bf47a9013b280af8b576de1276c15f0f25f82c5af0076d6ff758ec3c7690cb5d

Analysis

max time kernel
138s
max time network
127s
platform
windows7_x64
resource
win7-20230831-en
resource tags

arch:x64arch:x86image:win7-20230831-enlocale:en-usos:windows7-x64system
submitted
14-10-2023 18:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

NEAS.aa2353c29dd63a1f7b873929baff9690.exe
Size

441KB
MD5

aa2353c29dd63a1f7b873929baff9690
SHA1

28e69e15df7f0a03cc91222f0377449d50131a72
SHA256

bf47a9013b280af8b576de1276c15f0f25f82c5af0076d6ff758ec3c7690cb5d
SHA512

c9997c5428e4938611740a72d2343f9398f89976297c9fcc4e506c76a429d35064b9a8feab3fdc188547caac84e17bad55df86755019e1df1253be41feda057b
SSDEEP

6144:/pW2bgbbV28okoS1oWMkdlZQ5iioc+nBkl7x87t6Qq3AClQZy:/pW2IoioS6D/OZy

Score

10^/10

discovery evasion exploit persistence trojan

Malware Config

Signatures

UAC bypass 3 TTPs 1 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe

Disables Task Manager via registry modification
evasion

Possible privilege escalation attempt 64 IoCs

exploit

pid	Process
2724	icacls.exe
3680	takeown.exe
3848	takeown.exe
4504	takeown.exe
2492	icacls.exe
2684	takeown.exe
1096	icacls.exe
2972	takeown.exe
1492	takeown.exe
3624	icacls.exe
2752	icacls.exe
1084	takeown.exe
2924	icacls.exe
3140	takeown.exe
2948	icacls.exe
2472	icacls.exe
320	icacls.exe
3052	takeown.exe
1676	icacls.exe
1784	icacls.exe
4108	icacls.exe
1372	icacls.exe
3260	icacls.exe
2188	icacls.exe
3592	icacls.exe
4748	icacls.exe
2328	icacls.exe
3752	takeown.exe
2664	icacls.exe
2844	icacls.exe
2712	takeown.exe
2276	icacls.exe
908	icacls.exe
4132	takeown.exe
2896	icacls.exe
3904	takeown.exe
2940	takeown.exe
4164	icacls.exe
4576	takeown.exe
1716	takeown.exe
1404	takeown.exe
3896	icacls.exe
4520	takeown.exe
2960	takeown.exe
4596	icacls.exe
4700	icacls.exe
3364	takeown.exe
1628	takeown.exe
2876	takeown.exe
984	takeown.exe
1068	takeown.exe
2520	icacls.exe
2284	icacls.exe
1820	takeown.exe
4628	icacls.exe
1660	icacls.exe
2148	icacls.exe
2028	icacls.exe
3172	icacls.exe
4316	icacls.exe
1976	takeown.exe
2856	icacls.exe
4716	icacls.exe
324	icacls.exe

Modifies file permissions 1 TTPs 64 IoCs

discovery

File and Directory Permissions Modification

T1222

pid	Process
4432	icacls.exe
4628	icacls.exe
1716	takeown.exe
2492	icacls.exe
2184	takeown.exe
4380	icacls.exe
1828	icacls.exe
1232	icacls.exe
2152	takeown.exe
3340	takeown.exe
2892	takeown.exe
2576	icacls.exe
4252	takeown.exe
4512	icacls.exe
1660	icacls.exe
1392	takeown.exe
784	icacls.exe
3784	takeown.exe
2808	takeown.exe
1992	takeown.exe
1300	takeown.exe
3928	icacls.exe
2940	takeown.exe
4268	icacls.exe
1096	icacls.exe
3752	takeown.exe
3848	takeown.exe
2528	takeown.exe
2924	icacls.exe
4220	takeown.exe
1976	takeown.exe
1364	icacls.exe
1420	takeown.exe
744	icacls.exe
1048	icacls.exe
2760	icacls.exe
4504	takeown.exe
2472	icacls.exe
688	takeown.exe
3616	takeown.exe
3776	icacls.exe
1676	icacls.exe
3276	takeown.exe
1980	icacls.exe
1176	takeown.exe
1244	takeown.exe
2132	icacls.exe
2960	takeown.exe
872	icacls.exe
2280	takeown.exe
4412	icacls.exe
2724	icacls.exe
3140	takeown.exe
3184	takeown.exe
4748	icacls.exe
888	takeown.exe
1084	takeown.exe
2712	takeown.exe
2516	icacls.exe
2700	takeown.exe
1580	icacls.exe
4108	icacls.exe
4700	icacls.exe
2328	icacls.exe

Modifies system executable filetype association 2 TTPs 1 IoCs

persistence

Modify Registry

T1112

Change Default File Association

T1546.001

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\NEAS.aa2353c29dd63a1f7b873929baff9690.exe BATCF %1"	NEAS.aa2353c29dd63a1f7b873929baff9690.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\tabcal.exe	NEAS.aa2353c29dd63a1f7b873929baff9690.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 13 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\xmlfile\shell\open\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\NEAS.aa2353c29dd63a1f7b873929baff9690.exe NTPAD %1"	NEAS.aa2353c29dd63a1f7b873929baff9690.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\open\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\NEAS.aa2353c29dd63a1f7b873929baff9690.exe NTPAD %1"	NEAS.aa2353c29dd63a1f7b873929baff9690.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\icofile\shell\open\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\NEAS.aa2353c29dd63a1f7b873929baff9690.exe JPGIF %1"	NEAS.aa2353c29dd63a1f7b873929baff9690.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\NEAS.aa2353c29dd63a1f7b873929baff9690.exe NTPAD %1"	NEAS.aa2353c29dd63a1f7b873929baff9690.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\cmdfile\shell\open\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\NEAS.aa2353c29dd63a1f7b873929baff9690.exe CMDSF %1"	NEAS.aa2353c29dd63a1f7b873929baff9690.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\open\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\NEAS.aa2353c29dd63a1f7b873929baff9690.exe HTMWF %1"	NEAS.aa2353c29dd63a1f7b873929baff9690.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\inifile\shell\open\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\NEAS.aa2353c29dd63a1f7b873929baff9690.exe NTPAD %1"	NEAS.aa2353c29dd63a1f7b873929baff9690.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\pngfile\shell\open\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\NEAS.aa2353c29dd63a1f7b873929baff9690.exe JPGIF %1"	NEAS.aa2353c29dd63a1f7b873929baff9690.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\NEAS.aa2353c29dd63a1f7b873929baff9690.exe VBSSF %1"	NEAS.aa2353c29dd63a1f7b873929baff9690.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\rtffile\shell\open\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\NEAS.aa2353c29dd63a1f7b873929baff9690.exe RTFDF %1"	NEAS.aa2353c29dd63a1f7b873929baff9690.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\NEAS.aa2353c29dd63a1f7b873929baff9690.exe BATCF %1"	NEAS.aa2353c29dd63a1f7b873929baff9690.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\jpegfile\shell\open\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\NEAS.aa2353c29dd63a1f7b873929baff9690.exe JPGIF %1"	NEAS.aa2353c29dd63a1f7b873929baff9690.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\giffile\shell\Open\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\NEAS.aa2353c29dd63a1f7b873929baff9690.exe JPGIF %1"	NEAS.aa2353c29dd63a1f7b873929baff9690.exe

Modifies registry key 1 TTPs 2 IoCs

Modify Registry

T1112

pid	Process
2996	reg.exe
3012	reg.exe

Suspicious behavior: EnumeratesProcesses 21 IoCs

pid	Process
2220	NEAS.aa2353c29dd63a1f7b873929baff9690.exe
2220	NEAS.aa2353c29dd63a1f7b873929baff9690.exe
2220	NEAS.aa2353c29dd63a1f7b873929baff9690.exe
2220	NEAS.aa2353c29dd63a1f7b873929baff9690.exe
2220	NEAS.aa2353c29dd63a1f7b873929baff9690.exe
2220	NEAS.aa2353c29dd63a1f7b873929baff9690.exe
2220	NEAS.aa2353c29dd63a1f7b873929baff9690.exe
2220	NEAS.aa2353c29dd63a1f7b873929baff9690.exe
2220	NEAS.aa2353c29dd63a1f7b873929baff9690.exe
2220	NEAS.aa2353c29dd63a1f7b873929baff9690.exe
2220	NEAS.aa2353c29dd63a1f7b873929baff9690.exe
2220	NEAS.aa2353c29dd63a1f7b873929baff9690.exe
2220	NEAS.aa2353c29dd63a1f7b873929baff9690.exe
2220	NEAS.aa2353c29dd63a1f7b873929baff9690.exe
2220	NEAS.aa2353c29dd63a1f7b873929baff9690.exe
2220	NEAS.aa2353c29dd63a1f7b873929baff9690.exe
2220	NEAS.aa2353c29dd63a1f7b873929baff9690.exe
2220	NEAS.aa2353c29dd63a1f7b873929baff9690.exe
2220	NEAS.aa2353c29dd63a1f7b873929baff9690.exe
2220	NEAS.aa2353c29dd63a1f7b873929baff9690.exe
2220	NEAS.aa2353c29dd63a1f7b873929baff9690.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2220	NEAS.aa2353c29dd63a1f7b873929baff9690.exe

