hxxp://bonzify[.]exe

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2727153400-192325109-1870347593-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2727153400-192325109-1870347593-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe
Key created	\REGISTRY\MACHINE\software\WOW6432Node\microsoft\Active Setup\Installed Components	INSTALLER.exe
Key created	\REGISTRY\MACHINE\software\WOW6432Node\microsoft\Active Setup\Installed Components	INSTALLER.exe

Possible privilege escalation attempt 64 IoCs

exploit

pid	Process
2148	takeown.exe
4612	takeown.exe
220	takeown.exe
3700	icacls.exe
4368	takeown.exe
4116	takeown.exe
5856	icacls.exe
4796	takeown.exe
6000	icacls.exe
1728	takeown.exe
5448	icacls.exe
3512	takeown.exe
1908	icacls.exe
3820	takeown.exe
412	takeown.exe
384	icacls.exe
4408	takeown.exe
4576	icacls.exe
4960	icacls.exe
3672	takeown.exe
612	icacls.exe
4440	icacls.exe
2652	takeown.exe
5676	icacls.exe
3288	icacls.exe
5432	takeown.exe
4556	takeown.exe
1104	icacls.exe
2016	takeown.exe
5392	icacls.exe
4424	takeown.exe
3088	takeown.exe
2788	takeown.exe
1692	icacls.exe
5368	icacls.exe
1156	takeown.exe
1144	icacls.exe
1100	takeown.exe
2112	takeown.exe
1096	icacls.exe
2728	icacls.exe
3984	icacls.exe
3820	icacls.exe
2400	icacls.exe
3204	takeown.exe
5880	takeown.exe
5376	icacls.exe
4828	takeown.exe
2788	takeown.exe
4788	icacls.exe
3920	takeown.exe
3920	icacls.exe
3128	takeown.exe
832	takeown.exe
2196	takeown.exe
4956	icacls.exe
4876	icacls.exe
5708	takeown.exe
3492	takeown.exe
900	takeown.exe
5112	takeown.exe
5968	takeown.exe
2400	takeown.exe
4576	takeown.exe

Executes dropped EXE 5 IoCs

pid	Process
788	Bonzify.exe
6080	INSTALLER.exe
4920	AgentSvr.exe
5032	INSTALLER.exe
536	AgentSvr.exe

Loads dropped DLL 16 IoCs

pid	Process
6080	INSTALLER.exe
5676	regsvr32.exe
5596	regsvr32.exe
5520	regsvr32.exe
4128	regsvr32.exe
4968	regsvr32.exe
4612	regsvr32.exe
2680	regsvr32.exe
5032	INSTALLER.exe
2344	regsvr32.exe
2344	regsvr32.exe
3504	regsvr32.exe
788	Bonzify.exe
536	AgentSvr.exe
536	AgentSvr.exe
536	AgentSvr.exe

Modifies file permissions 1 TTPs 64 IoCs

discovery

File and Directory Permissions Modification

T1222

pid	Process
1156	takeown.exe
1096	takeown.exe
1556	takeown.exe
5284	takeown.exe
5452	takeown.exe
3708	icacls.exe
4112	icacls.exe
4372	takeown.exe
2488	takeown.exe
3216	takeown.exe
3608	icacls.exe
4424	takeown.exe
4412	takeown.exe
3592	icacls.exe
4212	takeown.exe
5220	icacls.exe
1104	takeown.exe
6004	icacls.exe
5328	takeown.exe
900	takeown.exe
2396	icacls.exe
3608	takeown.exe
5860	icacls.exe
5468	takeown.exe
5924	takeown.exe
612	icacls.exe
5256	takeown.exe
4820	takeown.exe
5764	icacls.exe
1100	takeown.exe
620	icacls.exe
6072	icacls.exe
5232	takeown.exe
5780	takeown.exe
2044	icacls.exe
3812	takeown.exe
4368	takeown.exe
2136	icacls.exe
5328	icacls.exe
4828	takeown.exe
4408	takeown.exe
1692	icacls.exe
5744	icacls.exe
1508	icacls.exe
1728	takeown.exe
3108	takeown.exe
4176	takeown.exe
3392	icacls.exe
5964	icacls.exe
5440	icacls.exe
1096	icacls.exe
2520	icacls.exe
6088	takeown.exe
6056	icacls.exe
1356	icacls.exe
3028	takeown.exe
4664	icacls.exe
4264	icacls.exe
5112	takeown.exe
4356	takeown.exe
1192	takeown.exe
2112	icacls.exe
6080	icacls.exe
1688	takeown.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\tv_enua = "RunDll32 advpack.dll,LaunchINFSection C:\\Windows\\INF\\tv_enua.inf, RemoveCabinet"	INSTALLER.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Enumerates connected drives 3 TTPs 2 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

Peripheral Device Discovery

T1120

System Information Discovery

description	ioc	Process
File opened (read-only)	\??\D:	explorer.exe
File opened (read-only)	\??\F:	explorer.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
125	raw.githubusercontent.com
126	raw.githubusercontent.com

Drops file in System32 directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\SET4745.tmp	INSTALLER.exe
File created	C:\Windows\SysWOW64\SET4745.tmp	INSTALLER.exe
File opened for modification	C:\Windows\SysWOW64\msvcp50.dll	INSTALLER.exe

Drops file in Windows directory 56 IoCs

description	ioc	Process
File opened for modification	C:\Windows\msagent\SET41E6.tmp	INSTALLER.exe
File opened for modification	C:\Windows\msagent\SET41E4.tmp	INSTALLER.exe
File opened for modification	C:\Windows\msagent\AgentAnm.dll	INSTALLER.exe
File created	C:\Windows\lhsp\tv\SET4741.tmp	INSTALLER.exe
File opened for modification	C:\Windows\lhsp\help\SET4742.tmp	INSTALLER.exe
File opened for modification	C:\Windows\msagent\SET41D4.tmp	INSTALLER.exe
File opened for modification	C:\Windows\msagent\SET41FA.tmp	INSTALLER.exe
File created	C:\Windows\fonts\SET4743.tmp	INSTALLER.exe
File created	C:\Windows\msagent\SET41FA.tmp	INSTALLER.exe
File opened for modification	C:\Windows\lhsp\tv\SET4741.tmp	INSTALLER.exe
File created	C:\Windows\msagent\SET41E4.tmp	INSTALLER.exe
File created	C:\Windows\msagent\SET421C.tmp	INSTALLER.exe
File opened for modification	C:\Windows\msagent\SET41D2.tmp	INSTALLER.exe
File opened for modification	C:\Windows\INF\SET4744.tmp	INSTALLER.exe
File created	C:\Windows\executables.bin	Bonzify.exe
File opened for modification	C:\Windows\msagent\AgentSvr.exe	INSTALLER.exe
File opened for modification	C:\Windows\msagent\AgentMPx.dll	INSTALLER.exe
File opened for modification	C:\Windows\msagent\AgentPsh.dll	INSTALLER.exe
File created	C:\Windows\msagent\intl\SET420C.tmp	INSTALLER.exe
File opened for modification	C:\Windows\lhsp\tv\tv_enua.dll	INSTALLER.exe
File opened for modification	C:\Windows\msagent\AgentDp2.dll	INSTALLER.exe
File opened for modification	C:\Windows\msagent\AgentSR.dll	INSTALLER.exe
File created	C:\Windows\help\SET41FB.tmp	INSTALLER.exe
File opened for modification	C:\Windows\lhsp\tv\SET4740.tmp	INSTALLER.exe
File created	C:\Windows\msagent\SET41E5.tmp	INSTALLER.exe
File opened for modification	C:\Windows\msagent\SET41E7.tmp	INSTALLER.exe
File created	C:\Windows\lhsp\help\SET4742.tmp	INSTALLER.exe
File created	C:\Windows\msagent\SET41D2.tmp	INSTALLER.exe
File opened for modification	C:\Windows\msagent\AgentCtl.dll	INSTALLER.exe
File opened for modification	C:\Windows\msagent\mslwvtts.dll	INSTALLER.exe
File opened for modification	C:\Windows\help\SET41FB.tmp	INSTALLER.exe
File opened for modification	C:\Windows\help\Agt0409.hlp	INSTALLER.exe
File opened for modification	C:\Windows\msagent\SET421C.tmp	INSTALLER.exe
File created	C:\Windows\msagent\chars\Bonzi.acs	Bonzify.exe
File created	C:\Windows\msagent\SET41D3.tmp	INSTALLER.exe
File opened for modification	C:\Windows\fonts\SET4743.tmp	INSTALLER.exe
File created	C:\Windows\msagent\SET41E7.tmp	INSTALLER.exe
File created	C:\Windows\INF\SET41F9.tmp	INSTALLER.exe
File created	C:\Windows\INF\SET4744.tmp	INSTALLER.exe
File created	C:\Windows\msagent\SET41D4.tmp	INSTALLER.exe
File opened for modification	C:\Windows\INF\agtinst.inf	INSTALLER.exe
File opened for modification	C:\Windows\msagent\intl\SET420C.tmp	INSTALLER.exe
File opened for modification	C:\Windows\msagent\intl\Agt0409.dll	INSTALLER.exe
File created	C:\Windows\lhsp\tv\SET4740.tmp	INSTALLER.exe
File opened for modification	C:\Windows\lhsp\help\tv_enua.hlp	INSTALLER.exe
File opened for modification	C:\Windows\msagent\SET41E5.tmp	INSTALLER.exe
File opened for modification	C:\Windows\msagent\AgtCtl15.tlb	INSTALLER.exe
File opened for modification	C:\Windows\INF\tv_enua.inf	INSTALLER.exe
File opened for modification	C:\Windows\msagent\SET41D3.tmp	INSTALLER.exe
File created	C:\Windows\msagent\SET41E6.tmp	INSTALLER.exe
File created	C:\Windows\msagent\SET41F8.tmp	INSTALLER.exe
File opened for modification	C:\Windows\INF\SET41F9.tmp	INSTALLER.exe
File opened for modification	C:\Windows\msagent\AgentDPv.dll	INSTALLER.exe
File opened for modification	C:\Windows\msagent\SET41F8.tmp	INSTALLER.exe
File opened for modification	C:\Windows\lhsp\tv\tvenuax.dll	INSTALLER.exe
File opened for modification	C:\Windows\fonts\andmoipa.ttf	INSTALLER.exe

Checks SCSI registry key(s) 3 TTPs 36 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

Peripheral Device Discovery

T1120

System Information Discovery

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	explorer.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

System Information Discovery

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Kills process with taskkill 1 IoCs

evasion

pid	Process
3756	taskkill.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{F5BE8BC2-7DE6-11D0-91FE-00C04FD701A5}\1.5\0\win32	AgentSvr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{F5BE8BD1-7DE6-11D0-91FE-00C04FD701A5}\TypeLib\ = "{F5BE8BC2-7DE6-11D0-91FE-00C04FD701A5}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{F5BE8BD4-7DE6-11D0-91FE-00C04FD701A5}\ = "_AgentEvents"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4BAC124B-78C8-11D1-B9A8-00C04FD97575}\InprocServer32\ = "C:\\Windows\\msagent\\AgentMPx.dll"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{A7B93C8B-7B81-11D0-AC5F-00C04FD97575}\ProxyStubClsid32	AgentSvr.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{00D18159-8466-11D0-AC63-00C04FD97575}\ProxyStubClsid32	AgentSvr.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{D6589123-FC70-11D0-AC94-00C04FD97575}	AgentSvr.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{A7B93C85-7B81-11D0-AC5F-00C04FD97575}	AgentSvr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{6BA90C00-3910-11D1-ACB3-00C04FD97575}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	AgentSvr.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F5BE8BD2-7DE6-11D0-91FE-00C04FD701A5}\ProgID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{A7B93C89-7B81-11D0-AC5F-00C04FD97575}\TypeLib\ = "{A7B93C73-7B81-11D0-AC5F-00C04FD97575}"	AgentSvr.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{B0913410-3B44-11D1-ACBA-00C04FD97575}\TypeLib	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D45FD31D-5C6E-11D1-9EC1-00C04FD7081F}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{6BA90C00-3910-11D1-ACB3-00C04FD97575}\ = "IAgentCommandsEx"	AgentSvr.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{F5BE8BDF-7DE6-11D0-91FE-00C04FD701A5}\ProxyStubClsid32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{A7B93C80-7B81-11D0-AC5F-00C04FD97575}\TypeLib\ = "{A7B93C73-7B81-11D0-AC5F-00C04FD97575}"	AgentSvr.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{F5BE8BD9-7DE6-11D0-91FE-00C04FD701A5}\ProxyStubClsid32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{F5BE8BD3-7DE6-11D0-91FE-00C04FD701A5}\TypeLib	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{F5BE8BE1-7DE6-11D0-91FE-00C04FD701A5}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{A7B93CA0-7B81-11D0-AC5F-00C04FD97575}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	AgentSvr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{A7B93C8D-7B81-11D0-AC5F-00C04FD97575}\TypeLib\Version = "2.0"	AgentSvr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{08C75162-3C9C-11D1-91FE-00C04FD701A5}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	AgentSvr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{A7B93C8D-7B81-11D0-AC5F-00C04FD97575}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	AgentSvr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{DE8EF600-2F82-11D1-ACAC-00C04FD97575}\TypeLib\ = "{F5BE8BC2-7DE6-11D0-91FE-00C04FD701A5}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{DE8EF600-2F82-11D1-ACAC-00C04FD97575}\ = "IAgentCtlCharacterEx"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{8563FF20-8ECC-11D1-B9B4-00C04FD97575}\ = "IAgentCtlEx"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{48D12BA0-5B77-11D1-9EC1-00C04FD7081F}\TypeLib\Version = "2.0"	AgentSvr.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{00D18159-8466-11D0-AC63-00C04FD97575}\TypeLib	AgentSvr.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{F5BE8BC2-7DE6-11D0-91FE-00C04FD701A5}\2.0	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{6D0ECB27-9968-11D0-AC6E-00C04FD97575}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00D18159-8466-11D0-AC63-00C04FD97575}\TypeLib\ = "{A7B93C73-7B81-11D0-AC5F-00C04FD97575}"	AgentSvr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{08C75162-3C9C-11D1-91FE-00C04FD701A5}\TypeLib\ = "{A7B93C73-7B81-11D0-AC5F-00C04FD97575}"	AgentSvr.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{D6589123-FC70-11D0-AC94-00C04FD97575}\2.0\HELPDIR	AgentSvr.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F5BE8BD2-7DE6-11D0-91FE-00C04FD701A5}\Version	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{A7B93C80-7B81-11D0-AC5F-00C04FD97575}\TypeLib\Version = "2.0"	AgentSvr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{A7B93C8F-7B81-11D0-AC5F-00C04FD97575}\TypeLib\Version = "2.0"	AgentSvr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F5BE8BD2-7DE6-11D0-91FE-00C04FD701A5}\ProgID\ = "Agent.Control.1"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{B0913410-3B44-11D1-ACBA-00C04FD97575}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{95A893C3-543A-11D0-AC45-00C04FD97575}\InprocServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{B0913412-3B44-11D1-ACBA-00C04FD97575}\TypeLib	AgentSvr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{6BA90C00-3910-11D1-ACB3-00C04FD97575}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	AgentSvr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{B8F2846E-CE36-11D0-AC83-00C04FD97575}\InprocServer32\ = "C:\\Windows\\lhsp\\tv\\tvenuax.dll"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Agent.Control.2	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{F5BE8BE1-7DE6-11D0-91FE-00C04FD701A5}\TypeLib\Version = "2.0"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{8563FF20-8ECC-11D1-B9B4-00C04FD97575}\ProxyStubClsid32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Agent.Server	AgentSvr.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{A7B93C80-7B81-11D0-AC5F-00C04FD97575}\TypeLib	AgentSvr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{A7B93C83-7B81-11D0-AC5F-00C04FD97575}\ = "IAgentCommand"	AgentSvr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{A7B93C85-7B81-11D0-AC5F-00C04FD97575}\TypeLib\ = "{A7B93C73-7B81-11D0-AC5F-00C04FD97575}"	AgentSvr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Agent.Control.2\CLSID\ = "{D45FD31B-5C6E-11D1-9EC1-00C04FD7081F}"	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D45FD31B-5C6E-11D1-9EC1-00C04FD7081F}\MiscStatus	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F5BE8BD2-7DE6-11D0-91FE-00C04FD701A5}\MiscStatus	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{B0913410-3B44-11D1-ACBA-00C04FD97575}\TypeLib\Version = "2.0"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{98BBE491-2EED-11D1-ACAC-00C04FD97575}\TypeLib\ = "{A7B93C73-7B81-11D0-AC5F-00C04FD97575}"	AgentSvr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{B0913412-3B44-11D1-ACBA-00C04FD97575}\TypeLib\ = "{A7B93C73-7B81-11D0-AC5F-00C04FD97575}"	AgentSvr.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{D7A6D440-8872-11D1-9EC6-00C04FD7081F}\TypeLib	AgentSvr.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{F5BE8BDD-7DE6-11D0-91FE-00C04FD701A5}\TypeLib	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{F5BE8BD4-7DE6-11D0-91FE-00C04FD701A5}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Agent.Server.2	AgentSvr.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D45FD31B-5C6E-11D1-9EC1-00C04FD7081F}\ProgID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{F5BE8BD1-7DE6-11D0-91FE-00C04FD701A5}\TypeLib	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{D7A6D440-8872-11D1-9EC6-00C04FD7081F}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	AgentSvr.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{F5BE8BF0-7DE6-11D0-91FE-00C04FD701A5}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{A7B93C8F-7B81-11D0-AC5F-00C04FD97575}\ = "IAgentCharacter"	AgentSvr.exe

