Windows\System32\icacls.exe
  "C:\Windows\System32\icacls.exe" "C:\Windows\System32\waitfor.exe" /INHERITANCE:e /GRANT:r Admin:(F)
  2⤵
  - Modifies file permissions
  PID:1604
- C:\Windows\System32\takeown.exe
  "C:\Windows\System32\takeown.exe" /S YETUIZPU /U Admin /F "C:\Windows\System32\waitfor.exe"
  2⤵
  PID:3308
- C:\Windows\System32\icacls.exe
  "C:\Windows\System32\icacls.exe" "C:\Windows\System32\waitfor.exe" /INHERITANCE:e /GRANT:r Admin:(F)
  2⤵
  PID:3848
- C:\Windows\System32\icacls.exe
  "C:\Windows\System32\icacls.exe" "C:\Windows\System32\waitfor.exe" /INHERITANCE:e /GRANT:r Admin:(F)
  2⤵
  - Possible privilege escalation attempt
  PID:3584
- C:\Windows\System32\takeown.exe
  "C:\Windows\System32\takeown.exe" /S YETUIZPU /U Admin /F "C:\Windows\System32\waitfor.exe"
  2⤵
  - Possible privilege escalation attempt
  PID:4140
- C:\Windows\System32\takeown.exe
  "C:\Windows\System32\takeown.exe" /S YETUIZPU /U Admin /F "C:\Windows\System32\waitfor.exe"
  2⤵
  PID:3536
- C:\Windows\System32\icacls.exe
  "C:\Windows\System32\icacls.exe" "C:\Windows\System32\waitfor.exe" /INHERITANCE:e /GRANT:r Admin:(F)
  2⤵
  PID:4028
- C:\Windows\System32\takeown.exe
  "C:\Windows\System32\takeown.exe" /S YETUIZPU /U Admin /F "C:\Windows\System32\waitfor.exe"
  2⤵
  PID:2904
- C:\Windows\System32\icacls.exe
  "C:\Windows\System32\icacls.exe" "C:\Windows\System32\waitfor.exe" /INHERITANCE:e /GRANT:r Admin:(F)
  2⤵
  - Possible privilege escalation attempt
  PID:2980
- C:\Windows\System32\takeown.exe
  "C:\Windows\System32\takeown.exe" /S YETUIZPU /U Admin /F "C:\Windows\System32\waitfor.exe"
  2⤵
  PID:3964
- C:\Windows\System32\icacls.exe
  "C:\Windows\System32\icacls.exe" "C:\Windows\System32\waitfor.exe" /INHERITANCE:e /GRANT:r Admin:(F)
  2⤵
  PID:3884
- C:\Windows\System32\takeown.exe
  "C:\Windows\System32\takeown.exe" /S YETUIZPU /U Admin /F "C:\Windows\System32\waitfor.exe"
  2⤵
  PID:3936
- C:\Windows\System32\icacls.exe
  "C:\Windows\System32\icacls.exe" "C:\Windows\System32\waitfor.exe" /INHERITANCE:e /GRANT:r Admin:(F)
  2⤵
  PID:4176
- C:\Windows\System32\icacls.exe
  "C:\Windows\System32\icacls.exe" "C:\Windows\System32\waitfor.exe" /INHERITANCE:e /GRANT:r Admin:(F)
  2⤵
  - Possible privilege escalation attempt
  PID:4216
- C:\Windows\System32\takeown.exe
  "C:\Windows\System32\takeown.exe" /S YETUIZPU /U Admin /F "C:\Windows\System32\waitfor.exe"
  2⤵
  PID:4204
- C:\Windows\System32\takeown.exe
  "C:\Windows\System32\takeown.exe" /S YETUIZPU /U Admin /F "C:\Windows\System32\waitfor.exe"
  2⤵
  PID:4240
- C:\Windows\System32\icacls.exe
  "C:\Windows\System32\icacls.exe" "C:\Windows\System32\waitfor.exe" /INHERITANCE:e /GRANT:r Admin:(F)
  2⤵
  PID:4276
- C:\Windows\System32\takeown.exe
  "C:\Windows\System32\takeown.exe" /S YETUIZPU /U Admin /F "C:\Windows\System32\waitfor.exe"
  2⤵
  PID:4304
- C:\Windows\System32\icacls.exe
  "C:\Windows\System32\icacls.exe" "C:\Windows\System32\waitfor.exe" /INHERITANCE:e /GRANT:r Admin:(F)
  2⤵
  PID:4336
- C:\Windows\System32\takeown.exe
  "C:\Windows\System32\takeown.exe" /S YETUIZPU /U Admin /F "C:\Windows\System32\waitfor.exe"
  2⤵
  - Possible privilege escalation attempt
  - Modifies file permissions
  PID:4372
- C:\Windows\System32\icacls.exe
  "C:\Windows\System32\icacls.exe" "C:\Windows\System32\waitfor.exe" /INHERITANCE:e /GRANT:r Admin:(F)
  2⤵
  PID:4392
- C:\Windows\System32\takeown.exe
  "C:\Windows\System32\takeown.exe" /S YETUIZPU /U Admin /F "C:\Windows\System32\waitfor.exe"
  2⤵
  PID:4416
- C:\Windows\System32\icacls.exe
  "C:\Windows\System32\icacls.exe" "C:\Windows\System32\waitfor.exe" /INHERITANCE:e /GRANT:r Admin:(F)
  2⤵
  PID:4444
- C:\Windows\System32\takeown.exe
  "C:\Windows\System32\takeown.exe" /S YETUIZPU /U Admin /F "C:\Windows\System32\waitfor.exe"
  2⤵
  - Modifies file permissions
  PID:4472
- C:\Windows\System32\icacls.exe
  "C:\Windows\System32\icacls.exe" "C:\Windows\System32\waitfor.exe" /INHERITANCE:e /GRANT:r Admin:(F)
  2⤵
  PID:4500
- C:\Windows\System32\takeown.exe
  "C:\Windows\System32\takeown.exe" /S YETUIZPU /U Admin /F "C:\Windows\System32\waitfor.exe"
  2⤵
  PID:4520
- C:\Windows\System32\icacls.exe
  "C:\Windows\System32\icacls.exe" "C:\Windows\System32\waitfor.exe" /INHERITANCE:e /GRANT:r Admin:(F)
  2⤵
  PID:4536
- C:\Windows\System32\takeown.exe
  "C:\Windows\System32\takeown.exe" /S YETUIZPU /U Admin /F "C:\Windows\System32\waitfor.exe"
  2⤵
  PID:4556
- C:\Windows\System32\icacls.exe
  "C:\Windows\System32\icacls.exe" "C:\Windows\System32\waitfor.exe" /INHERITANCE:e /GRANT:r Admin:(F)
  2⤵
  - Possible privilege escalation attempt
  PID:4588
- C:\Windows\System32\takeown.exe
  "C:\Windows\System32\takeown.exe" /S YETUIZPU /U Admin /F "C:\Windows\System32\waitfor.exe"