Suspicious use of AdjustPrivilegeToken 22 IoCs

description	pid	Process
Token: SeDebugPrivilege	2220	NEAS.aa2353c29dd63a1f7b873929baff9690.exe
Token: SeTakeOwnershipPrivilege	2808	takeown.exe
Token: SeTakeOwnershipPrivilege	1996	takeown.exe
Token: SeTakeOwnershipPrivilege	2836	takeown.exe
Token: SeTakeOwnershipPrivilege	1428	takeown.exe
Token: SeTakeOwnershipPrivilege	1244	takeown.exe
Token: SeTakeOwnershipPrivilege	2908	takeown.exe
Token: SeTakeOwnershipPrivilege	1716	takeown.exe
Token: SeTakeOwnershipPrivilege	796	takeown.exe
Token: SeTakeOwnershipPrivilege	1708	takeown.exe
Token: SeTakeOwnershipPrivilege	1772	takeown.exe
Token: SeTakeOwnershipPrivilege	2972	takeown.exe
Token: SeTakeOwnershipPrivilege	1392	takeown.exe
Token: SeTakeOwnershipPrivilege	1456	takeown.exe
Token: SeTakeOwnershipPrivilege	2332	takeown.exe
Token: SeTakeOwnershipPrivilege	1976	takeown.exe
Token: SeTakeOwnershipPrivilege	580	takeown.exe
Token: SeTakeOwnershipPrivilege	1748	takeown.exe
Token: SeTakeOwnershipPrivilege	1156	takeown.exe
Token: SeTakeOwnershipPrivilege	2700	takeown.exe
Token: SeTakeOwnershipPrivilege	2960	takeown.exe
Token: SeTakeOwnershipPrivilege	2992	takeown.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2220 wrote to memory of 2996	2220	NEAS.aa2353c29dd63a1f7b873929baff9690.exe	28
PID 2220 wrote to memory of 2996	2220	NEAS.aa2353c29dd63a1f7b873929baff9690.exe	28
PID 2220 wrote to memory of 2996	2220	NEAS.aa2353c29dd63a1f7b873929baff9690.exe	28
PID 2220 wrote to memory of 3012	2220	NEAS.aa2353c29dd63a1f7b873929baff9690.exe	29
PID 2220 wrote to memory of 3012	2220	NEAS.aa2353c29dd63a1f7b873929baff9690.exe	29
PID 2220 wrote to memory of 3012	2220	NEAS.aa2353c29dd63a1f7b873929baff9690.exe	29
PID 2220 wrote to memory of 2808	2220	NEAS.aa2353c29dd63a1f7b873929baff9690.exe	34
PID 2220 wrote to memory of 2808	2220	NEAS.aa2353c29dd63a1f7b873929baff9690.exe	34
PID 2220 wrote to memory of 2808	2220	NEAS.aa2353c29dd63a1f7b873929baff9690.exe	34
PID 2220 wrote to memory of 2844	2220	NEAS.aa2353c29dd63a1f7b873929baff9690.exe	36
PID 2220 wrote to memory of 2844	2220	NEAS.aa2353c29dd63a1f7b873929baff9690.exe	36
PID 2220 wrote to memory of 2844	2220	NEAS.aa2353c29dd63a1f7b873929baff9690.exe	36
PID 2220 wrote to memory of 2836	2220	NEAS.aa2353c29dd63a1f7b873929baff9690.exe	39
PID 2220 wrote to memory of 2836	2220	NEAS.aa2353c29dd63a1f7b873929baff9690.exe	39
PID 2220 wrote to memory of 2836	2220	NEAS.aa2353c29dd63a1f7b873929baff9690.exe	39
PID 2220 wrote to memory of 324	2220	NEAS.aa2353c29dd63a1f7b873929baff9690.exe	38
PID 2220 wrote to memory of 324	2220	NEAS.aa2353c29dd63a1f7b873929baff9690.exe	38
PID 2220 wrote to memory of 324	2220	NEAS.aa2353c29dd63a1f7b873929baff9690.exe	38
PID 2220 wrote to memory of 2908	2220	NEAS.aa2353c29dd63a1f7b873929baff9690.exe	40
PID 2220 wrote to memory of 2908	2220	NEAS.aa2353c29dd63a1f7b873929baff9690.exe	40
PID 2220 wrote to memory of 2908	2220	NEAS.aa2353c29dd63a1f7b873929baff9690.exe	40
PID 2220 wrote to memory of 2896	2220	NEAS.aa2353c29dd63a1f7b873929baff9690.exe	42
PID 2220 wrote to memory of 2896	2220	NEAS.aa2353c29dd63a1f7b873929baff9690.exe	42
PID 2220 wrote to memory of 2896	2220	NEAS.aa2353c29dd63a1f7b873929baff9690.exe	42
PID 2220 wrote to memory of 796	2220	NEAS.aa2353c29dd63a1f7b873929baff9690.exe	44
PID 2220 wrote to memory of 796	2220	NEAS.aa2353c29dd63a1f7b873929baff9690.exe	44
PID 2220 wrote to memory of 796	2220	NEAS.aa2353c29dd63a1f7b873929baff9690.exe	44
PID 2220 wrote to memory of 1364	2220	NEAS.aa2353c29dd63a1f7b873929baff9690.exe	81
PID 2220 wrote to memory of 1364	2220	NEAS.aa2353c29dd63a1f7b873929baff9690.exe	81
PID 2220 wrote to memory of 1364	2220	NEAS.aa2353c29dd63a1f7b873929baff9690.exe	81
PID 2220 wrote to memory of 1456	2220	NEAS.aa2353c29dd63a1f7b873929baff9690.exe	80
PID 2220 wrote to memory of 1456	2220	NEAS.aa2353c29dd63a1f7b873929baff9690.exe	80
PID 2220 wrote to memory of 1456	2220	NEAS.aa2353c29dd63a1f7b873929baff9690.exe	80
PID 2220 wrote to memory of 1460	2220	NEAS.aa2353c29dd63a1f7b873929baff9690.exe	79
PID 2220 wrote to memory of 1460	2220	NEAS.aa2353c29dd63a1f7b873929baff9690.exe	79
PID 2220 wrote to memory of 1460	2220	NEAS.aa2353c29dd63a1f7b873929baff9690.exe	79
PID 2220 wrote to memory of 580	2220	NEAS.aa2353c29dd63a1f7b873929baff9690.exe	78
PID 2220 wrote to memory of 580	2220	NEAS.aa2353c29dd63a1f7b873929baff9690.exe	78
PID 2220 wrote to memory of 580	2220	NEAS.aa2353c29dd63a1f7b873929baff9690.exe	78
PID 2220 wrote to memory of 1236	2220	NEAS.aa2353c29dd63a1f7b873929baff9690.exe	74
PID 2220 wrote to memory of 1236	2220	NEAS.aa2353c29dd63a1f7b873929baff9690.exe	74
PID 2220 wrote to memory of 1236	2220	NEAS.aa2353c29dd63a1f7b873929baff9690.exe	74
PID 2220 wrote to memory of 1428	2220	NEAS.aa2353c29dd63a1f7b873929baff9690.exe	73
PID 2220 wrote to memory of 1428	2220	NEAS.aa2353c29dd63a1f7b873929baff9690.exe	73
PID 2220 wrote to memory of 1428	2220	NEAS.aa2353c29dd63a1f7b873929baff9690.exe	73
PID 2220 wrote to memory of 1368	2220	NEAS.aa2353c29dd63a1f7b873929baff9690.exe	72
PID 2220 wrote to memory of 1368	2220	NEAS.aa2353c29dd63a1f7b873929baff9690.exe	72
PID 2220 wrote to memory of 1368	2220	NEAS.aa2353c29dd63a1f7b873929baff9690.exe	72
PID 2220 wrote to memory of 1392	2220	NEAS.aa2353c29dd63a1f7b873929baff9690.exe	71
PID 2220 wrote to memory of 1392	2220	NEAS.aa2353c29dd63a1f7b873929baff9690.exe	71
PID 2220 wrote to memory of 1392	2220	NEAS.aa2353c29dd63a1f7b873929baff9690.exe	71
PID 2220 wrote to memory of 1768	2220	NEAS.aa2353c29dd63a1f7b873929baff9690.exe	70
PID 2220 wrote to memory of 1768	2220	NEAS.aa2353c29dd63a1f7b873929baff9690.exe	70
PID 2220 wrote to memory of 1768	2220	NEAS.aa2353c29dd63a1f7b873929baff9690.exe	70
PID 2220 wrote to memory of 1996	2220	NEAS.aa2353c29dd63a1f7b873929baff9690.exe	69
PID 2220 wrote to memory of 1996	2220	NEAS.aa2353c29dd63a1f7b873929baff9690.exe	69
PID 2220 wrote to memory of 1996	2220	NEAS.aa2353c29dd63a1f7b873929baff9690.exe	69
PID 2220 wrote to memory of 1900	2220	NEAS.aa2353c29dd63a1f7b873929baff9690.exe	68
PID 2220 wrote to memory of 1900	2220	NEAS.aa2353c29dd63a1f7b873929baff9690.exe	68
PID 2220 wrote to memory of 1900	2220	NEAS.aa2353c29dd63a1f7b873929baff9690.exe	68
PID 2220 wrote to memory of 1772	2220	NEAS.aa2353c29dd63a1f7b873929baff9690.exe	67
PID 2220 wrote to memory of 1772	2220	NEAS.aa2353c29dd63a1f7b873929baff9690.exe	67
PID 2220 wrote to memory of 1772	2220	NEAS.aa2353c29dd63a1f7b873929baff9690.exe	67
PID 2220 wrote to memory of 1828	2220	NEAS.aa2353c29dd63a1f7b873929baff9690.exe	66