NTFS ADS 1 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 631289.crdownload:SmartScreen	msedge.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

pid	Process
2708	msedge.exe
2708	msedge.exe
3588	msedge.exe
3588	msedge.exe
3180	identity_helper.exe
3180	identity_helper.exe
5804	msedge.exe
5804	msedge.exe
4812	msedge.exe
4812	msedge.exe
788	Bonzify.exe
788	Bonzify.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 14 IoCs

pid	Process
3588	msedge.exe
3588	msedge.exe
3588	msedge.exe
3588	msedge.exe
3588	msedge.exe
3588	msedge.exe
3588	msedge.exe
3588	msedge.exe
3588	msedge.exe
3588	msedge.exe
3588	msedge.exe
3588	msedge.exe
3588	msedge.exe
3588	msedge.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	3756	taskkill.exe
Token: SeTakeOwnershipPrivilege	5544	takeown.exe
Token: SeTakeOwnershipPrivilege	3264	takeown.exe
Token: SeTakeOwnershipPrivilege	1580	takeown.exe
Token: SeTakeOwnershipPrivilege	3028	takeown.exe
Token: SeTakeOwnershipPrivilege	4576	takeown.exe
Token: SeTakeOwnershipPrivilege	5880	takeown.exe
Token: SeTakeOwnershipPrivilege	3472	takeown.exe
Token: SeTakeOwnershipPrivilege	2788	takeown.exe
Token: SeTakeOwnershipPrivilege	3372	takeown.exe
Token: SeTakeOwnershipPrivilege	1156	takeown.exe
Token: SeTakeOwnershipPrivilege	6084	takeown.exe
Token: 33	536	AgentSvr.exe
Token: SeIncBasePriorityPrivilege	536	AgentSvr.exe
Token: SeTakeOwnershipPrivilege	5824	takeown.exe
Token: SeTakeOwnershipPrivilege	5720	takeown.exe
Token: SeTakeOwnershipPrivilege	5416	takeown.exe
Token: SeTakeOwnershipPrivilege	5556	takeown.exe
Token: SeTakeOwnershipPrivilege	1632	takeown.exe
Token: SeTakeOwnershipPrivilege	5696	takeown.exe
Token: SeTakeOwnershipPrivilege	2848	takeown.exe
Token: SeTakeOwnershipPrivilege	4916	takeown.exe
Token: SeTakeOwnershipPrivilege	1688	takeown.exe
Token: 33	5152	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	5152	AUDIODG.EXE
Token: SeTakeOwnershipPrivilege	4612	takeown.exe
Token: SeTakeOwnershipPrivilege	3528	takeown.exe
Token: SeTakeOwnershipPrivilege	4724	takeown.exe
Token: SeTakeOwnershipPrivilege	4388	takeown.exe
Token: SeTakeOwnershipPrivilege	116	takeown.exe
Token: SeTakeOwnershipPrivilege	5232	takeown.exe
Token: SeTakeOwnershipPrivilege	2548	takeown.exe
Token: SeTakeOwnershipPrivilege	4392	takeown.exe
Token: SeTakeOwnershipPrivilege	4200	takeown.exe
Token: SeTakeOwnershipPrivilege	4928	takeown.exe
Token: SeTakeOwnershipPrivilege	5260	takeown.exe
Token: SeTakeOwnershipPrivilege	6108	takeown.exe
Token: SeTakeOwnershipPrivilege	1300	takeown.exe
Token: SeTakeOwnershipPrivilege	3504	takeown.exe
Token: SeTakeOwnershipPrivilege	1576	takeown.exe
Token: SeTakeOwnershipPrivilege	3128	takeown.exe
Token: SeTakeOwnershipPrivilege	5804	takeown.exe
Token: SeTakeOwnershipPrivilege	5524	takeown.exe
Token: SeTakeOwnershipPrivilege	5980	takeown.exe
Token: SeTakeOwnershipPrivilege	5484	takeown.exe
Token: SeTakeOwnershipPrivilege	2724	takeown.exe
Token: SeTakeOwnershipPrivilege	5396	takeown.exe
Token: SeTakeOwnershipPrivilege	5688	takeown.exe
Token: SeTakeOwnershipPrivilege	5708	takeown.exe
Token: SeTakeOwnershipPrivilege	1728	takeown.exe
Token: SeTakeOwnershipPrivilege	1688	takeown.exe
Token: SeTakeOwnershipPrivilege	2520	takeown.exe
Token: SeTakeOwnershipPrivilege	2680	takeown.exe
Token: SeTakeOwnershipPrivilege	4852	takeown.exe
Token: SeTakeOwnershipPrivilege	4424	takeown.exe
Token: SeTakeOwnershipPrivilege	5520	takeown.exe
Token: SeTakeOwnershipPrivilege	2940	takeown.exe
Token: SeTakeOwnershipPrivilege	5780	takeown.exe
Token: SeTakeOwnershipPrivilege	832	takeown.exe
Token: SeTakeOwnershipPrivilege	220	takeown.exe
Token: SeTakeOwnershipPrivilege	4004	takeown.exe
Token: SeTakeOwnershipPrivilege	4396	takeown.exe
Token: SeTakeOwnershipPrivilege	4212	takeown.exe
Token: SeTakeOwnershipPrivilege	1824	takeown.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
3588	msedge.exe
3588	msedge.exe
3588	msedge.exe
3588	msedge.exe
3588	msedge.exe
3588	msedge.exe
3588	msedge.exe
3588	msedge.exe
3588	msedge.exe
3588	msedge.exe
3588	msedge.exe
3588	msedge.exe
3588	msedge.exe
3588	msedge.exe
3588	msedge.exe
3588	msedge.exe
3588	msedge.exe
3588	msedge.exe
3588	msedge.exe
3588	msedge.exe
3588	msedge.exe
3588	msedge.exe
3588	msedge.exe
3588	msedge.exe
3588	msedge.exe
3588	msedge.exe
3588	msedge.exe
3588	msedge.exe
3588	msedge.exe
3588	msedge.exe
3588	msedge.exe
3588	msedge.exe
3588	msedge.exe
3588	msedge.exe
3588	msedge.exe
3588	msedge.exe
3588	msedge.exe
3588	msedge.exe
3588	msedge.exe
3588	msedge.exe
3588	msedge.exe
3588	msedge.exe
3588	msedge.exe
3588	msedge.exe
3588	msedge.exe
3588	msedge.exe
3588	msedge.exe
3588	msedge.exe
3588	msedge.exe
3588	msedge.exe
3588	msedge.exe
3588	msedge.exe
3588	msedge.exe
3588	msedge.exe
3588	msedge.exe
3588	msedge.exe
3588	msedge.exe
3588	msedge.exe
3588	msedge.exe
3588	msedge.exe
3588	msedge.exe
3588	msedge.exe
3588	msedge.exe
3588	msedge.exe

Suspicious use of SendNotifyMessage 39 IoCs

pid	Process
3588	msedge.exe
3588	msedge.exe
3588	msedge.exe
3588	msedge.exe
3588	msedge.exe
3588	msedge.exe
3588	msedge.exe
3588	msedge.exe
3588	msedge.exe
3588	msedge.exe
3588	msedge.exe
3588	msedge.exe
3588	msedge.exe
3588	msedge.exe
3588	msedge.exe
3588	msedge.exe
3588	msedge.exe
3588	msedge.exe
3588	msedge.exe
3588	msedge.exe
3588	msedge.exe
3588	msedge.exe
3588	msedge.exe
3588	msedge.exe
536	AgentSvr.exe
536	AgentSvr.exe
5392	explorer.exe
5392	explorer.exe
5392	explorer.exe
5392	explorer.exe
5392	explorer.exe
5392	explorer.exe
5392	explorer.exe
5392	explorer.exe
5392	explorer.exe
5392	explorer.exe
5392	explorer.exe
5588	explorer.exe
5588	explorer.exe

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
788	Bonzify.exe
6080	INSTALLER.exe
4920	AgentSvr.exe
5032	INSTALLER.exe
536	AgentSvr.exe
6000	StartMenuExperienceHost.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3588 wrote to memory of 4156	3588	msedge.exe	88
PID 3588 wrote to memory of 4156	3588	msedge.exe	88
PID 3588 wrote to memory of 4936	3588	msedge.exe	89
PID 3588 wrote to memory of 4936	3588	msedge.exe	89
PID 3588 wrote to memory of 4936	3588	msedge.exe	89
PID 3588 wrote to memory of 4936	3588	msedge.exe	89
PID 3588 wrote to memory of 4936	3588	msedge.exe	89
PID 3588 wrote to memory of 4936	3588	msedge.exe	89
PID 3588 wrote to memory of 4936	3588	msedge.exe	89
PID 3588 wrote to memory of 4936	3588	msedge.exe	89
PID 3588 wrote to memory of 4936	3588	msedge.exe	89
PID 3588 wrote to memory of 4936	3588	msedge.exe	89
PID 3588 wrote to memory of 4936	3588	msedge.exe	89
PID 3588 wrote to memory of 4936	3588	msedge.exe	89
PID 3588 wrote to memory of 4936	3588	msedge.exe	89
PID 3588 wrote to memory of 4936	3588	msedge.exe	89
PID 3588 wrote to memory of 4936	3588	msedge.exe	89
PID 3588 wrote to memory of 4936	3588	msedge.exe	89
PID 3588 wrote to memory of 4936	3588	msedge.exe	89
PID 3588 wrote to memory of 4936	3588	msedge.exe	89
PID 3588 wrote to memory of 4936	3588	msedge.exe	89
PID 3588 wrote to memory of 4936	3588	msedge.exe	89
PID 3588 wrote to memory of 4936	3588	msedge.exe	89
PID 3588 wrote to memory of 4936	3588	msedge.exe	89
PID 3588 wrote to memory of 4936	3588	msedge.exe	89
PID 3588 wrote to memory of 4936	3588	msedge.exe	89
PID 3588 wrote to memory of 4936	3588	msedge.exe	89
PID 3588 wrote to memory of 4936	3588	msedge.exe	89
PID 3588 wrote to memory of 4936	3588	msedge.exe	89
PID 3588 wrote to memory of 4936	3588	msedge.exe	89
PID 3588 wrote to memory of 4936	3588	msedge.exe	89
PID 3588 wrote to memory of 4936	3588	msedge.exe	89
PID 3588 wrote to memory of 4936	3588	msedge.exe	89
PID 3588 wrote to memory of 4936	3588	msedge.exe	89
PID 3588 wrote to memory of 4936	3588	msedge.exe	89
PID 3588 wrote to memory of 4936	3588	msedge.exe	89
PID 3588 wrote to memory of 4936	3588	msedge.exe	89
PID 3588 wrote to memory of 4936	3588	msedge.exe	89
PID 3588 wrote to memory of 4936	3588	msedge.exe	89
PID 3588 wrote to memory of 4936	3588	msedge.exe	89
PID 3588 wrote to memory of 4936	3588	msedge.exe	89
PID 3588 wrote to memory of 4936	3588	msedge.exe	89
PID 3588 wrote to memory of 2708	3588	msedge.exe	90
PID 3588 wrote to memory of 2708	3588	msedge.exe	90
PID 3588 wrote to memory of 2252	3588	msedge.exe	91
PID 3588 wrote to memory of 2252	3588	msedge.exe	91
PID 3588 wrote to memory of 2252	3588	msedge.exe	91
PID 3588 wrote to memory of 2252	3588	msedge.exe	91
PID 3588 wrote to memory of 2252	3588	msedge.exe	91
PID 3588 wrote to memory of 2252	3588	msedge.exe	91
PID 3588 wrote to memory of 2252	3588	msedge.exe	91
PID 3588 wrote to memory of 2252	3588	msedge.exe	91
PID 3588 wrote to memory of 2252	3588	msedge.exe	91
PID 3588 wrote to memory of 2252	3588	msedge.exe	91
PID 3588 wrote to memory of 2252	3588	msedge.exe	91
PID 3588 wrote to memory of 2252	3588	msedge.exe	91
PID 3588 wrote to memory of 2252	3588	msedge.exe	91
PID 3588 wrote to memory of 2252	3588	msedge.exe	91
PID 3588 wrote to memory of 2252	3588	msedge.exe	91
PID 3588 wrote to memory of 2252	3588	msedge.exe	91
PID 3588 wrote to memory of 2252	3588	msedge.exe	91
PID 3588 wrote to memory of 2252	3588	msedge.exe	91
PID 3588 wrote to memory of 2252	3588	msedge.exe	91
PID 3588 wrote to memory of 2252	3588	msedge.exe	91

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://bonzify.exe
1⤵
- Enumerates system info in registry
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3588
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffa98c546f8,0x7ffa98c54708,0x7ffa98c54718
  2⤵
  PID:4156
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1844,94712926474034401,1068784867214600710,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2136 /prefetch:2
  2⤵
  PID:4936
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1844,94712926474034401,1068784867214600710,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2388 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2708
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1844,94712926474034401,1068784867214600710,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2848 /prefetch:8
  2⤵
  PID:2252
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1844,94712926474034401,1068784867214600710,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3312 /prefetch:1
  2⤵
  PID:2880
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1844,94712926474034401,1068784867214600710,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3368 /prefetch:1
  2⤵
  PID:1276
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1844,94712926474034401,1068784867214600710,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4212 /prefetch:1
  2⤵
  PID:2772
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1844,94712926474034401,1068784867214600710,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3472 /prefetch:1
  2⤵
  PID:4608
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1844,94712926474034401,1068784867214600710,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4616 /prefetch:1
  2⤵
  PID:4548
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1844,94712926474034401,1068784867214600710,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4048 /prefetch:1
  2⤵
  PID:3092
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1844,94712926474034401,1068784867214600710,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3976 /prefetch:8
  2⤵
  PID:4576
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1844,94712926474034401,1068784867214600710,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3976 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3180
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1844,94712926474034401,1068784867214600710,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4108 /prefetch:1
  2⤵
  PID:2700
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1844,94712926474034401,1068784867214600710,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3508 /prefetch:1
  2⤵
  PID:3388
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1844,94712926474034401,1068784867214600710,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5696 /prefetch:1
  2⤵
  PID:3872
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1844,94712926474034401,1068784867214600710,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5484 /prefetch:1
  2⤵
  PID:2788
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1844,94712926474034401,1068784867214600710,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3352 /prefetch:1
  2⤵
  PID:3780
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1844,94712926474034401,1068784867214600710,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6032 /prefetch:1
  2⤵
  PID:1908
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=1844,94712926474034401,1068784867214600710,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=6268 /prefetch:8
  2⤵
  PID:5796
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --field-trial-handle=1844,94712926474034401,1068784867214600710,131072 --lang=en-US --service-sandbox-type=video_capture --mojo-platform-channel-handle=6240 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5804
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1844,94712926474034401,1068784867214600710,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5656 /prefetch:1
  2⤵
  PID:5400
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=1844,94712926474034401,1068784867214600710,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=6240 /prefetch:8
  2⤵
  PID:2880
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1844,94712926474034401,1068784867214600710,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5976 /prefetch:1
  2⤵
  PID:2300
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1844,94712926474034401,1068784867214600710,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=1848 /prefetch:8
  2⤵
  PID:3360
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1844,94712926474034401,1068784867214600710,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6060 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4812