  2⤵
  - Modifies file permissions
  PID:4612
- C:\Windows\System32\icacls.exe
  "C:\Windows\System32\icacls.exe" "C:\Windows\System32\waitfor.exe" /INHERITANCE:e /GRANT:r Admin:(F)
  2⤵
  - Modifies file permissions
  PID:4632
- C:\Windows\System32\takeown.exe
  "C:\Windows\System32\takeown.exe" /S YETUIZPU /U Admin /F "C:\Windows\System32\waitfor.exe"
  2⤵
  - Modifies file permissions
  PID:4656
- C:\Windows\System32\icacls.exe
  "C:\Windows\System32\icacls.exe" "C:\Windows\System32\waitfor.exe" /INHERITANCE:e /GRANT:r Admin:(F)
  2⤵
  PID:4696
- C:\Windows\System32\takeown.exe
  "C:\Windows\System32\takeown.exe" /S YETUIZPU /U Admin /F "C:\Windows\System32\waitfor.exe"
  2⤵
  - Modifies file permissions
  PID:4712
- C:\Windows\System32\icacls.exe
  "C:\Windows\System32\icacls.exe" "C:\Windows\System32\waitfor.exe" /INHERITANCE:e /GRANT:r Admin:(F)
  2⤵
  - Possible privilege escalation attempt
  PID:4740
- C:\Windows\System32\takeown.exe
  "C:\Windows\System32\takeown.exe" /S YETUIZPU /U Admin /F "C:\Windows\System32\waitfor.exe"
  2⤵
  PID:4764
- C:\Windows\System32\icacls.exe
  "C:\Windows\System32\icacls.exe" "C:\Windows\System32\waitfor.exe" /INHERITANCE:e /GRANT:r Admin:(F)
  2⤵
  - Modifies file permissions
  PID:4792
- C:\Windows\System32\takeown.exe
  "C:\Windows\System32\takeown.exe" /S YETUIZPU /U Admin /F "C:\Windows\System32\waitfor.exe"
  2⤵
  PID:4820
- C:\Windows\System32\icacls.exe
  "C:\Windows\System32\icacls.exe" "C:\Windows\System32\waitfor.exe" /INHERITANCE:e /GRANT:r Admin:(F)
  2⤵
  - Possible privilege escalation attempt
  PID:4848
- C:\Windows\System32\takeown.exe
  "C:\Windows\System32\takeown.exe" /S YETUIZPU /U Admin /F "C:\Windows\System32\waitfor.exe"
  2⤵
  PID:4880
- C:\Windows\System32\icacls.exe
  "C:\Windows\System32\icacls.exe" "C:\Windows\System32\waitfor.exe" /INHERITANCE:e /GRANT:r Admin:(F)
  2⤵
  - Possible privilege escalation attempt
  PID:4916
- C:\Windows\System32\takeown.exe
  "C:\Windows\System32\takeown.exe" /S YETUIZPU /U Admin /F "C:\Windows\System32\waitfor.exe"
  2⤵
  PID:4944
- C:\Windows\System32\icacls.exe
  "C:\Windows\System32\icacls.exe" "C:\Windows\System32\waitfor.exe" /INHERITANCE:e /GRANT:r Admin:(F)
  2⤵
  - Possible privilege escalation attempt
  PID:4968
- C:\Windows\System32\takeown.exe
  "C:\Windows\System32\takeown.exe" /S YETUIZPU /U Admin /F "C:\Windows\System32\waitfor.exe"
  2⤵
  - Possible privilege escalation attempt
  - Modifies file permissions
  PID:4992
- C:\Windows\System32\icacls.exe
  "C:\Windows\System32\icacls.exe" "C:\Windows\System32\waitfor.exe" /INHERITANCE:e /GRANT:r Admin:(F)
  2⤵
  - Modifies file permissions
  PID:5012
- C:\Windows\System32\takeown.exe
  "C:\Windows\System32\takeown.exe" /S YETUIZPU /U Admin /F "C:\Windows\System32\waitfor.exe"
  2⤵
  - Possible privilege escalation attempt
  PID:5040
- C:\Windows\System32\icacls.exe
  "C:\Windows\System32\icacls.exe" "C:\Windows\System32\waitfor.exe" /INHERITANCE:e /GRANT:r Admin:(F)
  2⤵
  - Possible privilege escalation attempt
  - Modifies file permissions
  PID:5060
- C:\Windows\System32\takeown.exe
  "C:\Windows\System32\takeown.exe" /S YETUIZPU /U Admin /F "C:\Windows\System32\waitfor.exe"
  2⤵
  - Possible privilege escalation attempt
  PID:5092
- C:\Windows\System32\icacls.exe
  "C:\Windows\System32\icacls.exe" "C:\Windows\System32\waitfor.exe" /INHERITANCE:e /GRANT:r Admin:(F)
  2⤵
  - Modifies file permissions
  PID:5108
- C:\Windows\System32\takeown.exe
  "C:\Windows\System32\takeown.exe" /S YETUIZPU /U Admin /F "C:\Windows\System32\waitfor.exe"
  2⤵
  - Modifies file permissions
  PID:3312
- C:\Windows\System32\icacls.exe
  "C:\Windows\System32\icacls.exe" "C:\Windows\System32\waitfor.exe" /INHERITANCE:e /GRANT:r Admin:(F)
  2⤵
  PID:4184
- C:\Windows\System32\takeown.exe
  "C:\Windows\System32\takeown.exe" /S YETUIZPU /U Admin /F "C:\Windows\System32\waitfor.exe"
  2⤵
  PID:3400
- C:\Windows\System32\icacls.exe
  "C:\Windows\System32\icacls.exe" "C:\Windows\System32\waitfor.exe" /INHERITANCE:e /GRANT:r Admin:(F)
  2⤵
  - Possible privilege escalation attempt
  PID:4264
- C:\Windows\System32\takeown.exe
  "C:\Windows\System32\takeown.exe" /S YETUIZPU /U Admin /F "C:\Windows\System32\waitfor.exe"
  2⤵
  PID:3720
- C:\Windows\System32\icacls.exe
  "C:\Windows\System32\icacls.exe" "C:\Windows\System32\waitfor.exe" /INHERITANCE:e /GRANT:r Admin:(F)
  2⤵
  PID:3220
- C:\Windows\System32\takeown.exe
  "C:\Windows\System32\takeown.exe" /S YETUIZPU /U Admin /F "C:\Windows\System32\waitfor.exe"
  2⤵
  PID:4128
- C:\Windows\System32\icacls.exe
  "C:\Windows\System32\icacls.exe" "C:\Windows\System32\waitfor.exe" /INHERITANCE:e /GRANT:r Admin:(F)
  2⤵
  PID:4388