C:\Users\Admin\AppData\Local\Temp\NEAS.aa2353c29dd63a1f7b873929baff9690.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.aa2353c29dd63a1f7b873929baff9690.exe"
1⤵
- Modifies system executable filetype association
- Drops file in System32 directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2220
- C:\Windows\System32\reg.exe
  "C:\Windows\System32\reg.exe" ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
  2⤵
  - UAC bypass
  - Modifies registry key
  PID:2996
- C:\Windows\System32\reg.exe
  "C:\Windows\System32\reg.exe" add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
  2⤵
  - Modifies registry key
  PID:3012
- C:\Windows\System32\takeown.exe
  "C:\Windows\System32\takeown.exe" /S GPFFWLPI /U Admin /F "C:\Windows\bfsvc.exe"
  2⤵
  - Modifies file permissions
  - Suspicious use of AdjustPrivilegeToken
  PID:2808
- C:\Windows\System32\icacls.exe
  "C:\Windows\System32\icacls.exe" "C:\Windows\bfsvc.exe" /INHERITANCE:e /GRANT:r Admin:(F)
  2⤵
  - Possible privilege escalation attempt
  PID:2844
- C:\Windows\System32\icacls.exe
  "C:\Windows\System32\icacls.exe" "C:\Windows\HelpPane.exe" /INHERITANCE:e /GRANT:r Admin:(F)
  2⤵
  - Possible privilege escalation attempt
  PID:324
- C:\Windows\System32\takeown.exe
  "C:\Windows\System32\takeown.exe" /S GPFFWLPI /U Admin /F "C:\Windows\HelpPane.exe"
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2836
- C:\Windows\System32\takeown.exe
  "C:\Windows\System32\takeown.exe" /S GPFFWLPI /U Admin /F "C:\Windows\hh.exe"
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2908
- C:\Windows\System32\icacls.exe
  "C:\Windows\System32\icacls.exe" "C:\Windows\hh.exe" /INHERITANCE:e /GRANT:r Admin:(F)
  2⤵
  - Possible privilege escalation attempt
  PID:2896
- C:\Windows\System32\takeown.exe
  "C:\Windows\System32\takeown.exe" /S GPFFWLPI /U Admin /F "C:\Windows\splwow64.exe"
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:796
- C:\Windows\System32\takeown.exe
  "C:\Windows\System32\takeown.exe" /S GPFFWLPI /U Admin /F "C:\Windows\SysWOW64\msinfo32.exe"
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:1748
- C:\Windows\System32\icacls.exe
  "C:\Windows\System32\icacls.exe" "C:\Windows\SysWOW64\provlaunch.exe" /INHERITANCE:e /GRANT:r Admin:(F)
  2⤵
  PID:2968
- C:\Windows\System32\takeown.exe
  "C:\Windows\System32\takeown.exe" /S GPFFWLPI /U Admin /F "C:\Windows\SysWOW64\provlaunch.exe"
  2⤵
  - Modifies file permissions
  - Suspicious use of AdjustPrivilegeToken
  PID:1244
- C:\Windows\System32\icacls.exe
  "C:\Windows\System32\icacls.exe" "C:\Windows\SysWOW64\mavinject.exe" /INHERITANCE:e /GRANT:r Admin:(F)
  2⤵
  PID:2320
- C:\Windows\System32\takeown.exe
  "C:\Windows\System32\takeown.exe" /S GPFFWLPI /U Admin /F "C:\Windows\SysWOW64\mavinject.exe"
  2⤵
  - Possible privilege escalation attempt
  - Modifies file permissions
  - Suspicious use of AdjustPrivilegeToken
  PID:1976
- C:\Windows\System32\icacls.exe
  "C:\Windows\System32\icacls.exe" "C:\Windows\SysWOW64\gpscript.exe" /INHERITANCE:e /GRANT:r Admin:(F)
  2⤵
  - Possible privilege escalation attempt
  - Modifies file permissions
  PID:2328
- C:\Windows\System32\takeown.exe
  "C:\Windows\System32\takeown.exe" /S GPFFWLPI /U Admin /F "C:\Windows\SysWOW64\gpscript.exe"
  2⤵
  - Possible privilege escalation attempt
  - Modifies file permissions
  - Suspicious use of AdjustPrivilegeToken
  PID:1716
- C:\Windows\System32\icacls.exe
  "C:\Windows\System32\icacls.exe" "C:\Windows\SysWOW64\rrinstaller.exe" /INHERITANCE:e /GRANT:r Admin:(F)
  2⤵
  PID:2868
- C:\Windows\System32\takeown.exe
  "C:\Windows\System32\takeown.exe" /S GPFFWLPI /U Admin /F "C:\Windows\SysWOW64\rrinstaller.exe"
  2⤵
  - Possible privilege escalation attempt
  - Suspicious use of AdjustPrivilegeToken
  PID:2972
- C:\Windows\System32\icacls.exe
  "C:\Windows\System32\icacls.exe" "C:\Windows\SysWOW64\logagent.exe" /INHERITANCE:e /GRANT:r Admin:(F)
  2⤵
  - Possible privilege escalation attempt
  - Modifies file permissions
  PID:1660
- C:\Windows\System32\takeown.exe
  "C:\Windows\System32\takeown.exe" /S GPFFWLPI /U Admin /F "C:\Windows\SysWOW64\logagent.exe"
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2332
- C:\Windows\System32\icacls.exe
  "C:\Windows\System32\icacls.exe" "C:\Windows\SysWOW64\CameraSettingsUIHost.exe" /INHERITANCE:e /GRANT:r Admin:(F)
  2⤵
  PID:1276
- C:\Windows\System32\takeown.exe
  "C:\Windows\System32\takeown.exe" /S GPFFWLPI /U Admin /F "C:\Windows\SysWOW64\CameraSettingsUIHost.exe"
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:1708
- C:\Windows\System32\icacls.exe
  "C:\Windows\System32\icacls.exe" "C:\Windows\SysWOW64\sdchange.exe" /INHERITANCE:e /GRANT:r Admin:(F)
  2⤵
  - Modifies file permissions
  PID:1828
- C:\Windows\System32\takeown.exe
  "C:\Windows\System32\takeown.exe" /S GPFFWLPI /U Admin /F "C:\Windows\SysWOW64\sdchange.exe"
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:1772
- C:\Windows\System32\icacls.exe
  "C:\Windows\System32\icacls.exe" "C:\Windows\SysWOW64\quickassist.exe" /INHERITANCE:e /GRANT:r Admin:(F)
  2⤵
  PID:1900
- C:\Windows\System32\takeown.exe
  "C:\Windows\System32\takeown.exe" /S GPFFWLPI /U Admin /F "C:\Windows\SysWOW64\quickassist.exe"
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:1996
- C:\Windows\System32\icacls.exe
  "C:\Windows\System32\icacls.exe" "C:\Windows\SysWOW64\msra.exe" /INHERITANCE:e /GRANT:r Admin:(F)
  2⤵
  PID:1768
- C:\Windows\System32\takeown.exe
  "C:\Windows\System32\takeown.exe" /S GPFFWLPI /U Admin /F "C:\Windows\SysWOW64\msra.exe"
  2⤵
  - Modifies file permissions
  - Suspicious use of AdjustPrivilegeToken
  PID:1392
- C:\Windows\System32\icacls.exe
  "C:\Windows\System32\icacls.exe" "C:\Windows\SysWOW64\raserver.exe" /INHERITANCE:e /GRANT:r Admin:(F)
  2⤵
  PID:1368
- C:\Windows\System32\takeown.exe
  "C:\Windows\System32\takeown.exe" /S GPFFWLPI /U Admin /F "C:\Windows\SysWOW64\raserver.exe"
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:1428
- C:\Windows\System32\icacls.exe
  "C:\Windows\System32\icacls.exe" "C:\Windows\write.exe" /INHERITANCE:e /GRANT:r Admin:(F)
  2⤵
  PID:1236
- C:\Windows\System32\takeown.exe
  "C:\Windows\System32\takeown.exe" /S GPFFWLPI /U Admin /F "C:\Windows\write.exe"
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:580
- C:\Windows\System32\icacls.exe
  "C:\Windows\System32\icacls.exe" "C:\Windows\winhlp32.exe" /INHERITANCE:e /GRANT:r Admin:(F)
  2⤵
  PID:1460
- C:\Windows\System32\takeown.exe
  "C:\Windows\System32\takeown.exe" /S GPFFWLPI /U Admin /F "C:\Windows\winhlp32.exe"
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:1456
- C:\Windows\System32\icacls.exe
  "C:\Windows\System32\icacls.exe" "C:\Windows\splwow64.exe" /INHERITANCE:e /GRANT:r Admin:(F)
  2⤵
  - Modifies file permissions
  PID:1364
- C:\Windows\System32\icacls.exe
  "C:\Windows\System32\icacls.exe" "C:\Windows\SysWOW64\msinfo32.exe" /INHERITANCE:e /GRANT:r Admin:(F)
  2⤵
  PID:280
- C:\Windows\System32\takeown.exe
  "C:\Windows\System32\takeown.exe" /S GPFFWLPI /U Admin /F "C:\Windows\SysWOW64\runas.exe"
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:1156
- C:\Windows\System32\icacls.exe
  "C:\Windows\System32\icacls.exe" "C:\Windows\SysWOW64\runas.exe" /INHERITANCE:e /GRANT:r Admin:(F)
  2⤵
  PID:2016
- C:\Windows\System32\takeown.exe
  "C:\Windows\System32\takeown.exe" /S GPFFWLPI /U Admin /F "C:\Windows\SysWOW64\mstsc.exe"
  2⤵
  - Modifies file permissions
  - Suspicious use of AdjustPrivilegeToken
  PID:2700
- C:\Windows\System32\icacls.exe
  "C:\Windows\System32\icacls.exe" "C:\Windows\SysWOW64\mstsc.exe" /INHERITANCE:e /GRANT:r Admin:(F)
  2⤵
  PID:2720
- C:\Windows\System32\takeown.exe
  "C:\Windows\System32\takeown.exe" /S GPFFWLPI /U Admin /F "C:\Windows\SysWOW64\sdiagnhost.exe"
  2⤵
  - Possible privilege escalation attempt
  - Modifies file permissions
  - Suspicious use of AdjustPrivilegeToken
  PID:2960
- C:\Windows\System32\icacls.exe
  "C:\Windows\System32\icacls.exe" "C:\Windows\SysWOW64\sdiagnhost.exe" /INHERITANCE:e /GRANT:r Admin:(F)
  2⤵
  PID:2620
- C:\Windows\System32\takeown.exe
  "C:\Windows\System32\takeown.exe" /S GPFFWLPI /U Admin /F "C:\Windows\System32\tabcal.exe"
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2992
- C:\Windows\System32\icacls.exe
  "C:\Windows\System32\icacls.exe" "C:\Windows\System32\tabcal.exe" /INHERITANCE:e /GRANT:r Admin:(F)
  2⤵
  - Possible privilege escalation attempt
  - Modifies file permissions
  PID:2492
- C:\Windows\System32\takeown.exe
  "C:\Windows\System32\takeown.exe" /S GPFFWLPI /U Admin /F "C:\Windows\System32\tabcal.exe"
  2⤵
  - Possible privilege escalation attempt
  PID:1068
- C:\Windows\System32\takeown.exe
  "C:\Windows\System32\takeown.exe" /S GPFFWLPI /U Admin /F "C:\Windows\System32\tabcal.exe"
  2⤵
  - Modifies file permissions
  PID:888
- C:\Windows\System32\icacls.exe
  "C:\Windows\System32\icacls.exe" "C:\Windows\System32\tabcal.exe" /INHERITANCE:e /GRANT:r Admin:(F)
  2⤵
  PID:732
- C:\Windows\System32\icacls.exe
  "C:\Windows\System32\icacls.exe" "C:\Windows\System32\tabcal.exe" /INHERITANCE:e /GRANT:r Admin:(F)
  2⤵
  - Modifies file permissions
  PID:872
- C:\Windows\System32\takeown.exe
  "C:\Windows\System32\takeown.exe" /S GPFFWLPI /U Admin /F "C:\Windows\System32\tabcal.exe"
  2⤵
  PID:1472
- C:\Windows\System32\icacls.exe
  "C:\Windows\System32\icacls.exe" "C:\Windows\System32\tabcal.exe" /INHERITANCE:e /GRANT:r Admin:(F)
  2⤵
  PID:1812
- C:\Windows\System32\takeown.exe
  "C:\Windows\System32\takeown.exe" /S GPFFWLPI /U Admin /F "C:\Windows\System32\tabcal.exe"
  2⤵
  PID:2452
- C:\Windows\System32\takeown.exe
  "C:\Windows\System32\takeown.exe" /S GPFFWLPI /U Admin /F "C:\Windows\System32\tabcal.exe"
  2⤵
  - Possible privilege escalation attempt
  PID:1404
- C:\Windows\System32\icacls.exe
  "C:\Windows\System32\icacls.exe" "C:\Windows\System32\tabcal.exe" /INHERITANCE:e /GRANT:r Admin:(F)
  2⤵
  - Possible privilege escalation attempt
  PID:1372
- C:\Windows\System32\icacls.exe
  "C:\Windows\System32\icacls.exe" "C:\Windows\System32\tabcal.exe" /INHERITANCE:e /GRANT:r Admin:(F)
  2⤵
  - Possible privilege escalation attempt
  PID:320
- C:\Windows\System32\icacls.exe
  "C:\Windows\System32\icacls.exe" "C:\Windows\System32\tabcal.exe" /INHERITANCE:e /GRANT:r Admin:(F)
  2⤵
  PID:2092
- C:\Windows\System32\takeown.exe