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4464

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2344

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:3700

C:\Users\Admin\Downloads\Bonzify.exe
"C:\Users\Admin\Downloads\Bonzify.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:788
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\KillAgent.bat"
  2⤵
  PID:2976
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im AgentSvr.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:3756
- - C:\Windows\SysWOW64\takeown.exe
    takeown /r /d y /f C:\Windows\MsAgent
    3⤵
    PID:6036
- - C:\Windows\SysWOW64\icacls.exe
    icacls C:\Windows\MsAgent /c /t /grant "everyone":(f)
    3⤵
    PID:5324
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework\v2.0.50727\ilasm.exe"
  2⤵
  PID:388
- - C:\Windows\SysWOW64\takeown.exe
    takeown /f "C:\Windows\Microsoft.NET\Framework\v2.0.50727\ilasm.exe"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:5544
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Windows\Microsoft.NET\Framework\v2.0.50727\ilasm.exe" /grant "everyone":(f)
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    PID:612
- C:\Users\Admin\AppData\Local\Temp\INSTALLER.exe
  INSTALLER.exe /q
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  - Suspicious use of SetWindowsHookEx
  PID:6080
- - C:\Windows\SysWOW64\regsvr32.exe
    regsvr32 /s "C:\Windows\msagent\AgentCtl.dll"
    3⤵
    - Loads dropped DLL
    - Modifies registry class
    PID:5676
- - C:\Windows\SysWOW64\regsvr32.exe
    regsvr32 /s "C:\Windows\msagent\AgentDPv.dll"
    3⤵
    - Loads dropped DLL
    PID:5596
- - C:\Windows\SysWOW64\regsvr32.exe
    regsvr32 /s "C:\Windows\msagent\mslwvtts.dll"
    3⤵
    - Loads dropped DLL
    - Modifies registry class
    PID:5520
- - C:\Windows\SysWOW64\regsvr32.exe
    regsvr32 /s "C:\Windows\msagent\AgentDP2.dll"
    3⤵
    - Loads dropped DLL
    PID:4128
- - C:\Windows\SysWOW64\regsvr32.exe
    regsvr32 /s "C:\Windows\msagent\AgentMPx.dll"
    3⤵
    - Loads dropped DLL
    - Modifies registry class
    PID:4968
- - C:\Windows\SysWOW64\regsvr32.exe
    regsvr32 /s "C:\Windows\msagent\AgentSR.dll"
    3⤵
    - Loads dropped DLL
    PID:4612
- - C:\Windows\SysWOW64\regsvr32.exe
    regsvr32 /s "C:\Windows\msagent\AgentPsh.dll"
    3⤵
    - Loads dropped DLL
    PID:2680
- - C:\Windows\msagent\AgentSvr.exe
    "C:\Windows\msagent\AgentSvr.exe" /regserver
    3⤵
    - Executes dropped EXE
    - Modifies registry class
    - Suspicious use of SetWindowsHookEx
    PID:4920
- - C:\Windows\SysWOW64\grpconv.exe
    grpconv.exe -o
    3⤵
    PID:4676
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe"
  2⤵
  PID:536
- - C:\Windows\SysWOW64\takeown.exe
    takeown /f "C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:3264
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe" /grant "everyone":(f)
    3⤵
    PID:3984
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework\v2.0.50727\jsc.exe"
  2⤵
  PID:3664
- - C:\Windows\SysWOW64\takeown.exe
    takeown /f "C:\Windows\Microsoft.NET\Framework\v2.0.50727\jsc.exe"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1580
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Windows\Microsoft.NET\Framework\v2.0.50727\jsc.exe" /grant "everyone":(f)
    3⤵
    PID:5668
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe"
  2⤵
  PID:3548
- - C:\Windows\SysWOW64\takeown.exe
    takeown /f "C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe"
    3⤵
    - Modifies file permissions
    - Suspicious use of AdjustPrivilegeToken
    PID:3028
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe" /grant "everyone":(f)
    3⤵
    PID:5592
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe"
  2⤵
  PID:2192
- - C:\Windows\SysWOW64\takeown.exe
    takeown /f "C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe"
    3⤵
    - Possible privilege escalation attempt
    - Suspicious use of AdjustPrivilegeToken
    PID:4576
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe" /grant "everyone":(f)
    3⤵
    PID:948
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen.exe"
  2⤵
  PID:1052
- - C:\Windows\SysWOW64\takeown.exe
    takeown /f "C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen.exe"
    3⤵
    - Possible privilege escalation attempt
    - Suspicious use of AdjustPrivilegeToken
    PID:5880
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen.exe" /grant "everyone":(f)
    3⤵
    - Modifies file permissions
    PID:4664
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
  2⤵
  PID:3216
- - C:\Windows\SysWOW64\takeown.exe
    takeown /f "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:3472
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe" /grant "everyone":(f)
    3⤵
    PID:3820
- C:\Users\Admin\AppData\Local\Temp\INSTALLER.exe
  INSTALLER.exe /q
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Suspicious use of SetWindowsHookEx
  PID:5032
- - C:\Windows\SysWOW64\regsvr32.exe
    regsvr32 /s C:\Windows\lhsp\tv\tv_enua.dll
    3⤵
    - Loads dropped DLL
    PID:2344
- - C:\Windows\SysWOW64\regsvr32.exe
    regsvr32 /s C:\Windows\lhsp\tv\tvenuax.dll
    3⤵
    - Loads dropped DLL
    - Modifies registry class
    PID:3504
- - C:\Windows\SysWOW64\grpconv.exe
    grpconv.exe -o
    3⤵
    PID:5376
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"
  2⤵
  PID:3108
- - C:\Windows\SysWOW64\takeown.exe
    takeown /f "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"
    3⤵
    - Possible privilege escalation attempt
    - Suspicious use of AdjustPrivilegeToken
    PID:2788
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe" /grant "everyone":(f)
    3⤵
    PID:6048
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
  2⤵
  PID:3128
- - C:\Windows\SysWOW64\takeown.exe
    takeown /f "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:3372
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /grant "everyone":(f)
    3⤵
    PID:1108
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\ComSvcConfig.exe"
  2⤵
  PID:5804
- - C:\Windows\SysWOW64\takeown.exe
    takeown /f "C:\Windows\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\ComSvcConfig.exe"
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    - Suspicious use of AdjustPrivilegeToken
    PID:1156
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Windows\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\ComSvcConfig.exe" /grant "everyone":(f)
    3⤵
    PID:5248
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\ServiceModelReg.exe"
  2⤵
  PID:5812
- - C:\Windows\SysWOW64\takeown.exe
    takeown /f "C:\Windows\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\ServiceModelReg.exe"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:6084
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Windows\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\ServiceModelReg.exe" /grant "everyone":(f)
    3⤵
    PID:6060
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\SMConfigInstaller.exe"
  2⤵
  PID:5980
- - C:\Windows\SysWOW64\takeown.exe
    takeown /f "C:\Windows\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\SMConfigInstaller.exe"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:5824
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Windows\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\SMConfigInstaller.exe" /grant "everyone":(f)
    3⤵
    PID:4104
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\SMSvcHost.exe"
  2⤵
  PID:5480
- - C:\Windows\SysWOW64\takeown.exe
    takeown /f "C:\Windows\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\SMSvcHost.exe"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:5720
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Windows\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\SMSvcHost.exe" /grant "everyone":(f)
    3⤵
    - Possible privilege escalation attempt
    PID:4440
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\WsatConfig.exe"
  2⤵
  PID:4808
- - C:\Windows\SysWOW64\takeown.exe
    takeown /f "C:\Windows\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\WsatConfig.exe"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:5416
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Windows\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\WsatConfig.exe" /grant "everyone":(f)
    3⤵
    PID:5924
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework\v3.0\WPF\XamlViewer\XamlViewer_v0300.exe"
  2⤵
  PID:5540
- - C:\Windows\SysWOW64\takeown.exe
    takeown /f "C:\Windows\Microsoft.NET\Framework\v3.0\WPF\XamlViewer\XamlViewer_v0300.exe"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:5556
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Windows\Microsoft.NET\Framework\v3.0\WPF\XamlViewer\XamlViewer_v0300.exe" /grant "everyone":(f)
    3⤵
    PID:3100
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework\v3.5\AddInProcess.exe"
  2⤵
  PID:4788
- - C:\Windows\SysWOW64\takeown.exe
    takeown /f "C:\Windows\Microsoft.NET\Framework\v3.5\AddInProcess.exe"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1632
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Windows\Microsoft.NET\Framework\v3.5\AddInProcess.exe" /grant "everyone":(f)
    3⤵
    PID:2244
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework\v3.5\AddInProcess32.exe"
  2⤵
  PID:5020
- - C:\Windows\SysWOW64\takeown.exe
    takeown /f "C:\Windows\Microsoft.NET\Framework\v3.5\AddInProcess32.exe"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:5696
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Windows\Microsoft.NET\Framework\v3.5\AddInProcess32.exe" /grant "everyone":(f)
    3⤵
    - Modifies file permissions
    PID:620
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework\v3.5\AddInUtil.exe"
  2⤵
  PID:2264
- - C:\Windows\SysWOW64\takeown.exe
    takeown /f "C:\Windows\Microsoft.NET\Framework\v3.5\AddInUtil.exe"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2848
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Windows\Microsoft.NET\Framework\v3.5\AddInUtil.exe" /grant "everyone":(f)
    3⤵
    - Modifies file permissions
    PID:5744
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework\v3.5\csc.exe"
  2⤵
  PID:3284
- - C:\Windows\SysWOW64\takeown.exe
    takeown /f "C:\Windows\Microsoft.NET\Framework\v3.5\csc.exe"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:4916
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Windows\Microsoft.NET\Framework\v3.5\csc.exe" /grant "everyone":(f)
    3⤵
    PID:5576
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework\v3.5\DataSvcUtil.exe"
  2⤵
  PID:5004
- - C:\Windows\SysWOW64\takeown.exe
    takeown /f "C:\Windows\Microsoft.NET\Framework\v3.5\DataSvcUtil.exe"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1688
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Windows\Microsoft.NET\Framework\v3.5\DataSvcUtil.exe" /grant "everyone":(f)
    3⤵
    PID:2196
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework\v3.5\EdmGen.exe"
  2⤵
  PID:1960
- - C:\Windows\SysWOW64\takeown.exe
    takeown /f "C:\Windows\Microsoft.NET\Framework\v3.5\EdmGen.exe"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:4612
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Windows\Microsoft.NET\Framework\v3.5\EdmGen.exe" /grant "everyone":(f)
    3⤵
    PID:2488
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework\v3.5\MSBuild.exe"
  2⤵
  PID:4952
- - C:\Windows\SysWOW64\takeown.exe
    takeown /f "C:\Windows\Microsoft.NET\Framework\v3.5\MSBuild.exe"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:3528
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Windows\Microsoft.NET\Framework\v3.5\MSBuild.exe" /grant "everyone":(f)
    3⤵
    - Possible privilege escalation attempt
    PID:3920
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework\v3.5\vbc.exe"
  2⤵
  PID:2236
- - C:\Windows\SysWOW64\takeown.exe
    takeown /f "C:\Windows\Microsoft.NET\Framework\v3.5\vbc.exe"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:4724
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Windows\Microsoft.NET\Framework\v3.5\vbc.exe" /grant "everyone":(f)
    3⤵
    - Possible privilege escalation attempt
    PID:5856
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework\v3.5\WFServicesReg.exe"
  2⤵
  PID:5752
- - C:\Windows\SysWOW64\takeown.exe
    takeown /f "C:\Windows\Microsoft.NET\Framework\v3.5\WFServicesReg.exe"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:4388
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Windows\Microsoft.NET\Framework\v3.5\WFServicesReg.exe" /grant "everyone":(f)
    3⤵
    PID:4484
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess.exe"
  2⤵
  PID:5760
- - C:\Windows\SysWOW64\takeown.exe
    takeown /f "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess.exe"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:116
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess.exe" /grant "everyone":(f)
    3⤵
    PID:3744
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
  2⤵
  PID:1964
- - C:\Windows\SysWOW64\takeown.exe
    takeown /f "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
    3⤵
    - Modifies file permissions
    - Suspicious use of AdjustPrivilegeToken
    PID:5232
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe" /grant "everyone":(f)
    3⤵
    PID:3860
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInUtil.exe"
  2⤵
  PID:3472
- - C:\Windows\SysWOW64\takeown.exe
    takeown /f "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInUtil.exe"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2548
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInUtil.exe" /grant "everyone":(f)
    3⤵
    PID:4936
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
  2⤵
  PID:5864
- - C:\Windows\SysWOW64\takeown.exe
    takeown /f "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:4392
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe" /grant "everyone":(f)
    3⤵
    PID:384
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"
  2⤵
  PID:2496
- - C:\Windows\SysWOW64\takeown.exe
    takeown /f "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:4200
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe" /grant "everyone":(f)
    3⤵
    PID:3188
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe"
  2⤵
  PID:1556
- - C:\Windows\SysWOW64\takeown.exe
    takeown /f "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:4928
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe" /grant "everyone":(f)
    3⤵
    PID:2160
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe"
  2⤵
  PID:5124
- - C:\Windows\SysWOW64\takeown.exe
    takeown /f "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:5260
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe" /grant "everyone":(f)
    3⤵
    PID:5272
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regsql.exe"
  2⤵
  PID:3520
- - C:\Windows\SysWOW64\takeown.exe
    takeown /f "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regsql.exe"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:6108
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regsql.exe" /grant "everyone":(f)
    3⤵
    PID:6132
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_state.exe"
  2⤵
  PID:5380
- - C:\Windows\SysWOW64\takeown.exe
    takeown /f "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_state.exe"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1300
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_state.exe" /grant "everyone":(f)
    3⤵
    PID:2344
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe"
  2⤵
  PID:1360
- - C:\Windows\SysWOW64\takeown.exe
    takeown /f "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:3504
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe" /grant "everyone":(f)
    3⤵
    PID:612
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe"
  2⤵
  PID:4608
- - C:\Windows\SysWOW64\takeown.exe
    takeown /f "C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1576
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe" /grant "everyone":(f)
    3⤵
    PID:5976
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework\v4.0.30319\ComSvcConfig.exe"
  2⤵
  PID:856
- - C:\Windows\SysWOW64\takeown.exe
    takeown /f "C:\Windows\Microsoft.NET\Framework\v4.0.30319\ComSvcConfig.exe"
    3⤵
    - Possible privilege escalation attempt
    - Suspicious use of AdjustPrivilegeToken
    PID:3128
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Windows\Microsoft.NET\Framework\v4.0.30319\ComSvcConfig.exe" /grant "everyone":(f)
    3⤵
    PID:5368
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe"
  2⤵
  PID:456
- - C:\Windows\SysWOW64\takeown.exe
    takeown /f "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:5804
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /grant "everyone":(f)
    3⤵
    - Possible privilege escalation attempt
    PID:6000
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe"
  2⤵
  PID:5968
- - C:\Windows\SysWOW64\takeown.exe
    takeown /f "C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:5524
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe" /grant "everyone":(f)
    3⤵
    PID:3096
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework\v4.0.30319\DataSvcUtil.exe"
  2⤵
  PID:5824
- - C:\Windows\SysWOW64\takeown.exe
    takeown /f "C:\Windows\Microsoft.NET\Framework\v4.0.30319\DataSvcUtil.exe"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:5980
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Windows\Microsoft.NET\Framework\v4.0.30319\DataSvcUtil.exe" /grant "everyone":(f)
    3⤵
    - Modifies file permissions
    PID:6004
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework\v4.0.30319\dfsvc.exe"
  2⤵
  PID:4580
- - C:\Windows\SysWOW64\takeown.exe
    takeown /f "C:\Windows\Microsoft.NET\Framework\v4.0.30319\dfsvc.exe"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:5484
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Windows\Microsoft.NET\Framework\v4.0.30319\dfsvc.exe" /grant "everyone":(f)
    3⤵
    - Modifies file permissions
    PID:5440
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework\v4.0.30319\EdmGen.exe"
  2⤵
  PID:1132
- - C:\Windows\SysWOW64\takeown.exe
    takeown /f "C:\Windows\Microsoft.NET\Framework\v4.0.30319\EdmGen.exe"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2724
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Windows\Microsoft.NET\Framework\v4.0.30319\EdmGen.exe" /grant "everyone":(f)
    3⤵
    - Modifies file permissions
    PID:1508
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe"
  2⤵
  PID:1188
- - C:\Windows\SysWOW64\takeown.exe
    takeown /f "C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:5396
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe" /grant "everyone":(f)
    3⤵
    PID:3540
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
  2⤵
  PID:3080
- - C:\Windows\SysWOW64\takeown.exe
    takeown /f "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:5688
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe" /grant "everyone":(f)
    3⤵
    PID:4812
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe"
  2⤵
  PID:5616
- - C:\Windows\SysWOW64\takeown.exe
    takeown /f "C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe"
    3⤵
    - Possible privilege escalation attempt
    - Suspicious use of AdjustPrivilegeToken
    PID:5708
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe" /grant "everyone":(f)
    3⤵
    PID:5668
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework\v4.0.30319\Microsoft.Workflow.Compiler.exe"
  2⤵
  PID:5672
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:2848
- - C:\Windows\SysWOW64\takeown.exe
    takeown /f "C:\Windows\Microsoft.NET\Framework\v4.0.30319\Microsoft.Workflow.Compiler.exe"
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    - Suspicious use of AdjustPrivilegeToken
    PID:1728
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Windows\Microsoft.NET\Framework\v4.0.30319\Microsoft.Workflow.Compiler.exe" /grant "everyone":(f)
    3⤵
    PID:2980
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
  2⤵
  PID:2148
- - C:\Windows\SysWOW64\takeown.exe
    takeown /f "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
    3⤵
    - Modifies file permissions
    - Suspicious use of AdjustPrivilegeToken
    PID:1688
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe" /grant "everyone":(f)