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

File and Directory Permissions Modification

T1222

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\jr0QQ1XF69.exe

Filesize
352KB

MD5
78e637401271603976b3b7dd42aa2287

SHA1
b07538c4d70c39b0430ff8f706fc23dd2b640425

SHA256
e15ecdeef7a7537ea992af51d9021ad6c303b351b5322baa017a7b2ae1c2c631

SHA512
896d7277bb2e5f5f9727a3de04b86654ef39868f82b61cf1e00f2ab1a1a2642bca95233a65bfc43538cb921f79df5af087eb5dc89dfb78aad329d0382beecd3f

Download Submit
C:\Windows\System32\waitfor.exe

Filesize
352KB

MD5
dbf0485f8362d5eb02f62480b349e3a9

SHA1
fb0d34384e7efd82b84e26355affa5cb123ed7bd

SHA256
2ffd5c2ed6de0a1795aea79830f71100f207c39266f69972473710adf28fb544

SHA512
a9e8daca7216bb8fd072815d62c97051ad1d4326672ad52274756a37e63d469450eee67a188748ad9a146bb081be7657efb060f57b9119d2b8fc91f1d08fdff0

Download Submit
C:\Windows\System32\waitfor.exe

Filesize
352KB

MD5
8368ede63e8cfce6a427b8dbe778d504

SHA1
8f8fb9cdaacba64a0c8e00ba93e0478d7621aa81

SHA256
8628d9d435b8111343365ad54babf9e26823261ed3bf0230dd409557bbba80b7

SHA512
d0fefc280b9388028b107145e66c41483eb7ca85f0e1e1f5704c416385224e351ad057bb21485c32c066089bed223eddaef7d92883f0407667db1ba82af029ea

Download Submit
C:\Windows\System32\waitfor.exe

Filesize
352KB

MD5
ef365ad0c0517c215620c87a9e06a604

SHA1
3926e58edaa35c6321483e14e7a5353e75da2901

SHA256
d5da3957f2aeba63fe57a430f3a27941bc5328cf33897c5a590cb79b8a80fd6b

SHA512
fa5eaf6bb216f447bcfe34d6d42142fafd192821b4e28b1b8de10206b3f49ab957be2b2415816b3e51b02b76effa6c0fdad4177ea8b56f70a0252d00a0cd2501

Download Submit
C:\Windows\System32\waitfor.exe

Filesize
352KB

MD5
4bef682111605e61bb8c4d03cf65e793

SHA1
e39350181f887051066cf07b32f3dec4376d13c6

SHA256
99d7d1236653af48a3cfbbed53a4739153828c8f311bad52afa4791aece0d7e3

SHA512
80f554f293afb7fc9f451671ca4238352fb7b690596c9807660012e911e0046f2039a13a1c62c8e4b8e766d52dd7d18bce906eb6dd490f1107aa4e83e3d05b33

Download Submit
C:\Windows\System32\waitfor.exe

Filesize
353KB

MD5
b1288dd98f7e6d1ec0463600ca47eef7

SHA1
177d5e16411f3a4c601d964ffec69aacf9d48f9f

SHA256
54d7e154cb8b066ca82510576f7558fa0737ab9f23cb1c8fbefffb797d2725e3

SHA512
f17c8efb0997e95c469410747d1d47174df8a251ccbbb9b209dbdc2bf09585f8698372f25460ff7528bf544819b73be5d5cb348db3d0f1ce9cf3374f4c1c4acf

Download Submit
C:\Windows\System32\waitfor.exe

Filesize
353KB

MD5
8ab521c342b40b9ddcdee96a9fdafcd0

SHA1
bc3e851d627ad0049a5bda842fc40cd22344bd26

SHA256
846ca6f33edaf9353ad28560324341ce858c1929842c237d3bf0ef9a8d5e4f86

SHA512
1652f4e7c2359c326ff6b5e11e86222cd93db996a94e33f557be4bc6480ff580bb84371284a40d05a0d2531fdb62afdbe00266f9cd8464546a5705d7ce9a2940

Download Submit
C:\Windows\System32\waitfor.exe

Filesize
353KB

MD5
44b4e9bac8023872b035a8fcd3dccaea

SHA1
a072f2d050c3a20f33906a89cf7719765d8b4638

SHA256
e5b8b35fe501a1c2b3a241e28be62a91adf3376d362ba633ea69b763b04ce219

SHA512
567b5cf6639ce631d7c72fddab13ad7144f3d598f47ebba23326b9cedbcab67f5cea0b89d11434e0e994a3640fe4026d7412a392adcb46ee7832f7b91f761c21

Download Submit
C:\Windows\System32\waitfor.exe

Filesize
353KB

MD5
f842a54c0d561b0e1a72b0d5b33fc1be

SHA1
68ecf644a65b2525933452e443b33862d83d95e8

SHA256
512e6a4739fab16df1eab043e2b121ee5b33e9913adba6f430e2179004492a58

SHA512
1576818723425a8ce47f054f8e8e5f66ff06149963655cba86a2920938828d763a4d5c959b072aed9fd874b59eff080c4e8da42a34da75542955aae81482aaea