  "C:\Windows\System32\takeown.exe" /S GPFFWLPI /U Admin /F "C:\Windows\System32\tabcal.exe"
  2⤵
  PID:2080
- C:\Windows\System32\takeown.exe
  "C:\Windows\System32\takeown.exe" /S GPFFWLPI /U Admin /F "C:\Windows\System32\tabcal.exe"
  2⤵
  - Modifies file permissions
  PID:1420
- C:\Windows\System32\takeown.exe
  "C:\Windows\System32\takeown.exe" /S GPFFWLPI /U Admin /F "C:\Windows\System32\tabcal.exe"
  2⤵
  - Possible privilege escalation attempt
  - Modifies file permissions
  PID:1084
- C:\Windows\System32\icacls.exe
  "C:\Windows\System32\icacls.exe" "C:\Windows\System32\tabcal.exe" /INHERITANCE:e /GRANT:r Admin:(F)
  2⤵
  PID:2076
- C:\Windows\System32\icacls.exe
  "C:\Windows\System32\icacls.exe" "C:\Windows\System32\tabcal.exe" /INHERITANCE:e /GRANT:r Admin:(F)
  2⤵
  - Modifies file permissions
  PID:1232
- C:\Windows\System32\icacls.exe
  "C:\Windows\System32\icacls.exe" "C:\Windows\System32\tabcal.exe" /INHERITANCE:e /GRANT:r Admin:(F)
  2⤵
  PID:1148
- C:\Windows\System32\takeown.exe
  "C:\Windows\System32\takeown.exe" /S GPFFWLPI /U Admin /F "C:\Windows\System32\tabcal.exe"
  2⤵
  - Possible privilege escalation attempt
  PID:3052
- C:\Windows\System32\icacls.exe
  "C:\Windows\System32\icacls.exe" "C:\Windows\System32\tabcal.exe" /INHERITANCE:e /GRANT:r Admin:(F)
  2⤵
  - Possible privilege escalation attempt
  PID:2856
- C:\Windows\System32\icacls.exe
  "C:\Windows\System32\icacls.exe" "C:\Windows\System32\tabcal.exe" /INHERITANCE:e /GRANT:r Admin:(F)
  2⤵
  - Possible privilege escalation attempt
  - Modifies file permissions
  PID:1676
- C:\Windows\System32\takeown.exe
  "C:\Windows\System32\takeown.exe" /S GPFFWLPI /U Admin /F "C:\Windows\System32\tabcal.exe"
  2⤵
  PID:1216
- C:\Windows\System32\icacls.exe
  "C:\Windows\System32\icacls.exe" "C:\Windows\System32\tabcal.exe" /INHERITANCE:e /GRANT:r Admin:(F)
  2⤵
  - Possible privilege escalation attempt
  - Modifies file permissions
  PID:2472
- C:\Windows\System32\takeown.exe
  "C:\Windows\System32\takeown.exe" /S GPFFWLPI /U Admin /F "C:\Windows\System32\tabcal.exe"
  2⤵
  PID:2408
- C:\Windows\System32\icacls.exe
  "C:\Windows\System32\icacls.exe" "C:\Windows\System32\tabcal.exe" /INHERITANCE:e /GRANT:r Admin:(F)
  2⤵
  PID:2296
- C:\Windows\System32\takeown.exe
  "C:\Windows\System32\takeown.exe" /S GPFFWLPI /U Admin /F "C:\Windows\System32\tabcal.exe"
  2⤵
  PID:1280
- C:\Windows\System32\takeown.exe
  "C:\Windows\System32\takeown.exe" /S GPFFWLPI /U Admin /F "C:\Windows\System32\tabcal.exe"
  2⤵
  PID:2420
- C:\Windows\System32\takeown.exe
  "C:\Windows\System32\takeown.exe" /S GPFFWLPI /U Admin /F "C:\Windows\System32\tabcal.exe"
  2⤵
  PID:2104
- C:\Windows\System32\icacls.exe
  "C:\Windows\System32\icacls.exe" "C:\Windows\System32\tabcal.exe" /INHERITANCE:e /GRANT:r Admin:(F)
  2⤵
  PID:2804
- C:\Windows\System32\takeown.exe
  "C:\Windows\System32\takeown.exe" /S GPFFWLPI /U Admin /F "C:\Windows\System32\tabcal.exe"
  2⤵
  PID:1608
- C:\Windows\System32\icacls.exe
  "C:\Windows\System32\icacls.exe" "C:\Windows\System32\tabcal.exe" /INHERITANCE:e /GRANT:r Admin:(F)
  2⤵
  PID:2084
- C:\Windows\System32\takeown.exe
  "C:\Windows\System32\takeown.exe" /S GPFFWLPI /U Admin /F "C:\Windows\System32\tabcal.exe"
  2⤵
  PID:2952
- C:\Windows\System32\icacls.exe
  "C:\Windows\System32\icacls.exe" "C:\Windows\System32\tabcal.exe" /INHERITANCE:e /GRANT:r Admin:(F)
  2⤵
  PID:1308
- C:\Windows\System32\takeown.exe
  "C:\Windows\System32\takeown.exe" /S GPFFWLPI /U Admin /F "C:\Windows\System32\tabcal.exe"
  2⤵
  - Modifies file permissions
  PID:1176
- C:\Windows\System32\icacls.exe
  "C:\Windows\System32\icacls.exe" "C:\Windows\System32\tabcal.exe" /INHERITANCE:e /GRANT:r Admin:(F)
  2⤵
  PID:1320
- C:\Windows\System32\takeown.exe
  "C:\Windows\System32\takeown.exe" /S GPFFWLPI /U Admin /F "C:\Windows\System32\tabcal.exe"
  2⤵
  PID:2640
- C:\Windows\System32\takeown.exe
  "C:\Windows\System32\takeown.exe" /S GPFFWLPI /U Admin /F "C:\Windows\System32\tabcal.exe"
  2⤵
  PID:2616
- C:\Windows\System32\icacls.exe
  "C:\Windows\System32\icacls.exe" "C:\Windows\System32\tabcal.exe" /INHERITANCE:e /GRANT:r Admin:(F)
  2⤵
  - Modifies file permissions
  PID:1580
- C:\Windows\System32\takeown.exe
  "C:\Windows\System32\takeown.exe" /S GPFFWLPI /U Admin /F "C:\Windows\System32\tabcal.exe"
  2⤵
  PID:2944
- C:\Windows\System32\takeown.exe
  "C:\Windows\System32\takeown.exe" /S GPFFWLPI /U Admin /F "C:\Windows\System32\tabcal.exe"
  2⤵
  PID:2716
- C:\Windows\System32\icacls.exe
  "C:\Windows\System32\icacls.exe" "C:\Windows\System32\tabcal.exe" /INHERITANCE:e /GRANT:r Admin:(F)
  2⤵
  - Modifies file permissions
  PID:1048
- C:\Windows\System32\icacls.exe
  "C:\Windows\System32\icacls.exe" "C:\Windows\System32\tabcal.exe" /INHERITANCE:e /GRANT:r Admin:(F)
  2⤵
  PID:2656
- C:\Windows\System32\icacls.exe
  "C:\Windows\System32\icacls.exe" "C:\Windows\System32\tabcal.exe" /INHERITANCE:e /GRANT:r Admin:(F)
  2⤵
  PID:2740
- C:\Windows\System32\takeown.exe
  "C:\Windows\System32\takeown.exe" /S GPFFWLPI /U Admin /F "C:\Windows\System32\tabcal.exe"
  2⤵
  - Possible privilege escalation attempt
  - Modifies file permissions
  PID:2712
- C:\Windows\System32\icacls.exe
  "C:\Windows\System32\icacls.exe" "C:\Windows\System32\tabcal.exe" /INHERITANCE:e /GRANT:r Admin:(F)
  2⤵
  PID:2464
- C:\Windows\System32\takeown.exe
  "C:\Windows\System32\takeown.exe" /S GPFFWLPI /U Admin /F "C:\Windows\System32\tabcal.exe"
  2⤵
  PID:2828
- C:\Windows\System32\icacls.exe
  "C:\Windows\System32\icacls.exe" "C:\Windows\System32\tabcal.exe" /INHERITANCE:e /GRANT:r Admin:(F)
  2⤵
  - Possible privilege escalation attempt
  PID:2276
- C:\Windows\System32\takeown.exe
  "C:\Windows\System32\takeown.exe" /S GPFFWLPI /U Admin /F "C:\Windows\System32\tabcal.exe"
  2⤵
  - Possible privilege escalation attempt
  PID:2684
- C:\Windows\System32\icacls.exe
  "C:\Windows\System32\icacls.exe" "C:\Windows\System32\tabcal.exe" /INHERITANCE:e /GRANT:r Admin:(F)
  2⤵
  PID:2728
- C:\Windows\System32\takeown.exe
  "C:\Windows\System32\takeown.exe" /S GPFFWLPI /U Admin /F "C:\Windows\System32\tabcal.exe"
  2⤵
  PID:2776
- C:\Windows\System32\takeown.exe
  "C:\Windows\System32\takeown.exe" /S GPFFWLPI /U Admin /F "C:\Windows\System32\tabcal.exe"
  2⤵
  PID:2560
- C:\Windows\System32\icacls.exe
  "C:\Windows\System32\icacls.exe" "C:\Windows\System32\tabcal.exe" /INHERITANCE:e /GRANT:r Admin:(F)
  2⤵
  - Possible privilege escalation attempt
  PID:2520
- C:\Windows\System32\icacls.exe
  "C:\Windows\System32\icacls.exe" "C:\Windows\System32\tabcal.exe" /INHERITANCE:e /GRANT:r Admin:(F)
  2⤵
  PID:2572
- C:\Windows\System32\takeown.exe
  "C:\Windows\System32\takeown.exe" /S GPFFWLPI /U Admin /F "C:\Windows\System32\tabcal.exe"
  2⤵
  - Possible privilege escalation attempt
  PID:984
- C:\Windows\System32\icacls.exe
  "C:\Windows\System32\icacls.exe" "C:\Windows\System32\tabcal.exe" /INHERITANCE:e /GRANT:r Admin:(F)
  2⤵
  PID:2820
- C:\Windows\System32\takeown.exe
  "C:\Windows\System32\takeown.exe" /S GPFFWLPI /U Admin /F "C:\Windows\System32\tabcal.exe"
  2⤵
  PID:1884
- C:\Windows\System32\icacls.exe
  "C:\Windows\System32\icacls.exe" "C:\Windows\System32\tabcal.exe" /INHERITANCE:e /GRANT:r Admin:(F)
  2⤵
  - Possible privilege escalation attempt
  PID:2148
- C:\Windows\System32\takeown.exe
  "C:\Windows\System32\takeown.exe" /S GPFFWLPI /U Admin /F "C:\Windows\System32\tabcal.exe"
  2⤵
  - Modifies file permissions
  PID:2184
- C:\Windows\System32\icacls.exe
  "C:\Windows\System32\icacls.exe" "C:\Windows\System32\tabcal.exe" /INHERITANCE:e /GRANT:r Admin:(F)
  2⤵
  PID:1968
- C:\Windows\System32\takeown.exe
  "C:\Windows\System32\takeown.exe" /S GPFFWLPI /U Admin /F "C:\Windows\System32\tabcal.exe"
  2⤵
  PID:2812
- C:\Windows\System32\icacls.exe
  "C:\Windows\System32\icacls.exe" "C:\Windows\System32\tabcal.exe" /INHERITANCE:e /GRANT:r Admin:(F)
  2⤵
  - Modifies file permissions
  PID:744
- C:\Windows\System32\takeown.exe
  "C:\Windows\System32\takeown.exe" /S GPFFWLPI /U Admin /F "C:\Windows\System32\tabcal.exe"
  2⤵
  PID:1592
- C:\Windows\System32\icacls.exe
  "C:\Windows\System32\icacls.exe" "C:\Windows\System32\tabcal.exe" /INHERITANCE:e /GRANT:r Admin:(F)
  2⤵
  - Possible privilege escalation attempt
  PID:908
- C:\Windows\System32\takeown.exe
  "C:\Windows\System32\takeown.exe" /S GPFFWLPI /U Admin /F "C:\Windows\System32\tabcal.exe"
  2⤵
  - Modifies file permissions
  PID:688
- C:\Windows\System32\takeown.exe
  "C:\Windows\System32\takeown.exe" /S GPFFWLPI /U Admin /F "C:\Windows\System32\tabcal.exe"
  2⤵
  - Modifies file permissions
  PID:1992
- C:\Windows\System32\icacls.exe
  "C:\Windows\System32\icacls.exe" "C:\Windows\System32\tabcal.exe" /INHERITANCE:e /GRANT:r Admin:(F)
  2⤵
  PID:1664
- C:\Windows\System32\takeown.exe
  "C:\Windows\System32\takeown.exe" /S GPFFWLPI /U Admin /F "C:\Windows\System32\tabcal.exe"
  2⤵
  PID:816
- C:\Windows\System32\icacls.exe
  "C:\Windows\System32\icacls.exe" "C:\Windows\System32\tabcal.exe" /INHERITANCE:e /GRANT:r Admin:(F)
  2⤵
  - Possible privilege escalation attempt
  PID:2284
- C:\Windows\System32\takeown.exe
  "C:\Windows\System32\takeown.exe" /S GPFFWLPI /U Admin /F "C:\Windows\System32\tabcal.exe"
  2⤵
  PID:312
- C:\Windows\System32\takeown.exe
  "C:\Windows\System32\takeown.exe" /S GPFFWLPI /U Admin /F "C:\Windows\System32\tabcal.exe"
  2⤵
  PID:3048
- C:\Windows\System32\icacls.exe
  "C:\Windows\System32\icacls.exe" "C:\Windows\System32\tabcal.exe" /INHERITANCE:e /GRANT:r Admin:(F)
  2⤵
  PID:976
- C:\Windows\System32\icacls.exe
  "C:\Windows\System32\icacls.exe" "C:\Windows\System32\tabcal.exe" /INHERITANCE:e /GRANT:r Admin:(F)
  2⤵
  PID:3044
- C:\Windows\System32\takeown.exe
  "C:\Windows\System32\takeown.exe" /S GPFFWLPI /U Admin /F "C:\Windows\System32\tabcal.exe"
  2⤵
  - Possible privilege escalation attempt
  PID:1628
- C:\Windows\System32\icacls.exe
  "C:\Windows\System32\icacls.exe" "C:\Windows\System32\tabcal.exe" /INHERITANCE:e /GRANT:r Admin:(F)
  2⤵
  - Possible privilege escalation attempt
  PID:2188
- C:\Windows\System32\takeown.exe
  "C:\Windows\System32\takeown.exe" /S GPFFWLPI /U Admin /F "C:\Windows\System32\tabcal.exe"
  2⤵
  PID:2120
- C:\Windows\System32\takeown.exe
  "C:\Windows\System32\takeown.exe" /S GPFFWLPI /U Admin /F "C:\Windows\System32\tabcal.exe"