    3⤵
    PID:2196
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe"
  2⤵
  PID:2052
- - C:\Windows\SysWOW64\takeown.exe
    takeown /f "C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2520
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe" /grant "everyone":(f)
    3⤵
    PID:4784
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe"
  2⤵
  PID:1648
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:1960
- - C:\Windows\SysWOW64\takeown.exe
    takeown /f "C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2680
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe" /grant "everyone":(f)
    3⤵
    PID:5880
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe"
  2⤵
  PID:4180
- - C:\Windows\SysWOW64\takeown.exe
    takeown /f "C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:4852
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe" /grant "everyone":(f)
    3⤵
    PID:3988
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
  2⤵
  PID:5860
- - C:\Windows\SysWOW64\takeown.exe
    takeown /f "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
    3⤵
    - Modifies file permissions
    - Suspicious use of AdjustPrivilegeToken
    PID:4424
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe" /grant "everyone":(f)
    3⤵
    PID:5772
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
  2⤵
  PID:3508
- - C:\Windows\SysWOW64\takeown.exe
    takeown /f "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:5520
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe" /grant "everyone":(f)
    3⤵
    PID:3812
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework\v4.0.30319\ServiceModelReg.exe"
  2⤵
  PID:3744
- - C:\Windows\SysWOW64\takeown.exe
    takeown /f "C:\Windows\Microsoft.NET\Framework\v4.0.30319\ServiceModelReg.exe"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2940
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Windows\Microsoft.NET\Framework\v4.0.30319\ServiceModelReg.exe" /grant "everyone":(f)
    3⤵
    PID:548
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework\v4.0.30319\SMSvcHost.exe"
  2⤵
  PID:3860
- - C:\Windows\SysWOW64\takeown.exe
    takeown /f "C:\Windows\Microsoft.NET\Framework\v4.0.30319\SMSvcHost.exe"
    3⤵
    - Modifies file permissions
    - Suspicious use of AdjustPrivilegeToken
    PID:5780
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Windows\Microsoft.NET\Framework\v4.0.30319\SMSvcHost.exe" /grant "everyone":(f)
    3⤵
    PID:4752
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
  2⤵
  PID:2252
- - C:\Windows\SysWOW64\takeown.exe
    takeown /f "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
    3⤵
    - Possible privilege escalation attempt
    - Suspicious use of AdjustPrivilegeToken
    PID:832
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" /grant "everyone":(f)
    3⤵
    PID:5392
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework\v4.0.30319\WsatConfig.exe"
  2⤵
  PID:1732
- - C:\Windows\SysWOW64\takeown.exe
    takeown /f "C:\Windows\Microsoft.NET\Framework\v4.0.30319\WsatConfig.exe"
    3⤵
    - Possible privilege escalation attempt
    - Suspicious use of AdjustPrivilegeToken
    PID:220
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Windows\Microsoft.NET\Framework\v4.0.30319\WsatConfig.exe" /grant "everyone":(f)
    3⤵
    PID:6112
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\AppLaunch.exe"
  2⤵
  PID:2864
- - C:\Windows\SysWOW64\takeown.exe
    takeown /f "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\AppLaunch.exe"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:4004
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\AppLaunch.exe" /grant "everyone":(f)
    3⤵
    PID:2752
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\aspnet_compiler.exe"
  2⤵
  PID:5176
- - C:\Windows\SysWOW64\takeown.exe
    takeown /f "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\aspnet_compiler.exe"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:4396
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\aspnet_compiler.exe" /grant "everyone":(f)
    3⤵
    PID:4620
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\aspnet_regbrowsers.exe"
  2⤵
  PID:1256
- - C:\Windows\SysWOW64\takeown.exe
    takeown /f "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\aspnet_regbrowsers.exe"
    3⤵
    - Modifies file permissions
    - Suspicious use of AdjustPrivilegeToken
    PID:4212
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\aspnet_regbrowsers.exe" /grant "everyone":(f)
    3⤵
    - Possible privilege escalation attempt
    PID:3700
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\aspnet_regiis.exe"
  2⤵
  PID:3200
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:6132
- - C:\Windows\SysWOW64\takeown.exe
    takeown /f "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\aspnet_regiis.exe"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1824
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\aspnet_regiis.exe" /grant "everyone":(f)
    3⤵
    PID:5784
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\aspnet_regsql.exe"
  2⤵
  PID:5340
- - C:\Windows\SysWOW64\takeown.exe
    takeown /f "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\aspnet_regsql.exe"
    3⤵
    PID:5336
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\aspnet_regsql.exe" /grant "everyone":(f)
    3⤵
    - Possible privilege escalation attempt
    PID:5448
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\aspnet_state.exe"
  2⤵
  PID:5724
- - C:\Windows\SysWOW64\takeown.exe
    takeown /f "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\aspnet_state.exe"
    3⤵
    PID:6064
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\aspnet_state.exe" /grant "everyone":(f)
    3⤵
    PID:4988
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\aspnet_wp.exe"
  2⤵
  PID:1704
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:5976
- - C:\Windows\SysWOW64\takeown.exe
    takeown /f "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\aspnet_wp.exe"
    3⤵
    - Possible privilege escalation attempt
    PID:4796
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\aspnet_wp.exe" /grant "everyone":(f)
    3⤵
    PID:5776
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\CasPol.exe"
  2⤵
  PID:4780
- - C:\Windows\SysWOW64\takeown.exe
    takeown /f "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\CasPol.exe"
    3⤵
    PID:5032
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\CasPol.exe" /grant "everyone":(f)
    3⤵
    - Modifies file permissions
    PID:2396
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe"
  2⤵
  PID:4084
- - C:\Windows\SysWOW64\takeown.exe
    takeown /f "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe"
    3⤵
    - Modifies file permissions
    PID:4412
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /grant "everyone":(f)
    3⤵
    PID:6060
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe"
  2⤵
  PID:4356
- - C:\Windows\SysWOW64\takeown.exe
    takeown /f "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe"
    3⤵
    PID:5812
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe" /grant "everyone":(f)
    3⤵
    PID:1908
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dfsvc.exe"
  2⤵
  PID:5988
- - C:\Windows\SysWOW64\takeown.exe
    takeown /f "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dfsvc.exe"
    3⤵
    - Modifies file permissions
    PID:4372
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dfsvc.exe" /grant "everyone":(f)
    3⤵
    PID:412
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dw20.exe"
  2⤵
  PID:5452
- - C:\Windows\SysWOW64\takeown.exe
    takeown /f "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dw20.exe"
    3⤵
    PID:5836
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dw20.exe" /grant "everyone":(f)
    3⤵
    PID:5440
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\IEExec.exe"
  2⤵
  PID:5816
- - C:\Windows\SysWOW64\takeown.exe
    takeown /f "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\IEExec.exe"
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    PID:4408
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\IEExec.exe" /grant "everyone":(f)
    3⤵
    PID:2724
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ilasm.exe"
  2⤵
  PID:2296
- - C:\Windows\SysWOW64\takeown.exe
    takeown /f "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ilasm.exe"
    3⤵
    PID:5828
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ilasm.exe" /grant "everyone":(f)
    3⤵
    - Possible privilege escalation attempt
    PID:4788
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\InstallUtil.exe"
  2⤵
  PID:3956
- - C:\Windows\SysWOW64\takeown.exe
    takeown /f "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\InstallUtil.exe"
    3⤵
    PID:5688
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\InstallUtil.exe" /grant "everyone":(f)
    3⤵
    PID:3848
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\jsc.exe"
  2⤵
  PID:1152
- - C:\Windows\SysWOW64\takeown.exe
    takeown /f "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\jsc.exe"
    3⤵
    PID:396
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\jsc.exe" /grant "everyone":(f)
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    PID:1096
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\Ldr64.exe"
  2⤵
  PID:1728
- - C:\Windows\SysWOW64\takeown.exe
    takeown /f "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\Ldr64.exe"
    3⤵
    PID:1580
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\Ldr64.exe" /grant "everyone":(f)
    3⤵
    PID:5692
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\MSBuild.exe"
  2⤵
  PID:4128
- - C:\Windows\SysWOW64\takeown.exe
    takeown /f "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\MSBuild.exe"
    3⤵
    - Possible privilege escalation attempt
    PID:2148
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\MSBuild.exe" /grant "everyone":(f)
    3⤵
    PID:5584
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe"
  2⤵
  PID:4216
- - C:\Windows\SysWOW64\takeown.exe
    takeown /f "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe"
    3⤵
    PID:4968
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe" /grant "everyone":(f)
    3⤵
    PID:1884
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen.exe"
  2⤵
  PID:5984
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:2680
- - C:\Windows\SysWOW64\takeown.exe
    takeown /f "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen.exe"
    3⤵
    PID:1064
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen.exe" /grant "everyone":(f)
    3⤵
    PID:4952
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\RegAsm.exe"
  2⤵
  PID:1052
- - C:\Windows\SysWOW64\takeown.exe
    takeown /f "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\RegAsm.exe"
    3⤵
    PID:4852
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\RegAsm.exe" /grant "everyone":(f)
    3⤵
    PID:6124
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\RegSvcs.exe"
  2⤵
  PID:5060
- - C:\Windows\SysWOW64\takeown.exe
    takeown /f "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\RegSvcs.exe"
    3⤵
    PID:5860
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\RegSvcs.exe" /grant "everyone":(f)
    3⤵
    - Possible privilege escalation attempt
    PID:2728
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe"
  2⤵
  PID:4564
- - C:\Windows\SysWOW64\takeown.exe
    takeown /f "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe"
    3⤵
    PID:3508
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /grant "everyone":(f)
    3⤵
    PID:5764
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework64\v3.0\Windows Communication Foundation\ComSvcConfig.exe"
  2⤵
  PID:4076
- - C:\Windows\SysWOW64\takeown.exe
    takeown /f "C:\Windows\Microsoft.NET\Framework64\v3.0\Windows Communication Foundation\ComSvcConfig.exe"
    3⤵
    PID:3488
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Windows\Microsoft.NET\Framework64\v3.0\Windows Communication Foundation\ComSvcConfig.exe" /grant "everyone":(f)
    3⤵
    - Modifies file permissions
    PID:4264
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework64\v3.0\Windows Communication Foundation\ServiceModelReg.exe"
  2⤵
  PID:2708
- - C:\Windows\SysWOW64\takeown.exe
    takeown /f "C:\Windows\Microsoft.NET\Framework64\v3.0\Windows Communication Foundation\ServiceModelReg.exe"
    3⤵
    PID:1184
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Windows\Microsoft.NET\Framework64\v3.0\Windows Communication Foundation\ServiceModelReg.exe" /grant "everyone":(f)
    3⤵
    PID:836
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework64\v3.0\Windows Communication Foundation\SMConfigInstaller.exe"
  2⤵
  PID:5372
- - C:\Windows\SysWOW64\takeown.exe
    takeown /f "C:\Windows\Microsoft.NET\Framework64\v3.0\Windows Communication Foundation\SMConfigInstaller.exe"
    3⤵
    PID:4696
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Windows\Microsoft.NET\Framework64\v3.0\Windows Communication Foundation\SMConfigInstaller.exe" /grant "everyone":(f)
    3⤵
    PID:3340
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework64\v3.0\Windows Communication Foundation\SMSvcHost.exe"
  2⤵
  PID:2932
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:4392
- - C:\Windows\SysWOW64\takeown.exe
    takeown /f "C:\Windows\Microsoft.NET\Framework64\v3.0\Windows Communication Foundation\SMSvcHost.exe"
    3⤵
    PID:4112
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Windows\Microsoft.NET\Framework64\v3.0\Windows Communication Foundation\SMSvcHost.exe" /grant "everyone":(f)
    3⤵
    PID:3300
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework64\v3.0\Windows Communication Foundation\WsatConfig.exe"
  2⤵
  PID:2132
- - C:\Windows\SysWOW64\takeown.exe
    takeown /f "C:\Windows\Microsoft.NET\Framework64\v3.0\Windows Communication Foundation\WsatConfig.exe"
    3⤵
    PID:5308
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Windows\Microsoft.NET\Framework64\v3.0\Windows Communication Foundation\WsatConfig.exe" /grant "everyone":(f)
    3⤵
    PID:4488
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework64\v3.0\WPF\PresentationFontCache.exe"
  2⤵
  PID:3420
- - C:\Windows\SysWOW64\takeown.exe
    takeown /f "C:\Windows\Microsoft.NET\Framework64\v3.0\WPF\PresentationFontCache.exe"
    3⤵
    - Modifies file permissions
    PID:5256
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Windows\Microsoft.NET\Framework64\v3.0\WPF\PresentationFontCache.exe" /grant "everyone":(f)
    3⤵
    PID:5280
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework64\v3.0\WPF\XamlViewer\XamlViewer_v0300.exe"
  2⤵
  PID:2788
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:5124
- - C:\Windows\SysWOW64\takeown.exe
    takeown /f "C:\Windows\Microsoft.NET\Framework64\v3.0\WPF\XamlViewer\XamlViewer_v0300.exe"
    3⤵
    PID:3952
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Windows\Microsoft.NET\Framework64\v3.0\WPF\XamlViewer\XamlViewer_v0300.exe" /grant "everyone":(f)
    3⤵
    PID:112
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework64\v3.5\AddInProcess.exe"
  2⤵
  PID:3836
- - C:\Windows\SysWOW64\takeown.exe
    takeown /f "C:\Windows\Microsoft.NET\Framework64\v3.5\AddInProcess.exe"
    3⤵
    - Modifies file permissions
    PID:3108
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Windows\Microsoft.NET\Framework64\v3.5\AddInProcess.exe" /grant "everyone":(f)
    3⤵
    PID:6072
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework64\v3.5\AddInProcess32.exe"
  2⤵
  PID:2584
- - C:\Windows\SysWOW64\takeown.exe
    takeown /f "C:\Windows\Microsoft.NET\Framework64\v3.5\AddInProcess32.exe"
    3⤵
    - Possible privilege escalation attempt
    PID:3512
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Windows\Microsoft.NET\Framework64\v3.5\AddInProcess32.exe" /grant "everyone":(f)
    3⤵
    - Possible privilege escalation attempt
    PID:5376
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework64\v3.5\AddInUtil.exe"
  2⤵
  PID:6136
- - C:\Windows\SysWOW64\takeown.exe
    takeown /f "C:\Windows\Microsoft.NET\Framework64\v3.5\AddInUtil.exe"
    3⤵
    - Modifies file permissions
    PID:5328
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Windows\Microsoft.NET\Framework64\v3.5\AddInUtil.exe" /grant "everyone":(f)
    3⤵
    PID:5140
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework64\v3.5\csc.exe"
  2⤵
  PID:1704
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:4608
- - C:\Windows\SysWOW64\takeown.exe
    takeown /f "C:\Windows\Microsoft.NET\Framework64\v3.5\csc.exe"
    3⤵
    PID:5996
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Windows\Microsoft.NET\Framework64\v3.5\csc.exe" /grant "everyone":(f)
    3⤵
    PID:1012
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework64\v3.5\DataSvcUtil.exe"
  2⤵
  PID:4436
- - C:\Windows\SysWOW64\takeown.exe
    takeown /f "C:\Windows\Microsoft.NET\Framework64\v3.5\DataSvcUtil.exe"
    3⤵
    PID:3264
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Windows\Microsoft.NET\Framework64\v3.5\DataSvcUtil.exe" /grant "everyone":(f)
    3⤵
    PID:5788
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework64\v3.5\EdmGen.exe"
  2⤵
  PID:6052
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:6000
- - C:\Windows\SysWOW64\takeown.exe
    takeown /f "C:\Windows\Microsoft.NET\Framework64\v3.5\EdmGen.exe"
    3⤵
    PID:2756
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Windows\Microsoft.NET\Framework64\v3.5\EdmGen.exe" /grant "everyone":(f)
    3⤵
    PID:5968
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework64\v3.5\MSBuild.exe"
  2⤵
  PID:4356
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:5524
- - C:\Windows\SysWOW64\takeown.exe
    takeown /f "C:\Windows\Microsoft.NET\Framework64\v3.5\MSBuild.exe"
    3⤵
    PID:4512
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Windows\Microsoft.NET\Framework64\v3.5\MSBuild.exe" /grant "everyone":(f)
    3⤵
    - Possible privilege escalation attempt
    PID:3984
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework64\v3.5\vbc.exe"
  2⤵
  PID:5444
- - C:\Windows\SysWOW64\takeown.exe
    takeown /f "C:\Windows\Microsoft.NET\Framework64\v3.5\vbc.exe"
    3⤵
    - Modifies file permissions
    PID:5468
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Windows\Microsoft.NET\Framework64\v3.5\vbc.exe" /grant "everyone":(f)
    3⤵
    PID:5900
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework64\v3.5\WFServicesReg.exe"
  2⤵
  PID:5536
- - C:\Windows\SysWOW64\takeown.exe
    takeown /f "C:\Windows\Microsoft.NET\Framework64\v3.5\WFServicesReg.exe"
    3⤵
    PID:5840
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Windows\Microsoft.NET\Framework64\v3.5\WFServicesReg.exe" /grant "everyone":(f)
    3⤵
    PID:4208
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess.exe"
  2⤵
  PID:5092
- - C:\Windows\SysWOW64\takeown.exe
    takeown /f "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess.exe"
    3⤵
    PID:6092
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess.exe" /grant "everyone":(f)
    3⤵
    PID:3540
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe"
  2⤵
  PID:5808
- - C:\Windows\SysWOW64\takeown.exe
    takeown /f "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe"
    3⤵
    PID:4528
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe" /grant "everyone":(f)
    3⤵
    PID:1048
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInUtil.exe"
  2⤵
  PID:2228
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:5688
- - C:\Windows\SysWOW64\takeown.exe
    takeown /f "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInUtil.exe"
    3⤵
    PID:5596
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInUtil.exe" /grant "everyone":(f)
    3⤵
    PID:5616
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AppLaunch.exe"
  2⤵
  PID:1152
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:5708
- - C:\Windows\SysWOW64\takeown.exe
    takeown /f "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AppLaunch.exe"
    3⤵
    - Possible privilege escalation attempt
    PID:3492
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AppLaunch.exe" /grant "everyone":(f)
    3⤵
    PID:2772
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe"
  2⤵
  PID:1580