Download Submit
C:\Windows\System32\waitfor.exe

Filesize
353KB

MD5
20e27bf10c72ce060a1eac0b115ff770

SHA1
c3c01abd1bb063fd453f9805265ce1c4b68e7af8

SHA256
6025481df6ae595733ac5e4bf0bab1c8d456cf40dcb475b1408fc46b5a8dd260

SHA512
0b32943a8dbc57a6659b37f647df0ae1c135d4f2e252d6a8f951771d9fab5e1732fb9d8418ce4c7b3bb038250e710bc5e26e1ccf73ae31f5d086369e24179753

Download Submit
C:\Windows\System32\waitfor.exe

Filesize
353KB

MD5
8b6a44c3a27a5020bde108e7146a4d5e

SHA1
fe35782ac7f4bd94d35331d57270848c475193ea

SHA256
dc68673bc39071ba14c24f0f2a07a7e8d812778f809a6434096fb2fb92f34f5b

SHA512
90b96019d79abb343212607050a17d44962a8d10db225e5b4ec8325dc5c096c022a76c844e3b0d95a8825ae2e4c6e6b50bc0e28550f0fe6dc37a0302efc0559a

Download Submit
C:\Windows\System32\waitfor.exe

Filesize
353KB

MD5
8b6a44c3a27a5020bde108e7146a4d5e

SHA1
fe35782ac7f4bd94d35331d57270848c475193ea

SHA256
dc68673bc39071ba14c24f0f2a07a7e8d812778f809a6434096fb2fb92f34f5b

SHA512
90b96019d79abb343212607050a17d44962a8d10db225e5b4ec8325dc5c096c022a76c844e3b0d95a8825ae2e4c6e6b50bc0e28550f0fe6dc37a0302efc0559a

Download Submit
C:\Windows\System32\waitfor.exe

Filesize
192KB

MD5
a662e1010fe4ea3e5a900b331f318c7d

SHA1
759b586ab77425d338d6598a0ce5744ab91d671d

SHA256
c6c65b5d5084b21a6b2b311cf65855f22ff26f84a6734491a5895f499ce834ed

SHA512
d72266152241bf7db076367d2c5b7191278acc8bc1c5e1fe8dc671bf1dcc6c5920f4d4854a37572dfbbf35a7c397aa05add364e95e803833f2044fe52949c3ed

Download Submit
C:\Windows\System32\waitfor.exe

Filesize
353KB

MD5
5f93335bc9c0d8c10b51776d044b105a

SHA1
629be3d7a8ff2776f60ae7a4e8de64a7cc580157

SHA256
afde01877be17d629f6e074fa0030fe091e22f6e217a178be0df1f493bd99815

SHA512
e4ac132c89ee0cad4addcffd26c0bf868419af8939f8261cb3e0211b692088a5c9bf32965851bc16da6eb66fbddc0591438863cb226350b241d935730d13a69a

Download Submit
C:\Windows\System32\waitfor.exe

Filesize
353KB

MD5
667282d93a96904d587bb7efadfc2769

SHA1
7ef4b74a706446f0ba7ff689c4d547f46a26bbcc

SHA256
92a2673471badd20a00e341b34e787f5b48b0dc50338af6cdc441f2fad12d1f1

SHA512
4d3764f4a2a1d4d709d472e748291aaa80b32120dfaca0e1c7821355035cf7b3c2695768be35c1d735275abd893ce397018cbca25993e552d551488982244b36

Download Submit
C:\Windows\System32\waitfor.exe

Filesize
353KB

MD5
825586fbc23ccca78716e9611cf1c7b4

SHA1
9f2b06887de842efa32d3094cfd9dc374ea4a171

SHA256
313aaf7b2e471af4ec6e6d221106efee4a7ffef781b5ffd4e806549ea6f8d33a

SHA512
dc5638ee8aace259ef0a2267db7dc16464553230ce33bd79f654e4567b1cf6c6fff155a006ab65a0e34318e8271013dfadc5488efd00de10b629019ae0bdac4d

Download Submit
C:\Windows\System32\waitfor.exe

Filesize
353KB

MD5
23fdb620c60d3cdaf2fe05149ce83c71

SHA1
fe498d18dfe820e30663c6446dda8081c9931c06

SHA256
d3e24a761fc30f068d3b42a48e3ba6c82ccf9c32e9572d50ad416f39e6fdc0c0

SHA512
2b28d8d170bfe1a5a81271b5a1a42715aca5e7632da9938dff1e486fc0aaaa7581c57e45ca395221cd7af1c69c1468b9eabf4fca739b1d88ad9a340069d42868

Download Submit
C:\Windows\System32\waitfor.exe

Filesize
353KB

MD5
25b21b87b17b3f1697dacbb84c53d9ec

SHA1
c9ccedc3be351c520a70055e80c0449cde0e711d

SHA256
6c0baf70b0d4a20bf2a8c0b4bcdea23cf8b623236de548c5774bcf55a3fdc770

SHA512
1f6ea1fed7983ab41f981affabd40f8d4fc3f1e7870b27ece5c972b2874124cc76ef063492e8e3847d5911279b5e3e7b13eceaa1c4469ea1428f23002a6f6ba9

Download Submit
C:\Windows\System32\waitfor.exe

Filesize
353KB

MD5
c6d490ce4117e432c2d34f9b33a3aa66

SHA1
9ecfd8b635d2c098f0eb5e5429760444e376f4f6

SHA256
260cc6816a3c7de27d380fad121c1f06b34f98830dd41529cc387b156e35e421

SHA512
2e9645da7723ff296b29d0d2d892cbd91ed9225f9eacacb1b1627f0d3b27d6b916ee2d3379438477923898b4efda9ec047f047e7fbc4a95ac48ada307cb47e6c

Download Submit
C:\Windows\System32\waitfor.exe

Filesize
353KB

MD5
6d94c79aa338701da96a8dde813f7224

SHA1
7cf092914a1360f548161173281ae1e9c6f23d1b

SHA256
49340ea9ad53198414d4f28022172beaef3ab388d2b94f54307b8fb3348b1140

SHA512
602d80d1d0caab9985fda8810b4d009063798b3d2939c707bf8989ac79a3d63e86a337bb65929fc3deb3521d264ddbba5ce46f20bef108e7d3a6ccd4ea4b176a