  2⤵
  - Modifies file permissions
  PID:2152
- C:\Windows\System32\icacls.exe
  "C:\Windows\System32\icacls.exe" "C:\Windows\System32\tabcal.exe" /INHERITANCE:e /GRANT:r Admin:(F)
  2⤵
  PID:684
- C:\Windows\System32\icacls.exe
  "C:\Windows\System32\icacls.exe" "C:\Windows\System32\tabcal.exe" /INHERITANCE:e /GRANT:r Admin:(F)
  2⤵
  - Possible privilege escalation attempt
  - Modifies file permissions
  PID:1096
- C:\Windows\System32\icacls.exe
  "C:\Windows\System32\icacls.exe" "C:\Windows\System32\tabcal.exe" /INHERITANCE:e /GRANT:r Admin:(F)
  2⤵
  - Possible privilege escalation attempt
  - Modifies file permissions
  PID:2924
- C:\Windows\System32\takeown.exe
  "C:\Windows\System32\takeown.exe" /S GPFFWLPI /U Admin /F "C:\Windows\System32\tabcal.exe"
  2⤵
  PID:1572
- C:\Windows\System32\icacls.exe
  "C:\Windows\System32\icacls.exe" "C:\Windows\System32\tabcal.exe" /INHERITANCE:e /GRANT:r Admin:(F)
  2⤵
  - Possible privilege escalation attempt
  PID:1784
- C:\Windows\System32\takeown.exe
  "C:\Windows\System32\takeown.exe" /S GPFFWLPI /U Admin /F "C:\Windows\System32\tabcal.exe"
  2⤵
  - Modifies file permissions
  PID:1300
- C:\Windows\System32\icacls.exe
  "C:\Windows\System32\icacls.exe" "C:\Windows\System32\tabcal.exe" /INHERITANCE:e /GRANT:r Admin:(F)
  2⤵
  PID:2432
- C:\Windows\System32\takeown.exe
  "C:\Windows\System32\takeown.exe" /S GPFFWLPI /U Admin /F "C:\Windows\System32\tabcal.exe"
  2⤵
  - Possible privilege escalation attempt
  PID:1492
- C:\Windows\System32\takeown.exe
  "C:\Windows\System32\takeown.exe" /S GPFFWLPI /U Admin /F "C:\Windows\System32\tabcal.exe"
  2⤵
  PID:1740
- C:\Windows\System32\icacls.exe
  "C:\Windows\System32\icacls.exe" "C:\Windows\System32\tabcal.exe" /INHERITANCE:e /GRANT:r Admin:(F)
  2⤵
  - Possible privilege escalation attempt
  PID:2028
- C:\Windows\System32\icacls.exe
  "C:\Windows\System32\icacls.exe" "C:\Windows\System32\tabcal.exe" /INHERITANCE:e /GRANT:r Admin:(F)
  2⤵
  PID:1724
- C:\Windows\System32\takeown.exe
  "C:\Windows\System32\takeown.exe" /S GPFFWLPI /U Admin /F "C:\Windows\System32\tabcal.exe"
  2⤵
  PID:1544
- C:\Windows\System32\takeown.exe
  "C:\Windows\System32\takeown.exe" /S GPFFWLPI /U Admin /F "C:\Windows\System32\tabcal.exe"
  2⤵
  PID:1756
- C:\Windows\System32\icacls.exe
  "C:\Windows\System32\icacls.exe" "C:\Windows\System32\tabcal.exe" /INHERITANCE:e /GRANT:r Admin:(F)
  2⤵
  - Possible privilege escalation attempt
  - Modifies file permissions
  PID:2724
- C:\Windows\System32\icacls.exe
  "C:\Windows\System32\icacls.exe" "C:\Windows\System32\tabcal.exe" /INHERITANCE:e /GRANT:r Admin:(F)
  2⤵
  PID:2612
- C:\Windows\System32\icacls.exe
  "C:\Windows\System32\icacls.exe" "C:\Windows\System32\tabcal.exe" /INHERITANCE:e /GRANT:r Admin:(F)
  2⤵
  PID:616
- C:\Windows\System32\icacls.exe
  "C:\Windows\System32\icacls.exe" "C:\Windows\System32\tabcal.exe" /INHERITANCE:e /GRANT:r Admin:(F)
  2⤵
  - Modifies file permissions
  PID:784
- C:\Windows\System32\takeown.exe
  "C:\Windows\System32\takeown.exe" /S GPFFWLPI /U Admin /F "C:\Windows\System32\tabcal.exe"
  2⤵
  PID:1568
- C:\Windows\System32\icacls.exe
  "C:\Windows\System32\icacls.exe" "C:\Windows\System32\tabcal.exe" /INHERITANCE:e /GRANT:r Admin:(F)
  2⤵
  - Modifies file permissions
  PID:2516
- C:\Windows\System32\takeown.exe
  "C:\Windows\System32\takeown.exe" /S GPFFWLPI /U Admin /F "C:\Windows\System32\tabcal.exe"
  2⤵
  PID:2800
- C:\Windows\System32\takeown.exe
  "C:\Windows\System32\takeown.exe" /S GPFFWLPI /U Admin /F "C:\Windows\System32\tabcal.exe"
  2⤵
  PID:2624
- C:\Windows\System32\takeown.exe
  "C:\Windows\System32\takeown.exe" /S GPFFWLPI /U Admin /F "C:\Windows\System32\tabcal.exe"
  2⤵
  - Possible privilege escalation attempt
  - Modifies file permissions
  PID:3140
- C:\Windows\System32\icacls.exe
  "C:\Windows\System32\icacls.exe" "C:\Windows\System32\tabcal.exe" /INHERITANCE:e /GRANT:r Admin:(F)
  2⤵
  PID:3152
- C:\Windows\System32\takeown.exe
  "C:\Windows\System32\takeown.exe" /S GPFFWLPI /U Admin /F "C:\Windows\System32\tabcal.exe"
  2⤵
  PID:3164
- C:\Windows\System32\icacls.exe
  "C:\Windows\System32\icacls.exe" "C:\Windows\System32\tabcal.exe" /INHERITANCE:e /GRANT:r Admin:(F)
  2⤵
  - Possible privilege escalation attempt
  PID:3172
- C:\Windows\System32\takeown.exe
  "C:\Windows\System32\takeown.exe" /S GPFFWLPI /U Admin /F "C:\Windows\System32\tabcal.exe"
  2⤵
  - Modifies file permissions
  PID:3184
- C:\Windows\System32\icacls.exe
  "C:\Windows\System32\icacls.exe" "C:\Windows\System32\tabcal.exe" /INHERITANCE:e /GRANT:r Admin:(F)
  2⤵
  PID:3192
- C:\Windows\System32\takeown.exe
  "C:\Windows\System32\takeown.exe" /S GPFFWLPI /U Admin /F "C:\Windows\System32\tabcal.exe"
  2⤵
  PID:3224
- C:\Windows\System32\icacls.exe
  "C:\Windows\System32\icacls.exe" "C:\Windows\System32\tabcal.exe" /INHERITANCE:e /GRANT:r Admin:(F)
  2⤵
  PID:3236
- C:\Windows\System32\takeown.exe
  "C:\Windows\System32\takeown.exe" /S GPFFWLPI /U Admin /F "C:\Windows\System32\tabcal.exe"
  2⤵
  PID:3252
- C:\Windows\System32\icacls.exe
  "C:\Windows\System32\icacls.exe" "C:\Windows\System32\tabcal.exe" /INHERITANCE:e /GRANT:r Admin:(F)
  2⤵
  - Possible privilege escalation attempt
  PID:3260
- C:\Windows\System32\takeown.exe
  "C:\Windows\System32\takeown.exe" /S GPFFWLPI /U Admin /F "C:\Windows\System32\tabcal.exe"
  2⤵
  - Modifies file permissions
  PID:3276
- C:\Windows\System32\icacls.exe
  "C:\Windows\System32\icacls.exe" "C:\Windows\System32\tabcal.exe" /INHERITANCE:e /GRANT:r Admin:(F)
  2⤵
  PID:3288
- C:\Windows\System32\takeown.exe
  "C:\Windows\System32\takeown.exe" /S GPFFWLPI /U Admin /F "C:\Windows\System32\tabcal.exe"
  2⤵
  PID:3300
- C:\Windows\System32\icacls.exe
  "C:\Windows\System32\icacls.exe" "C:\Windows\System32\tabcal.exe" /INHERITANCE:e /GRANT:r Admin:(F)
  2⤵
  PID:3332
- C:\Windows\System32\takeown.exe
  "C:\Windows\System32\takeown.exe" /S GPFFWLPI /U Admin /F "C:\Windows\System32\tabcal.exe"
  2⤵
  - Modifies file permissions
  PID:3340
- C:\Windows\System32\icacls.exe
  "C:\Windows\System32\icacls.exe" "C:\Windows\System32\tabcal.exe" /INHERITANCE:e /GRANT:r Admin:(F)
  2⤵
  PID:3352
- C:\Windows\System32\takeown.exe
  "C:\Windows\System32\takeown.exe" /S GPFFWLPI /U Admin /F "C:\Windows\System32\tabcal.exe"
  2⤵
  - Possible privilege escalation attempt
  PID:3364
- C:\Windows\System32\icacls.exe
  "C:\Windows\System32\icacls.exe" "C:\Windows\System32\tabcal.exe" /INHERITANCE:e /GRANT:r Admin:(F)
  2⤵
  PID:3380
- C:\Windows\System32\takeown.exe
  "C:\Windows\System32\takeown.exe" /S GPFFWLPI /U Admin /F "C:\Windows\System32\tabcal.exe"
  2⤵
  PID:3636
- C:\Windows\System32\takeown.exe
  "C:\Windows\System32\takeown.exe" /S GPFFWLPI /U Admin /F "C:\Windows\System32\tabcal.exe"
  2⤵
  - Possible privilege escalation attempt
  PID:3680
- C:\Windows\System32\icacls.exe
  "C:\Windows\System32\icacls.exe" "C:\Windows\System32\tabcal.exe" /INHERITANCE:e /GRANT:r Admin:(F)
  2⤵
  PID:3688
- C:\Windows\System32\icacls.exe
  "C:\Windows\System32\icacls.exe" "C:\Windows\System32\tabcal.exe" /INHERITANCE:e /GRANT:r Admin:(F)
  2⤵
  PID:3652
- C:\Windows\System32\icacls.exe
  "C:\Windows\System32\icacls.exe" "C:\Windows\System32\tabcal.exe" /INHERITANCE:e /GRANT:r Admin:(F)
  2⤵
  - Possible privilege escalation attempt
  PID:3624
- C:\Windows\System32\takeown.exe
  "C:\Windows\System32\takeown.exe" /S GPFFWLPI /U Admin /F "C:\Windows\System32\tabcal.exe"
  2⤵
  - Modifies file permissions
  PID:3616
- C:\Windows\System32\takeown.exe
  "C:\Windows\System32\takeown.exe" /S GPFFWLPI /U Admin /F "C:\Windows\System32\tabcal.exe"
  2⤵
  - Possible privilege escalation attempt
  - Modifies file permissions
  PID:3752
- C:\Windows\System32\icacls.exe
  "C:\Windows\System32\icacls.exe" "C:\Windows\System32\tabcal.exe" /INHERITANCE:e /GRANT:r Admin:(F)
  2⤵
  PID:3728
- C:\Windows\System32\takeown.exe
  "C:\Windows\System32\takeown.exe" /S GPFFWLPI /U Admin /F "C:\Windows\System32\tabcal.exe"
  2⤵
  PID:3708
- C:\Windows\System32\icacls.exe
  "C:\Windows\System32\icacls.exe" "C:\Windows\System32\tabcal.exe" /INHERITANCE:e /GRANT:r Admin:(F)
  2⤵
  PID:3608
- C:\Windows\System32\icacls.exe
  "C:\Windows\System32\icacls.exe" "C:\Windows\System32\tabcal.exe" /INHERITANCE:e /GRANT:r Admin:(F)
  2⤵
  - Modifies file permissions
  PID:3776
- C:\Windows\System32\takeown.exe
  "C:\Windows\System32\takeown.exe" /S GPFFWLPI /U Admin /F "C:\Windows\System32\tabcal.exe"
  2⤵
  PID:3600
- C:\Windows\System32\icacls.exe
  "C:\Windows\System32\icacls.exe" "C:\Windows\System32\tabcal.exe" /INHERITANCE:e /GRANT:r Admin:(F)
  2⤵
  - Possible privilege escalation attempt
  PID:3592
- C:\Windows\System32\takeown.exe
  "C:\Windows\System32\takeown.exe" /S GPFFWLPI /U Admin /F "C:\Windows\System32\tabcal.exe"
  2⤵
  PID:3584
- C:\Windows\System32\takeown.exe
  "C:\Windows\System32\takeown.exe" /S GPFFWLPI /U Admin /F "C:\Windows\System32\tabcal.exe"
  2⤵
  - Modifies file permissions
  PID:3784
- C:\Windows\System32\icacls.exe
  "C:\Windows\System32\icacls.exe" "C:\Windows\System32\tabcal.exe" /INHERITANCE:e /GRANT:r Admin:(F)
  2⤵
  PID:3800
- C:\Windows\System32\takeown.exe
  "C:\Windows\System32\takeown.exe" /S GPFFWLPI /U Admin /F "C:\Windows\System32\tabcal.exe"
  2⤵
  PID:3824
- C:\Windows\System32\icacls.exe
  "C:\Windows\System32\icacls.exe" "C:\Windows\System32\tabcal.exe" /INHERITANCE:e /GRANT:r Admin:(F)
  2⤵
  PID:3832
- C:\Windows\System32\icacls.exe
  "C:\Windows\System32\icacls.exe" "C:\Windows\System32\tabcal.exe" /INHERITANCE:e /GRANT:r Admin:(F)
  2⤵
  - Possible privilege escalation attempt
  PID:3896
- C:\Windows\System32\takeown.exe
  "C:\Windows\System32\takeown.exe" /S GPFFWLPI /U Admin /F "C:\Windows\System32\tabcal.exe"
  2⤵
  PID:3888
- C:\Windows\System32\takeown.exe
  "C:\Windows\System32\takeown.exe" /S GPFFWLPI /U Admin /F "C:\Windows\System32\tabcal.exe"
  2⤵
  - Possible privilege escalation attempt
  PID:3904
- C:\Windows\System32\icacls.exe
  "C:\Windows\System32\icacls.exe" "C:\Windows\System32\tabcal.exe" /INHERITANCE:e /GRANT:r Admin:(F)
  2⤵
  PID:3860
- C:\Windows\System32\icacls.exe
  "C:\Windows\System32\icacls.exe" "C:\Windows\System32\tabcal.exe" /INHERITANCE:e /GRANT:r Admin:(F)
  2⤵
  - Modifies file permissions
  PID:3928
- C:\Windows\System32\takeown.exe