- - C:\Windows\SysWOW64\takeown.exe
    takeown /f "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe"
    3⤵
    PID:4720
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe" /grant "everyone":(f)
    3⤵
    PID:5004
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_regbrowsers.exe"
  2⤵
  PID:5660
- - C:\Windows\SysWOW64\takeown.exe
    takeown /f "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_regbrowsers.exe"
    3⤵
    PID:5608
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_regbrowsers.exe" /grant "everyone":(f)
    3⤵
    - Possible privilege escalation attempt
    PID:4576
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_regiis.exe"
  2⤵
  PID:948
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:4216
- - C:\Windows\SysWOW64\takeown.exe
    takeown /f "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_regiis.exe"
    3⤵
    PID:5880
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_regiis.exe" /grant "everyone":(f)
    3⤵
    PID:5512
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_regsql.exe"
  2⤵
  PID:4856
- - C:\Windows\SysWOW64\takeown.exe
    takeown /f "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_regsql.exe"
    3⤵
    PID:3244
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_regsql.exe" /grant "everyone":(f)
    3⤵
    PID:3708
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe"
  2⤵
  PID:4180
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:3988
- - C:\Windows\SysWOW64\takeown.exe
    takeown /f "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe"
    3⤵
    - Possible privilege escalation attempt
    PID:4424
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe" /grant "everyone":(f)
    3⤵
    PID:1776
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_wp.exe"
  2⤵
  PID:2236
- - C:\Windows\SysWOW64\takeown.exe
    takeown /f "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_wp.exe"
    3⤵
    PID:5520
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_wp.exe" /grant "everyone":(f)
    3⤵
    PID:4556
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CasPol.exe"
  2⤵
  PID:2212
- - C:\Windows\SysWOW64\takeown.exe
    takeown /f "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CasPol.exe"
    3⤵
    PID:4840
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CasPol.exe" /grant "everyone":(f)
    3⤵
    PID:1320
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ComSvcConfig.exe"
  2⤵
  PID:4864
- - C:\Windows\SysWOW64\takeown.exe
    takeown /f "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ComSvcConfig.exe"
    3⤵
    PID:548
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ComSvcConfig.exe" /grant "everyone":(f)
    3⤵
    PID:2300
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe"
  2⤵
  PID:3928
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:836
- - C:\Windows\SysWOW64\takeown.exe
    takeown /f "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe"
    3⤵
    PID:1092
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /grant "everyone":(f)
    3⤵
    PID:4504
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe"
  2⤵
  PID:8
- - C:\Windows\SysWOW64\takeown.exe
    takeown /f "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe"
    3⤵
    PID:5212
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe" /grant "everyone":(f)
    3⤵
    - Modifies file permissions
    PID:5220
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\DataSvcUtil.exe"
  2⤵
  PID:4212
- - C:\Windows\SysWOW64\takeown.exe
    takeown /f "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\DataSvcUtil.exe"
    3⤵
    - Modifies file permissions
    PID:3608
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\DataSvcUtil.exe" /grant "everyone":(f)
    3⤵
    PID:3504
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe"
  2⤵
  PID:3556
- - C:\Windows\SysWOW64\takeown.exe
    takeown /f "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe"
    3⤵
    PID:5244
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe" /grant "everyone":(f)
    3⤵
    PID:2912
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\EdmGen.exe"
  2⤵
  PID:1536
- - C:\Windows\SysWOW64\takeown.exe
    takeown /f "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\EdmGen.exe"
    3⤵
    PID:616
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\EdmGen.exe" /grant "everyone":(f)
    3⤵
    PID:2396
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ilasm.exe"
  2⤵
  PID:4412
- - C:\Windows\SysWOW64\takeown.exe
    takeown /f "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ilasm.exe"
    3⤵
    PID:4960
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ilasm.exe" /grant "everyone":(f)
    3⤵
    PID:704
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe"
  2⤵
  PID:5452
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:5900
- - C:\Windows\SysWOW64\takeown.exe
    takeown /f "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe"
    3⤵
    PID:1508
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe" /grant "everyone":(f)
    3⤵
    PID:3576
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\jsc.exe"
  2⤵
  PID:368
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:2772
- - C:\Windows\SysWOW64\takeown.exe
    takeown /f "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\jsc.exe"
    3⤵
    PID:5576
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\jsc.exe" /grant "everyone":(f)
    3⤵
    PID:5672
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Microsoft.Workflow.Compiler.exe"
  2⤵
  PID:4720
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:5584
- - C:\Windows\SysWOW64\takeown.exe
    takeown /f "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Microsoft.Workflow.Compiler.exe"
    3⤵
    - Modifies file permissions
    PID:4820
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Microsoft.Workflow.Compiler.exe" /grant "everyone":(f)
    3⤵
    - Possible privilege escalation attempt
    PID:1144
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe"
  2⤵
  PID:1276
- - C:\Windows\SysWOW64\takeown.exe
    takeown /f "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe"
    3⤵
    - Possible privilege escalation attempt
    PID:3920
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe" /grant "everyone":(f)
    3⤵
    PID:6124
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe"
  2⤵
  PID:1052
- - C:\Windows\SysWOW64\takeown.exe
    takeown /f "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe"
    3⤵
    PID:4204
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe" /grant "everyone":(f)
    3⤵
    PID:2236
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe"
  2⤵
  PID:4556
- - C:\Windows\SysWOW64\takeown.exe
    takeown /f "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe"
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    PID:900
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe" /grant "everyone":(f)
    3⤵
    PID:1320
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngentask.exe"
  2⤵
  PID:4564
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:5764
- - C:\Windows\SysWOW64\takeown.exe
    takeown /f "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngentask.exe"
    3⤵
    PID:4816
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngentask.exe" /grant "everyone":(f)
    3⤵
    PID:4704
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe"
  2⤵
  PID:3268
- - C:\Windows\SysWOW64\takeown.exe
    takeown /f "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe"
    3⤵
    PID:5372
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe" /grant "everyone":(f)
    3⤵
    PID:1148
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe"
  2⤵
  PID:428
- - C:\Windows\SysWOW64\takeown.exe
    takeown /f "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe"
    3⤵
    - Possible privilege escalation attempt
    PID:3088
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe" /grant "everyone":(f)
    3⤵
    PID:5108
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ServiceModelReg.exe"
  2⤵
  PID:5256
- - C:\Windows\SysWOW64\takeown.exe
    takeown /f "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ServiceModelReg.exe"
    3⤵
    PID:6036
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ServiceModelReg.exe" /grant "everyone":(f)
    3⤵
    PID:3608
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\SMSvcHost.exe"
  2⤵
  PID:2132
- - C:\Windows\SysWOW64\takeown.exe
    takeown /f "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\SMSvcHost.exe"
    3⤵
    - Possible privilege escalation attempt
    PID:2788
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\SMSvcHost.exe" /grant "everyone":(f)
    3⤵
    PID:3476
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exe"
  2⤵
  PID:5208
- - C:\Windows\SysWOW64\takeown.exe
    takeown /f "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exe"
    3⤵
    PID:4284
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exe" /grant "everyone":(f)
    3⤵
    PID:1704
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\WsatConfig.exe"
  2⤵
  PID:3972
- - C:\Windows\SysWOW64\takeown.exe
    takeown /f "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\WsatConfig.exe"
    3⤵
    PID:6084
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\WsatConfig.exe" /grant "everyone":(f)
    3⤵
    PID:6056
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\notepad.exe"
  2⤵
  PID:4540
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:5812
- - C:\Windows\SysWOW64\takeown.exe
    takeown /f "C:\Windows\notepad.exe"
    3⤵
    PID:3940
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Windows\notepad.exe" /grant "everyone":(f)
    3⤵
    PID:5964
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\PrintDialog\PrintDialog.exe"
  2⤵
  PID:4412
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:6060
- - C:\Windows\SysWOW64\takeown.exe
    takeown /f "C:\Windows\PrintDialog\PrintDialog.exe"
    3⤵
    PID:2400
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Windows\PrintDialog\PrintDialog.exe" /grant "everyone":(f)
    3⤵
    PID:5820
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\regedit.exe"
  2⤵
  PID:2860
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:2148
- - C:\Windows\SysWOW64\takeown.exe
    takeown /f "C:\Windows\regedit.exe"
    3⤵
    PID:1488
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Windows\regedit.exe" /grant "everyone":(f)
    3⤵
    PID:2620
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\servicing\TrustedInstaller.exe"
  2⤵
  PID:5664
- - C:\Windows\SysWOW64\takeown.exe
    takeown /f "C:\Windows\servicing\TrustedInstaller.exe"
    3⤵
    PID:1064
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Windows\servicing\TrustedInstaller.exe" /grant "everyone":(f)
    3⤵
    PID:3028
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Speech\Common\sapisvr.exe"
  2⤵
  PID:5904
- - C:\Windows\SysWOW64\takeown.exe
    takeown /f "C:\Windows\Speech\Common\sapisvr.exe"
    3⤵
    - Possible privilege escalation attempt
    PID:4556
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Windows\Speech\Common\sapisvr.exe" /grant "everyone":(f)
    3⤵
    PID:1060
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\splwow64.exe"
  2⤵
  PID:5372
- - C:\Windows\SysWOW64\takeown.exe
    takeown /f "C:\Windows\splwow64.exe"
    3⤵
    PID:2508
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Windows\splwow64.exe" /grant "everyone":(f)
    3⤵
    PID:3820
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\sysmon.exe"
  2⤵
  PID:2644
- - C:\Windows\SysWOW64\takeown.exe
    takeown /f "C:\Windows\sysmon.exe"
    3⤵
    PID:3340
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Windows\sysmon.exe" /grant "everyone":(f)
    3⤵
    PID:1368
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\System32\agentactivationruntimestarter.exe"
  2⤵
  PID:4532
- - C:\Windows\SysWOW64\takeown.exe
    takeown /f "C:\Windows\System32\agentactivationruntimestarter.exe"
    3⤵
    PID:3924
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Windows\System32\agentactivationruntimestarter.exe" /grant "everyone":(f)
    3⤵
    PID:4580
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\System32\appidtel.exe"
  2⤵
  PID:3644
- - C:\Windows\SysWOW64\takeown.exe
    takeown /f "C:\Windows\System32\appidtel.exe"
    3⤵
    PID:5632
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Windows\System32\appidtel.exe" /grant "everyone":(f)
    3⤵
    - Possible privilege escalation attempt
    PID:1104
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\System32\ARP.EXE"
  2⤵
  PID:1768
- - C:\Windows\SysWOW64\takeown.exe
    takeown /f "C:\Windows\System32\ARP.EXE"
    3⤵
    - Modifies file permissions
    PID:5924
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Windows\System32\ARP.EXE" /grant "everyone":(f)
    3⤵
    - Modifies file permissions
    PID:2044
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\System32\at.exe"
  2⤵
  PID:5680
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:4436
- - C:\Windows\SysWOW64\takeown.exe
    takeown /f "C:\Windows\System32\at.exe"
    3⤵
    - Possible privilege escalation attempt
    PID:2196
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Windows\System32\at.exe" /grant "everyone":(f)
    3⤵
    PID:4596
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\System32\AtBroker.exe"
  2⤵
  PID:2620
- - C:\Windows\SysWOW64\takeown.exe
    takeown /f "C:\Windows\System32\AtBroker.exe"
    3⤵
    - Possible privilege escalation attempt
    PID:2652
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Windows\System32\AtBroker.exe" /grant "everyone":(f)
    3⤵
    PID:1144
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\System32\attrib.exe"
  2⤵
  PID:4776
- - C:\Windows\SysWOW64\takeown.exe
    takeown /f "C:\Windows\System32\attrib.exe"
    3⤵
    PID:5040
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Windows\System32\attrib.exe" /grant "everyone":(f)
    3⤵
    PID:5648
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\System32\auditpol.exe"
  2⤵
  PID:1168
- - C:\Windows\SysWOW64\takeown.exe
    takeown /f "C:\Windows\System32\auditpol.exe"
    3⤵
    PID:616
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Windows\System32\auditpol.exe" /grant "everyone":(f)
    3⤵
    PID:3716
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\System32\autochk.exe"
  2⤵
  PID:1096
- - C:\Windows\SysWOW64\takeown.exe
    takeown /f "C:\Windows\System32\autochk.exe"
    3⤵
    - Modifies file permissions
    PID:3812
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Windows\System32\autochk.exe" /grant "everyone":(f)
    3⤵
    PID:4204
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\System32\autoconv.exe"
  2⤵
  PID:5004
- - C:\Windows\SysWOW64\takeown.exe
    takeown /f "C:\Windows\System32\autoconv.exe"
    3⤵
    PID:2932
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Windows\System32\autoconv.exe" /grant "everyone":(f)
    3⤵
    - Possible privilege escalation attempt
    PID:3820
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\System32\autofmt.exe"
  2⤵
  PID:3604
- - C:\Windows\SysWOW64\takeown.exe
    takeown /f "C:\Windows\System32\autofmt.exe"
    3⤵
    PID:5208
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Windows\System32\autofmt.exe" /grant "everyone":(f)
    3⤵
    PID:380
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\System32\backgroundTaskHost.exe"
  2⤵
  PID:2608
- - C:\Windows\SysWOW64\takeown.exe
    takeown /f "C:\Windows\System32\backgroundTaskHost.exe"
    3⤵
    PID:5424
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Windows\System32\backgroundTaskHost.exe" /grant "everyone":(f)
    3⤵
    PID:4532
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\System32\BackgroundTransferHost.exe"
  2⤵
  PID:4964
- - C:\Windows\SysWOW64\takeown.exe
    takeown /f "C:\Windows\System32\BackgroundTransferHost.exe"
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    PID:5112
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Windows\System32\BackgroundTransferHost.exe" /grant "everyone":(f)
    3⤵
    PID:5688
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\System32\bitsadmin.exe"
  2⤵
  PID:2260
- - C:\Windows\SysWOW64\takeown.exe
    takeown /f "C:\Windows\System32\bitsadmin.exe"
    3⤵
    PID:1008
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Windows\System32\bitsadmin.exe" /grant "everyone":(f)
    3⤵
    PID:5084
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\System32\bootcfg.exe"
  2⤵
  PID:3660
- - C:\Windows\SysWOW64\takeown.exe
    takeown /f "C:\Windows\System32\bootcfg.exe"
    3⤵
    PID:1412
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Windows\System32\bootcfg.exe" /grant "everyone":(f)
    3⤵
    - Modifies file permissions
    PID:5764
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\System32\bthudtask.exe"
  2⤵
  PID:524
- - C:\Windows\SysWOW64\takeown.exe
    takeown /f "C:\Windows\System32\bthudtask.exe"
    3⤵
    PID:4084
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Windows\System32\bthudtask.exe" /grant "everyone":(f)
    3⤵
    PID:5680
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\System32\ByteCodeGenerator.exe"
  2⤵
  PID:5184
- - C:\Windows\SysWOW64\takeown.exe
    takeown /f "C:\Windows\System32\ByteCodeGenerator.exe"
    3⤵
    PID:4592
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Windows\System32\ByteCodeGenerator.exe" /grant "everyone":(f)
    3⤵
    - Modifies file permissions
    PID:2520
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\System32\cacls.exe"
  2⤵
  PID:2620
- - C:\Windows\SysWOW64\takeown.exe
    takeown /f "C:\Windows\System32\cacls.exe"
    3⤵
    PID:5280
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Windows\System32\cacls.exe" /grant "everyone":(f)
    3⤵
    PID:5040
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\System32\calc.exe"
  2⤵
  PID:3756
- - C:\Windows\SysWOW64\takeown.exe
    takeown /f "C:\Windows\System32\calc.exe"
    3⤵
    PID:856
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Windows\System32\calc.exe" /grant "everyone":(f)
    3⤵
    PID:5100
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\System32\CameraSettingsUIHost.exe"
  2⤵
  PID:616
- - C:\Windows\SysWOW64\takeown.exe
    takeown /f "C:\Windows\System32\CameraSettingsUIHost.exe"
    3⤵
    PID:5324
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Windows\System32\CameraSettingsUIHost.exe" /grant "everyone":(f)
    3⤵
    PID:4664
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\System32\CertEnrollCtrl.exe"
  2⤵
  PID:1048
- - C:\Windows\SysWOW64\takeown.exe
    takeown /f "C:\Windows\System32\CertEnrollCtrl.exe"
    3⤵
    PID:5800
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Windows\System32\CertEnrollCtrl.exe" /grant "everyone":(f)
    3⤵
    PID:4796
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\System32\certreq.exe"
  2⤵
  PID:1648
- - C:\Windows\SysWOW64\takeown.exe
    takeown /f "C:\Windows\System32\certreq.exe"
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    PID:4368
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Windows\System32\certreq.exe" /grant "everyone":(f)
    3⤵
    PID:3244
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\System32\certutil.exe"
  2⤵
  PID:4948
- - C:\Windows\SysWOW64\takeown.exe
    takeown /f "C:\Windows\System32\certutil.exe"
    3⤵
    PID:5272
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Windows\System32\certutil.exe" /grant "everyone":(f)
    3⤵
    PID:2112
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\System32\charmap.exe"
  2⤵
  PID:1488
- - C:\Windows\SysWOW64\takeown.exe
    takeown /f "C:\Windows\System32\charmap.exe"
    3⤵
    PID:5848
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Windows\System32\charmap.exe" /grant "everyone":(f)
    3⤵
    PID:2524
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\System32\CheckNetIsolation.exe"
  2⤵
  PID:1188
- - C:\Windows\SysWOW64\takeown.exe
    takeown /f "C:\Windows\System32\CheckNetIsolation.exe"
    3⤵
    - Possible privilege escalation attempt
    PID:1100
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Windows\System32\CheckNetIsolation.exe" /grant "everyone":(f)
    3⤵
    PID:3836
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\System32\chkdsk.exe"
  2⤵
  PID:4968
- - C:\Windows\SysWOW64\takeown.exe
    takeown /f "C:\Windows\System32\chkdsk.exe"