Download Submit
C:\Windows\System32\waitfor.exe

Filesize
353KB

MD5
997f28842f58b838c9e43674373c3c0f

SHA1
4e0d4876e51ed711940a8296b05101391e26dd4b

SHA256
f7ff5f8aebab262e9f2d087c91fcd70282fddea005363eeb5a3d275af378d87f

SHA512
f36764eae681cc4addff14b5703e27542ed42ccb825990c787f02e87a1817622f365e30c10f8dc34a37a0b9f8ae22c98585067e03fd724d82951cf6c60c28c55

Download Submit
C:\Windows\System32\waitfor.exe

Filesize
353KB

MD5
997f28842f58b838c9e43674373c3c0f

SHA1
4e0d4876e51ed711940a8296b05101391e26dd4b

SHA256
f7ff5f8aebab262e9f2d087c91fcd70282fddea005363eeb5a3d275af378d87f

SHA512
f36764eae681cc4addff14b5703e27542ed42ccb825990c787f02e87a1817622f365e30c10f8dc34a37a0b9f8ae22c98585067e03fd724d82951cf6c60c28c55

Download Submit
C:\Windows\System32\waitfor.exe

Filesize
353KB

MD5
31da67b8873a2f0ee0dcc4324815b3bc

SHA1
6c1a16ac41d8e52fb8a60e8d8557ddac6cebf871

SHA256
0e880e81deca5d8c982b6cfa89481859d9d44d225b2bbd90e775f6da20404560

SHA512
e8d319c8b2b9076065e0260639fe4e85ae9d40cf507143e5a8b0550ea87c612e29435eab66f99fa792ecd6c0f522316a4179f13bbd3624edbf2a2c9d6755bed4

Download Submit
C:\Windows\System32\waitfor.exe

Filesize
353KB

MD5
dc01e1694cce8c17a8b0deee31cc2ac9

SHA1
c19203b95b6b2f8453157e79eeda3045cbc3d2c3

SHA256
16b08f01b409cd8c262f97e472876046b8f5a3225d048e937f1aeb374387273c

SHA512
1a4d286b953c9725ae7f9e65a98f6d4e98eab1ca27d60cdde6de9edb8ae3c9f8edc12e5f3bfcd4e4a6c68884bcdf0aa9368312a55b0f24ad9e9f54dfb14a6715

Download Submit
C:\Windows\System32\waitfor.exe

Filesize
353KB

MD5
6b4423aa40b0ec43c78f70d2c6d2a7d5

SHA1
8f6c0d0bf492bbcff7b23430282c6cff2035fbf9

SHA256
c2fccba4fbe73a70abb955d065c919103f481173c0c32fb85099057bb476bb1f

SHA512
f1c62cc9b403bd2bb14fe82fb80b50b28265f351e61f76e4c6b946c7a04225867604fbbbfd4c0406de2b98f3a40d3dd400e5531cb874f4810d554a2da94b8b15

Download Submit
C:\Windows\System32\waitfor.exe

Filesize
353KB

MD5
cf7605a604ea07875e44185056cc6446

SHA1
189967c654a466aa18aff6302fea688ff8d641ce

SHA256
c4f73eda546ab111335342d459acb0b096876be2db92fadb2e94f596d187254f

SHA512
99e0102334652e8f1f0fc87459580998a11e612898310fde767fbb8ba01b2c6bac7ed9c1715c5865ab511744e0a00735297c99682447ebfaf13c1414f1334ab7

Download Submit
C:\Windows\System32\waitfor.exe

Filesize
353KB

MD5
95f4373bccb48dfa72ff7ad6cf7d1f3a

SHA1
1c636acd31b1720b37d5f73dec82d09af6267ded

SHA256
1c1079ef20306d482b6e68c48667abc925b66719829d9ab8ae44200d410eb159

SHA512
dc74f9b48ffe55da777fae793b71763f1fd4de35c64d150f45238a5860a1e30c6b86d64cb6d5cc8c0e190e733dd020b3ab87473c8375907f1817298a9a65df32

Download Submit
C:\Windows\System32\waitfor.exe

Filesize
353KB

MD5
95f4373bccb48dfa72ff7ad6cf7d1f3a

SHA1
1c636acd31b1720b37d5f73dec82d09af6267ded

SHA256
1c1079ef20306d482b6e68c48667abc925b66719829d9ab8ae44200d410eb159

SHA512
dc74f9b48ffe55da777fae793b71763f1fd4de35c64d150f45238a5860a1e30c6b86d64cb6d5cc8c0e190e733dd020b3ab87473c8375907f1817298a9a65df32

Download Submit
C:\Windows\System32\waitfor.exe

Filesize
353KB

MD5
24bcae09173939dc0a32ae79f03d8f09

SHA1
7734dbf08bf6bcb21a40b865b25a949a9878a4c5

SHA256
c2b45ad3bd3edbf6c86da975a88f9226854597a149a3c46cba38fa56b7d8b4e6

SHA512
8dae5696516f7bb699f8e56916769e105bf63df87d8d7d7ab7bd96a58e65f4878002fb27fa21ed5ea0a0c7e2d34267bc4376883a21802fbec878a94508807bcb

Download Submit
C:\Windows\System32\waitfor.exe

Filesize
320KB

MD5
f333c8d25bb7017ff2332810139f2f5b

SHA1
bda7c505d7f66b36ee770d21f2c32d887c93f94e

SHA256
a0d8e004ae5987e8226bd0fa8c296692f37a5a738a17d008bf4e5813fb65552d

SHA512
4b7d70a444a8b8b1b3298640c8d352301c4adb64094f710fa24d3b1d1f0f5910439267449697ab64aee7c3faa075f2c7025f5f4e532903a2fd53186ece934296

Download Submit
C:\Windows\System32\waitfor.exe

Filesize
353KB

MD5
8e75cc0e19a3205c14d327b9f2a6b8af

SHA1
44b7f3731e5add81859d5481f0e81615f2716f46

SHA256
c56c7b2c247e9a61d69c9b85fea312bb873d5f43a6291be27d07e25132b2ec2f

SHA512
b261889fc4aeffcf8e069cbf7b7247efc9a410e98075bc198560137729f1a416f3c477b0b1bdfbe886594ed4d3632eb3811ad78f4076a0ea131c3c20d62ce2ec