  "C:\Windows\System32\takeown.exe" /S GPFFWLPI /U Admin /F "C:\Windows\System32\tabcal.exe"
  2⤵
  PID:3940
- C:\Windows\System32\takeown.exe
  "C:\Windows\System32\takeown.exe" /S GPFFWLPI /U Admin /F "C:\Windows\System32\tabcal.exe"
  2⤵
  - Possible privilege escalation attempt
  - Modifies file permissions
  PID:3848
- C:\Windows\System32\icacls.exe
  "C:\Windows\System32\icacls.exe" "C:\Windows\System32\tabcal.exe" /INHERITANCE:e /GRANT:r Admin:(F)
  2⤵
  PID:4076
- C:\Windows\System32\takeown.exe
  "C:\Windows\System32\takeown.exe" /S GPFFWLPI /U Admin /F "C:\Windows\System32\tabcal.exe"
  2⤵
  - Modifies file permissions
  PID:2280
- C:\Windows\System32\icacls.exe
  "C:\Windows\System32\icacls.exe" "C:\Windows\System32\tabcal.exe" /INHERITANCE:e /GRANT:r Admin:(F)
  2⤵
  - Modifies file permissions
  PID:1980
- C:\Windows\System32\takeown.exe
  "C:\Windows\System32\takeown.exe" /S GPFFWLPI /U Admin /F "C:\Windows\System32\tabcal.exe"
  2⤵
  - Modifies file permissions
  PID:2892
- C:\Windows\System32\icacls.exe
  "C:\Windows\System32\icacls.exe" "C:\Windows\System32\tabcal.exe" /INHERITANCE:e /GRANT:r Admin:(F)
  2⤵
  - Modifies file permissions
  PID:2132
- C:\Windows\System32\icacls.exe
  "C:\Windows\System32\icacls.exe" "C:\Windows\System32\tabcal.exe" /INHERITANCE:e /GRANT:r Admin:(F)
  2⤵
  - Possible privilege escalation attempt
  PID:2752
- C:\Windows\System32\takeown.exe
  "C:\Windows\System32\takeown.exe" /S GPFFWLPI /U Admin /F "C:\Windows\System32\tabcal.exe"
  2⤵
  - Modifies file permissions
  PID:2528
- C:\Windows\System32\takeown.exe
  "C:\Windows\System32\takeown.exe" /S GPFFWLPI /U Admin /F "C:\Windows\System32\tabcal.exe"
  2⤵
  PID:2396
- C:\Windows\System32\icacls.exe
  "C:\Windows\System32\icacls.exe" "C:\Windows\System32\tabcal.exe" /INHERITANCE:e /GRANT:r Admin:(F)
  2⤵
  PID:3660
- C:\Windows\System32\icacls.exe
  "C:\Windows\System32\icacls.exe" "C:\Windows\System32\tabcal.exe" /INHERITANCE:e /GRANT:r Admin:(F)
  2⤵
  - Modifies file permissions
  PID:2760
- C:\Windows\System32\takeown.exe
  "C:\Windows\System32\takeown.exe" /S GPFFWLPI /U Admin /F "C:\Windows\System32\tabcal.exe"
  2⤵
  - Possible privilege escalation attempt
  - Modifies file permissions
  PID:2940
- C:\Windows\System32\takeown.exe
  "C:\Windows\System32\takeown.exe" /S GPFFWLPI /U Admin /F "C:\Windows\System32\tabcal.exe"
  2⤵
  PID:3552
- C:\Windows\System32\icacls.exe
  "C:\Windows\System32\icacls.exe" "C:\Windows\System32\tabcal.exe" /INHERITANCE:e /GRANT:r Admin:(F)
  2⤵
  - Possible privilege escalation attempt
  PID:2948
- C:\Windows\System32\takeown.exe
  "C:\Windows\System32\takeown.exe" /S GPFFWLPI /U Admin /F "C:\Windows\System32\tabcal.exe"
  2⤵
  PID:3736
- C:\Windows\System32\icacls.exe
  "C:\Windows\System32\icacls.exe" "C:\Windows\System32\tabcal.exe" /INHERITANCE:e /GRANT:r Admin:(F)
  2⤵
  - Modifies file permissions
  PID:2576
- C:\Windows\System32\takeown.exe
  "C:\Windows\System32\takeown.exe" /S GPFFWLPI /U Admin /F "C:\Windows\System32\tabcal.exe"
  2⤵
  PID:3532
- C:\Windows\System32\icacls.exe
  "C:\Windows\System32\icacls.exe" "C:\Windows\System32\tabcal.exe" /INHERITANCE:e /GRANT:r Admin:(F)
  2⤵
  - Possible privilege escalation attempt
  PID:2664
- C:\Windows\System32\takeown.exe
  "C:\Windows\System32\takeown.exe" /S GPFFWLPI /U Admin /F "C:\Windows\System32\tabcal.exe"
  2⤵
  - Possible privilege escalation attempt
  PID:1820
- C:\Windows\System32\icacls.exe
  "C:\Windows\System32\icacls.exe" "C:\Windows\System32\tabcal.exe" /INHERITANCE:e /GRANT:r Admin:(F)
  2⤵
  PID:3528
- C:\Windows\System32\takeown.exe
  "C:\Windows\System32\takeown.exe" /S GPFFWLPI /U Admin /F "C:\Windows\System32\tabcal.exe"
  2⤵
  - Possible privilege escalation attempt
  PID:2876
- C:\Windows\System32\icacls.exe
  "C:\Windows\System32\icacls.exe" "C:\Windows\System32\tabcal.exe" /INHERITANCE:e /GRANT:r Admin:(F)
  2⤵
  - Possible privilege escalation attempt
  - Modifies file permissions
  PID:4108
- C:\Windows\System32\icacls.exe
  "C:\Windows\System32\icacls.exe" "C:\Windows\System32\tabcal.exe" /INHERITANCE:e /GRANT:r Admin:(F)
  2⤵
  - Possible privilege escalation attempt
  PID:4164
- C:\Windows\System32\takeown.exe
  "C:\Windows\System32\takeown.exe" /S GPFFWLPI /U Admin /F "C:\Windows\System32\tabcal.exe"
  2⤵
  - Possible privilege escalation attempt
  PID:4132
- C:\Windows\System32\takeown.exe
  "C:\Windows\System32\takeown.exe" /S GPFFWLPI /U Admin /F "C:\Windows\System32\tabcal.exe"
  2⤵
  PID:4180
- C:\Windows\System32\icacls.exe
  "C:\Windows\System32\icacls.exe" "C:\Windows\System32\tabcal.exe" /INHERITANCE:e /GRANT:r Admin:(F)
  2⤵
  PID:4196
- C:\Windows\System32\takeown.exe
  "C:\Windows\System32\takeown.exe" /S GPFFWLPI /U Admin /F "C:\Windows\System32\tabcal.exe"
  2⤵
  - Modifies file permissions
  PID:4220
- C:\Windows\System32\icacls.exe
  "C:\Windows\System32\icacls.exe" "C:\Windows\System32\tabcal.exe" /INHERITANCE:e /GRANT:r Admin:(F)
  2⤵
  PID:4236
- C:\Windows\System32\takeown.exe
  "C:\Windows\System32\takeown.exe" /S GPFFWLPI /U Admin /F "C:\Windows\System32\tabcal.exe"
  2⤵
  - Modifies file permissions
  PID:4252
- C:\Windows\System32\icacls.exe
  "C:\Windows\System32\icacls.exe" "C:\Windows\System32\tabcal.exe" /INHERITANCE:e /GRANT:r Admin:(F)
  2⤵
  - Modifies file permissions
  PID:4268
- C:\Windows\System32\takeown.exe
  "C:\Windows\System32\takeown.exe" /S GPFFWLPI /U Admin /F "C:\Windows\System32\tabcal.exe"
  2⤵
  PID:4296
- C:\Windows\System32\icacls.exe
  "C:\Windows\System32\icacls.exe" "C:\Windows\System32\tabcal.exe" /INHERITANCE:e /GRANT:r Admin:(F)
  2⤵
  - Possible privilege escalation attempt
  PID:4316
- C:\Windows\System32\takeown.exe
  "C:\Windows\System32\takeown.exe" /S GPFFWLPI /U Admin /F "C:\Windows\System32\tabcal.exe"
  2⤵
  PID:4340
- C:\Windows\System32\takeown.exe
  "C:\Windows\System32\takeown.exe" /S GPFFWLPI /U Admin /F "C:\Windows\System32\tabcal.exe"
  2⤵
  PID:4372
- C:\Windows\System32\icacls.exe
  "C:\Windows\System32\icacls.exe" "C:\Windows\System32\tabcal.exe" /INHERITANCE:e /GRANT:r Admin:(F)
  2⤵
  - Modifies file permissions
  PID:4380
- C:\Windows\System32\takeown.exe
  "C:\Windows\System32\takeown.exe" /S GPFFWLPI /U Admin /F "C:\Windows\System32\tabcal.exe"
  2⤵
  PID:4392
- C:\Windows\System32\icacls.exe
  "C:\Windows\System32\icacls.exe" "C:\Windows\System32\tabcal.exe" /INHERITANCE:e /GRANT:r Admin:(F)
  2⤵
  - Modifies file permissions
  PID:4412
- C:\Windows\System32\takeown.exe
  "C:\Windows\System32\takeown.exe" /S GPFFWLPI /U Admin /F "C:\Windows\System32\tabcal.exe"
  2⤵
  PID:4424
- C:\Windows\System32\icacls.exe
  "C:\Windows\System32\icacls.exe" "C:\Windows\System32\tabcal.exe" /INHERITANCE:e /GRANT:r Admin:(F)
  2⤵
  PID:4352
- C:\Windows\System32\takeown.exe
  "C:\Windows\System32\takeown.exe" /S GPFFWLPI /U Admin /F "C:\Windows\System32\tabcal.exe"
  2⤵
  PID:4464
- C:\Windows\System32\icacls.exe
  "C:\Windows\System32\icacls.exe" "C:\Windows\System32\tabcal.exe" /INHERITANCE:e /GRANT:r Admin:(F)
  2⤵
  - Modifies file permissions
  PID:4432
- C:\Windows\System32\icacls.exe
  "C:\Windows\System32\icacls.exe" "C:\Windows\System32\tabcal.exe" /INHERITANCE:e /GRANT:r Admin:(F)
  2⤵
  PID:4472
- C:\Windows\System32\takeown.exe
  "C:\Windows\System32\takeown.exe" /S GPFFWLPI /U Admin /F "C:\Windows\System32\tabcal.exe"
  2⤵
  - Possible privilege escalation attempt
  - Modifies file permissions
  PID:4504
- C:\Windows\System32\icacls.exe
  "C:\Windows\System32\icacls.exe" "C:\Windows\System32\tabcal.exe" /INHERITANCE:e /GRANT:r Admin:(F)
  2⤵
  - Modifies file permissions
  PID:4512
- C:\Windows\System32\takeown.exe
  "C:\Windows\System32\takeown.exe" /S GPFFWLPI /U Admin /F "C:\Windows\System32\tabcal.exe"
  2⤵
  - Possible privilege escalation attempt
  PID:4520
- C:\Windows\System32\icacls.exe
  "C:\Windows\System32\icacls.exe" "C:\Windows\System32\tabcal.exe" /INHERITANCE:e /GRANT:r Admin:(F)
  2⤵
  PID:4544
- C:\Windows\System32\takeown.exe
  "C:\Windows\System32\takeown.exe" /S GPFFWLPI /U Admin /F "C:\Windows\System32\tabcal.exe"
  2⤵
  PID:4552
- C:\Windows\System32\icacls.exe
  "C:\Windows\System32\icacls.exe" "C:\Windows\System32\tabcal.exe" /INHERITANCE:e /GRANT:r Admin:(F)
  2⤵
  PID:4568
- C:\Windows\System32\takeown.exe
  "C:\Windows\System32\takeown.exe" /S GPFFWLPI /U Admin /F "C:\Windows\System32\tabcal.exe"
  2⤵
  - Possible privilege escalation attempt
  PID:4576
- C:\Windows\System32\icacls.exe
  "C:\Windows\System32\icacls.exe" "C:\Windows\System32\tabcal.exe" /INHERITANCE:e /GRANT:r Admin:(F)
  2⤵
  - Possible privilege escalation attempt
  PID:4596
- C:\Windows\System32\takeown.exe
  "C:\Windows\System32\takeown.exe" /S GPFFWLPI /U Admin /F "C:\Windows\System32\tabcal.exe"
  2⤵
  PID:4612
- C:\Windows\System32\icacls.exe
  "C:\Windows\System32\icacls.exe" "C:\Windows\System32\tabcal.exe" /INHERITANCE:e /GRANT:r Admin:(F)
  2⤵
  - Possible privilege escalation attempt
  - Modifies file permissions
  PID:4628
- C:\Windows\System32\icacls.exe
  "C:\Windows\System32\icacls.exe" "C:\Windows\System32\tabcal.exe" /INHERITANCE:e /GRANT:r Admin:(F)
  2⤵
  PID:4652
- C:\Windows\System32\takeown.exe
  "C:\Windows\System32\takeown.exe" /S GPFFWLPI /U Admin /F "C:\Windows\System32\tabcal.exe"
  2⤵
  PID:4644
- C:\Windows\System32\takeown.exe
  "C:\Windows\System32\takeown.exe" /S GPFFWLPI /U Admin /F "C:\Windows\System32\tabcal.exe"
  2⤵
  PID:4692
- C:\Windows\System32\icacls.exe
  "C:\Windows\System32\icacls.exe" "C:\Windows\System32\tabcal.exe" /INHERITANCE:e /GRANT:r Admin:(F)
  2⤵
  - Possible privilege escalation attempt
  - Modifies file permissions
  PID:4700
- C:\Windows\System32\takeown.exe
  "C:\Windows\System32\takeown.exe" /S GPFFWLPI /U Admin /F "C:\Windows\System32\tabcal.exe"
  2⤵
  PID:4708
- C:\Windows\System32\icacls.exe
  "C:\Windows\System32\icacls.exe" "C:\Windows\System32\tabcal.exe" /INHERITANCE:e /GRANT:r Admin:(F)
  2⤵
  - Possible privilege escalation attempt
  PID:4716
- C:\Windows\System32\takeown.exe
  "C:\Windows\System32\takeown.exe" /S GPFFWLPI /U Admin /F "C:\Windows\System32\tabcal.exe"
  2⤵
  PID:4736
- C:\Windows\System32\icacls.exe
  "C:\Windows\System32\icacls.exe" "C:\Windows\System32\tabcal.exe" /INHERITANCE:e /GRANT:r Admin:(F)
  2⤵
  - Possible privilege escalation attempt
  - Modifies file permissions
  PID:4748