    3⤵
    - Modifies file permissions
    PID:1096
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Windows\System32\chkdsk.exe" /grant "everyone":(f)
    3⤵
    PID:6124
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\System32\chkntfs.exe"
  2⤵
  PID:5804
- - C:\Windows\SysWOW64\takeown.exe
    takeown /f "C:\Windows\System32\chkntfs.exe"
    3⤵
    PID:6064
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Windows\System32\chkntfs.exe" /grant "everyone":(f)
    3⤵
    - Modifies file permissions
    PID:5328
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\System32\choice.exe"
  2⤵
  PID:5876
- - C:\Windows\SysWOW64\takeown.exe
    takeown /f "C:\Windows\System32\choice.exe"
    3⤵
    PID:3752
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Windows\System32\choice.exe" /grant "everyone":(f)
    3⤵
    - Possible privilege escalation attempt
    PID:4960
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\System32\cipher.exe"
  2⤵
  PID:3376
- - C:\Windows\SysWOW64\takeown.exe
    takeown /f "C:\Windows\System32\cipher.exe"
    3⤵
    PID:3604
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Windows\System32\cipher.exe" /grant "everyone":(f)
    3⤵
    PID:4284
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\System32\cleanmgr.exe"
  2⤵
  PID:5912
- - C:\Windows\SysWOW64\takeown.exe
    takeown /f "C:\Windows\System32\cleanmgr.exe"
    3⤵
    PID:2608
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Windows\System32\cleanmgr.exe" /grant "everyone":(f)
    3⤵
    - Possible privilege escalation attempt
    PID:5676
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\System32\cliconfg.exe"
  2⤵
  PID:2848
- - C:\Windows\SysWOW64\takeown.exe
    takeown /f "C:\Windows\System32\cliconfg.exe"
    3⤵
    - Modifies file permissions
    PID:4356
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Windows\System32\cliconfg.exe" /grant "everyone":(f)
    3⤵
    PID:5852
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\System32\clip.exe"
  2⤵
  PID:6060
- - C:\Windows\SysWOW64\takeown.exe
    takeown /f "C:\Windows\System32\clip.exe"
    3⤵
    PID:3936
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Windows\System32\clip.exe" /grant "everyone":(f)
    3⤵
    PID:4152
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\System32\CloudNotifications.exe"
  2⤵
  PID:3640
- - C:\Windows\SysWOW64\takeown.exe
    takeown /f "C:\Windows\System32\CloudNotifications.exe"
    3⤵
    PID:4552
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Windows\System32\CloudNotifications.exe" /grant "everyone":(f)
    3⤵
    PID:5220
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\System32\cmd.exe"
  2⤵
  PID:4472
- - C:\Windows\SysWOW64\takeown.exe
    takeown /f "C:\Windows\System32\cmd.exe"
    3⤵
    - Modifies file permissions
    PID:6088
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Windows\System32\cmd.exe" /grant "everyone":(f)
    3⤵
    PID:3052
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\System32\cmdkey.exe"
  2⤵
  PID:3704
- - C:\Windows\SysWOW64\takeown.exe
    takeown /f "C:\Windows\System32\cmdkey.exe"
    3⤵
    PID:3500
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Windows\System32\cmdkey.exe" /grant "everyone":(f)
    3⤵
    PID:5624
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\System32\cmdl32.exe"
  2⤵
  PID:3124
- - C:\Windows\SysWOW64\takeown.exe
    takeown /f "C:\Windows\System32\cmdl32.exe"
    3⤵
    PID:4708
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Windows\System32\cmdl32.exe" /grant "everyone":(f)
    3⤵
    - Modifies file permissions
    PID:2136
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\System32\cmmon32.exe"
  2⤵
  PID:5896
- - C:\Windows\SysWOW64\takeown.exe
    takeown /f "C:\Windows\System32\cmmon32.exe"
    3⤵
    - Possible privilege escalation attempt
    PID:5968
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Windows\System32\cmmon32.exe" /grant "everyone":(f)
    3⤵
    PID:4784
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\System32\cmstp.exe"
  2⤵
  PID:2008
- - C:\Windows\SysWOW64\takeown.exe
    takeown /f "C:\Windows\System32\cmstp.exe"
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    PID:4828
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Windows\System32\cmstp.exe" /grant "everyone":(f)
    3⤵
    PID:112
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\System32\colorcpl.exe"
  2⤵
  PID:3680
- - C:\Windows\SysWOW64\takeown.exe
    takeown /f "C:\Windows\System32\colorcpl.exe"
    3⤵
    PID:3100
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Windows\System32\colorcpl.exe" /grant "everyone":(f)
    3⤵
    PID:5184
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\System32\Com\comrepl.exe"
  2⤵
  PID:1152
- - C:\Windows\SysWOW64\takeown.exe
    takeown /f "C:\Windows\System32\Com\comrepl.exe"
    3⤵
    PID:4596
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Windows\System32\Com\comrepl.exe" /grant "everyone":(f)
    3⤵
    PID:6016
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\System32\Com\MigRegDB.exe"
  2⤵
  PID:5560
- - C:\Windows\SysWOW64\takeown.exe
    takeown /f "C:\Windows\System32\Com\MigRegDB.exe"
    3⤵
    PID:5252
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Windows\System32\Com\MigRegDB.exe" /grant "everyone":(f)
    3⤵
    PID:856
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\System32\comp.exe"
  2⤵
  PID:3796
- - C:\Windows\SysWOW64\takeown.exe
    takeown /f "C:\Windows\System32\comp.exe"
    3⤵
    PID:3244
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Windows\System32\comp.exe" /grant "everyone":(f)
    3⤵
    PID:4048
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\System32\compact.exe"
  2⤵
  PID:4528
- - C:\Windows\SysWOW64\takeown.exe
    takeown /f "C:\Windows\System32\compact.exe"
    3⤵
    PID:3080
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Windows\System32\compact.exe" /grant "everyone":(f)
    3⤵
    PID:1300
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\System32\ComputerDefaults.exe"
  2⤵
  PID:1908
- - C:\Windows\SysWOW64\takeown.exe
    takeown /f "C:\Windows\System32\ComputerDefaults.exe"
    3⤵
    PID:380
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Windows\System32\ComputerDefaults.exe" /grant "everyone":(f)
    3⤵
    PID:5596
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\System32\control.exe"
  2⤵
  PID:4216
- - C:\Windows\SysWOW64\takeown.exe
    takeown /f "C:\Windows\System32\control.exe"
    3⤵
    - Possible privilege escalation attempt
    PID:3672
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Windows\System32\control.exe" /grant "everyone":(f)
    3⤵
    PID:4492
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\System32\convert.exe"
  2⤵
  PID:4124
- - C:\Windows\SysWOW64\takeown.exe
    takeown /f "C:\Windows\System32\convert.exe"
    3⤵
    PID:3340
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Windows\System32\convert.exe" /grant "everyone":(f)
    3⤵
    PID:3792
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\System32\CredentialUIBroker.exe"
  2⤵
  PID:6048
- - C:\Windows\SysWOW64\takeown.exe
    takeown /f "C:\Windows\System32\CredentialUIBroker.exe"
    3⤵
    PID:2148
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Windows\System32\CredentialUIBroker.exe" /grant "everyone":(f)
    3⤵
    PID:3500
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\System32\credwiz.exe"
  2⤵
  PID:5624
- - C:\Windows\SysWOW64\takeown.exe
    takeown /f "C:\Windows\System32\credwiz.exe"
    3⤵
    PID:4292
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Windows\System32\credwiz.exe" /grant "everyone":(f)
    3⤵
    PID:3956
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\System32\cscript.exe"
  2⤵
  PID:2376
- - C:\Windows\SysWOW64\takeown.exe
    takeown /f "C:\Windows\System32\cscript.exe"
    3⤵
    - Possible privilege escalation attempt
    PID:2016
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Windows\System32\cscript.exe" /grant "everyone":(f)
    3⤵
    PID:5988
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\System32\ctfmon.exe"
  2⤵
  PID:4484
- - C:\Windows\SysWOW64\takeown.exe
    takeown /f "C:\Windows\System32\ctfmon.exe"
    3⤵
    PID:4828
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Windows\System32\ctfmon.exe" /grant "everyone":(f)
    3⤵
    PID:5432
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\System32\cttune.exe"
  2⤵
  PID:3784
- - C:\Windows\SysWOW64\takeown.exe
    takeown /f "C:\Windows\System32\cttune.exe"
    3⤵
    PID:4144
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Windows\System32\cttune.exe" /grant "everyone":(f)
    3⤵
    PID:3456
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\System32\cttunesvr.exe"
  2⤵
  PID:3004
- - C:\Windows\SysWOW64\takeown.exe
    takeown /f "C:\Windows\System32\cttunesvr.exe"
    3⤵
    PID:4592
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Windows\System32\cttunesvr.exe" /grant "everyone":(f)
    3⤵
    PID:4848
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\System32\curl.exe"
  2⤵
  PID:4820
- - C:\Windows\SysWOW64\takeown.exe
    takeown /f "C:\Windows\System32\curl.exe"
    3⤵
    PID:5168
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Windows\System32\curl.exe" /grant "everyone":(f)
    3⤵
    PID:3536
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\System32\dccw.exe"
  2⤵
  PID:5304
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:2396
- - C:\Windows\SysWOW64\takeown.exe
    takeown /f "C:\Windows\System32\dccw.exe"
    3⤵
    PID:740
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Windows\System32\dccw.exe" /grant "everyone":(f)
    3⤵
    PID:5272
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\System32\dcomcnfg.exe"
  2⤵
  PID:5900
- - C:\Windows\SysWOW64\takeown.exe
    takeown /f "C:\Windows\System32\dcomcnfg.exe"
    3⤵
    PID:1256
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Windows\System32\dcomcnfg.exe" /grant "everyone":(f)
    3⤵
    PID:5872
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\System32\ddodiag.exe"
  2⤵
  PID:5696
- - C:\Windows\SysWOW64\takeown.exe
    takeown /f "C:\Windows\System32\ddodiag.exe"
    3⤵
    PID:3856
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Windows\System32\ddodiag.exe" /grant "everyone":(f)
    3⤵
    PID:4436
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\System32\DevicePairingWizard.exe"
  2⤵
  PID:5292
- - C:\Windows\SysWOW64\takeown.exe
    takeown /f "C:\Windows\System32\DevicePairingWizard.exe"
    3⤵
    PID:2524
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Windows\System32\DevicePairingWizard.exe" /grant "everyone":(f)
    3⤵
    PID:4920
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\System32\dfrgui.exe"
  2⤵
  PID:1348
- - C:\Windows\SysWOW64\takeown.exe
    takeown /f "C:\Windows\System32\dfrgui.exe"
    3⤵
    - Possible privilege escalation attempt
    PID:412
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Windows\System32\dfrgui.exe" /grant "everyone":(f)
    3⤵
    PID:2268
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\System32\dialer.exe"
  2⤵
  PID:4908
- - C:\Windows\SysWOW64\takeown.exe
    takeown /f "C:\Windows\System32\dialer.exe"
    3⤵
    PID:4072
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Windows\System32\dialer.exe" /grant "everyone":(f)
    3⤵
    PID:3212
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\System32\diskpart.exe"
  2⤵
  PID:3868
- - C:\Windows\SysWOW64\takeown.exe
    takeown /f "C:\Windows\System32\diskpart.exe"
    3⤵
    PID:3028
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Windows\System32\diskpart.exe" /grant "everyone":(f)
    3⤵
    PID:5880
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\System32\diskperf.exe"
  2⤵
  PID:2708
- - C:\Windows\SysWOW64\takeown.exe
    takeown /f "C:\Windows\System32\diskperf.exe"
    3⤵
    PID:4600
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Windows\System32\diskperf.exe" /grant "everyone":(f)
    3⤵
    - Possible privilege escalation attempt
    PID:1908
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\System32\Dism\DismHost.exe"
  2⤵
  PID:4304
- - C:\Windows\SysWOW64\takeown.exe
    takeown /f "C:\Windows\System32\Dism\DismHost.exe"
    3⤵
    - Modifies file permissions
    PID:2488
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Windows\System32\Dism\DismHost.exe" /grant "everyone":(f)
    3⤵
    PID:1728
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\System32\Dism.exe"
  2⤵
  PID:4396
- - C:\Windows\SysWOW64\takeown.exe
    takeown /f "C:\Windows\System32\Dism.exe"
    3⤵
    PID:5800
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Windows\System32\Dism.exe" /grant "everyone":(f)
    3⤵
    PID:4536
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\System32\dllhost.exe"
  2⤵
  PID:3624
- - C:\Windows\SysWOW64\takeown.exe
    takeown /f "C:\Windows\System32\dllhost.exe"
    3⤵
    PID:5220
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Windows\System32\dllhost.exe" /grant "everyone":(f)
    3⤵
    - Possible privilege escalation attempt
    PID:2400
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\System32\dllhst3g.exe"
  2⤵
  PID:1584
- - C:\Windows\SysWOW64\takeown.exe
    takeown /f "C:\Windows\System32\dllhst3g.exe"
    3⤵
    - Modifies file permissions
    PID:3216
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Windows\System32\dllhst3g.exe" /grant "everyone":(f)
    3⤵
    PID:5108
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\System32\doskey.exe"
  2⤵
  PID:2244
- - C:\Windows\SysWOW64\takeown.exe
    takeown /f "C:\Windows\System32\doskey.exe"
    3⤵
    PID:2848
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Windows\System32\doskey.exe" /grant "everyone":(f)
    3⤵
    - Modifies file permissions
    PID:3592
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\System32\dpapimig.exe"
  2⤵
  PID:3844
- - C:\Windows\SysWOW64\takeown.exe
    takeown /f "C:\Windows\System32\dpapimig.exe"
    3⤵
    PID:2632
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Windows\System32\dpapimig.exe" /grant "everyone":(f)
    3⤵
    PID:3420
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\System32\DpiScaling.exe"
  2⤵
  PID:4964
- - C:\Windows\SysWOW64\takeown.exe
    takeown /f "C:\Windows\System32\DpiScaling.exe"
    3⤵
    PID:2584
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Windows\System32\DpiScaling.exe" /grant "everyone":(f)
    3⤵
    PID:6112
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\System32\dplaysvr.exe"
  2⤵
  PID:620
- - C:\Windows\SysWOW64\takeown.exe
    takeown /f "C:\Windows\System32\dplaysvr.exe"
    3⤵
    - Modifies file permissions
    PID:1556
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Windows\System32\dplaysvr.exe" /grant "everyone":(f)
    3⤵
    - Possible privilege escalation attempt
    PID:384
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\System32\dpnsvr.exe"
  2⤵
  PID:2052
- - C:\Windows\SysWOW64\takeown.exe
    takeown /f "C:\Windows\System32\dpnsvr.exe"
    3⤵
    PID:3660
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Windows\System32\dpnsvr.exe" /grant "everyone":(f)
    3⤵
    PID:2208
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\System32\driverquery.exe"
  2⤵
  PID:2668
- - C:\Windows\SysWOW64\takeown.exe
    takeown /f "C:\Windows\System32\driverquery.exe"
    3⤵
    PID:184
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Windows\System32\driverquery.exe" /grant "everyone":(f)
    3⤵
    PID:2828
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\System32\dtdump.exe"
  2⤵
  PID:4860
- - C:\Windows\SysWOW64\takeown.exe
    takeown /f "C:\Windows\System32\dtdump.exe"
    3⤵
    PID:5304
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Windows\System32\dtdump.exe" /grant "everyone":(f)
    3⤵
    PID:5420
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\System32\dvdplay.exe"
  2⤵
  PID:2268
- - C:\Windows\SysWOW64\takeown.exe
    takeown /f "C:\Windows\System32\dvdplay.exe"
    3⤵
    PID:4908
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Windows\System32\dvdplay.exe" /grant "everyone":(f)
    3⤵
    - Modifies file permissions
    PID:6072
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\System32\DWWIN.EXE"
  2⤵
  PID:744
- - C:\Windows\SysWOW64\takeown.exe
    takeown /f "C:\Windows\System32\DWWIN.EXE"
    3⤵
    - Modifies file permissions
    PID:1100
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Windows\System32\DWWIN.EXE" /grant "everyone":(f)
    3⤵
    PID:4200
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\System32\dxdiag.exe"
  2⤵
  PID:4348
- - C:\Windows\SysWOW64\takeown.exe
    takeown /f "C:\Windows\System32\dxdiag.exe"
    3⤵
    PID:2488
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Windows\System32\dxdiag.exe" /grant "everyone":(f)
    3⤵
    PID:5312
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\System32\EaseOfAccessDialog.exe"
  2⤵
  PID:4116
- - C:\Windows\SysWOW64\takeown.exe
    takeown /f "C:\Windows\System32\EaseOfAccessDialog.exe"
    3⤵
    - Modifies file permissions
    PID:4176
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Windows\System32\EaseOfAccessDialog.exe" /grant "everyone":(f)
    3⤵
    PID:5404
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\System32\edpnotify.exe"
  2⤵
  PID:5276
- - C:\Windows\SysWOW64\takeown.exe
    takeown /f "C:\Windows\System32\edpnotify.exe"
    3⤵
    - Modifies file permissions
    PID:1192
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Windows\System32\edpnotify.exe" /grant "everyone":(f)
    3⤵
    PID:4428
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\System32\efsui.exe"
  2⤵
  PID:3964
- - C:\Windows\SysWOW64\takeown.exe
    takeown /f "C:\Windows\System32\efsui.exe"
    3⤵
    PID:2580
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Windows\System32\efsui.exe" /grant "everyone":(f)
    3⤵
    PID:5472
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\System32\EhStorAuthn.exe"
  2⤵
  PID:1124
- - C:\Windows\SysWOW64\takeown.exe
    takeown /f "C:\Windows\System32\EhStorAuthn.exe"
    3⤵
    PID:5608
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Windows\System32\EhStorAuthn.exe" /grant "everyone":(f)
    3⤵
    PID:5532
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\System32\esentutl.exe"
  2⤵
  PID:1012
- - C:\Windows\SysWOW64\takeown.exe
    takeown /f "C:\Windows\System32\esentutl.exe"
    3⤵
    - Modifies file permissions
    PID:5284
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Windows\System32\esentutl.exe" /grant "everyone":(f)
    3⤵
    PID:4352
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\System32\eudcedit.exe"
  2⤵
  PID:3276
- - C:\Windows\SysWOW64\takeown.exe
    takeown /f "C:\Windows\System32\eudcedit.exe"
    3⤵
    PID:2848
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Windows\System32\eudcedit.exe" /grant "everyone":(f)
    3⤵
    PID:384
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\System32\eventcreate.exe"
  2⤵
  PID:5968
- - C:\Windows\SysWOW64\takeown.exe
    takeown /f "C:\Windows\System32\eventcreate.exe"
    3⤵
    PID:2152
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Windows\System32\eventcreate.exe" /grant "everyone":(f)
    3⤵
    PID:3576
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\System32\eventvwr.exe"
  2⤵
  PID:4548
- - C:\Windows\SysWOW64\takeown.exe
    takeown /f "C:\Windows\System32\eventvwr.exe"
    3⤵
    - Modifies file permissions
    PID:5452
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Windows\System32\eventvwr.exe" /grant "everyone":(f)
    3⤵
    PID:1996
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\System32\expand.exe"
  2⤵
  PID:1956
- - C:\Windows\SysWOW64\takeown.exe
    takeown /f "C:\Windows\System32\expand.exe"
    3⤵
    PID:4368
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Windows\System32\expand.exe" /grant "everyone":(f)
    3⤵
    - Modifies file permissions
    PID:2112
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\System32\explorer.exe"
  2⤵
  PID:1972
- - C:\Windows\SysWOW64\takeown.exe
    takeown /f "C:\Windows\System32\explorer.exe"
    3⤵
    PID:6072
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Windows\System32\explorer.exe" /grant "everyone":(f)
    3⤵
    - Modifies file permissions
    PID:3392
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\System32\extrac32.exe"
  2⤵