Download Submit
C:\Windows\System32\waitfor.exe

Filesize
353KB

MD5
f61ca23634112071b7917c07720081d0

SHA1
c463cad2829350ccbaa3b08421705739f26391dd

SHA256
678b5476f24e0b826ff4bc583cd6d29f2d5138fcd7f5cf703701933b247cceb1

SHA512
a895b8554b5dcf38f1674c120651271d6a5a5b4c50d245117a4eb71398418a741da864336a4627dfc9ce7e9d9a02abf20c6b75bc0857442fa1e4461e45b59dd5

Download Submit
C:\Windows\System32\waitfor.exe

Filesize
353KB

MD5
1980f141e0cfd00f91f1bc3bd43b8b6a

SHA1
769d5e184dbc99a8f7fb9b1fc9338574f7582be6

SHA256
ca59582264089de0b1a8f203fe2353c01d09ba81b349cc61c1a151680e3f0074

SHA512
0e440dd8300c805bbd798ba5c2ddac5c6bbde7c567378d1ee43e6aca56421ef8264a58d84127fc8dc5e553cd52a39cb9e169a2f8647ed047bb50de990c7ff1e8

Download Submit
C:\Windows\System32\waitfor.exe

Filesize
353KB

MD5
842c2dd41a09e90ec052796950aad1fb

SHA1
7901ba095241b008ca64000062929428babd97e8

SHA256
6e27f4dd076e280b3082cc8300bb6007a23d8e5bc05d9197d73e99a5b2bf6e66

SHA512
3bb6e9f8ebed1179469277013010a7ef5a8378ead8c4ceb470f8b4b84fc72059ba1ac30845f88cc66ff7a7e2df5be1cdce83ff29a28b279b4f9997fa41e5510c

Download Submit
C:\Windows\System32\waitfor.exe

Filesize
353KB

MD5
163331f82efdf08b76519302cb797118

SHA1
0af17bf17b0a61b9a227db88667c0ebea03e645f

SHA256
0a20fb14b236b9c82b95d33f5cbaf17206ff4eae1239284dc7cacf31873e017f

SHA512
2e96358970ae0a73c8f3dd46282f9aee63ac0bec8117cdfb8e25529d7a55f37b5f665baca395562bf9071cb4745510f2cf7ee3ba8ea12d35b2f1230de65677ac

Download Submit
C:\Windows\System32\waitfor.exe

Filesize
353KB

MD5
9d102dacf275474c271af1fdef826a3e

SHA1
68a825c0dd32889442e3d14a051a8143085aa760

SHA256
829900980af2e98d1a167a39e58ad74a173d534886d4bd946e04c2bc707ad5e0

SHA512
d5893b2f5de7b062392a84d27d8761ad92bd7c5566876b569c4ad85ef092cda5daadac12d368ec8339e6e125021b5fb3b962219c94ccc62143745442ccd99236

Download Submit
C:\Windows\System32\waitfor.exe

Filesize
353KB

MD5
500983b0c3b7e0e6ab2f1458f95bb89d

SHA1
4be40b320a6bdd8fd8f9864b8662e88c2357dc76

SHA256
a5bfdda2c11bffedb757eed8177ac028953784b691670a7e0ca9f16fe7696d8b

SHA512
1ff09e98de815ae6f9df68d409466142cccd84bf87e657196e23306fa84c9fbe1701fdc3624f485145b41eddb9cd67da4b17fed40cefbfdb3d42c690b3591349

Download Submit
C:\Windows\System32\waitfor.exe

Filesize
353KB

MD5
545db2850652bd3a55d63ee72e4766ea

SHA1
13219506e7da4ee94f316dcc9a1729da1c5700f6

SHA256
bfb59a2ef7d3228f2d0a54cdc0ade362fdf14b636d6d28d2276702a72ecdfd1b

SHA512
23800d14582eb1f6112bc76ec6de9777c50ed95eda53b40019f5c0507ee642eeeba40ed97b69217363f54e3c5eb8a4c31d03be18c32f9d6dde947f277a07612c

Download Submit
C:\Windows\System32\waitfor.exe

Filesize
353KB

MD5
a6984110ea0f6513787fc1475edd8906

SHA1
feba8619568f600e340beb8e3b90e58f675c7f8b

SHA256
5edc8e15fb5b38bea1b9ff7a67aa0ee6681de481045fa1d84dcab868a3d3b45e

SHA512
928eaade26cde1bf1f7de35db375ee9e820af085e03b8eaabcd7e621ab08fddb4913e0fcac2161fef2c587b028f18b37b237e83023225c2e44d9f9bf0735d230

Download Submit
C:\Windows\System32\waitfor.exe

Filesize
353KB

MD5
2c4630a1b0f5a5cf5cbbb4ef6334cce3

SHA1
83c69739a151651b0488eab80025d0b410146d8a

SHA256
d9fba7d504c16a5f1e916f48eb95474ece1bf75a4dda6970a2f29ea5ad8a72f3

SHA512
97f6697b11444840bd1de04ca0f9065e9711b077a87263341c7a678635b5292e4515cc29828c0007d33903e2e606145a45f1a4ccb31e54fe06e2bb09567d2307

Download Submit
C:\Windows\System32\waitfor.exe

Filesize
353KB

MD5
155bbe3b61e51c412548986094fd4307

SHA1
0776786c14f98a1b18b84fd1a6d4ead926be4abb

SHA256
298cbfe4325828c67de61f1570e401038712330028bf004b107d261484849fe0

SHA512
54ead9876a24f37ecb45e2d8c7d8cb80217d7e54ac9c882bb148b71f5c53f4f9daeac1307cc048b087592d8ba7855d9e5c498f65c94295a2da5aef1c52e227ba

Download Submit
C:\Windows\System32\waitfor.exe

Filesize
353KB

MD5
d0d3a5b0f66e2e61268bf00ed0a1eebb

SHA1
ccc7d8bb9219510e543afc24223f57a3ed719c97

SHA256
fe38d8722e820cfa0fdc16a04a8467a0fe7425b512c9ba3452696c467b4243fb

SHA512
ee6dd84e180e14fe97ecaf430e8d142c9b1c5c50c9d713998ef911c31412c27b5e29d30d7ce3220e1ae25ab9e3417169cc51d77310bfb78b132f3a3fece783c5