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

File and Directory Permissions Modification

T1222

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\HGu2oGgL61O.exe

Filesize
441KB

MD5
3b59f2be763db9781ac51fde27c90807

SHA1
7b54dc288261c9a8807e4ef4da12b95f0ab553b3

SHA256
3b780be763164c6160204217c55f2f32c875313bfb528cf50528f796024cdb16

SHA512
ca14d08d986fb07e03ba21fa122dd39554112b006179b00e3db7494f10377f1ea7438df5d2b66f131a09ebbdb7a08717bd4eff92c265eb2d410fbba49cd53b7f

Download Submit
C:\Windows\System32\tabcal.exe

Filesize
441KB

MD5
4ead3cc1be94b0e4aaa482208328f4b4

SHA1
295cfaf3244ca92fb83f37c2be8aa859dfebe7cb

SHA256
68eba9e3cab01ac899d20174eb61c0dd428775fa141179388562b6cf98044e7f

SHA512
79d6a5daf8dc580642a447a1bba9bf587b266854e271134f942b7fa94b65f01d67801bb20942966748e6513876aeb1877e49000d414012eee86ca4bdd6cc0843

Download Submit
C:\Windows\System32\tabcal.exe

Filesize
441KB

MD5
9d6dd7f15f1c4680afc034097236ebdb

SHA1
65a9e34469273283fc1937167da9142879e0568d

SHA256
747c8a4827b8bfa5584d7666f6607cf9dcead734d703b7dbff10de2185602ad6

SHA512
25c8eda290b772b0923d87c9cd409eca61fe4dcf3e8722a9e339c3aba9062d610d0aeb013080d61fbd72380c643499fd811bd7a6fd5c0010c3a13b3c4fb8c756

Download Submit
C:\Windows\System32\tabcal.exe

Filesize
441KB

MD5
5c538b82e8db220ba32833aa28e73c60

SHA1
d567bf57a0fa2e0e2314396ea384874e829e4841

SHA256
69f75c70e9f97c3c453a7a9b7f0cdb608401d93c84e03c3cc12dee794027b432

SHA512
e1f6211b76f4089cde4c51d3533cba74263da854d871241711004529aa23e111f02b88b2011285bccdc606322cf3ba09867abcdeb4ef886509d1881ad291ab53

Download Submit
C:\Windows\System32\tabcal.exe

Filesize
441KB

MD5
164f924018edd36e68b3a299091a24f2

SHA1
ade37cb350ee91743e3e04db83cf6f42551128cc

SHA256
b5e269a2a1d580dc098701b370d81b44278862bb096606c0a2e96b2fcc4be3f8

SHA512
a76f4b56e0981b9e786252182f23652b0eb2ebafb4c87786ad59683c910ef67d58c533d845c531611f9cfafc34bddbc7bbf0c3c3dec45004060965ce4869a17d

Download Submit
C:\Windows\System32\tabcal.exe

Filesize
441KB

MD5
e05523429889d664f04a369af7ec79b8

SHA1
9310a244f8aa613c2c43264938086b839341392d

SHA256
c92582ea8bcfd050fb7cfce36c7b5eaf844504855a8c7539fecc937a5c58bd61

SHA512
853512f91d19424f1e390bb9306f4770c19829ca947714fcedbd3a1f3bfec655ef6075fc04aa06884baa1e56eed73fdc857735f89d8a2a13824d54e93b58f38b

Download Submit
C:\Windows\System32\tabcal.exe

Filesize
441KB

MD5
2f3d7f05cb6375082645eaa895f44002

SHA1
79f0cbe8e624365f93bb6ce0890286d4eecd9772

SHA256
475035e88f12b8ae4a1e3c510e8d6dc02ab50129f70a90b25de2d59543190eec

SHA512
b1451e2e92f5f55b0aba4bf4d3a54a5e68f4068296457d6ff1dba659fad8e4d1da29ababa418a002efa87bd45f0b9294a9971964a7a6514ca55fc9627689fcdf

Download Submit
C:\Windows\System32\tabcal.exe

Filesize
441KB

MD5
d5007c253f828fb6a36f71f2c7f31768

SHA1
6336662fd780d2aabcb5fa02c0a805249966263e

SHA256
e8943ffe552f58eede3ee8faa3c861e9fce83555ccd76ea79911dc6b7adc1d47

SHA512
1936298ac62d539f5a8e7d25fb5a6b5a5033db29da6f892406ddef7d704ace72486d966bdd4c5d0f8ff051d8728d1a36fd9ed783505b72f046c2d662bae40172

Download Submit
C:\Windows\System32\tabcal.exe

Filesize
441KB

MD5
d5007c253f828fb6a36f71f2c7f31768

SHA1
6336662fd780d2aabcb5fa02c0a805249966263e

SHA256
e8943ffe552f58eede3ee8faa3c861e9fce83555ccd76ea79911dc6b7adc1d47

SHA512
1936298ac62d539f5a8e7d25fb5a6b5a5033db29da6f892406ddef7d704ace72486d966bdd4c5d0f8ff051d8728d1a36fd9ed783505b72f046c2d662bae40172

Download Submit
C:\Windows\System32\tabcal.exe

Filesize
441KB

MD5
d395e920afc12803a6e1f7fb675457e5

SHA1
a6c29c4fcb7b2ba546ed5af4b4a3b830e2c7ef3f

SHA256
8bacaf32d705b86e90654aeeec9dabd0af75c653dbded73242ed8c274ca8671d

SHA512
003145c76f8f726e1cb18092e3bcb134fd09588fae9a90902b404535b88c0ecf9853735e4a696a6f7b959ee709ffa71d221349f03e4f95f5fd2e8d11dc1808cf

Download Submit
C:\Windows\System32\tabcal.exe

Filesize
441KB

MD5
38c0d2868581b046e358bcdcd496392b

SHA1
130171ce515c7a58d8d111e7445dfdfa697dbf9d

SHA256
db725a4478ec5248d351b8c46f24ba586fea6a189597db22a381312c25df4996

SHA512
c9225a88c26b8e4cc7ff5813bb09d18d7504fa86aa5c1d38764e616f7e5eb124c9a723b62a474e60186e9f32e03972246808ad63aaa237ca536427e0792160cf

Download Submit
C:\Windows\System32\tabcal.exe

Filesize
441KB

MD5
46d0739226e18466485245ba9ccbe29c

SHA1
5e06a64e34ee4191caf8563412df83ec8282bcc9

SHA256
f1044715067aa9e314ba2e366d6374b4ab25acaf3454d98b162a417f7519372a

SHA512
b965857c5b3e5b0385f7e823d037fa7ca7e234046a067de042dc38f42d5a4b3978fb43bc11dfd51fd30337de4e75d47110bcc033ce0ba3d0ce459e3917ccca81

Download Submit
C:\Windows\System32\tabcal.exe

Filesize
441KB

MD5
294a770a6dfa03afd35ac728a9e2fca7

SHA1
a26c330cb4da49f9ff4171f454829c61ba7a8f86

SHA256
5a41761985952d235dcb2a1f86a4f033fdcfc1ad13a1c4423199c4ef4fd43e79

SHA512
0513a995c964863e40680c2c8c2a2f7f1f7b7ec364498a53ca47e7089d288f0d4fd50f66c229cf9a712e8556da6f0475f34e6d3a903f13a2ee2f15af53cf01bc

Download Submit
C:\Windows\System32\tabcal.exe

Filesize
441KB

MD5
3ba6f230b86037b6c5716609adbfcb11

SHA1
dfb74217a959f13af02ecff6226985c9a2d90891

SHA256
e9413092aebf96373cbdae42d54cba6eb90ea82b57ab2dda42253380ea59f162

SHA512
8a6dbaf335ce87c4ff34f45d5996a45baf3ac63e833c95bef3d6f4322364a22ef7c2ca9fd882688bc53cb7bc495d1e449304c1e084ecb60874ba44504b973009

Download Submit
C:\Windows\System32\tabcal.exe

Filesize
441KB

MD5
2562b5f500fbf3e6a1873a28304796bd

SHA1
b21ff8b976da8943ce223362ecc934c3310b0c8a

SHA256
eade92e9ec7678d136b9a5ed0190ae0115e852886ccd1b156d2cc1bf5a85e934

SHA512
36f0095c97049262045c35daec92509cfade82e1606e4384b8fc1152de770da3f06a58da4d1d8314a844ba360e126591b218da9c771c1fe46bbb89f0882f47df

Download Submit
C:\Windows\System32\tabcal.exe

Filesize
441KB

MD5
51951961348f62b195f7abfc0b9f1148

SHA1
9ee755ecc28c24e12f28c14c469db319f3b5b59c

SHA256
5dfdec603db42cb3c05a904be3abb16f604a772a90bc32ef02a307631b9b295c

SHA512
8add702a54f3759c22f44b3dcda1ba4b114dcfa91c29692680131231f966b1a368474cfe6da928e0ba36c06a86ab61da4ee57c58d6be856dab1d51a883522322

Download Submit
C:\Windows\System32\tabcal.exe

Filesize
441KB

MD5
f5d79c16007904d1ee521a87027839b1

SHA1
307b2d2030574a7c1aaf114106f56ec07b034859

SHA256
ab0a11f536bcc281ce199fa42e36507dab2be54b3aef49a1c7006b4d681fb66e

SHA512
f2fc52d74a834190819a18a9395d807b9abf5e1a6e31963921c99b239985d968a3b9ffaff84e73f0cec553be824147e8376ad37157e82f9f978ef73fca6ce945

Download Submit
C:\Windows\System32\tabcal.exe

Filesize
441KB

MD5
6ae898f24d431b700d9c0d066b81996d

SHA1
64760e83266b42147ad4d4a1ad67887ac18408c6

SHA256
d49c87584deda71e11e5669b57fc1aaa9cc0244f9a75371cd708c44e554d7f14

SHA512
caeef499136297a27c0c896f53b06cd91b7db5d25e0def8b73b6cb99622159c9fdcb795dccf3afdaeb06327b3fd19643abc4b90a96cb582511257169b6f1acb1

Download Submit
C:\Windows\System32\tabcal.exe

Filesize
441KB

MD5
6ae898f24d431b700d9c0d066b81996d

SHA1
64760e83266b42147ad4d4a1ad67887ac18408c6

SHA256
d49c87584deda71e11e5669b57fc1aaa9cc0244f9a75371cd708c44e554d7f14

SHA512
caeef499136297a27c0c896f53b06cd91b7db5d25e0def8b73b6cb99622159c9fdcb795dccf3afdaeb06327b3fd19643abc4b90a96cb582511257169b6f1acb1

Download Submit
C:\Windows\System32\tabcal.exe

Filesize
441KB

MD5
aa569382a963023c84c82f83372e0a2b

SHA1
cdee601f7839169657869ac432e9816dc45f2597

SHA256
8b1f09b767e286ec596db24a2c9ada0b639d7d93b6b8cac36c8d44891f780fda

SHA512
6e6580c82a87a6329ba606afbb81a46d68e2d027ccca43760e245cedeab447ae0170963794e4809fb2894adfa7495f289aa2dffd051ae48422fdcd714e733883

Download Submit
C:\Windows\System32\tabcal.exe

Filesize
441KB

MD5
bcff73e09479ff49a3cc84c3d618186e

SHA1
a7b5d2c291c9b4cc43ca9ed76a36f5fa1ee6ccce

SHA256
1c722001b89457c0f92b873c34ad98b5f10bcc47504e0319da589f6daab4c291

SHA512
8862edd0487dac2f6637408d65cc9da41be66bc4783f216ecf4e0fc56556fe8042f137756732eab6d98d7a193bb0f06996805ae29aa89b2134122ec54ddcdeaf

Download Submit
C:\Windows\System32\tabcal.exe

Filesize
441KB

MD5
78232bc27a6a4df2bca29af1ccee3959

SHA1
b47171f116e56ce5876fadfa7913fcfab710b30f

SHA256
28cb36184044e7a2ef136601354af8a400952eed90edc1016fe4523e9f79f58a

SHA512
00dafafbe2f711e417a0f9af67fe14890696bd053c50add50a848dae0f7b8bf08603c14f4bb8f0bb7194cacd9c1316f22962105ba007f95eaefea001400dc027