  PID:3180
- - C:\Windows\SysWOW64\takeown.exe
    takeown /f "C:\Windows\System32\extrac32.exe"
    3⤵
    PID:5872
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Windows\System32\extrac32.exe" /grant "everyone":(f)
    3⤵
    - Modifies file permissions
    PID:5860
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\System32\F12\IEChooser.exe"
  2⤵
  PID:5456
- - C:\Windows\SysWOW64\takeown.exe
    takeown /f "C:\Windows\System32\F12\IEChooser.exe"
    3⤵
    PID:5880
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Windows\System32\F12\IEChooser.exe" /grant "everyone":(f)
    3⤵
    PID:4292
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\System32\fc.exe"
  2⤵
  PID:4840
- - C:\Windows\SysWOW64\takeown.exe
    takeown /f "C:\Windows\System32\fc.exe"
    3⤵
    PID:3780
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Windows\System32\fc.exe" /grant "everyone":(f)
    3⤵
    PID:4372
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\System32\find.exe"
  2⤵
  PID:4288
- - C:\Windows\SysWOW64\takeown.exe
    takeown /f "C:\Windows\System32\find.exe"
    3⤵
    PID:5912
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Windows\System32\find.exe" /grant "everyone":(f)
    3⤵
    PID:3368
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\System32\findstr.exe"
  2⤵
  PID:508
- - C:\Windows\SysWOW64\takeown.exe
    takeown /f "C:\Windows\System32\findstr.exe"
    3⤵
    PID:2496
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Windows\System32\findstr.exe" /grant "everyone":(f)
    3⤵
    PID:4112
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\System32\finger.exe"
  2⤵
  PID:1300
- - C:\Windows\SysWOW64\takeown.exe
    takeown /f "C:\Windows\System32\finger.exe"
    3⤵
    PID:3584
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Windows\System32\finger.exe" /grant "everyone":(f)
    3⤵
    PID:4664
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\System32\fixmapi.exe"
  2⤵
  PID:5424
- - C:\Windows\SysWOW64\takeown.exe
    takeown /f "C:\Windows\System32\fixmapi.exe"
    3⤵
    PID:5648
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Windows\System32\fixmapi.exe" /grant "everyone":(f)
    3⤵
    PID:5760
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\System32\fltMC.exe"
  2⤵
  PID:3908
- - C:\Windows\SysWOW64\takeown.exe
    takeown /f "C:\Windows\System32\fltMC.exe"
    3⤵
    - Possible privilege escalation attempt
    PID:2400
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Windows\System32\fltMC.exe" /grant "everyone":(f)
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    PID:1692
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\System32\Fondue.exe"
  2⤵
  PID:3832
- - C:\Windows\SysWOW64\takeown.exe
    takeown /f "C:\Windows\System32\Fondue.exe"
    3⤵
    PID:5268
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Windows\System32\Fondue.exe" /grant "everyone":(f)
    3⤵
    PID:5108
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\System32\fontdrvhost.exe"
  2⤵
  PID:4188
- - C:\Windows\SysWOW64\takeown.exe
    takeown /f "C:\Windows\System32\fontdrvhost.exe"
    3⤵
    PID:2824
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Windows\System32\fontdrvhost.exe" /grant "everyone":(f)
    3⤵
    PID:4004
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\System32\fontview.exe"
  2⤵
  PID:2196
- - C:\Windows\SysWOW64\takeown.exe
    takeown /f "C:\Windows\System32\fontview.exe"
    3⤵
    PID:3436
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Windows\System32\fontview.exe" /grant "everyone":(f)
    3⤵
    PID:4548
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\System32\forfiles.exe"
  2⤵
  PID:4232
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:5576
- - C:\Windows\SysWOW64\takeown.exe
    takeown /f "C:\Windows\System32\forfiles.exe"
    3⤵
    PID:3096
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Windows\System32\forfiles.exe" /grant "everyone":(f)
    3⤵
    PID:4104
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\System32\fsquirt.exe"
  2⤵
  PID:3972
- - C:\Windows\SysWOW64\takeown.exe
    takeown /f "C:\Windows\System32\fsquirt.exe"
    3⤵
    PID:4660
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Windows\System32\fsquirt.exe" /grant "everyone":(f)
    3⤵
    PID:3896
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\System32\fsutil.exe"
  2⤵
  PID:6000
- - C:\Windows\SysWOW64\takeown.exe
    takeown /f "C:\Windows\System32\fsutil.exe"
    3⤵
    PID:4988
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Windows\System32\fsutil.exe" /grant "everyone":(f)
    3⤵
    PID:1048
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\System32\ftp.exe"
  2⤵
  PID:6108
- - C:\Windows\SysWOW64\takeown.exe
    takeown /f "C:\Windows\System32\ftp.exe"
    3⤵
    - Modifies file permissions
    PID:1104
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Windows\System32\ftp.exe" /grant "everyone":(f)
    3⤵
    - Modifies file permissions
    PID:5964
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\System32\GameBarPresenceWriter.exe"
  2⤵
  PID:2136
- - C:\Windows\SysWOW64\takeown.exe
    takeown /f "C:\Windows\System32\GameBarPresenceWriter.exe"
    3⤵
    PID:2724
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Windows\System32\GameBarPresenceWriter.exe" /grant "everyone":(f)
    3⤵
    PID:3860
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\System32\GamePanel.exe"
  2⤵
  PID:448
- - C:\Windows\SysWOW64\takeown.exe
    takeown /f "C:\Windows\System32\GamePanel.exe"
    3⤵
    PID:3920
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Windows\System32\GamePanel.exe" /grant "everyone":(f)
    3⤵
    PID:1808
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\System32\getmac.exe"
  2⤵
  PID:5856
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:4820
- - C:\Windows\SysWOW64\takeown.exe
    takeown /f "C:\Windows\System32\getmac.exe"
    3⤵
    PID:3552
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Windows\System32\getmac.exe" /grant "everyone":(f)
    3⤵
    PID:5688
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\System32\gpresult.exe"
  2⤵
  PID:1096
- - C:\Windows\SysWOW64\takeown.exe
    takeown /f "C:\Windows\System32\gpresult.exe"
    3⤵
    PID:2264
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Windows\System32\gpresult.exe" /grant "everyone":(f)
    3⤵
    PID:2868
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\System32\gpscript.exe"
  2⤵
  PID:1208
- - C:\Windows\SysWOW64\takeown.exe
    takeown /f "C:\Windows\System32\gpscript.exe"
    3⤵
    - Possible privilege escalation attempt
    PID:4116
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Windows\System32\gpscript.exe" /grant "everyone":(f)
    3⤵
    PID:4108
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\System32\gpupdate.exe"
  2⤵
  PID:6100
- - C:\Windows\SysWOW64\takeown.exe
    takeown /f "C:\Windows\System32\gpupdate.exe"
    3⤵
    PID:5584
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Windows\System32\gpupdate.exe" /grant "everyone":(f)
    3⤵
    PID:2772
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\System32\grpconv.exe"
  2⤵
  PID:6040
- - C:\Windows\SysWOW64\takeown.exe
    takeown /f "C:\Windows\System32\grpconv.exe"
    3⤵
    PID:464
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Windows\System32\grpconv.exe" /grant "everyone":(f)
    3⤵
    PID:5252
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\System32\hdwwiz.exe"
  2⤵
  PID:5812
- - C:\Windows\SysWOW64\takeown.exe
    takeown /f "C:\Windows\System32\hdwwiz.exe"
    3⤵
    PID:3272
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Windows\System32\hdwwiz.exe" /grant "everyone":(f)
    3⤵
    PID:1352
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\System32\help.exe"
  2⤵
  PID:5564
- - C:\Windows\SysWOW64\takeown.exe
    takeown /f "C:\Windows\System32\help.exe"
    3⤵
    PID:1884
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Windows\System32\help.exe" /grant "everyone":(f)
    3⤵
    - Modifies file permissions
    PID:1356
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\System32\hh.exe"
  2⤵
  PID:5632
- - C:\Windows\SysWOW64\takeown.exe
    takeown /f "C:\Windows\System32\hh.exe"
    3⤵
    PID:5588
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Windows\System32\hh.exe" /grant "everyone":(f)
    3⤵
    PID:2624
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\System32\HOSTNAME.EXE"
  2⤵
  PID:4136
- - C:\Windows\SysWOW64\takeown.exe
    takeown /f "C:\Windows\System32\HOSTNAME.EXE"
    3⤵
    PID:8
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Windows\System32\HOSTNAME.EXE" /grant "everyone":(f)
    3⤵
    - Modifies file permissions
    PID:3708
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\System32\icacls.exe"
  2⤵
  PID:3760
- - C:\Windows\SysWOW64\takeown.exe
    takeown /f "C:\Windows\System32\icacls.exe"
    3⤵
    PID:6076
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Windows\System32\icacls.exe" /grant "everyone":(f)
    3⤵
    - Possible privilege escalation attempt
    PID:4956
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\System32\icsunattend.exe"
  2⤵
  PID:4440
- - C:\Windows\SysWOW64\takeown.exe
    takeown /f "C:\Windows\System32\icsunattend.exe"
    3⤵
    PID:1276
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Windows\System32\icsunattend.exe" /grant "everyone":(f)
    3⤵
    PID:2212
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\System32\ieUnatt.exe"
  2⤵
  PID:3756
- - C:\Windows\SysWOW64\takeown.exe
    takeown /f "C:\Windows\System32\ieUnatt.exe"
    3⤵
    PID:1444
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Windows\System32\ieUnatt.exe" /grant "everyone":(f)
    3⤵
    PID:3456
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\System32\iexpress.exe"
  2⤵
  PID:5500
- - C:\Windows\SysWOW64\takeown.exe
    takeown /f "C:\Windows\System32\iexpress.exe"
    3⤵
    PID:832
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Windows\System32\iexpress.exe" /grant "everyone":(f)
    3⤵
    - Possible privilege escalation attempt
    PID:4876
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\System32\IME\IMEJP\IMJPDCT.EXE"
  2⤵
  PID:4100
- - C:\Windows\SysWOW64\takeown.exe
    takeown /f "C:\Windows\System32\IME\IMEJP\IMJPDCT.EXE"
    3⤵
    PID:3844
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Windows\System32\IME\IMEJP\IMJPDCT.EXE" /grant "everyone":(f)
    3⤵
    - Possible privilege escalation attempt
    PID:3288
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\System32\IME\IMEJP\IMJPSET.EXE"
  2⤵
  PID:2632
- - C:\Windows\SysWOW64\takeown.exe
    takeown /f "C:\Windows\System32\IME\IMEJP\IMJPSET.EXE"
    3⤵
    PID:1360
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Windows\System32\IME\IMEJP\IMJPSET.EXE" /grant "everyone":(f)
    3⤵
    PID:1700
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\System32\IME\IMEJP\IMJPUEX.EXE"
  2⤵
  PID:4732
- - C:\Windows\SysWOW64\takeown.exe
    takeown /f "C:\Windows\System32\IME\IMEJP\IMJPUEX.EXE"
    3⤵
    PID:3380
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Windows\System32\IME\IMEJP\IMJPUEX.EXE" /grant "everyone":(f)
    3⤵
    - Modifies file permissions
    PID:4112
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\System32\IME\IMEJP\imjpuexc.exe"
  2⤵
  PID:1908
- - C:\Windows\SysWOW64\takeown.exe
    takeown /f "C:\Windows\System32\IME\IMEJP\imjpuexc.exe"
    3⤵
    PID:4124
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Windows\System32\IME\IMEJP\imjpuexc.exe" /grant "everyone":(f)
    3⤵
    PID:6004
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\System32\IME\IMETC\IMTCLNWZ.EXE"
  2⤵
  PID:3340
- - C:\Windows\SysWOW64\takeown.exe
    takeown /f "C:\Windows\System32\IME\IMETC\IMTCLNWZ.EXE"
    3⤵
    PID:2016
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Windows\System32\IME\IMETC\IMTCLNWZ.EXE" /grant "everyone":(f)
    3⤵
    PID:4228
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\System32\IME\IMETC\IMTCPROP.exe"
  2⤵
  PID:6012
- - C:\Windows\SysWOW64\takeown.exe
    takeown /f "C:\Windows\System32\IME\IMETC\IMTCPROP.exe"
    3⤵
    PID:4504
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Windows\System32\IME\IMETC\IMTCPROP.exe" /grant "everyone":(f)
    3⤵
    - Modifies file permissions
    PID:3608
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\System32\IME\SHARED\IMCCPHR.exe"
  2⤵
  PID:2700
- - C:\Windows\SysWOW64\takeown.exe
    takeown /f "C:\Windows\System32\IME\SHARED\IMCCPHR.exe"
    3⤵
    PID:1096
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Windows\System32\IME\SHARED\IMCCPHR.exe" /grant "everyone":(f)
    3⤵
    PID:4724
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\System32\IME\SHARED\imecfmui.exe"
  2⤵
  PID:1144
- - C:\Windows\SysWOW64\takeown.exe
    takeown /f "C:\Windows\System32\IME\SHARED\imecfmui.exe"
    3⤵
    PID:5984
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Windows\System32\IME\SHARED\imecfmui.exe" /grant "everyone":(f)
    3⤵
    PID:5336
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\System32\IME\SHARED\IMEPADSV.EXE"
  2⤵
  PID:5024
- - C:\Windows\SysWOW64\takeown.exe
    takeown /f "C:\Windows\System32\IME\SHARED\IMEPADSV.EXE"
    3⤵
    PID:916
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Windows\System32\IME\SHARED\IMEPADSV.EXE" /grant "everyone":(f)
    3⤵
    PID:5252
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\System32\IME\SHARED\IMESEARCH.EXE"
  2⤵
  PID:6040
- - C:\Windows\SysWOW64\takeown.exe
    takeown /f "C:\Windows\System32\IME\SHARED\IMESEARCH.EXE"
    3⤵
    PID:4588
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Windows\System32\IME\SHARED\IMESEARCH.EXE" /grant "everyone":(f)
    3⤵
    PID:3156
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\System32\IME\SHARED\IMEWDBLD.EXE"
  2⤵
  PID:4920
- - C:\Windows\SysWOW64\takeown.exe
    takeown /f "C:\Windows\System32\IME\SHARED\IMEWDBLD.EXE"
    3⤵
    PID:4192
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Windows\System32\IME\SHARED\IMEWDBLD.EXE" /grant "everyone":(f)
    3⤵
    PID:4936
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\System32\InfDefaultInstall.exe"
  2⤵
  PID:3524
- - C:\Windows\SysWOW64\takeown.exe
    takeown /f "C:\Windows\System32\InfDefaultInstall.exe"
    3⤵
    PID:4488
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Windows\System32\InfDefaultInstall.exe" /grant "everyone":(f)
    3⤵
    - Modifies file permissions
    PID:6056
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\System32\InputSwitchToastHandler.exe"
  2⤵
  PID:3896
- - C:\Windows\SysWOW64\takeown.exe
    takeown /f "C:\Windows\System32\InputSwitchToastHandler.exe"
    3⤵
    PID:5684
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Windows\System32\InputSwitchToastHandler.exe" /grant "everyone":(f)
    3⤵
    PID:2584
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\System32\InstallShield\setup.exe"
  2⤵
  PID:2212
- - C:\Windows\SysWOW64\takeown.exe
    takeown /f "C:\Windows\System32\InstallShield\setup.exe"
    3⤵
    - Possible privilege escalation attempt
    PID:3820
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Windows\System32\InstallShield\setup.exe" /grant "everyone":(f)
    3⤵
    PID:2516
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\System32\InstallShield\_isdel.exe"
  2⤵
  PID:2152
- - C:\Windows\SysWOW64\takeown.exe
    takeown /f "C:\Windows\System32\InstallShield\_isdel.exe"
    3⤵
    PID:4216
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Windows\System32\InstallShield\_isdel.exe" /grant "everyone":(f)
    3⤵
    - Possible privilege escalation attempt
    PID:5392
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\System32\instnm.exe"
  2⤵
  PID:3052
- - C:\Windows\SysWOW64\takeown.exe
    takeown /f "C:\Windows\System32\instnm.exe"
    3⤵
    - Possible privilege escalation attempt
    PID:2112
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Windows\System32\instnm.exe" /grant "everyone":(f)
    3⤵
    - Possible privilege escalation attempt
    PID:5368
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\System32\ipconfig.exe"
  2⤵
  PID:3844
- - C:\Windows\SysWOW64\takeown.exe
    takeown /f "C:\Windows\System32\ipconfig.exe"
    3⤵
    PID:2748
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Windows\System32\ipconfig.exe" /grant "everyone":(f)
    3⤵
    PID:2136
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\System32\iscsicli.exe"
  2⤵
  PID:5268
- - C:\Windows\SysWOW64\takeown.exe
    takeown /f "C:\Windows\System32\iscsicli.exe"
    3⤵
    - Possible privilege escalation attempt
    PID:3204
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Windows\System32\iscsicli.exe" /grant "everyone":(f)
    3⤵
    - Modifies file permissions
    PID:6080
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\System32\iscsicpl.exe"
  2⤵
  PID:4196
- - C:\Windows\SysWOW64\takeown.exe
    takeown /f "C:\Windows\System32\iscsicpl.exe"
    3⤵
    PID:5128
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Windows\System32\iscsicpl.exe" /grant "everyone":(f)
    3⤵
    PID:2580
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\System32\isoburn.exe"
  2⤵
  PID:1584
- - C:\Windows\SysWOW64\takeown.exe
    takeown /f "C:\Windows\System32\isoburn.exe"
    3⤵
    PID:1760
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Windows\System32\isoburn.exe" /grant "everyone":(f)
    3⤵
    PID:3996
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\System32\ktmutil.exe"
  2⤵
  PID:1588
- - C:\Windows\SysWOW64\takeown.exe
    takeown /f "C:\Windows\System32\ktmutil.exe"
    3⤵
    PID:5004
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Windows\System32\ktmutil.exe" /grant "everyone":(f)
    3⤵
    PID:4492
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\System32\label.exe"
  2⤵
  PID:5044
- - C:\Windows\SysWOW64\takeown.exe
    takeown /f "C:\Windows\System32\label.exe"
    3⤵
    PID:5412
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Windows\System32\label.exe" /grant "everyone":(f)
    3⤵
    PID:4356
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\System32\LaunchTM.exe"
  2⤵
  PID:4072
- - C:\Windows\SysWOW64\takeown.exe
    takeown /f "C:\Windows\System32\LaunchTM.exe"
    3⤵
    PID:5984
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Windows\System32\LaunchTM.exe" /grant "everyone":(f)
    3⤵
    PID:6076
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\System32\LaunchWinApp.exe"
  2⤵
  PID:3576
- - C:\Windows\SysWOW64\takeown.exe
    takeown /f "C:\Windows\System32\LaunchWinApp.exe"
    3⤵
    PID:5736
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Windows\System32\LaunchWinApp.exe" /grant "everyone":(f)
    3⤵
    PID:2260
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\System32\lodctr.exe"
  2⤵
  PID:5588
- - C:\Windows\SysWOW64\takeown.exe
    takeown /f "C:\Windows\System32\lodctr.exe"
    3⤵
    - Possible privilege escalation attempt
    PID:4612
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Windows\System32\lodctr.exe" /grant "everyone":(f)
    3⤵
    PID:3896
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\System32\logagent.exe"
  2⤵
  PID:5352
- - C:\Windows\SysWOW64\takeown.exe
    takeown /f "C:\Windows\System32\logagent.exe"
    3⤵
    PID:5008
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Windows\System32\logagent.exe" /grant "everyone":(f)
    3⤵
    PID:3992
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\System32\logman.exe"
  2⤵
  PID:1152
- - C:\Windows\SysWOW64\takeown.exe
    takeown /f "C:\Windows\System32\logman.exe"
    3⤵
    PID:5368
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Windows\System32\logman.exe" /grant "everyone":(f)
    3⤵
    PID:5708
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\System32\Magnify.exe"
  2⤵
  PID:2872
- - C:\Windows\SysWOW64\takeown.exe
    takeown /f "C:\Windows\System32\Magnify.exe"
    3⤵
    PID:5500
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Windows\System32\Magnify.exe" /grant "everyone":(f)
    3⤵
    PID:5784
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\System32\makecab.exe"
  2⤵
  PID:3832
- - C:\Windows\SysWOW64\takeown.exe
    takeown /f "C:\Windows\System32\makecab.exe"
    3⤵
    - Possible privilege escalation attempt
    PID:5432
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Windows\System32\makecab.exe" /grant "everyone":(f)
    3⤵
    PID:5304