Download Submit
C:\Windows\System32\waitfor.exe

Filesize
353KB

MD5
8ef38c593f327b4fc4d9d41ea57ad3d2

SHA1
923f83ea68cec9bfce0fcb05927792878c45295b

SHA256
f5ba2c595bd4eaaccf8088d5c29f567561d0e165dfefddb611e58d4b46bd592a

SHA512
ec74749f1498b7038398a5ce9a64d6c321e3cace1f1ef763d6c467da30930202b2a5f5104c03661a260d7973e477e0a9d934920fa4aa6f735ebc64c963e2e883

Download Submit
C:\Windows\System32\waitfor.exe

Filesize
353KB

MD5
b79b4296df7e7220851b93098d86185b

SHA1
c83c4245ae9b79270212f04ec2d8aab5b7aa218a

SHA256
56535b754c534429cbdf82afc4ceba6215a4ab5a6d1a58e0adac39182c892bcc

SHA512
58d1102252298de5f4426eb4bf41fae255d0e386f32b10fb8db5fecaf56751069a64662f35c7ae7e66f54e6a4932721c48a2671655910161fa96486a4890bdd9

Download Submit
C:\Windows\System32\waitfor.exe

Filesize
353KB

MD5
d77dc4baf754750a45e37b490777c63c

SHA1
92add29a31d1139d58d09c2adeb12f348b5657c4

SHA256
6cb906d8e997b7c3781eb30f29e08873688486cb7931c3a8c029a2ac58faddda

SHA512
e6f3b7c1c87f31ec6676f15537eb45cad3dc49dde3f40e420dcf68d2d547ee58574b78a418e845bdb040092ad8d1c8407154e48d8222e81d29177dc96516761d

Download Submit
C:\Windows\System32\waitfor.exe

Filesize
353KB

MD5
cf8f42f8e7955ff3871db246f579888b

SHA1
05aa311fa7f1549ed5c5bb57c0301d6a471b1497

SHA256
9f815f84834ed2fb3a5f024449e6421a40f7b30f52faada734e95d1df4274ddb

SHA512
75a438fbad6c227fe4f81380941ffe494d865b7c55423a8d42d2993db76b63a2a9ca1828371d531a0273b1563d374839f4403c831d5f16280f0314a4dc4dda55

Download Submit
C:\Windows\System32\waitfor.exe

Filesize
192KB

MD5
a662e1010fe4ea3e5a900b331f318c7d

SHA1
759b586ab77425d338d6598a0ce5744ab91d671d

SHA256
c6c65b5d5084b21a6b2b311cf65855f22ff26f84a6734491a5895f499ce834ed

SHA512
d72266152241bf7db076367d2c5b7191278acc8bc1c5e1fe8dc671bf1dcc6c5920f4d4854a37572dfbbf35a7c397aa05add364e95e803833f2044fe52949c3ed

Download Submit
C:\Windows\System32\waitfor.exe

Filesize
353KB

MD5
a3316123994a260ace297aa527e98900

SHA1
f6b7aa4c893adf632f499e3794394ca06d0018b0

SHA256
11ec486ac6c68f3d665c778253e5479cb4140287df962f0fe5954e4e33820492

SHA512
8d1f5ac5111ddd5b402a29d7964f6bdbaf95f2d73aa90e8ea68c2490331fa44d8a2881dbbc8deaaa56802b01d15a647d3174357771eaf9e990b327fe01f9b2bf

Download Submit
C:\Windows\System32\waitfor.exe

Filesize
353KB

MD5
00feffa6485b1acdfa1114cfa3436b1e

SHA1
9cb395828fab94c4d237bf77d336730bc5d591d8

SHA256
1a7d3e79706cb28d93e8c7d58aba485598454f7a1e05776feb78859b2b04434c

SHA512
a40915c9fed7709b3110f215481932348e112e41ccfb50b465960e66efac8c7a6e483b2f0f876f14c0d179bfeb35638bd1582afa624641b2f6a4bede5a84ad17

Download Submit
C:\Windows\System32\waitfor.exe

Filesize
353KB

MD5
adb68b1c2dbb234a5280695379c2099f

SHA1
f70523803d2ce77e5dc08b34602183acc026c120

SHA256
33d68ed17b36a7c89c56940d06f1b3550fe6ea89b6b8541a2936de41dc42a80b

SHA512
0cb67b0decaf23eb43eaf022f40b1deec677ca3401caf0cf5318b61a2768b3df5281b1bcbeb1e579669236ac12b6e50dbdefba5583363bd467c647c41f7b40db

Download Submit
C:\Windows\System32\waitfor.exe

Filesize
354KB

MD5
d2d4940fc6a1674412ba866c32d6cd2b

SHA1
2c557cba5e74a6121192396c0467897f12382556

SHA256
891e83ec966f7e83c41f2a5f9a0aeabf8dc21722f730c04b88984bcdfd3d76b8

SHA512
185b2265788684668378f4b8579c9d8bdbd0dc31e213d87d63a9b6cb7d6965a5f61dbab176b5604df2d001c1cc5b918d5581a023128a31bd8f54261ac9fc010c

Download Submit
C:\Windows\System32\waitfor.exe

Filesize
354KB

MD5
d2d4940fc6a1674412ba866c32d6cd2b

SHA1
2c557cba5e74a6121192396c0467897f12382556

SHA256
891e83ec966f7e83c41f2a5f9a0aeabf8dc21722f730c04b88984bcdfd3d76b8

SHA512
185b2265788684668378f4b8579c9d8bdbd0dc31e213d87d63a9b6cb7d6965a5f61dbab176b5604df2d001c1cc5b918d5581a023128a31bd8f54261ac9fc010c

Download Submit
C:\Windows\System32\waitfor.exe

Filesize
354KB

MD5
4f0f879e0acdfa963eda7083125d3c1f

SHA1
a4323fee61491883b9146e52ece66f389e480e61

SHA256
ced2b2ed24357f0da35be81e70e73f8edb291a28fe2f6b8d107c20aa01c47cee

SHA512
54927261fbbfc0ac1d9961742b3add43e96d322359d01cfc6c14449f104491d344c6cfe54f4c3a2d8fd876f4366daf1682ab8f909bad975b095dab5754a7c36d