Download Submit
C:\Windows\System32\tabcal.exe

Filesize
441KB

MD5
fc3e0cec435df439a82a2a0c147363ef

SHA1
81a210db4c37b816c8325c007ea9095dcba164f6

SHA256
04e66395bf6d05988e43a6855c928d9c000259b0219fe5208744783867163cf7

SHA512
63bde7b9942846d464b8d7b42cf5d02a6b510ebf20b599a67afff4b7a6c738cb0fcf0c2bd820ed2343a800cc2ca504eb1bfe7137bc7f04fb5e0daf214885a6cf

Download Submit
C:\Windows\System32\tabcal.exe

Filesize
441KB

MD5
fa28296b9ed1062638a63ff22246c4f6

SHA1
1f7ee4f8324848fed8fd512683728cc5010707a0

SHA256
30ccb0810e5c29b8134ac596bcf61eace5e15cbedd97fab30b2717803e7fbf4b

SHA512
9d87625f13132a7a22488fa81a51bd75857331bdab6cbdd50a52abaa3d655478a0c4837e23832aa273d94a91edc03c03d340ecd7254f7e0724581781b5b481f8

Download Submit
C:\Windows\System32\tabcal.exe

Filesize
441KB

MD5
6e398060e43b5808f01c14dbd9de6ea4

SHA1
794d09bd2a6d5b69a92f87388a6251a1a24ed5b6

SHA256
e4c2af441a27abac7ef444dc6c6185c274173f2543877f2d49c9ab112915e7fc

SHA512
8b061dfcf3278be32aad9c6149ed3e78622b322f48497e555f3a689cdac0044ee9a418e144ac2a64aeb2d26ebf833788b7be522c428e5539e4bb42b097351ce4

Download Submit
C:\Windows\System32\tabcal.exe

Filesize
441KB

MD5
326a6dd8d2f246ffd33e7f2a3df5adb5

SHA1
ffa3d63a33874f9384ad1756ba9bf4e8d8c4dfb1

SHA256
5766f8687390109c19d9cd9851fa4f63b409b09dbe0a7037774a45f659ddb11b

SHA512
79703083a3e5fc83c8cb697c26395c4139e6b4c349a5b39ec22bfdfd143df14cc90328c629c8caceb35e4f857d10bcc1f6bc931cb38a4dca5fc6b22d687c10f1

Download Submit
C:\Windows\System32\tabcal.exe

Filesize
441KB

MD5
326a6dd8d2f246ffd33e7f2a3df5adb5

SHA1
ffa3d63a33874f9384ad1756ba9bf4e8d8c4dfb1

SHA256
5766f8687390109c19d9cd9851fa4f63b409b09dbe0a7037774a45f659ddb11b

SHA512
79703083a3e5fc83c8cb697c26395c4139e6b4c349a5b39ec22bfdfd143df14cc90328c629c8caceb35e4f857d10bcc1f6bc931cb38a4dca5fc6b22d687c10f1

Download Submit
C:\Windows\System32\tabcal.exe

Filesize
441KB

MD5
ca0fae75cf1a9390541fdc5ef1ee388e

SHA1
0a4ff41da10f75e1a541f73b5c74c73c05fa8383

SHA256
2be7776f22cbde76525b8b6ad45e8fc6ae16cd37fdca39971d034140d705c917

SHA512
d8a90bb0fb51212178d025f53d451818957d97af8834bafbec44858efe24d9b14304fe59dbccfb9bbe87b3d80f1a4c9a2844adfb36f719c48adc81876ad127b7

Download Submit
C:\Windows\System32\tabcal.exe

Filesize
441KB

MD5
81542977651333ad7c1643ad4ef44a0a

SHA1
408db9c3808f76d742206485b66c464c9ee9b818

SHA256
86ff774d7ddf0dac04c6c9651a1a212cc7fbfa89feb5a743f2891deca3228e86

SHA512
cd8e5a08c61e10140ba52040b9e19848b3468d8584f46ddc5b6f925ee9291a970019eb6e3369758c3495f9d2e73296ffa351f8cf66f2108bcca67e0c81da7c20

Download Submit
C:\Windows\System32\tabcal.exe

Filesize
441KB

MD5
c0a1adc52f9e375d9b03e0c0ade0bb85

SHA1
bfc65f9de77edacdf52e188d428187fc2eb89345

SHA256
40a8078902af4ab3d5ee981024685942d33528ea7dbd6ff0c9d91eb4bb59ebe0

SHA512
12ac19140a6c3e45cebf68ee13ee04a9d56c8e100e06f01d036bc89103839e89c671ce6d2e30ba8e14069ddbced74fd2ad88c3e7f828f6fd2e8af41869442e86

Download Submit
C:\Windows\System32\tabcal.exe

Filesize
441KB

MD5
5186c1bd95a308ffcfb7e006abc6b267

SHA1
42577bc784e1437089dba6ad3e1508d159eeb37a

SHA256
1838e251a623c371426e62d05a4d5013b0ae04fee79b95526f22a5a0db168d50

SHA512
6a9a3a90e8ba0f1f862f6a090271be31744c5339f5b96f5a36fe5bd496f4dfe14a3a063daa67ddc3d50866babb248c0c269cd1d96ce03d6a6f03e69b47d3dbd5

Download Submit
C:\Windows\System32\tabcal.exe

Filesize
441KB

MD5
05d99d61dc1625d06faabec4b36a5816

SHA1
1b2f8027e045731a47f0dcb5a55a82cd1f25e587

SHA256
a9af61ddc460e0e30dbf6e7c1c91389283b1907219ffcd4776b125d7f85e0684

SHA512
add23e0b6e6891b26be701392ce5a8ae09a11d5906732307ccdf926a0c546960564b534bf2e795018359747b22da612249956e2db93c1273d2740779cd315790

Download Submit
C:\Windows\System32\tabcal.exe

Filesize
441KB

MD5
980a8e683485f3ff57e70cc7d2c7944a

SHA1
f48d1a87311a532aabdd52a04e7e67c19c554d0b

SHA256
f57d07985d28684e872b941c87c42a779c364d47f415a042a960348225696447

SHA512
fd64d540cf618e6fd7ed743dd008f49507eb28d1bdccaf20f7fa47aa5a3ffff1d06b2ace21948d64e03a45a9e01fdf3f659f46562ea6f5b4356517739e488533

Download Submit
C:\Windows\System32\tabcal.exe

Filesize
441KB

MD5
1d0e75c61eebbf84fa31b52cfcff16b6

SHA1
b1380e69b7495ace302027384cf456c8817f0f2e

SHA256
71ef90560760e376712b54d79465e1b8e45a57fa566b1bce5ba055396d470ea5

SHA512
ec470105a8852419baf80614a306dbe4931ab1cf18c73475e47a42e7e02b5540f062b7b7edda3d42ff863cfb76e3b4c7138ddd8043adb3e31eaa5ed244cb8ba6

Download Submit
C:\Windows\System32\tabcal.exe

Filesize
442KB

MD5
2e7f9483e729dd1aee35cf2a06dd4286

SHA1
d11f860d98aca90a583ba189b365e815e801567b

SHA256
bf7284ed567054c3453d59257bf8e52b17b7ea3beda482b9a8115c927b86dd56

SHA512
d10a3cb19093f6e4e6d5191da7da08fa229b31d5712b21eb60c530d3e0bde8fcec3e535d1523ea83854f1df42bc2065056a917a5b8be5d816cd96060e7e56b5f

Download Submit
C:\Windows\System32\tabcal.exe

Filesize
442KB

MD5
2abb937d348992aaab80328b26df12fa

SHA1
9f1c2c54c29ab602a7639d2b65b53abc6d93ed5d

SHA256
79ff8004da502d89c142cda3e8516a5dc50ba1942582dc032f4f167cc2b14677

SHA512
862a968bd0db08fb95e17a193a0a433a0403db275bc8a000c5a0accc6afe0df768b02233341fc47ad802d38b518cb607f0a84e7df73857a12402c1b8ea2036fc

Download Submit
C:\Windows\System32\tabcal.exe

Filesize
442KB

MD5
36ba81c15a90952e36fac7caae55a605

SHA1
cf2bad2a47aa3836a3d9871dc99ca368cda92cad

SHA256
533f94e81c9b0d35e729c094a9baea1d4d72399e68937c5ea02a40a0abe15304

SHA512
ee439fe46473e09ef9d0614edab8bd22a72b2a87978b119f842d3cfbde6ed1e7af87f0f4e76a46bea186129bd5a4ea6dc4334b181ec5a527ec13775540be058e

Download Submit
C:\Windows\System32\tabcal.exe

Filesize
64KB

MD5
83cba40e6aea8cb582a53c8b772a0413

SHA1
da36f9bd8290c62c4e0dcc5d503d74618759979f

SHA256
f485d1c36ef4591406816740d211d5297bb569ce597b085419364cf469bf57de

SHA512
bee5e7340563b3e8f8954fbe4ac95b082e72a83ddbda0b42e2ea0cf0092979105da24c04ae79f283abba5cc0b39aa6d47b31431aff3ac3c869509cfc1d9dbd00

Download Submit
C:\Windows\System32\tabcal.exe

Filesize
442KB

MD5
f82e6d07604a1d8dbb2a2147beba0b0c

SHA1
dc534ef66183df0e027307ea80bfb58cb9fb8c1e

SHA256
dae1134c4ce25d4cdcf77bb49785b247a3d6644861e91bc10522c729eabe11dd

SHA512
55264513361c74b4d7be51fd5a6ee0fc6a0ba75a3daf6f5458098fcacb5d38255abcea04b22bd5eeb5777f06ff042bb4ba716e8a5f3a36a60e887b6ba9871bea

Download Submit
C:\Windows\System32\tabcal.exe

Filesize
442KB

MD5
0da544096a3f7bea50160921eec4bf4d

SHA1
f7af7120d03c0079b7da232d82ca43bbb7a24c10

SHA256
8aa1289f58b1534037636ac287fb0fd0a28eea4fd0be65528b2b671b162d5c18

SHA512
f46093695fd844da3e4ca43a4f9f344b0acafb9b431b10bb5ccc01928907b78cced49a4041f63da7c4f47a44efdda703b89a3c631c800e7d7ee6aaf0dd81ca62

Download Submit
C:\Windows\System32\tabcal.exe

Filesize
442KB

MD5
e96ae54c5d050c402d33cbfc2dcf00ff

SHA1
825db879f0c9466511a151d0cf2b8a6f0c362365

SHA256
5b22bc7b9f5c23c0f15d122febaba76623e1cb9909e4fb18f5f038798404d873

SHA512
2f9bd1a7d824fd745673f9eaa60eed016da80352d422d5d15710dcd23f4babd6c0a8d17dac0af14c619ad19bbcf044b8e19e09e99c90156b8deaf1b41e55445c

Download Submit
C:\Windows\System32\tabcal.exe

Filesize
442KB

MD5
6ccd7e303153ccc64bffef101775fcd8

SHA1
0d95a6fe951872b565f7b2c8e92a2b203cf77e59

SHA256
1697e724177d01369f0f26b6e91b90ad103719a61e7a24612d52bbde2d214e5d

SHA512
89981509359304cef81ae3686d150c6e656387a27453c20a25344bf4fa1ed44aec63965b1278a3e366df6e465d83d2dfc17aafd08d1765f9f54e8f78cf7c2789

Download Submit
C:\Windows\System32\tabcal.exe

Filesize
442KB

MD5
6ccd7e303153ccc64bffef101775fcd8

SHA1
0d95a6fe951872b565f7b2c8e92a2b203cf77e59

SHA256
1697e724177d01369f0f26b6e91b90ad103719a61e7a24612d52bbde2d214e5d

SHA512
89981509359304cef81ae3686d150c6e656387a27453c20a25344bf4fa1ed44aec63965b1278a3e366df6e465d83d2dfc17aafd08d1765f9f54e8f78cf7c2789

Download Submit
C:\Windows\System32\tabcal.exe

Filesize
442KB

MD5
6ccd7e303153ccc64bffef101775fcd8

SHA1
0d95a6fe951872b565f7b2c8e92a2b203cf77e59

SHA256
1697e724177d01369f0f26b6e91b90ad103719a61e7a24612d52bbde2d214e5d

SHA512
89981509359304cef81ae3686d150c6e656387a27453c20a25344bf4fa1ed44aec63965b1278a3e366df6e465d83d2dfc17aafd08d1765f9f54e8f78cf7c2789

Download Submit
memory/2220-445-0x000007FEF5A80000-0x000007FEF646C000-memory.dmp

Filesize
9.9MB

Download
memory/2220-2-0x000000001B1A0000-0x000000001B220000-memory.dmp

Filesize
512KB

Download
memory/2220-1-0x000007FEF5A80000-0x000007FEF646C000-memory.dmp

Filesize
9.9MB

Download
memory/2220-0-0x0000000001270000-0x0000000001298000-memory.dmp

Filesize
160KB

Download