C:\Windows\msagent\AgentSvr.exe
C:\Windows\msagent\AgentSvr.exe -Embedding
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:536

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x300 0x2ec
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:5152

C:\Windows\explorer.exe
explorer.exe
1⤵
- Modifies Installed Components in the registry
- Enumerates connected drives
- Checks SCSI registry key(s)
- Suspicious use of SendNotifyMessage
PID:5392
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 5392 -s 6204
  2⤵
  PID:5828

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
- Suspicious use of SetWindowsHookEx
PID:6000

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k WerSvcGroup
1⤵
PID:4408
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -pss -s 548 -p 5328 -ip 5328
  2⤵
  PID:4488

C:\Windows\explorer.exe
explorer.exe
1⤵
- Modifies Installed Components in the registry
- Suspicious use of SendNotifyMessage
PID:5588

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:3744

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:5328

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe
"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca
1⤵
PID:1728

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:5276

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:4424

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:3104

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:1584

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:1692

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe
"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca
1⤵
PID:3556

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:5768

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:3476

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:5228

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe
"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca
1⤵
PID:5616

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:3988

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:5032

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:1168

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:5640

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:3280

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:1652

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:1996

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:4512

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:3608

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:3536

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:3092

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:3644

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:2244

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:1060

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:5008

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:5288

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:5660

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:1516

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:3208

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:3792

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:520

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:3500

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:5240

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:5352

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:3660

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:5872

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:4528

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:1188

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:4948

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:4196

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

Defense Evasion

File and Directory Permissions Modification

T1222

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

System Information Discovery