Download Submit
C:\Windows\System32\waitfor.exe

Filesize
354KB

MD5
24ed5dce1af0f889a6b082b504244207

SHA1
8ceb6882d777565682de781a30f18ff25bec5aec

SHA256
a21e95eca8e3db4194c472e0bce6d07b518259a0ba7f23fa695f31f46fabe055

SHA512
9770b99e6a5bb1fab7d36925933c81d3c02529dbb48ea1c7b428b28201672f6fce3659797f3eb2ba9406dcf0a85abeafae5e69ce38dcd6903c22953b46240f24

Download Submit
C:\Windows\System32\waitfor.exe

Filesize
354KB

MD5
3767f942c2670bd690b308dc0743323b

SHA1
69bb233a6e733ff021a8fdcd43761825fca83e6d

SHA256
4c872e97b93d29fde3da9615bd23258a96f14c1e28300c93375f73799fa5411b

SHA512
5568b1dcf9a163752118335f2fb546ab3f4be996a907787d06569187dde7e59b719dc6bf321c0d24348821580ce5668c7858017ebc58d495f9143e0819dbf1fd

Download Submit
C:\Windows\System32\waitfor.exe

Filesize
354KB

MD5
a47abf2b0004ee17184cca6bd1f4264b

SHA1
5800f1a195b92041c8d88a92623bff943d56cfff

SHA256
f545ea83caeabd3079bf3d6d545e8f6b799a40d9ac5dc2c1a468b0af2135c9e6

SHA512
7e7e252a844807987329b2f5f3a67590f728bfca2abef98e5b147163f199f559c33cbb26da7409e53be382a7fd576ff081ff0c909b8fe8794f460ecd492ed0a1

Download Submit
C:\Windows\System32\waitfor.exe

Filesize
354KB

MD5
a47abf2b0004ee17184cca6bd1f4264b

SHA1
5800f1a195b92041c8d88a92623bff943d56cfff

SHA256
f545ea83caeabd3079bf3d6d545e8f6b799a40d9ac5dc2c1a468b0af2135c9e6

SHA512
7e7e252a844807987329b2f5f3a67590f728bfca2abef98e5b147163f199f559c33cbb26da7409e53be382a7fd576ff081ff0c909b8fe8794f460ecd492ed0a1

Download Submit
C:\Windows\System32\waitfor.exe

Filesize
354KB

MD5
55449d04b67a34f22955232f1af5f848

SHA1
8cfb39d0c66298fa00ee2001fb7638d0ab255c51

SHA256
56863da06fb66469e1460d8c622af9d280ae987eab9e97a21f15de1a1f5f420c

SHA512
cf18161c885392eb940eda03c8e9c21b33ceea093f500abe09e7ac9c03ce19c4fdc05a203530ae4973889abd64247229a9658fd7bfa4b223f73f0e3897da7ae2

Download Submit
C:\Windows\System32\waitfor.exe

Filesize
354KB

MD5
e6d988111ceb67859323e92443eed21a

SHA1
aaaca3660f6c12230d180b20399c783349e10a06

SHA256
99f083a418eb512bd187b9faaf6dd5ae9f1fcc4f6453965ffe0a80ac24809d76

SHA512
2de3c59715a02e06c39e42544805895e6e9f724363b7dbf96ecb3182e15b38304886051777236d6f4c9a4e5fc473a5d7172d8e43a02a9ec38d093754d7e735d8

Download Submit
C:\Windows\System32\waitfor.exe

Filesize
354KB

MD5
2e2b3d96120017b4ae69e528a9216ca7

SHA1
fa0a8e0551476bdaaa85081d9014f2fc493c374b

SHA256
0226594ac05774f92bc05bd9e39142cbeb368128b9d1c901680b93c786e35702

SHA512
0605536afe6ff5e3a28bd5cedc12b5b17a206d3dc91499436dbfafd109a6dd582e766eaf5298426f4a90bd1e1871f87d532159183bf390999dd017de4bc1fc2f

Download Submit
C:\Windows\System32\waitfor.exe

Filesize
354KB

MD5
c044ad5860179a756416b19748fc5a75

SHA1
68ac103af8236aa2d6ad41fe640857af210f59d0

SHA256
cecdb13600ea8380e326051083653f5ab2aab67d49884669717b6bc9e5ad957b

SHA512
ddf6ecaa4f84162519709597b21678e39c00606140da674dc13f6307410196b32e112566aab73dec3f2bed7fd1ff21fae150268a5e3f782909f8b7ac873b99a3

Download Submit
C:\Windows\System32\waitfor.exe

Filesize
354KB

MD5
2e2b3d96120017b4ae69e528a9216ca7

SHA1
fa0a8e0551476bdaaa85081d9014f2fc493c374b

SHA256
0226594ac05774f92bc05bd9e39142cbeb368128b9d1c901680b93c786e35702

SHA512
0605536afe6ff5e3a28bd5cedc12b5b17a206d3dc91499436dbfafd109a6dd582e766eaf5298426f4a90bd1e1871f87d532159183bf390999dd017de4bc1fc2f

Download Submit
C:\Windows\System32\waitfor.exe

Filesize
354KB

MD5
2e2b3d96120017b4ae69e528a9216ca7

SHA1
fa0a8e0551476bdaaa85081d9014f2fc493c374b

SHA256
0226594ac05774f92bc05bd9e39142cbeb368128b9d1c901680b93c786e35702

SHA512
0605536afe6ff5e3a28bd5cedc12b5b17a206d3dc91499436dbfafd109a6dd582e766eaf5298426f4a90bd1e1871f87d532159183bf390999dd017de4bc1fc2f

Download Submit
memory/2548-0-0x000007FEF5820000-0x000007FEF620C000-memory.dmp

Filesize
9.9MB

Download
memory/2548-1-0x0000000000C00000-0x0000000000C28000-memory.dmp

Filesize
160KB

Download
memory/2548-2-0x000007FEF5820000-0x000007FEF620C000-memory.dmp

Filesize
9.9MB

Download
memory/2548-3-0x000000001B860000-0x000000001B8E0000-memory.dmp

Filesize
512KB

Download
memory/2548-4-0x000000001B860000-0x000000001B8E0000-memory.dmp

Filesize
512KB

Download
memory/2548-3543-0x000007FEF5820000-0x000007FEF620C000-memory.dmp

Filesize
9.9MB

Download