Analysis

max time kernel: 125s
max time network: 151s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 09-11-2024 03:13

Static task: static1
URLScan task: urlscan1
Behavioral task: behavioral1
Sample: http://google.com
Resource: win10v2004-20241007-en

General

Target: http://google.com

Malware Config

Signatures
Boot or Logon Autostart Execution: Active Setup (TTPs: 2, IoCs: 1)
Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.
Processes:
  description | ioc | process
  Key created | \REGISTRY\MACHINE\software\WOW6432Node\microsoft\Active Setup\Installed Components | INSTALLER.exe
Downloads MZ/PE file

Possible privilege escalation attempt (IoCs: 64)
Processes:
  pid | process
  2044 | takeown.exe
  2116 | takeown.exe
  3552 | takeown.exe
  3572 | icacls.exe
  4312 |
  5196 |
  6076 | takeown.exe
  2648 | icacls.exe
  1428 |
  5368 |
  4820 |
  3032 |
  2752 |
  6036 | takeown.exe
  4900 | takeown.exe
  5564 | takeown.exe
  2644 | icacls.exe
  1796 | icacls.exe
  5676 | takeown.exe
  404 | takeown.exe
  4100 | icacls.exe
  5340 |
  5624 | takeown.exe
  3164 | takeown.exe
  2212 | takeown.exe
  4312 | takeown.exe
  5364 | icacls.exe
  3024 |
  4404 |
  3748 | takeown.exe
  6084 | icacls.exe
  1704 | icacls.exe
  2960 | takeown.exe
  5360 | takeown.exe
  4424 | icacls.exe
  5744 | icacls.exe
  3680 | icacls.exe
  4944 | icacls.exe
  5456 | icacls.exe
  1848 | takeown.exe
  1060 |
  732 |
  6000 | takeown.exe
  5300 | takeown.exe
  116 | icacls.exe
  5216 | takeown.exe
  2908 | takeown.exe
  3576 | takeown.exe
  1584 | takeown.exe
  4396 | takeown.exe
  560 | icacls.exe
  3748 | icacls.exe
  1344 | icacls.exe
  2972 | icacls.exe
  4228 | takeown.exe
  64 | takeown.exe
  4268 | takeown.exe
  2420 | takeown.exe
  164 | takeown.exe
  5020 | icacls.exe
  2240 |
  5600 | icacls.exe
  3872 | icacls.exe
  4816 | takeown.exe
  (rows with an empty process column were reported without a process name)
Executes dropped EXE (IoCs: 6)
Processes:
  pid | process
  5472 | Bonzify.exe
  1216 | Bonzify.exe
  2800 | INSTALLER.exe
  4880 | AgentSvr.exe
  2420 | INSTALLER.exe
  6128 | INSTALLER.exe
Loads dropped DLL (IoCs: 9)
Processes:
  pid | process
  2800 | INSTALLER.exe
  1636 | regsvr32.exe
  5704 | regsvr32.exe
  3392 | regsvr32.exe
  5824 | regsvr32.exe
  5776 | regsvr32.exe
  5588 | regsvr32.exe
  1384 | regsvr32.exe
  2420 | INSTALLER.exe
Modifies file permissions (TTPs: 1, IoCs: 64)
Processes:
  pid | process
  2720 | takeown.exe
  4796 | icacls.exe
  1176 | icacls.exe
  5552 |
  5464 | icacls.exe
  6096 | icacls.exe
  3948 |
  5292 | icacls.exe
  2420 | takeown.exe
  6036 | icacls.exe
  3176 |
  5500 |
  6028 | icacls.exe
  2044 | takeown.exe
  5156 |
  2380 | takeown.exe
  5708 | icacls.exe
  3200 |
  1648 | takeown.exe
  1464 | icacls.exe
  1764 |
  5224 | takeown.exe
  3276 | icacls.exe
  4816 | takeown.exe
  804 | icacls.exe
  4100 |
  5692 | icacls.exe
  2800 | takeown.exe
  3988 | takeown.exe
  4568 | icacls.exe
  5532 | takeown.exe
  4608 | icacls.exe
  3032 | takeown.exe
  3584 |
  3080 |
  2760 | takeown.exe
  5448 | takeown.exe
  3396 | icacls.exe
  4092 |
  5544 | icacls.exe
  5468 | takeown.exe
  6052 | takeown.exe
  5960 | takeown.exe
  4468 |
  5284 |
  5624 | takeown.exe
  4780 | takeown.exe
  3872 | icacls.exe
  4140 | icacls.exe
  372 | icacls.exe
  3232 | icacls.exe
  4372 | takeown.exe
  2300 | takeown.exe
  4696 |
  2432 | takeown.exe
  3276 |
  5916 |
  2972 |
  4316 | takeown.exe
  3032 |
  5948 | icacls.exe
  5772 |
  5920 |
  5392 |
  (rows with an empty process column were reported without a process name)
Legitimate hosting services abused for malware hosting/C2 (TTPs: 1, IoCs: 2)

Drops file in Windows directory (IoCs: 41)
Processes:
  description | ioc | process
  File opened for modification | C:\Windows\msagent\AgentCtl.dll | INSTALLER.exe
  File opened for modification | C:\Windows\msagent\SET5C03.tmp | INSTALLER.exe
  File created | C:\Windows\msagent\SET5C04.tmp | INSTALLER.exe
  File created | C:\Windows\msagent\SET5BF1.tmp | INSTALLER.exe
  File opened for modification | C:\Windows\msagent\SET5C02.tmp | INSTALLER.exe
  File opened for modification | C:\Windows\msagent\AgentDPv.dll | INSTALLER.exe
  File opened for modification | C:\Windows\msagent\intl\SET5C5A.tmp | INSTALLER.exe
  File opened for modification | C:\Windows\msagent\AgentDp2.dll | INSTALLER.exe
  File opened for modification | C:\Windows\msagent\AgentAnm.dll | INSTALLER.exe
  File opened for modification | C:\Windows\msagent\SET5C48.tmp | INSTALLER.exe
  File opened for modification | C:\Windows\help\SET5C49.tmp | INSTALLER.exe
  File created | C:\Windows\help\SET5C49.tmp | INSTALLER.exe
  File created | C:\Windows\executables.bin | Bonzify.exe
  File opened for modification | C:\Windows\msagent\SET5BF1.tmp | INSTALLER.exe
  File created | C:\Windows\msagent\SET5C02.tmp | INSTALLER.exe
  File created | C:\Windows\msagent\SET5C05.tmp | INSTALLER.exe
  File opened for modification | C:\Windows\help\Agt0409.hlp | INSTALLER.exe
  File opened for modification | C:\Windows\msagent\SET5C04.tmp | INSTALLER.exe
  File opened for modification | C:\Windows\msagent\AgentSvr.exe | INSTALLER.exe
  File opened for modification | C:\Windows\msagent\SET5C05.tmp | INSTALLER.exe
  File opened for modification | C:\Windows\msagent\SET5C06.tmp | INSTALLER.exe
  File created | C:\Windows\msagent\SET5C08.tmp | INSTALLER.exe
  File opened for modification | C:\Windows\INF\agtinst.inf | INSTALLER.exe
  File opened for modification | C:\Windows\msagent\mslwvtts.dll | INSTALLER.exe
  File created | C:\Windows\msagent\SET5C06.tmp | INSTALLER.exe
  File created | C:\Windows\msagent\intl\SET5C5A.tmp | INSTALLER.exe
  File opened for modification | C:\Windows\msagent\SET5C5B.tmp | INSTALLER.exe
  File created | C:\Windows\msagent\SET5C5B.tmp | INSTALLER.exe
  File created | C:\Windows\executables.bin | Bonzify.exe
  File opened for modification | C:\Windows\msagent\SET5C07.tmp | INSTALLER.exe
  File created | C:\Windows\msagent\SET5C07.tmp | INSTALLER.exe
  File opened for modification | C:\Windows\msagent\AgentSR.dll | INSTALLER.exe
  File opened for modification | C:\Windows\INF\SET5C09.tmp | INSTALLER.exe
  File created | C:\Windows\msagent\SET5C48.tmp | INSTALLER.exe
  File opened for modification | C:\Windows\msagent\intl\Agt0409.dll | INSTALLER.exe
  File created | C:\Windows\msagent\SET5C03.tmp | INSTALLER.exe
  File opened for modification | C:\Windows\msagent\AgentMPx.dll | INSTALLER.exe
  File opened for modification | C:\Windows\msagent\SET5C08.tmp | INSTALLER.exe
  File opened for modification | C:\Windows\msagent\AgentPsh.dll | INSTALLER.exe
  File created | C:\Windows\INF\SET5C09.tmp | INSTALLER.exe
  File opened for modification | C:\Windows\msagent\AgtCtl15.tlb | INSTALLER.exe
Event Triggered Execution: Accessibility Features (TTPs: 1)
Windows contains accessibility features that may be used by adversaries to establish persistence and/or elevate privileges.

System Location Discovery: System Language Discovery (TTPs: 1, IoCs: 41)
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
Processes:
  description | ioc | process
  ioc for all 41 entries: Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
  process column, one entry each in report order: cmd.exe, icacls.exe, Bonzify.exe, cmd.exe, takeown.exe, icacls.exe, takeown.exe, takeown.exe, takeown.exe, taskkill.exe, icacls.exe, takeown.exe, cmd.exe, cmd.exe, icacls.exe, regsvr32.exe, cmd.exe, regsvr32.exe, takeown.exe, regsvr32.exe, regsvr32.exe, icacls.exe, takeown.exe, regsvr32.exe, regsvr32.exe, takeown.exe, Bonzify.exe, icacls.exe, icacls.exe, regsvr32.exe, cmd.exe, cmd.exe, cmd.exe, AgentSvr.exe, icacls.exe, grpconv.exe, INSTALLER.exe, taskkill.exe, INSTALLER.exe, cmd.exe, INSTALLER.exe
Enumerates system info in registry (TTPs: 2, IoCs: 3)
Processes:
  description | ioc | process
  Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | msedge.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | msedge.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | msedge.exe

Kills process with taskkill (IoCs: 2)
Processes:
  pid | process
  5652 | taskkill.exe
  4992 | taskkill.exe
Modifies registry class (IoCs: 64)
Processes:
  description | ioc | process
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{6BA90C00-3910-11D1-ACB3-00C04FD97575}\TypeLib | AgentSvr.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{A7B93C8F-7B81-11D0-AC5F-00C04FD97575}\TypeLib | AgentSvr.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{6D0ECB23-9968-11D0-AC6E-00C04FD97575}\TypeLib | AgentSvr.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{D6589123-FC70-11D0-AC94-00C04FD97575}\2.0\HELPDIR\ = "C:\\Windows\\msagent\\AgentSvr.exe\\" | AgentSvr.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{1DAB85C3-803A-11D0-AC63-00C04FD97575}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | regsvr32.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{F5BE8BD4-7DE6-11D0-91FE-00C04FD701A5}\TypeLib\Version = "2.0" | regsvr32.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D45FD300-5C6E-11D1-9EC1-00C04FD7081F} | regsvr32.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{A7B93C83-7B81-11D0-AC5F-00C04FD97575}\ProxyStubClsid32 | AgentSvr.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{F5BE8BD1-7DE6-11D0-91FE-00C04FD701A5}\ = "IAgentCtl" | regsvr32.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\FileType | regsvr32.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{A7B93C89-7B81-11D0-AC5F-00C04FD97575}\TypeLib | AgentSvr.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{A7B93CA0-7B81-11D0-AC5F-00C04FD97575} | AgentSvr.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{DE8EF600-2F82-11D1-ACAC-00C04FD97575}\ProxyStubClsid32 | regsvr32.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{C4ABF875-8100-11D0-AC63-00C04FD97575}\ = "IAgentCtlUserInput" | regsvr32.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{C4ABF875-8100-11D0-AC63-00C04FD97575}\TypeLib\ = "{F5BE8BC2-7DE6-11D0-91FE-00C04FD701A5}" | regsvr32.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C4ABF875-8100-11D0-AC63-00C04FD97575}\ = "IAgentCtlUserInput" | regsvr32.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D6589121-FC70-11D0-AC94-00C04FD97575}\TypeLib | AgentSvr.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{B0913410-3B44-11D1-ACBA-00C04FD97575}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | regsvr32.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{6D0ECB27-9968-11D0-AC6E-00C04FD97575}\ = "IAgentCtlCommandsWindow" | regsvr32.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{6D0ECB27-9968-11D0-AC6E-00C04FD97575}\TypeLib\Version = "2.0" | regsvr32.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Agent.Server | AgentSvr.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{08C75162-3C9C-11D1-91FE-00C04FD701A5} | AgentSvr.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{F5BE8BD9-7DE6-11D0-91FE-00C04FD701A5}\ = "IAgentCtlCharacter" | regsvr32.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{822DB1C0-8879-11D1-9EC6-00C04FD7081F} | regsvr32.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{F5BE8BE1-7DE6-11D0-91FE-00C04FD701A5} | regsvr32.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Agent.Character2.2\shellex\PropertySheetHandlers\CharacterPage\ = "{143A62C8-C33B-11D1-84FE-00C04FA34A14}" | regsvr32.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Agent.Control.2\CLSID | regsvr32.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{1DAB85C3-803A-11D0-AC63-00C04FD97575}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | regsvr32.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{F5BE8BDF-7DE6-11D0-91FE-00C04FD701A5}\ProxyStubClsid32 | regsvr32.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{A7B93C73-7B81-11D0-AC5F-00C04FD97575} | AgentSvr.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{A7B93C87-7B81-11D0-AC5F-00C04FD97575}\TypeLib\Version = "2.0" | AgentSvr.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{A7B93C8F-7B81-11D0-AC5F-00C04FD97575}\TypeLib\Version = "2.0" | AgentSvr.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{98BBE491-2EED-11D1-ACAC-00C04FD97575} | AgentSvr.exe
  Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F5BE8BD2-7DE6-11D0-91FE-00C04FD701A5}\MiscStatus | regsvr32.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{8563FF20-8ECC-11D1-B9B4-00C04FD97575}\TypeLib | regsvr32.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D45FD301-5C6E-11D1-9EC1-00C04FD7081F}\InprocServer32 | regsvr32.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{A7B93C83-7B81-11D0-AC5F-00C04FD97575} | AgentSvr.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{A7B93C89-7B81-11D0-AC5F-00C04FD97575}\TypeLib | AgentSvr.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{A7B93C89-7B81-11D0-AC5F-00C04FD97575} | AgentSvr.exe
  Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D45FD31B-5C6E-11D1-9EC1-00C04FD7081F}\Version | regsvr32.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{F5BE8BDF-7DE6-11D0-91FE-00C04FD701A5} | regsvr32.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{F5BE8BD4-7DE6-11D0-91FE-00C04FD701A5}\ProxyStubClsid32 | regsvr32.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D45FD31D-5C6E-11D1-9EC1-00C04FD7081F} | regsvr32.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{A7B93C92-7B81-11D0-AC5F-00C04FD97575}\TreatAs\ = "{D45FD2FC-5C6E-11D1-9EC1-00C04FD7081F}" | AgentSvr.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{A7B93C8B-7B81-11D0-AC5F-00C04FD97575}\TypeLib\Version = "2.0" | AgentSvr.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{D6589121-FC70-11D0-AC94-00C04FD97575}\ProxyStubClsid32 | AgentSvr.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{F5BE8BF0-7DE6-11D0-91FE-00C04FD701A5}\TypeLib\ = "{F5BE8BC2-7DE6-11D0-91FE-00C04FD701A5}" | regsvr32.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{F5BE8BD1-7DE6-11D0-91FE-00C04FD701A5}\ProxyStubClsid32 | regsvr32.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{F5BE8BD4-7DE6-11D0-91FE-00C04FD701A5} | regsvr32.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{143A62C8-C33B-11D1-84FE-00C04FA34A14}\InprocServer32 | regsvr32.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{D6589123-FC70-11D0-AC94-00C04FD97575}\2.0\0\win32 | AgentSvr.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F5BE8BD2-7DE6-11D0-91FE-00C04FD701A5}\Programmable | regsvr32.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{8563FF20-8ECC-11D1-B9B4-00C04FD97575}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | regsvr32.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{A7B93C87-7B81-11D0-AC5F-00C04FD97575}\TypeLib\ = "{A7B93C73-7B81-11D0-AC5F-00C04FD97575}" | AgentSvr.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{D7A6D440-8872-11D1-9EC6-00C04FD7081F} | AgentSvr.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{F5BE8BDF-7DE6-11D0-91FE-00C04FD701A5}\TypeLib\ = "{F5BE8BC2-7DE6-11D0-91FE-00C04FD701A5}" | regsvr32.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D45FD301-5C6E-11D1-9EC1-00C04FD7081F}\InprocServer32\ThreadingModel = "Apartment" | regsvr32.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{6D0ECB23-9968-11D0-AC6E-00C04FD97575}\TypeLib\ = "{A7B93C73-7B81-11D0-AC5F-00C04FD97575}" | AgentSvr.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F5BE8BD2-7DE6-11D0-91FE-00C04FD701A5}\MiscStatus\ = "0" | regsvr32.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{8B77181C-D3EF-11D1-8500-00C04FA34A14} | regsvr32.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{F5BE8BDD-7DE6-11D0-91FE-00C04FD701A5}\ = "IAgentCtlSpeechInput" | regsvr32.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{F5BE8BDD-7DE6-11D0-91FE-00C04FD701A5}\TypeLib\Version = "2.0" | regsvr32.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{F5BE8BC2-7DE6-11D0-91FE-00C04FD701A5}\1.5\0\win32 | AgentSvr.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{D6589123-FC70-11D0-AC94-00C04FD97575} | AgentSvr.exe
NTFS ADS (IoCs: 1)
Processes:
  description | ioc | process
  File opened for modification | C:\Users\Admin\Downloads\Unconfirmed 628985.crdownload:SmartScreen | msedge.exe
Suspicious behavior: EnumeratesProcesses (IoCs: 12)
Processes:
  pid | process
  4744 | msedge.exe
  4744 | msedge.exe
  4812 | msedge.exe
  4812 | msedge.exe
  4920 | identity_helper.exe
  4920 | identity_helper.exe
  5408 | msedge.exe
  5408 | msedge.exe
  5960 | msedge.exe
  5960 | msedge.exe
  5960 | msedge.exe
  5960 | msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary (IoCs: 17)
Processes:
  pid | process
  4812 | msedge.exe (all 17 entries)

Suspicious use of AdjustPrivilegeToken (IoCs: 8)
Processes:
  description | pid | process
  Token: SeDebugPrivilege | 5652 | taskkill.exe
  Token: SeDebugPrivilege | 4992 | taskkill.exe
  Token: SeTakeOwnershipPrivilege | 6036 | takeown.exe
  Token: SeTakeOwnershipPrivilege | 1704 | takeown.exe
  Token: SeTakeOwnershipPrivilege | 2960 | takeown.exe
  Token: SeTakeOwnershipPrivilege | 4336 | takeown.exe
  Token: SeTakeOwnershipPrivilege | 2284 | takeown.exe
  Token: SeTakeOwnershipPrivilege | 5252 | takeown.exe
Suspicious use of FindShellTrayWindow (IoCs: 36)
Processes:
  pid | process
  4812 | msedge.exe (all 36 entries)

Suspicious use of SendNotifyMessage (IoCs: 24)
Processes:
  pid | process
  4812 | msedge.exe (all 24 entries)

Suspicious use of SetWindowsHookEx (IoCs: 6)
Processes:
  pid | process
  5472 | Bonzify.exe
  1216 | Bonzify.exe
  2800 | INSTALLER.exe
  4880 | AgentSvr.exe
  2420 | INSTALLER.exe
  6128 | INSTALLER.exe

Suspicious use of WriteProcessMemory (IoCs: 64)
Processes:
  description | pid process | target process
  Every one of the 64 entries has the form "PID 4812 wrote to memory of <target PID> | 4812 msedge.exe | msedge.exe". The target PIDs, in report order, are 4736, then 5044, then 4744, then 4604, each repeated over several consecutive entries.
Processes

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 4812)
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument http://google.com
  Signatures:
  - Enumerates system info in registry
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  Child processes:

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 4736)
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff9d06b46f8,0x7ff9d06b4708,0x7ff9d06b4718

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 5044)
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2108,11631536847596788406,1899128154349836251,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2116 /prefetch:2

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 4744)
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2108,11631536847596788406,1899128154349836251,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2172 /prefetch:3
      Signatures:
      - Suspicious behavior: EnumeratesProcesses

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 4604)
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2108,11631536847596788406,1899128154349836251,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2812 /prefetch:8

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 1924)
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,11631536847596788406,1899128154349836251,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3224 /prefetch:1

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 3048)
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,11631536847596788406,1899128154349836251,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3244 /prefetch:1

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 4752)
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,11631536847596788406,1899128154349836251,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3872 /prefetch:1

    C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe (PID 1376)
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2108,11631536847596788406,1899128154349836251,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5148 /prefetch:8

    C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe (PID 4920)
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2108,11631536847596788406,1899128154349836251,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5148 /prefetch:8
      Signatures:
      - Suspicious behavior: EnumeratesProcesses

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 2720)
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,11631536847596788406,1899128154349836251,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5460 /prefetch:1

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 1804)
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,11631536847596788406,1899128154349836251,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5520 /prefetch:1

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 3848)
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,11631536847596788406,1899128154349836251,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5752 /prefetch:1

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 3820)
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,11631536847596788406,1899128154349836251,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5448 /prefetch:1

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 4016)
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,11631536847596788406,1899128154349836251,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5680 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,11631536847596788406,1899128154349836251,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5680 /prefetch:12⤵PID:4016
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,11631536847596788406,1899128154349836251,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2748 /prefetch:12⤵PID:5976
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,11631536847596788406,1899128154349836251,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4732 /prefetch:12⤵PID:5984
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,11631536847596788406,1899128154349836251,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1152 /prefetch:12⤵PID:6132
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,11631536847596788406,1899128154349836251,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5704 /prefetch:12⤵PID:5244
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,11631536847596788406,1899128154349836251,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5772 /prefetch:12⤵PID:5356
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,11631536847596788406,1899128154349836251,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1732 /prefetch:12⤵PID:1232
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,11631536847596788406,1899128154349836251,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4780 /prefetch:12⤵PID:3472
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,11631536847596788406,1899128154349836251,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3440 /prefetch:12⤵PID:3052
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2108,11631536847596788406,1899128154349836251,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=6044 /prefetch:82⤵PID:2284
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,11631536847596788406,1899128154349836251,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5956 /prefetch:12⤵PID:5152
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2108,11631536847596788406,1899128154349836251,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6284 /prefetch:82⤵PID:5340
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2108,11631536847596788406,1899128154349836251,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6424 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
PID:5408 -
[depth 2] PID 5472  C:\Users\Admin\Downloads\Bonzify.exe
    "C:\Users\Admin\Downloads\Bonzify.exe"
    - Executes dropped EXE
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
[depth 3] PID 5300  C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\KillAgent.bat"
    - System Location Discovery: System Language Discovery
[depth 4] PID 5652  C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im AgentSvr.exe
    - System Location Discovery: System Language Discovery
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
[depth 4] PID 5464  C:\Windows\SysWOW64\takeown.exe
    takeown /r /d y /f C:\Windows\MsAgent
    - System Location Discovery: System Language Discovery
[depth 4] PID 5496  C:\Windows\SysWOW64\icacls.exe
    icacls C:\Windows\MsAgent /c /t /grant "everyone":(f)
    - System Location Discovery: System Language Discovery
[depth 3] PID 5852  C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\wow64_microsoft-windows-services-svchost_31bf3856ad364e35_10.0.19041.546_none_9e094af3987dca57\f\svchost.exe"
    - System Location Discovery: System Language Discovery
[depth 4] PID 6036  C:\Windows\SysWOW64\takeown.exe
    takeown /f "C:\Windows\WinSxS\wow64_microsoft-windows-services-svchost_31bf3856ad364e35_10.0.19041.546_none_9e094af3987dca57\f\svchost.exe"
    - Possible privilege escalation attempt
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
[depth 4] PID 1460  C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Windows\WinSxS\wow64_microsoft-windows-services-svchost_31bf3856ad364e35_10.0.19041.546_none_9e094af3987dca57\f\svchost.exe" /grant "everyone":(f)
    - System Location Discovery: System Language Discovery
[depth 3] PID 5596  C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\wow64_microsoft-windows-services-svchost_31bf3856ad364e35_10.0.19041.546_none_9e094af3987dca57\r\svchost.exe"
    - System Location Discovery: System Language Discovery
[depth 4] PID 4336  C:\Windows\SysWOW64\takeown.exe
    takeown /f "C:\Windows\WinSxS\wow64_microsoft-windows-services-svchost_31bf3856ad364e35_10.0.19041.546_none_9e094af3987dca57\r\svchost.exe"
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
[depth 4] PID 424  C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Windows\WinSxS\wow64_microsoft-windows-services-svchost_31bf3856ad364e35_10.0.19041.546_none_9e094af3987dca57\r\svchost.exe" /grant "everyone":(f)
    - System Location Discovery: System Language Discovery
[depth 3] PID 5784  C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\wow64_microsoft-windows-services-svchost_31bf3856ad364e35_10.0.19041.546_none_9e094af3987dca57\svchost.exe"
    - System Location Discovery: System Language Discovery
[depth 4] PID 2284  C:\Windows\SysWOW64\takeown.exe
    takeown /f "C:\Windows\WinSxS\wow64_microsoft-windows-services-svchost_31bf3856ad364e35_10.0.19041.546_none_9e094af3987dca57\svchost.exe"
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
[depth 4] PID 4368  C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Windows\WinSxS\wow64_microsoft-windows-services-svchost_31bf3856ad364e35_10.0.19041.546_none_9e094af3987dca57\svchost.exe" /grant "everyone":(f)
    - System Location Discovery: System Language Discovery
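The chains above (KillAgent.bat once, then TakeOwn.bat once per target) are one two-step pattern: takeown moves ownership away from TrustedInstaller, then icacls with /grant "everyone":(f) hands Full control to Everyone, here on C:\Windows\MsAgent and on the WinSxS copies of svchost.exe; later targets in the tree include sethc.exe, the Sticky Keys binary. Two details matter when writing detection for this. First, the pair is only meaningful when both commands hit the same path under the same parent, which for a batch file is one cmd.exe; a lone icacls grant is a weaker signal. Second, every command line here names C:\Windows\system32\cmd.exe while the image actually executed is C:\Windows\SysWOW64\cmd.exe, because the 32-bit Bonzify.exe is subject to WOW64 file-system redirection, so a rule that matches only on the CommandLine field records the wrong image. The following Python is an added example, not code from the sandbox or from the sample: it correlates the takeown/icacls pair per parent over process-creation events. SAMPLE_EVENTS is constructed from the tree above (Bonzify.exe's own parent PID is not in this excerpt and is set to 0), the Sysmon-style field names are an assumption about the export format, and the benign control event is invented.

```python
"""Correlate takeown + icacls ACL-takeover chains in process-creation telemetry.
Added example for this report, not code from the sandbox or from the sample.
SAMPLE_EVENTS is constructed from the Bonzify.exe tree above; the Sysmon-style
field names (Image, CommandLine, ProcessId, ParentProcessId) are an assumption."""
import re
from collections import defaultdict

# Paths whose ACLs belong to TrustedInstaller/SYSTEM; Full or Modify for a broad
# principal under them is never an ordinary user action.
PROTECTED_ROOTS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")
BROAD_PRINCIPALS = {"everyone", "users", "authenticated users", "builtin\\users", "*s-1-1-0"}
TOKEN = re.compile(r'(?:"[^"]*"|[^\s"])+')   # one argv token may mix quoted and bare text

WOW_CMD = r"C:\Windows\SysWOW64\cmd.exe"
SVCHOST = (r"C:\Windows\WinSxS\wow64_microsoft-windows-services-svchost_"
           r"31bf3856ad364e35_10.0.19041.546_none_9e094af3987dca57\f\svchost.exe")


def event(pid, ppid, image, cmdline):
    return {"ProcessId": pid, "ParentProcessId": ppid, "Image": image, "CommandLine": cmdline}


SAMPLE_EVENTS = [  # constructed; Bonzify.exe's own parent PID is not in the excerpt, hence 0
    event(5472, 0, r"C:\Users\Admin\Downloads\Bonzify.exe", r'"C:\Users\Admin\Downloads\Bonzify.exe"'),
    event(5300, 5472, WOW_CMD, r'C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\KillAgent.bat"'),
    event(5652, 5300, r"C:\Windows\SysWOW64\taskkill.exe", "taskkill /f /im AgentSvr.exe"),
    event(5464, 5300, r"C:\Windows\SysWOW64\takeown.exe", r"takeown /r /d y /f C:\Windows\MsAgent"),
    event(5496, 5300, r"C:\Windows\SysWOW64\icacls.exe", r'icacls C:\Windows\MsAgent /c /t /grant "everyone":(f)'),
    event(5852, 5472, WOW_CMD, rf'C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "{SVCHOST}"'),
    event(6036, 5852, r"C:\Windows\SysWOW64\takeown.exe", f'takeown /f "{SVCHOST}"'),
    event(1460, 5852, r"C:\Windows\SysWOW64\icacls.exe", f'icacls "{SVCHOST}" /grant "everyone":(f)'),
    # benign control (invented): a user granting Modify on their own folder must not fire
    event(9001, 9000, r"C:\Windows\System32\icacls.exe", r'icacls "C:\Users\Admin\Projects" /grant Admin:(M)'),
]


def split_cmdline(cmdline):
    """Tokenise a Windows command line honouring double quotes; '"everyone":(f)' -> 'everyone:(f)'."""
    return [t.replace('"', "") for t in TOKEN.findall(cmdline)]


def basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def is_protected(path):
    p = path.lower().replace("/", "\\")
    return any(p.startswith(root) for root in PROTECTED_ROOTS)


def parse_takeown(argv):
    """Target of 'takeown [/r /d y] /f <path>', else None."""
    if argv and basename(argv[0]) in ("takeown", "takeown.exe"):
        for i, a in enumerate(argv[:-1]):
            if a.lower() == "/f":
                return argv[i + 1]
    return None


def parse_icacls_grant(argv):
    """(target, principal, rights) for 'icacls <path> ... /grant[:r] <who>:(<rights>)', else None.
    Inheritance prefixes such as (OI)(CI) are not handled; plain F/M/RX grants are what the sample uses."""
    if len(argv) >= 2 and basename(argv[0]) in ("icacls", "icacls.exe"):
        for i, a in enumerate(argv[:-1]):
            if a.lower() in ("/grant", "/grant:r"):
                m = re.fullmatch(r"(.+?):\(?([A-Za-z,]+)\)?", argv[i + 1])
                if m:
                    return argv[1], m.group(1), m.group(2).upper()
    return None


def wow64_redirected(image, argv):
    """The command line asked for System32 but the process ran from SysWOW64 (32-bit parent)."""
    return bool(argv) and "\\syswow64\\" in image.lower() and "\\system32\\" in argv[0].lower()


def detect(events):
    """One batch file is one cmd.exe parent, so walk each parent's children in creation order:
    takeown on a protected path, then icacls giving F or M on (or beneath) it to a broad principal."""
    by_parent = defaultdict(list)
    for e in events:
        by_parent[e["ParentProcessId"]].append(e)
    findings = []
    for children in by_parent.values():
        owned = set()  # normalised paths this parent has already taken ownership of
        for e in children:
            argv = split_cmdline(e["CommandLine"])
            if wow64_redirected(e["Image"], argv):
                findings.append(("wow64_redirection", e["ProcessId"], e["Image"]))
            if argv and basename(argv[0]) in ("taskkill", "taskkill.exe") and "/f" in map(str.lower, argv):
                findings.append(("forced_kill", e["ProcessId"], argv[-1]))
            target = parse_takeown(argv)
            if target and is_protected(target):
                owned.add(target.lower().rstrip("\\"))
            grant = parse_icacls_grant(argv)
            if grant is None:
                continue
            target, who, rights = grant
            if not (is_protected(target) and who.lower() in BROAD_PRINCIPALS and rights in ("F", "M")):
                continue
            key = target.lower().rstrip("\\")
            chained = key in owned or any(key.startswith(o + "\\") for o in owned)
            findings.append(("acl_takeover" if chained else "broad_grant", e["ProcessId"], target))
    return findings


if __name__ == "__main__":
    for kind, pid, what in detect(SAMPLE_EVENTS):
        print(f"{kind:<18} pid={pid:<5} {what}")
```

Run as a script it prints five findings for the constructed events: two acl_takeover hits (C:\Windows\MsAgent and the WinSxS svchost.exe), one forced_kill for AgentSvr.exe and a wow64_redirection note for each cmd.exe; the benign Modify grant on a user folder is ignored. Against a real Sysmon Event ID 1 stream the same grouping by ParentProcessId works unchanged; the takeown pairing is what separates a deliberate takeover like this one from a lone misconfigured icacls, which you would still want to see but at a lower severity.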
[depth 3] PID 2420  C:\Users\Admin\AppData\Local\Temp\INSTALLER.exe
    INSTALLER.exe /q
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
[depth 4] PID 3424  C:\Windows\SysWOW64\regsvr32.exe
    regsvr32 /s "C:\Windows\msagent\AgentCtl.dll"
[depth 4] PID 5008  C:\Windows\SysWOW64\regsvr32.exe
    regsvr32 /s "C:\Windows\msagent\AgentDPv.dll"
[depth 4] PID 6060  C:\Windows\SysWOW64\regsvr32.exe
    regsvr32 /s "C:\Windows\msagent\mslwvtts.dll"
[depth 4] PID 5364  C:\Windows\SysWOW64\regsvr32.exe
    regsvr32 /s "C:\Windows\msagent\AgentDP2.dll"
[depth 4] PID 4372  C:\Windows\SysWOW64\regsvr32.exe
    regsvr32 /s "C:\Windows\msagent\AgentMPx.dll"
[depth 4] PID 5212  C:\Windows\SysWOW64\regsvr32.exe
    regsvr32 /s "C:\Windows\msagent\AgentSR.dll"
[depth 4] PID 5464  C:\Windows\SysWOW64\regsvr32.exe
    regsvr32 /s "C:\Windows\msagent\AgentPsh.dll"
[depth 4] PID 5484  C:\Windows\msagent\AgentSvr.exe
    "C:\Windows\msagent\AgentSvr.exe" /regserver
[depth 4] PID 464  C:\Windows\SysWOW64\grpconv.exe
    grpconv.exe -o
[depth 3] PID 4900  C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\wow64_microsoft-windows-sethc_31bf3856ad364e35_10.0.19041.1_none_2305f6cf48d996c7\EaseOfAccessDialog.exe"
    - System Location Discovery: System Language Discovery
[depth 4] PID 1796  C:\Windows\SysWOW64\takeown.exe
    takeown /f "C:\Windows\WinSxS\wow64_microsoft-windows-sethc_31bf3856ad364e35_10.0.19041.1_none_2305f6cf48d996c7\EaseOfAccessDialog.exe"
[depth 4] PID 5380  C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Windows\WinSxS\wow64_microsoft-windows-sethc_31bf3856ad364e35_10.0.19041.1_none_2305f6cf48d996c7\EaseOfAccessDialog.exe" /grant "everyone":(f)
[depth 3] PID 1092  C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\wow64_microsoft-windows-sethc_31bf3856ad364e35_10.0.19041.1_none_2305f6cf48d996c7\sethc.exe"
[depth 4] PID 432  C:\Windows\SysWOW64\takeown.exe
    takeown /f "C:\Windows\WinSxS\wow64_microsoft-windows-sethc_31bf3856ad364e35_10.0.19041.1_none_2305f6cf48d996c7\sethc.exe"
[depth 4] PID 5692  C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Windows\WinSxS\wow64_microsoft-windows-sethc_31bf3856ad364e35_10.0.19041.1_none_2305f6cf48d996c7\sethc.exe" /grant "everyone":(f)
    - Modifies file permissions
[depth 3] PID 5564  C:\Users\Admin\AppData\Local\Temp\INSTALLER.exe
    INSTALLER.exe /q
[depth 4] PID 2340  C:\Windows\SysWOW64\regsvr32.exe
    regsvr32 /s "C:\Windows\msagent\AgentCtl.dll"
[depth 4] PID 5020  C:\Windows\SysWOW64\regsvr32.exe
    regsvr32 /s "C:\Windows\msagent\AgentDPv.dll"
[depth 4] PID 1464  C:\Windows\SysWOW64\regsvr32.exe
    regsvr32 /s "C:\Windows\msagent\mslwvtts.dll"
[depth 4] PID 5744  C:\Windows\SysWOW64\regsvr32.exe
    regsvr32 /s "C:\Windows\msagent\AgentDP2.dll"
[depth 4] PID 3904  C:\Windows\SysWOW64\regsvr32.exe
    regsvr32 /s "C:\Windows\msagent\AgentMPx.dll"
[depth 4] PID 5920  C:\Windows\SysWOW64\regsvr32.exe
    regsvr32 /s "C:\Windows\msagent\AgentSR.dll"
[depth 4] PID 5228  C:\Windows\SysWOW64\regsvr32.exe
    regsvr32 /s "C:\Windows\msagent\AgentPsh.dll"
[depth 4] PID 5780  C:\Windows\msagent\AgentSvr.exe
    "C:\Windows\msagent\AgentSvr.exe" /regserver
[depth 4] PID 5432  C:\Windows\SysWOW64\grpconv.exe
    grpconv.exe -o
[depth 3] PID 5760  C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\wow64_microsoft-windows-sethc_31bf3856ad364e35_10.0.19041.746_none_4b0e3418084b5511\EaseOfAccessDialog.exe"
[depth 4] PID 5160  C:\Windows\SysWOW64\takeown.exe
    takeown /f "C:\Windows\WinSxS\wow64_microsoft-windows-sethc_31bf3856ad364e35_10.0.19041.746_none_4b0e3418084b5511\EaseOfAccessDialog.exe"
[depth 4] PID 2780  C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Windows\WinSxS\wow64_microsoft-windows-sethc_31bf3856ad364e35_10.0.19041.746_none_4b0e3418084b5511\EaseOfAccessDialog.exe" /grant "everyone":(f)
[depth 3] PID 396  C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\wow64_microsoft-windows-sethc_31bf3856ad364e35_10.0.19041.746_none_4b0e3418084b5511\f\EaseOfAccessDialog.exe"
[depth 4] PID 3576  C:\Windows\SysWOW64\takeown.exe
    takeown /f "C:\Windows\WinSxS\wow64_microsoft-windows-sethc_31bf3856ad364e35_10.0.19041.746_none_4b0e3418084b5511\f\EaseOfAccessDialog.exe"
[depth 4] PID 3392  C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Windows\WinSxS\wow64_microsoft-windows-sethc_31bf3856ad364e35_10.0.19041.746_none_4b0e3418084b5511\f\EaseOfAccessDialog.exe" /grant "everyone":(f)
[depth 3] PID 2752  C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\wow64_microsoft-windows-sethc_31bf3856ad364e35_10.0.19041.746_none_4b0e3418084b5511\f\sethc.exe"
[depth 4] PID 1804  C:\Windows\SysWOW64\takeown.exe
    takeown /f "C:\Windows\WinSxS\wow64_microsoft-windows-sethc_31bf3856ad364e35_10.0.19041.746_none_4b0e3418084b5511\f\sethc.exe"
[depth 4] PID 5640  C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Windows\WinSxS\wow64_microsoft-windows-sethc_31bf3856ad364e35_10.0.19041.746_none_4b0e3418084b5511\f\sethc.exe" /grant "everyone":(f)
[depth 3] PID 1344  C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\wow64_microsoft-windows-sethc_31bf3856ad364e35_10.0.19041.746_none_4b0e3418084b5511\r\EaseOfAccessDialog.exe"
[depth 4] PID 2720  C:\Windows\SysWOW64\takeown.exe
    takeown /f "C:\Windows\WinSxS\wow64_microsoft-windows-sethc_31bf3856ad364e35_10.0.19041.746_none_4b0e3418084b5511\r\EaseOfAccessDialog.exe"
    - Modifies file permissions
[depth 4] PID 4316  C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Windows\WinSxS\wow64_microsoft-windows-sethc_31bf3856ad364e35_10.0.19041.746_none_4b0e3418084b5511\r\EaseOfAccessDialog.exe" /grant "everyone":(f)
[depth 3] PID 4300  C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\wow64_microsoft-windows-sethc_31bf3856ad364e35_10.0.19041.746_none_4b0e3418084b5511\r\sethc.exe"
[depth 4] PID 6048  C:\Windows\SysWOW64\takeown.exe
    takeown /f "C:\Windows\WinSxS\wow64_microsoft-windows-sethc_31bf3856ad364e35_10.0.19041.746_none_4b0e3418084b5511\r\sethc.exe"
[depth 4] PID 6040  C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Windows\WinSxS\wow64_microsoft-windows-sethc_31bf3856ad364e35_10.0.19041.746_none_4b0e3418084b5511\r\sethc.exe" /grant "everyone":(f)
[depth 3] PID 6092  C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\wow64_microsoft-windows-sethc_31bf3856ad364e35_10.0.19041.746_none_4b0e3418084b5511\sethc.exe"
[depth 4] PID 5884  C:\Windows\SysWOW64\takeown.exe
    takeown /f "C:\Windows\WinSxS\wow64_microsoft-windows-sethc_31bf3856ad364e35_10.0.19041.746_none_4b0e3418084b5511\sethc.exe"
[depth 4] PID 4324  C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Windows\WinSxS\wow64_microsoft-windows-sethc_31bf3856ad364e35_10.0.19041.746_none_4b0e3418084b5511\sethc.exe" /grant "everyone":(f)
[depth 3] PID 3164  C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\wow64_microsoft-windows-settingsynchost_31bf3856ad364e35_10.0.19041.1202_none_fef803c70cc0b37b\f\SettingSyncHost.exe"
[depth 4] PID 1528  C:\Windows\SysWOW64\takeown.exe
    takeown /f "C:\Windows\WinSxS\wow64_microsoft-windows-settingsynchost_31bf3856ad364e35_10.0.19041.1202_none_fef803c70cc0b37b\f\SettingSyncHost.exe"
[depth 4] PID 116  C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Windows\WinSxS\wow64_microsoft-windows-settingsynchost_31bf3856ad364e35_10.0.19041.1202_none_fef803c70cc0b37b\f\SettingSyncHost.exe" /grant "everyone":(f)
    - Possible privilege escalation attempt
[depth 3] PID 5156  C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\wow64_microsoft-windows-settingsynchost_31bf3856ad364e35_10.0.19041.1202_none_fef803c70cc0b37b\r\SettingSyncHost.exe"
[depth 4] PID 5980  C:\Windows\SysWOW64\takeown.exe
    takeown /f "C:\Windows\WinSxS\wow64_microsoft-windows-settingsynchost_31bf3856ad364e35_10.0.19041.1202_none_fef803c70cc0b37b\r\SettingSyncHost.exe"
[depth 4] PID 5360  C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Windows\WinSxS\wow64_microsoft-windows-settingsynchost_31bf3856ad364e35_10.0.19041.1202_none_fef803c70cc0b37b\r\SettingSyncHost.exe" /grant "everyone":(f)
[depth 3] PID 5436  C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\wow64_microsoft-windows-settingsynchost_31bf3856ad364e35_10.0.19041.1202_none_fef803c70cc0b37b\SettingSyncHost.exe"
[depth 4] PID 5136  C:\Windows\SysWOW64\takeown.exe
    takeown /f "C:\Windows\WinSxS\wow64_microsoft-windows-settingsynchost_31bf3856ad364e35_10.0.19041.1202_none_fef803c70cc0b37b\SettingSyncHost.exe"
[depth 4] PID 5984  C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Windows\WinSxS\wow64_microsoft-windows-settingsynchost_31bf3856ad364e35_10.0.19041.1202_none_fef803c70cc0b37b\SettingSyncHost.exe" /grant "everyone":(f)
[depth 3] PID 5484  C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\wow64_microsoft-windows-settingsynchost_31bf3856ad364e35_10.0.19041.1_none_4028e460f6e7e25b\SettingSyncHost.exe"
[depth 4] PID 1628  C:\Windows\SysWOW64\takeown.exe
    takeown /f "C:\Windows\WinSxS\wow64_microsoft-windows-settingsynchost_31bf3856ad364e35_10.0.19041.1_none_4028e460f6e7e25b\SettingSyncHost.exe"
[depth 4] PID 5292  C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Windows\WinSxS\wow64_microsoft-windows-settingsynchost_31bf3856ad364e35_10.0.19041.1_none_4028e460f6e7e25b\SettingSyncHost.exe" /grant "everyone":(f)
    - Modifies file permissions
[depth 3] PID 5852  C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\wow64_microsoft-windows-setupapi_31bf3856ad364e35_10.0.19041.1237_none_b40cbfe2afd2c015\f\wowreg32.exe"
[depth 4] PID 3220  C:\Windows\SysWOW64\takeown.exe
    takeown /f "C:\Windows\WinSxS\wow64_microsoft-windows-setupapi_31bf3856ad364e35_10.0.19041.1237_none_b40cbfe2afd2c015\f\wowreg32.exe"
[depth 4] PID 5744  C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Windows\WinSxS\wow64_microsoft-windows-setupapi_31bf3856ad364e35_10.0.19041.1237_none_b40cbfe2afd2c015\f\wowreg32.exe" /grant "everyone":(f)
    - Possible privilege escalation attempt
[depth 3] PID 3392  C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\wow64_microsoft-windows-setupapi_31bf3856ad364e35_10.0.19041.1237_none_b40cbfe2afd2c015\r\wowreg32.exe"
[depth 4] PID 2668  C:\Windows\SysWOW64\takeown.exe
    takeown /f "C:\Windows\WinSxS\wow64_microsoft-windows-setupapi_31bf3856ad364e35_10.0.19041.1237_none_b40cbfe2afd2c015\r\wowreg32.exe"
[depth 4] PID 5920  C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Windows\WinSxS\wow64_microsoft-windows-setupapi_31bf3856ad364e35_10.0.19041.1237_none_b40cbfe2afd2c015\r\wowreg32.exe" /grant "everyone":(f)
[depth 3] PID 1092  C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\wow64_microsoft-windows-setupapi_31bf3856ad364e35_10.0.19041.1237_none_b40cbfe2afd2c015\wowreg32.exe"
[depth 4] PID 5796  C:\Windows\SysWOW64\takeown.exe
    takeown /f "C:\Windows\WinSxS\wow64_microsoft-windows-setupapi_31bf3856ad364e35_10.0.19041.1237_none_b40cbfe2afd2c015\wowreg32.exe"
[depth 4] PID 1480  C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Windows\WinSxS\wow64_microsoft-windows-setupapi_31bf3856ad364e35_10.0.19041.1237_none_b40cbfe2afd2c015\wowreg32.exe" /grant "everyone":(f)
[depth 3] PID 5220  C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\wow64_microsoft-windows-setupapi_31bf3856ad364e35_10.0.19041.1_none_f53b118699fc22cb\wowreg32.exe"
[depth 4] PID 5768  C:\Windows\SysWOW64\takeown.exe
    takeown /f "C:\Windows\WinSxS\wow64_microsoft-windows-setupapi_31bf3856ad364e35_10.0.19041.1_none_f53b118699fc22cb\wowreg32.exe"
[depth 4] PID 5892  C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Windows\WinSxS\wow64_microsoft-windows-setupapi_31bf3856ad364e35_10.0.19041.1_none_f53b118699fc22cb\wowreg32.exe" /grant "everyone":(f)
[depth 3] PID 5544  C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\wow64_microsoft-windows-setx_31bf3856ad364e35_10.0.19041.1_none_6cbc8da4ecceab64\setx.exe"
[depth 4] PID 5580  C:\Windows\SysWOW64\takeown.exe
    takeown /f "C:\Windows\WinSxS\wow64_microsoft-windows-setx_31bf3856ad364e35_10.0.19041.1_none_6cbc8da4ecceab64\setx.exe"
[depth 4] PID 5300  C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Windows\WinSxS\wow64_microsoft-windows-setx_31bf3856ad364e35_10.0.19041.1_none_6cbc8da4ecceab64\setx.exe" /grant "everyone":(f)
[depth 3] PID 1344  C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\wow64_microsoft-windows-sharedaccess_31bf3856ad364e35_10.0.19041.1_none_c513167c1d0a90dd\icsunattend.exe"
[depth 4] PID 6044  C:\Windows\SysWOW64\takeown.exe
    takeown /f "C:\Windows\WinSxS\wow64_microsoft-windows-sharedaccess_31bf3856ad364e35_10.0.19041.1_none_c513167c1d0a90dd\icsunattend.exe"
[depth 4] PID 6052  C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Windows\WinSxS\wow64_microsoft-windows-sharedaccess_31bf3856ad364e35_10.0.19041.1_none_c513167c1d0a90dd\icsunattend.exe" /grant "everyone":(f)
[depth 3] PID 560  C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\wow64_microsoft-windows-sharedfoldersui_31bf3856ad364e35_10.0.19041.1_none_7862ecae0548fb54\shrpubw.exe"
[depth 4] PID 2360  C:\Windows\SysWOW64\takeown.exe
    takeown /f "C:\Windows\WinSxS\wow64_microsoft-windows-sharedfoldersui_31bf3856ad364e35_10.0.19041.1_none_7862ecae0548fb54\shrpubw.exe"
[depth 4] PID 4428  C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Windows\WinSxS\wow64_microsoft-windows-sharedfoldersui_31bf3856ad364e35_10.0.19041.1_none_7862ecae0548fb54\shrpubw.exe" /grant "everyone":(f)
[depth 3] PID 6092  C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\wow64_microsoft-windows-sharedfoldersui_31bf3856ad364e35_10.0.19041.746_none_a06b29f6c4bab99e\shrpubw.exe"
[depth 4] PID 3000  C:\Windows\SysWOW64\takeown.exe
    takeown /f "C:\Windows\WinSxS\wow64_microsoft-windows-sharedfoldersui_31bf3856ad364e35_10.0.19041.746_none_a06b29f6c4bab99e\shrpubw.exe"
[depth 4] PID 1768  C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Windows\WinSxS\wow64_microsoft-windows-sharedfoldersui_31bf3856ad364e35_10.0.19041.746_none_a06b29f6c4bab99e\shrpubw.exe" /grant "everyone":(f)
[depth 3] PID 5976  C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\wow64_microsoft-windows-shell-previewhost_31bf3856ad364e35_10.0.19041.1_none_03831cf8d49cee55\prevhost.exe"
[depth 4] PID 4568  C:\Windows\SysWOW64\takeown.exe
    takeown /f "C:\Windows\WinSxS\wow64_microsoft-windows-shell-previewhost_31bf3856ad364e35_10.0.19041.1_none_03831cf8d49cee55\prevhost.exe"
[depth 4] PID 5104  C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Windows\WinSxS\wow64_microsoft-windows-shell-previewhost_31bf3856ad364e35_10.0.19041.1_none_03831cf8d49cee55\prevhost.exe" /grant "everyone":(f)
[depth 3] PID 4968  C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\wow64_microsoft-windows-shell-previewhost_31bf3856ad364e35_10.0.19041.746_none_2b8b5a41940eac9f\f\prevhost.exe"
[depth 4] PID 5532  C:\Windows\SysWOW64\takeown.exe
    takeown /f "C:\Windows\WinSxS\wow64_microsoft-windows-shell-previewhost_31bf3856ad364e35_10.0.19041.746_none_2b8b5a41940eac9f\f\prevhost.exe"
    - Modifies file permissions
[depth 4] PID 6120  C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Windows\WinSxS\wow64_microsoft-windows-shell-previewhost_31bf3856ad364e35_10.0.19041.746_none_2b8b5a41940eac9f\f\prevhost.exe" /grant "everyone":(f)
[depth 3] PID 5440  C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\wow64_microsoft-windows-shell-previewhost_31bf3856ad364e35_10.0.19041.746_none_2b8b5a41940eac9f\prevhost.exe"
[depth 4] PID 5484  C:\Windows\SysWOW64\takeown.exe
    takeown /f "C:\Windows\WinSxS\wow64_microsoft-windows-shell-previewhost_31bf3856ad364e35_10.0.19041.746_none_2b8b5a41940eac9f\prevhost.exe"
[depth 4] PID 3276  C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Windows\WinSxS\wow64_microsoft-windows-shell-previewhost_31bf3856ad364e35_10.0.19041.746_none_2b8b5a41940eac9f\prevhost.exe" /grant "everyone":(f)
    - Modifies file permissions
[depth 3] PID 4372  C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\wow64_microsoft-windows-shell-previewhost_31bf3856ad364e35_10.0.19041.746_none_2b8b5a41940eac9f\r\prevhost.exe"
[depth 4] PID 5416  C:\Windows\SysWOW64\takeown.exe
    takeown /f "C:\Windows\WinSxS\wow64_microsoft-windows-shell-previewhost_31bf3856ad364e35_10.0.19041.746_none_2b8b5a41940eac9f\r\prevhost.exe"
[depth 4] PID 424  C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Windows\WinSxS\wow64_microsoft-windows-shell-previewhost_31bf3856ad364e35_10.0.19041.746_none_2b8b5a41940eac9f\r\prevhost.exe" /grant "everyone":(f)
[depth 3] PID 1008  C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\wow64_microsoft-windows-shutdown-event-tracker_31bf3856ad364e35_10.0.19041.1_none_c319cf869bb64064\shutdown.exe"
[depth 4] PID 3392  C:\Windows\SysWOW64\takeown.exe
    takeown /f "C:\Windows\WinSxS\wow64_microsoft-windows-shutdown-event-tracker_31bf3856ad364e35_10.0.19041.1_none_c319cf869bb64064\shutdown.exe"
[depth 4] PID 4796  C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Windows\WinSxS\wow64_microsoft-windows-shutdown-event-tracker_31bf3856ad364e35_10.0.19041.1_none_c319cf869bb64064\shutdown.exe" /grant "everyone":(f)
    - Modifies file permissions
[depth 3] PID 5596  C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\wow64_microsoft-windows-sort_31bf3856ad364e35_10.0.19041.1_none_6c03db28ed4132dc\sort.exe"
[depth 4] PID 5188  C:\Windows\SysWOW64\takeown.exe
    takeown /f "C:\Windows\WinSxS\wow64_microsoft-windows-sort_31bf3856ad364e35_10.0.19041.1_none_6c03db28ed4132dc\sort.exe"
[depth 4] PID 4552  C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Windows\WinSxS\wow64_microsoft-windows-sort_31bf3856ad364e35_10.0.19041.1_none_6c03db28ed4132dc\sort.exe" /grant "everyone":(f)
[depth 3] PID 5452  C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\wow64_microsoft-windows-speechcommon-onecore_31bf3856ad364e35_10.0.19041.1081_none_f28ba6a10743aebc\f\SpeechModelDownload.exe"
[depth 4] PID 5520  C:\Windows\SysWOW64\takeown.exe
    takeown /f "C:\Windows\WinSxS\wow64_microsoft-windows-speechcommon-onecore_31bf3856ad364e35_10.0.19041.1081_none_f28ba6a10743aebc\f\SpeechModelDownload.exe"
[depth 4] PID 5092  C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Windows\WinSxS\wow64_microsoft-windows-speechcommon-onecore_31bf3856ad364e35_10.0.19041.1081_none_f28ba6a10743aebc\f\SpeechModelDownload.exe" /grant "everyone":(f)
[depth 3] PID 5924  C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\wow64_microsoft-windows-speechcommon-onecore_31bf3856ad364e35_10.0.19041.1081_none_f28ba6a10743aebc\r\SpeechModelDownload.exe"
[depth 4] PID 5300  C:\Windows\SysWOW64\takeown.exe
    takeown /f "C:\Windows\WinSxS\wow64_microsoft-windows-speechcommon-onecore_31bf3856ad364e35_10.0.19041.1081_none_f28ba6a10743aebc\r\SpeechModelDownload.exe"
[depth 4] PID 5544  C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Windows\WinSxS\wow64_microsoft-windows-speechcommon-onecore_31bf3856ad364e35_10.0.19041.1081_none_f28ba6a10743aebc\r\SpeechModelDownload.exe" /grant "everyone":(f)
    - Modifies file permissions
[depth 3] PID 5764  C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\wow64_microsoft-windows-speechcommon-onecore_31bf3856ad364e35_10.0.19041.1081_none_f28ba6a10743aebc\SpeechModelDownload.exe"
[depth 4] PID 4936  C:\Windows\SysWOW64\takeown.exe
    takeown /f "C:\Windows\WinSxS\wow64_microsoft-windows-speechcommon-onecore_31bf3856ad364e35_10.0.19041.1081_none_f28ba6a10743aebc\SpeechModelDownload.exe"
[depth 4] PID 404  C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Windows\WinSxS\wow64_microsoft-windows-speechcommon-onecore_31bf3856ad364e35_10.0.19041.1081_none_f28ba6a10743aebc\SpeechModelDownload.exe" /grant "everyone":(f)
[depth 3] PID 2492  C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\wow64_microsoft-windows-speechcommon-onecore_31bf3856ad364e35_10.0.19041.264_none_5b8f61a9b1063622\SpeechModelDownload.exe"
[depth 4] PID 5180  C:\Windows\SysWOW64\takeown.exe
    takeown /f "C:\Windows\WinSxS\wow64_microsoft-windows-speechcommon-onecore_31bf3856ad364e35_10.0.19041.264_none_5b8f61a9b1063622\SpeechModelDownload.exe"
[depth 4] PID 6096  C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Windows\WinSxS\wow64_microsoft-windows-speechcommon-onecore_31bf3856ad364e35_10.0.19041.264_none_5b8f61a9b1063622\SpeechModelDownload.exe" /grant "everyone":(f)
[depth 3] PID 588  C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\wow64_microsoft-windows-srdelayed_31bf3856ad364e35_10.0.19041.1_none_16a30fa92fe5e343\srdelayed.exe"
[depth 4] PID 5380  C:\Windows\SysWOW64\takeown.exe
    takeown /f "C:\Windows\WinSxS\wow64_microsoft-windows-srdelayed_31bf3856ad364e35_10.0.19041.1_none_16a30fa92fe5e343\srdelayed.exe"
[depth 4] PID 2652  C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Windows\WinSxS\wow64_microsoft-windows-srdelayed_31bf3856ad364e35_10.0.19041.1_none_16a30fa92fe5e343\srdelayed.exe" /grant "everyone":(f)
[depth 3] PID 1076  C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\wow64_microsoft-windows-storage-diagnostics_31bf3856ad364e35_10.0.19041.1_none_34f70c73dc049744\stordiag.exe"
[depth 4] PID 4900  C:\Windows\SysWOW64\takeown.exe
    takeown /f "C:\Windows\WinSxS\wow64_microsoft-windows-storage-diagnostics_31bf3856ad364e35_10.0.19041.1_none_34f70c73dc049744\stordiag.exe"
    - Possible privilege escalation attempt
[depth 4] PID 3064  C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Windows\WinSxS\wow64_microsoft-windows-storage-diagnostics_31bf3856ad364e35_10.0.19041.1_none_34f70c73dc049744\stordiag.exe" /grant "everyone":(f)
[depth 3] PID 5576  C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\wow64_microsoft-windows-synchost_31bf3856ad364e35_10.0.19041.1_none_29c6c4eed050af59\SyncHost.exe"
[depth 4] PID 5212  C:\Windows\SysWOW64\takeown.exe
    takeown /f "C:\Windows\WinSxS\wow64_microsoft-windows-synchost_31bf3856ad364e35_10.0.19041.1_none_29c6c4eed050af59\SyncHost.exe"
[depth 4] PID 5136  C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Windows\WinSxS\wow64_microsoft-windows-synchost_31bf3856ad364e35_10.0.19041.1_none_29c6c4eed050af59\SyncHost.exe" /grant "everyone":(f)
[depth 3] PID 5484  C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\wow64_microsoft-windows-synchost_31bf3856ad364e35_10.0.19041.746_none_51cf02378fc26da3\f\SyncHost.exe"
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\WinSxS\wow64_microsoft-windows-synchost_31bf3856ad364e35_10.0.19041.746_none_51cf02378fc26da3\f\SyncHost.exe"4⤵PID:1176
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\WinSxS\wow64_microsoft-windows-synchost_31bf3856ad364e35_10.0.19041.746_none_51cf02378fc26da3\f\SyncHost.exe" /grant "everyone":(f)4⤵PID:5624
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\wow64_microsoft-windows-synchost_31bf3856ad364e35_10.0.19041.746_none_51cf02378fc26da3\r\SyncHost.exe"3⤵PID:5416
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\WinSxS\wow64_microsoft-windows-synchost_31bf3856ad364e35_10.0.19041.746_none_51cf02378fc26da3\r\SyncHost.exe"4⤵PID:2780
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\WinSxS\wow64_microsoft-windows-synchost_31bf3856ad364e35_10.0.19041.746_none_51cf02378fc26da3\r\SyncHost.exe" /grant "everyone":(f)4⤵PID:3576
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\wow64_microsoft-windows-synchost_31bf3856ad364e35_10.0.19041.746_none_51cf02378fc26da3\SyncHost.exe"3⤵PID:5952
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\WinSxS\wow64_microsoft-windows-synchost_31bf3856ad364e35_10.0.19041.746_none_51cf02378fc26da3\SyncHost.exe"4⤵PID:5644
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\WinSxS\wow64_microsoft-windows-synchost_31bf3856ad364e35_10.0.19041.746_none_51cf02378fc26da3\SyncHost.exe" /grant "everyone":(f)4⤵PID:1200
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\wow64_microsoft-windows-sysinfo_31bf3856ad364e35_10.0.19041.1_none_af9a68f0cc4d15fb\systeminfo.exe"3⤵PID:5768
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\WinSxS\wow64_microsoft-windows-sysinfo_31bf3856ad364e35_10.0.19041.1_none_af9a68f0cc4d15fb\systeminfo.exe"4⤵PID:6020
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\WinSxS\wow64_microsoft-windows-sysinfo_31bf3856ad364e35_10.0.19041.1_none_af9a68f0cc4d15fb\systeminfo.exe" /grant "everyone":(f)4⤵PID:4364
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\wow64_microsoft-windows-systempropertiesremote_31bf3856ad364e35_10.0.19041.1_none_551afa5edf8be30e\SystemPropertiesRemote.exe"3⤵PID:6100
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\WinSxS\wow64_microsoft-windows-systempropertiesremote_31bf3856ad364e35_10.0.19041.1_none_551afa5edf8be30e\SystemPropertiesRemote.exe"4⤵
- Modifies file permissions
PID:4316 -
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\WinSxS\wow64_microsoft-windows-systempropertiesremote_31bf3856ad364e35_10.0.19041.1_none_551afa5edf8be30e\SystemPropertiesRemote.exe" /grant "everyone":(f)4⤵PID:2212
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\wow64_microsoft-windows-systray_31bf3856ad364e35_10.0.19041.1_none_b39734a8c9c85bd3\systray.exe"3⤵PID:4368
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\WinSxS\wow64_microsoft-windows-systray_31bf3856ad364e35_10.0.19041.1_none_b39734a8c9c85bd3\systray.exe"4⤵PID:5128
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\WinSxS\wow64_microsoft-windows-systray_31bf3856ad364e35_10.0.19041.1_none_b39734a8c9c85bd3\systray.exe" /grant "everyone":(f)4⤵PID:3552
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\wow64_microsoft-windows-t..acyinkingcomponents_31bf3856ad364e35_10.0.19041.1_none_023783a15d5391a7\pipanel.exe"3⤵PID:5764
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\WinSxS\wow64_microsoft-windows-t..acyinkingcomponents_31bf3856ad364e35_10.0.19041.1_none_023783a15d5391a7\pipanel.exe"4⤵PID:2068
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\WinSxS\wow64_microsoft-windows-t..acyinkingcomponents_31bf3856ad364e35_10.0.19041.1_none_023783a15d5391a7\pipanel.exe" /grant "everyone":(f)4⤵PID:4436
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\wow64_microsoft-windows-t..cesframework-ctfmon_31bf3856ad364e35_10.0.19041.1_none_5d7644a9644fd29d\ctfmon.exe"3⤵PID:1060
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\WinSxS\wow64_microsoft-windows-t..cesframework-ctfmon_31bf3856ad364e35_10.0.19041.1_none_5d7644a9644fd29d\ctfmon.exe"4⤵
- Modifies file permissions
PID:2800 -
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\WinSxS\wow64_microsoft-windows-t..cesframework-ctfmon_31bf3856ad364e35_10.0.19041.1_none_5d7644a9644fd29d\ctfmon.exe" /grant "everyone":(f)4⤵PID:5380
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\wow64_microsoft-windows-t..eldebugger-recorder_31bf3856ad364e35_10.0.19041.1_none_24a9c1e1e1b0f793\ttdinject.exe"3⤵PID:1528
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\WinSxS\wow64_microsoft-windows-t..eldebugger-recorder_31bf3856ad364e35_10.0.19041.1_none_24a9c1e1e1b0f793\ttdinject.exe"4⤵PID:384
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\WinSxS\wow64_microsoft-windows-t..eldebugger-recorder_31bf3856ad364e35_10.0.19041.1_none_24a9c1e1e1b0f793\ttdinject.exe" /grant "everyone":(f)4⤵PID:5976
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\wow64_microsoft-windows-t..eldebugger-recorder_31bf3856ad364e35_10.0.19041.1_none_24a9c1e1e1b0f793\tttracer.exe"3⤵PID:3636
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\WinSxS\wow64_microsoft-windows-t..eldebugger-recorder_31bf3856ad364e35_10.0.19041.1_none_24a9c1e1e1b0f793\tttracer.exe"4⤵PID:1076
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\WinSxS\wow64_microsoft-windows-t..eldebugger-recorder_31bf3856ad364e35_10.0.19041.1_none_24a9c1e1e1b0f793\tttracer.exe" /grant "everyone":(f)4⤵PID:4968
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\wow64_microsoft-windows-t..eldebugger-recorder_31bf3856ad364e35_10.0.19041.746_none_4cb1ff2aa122b5dd\f\tttracer.exe"3⤵PID:2072
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\WinSxS\wow64_microsoft-windows-t..eldebugger-recorder_31bf3856ad364e35_10.0.19041.746_none_4cb1ff2aa122b5dd\f\tttracer.exe"4⤵PID:5576
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\WinSxS\wow64_microsoft-windows-t..eldebugger-recorder_31bf3856ad364e35_10.0.19041.746_none_4cb1ff2aa122b5dd\f\tttracer.exe" /grant "everyone":(f)4⤵PID:6128
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\wow64_microsoft-windows-t..eldebugger-recorder_31bf3856ad364e35_10.0.19041.746_none_4cb1ff2aa122b5dd\r\tttracer.exe"3⤵PID:5148
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\WinSxS\wow64_microsoft-windows-t..eldebugger-recorder_31bf3856ad364e35_10.0.19041.746_none_4cb1ff2aa122b5dd\r\tttracer.exe"4⤵
- Possible privilege escalation attempt
PID:2116 -
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\WinSxS\wow64_microsoft-windows-t..eldebugger-recorder_31bf3856ad364e35_10.0.19041.746_none_4cb1ff2aa122b5dd\r\tttracer.exe" /grant "everyone":(f)4⤵PID:5468
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\wow64_microsoft-windows-t..eldebugger-recorder_31bf3856ad364e35_10.0.19041.746_none_4cb1ff2aa122b5dd\ttdinject.exe"3⤵PID:1628
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\WinSxS\wow64_microsoft-windows-t..eldebugger-recorder_31bf3856ad364e35_10.0.19041.746_none_4cb1ff2aa122b5dd\ttdinject.exe"4⤵
- Modifies file permissions
PID:4372 -
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\WinSxS\wow64_microsoft-windows-t..eldebugger-recorder_31bf3856ad364e35_10.0.19041.746_none_4cb1ff2aa122b5dd\ttdinject.exe" /grant "everyone":(f)4⤵PID:5524
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\wow64_microsoft-windows-t..eldebugger-recorder_31bf3856ad364e35_10.0.19041.746_none_4cb1ff2aa122b5dd\tttracer.exe"3⤵PID:5968
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\WinSxS\wow64_microsoft-windows-t..eldebugger-recorder_31bf3856ad364e35_10.0.19041.746_none_4cb1ff2aa122b5dd\tttracer.exe"4⤵PID:4552
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\WinSxS\wow64_microsoft-windows-t..eldebugger-recorder_31bf3856ad364e35_10.0.19041.746_none_4cb1ff2aa122b5dd\tttracer.exe" /grant "everyone":(f)4⤵PID:3144
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\wow64_microsoft-windows-t..es-commandlinetools_31bf3856ad364e35_10.0.19041.1_none_a4f6113bccc284b7\change.exe"3⤵PID:1804
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\WinSxS\wow64_microsoft-windows-t..es-commandlinetools_31bf3856ad364e35_10.0.19041.1_none_a4f6113bccc284b7\change.exe"4⤵PID:5176
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\WinSxS\wow64_microsoft-windows-t..es-commandlinetools_31bf3856ad364e35_10.0.19041.1_none_a4f6113bccc284b7\change.exe" /grant "everyone":(f)4⤵PID:4460
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\wow64_microsoft-windows-t..es-commandlinetools_31bf3856ad364e35_10.0.19041.1_none_a4f6113bccc284b7\chglogon.exe"3⤵PID:2432
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\WinSxS\wow64_microsoft-windows-t..es-commandlinetools_31bf3856ad364e35_10.0.19041.1_none_a4f6113bccc284b7\chglogon.exe"4⤵PID:2752
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\WinSxS\wow64_microsoft-windows-t..es-commandlinetools_31bf3856ad364e35_10.0.19041.1_none_a4f6113bccc284b7\chglogon.exe" /grant "everyone":(f)4⤵
- Possible privilege escalation attempt
PID:1796 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\wow64_microsoft-windows-t..es-commandlinetools_31bf3856ad364e35_10.0.19041.1_none_a4f6113bccc284b7\chgport.exe"3⤵PID:2396
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\WinSxS\wow64_microsoft-windows-t..es-commandlinetools_31bf3856ad364e35_10.0.19041.1_none_a4f6113bccc284b7\chgport.exe"4⤵PID:3552
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\WinSxS\wow64_microsoft-windows-t..es-commandlinetools_31bf3856ad364e35_10.0.19041.1_none_a4f6113bccc284b7\chgport.exe" /grant "everyone":(f)4⤵PID:5916
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\wow64_microsoft-windows-t..es-commandlinetools_31bf3856ad364e35_10.0.19041.1_none_a4f6113bccc284b7\chgusr.exe"3⤵PID:3988
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\WinSxS\wow64_microsoft-windows-t..es-commandlinetools_31bf3856ad364e35_10.0.19041.1_none_a4f6113bccc284b7\chgusr.exe"4⤵PID:4300
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\WinSxS\wow64_microsoft-windows-t..es-commandlinetools_31bf3856ad364e35_10.0.19041.1_none_a4f6113bccc284b7\chgusr.exe" /grant "everyone":(f)4⤵PID:5552
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\wow64_microsoft-windows-t..es-commandlinetools_31bf3856ad364e35_10.0.19041.1_none_a4f6113bccc284b7\logoff.exe"3⤵PID:6092
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\WinSxS\wow64_microsoft-windows-t..es-commandlinetools_31bf3856ad364e35_10.0.19041.1_none_a4f6113bccc284b7\logoff.exe"4⤵PID:1484
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\WinSxS\wow64_microsoft-windows-t..es-commandlinetools_31bf3856ad364e35_10.0.19041.1_none_a4f6113bccc284b7\logoff.exe" /grant "everyone":(f)4⤵PID:3432
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\wow64_microsoft-windows-t..es-commandlinetools_31bf3856ad364e35_10.0.19041.1_none_a4f6113bccc284b7\qappsrv.exe"3⤵PID:6080
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\WinSxS\wow64_microsoft-windows-t..es-commandlinetools_31bf3856ad364e35_10.0.19041.1_none_a4f6113bccc284b7\qappsrv.exe"4⤵
- Possible privilege escalation attempt
PID:4268 -
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\WinSxS\wow64_microsoft-windows-t..es-commandlinetools_31bf3856ad364e35_10.0.19041.1_none_a4f6113bccc284b7\qappsrv.exe" /grant "everyone":(f)4⤵PID:1376
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\wow64_microsoft-windows-t..es-commandlinetools_31bf3856ad364e35_10.0.19041.1_none_a4f6113bccc284b7\qprocess.exe"3⤵PID:3056
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\WinSxS\wow64_microsoft-windows-t..es-commandlinetools_31bf3856ad364e35_10.0.19041.1_none_a4f6113bccc284b7\qprocess.exe"4⤵PID:3636
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\WinSxS\wow64_microsoft-windows-t..es-commandlinetools_31bf3856ad364e35_10.0.19041.1_none_a4f6113bccc284b7\qprocess.exe" /grant "everyone":(f)4⤵PID:5116
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\wow64_microsoft-windows-t..es-commandlinetools_31bf3856ad364e35_10.0.19041.1_none_a4f6113bccc284b7\query.exe"3⤵PID:5292
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\WinSxS\wow64_microsoft-windows-t..es-commandlinetools_31bf3856ad364e35_10.0.19041.1_none_a4f6113bccc284b7\query.exe"4⤵PID:5988
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\WinSxS\wow64_microsoft-windows-t..es-commandlinetools_31bf3856ad364e35_10.0.19041.1_none_a4f6113bccc284b7\query.exe" /grant "everyone":(f)4⤵PID:5160
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\wow64_microsoft-windows-t..es-commandlinetools_31bf3856ad364e35_10.0.19041.1_none_a4f6113bccc284b7\reset.exe"3⤵PID:5468
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\WinSxS\wow64_microsoft-windows-t..es-commandlinetools_31bf3856ad364e35_10.0.19041.1_none_a4f6113bccc284b7\reset.exe"4⤵PID:5624
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\WinSxS\wow64_microsoft-windows-t..es-commandlinetools_31bf3856ad364e35_10.0.19041.1_none_a4f6113bccc284b7\reset.exe" /grant "everyone":(f)4⤵PID:4372
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\wow64_microsoft-windows-t..es-commandlinetools_31bf3856ad364e35_10.0.19041.1_none_a4f6113bccc284b7\rwinsta.exe"3⤵PID:3576
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\WinSxS\wow64_microsoft-windows-t..es-commandlinetools_31bf3856ad364e35_10.0.19041.1_none_a4f6113bccc284b7\rwinsta.exe"4⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:2420 -
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\WinSxS\wow64_microsoft-windows-t..es-commandlinetools_31bf3856ad364e35_10.0.19041.1_none_a4f6113bccc284b7\rwinsta.exe" /grant "everyone":(f)4⤵PID:2668
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\wow64_microsoft-windows-t..es-commandlinetools_31bf3856ad364e35_10.0.19041.1_none_a4f6113bccc284b7\tscon.exe"3⤵PID:2284
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\WinSxS\wow64_microsoft-windows-t..es-commandlinetools_31bf3856ad364e35_10.0.19041.1_none_a4f6113bccc284b7\tscon.exe"4⤵PID:5952
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\WinSxS\wow64_microsoft-windows-t..es-commandlinetools_31bf3856ad364e35_10.0.19041.1_none_a4f6113bccc284b7\tscon.exe" /grant "everyone":(f)4⤵PID:5092
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\wow64_microsoft-windows-t..es-commandlinetools_31bf3856ad364e35_10.0.19041.1_none_a4f6113bccc284b7\tsdiscon.exe"3⤵PID:5892
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\WinSxS\wow64_microsoft-windows-t..es-commandlinetools_31bf3856ad364e35_10.0.19041.1_none_a4f6113bccc284b7\tsdiscon.exe"4⤵PID:848
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\WinSxS\wow64_microsoft-windows-t..es-commandlinetools_31bf3856ad364e35_10.0.19041.1_none_a4f6113bccc284b7\tsdiscon.exe" /grant "everyone":(f)4⤵
- Possible privilege escalation attempt
PID:5600 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\wow64_microsoft-windows-t..es-commandlinetools_31bf3856ad364e35_10.0.19041.1_none_a4f6113bccc284b7\tskill.exe"3⤵PID:6100
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\WinSxS\wow64_microsoft-windows-t..es-commandlinetools_31bf3856ad364e35_10.0.19041.1_none_a4f6113bccc284b7\tskill.exe"4⤵PID:5300
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\WinSxS\wow64_microsoft-windows-t..es-commandlinetools_31bf3856ad364e35_10.0.19041.1_none_a4f6113bccc284b7\tskill.exe" /grant "everyone":(f)4⤵PID:5580
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\wow64_microsoft-windows-t..minalservicesclient_31bf3856ad364e35_10.0.19041.1266_none_ccf6cb6d0aa9a822\f\mstsc.exe"3⤵PID:5992
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\WinSxS\wow64_microsoft-windows-t..minalservicesclient_31bf3856ad364e35_10.0.19041.1266_none_ccf6cb6d0aa9a822\f\mstsc.exe"4⤵PID:6056
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\WinSxS\wow64_microsoft-windows-t..minalservicesclient_31bf3856ad364e35_10.0.19041.1266_none_ccf6cb6d0aa9a822\f\mstsc.exe" /grant "everyone":(f)4⤵PID:4092
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\wow64_microsoft-windows-t..minalservicesclient_31bf3856ad364e35_10.0.19041.1266_none_ccf6cb6d0aa9a822\mstsc.exe"3⤵PID:2068
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\WinSxS\wow64_microsoft-windows-t..minalservicesclient_31bf3856ad364e35_10.0.19041.1266_none_ccf6cb6d0aa9a822\mstsc.exe"4⤵
- Modifies file permissions
PID:3988 -
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\WinSxS\wow64_microsoft-windows-t..minalservicesclient_31bf3856ad364e35_10.0.19041.1266_none_ccf6cb6d0aa9a822\mstsc.exe" /grant "everyone":(f)4⤵PID:2492
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\wow64_microsoft-windows-t..minalservicesclient_31bf3856ad364e35_10.0.19041.1266_none_ccf6cb6d0aa9a822\r\mstsc.exe"3⤵PID:6060
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\WinSxS\wow64_microsoft-windows-t..minalservicesclient_31bf3856ad364e35_10.0.19041.1266_none_ccf6cb6d0aa9a822\r\mstsc.exe"4⤵PID:3164
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\WinSxS\wow64_microsoft-windows-t..minalservicesclient_31bf3856ad364e35_10.0.19041.1266_none_ccf6cb6d0aa9a822\r\mstsc.exe" /grant "everyone":(f)4⤵PID:1516
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\wow64_microsoft-windows-t..minalservicesclient_31bf3856ad364e35_10.0.19041.1_none_0e22056af4d5d874\mstsc.exe"3⤵PID:4676
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\WinSxS\wow64_microsoft-windows-t..minalservicesclient_31bf3856ad364e35_10.0.19041.1_none_0e22056af4d5d874\mstsc.exe"4⤵PID:5368
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\WinSxS\wow64_microsoft-windows-t..minalservicesclient_31bf3856ad364e35_10.0.19041.1_none_0e22056af4d5d874\mstsc.exe" /grant "everyone":(f)4⤵
- Modifies file permissions
PID:4568 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\wow64_microsoft-windows-t..onagent-proxyobject_31bf3856ad364e35_10.0.19041.1_none_23bb28d0952bcec8\RdpSaProxy.exe"3⤵PID:5364
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\WinSxS\wow64_microsoft-windows-t..onagent-proxyobject_31bf3856ad364e35_10.0.19041.1_none_23bb28d0952bcec8\RdpSaProxy.exe"4⤵PID:2240
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\WinSxS\wow64_microsoft-windows-t..onagent-proxyobject_31bf3856ad364e35_10.0.19041.1_none_23bb28d0952bcec8\RdpSaProxy.exe" /grant "everyone":(f)4⤵PID:996
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\wow64_microsoft-windows-t..rvices-sessionagent_31bf3856ad364e35_10.0.19041.1_none_3b97be772075a03a\RdpSa.exe"3⤵PID:5708
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\WinSxS\wow64_microsoft-windows-t..rvices-sessionagent_31bf3856ad364e35_10.0.19041.1_none_3b97be772075a03a\RdpSa.exe"4⤵PID:5232
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\WinSxS\wow64_microsoft-windows-t..rvices-sessionagent_31bf3856ad364e35_10.0.19041.1_none_3b97be772075a03a\RdpSa.exe" /grant "everyone":(f)4⤵
- Modifies file permissions
PID:6028 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\wow64_microsoft-windows-t..sionagent-uachelper_31bf3856ad364e35_10.0.19041.1_none_7aff9045397d4a4c\RdpSaUacHelper.exe"3⤵PID:5376
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\WinSxS\wow64_microsoft-windows-t..sionagent-uachelper_31bf3856ad364e35_10.0.19041.1_none_7aff9045397d4a4c\RdpSaUacHelper.exe"4⤵PID:5444
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\WinSxS\wow64_microsoft-windows-t..sionagent-uachelper_31bf3856ad364e35_10.0.19041.1_none_7aff9045397d4a4c\RdpSaUacHelper.exe" /grant "everyone":(f)4⤵PID:1440
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\wow64_microsoft-windows-tabletpc-inputpanel_31bf3856ad364e35_10.0.19041.1_none_d1d4cd9c4b409594\TabTip32.exe"3⤵PID:2960
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\WinSxS\wow64_microsoft-windows-tabletpc-inputpanel_31bf3856ad364e35_10.0.19041.1_none_d1d4cd9c4b409594\TabTip32.exe"4⤵PID:808
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\WinSxS\wow64_microsoft-windows-tabletpc-inputpanel_31bf3856ad364e35_10.0.19041.1_none_d1d4cd9c4b409594\TabTip32.exe" /grant "everyone":(f)4⤵PID:3416
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\wow64_microsoft-windows-takeown_31bf3856ad364e35_10.0.19041.1_none_ba311d9fe95c6271\takeown.exe"3⤵PID:5796
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\WinSxS\wow64_microsoft-windows-takeown_31bf3856ad364e35_10.0.19041.1_none_ba311d9fe95c6271\takeown.exe"4⤵PID:5744
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\WinSxS\wow64_microsoft-windows-takeown_31bf3856ad364e35_10.0.19041.1_none_ba311d9fe95c6271\takeown.exe" /grant "everyone":(f)4⤵PID:1200
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\wow64_microsoft-windows-tapicore_31bf3856ad364e35_10.0.19041.1_none_a47f90601a54e2cd\dialer.exe"3⤵PID:2284
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\WinSxS\wow64_microsoft-windows-tapicore_31bf3856ad364e35_10.0.19041.1_none_a47f90601a54e2cd\dialer.exe"4⤵
- Possible privilege escalation attempt
PID:5564 -
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\WinSxS\wow64_microsoft-windows-tapicore_31bf3856ad364e35_10.0.19041.1_none_a47f90601a54e2cd\dialer.exe" /grant "everyone":(f)4⤵PID:848
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\wow64_microsoft-windows-tapisetup_31bf3856ad364e35_10.0.19041.1_none_2a38e2996ee84e57\TapiUnattend.exe"3⤵PID:1668
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\WinSxS\wow64_microsoft-windows-tapisetup_31bf3856ad364e35_10.0.19041.1_none_2a38e2996ee84e57\TapiUnattend.exe"4⤵PID:6000
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\WinSxS\wow64_microsoft-windows-tapisetup_31bf3856ad364e35_10.0.19041.1_none_2a38e2996ee84e57\TapiUnattend.exe" /grant "everyone":(f)4⤵PID:3584
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\wow64_microsoft-windows-tapisetup_31bf3856ad364e35_10.0.19041.746_none_52411fe22e5a0ca1\TapiUnattend.exe"3⤵PID:6100
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\WinSxS\wow64_microsoft-windows-tapisetup_31bf3856ad364e35_10.0.19041.746_none_52411fe22e5a0ca1\TapiUnattend.exe"4⤵PID:6056
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\WinSxS\wow64_microsoft-windows-tapisetup_31bf3856ad364e35_10.0.19041.746_none_52411fe22e5a0ca1\TapiUnattend.exe" /grant "everyone":(f)4⤵
- Possible privilege escalation attempt
PID:560 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\wow64_microsoft-windows-taskkill_31bf3856ad364e35_10.0.19041.1_none_e5c3b6db2fced475\taskkill.exe"3⤵PID:5784
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\WinSxS\wow64_microsoft-windows-taskkill_31bf3856ad364e35_10.0.19041.1_none_e5c3b6db2fced475\taskkill.exe"4⤵PID:2644
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\WinSxS\wow64_microsoft-windows-taskkill_31bf3856ad364e35_10.0.19041.1_none_e5c3b6db2fced475\taskkill.exe" /grant "everyone":(f)4⤵PID:2548
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\wow64_microsoft-windows-tasklist_31bf3856ad364e35_10.0.19041.1_none_e888ea072e0fed05\tasklist.exe"3⤵PID:1064
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\WinSxS\wow64_microsoft-windows-tasklist_31bf3856ad364e35_10.0.19041.1_none_e888ea072e0fed05\tasklist.exe"4⤵PID:3128
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\WinSxS\wow64_microsoft-windows-tasklist_31bf3856ad364e35_10.0.19041.1_none_e888ea072e0fed05\tasklist.exe" /grant "everyone":(f)4⤵PID:4280
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\wow64_microsoft-windows-tcpip-utility_31bf3856ad364e35_10.0.19041.1_none_f30cab80229c6b29\ARP.EXE"3⤵PID:5896
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\WinSxS\wow64_microsoft-windows-tcpip-utility_31bf3856ad364e35_10.0.19041.1_none_f30cab80229c6b29\ARP.EXE"4⤵PID:4416
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\WinSxS\wow64_microsoft-windows-tcpip-utility_31bf3856ad364e35_10.0.19041.1_none_f30cab80229c6b29\ARP.EXE" /grant "everyone":(f)4⤵PID:1060
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\wow64_microsoft-windows-tcpip-utility_31bf3856ad364e35_10.0.19041.1_none_f30cab80229c6b29\finger.exe"3⤵PID:4200
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\WinSxS\wow64_microsoft-windows-tcpip-utility_31bf3856ad364e35_10.0.19041.1_none_f30cab80229c6b29\finger.exe"4⤵PID:3064
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\WinSxS\wow64_microsoft-windows-tcpip-utility_31bf3856ad364e35_10.0.19041.1_none_f30cab80229c6b29\finger.exe" /grant "everyone":(f)4⤵PID:5532
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\wow64_microsoft-windows-tcpip-utility_31bf3856ad364e35_10.0.19041.1_none_f30cab80229c6b29\HOSTNAME.EXE"3⤵PID:5436
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\WinSxS\wow64_microsoft-windows-tcpip-utility_31bf3856ad364e35_10.0.19041.1_none_f30cab80229c6b29\HOSTNAME.EXE"4⤵PID:5708
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\WinSxS\wow64_microsoft-windows-tcpip-utility_31bf3856ad364e35_10.0.19041.1_none_f30cab80229c6b29\HOSTNAME.EXE" /grant "everyone":(f)4⤵PID:4228
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\wow64_microsoft-windows-tcpip-utility_31bf3856ad364e35_10.0.19041.1_none_f30cab80229c6b29\MRINFO.EXE"3⤵PID:5136
-
  - C:\Windows\SysWOW64\takeown.exe | takeown /f "C:\Windows\WinSxS\wow64_microsoft-windows-tcpip-utility_31bf3856ad364e35_10.0.19041.1_none_f30cab80229c6b29\MRINFO.EXE" | level 4 | PID 5376
  - C:\Windows\SysWOW64\icacls.exe | icacls "C:\Windows\WinSxS\wow64_microsoft-windows-tcpip-utility_31bf3856ad364e35_10.0.19041.1_none_f30cab80229c6b29\MRINFO.EXE" /grant "everyone":(f) | level 4 | PID 4140
    - Modifies file permissions
- C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\wow64_microsoft-windows-tcpip-utility_31bf3856ad364e35_10.0.19041.1_none_f30cab80229c6b29\NETSTAT.EXE" | level 3 | PID 4372
  - C:\Windows\SysWOW64\takeown.exe | takeown /f "C:\Windows\WinSxS\wow64_microsoft-windows-tcpip-utility_31bf3856ad364e35_10.0.19041.1_none_f30cab80229c6b29\NETSTAT.EXE" | level 4 | PID 5604
  - C:\Windows\SysWOW64\icacls.exe | icacls "C:\Windows\WinSxS\wow64_microsoft-windows-tcpip-utility_31bf3856ad364e35_10.0.19041.1_none_f30cab80229c6b29\NETSTAT.EXE" /grant "everyone":(f) | level 4 | PID 5336
- C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\wow64_microsoft-windows-tcpip-utility_31bf3856ad364e35_10.0.19041.1_none_f30cab80229c6b29\ROUTE.EXE" | level 3 | PID 4468
  - C:\Windows\SysWOW64\takeown.exe | takeown /f "C:\Windows\WinSxS\wow64_microsoft-windows-tcpip-utility_31bf3856ad364e35_10.0.19041.1_none_f30cab80229c6b29\ROUTE.EXE" | level 4 | PID 5268
  - C:\Windows\SysWOW64\icacls.exe | icacls "C:\Windows\WinSxS\wow64_microsoft-windows-tcpip-utility_31bf3856ad364e35_10.0.19041.1_none_f30cab80229c6b29\ROUTE.EXE" /grant "everyone":(f) | level 4 | PID 1384
- C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\wow64_microsoft-windows-tcpip-utility_31bf3856ad364e35_10.0.19041.1_none_f30cab80229c6b29\TCPSVCS.EXE" | level 3 | PID 5492
  - C:\Windows\SysWOW64\takeown.exe | takeown /f "C:\Windows\WinSxS\wow64_microsoft-windows-tcpip-utility_31bf3856ad364e35_10.0.19041.1_none_f30cab80229c6b29\TCPSVCS.EXE" | level 4 | PID 2908
    - Possible privilege escalation attempt
  - C:\Windows\SysWOW64\icacls.exe | icacls "C:\Windows\WinSxS\wow64_microsoft-windows-tcpip-utility_31bf3856ad364e35_10.0.19041.1_none_f30cab80229c6b29\TCPSVCS.EXE" /grant "everyone":(f) | level 4 | PID 2380
- C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\wow64_microsoft-windows-tcpip_31bf3856ad364e35_10.0.19041.1_none_21cb4db26317f32e\netiougc.exe" | level 3 | PID 1804
  - C:\Windows\SysWOW64\takeown.exe | takeown /f "C:\Windows\WinSxS\wow64_microsoft-windows-tcpip_31bf3856ad364e35_10.0.19041.1_none_21cb4db26317f32e\netiougc.exe" | level 4 | PID 5788
  - C:\Windows\SysWOW64\icacls.exe | icacls "C:\Windows\WinSxS\wow64_microsoft-windows-tcpip_31bf3856ad364e35_10.0.19041.1_none_21cb4db26317f32e\netiougc.exe" /grant "everyone":(f) | level 4 | PID 5012
- C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\wow64_microsoft-windows-tcpip_31bf3856ad364e35_10.0.19041.746_none_49d38afb2289b178\f\netiougc.exe" | level 3 | PID 4368
  - C:\Windows\SysWOW64\takeown.exe | takeown /f "C:\Windows\WinSxS\wow64_microsoft-windows-tcpip_31bf3856ad364e35_10.0.19041.746_none_49d38afb2289b178\f\netiougc.exe" | level 4 | PID 2976
  - C:\Windows\SysWOW64\icacls.exe | icacls "C:\Windows\WinSxS\wow64_microsoft-windows-tcpip_31bf3856ad364e35_10.0.19041.746_none_49d38afb2289b178\f\netiougc.exe" /grant "everyone":(f) | level 4 | PID 5256
- C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\wow64_microsoft-windows-tcpip_31bf3856ad364e35_10.0.19041.746_none_49d38afb2289b178\netiougc.exe" | level 3 | PID 6104
  - C:\Windows\SysWOW64\takeown.exe | takeown /f "C:\Windows\WinSxS\wow64_microsoft-windows-tcpip_31bf3856ad364e35_10.0.19041.746_none_49d38afb2289b178\netiougc.exe" | level 4 | PID 4780
  - C:\Windows\SysWOW64\icacls.exe | icacls "C:\Windows\WinSxS\wow64_microsoft-windows-tcpip_31bf3856ad364e35_10.0.19041.746_none_49d38afb2289b178\netiougc.exe" /grant "everyone":(f) | level 4 | PID 2044
- C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\wow64_microsoft-windows-tcpip_31bf3856ad364e35_10.0.19041.746_none_49d38afb2289b178\r\netiougc.exe" | level 3 | PID 5348
  - C:\Windows\SysWOW64\takeown.exe | takeown /f "C:\Windows\WinSxS\wow64_microsoft-windows-tcpip_31bf3856ad364e35_10.0.19041.746_none_49d38afb2289b178\r\netiougc.exe" | level 4 | PID 164
    - Possible privilege escalation attempt
  - C:\Windows\SysWOW64\icacls.exe | icacls "C:\Windows\WinSxS\wow64_microsoft-windows-tcpip_31bf3856ad364e35_10.0.19041.746_none_49d38afb2289b178\r\netiougc.exe" /grant "everyone":(f) | level 4 | PID 6112
- C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\wow64_microsoft-windows-terminalservices-theme_31bf3856ad364e35_10.0.19041.1_none_962bc7b24e8d9f3a\TSTheme.exe" | level 3 | PID 1060
  - C:\Windows\SysWOW64\takeown.exe | takeown /f "C:\Windows\WinSxS\wow64_microsoft-windows-terminalservices-theme_31bf3856ad364e35_10.0.19041.1_none_962bc7b24e8d9f3a\TSTheme.exe" | level 4 | PID 1576
  - C:\Windows\SysWOW64\icacls.exe | icacls "C:\Windows\WinSxS\wow64_microsoft-windows-terminalservices-theme_31bf3856ad364e35_10.0.19041.1_none_962bc7b24e8d9f3a\TSTheme.exe" /grant "everyone":(f) | level 4 | PID 6116
- C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\wow64_microsoft-windows-terminalservices-theme_31bf3856ad364e35_10.0.19041.746_none_be3404fb0dff5d84\f\TSTheme.exe" | level 3 | PID 5532
  - C:\Windows\SysWOW64\takeown.exe | takeown /f "C:\Windows\WinSxS\wow64_microsoft-windows-terminalservices-theme_31bf3856ad364e35_10.0.19041.746_none_be3404fb0dff5d84\f\TSTheme.exe" | level 4 | PID 1376
  - C:\Windows\SysWOW64\icacls.exe | icacls "C:\Windows\WinSxS\wow64_microsoft-windows-terminalservices-theme_31bf3856ad364e35_10.0.19041.746_none_be3404fb0dff5d84\f\TSTheme.exe" /grant "everyone":(f) | level 4 | PID 5456
    - Possible privilege escalation attempt
- C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\wow64_microsoft-windows-terminalservices-theme_31bf3856ad364e35_10.0.19041.746_none_be3404fb0dff5d84\r\TSTheme.exe" | level 3 | PID 5224
  - C:\Windows\SysWOW64\takeown.exe | takeown /f "C:\Windows\WinSxS\wow64_microsoft-windows-terminalservices-theme_31bf3856ad364e35_10.0.19041.746_none_be3404fb0dff5d84\r\TSTheme.exe" | level 4 | PID 1620
  - C:\Windows\SysWOW64\icacls.exe | icacls "C:\Windows\WinSxS\wow64_microsoft-windows-terminalservices-theme_31bf3856ad364e35_10.0.19041.746_none_be3404fb0dff5d84\r\TSTheme.exe" /grant "everyone":(f) | level 4 | PID 3948
- C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\wow64_microsoft-windows-terminalservices-theme_31bf3856ad364e35_10.0.19041.746_none_be3404fb0dff5d84\TSTheme.exe" | level 3 | PID 5376
  - C:\Windows\SysWOW64\takeown.exe | takeown /f "C:\Windows\WinSxS\wow64_microsoft-windows-terminalservices-theme_31bf3856ad364e35_10.0.19041.746_none_be3404fb0dff5d84\TSTheme.exe" | level 4 | PID 5748
  - C:\Windows\SysWOW64\icacls.exe | icacls "C:\Windows\WinSxS\wow64_microsoft-windows-terminalservices-theme_31bf3856ad364e35_10.0.19041.746_none_be3404fb0dff5d84\TSTheme.exe" /grant "everyone":(f) | level 4 | PID 1176
    - Modifies file permissions
- C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\wow64_microsoft-windows-thumbexthost_31bf3856ad364e35_10.0.19041.1_none_b0b2b0b01128fbbb\ThumbnailExtractionHost.exe" | level 3 | PID 808
  - C:\Windows\SysWOW64\takeown.exe | takeown /f "C:\Windows\WinSxS\wow64_microsoft-windows-thumbexthost_31bf3856ad364e35_10.0.19041.1_none_b0b2b0b01128fbbb\ThumbnailExtractionHost.exe" | level 4 | PID 396
  - C:\Windows\SysWOW64\icacls.exe | icacls "C:\Windows\WinSxS\wow64_microsoft-windows-thumbexthost_31bf3856ad364e35_10.0.19041.1_none_b0b2b0b01128fbbb\ThumbnailExtractionHost.exe" /grant "everyone":(f) | level 4 | PID 5804
- C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\wow64_microsoft-windows-thumbexthost_31bf3856ad364e35_10.0.19041.746_none_d8baedf8d09aba05\f\ThumbnailExtractionHost.exe" | level 3 | PID 5452
  - C:\Windows\SysWOW64\takeown.exe | takeown /f "C:\Windows\WinSxS\wow64_microsoft-windows-thumbexthost_31bf3856ad364e35_10.0.19041.746_none_d8baedf8d09aba05\f\ThumbnailExtractionHost.exe" | level 4 | PID 5596
  - C:\Windows\SysWOW64\icacls.exe | icacls "C:\Windows\WinSxS\wow64_microsoft-windows-thumbexthost_31bf3856ad364e35_10.0.19041.746_none_d8baedf8d09aba05\f\ThumbnailExtractionHost.exe" /grant "everyone":(f) | level 4 | PID 5664
- C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\wow64_microsoft-windows-thumbexthost_31bf3856ad364e35_10.0.19041.746_none_d8baedf8d09aba05\r\ThumbnailExtractionHost.exe" | level 3 | PID 3424
  - C:\Windows\SysWOW64\takeown.exe | takeown /f "C:\Windows\WinSxS\wow64_microsoft-windows-thumbexthost_31bf3856ad364e35_10.0.19041.746_none_d8baedf8d09aba05\r\ThumbnailExtractionHost.exe" | level 4 | PID 5676
    - Possible privilege escalation attempt
  - C:\Windows\SysWOW64\icacls.exe | icacls "C:\Windows\WinSxS\wow64_microsoft-windows-thumbexthost_31bf3856ad364e35_10.0.19041.746_none_d8baedf8d09aba05\r\ThumbnailExtractionHost.exe" /grant "everyone":(f) | level 4 | PID 64
- C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\wow64_microsoft-windows-thumbexthost_31bf3856ad364e35_10.0.19041.746_none_d8baedf8d09aba05\ThumbnailExtractionHost.exe" | level 3 | PID 6000
  - C:\Windows\SysWOW64\takeown.exe | takeown /f "C:\Windows\WinSxS\wow64_microsoft-windows-thumbexthost_31bf3856ad364e35_10.0.19041.746_none_d8baedf8d09aba05\ThumbnailExtractionHost.exe" | level 4 | PID 3596
  - C:\Windows\SysWOW64\icacls.exe | icacls "C:\Windows\WinSxS\wow64_microsoft-windows-thumbexthost_31bf3856ad364e35_10.0.19041.746_none_d8baedf8d09aba05\ThumbnailExtractionHost.exe" /grant "everyone":(f) | level 4 | PID 5812
- C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\wow64_microsoft-windows-time-tool_31bf3856ad364e35_10.0.19041.1_none_ad4ed32c0facc27c\w32tm.exe" | level 3 | PID 2644
  - C:\Windows\SysWOW64\takeown.exe | takeown /f "C:\Windows\WinSxS\wow64_microsoft-windows-time-tool_31bf3856ad364e35_10.0.19041.1_none_ad4ed32c0facc27c\w32tm.exe" | level 4 | PID 3552
    - Possible privilege escalation attempt
  - C:\Windows\SysWOW64\icacls.exe | icacls "C:\Windows\WinSxS\wow64_microsoft-windows-time-tool_31bf3856ad364e35_10.0.19041.1_none_ad4ed32c0facc27c\w32tm.exe" /grant "everyone":(f) | level 4 | PID 3164
- C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\wow64_microsoft-windows-timeout_31bf3856ad364e35_10.0.19041.1_none_4caa24969a02f9c3\timeout.exe" | level 3 | PID 1704
  - C:\Windows\SysWOW64\takeown.exe | takeown /f "C:\Windows\WinSxS\wow64_microsoft-windows-timeout_31bf3856ad364e35_10.0.19041.1_none_4caa24969a02f9c3\timeout.exe" | level 4 | PID 6104
  - C:\Windows\SysWOW64\icacls.exe | icacls "C:\Windows\WinSxS\wow64_microsoft-windows-timeout_31bf3856ad364e35_10.0.19041.1_none_4caa24969a02f9c3\timeout.exe" /grant "everyone":(f) | level 4 | PID 1068
- C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\wow64_microsoft-windows-tpm-adminsnapin_31bf3856ad364e35_10.0.19041.1_none_37c2cec4b2ff6c9c\TpmInit.exe" | level 3 | PID 804
  - C:\Windows\SysWOW64\takeown.exe | takeown /f "C:\Windows\WinSxS\wow64_microsoft-windows-tpm-adminsnapin_31bf3856ad364e35_10.0.19041.1_none_37c2cec4b2ff6c9c\TpmInit.exe" | level 4 | PID 6076
    - Possible privilege escalation attempt
  - C:\Windows\SysWOW64\icacls.exe | icacls "C:\Windows\WinSxS\wow64_microsoft-windows-tpm-adminsnapin_31bf3856ad364e35_10.0.19041.1_none_37c2cec4b2ff6c9c\TpmInit.exe" /grant "everyone":(f) | level 4 | PID 212
- C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\wow64_microsoft-windows-tpm-tool_31bf3856ad364e35_10.0.19041.1202_none_7d4ea219d613c9d8\f\TpmTool.exe" | level 3 | PID 5104
  - C:\Windows\SysWOW64\takeown.exe | takeown /f "C:\Windows\WinSxS\wow64_microsoft-windows-tpm-tool_31bf3856ad364e35_10.0.19041.1202_none_7d4ea219d613c9d8\f\TpmTool.exe" | level 4 | PID 4568
  - C:\Windows\SysWOW64\icacls.exe | icacls "C:\Windows\WinSxS\wow64_microsoft-windows-tpm-tool_31bf3856ad364e35_10.0.19041.1202_none_7d4ea219d613c9d8\f\TpmTool.exe" /grant "everyone":(f) | level 4 | PID 3920
- C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\wow64_microsoft-windows-tpm-tool_31bf3856ad364e35_10.0.19041.1202_none_7d4ea219d613c9d8\r\TpmTool.exe" | level 3 | PID 2372
  - C:\Windows\SysWOW64\takeown.exe | takeown /f "C:\Windows\WinSxS\wow64_microsoft-windows-tpm-tool_31bf3856ad364e35_10.0.19041.1202_none_7d4ea219d613c9d8\r\TpmTool.exe" | level 4 | PID 3636
  - C:\Windows\SysWOW64\icacls.exe | icacls "C:\Windows\WinSxS\wow64_microsoft-windows-tpm-tool_31bf3856ad364e35_10.0.19041.1202_none_7d4ea219d613c9d8\r\TpmTool.exe" /grant "everyone":(f) | level 4 | PID 5292
- C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\wow64_microsoft-windows-tpm-tool_31bf3856ad364e35_10.0.19041.1202_none_7d4ea219d613c9d8\TpmTool.exe" | level 3 | PID 5424
  - C:\Windows\SysWOW64\takeown.exe | takeown /f "C:\Windows\WinSxS\wow64_microsoft-windows-tpm-tool_31bf3856ad364e35_10.0.19041.1202_none_7d4ea219d613c9d8\TpmTool.exe" | level 4 | PID 400
  - C:\Windows\SysWOW64\icacls.exe | icacls "C:\Windows\WinSxS\wow64_microsoft-windows-tpm-tool_31bf3856ad364e35_10.0.19041.1202_none_7d4ea219d613c9d8\TpmTool.exe" /grant "everyone":(f) | level 4 | PID 5020
    - Possible privilege escalation attempt
- C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\wow64_microsoft-windows-tpm-tool_31bf3856ad364e35_10.0.19041.1_none_be7f82b3c03af8b8\TpmTool.exe" | level 3 | PID 5524
  - C:\Windows\SysWOW64\takeown.exe | takeown /f "C:\Windows\WinSxS\wow64_microsoft-windows-tpm-tool_31bf3856ad364e35_10.0.19041.1_none_be7f82b3c03af8b8\TpmTool.exe" | level 4 | PID 396
  - C:\Windows\SysWOW64\icacls.exe | icacls "C:\Windows\WinSxS\wow64_microsoft-windows-tpm-tool_31bf3856ad364e35_10.0.19041.1_none_be7f82b3c03af8b8\TpmTool.exe" /grant "everyone":(f) | level 4 | PID 1464
    - Modifies file permissions
- C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\wow64_microsoft-windows-twinui_31bf3856ad364e35_10.0.19041.1202_none_f2bc4eeca2f84338\f\LaunchWinApp.exe" | level 3 | PID 4348
  - C:\Windows\SysWOW64\takeown.exe | takeown /f "C:\Windows\WinSxS\wow64_microsoft-windows-twinui_31bf3856ad364e35_10.0.19041.1202_none_f2bc4eeca2f84338\f\LaunchWinApp.exe" | level 4 | PID 1364
  - C:\Windows\SysWOW64\icacls.exe | icacls "C:\Windows\WinSxS\wow64_microsoft-windows-twinui_31bf3856ad364e35_10.0.19041.1202_none_f2bc4eeca2f84338\f\LaunchWinApp.exe" /grant "everyone":(f) | level 4 | PID 5744
- C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\wow64_microsoft-windows-twinui_31bf3856ad364e35_10.0.19041.1202_none_f2bc4eeca2f84338\LaunchWinApp.exe" | level 3 | PID 4316
  - C:\Windows\SysWOW64\takeown.exe | takeown /f "C:\Windows\WinSxS\wow64_microsoft-windows-twinui_31bf3856ad364e35_10.0.19041.1202_none_f2bc4eeca2f84338\LaunchWinApp.exe" | level 4 | PID 5452
  - C:\Windows\SysWOW64\icacls.exe | icacls "C:\Windows\WinSxS\wow64_microsoft-windows-twinui_31bf3856ad364e35_10.0.19041.1202_none_f2bc4eeca2f84338\LaunchWinApp.exe" /grant "everyone":(f) | level 4 | PID 4948
- C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\wow64_microsoft-windows-twinui_31bf3856ad364e35_10.0.19041.1202_none_f2bc4eeca2f84338\r\LaunchWinApp.exe" | level 3 | PID 64
  - C:\Windows\SysWOW64\takeown.exe | takeown /f "C:\Windows\WinSxS\wow64_microsoft-windows-twinui_31bf3856ad364e35_10.0.19041.1202_none_f2bc4eeca2f84338\r\LaunchWinApp.exe" | level 4 | PID 5584
  - C:\Windows\SysWOW64\icacls.exe | icacls "C:\Windows\WinSxS\wow64_microsoft-windows-twinui_31bf3856ad364e35_10.0.19041.1202_none_f2bc4eeca2f84338\r\LaunchWinApp.exe" /grant "everyone":(f) | level 4 | PID 3596
- C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\wow64_microsoft-windows-twinui_31bf3856ad364e35_10.0.19041.264_none_5bddc2e54ca343d3\LaunchWinApp.exe" | level 3 | PID 4516
  - C:\Windows\SysWOW64\takeown.exe | takeown /f "C:\Windows\WinSxS\wow64_microsoft-windows-twinui_31bf3856ad364e35_10.0.19041.264_none_5bddc2e54ca343d3\LaunchWinApp.exe" | level 4 | PID 2724
  - C:\Windows\SysWOW64\icacls.exe | icacls "C:\Windows\WinSxS\wow64_microsoft-windows-twinui_31bf3856ad364e35_10.0.19041.264_none_5bddc2e54ca343d3\LaunchWinApp.exe" /grant "everyone":(f) | level 4 | PID 1904
- C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\wow64_microsoft-windows-tzutil_31bf3856ad364e35_10.0.19041.1_none_f4898caed6e558be\tzutil.exe" | level 3 | PID 6032
  - C:\Windows\SysWOW64\takeown.exe | takeown /f "C:\Windows\WinSxS\wow64_microsoft-windows-tzutil_31bf3856ad364e35_10.0.19041.1_none_f4898caed6e558be\tzutil.exe" | level 4 | PID 2644
  - C:\Windows\SysWOW64\icacls.exe | icacls "C:\Windows\WinSxS\wow64_microsoft-windows-tzutil_31bf3856ad364e35_10.0.19041.1_none_f4898caed6e558be\tzutil.exe" /grant "everyone":(f) | level 4 | PID 2548
- C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\wow64_microsoft-windows-u..etry-client-wowonly_31bf3856ad364e35_10.0.19041.1_none_4c7da197e5837576\dtdump.exe" | level 3 | PID 3128
  - C:\Windows\SysWOW64\takeown.exe | takeown /f "C:\Windows\WinSxS\wow64_microsoft-windows-u..etry-client-wowonly_31bf3856ad364e35_10.0.19041.1_none_4c7da197e5837576\dtdump.exe" | level 4 | PID 3000
  - C:\Windows\SysWOW64\icacls.exe | icacls "C:\Windows\WinSxS\wow64_microsoft-windows-u..etry-client-wowonly_31bf3856ad364e35_10.0.19041.1_none_4c7da197e5837576\dtdump.exe" /grant "everyone":(f) | level 4 | PID 4436
- C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\wow64_microsoft-windows-u..etry-client-wowonly_31bf3856ad364e35_10.0.19041.662_none_746c3bfaa509091f\dtdump.exe" | level 3 | PID 2652
  - C:\Windows\SysWOW64\takeown.exe | takeown /f "C:\Windows\WinSxS\wow64_microsoft-windows-u..etry-client-wowonly_31bf3856ad364e35_10.0.19041.662_none_746c3bfaa509091f\dtdump.exe" | level 4 | PID 6048
  - C:\Windows\SysWOW64\icacls.exe | icacls "C:\Windows\WinSxS\wow64_microsoft-windows-u..etry-client-wowonly_31bf3856ad364e35_10.0.19041.662_none_746c3bfaa509091f\dtdump.exe" /grant "everyone":(f) | level 4 | PID 5552
- C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\wow64_microsoft-windows-u..etry-client-wowonly_31bf3856ad364e35_10.0.19041.662_none_746c3bfaa509091f\f\dtdump.exe" | level 3 | PID 3024
  - C:\Windows\SysWOW64\takeown.exe | takeown /f "C:\Windows\WinSxS\wow64_microsoft-windows-u..etry-client-wowonly_31bf3856ad364e35_10.0.19041.662_none_746c3bfaa509091f\f\dtdump.exe" | level 4 | PID 2648
  - C:\Windows\SysWOW64\icacls.exe | icacls "C:\Windows\WinSxS\wow64_microsoft-windows-u..etry-client-wowonly_31bf3856ad364e35_10.0.19041.662_none_746c3bfaa509091f\f\dtdump.exe" /grant "everyone":(f) | level 4 | PID 5104
- C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\wow64_microsoft-windows-u..etry-client-wowonly_31bf3856ad364e35_10.0.19041.662_none_746c3bfaa509091f\r\dtdump.exe" | level 3 | PID 4272
  - C:\Windows\SysWOW64\takeown.exe | takeown /f "C:\Windows\WinSxS\wow64_microsoft-windows-u..etry-client-wowonly_31bf3856ad364e35_10.0.19041.662_none_746c3bfaa509091f\r\dtdump.exe" | level 4 | PID 2760
  - C:\Windows\SysWOW64\icacls.exe | icacls "C:\Windows\WinSxS\wow64_microsoft-windows-u..etry-client-wowonly_31bf3856ad364e35_10.0.19041.662_none_746c3bfaa509091f\r\dtdump.exe" /grant "everyone":(f) | level 4 | PID 2372
- C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\wow64_microsoft-windows-u..onwakesettingflyout_31bf3856ad364e35_10.0.19041.1_none_6c93021db54246b0\PasswordOnWakeSettingFlyout.exe" | level 3 | PID 1176
  - C:\Windows\System32\Conhost.exe | \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 | level 4 | PID 5748
  - C:\Windows\SysWOW64\takeown.exe | takeown /f "C:\Windows\WinSxS\wow64_microsoft-windows-u..onwakesettingflyout_31bf3856ad364e35_10.0.19041.1_none_6c93021db54246b0\PasswordOnWakeSettingFlyout.exe" | level 4 | PID 5020
  - C:\Windows\SysWOW64\icacls.exe | icacls "C:\Windows\WinSxS\wow64_microsoft-windows-u..onwakesettingflyout_31bf3856ad364e35_10.0.19041.1_none_6c93021db54246b0\PasswordOnWakeSettingFlyout.exe" /grant "everyone":(f) | level 4 | PID 5392
- C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\wow64_microsoft-windows-u..onwakesettingflyout_31bf3856ad364e35_10.0.19041.746_none_949b3f6674b404fa\f\PasswordOnWakeSettingFlyout.exe" | level 3 | PID 5820
  - C:\Windows\SysWOW64\takeown.exe | takeown /f "C:\Windows\WinSxS\wow64_microsoft-windows-u..onwakesettingflyout_31bf3856ad364e35_10.0.19041.746_none_949b3f6674b404fa\f\PasswordOnWakeSettingFlyout.exe" | level 4 | PID 2960
    - Possible privilege escalation attempt
  - C:\Windows\SysWOW64\icacls.exe | icacls "C:\Windows\WinSxS\wow64_microsoft-windows-u..onwakesettingflyout_31bf3856ad364e35_10.0.19041.746_none_949b3f6674b404fa\f\PasswordOnWakeSettingFlyout.exe" /grant "everyone":(f) | level 4 | PID 3220
- C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\wow64_microsoft-windows-u..onwakesettingflyout_31bf3856ad364e35_10.0.19041.746_none_949b3f6674b404fa\PasswordOnWakeSettingFlyout.exe" | level 3 | PID 4372
  - C:\Windows\SysWOW64\takeown.exe | takeown /f "C:\Windows\WinSxS\wow64_microsoft-windows-u..onwakesettingflyout_31bf3856ad364e35_10.0.19041.746_none_949b3f6674b404fa\PasswordOnWakeSettingFlyout.exe" | level 4 | PID 5604
  - C:\Windows\SysWOW64\icacls.exe | icacls "C:\Windows\WinSxS\wow64_microsoft-windows-u..onwakesettingflyout_31bf3856ad364e35_10.0.19041.746_none_949b3f6674b404fa\PasswordOnWakeSettingFlyout.exe" /grant "everyone":(f) | level 4 | PID 4608
- C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\wow64_microsoft-windows-u..onwakesettingflyout_31bf3856ad364e35_10.0.19041.746_none_949b3f6674b404fa\r\PasswordOnWakeSettingFlyout.exe" | level 3 | PID 5960
  - C:\Windows\SysWOW64\takeown.exe | takeown /f "C:\Windows\WinSxS\wow64_microsoft-windows-u..onwakesettingflyout_31bf3856ad364e35_10.0.19041.746_none_949b3f6674b404fa\r\PasswordOnWakeSettingFlyout.exe" | level 4 | PID 5220
  - C:\Windows\SysWOW64\icacls.exe | icacls "C:\Windows\WinSxS\wow64_microsoft-windows-u..onwakesettingflyout_31bf3856ad364e35_10.0.19041.746_none_949b3f6674b404fa\r\PasswordOnWakeSettingFlyout.exe" /grant "everyone":(f) | level 4 | PID 5164
- C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\wow64_microsoft-windows-u..ountcontrolsettings_31bf3856ad364e35_10.0.19041.1_none_43eac9c1ac59d1f0\UserAccountControlSettings.exe" | level 3 | PID 2432
  - C:\Windows\SysWOW64\takeown.exe | takeown /f "C:\Windows\WinSxS\wow64_microsoft-windows-u..ountcontrolsettings_31bf3856ad364e35_10.0.19041.1_none_43eac9c1ac59d1f0\UserAccountControlSettings.exe" | level 4 | PID 64
    - Possible privilege escalation attempt
  - C:\Windows\SysWOW64\icacls.exe | icacls "C:\Windows\WinSxS\wow64_microsoft-windows-u..ountcontrolsettings_31bf3856ad364e35_10.0.19041.1_none_43eac9c1ac59d1f0\UserAccountControlSettings.exe" /grant "everyone":(f) | level 4 | PID 4760
- C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\wow64_microsoft-windows-u..ountcontrolsettings_31bf3856ad364e35_10.0.19041.423_none_6c05a0526bbe14de\UserAccountControlSettings.exe" | level 3 | PID 4308
  - C:\Windows\SysWOW64\takeown.exe | takeown /f "C:\Windows\WinSxS\wow64_microsoft-windows-u..ountcontrolsettings_31bf3856ad364e35_10.0.19041.423_none_6c05a0526bbe14de\UserAccountControlSettings.exe" | level 4 | PID 3164
  - C:\Windows\SysWOW64\icacls.exe | icacls "C:\Windows\WinSxS\wow64_microsoft-windows-u..ountcontrolsettings_31bf3856ad364e35_10.0.19041.423_none_6c05a0526bbe14de\UserAccountControlSettings.exe" /grant "everyone":(f) | level 4 | PID 3040
- C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\wow64_microsoft-windows-upnpdevicehost_31bf3856ad364e35_10.0.19041.153_none_aa284d65c7bee591\f\upnpcont.exe" | level 3 | PID 2120
  - C:\Windows\SysWOW64\takeown.exe | takeown /f "C:\Windows\WinSxS\wow64_microsoft-windows-upnpdevicehost_31bf3856ad364e35_10.0.19041.153_none_aa284d65c7bee591\f\upnpcont.exe" | level 4 | PID 388
  - C:\Windows\SysWOW64\icacls.exe | icacls "C:\Windows\WinSxS\wow64_microsoft-windows-upnpdevicehost_31bf3856ad364e35_10.0.19041.153_none_aa284d65c7bee591\f\upnpcont.exe" /grant "everyone":(f) | level 4 | PID 5580
- C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\wow64_microsoft-windows-upnpdevicehost_31bf3856ad364e35_10.0.19041.153_none_aa284d65c7bee591\r\upnpcont.exe" | level 3 | PID 5824
  - C:\Windows\SysWOW64\takeown.exe | takeown /f "C:\Windows\WinSxS\wow64_microsoft-windows-upnpdevicehost_31bf3856ad364e35_10.0.19041.153_none_aa284d65c7bee591\r\upnpcont.exe" | level 4 | PID 2364
  - C:\Windows\SysWOW64\icacls.exe | icacls "C:\Windows\WinSxS\wow64_microsoft-windows-upnpdevicehost_31bf3856ad364e35_10.0.19041.153_none_aa284d65c7bee591\r\upnpcont.exe" /grant "everyone":(f) | level 4 | PID 1064
- C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\wow64_microsoft-windows-upnpdevicehost_31bf3856ad364e35_10.0.19041.153_none_aa284d65c7bee591\upnpcont.exe" | level 3 | PID 4280
  - C:\Windows\SysWOW64\takeown.exe | takeown /f "C:\Windows\WinSxS\wow64_microsoft-windows-upnpdevicehost_31bf3856ad364e35_10.0.19041.153_none_aa284d65c7bee591\upnpcont.exe" | level 4 | PID 5080
  - C:\Windows\SysWOW64\icacls.exe | icacls "C:\Windows\WinSxS\wow64_microsoft-windows-upnpdevicehost_31bf3856ad364e35_10.0.19041.153_none_aa284d65c7bee591\upnpcont.exe" /grant "everyone":(f) | level 4 | PID 804
    - Modifies file permissions
- C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\wow64_microsoft-windows-upnpdevicehost_31bf3856ad364e35_10.0.19041.867_none_aa218bebc7c352ef\f\upnpcont.exe" | level 3 | PID 2784
  - C:\Windows\SysWOW64\takeown.exe | takeown /f "C:\Windows\WinSxS\wow64_microsoft-windows-upnpdevicehost_31bf3856ad364e35_10.0.19041.867_none_aa218bebc7c352ef\f\upnpcont.exe" | level 4 | PID 2300
    - Modifies file permissions
  - C:\Windows\SysWOW64\icacls.exe | icacls "C:\Windows\WinSxS\wow64_microsoft-windows-upnpdevicehost_31bf3856ad364e35_10.0.19041.867_none_aa218bebc7c352ef\f\upnpcont.exe" /grant "everyone":(f) | level 4 | PID 1460
- C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\wow64_microsoft-windows-upnpdevicehost_31bf3856ad364e35_10.0.19041.867_none_aa218bebc7c352ef\r\upnpcont.exe" | level 3 | PID 1532
  - C:\Windows\SysWOW64\takeown.exe | takeown /f "C:\Windows\WinSxS\wow64_microsoft-windows-upnpdevicehost_31bf3856ad364e35_10.0.19041.867_none_aa218bebc7c352ef\r\upnpcont.exe" | level 4 | PID 2240
  - C:\Windows\SysWOW64\icacls.exe | icacls "C:\Windows\WinSxS\wow64_microsoft-windows-upnpdevicehost_31bf3856ad364e35_10.0.19041.867_none_aa218bebc7c352ef\r\upnpcont.exe" /grant "everyone":(f) | level 4 | PID 3948
- C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\wow64_microsoft-windows-upnpdevicehost_31bf3856ad364e35_10.0.19041.867_none_aa218bebc7c352ef\upnpcont.exe" | level 3 | PID 2932
  - C:\Windows\SysWOW64\takeown.exe | takeown /f "C:\Windows\WinSxS\wow64_microsoft-windows-upnpdevicehost_31bf3856ad364e35_10.0.19041.867_none_aa218bebc7c352ef\upnpcont.exe" | level 4 | PID 3176
  - C:\Windows\SysWOW64\icacls.exe | icacls "C:\Windows\WinSxS\wow64_microsoft-windows-upnpdevicehost_31bf3856ad364e35_10.0.19041.867_none_aa218bebc7c352ef\upnpcont.exe" /grant "everyone":(f) | level 4 | PID 3232
- C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\wow64_microsoft-windows-usercpl-usermgrbroker_31bf3856ad364e35_10.0.19041.1_none_d6f1c935a875f141\UserAccountBroker.exe" | level 3 | PID 5776
  - C:\Windows\SysWOW64\takeown.exe | takeown /f "C:\Windows\WinSxS\wow64_microsoft-windows-usercpl-usermgrbroker_31bf3856ad364e35_10.0.19041.1_none_d6f1c935a875f141\UserAccountBroker.exe" | level 4 | PID 2448
  - C:\Windows\SysWOW64\icacls.exe | icacls "C:\Windows\WinSxS\wow64_microsoft-windows-usercpl-usermgrbroker_31bf3856ad364e35_10.0.19041.1_none_d6f1c935a875f141\UserAccountBroker.exe" /grant "everyone":(f) | level 4 | PID 3748
- C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\wow64_microsoft-windows-usercpl-usermgrbroker_31bf3856ad364e35_10.0.19041.746_none_fefa067e67e7af8b\f\UserAccountBroker.exe" | level 3 | PID 5560
  - C:\Windows\SysWOW64\takeown.exe | takeown /f "C:\Windows\WinSxS\wow64_microsoft-windows-usercpl-usermgrbroker_31bf3856ad364e35_10.0.19041.746_none_fefa067e67e7af8b\f\UserAccountBroker.exe" | level 4 | PID 2380
    - Modifies file permissions
  - C:\Windows\SysWOW64\icacls.exe | icacls "C:\Windows\WinSxS\wow64_microsoft-windows-usercpl-usermgrbroker_31bf3856ad364e35_10.0.19041.746_none_fefa067e67e7af8b\f\UserAccountBroker.exe" /grant "everyone":(f) | level 4 | PID 4468
- C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\wow64_microsoft-windows-usercpl-usermgrbroker_31bf3856ad364e35_10.0.19041.746_none_fefa067e67e7af8b\r\UserAccountBroker.exe" | level 3 | PID 5744
  - C:\Windows\SysWOW64\takeown.exe | takeown /f "C:\Windows\WinSxS\wow64_microsoft-windows-usercpl-usermgrbroker_31bf3856ad364e35_10.0.19041.746_none_fefa067e67e7af8b\r\UserAccountBroker.exe" | level 4 | PID 5968
  - C:\Windows\SysWOW64\icacls.exe | icacls "C:\Windows\WinSxS\wow64_microsoft-windows-usercpl-usermgrbroker_31bf3856ad364e35_10.0.19041.746_none_fefa067e67e7af8b\r\UserAccountBroker.exe" /grant "everyone":(f) | level 4 | PID 2908
- C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\wow64_microsoft-windows-usercpl-usermgrbroker_31bf3856ad364e35_10.0.19041.746_none_fefa067e67e7af8b\UserAccountBroker.exe" | level 3 | PID 4880
  - C:\Windows\SysWOW64\takeown.exe | takeown /f "C:\Windows\WinSxS\wow64_microsoft-windows-usercpl-usermgrbroker_31bf3856ad364e35_10.0.19041.746_none_fefa067e67e7af8b\UserAccountBroker.exe" | level 4 | PID 2212
  - C:\Windows\SysWOW64\icacls.exe | icacls "C:\Windows\WinSxS\wow64_microsoft-windows-usercpl-usermgrbroker_31bf3856ad364e35_10.0.19041.746_none_fefa067e67e7af8b\UserAccountBroker.exe" /grant "everyone":(f) | level 4 | PID 560
- C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\wow64_microsoft-windows-userinit_31bf3856ad364e35_10.0.19041.1_none_9c6e71eba56e4081\userinit.exe" | level 3 | PID 4404
  - C:\Windows\SysWOW64\takeown.exe | takeown /f "C:\Windows\WinSxS\wow64_microsoft-windows-userinit_31bf3856ad364e35_10.0.19041.1_none_9c6e71eba56e4081\userinit.exe" | level 4 | PID 2720
  - C:\Windows\SysWOW64\icacls.exe | icacls "C:\Windows\WinSxS\wow64_microsoft-windows-userinit_31bf3856ad364e35_10.0.19041.1_none_9c6e71eba56e4081\userinit.exe" /grant "everyone":(f) | level 4 | PID 736
- C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\wow64_microsoft-windows-utilman_31bf3856ad364e35_10.0.19041.1_none_c2ef67c504fb9748\Utilman.exe" | level 3 | PID 2912
  - C:\Windows\SysWOW64\takeown.exe | takeown /f "C:\Windows\WinSxS\wow64_microsoft-windows-utilman_31bf3856ad364e35_10.0.19041.1_none_c2ef67c504fb9748\Utilman.exe" | level 4 | PID 5256
  - C:\Windows\SysWOW64\icacls.exe | icacls "C:\Windows\WinSxS\wow64_microsoft-windows-utilman_31bf3856ad364e35_10.0.19041.1_none_c2ef67c504fb9748\Utilman.exe" /grant "everyone":(f) | level 4 | PID 3000
- C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\wow64_microsoft-windows-utilman_31bf3856ad364e35_10.0.19041.746_none_eaf7a50dc46d5592\f\Utilman.exe" | level 3 | PID 5916
  - C:\Windows\SysWOW64\takeown.exe | takeown /f "C:\Windows\WinSxS\wow64_microsoft-windows-utilman_31bf3856ad364e35_10.0.19041.746_none_eaf7a50dc46d5592\f\Utilman.exe" | level 4 | PID 404
    - Possible privilege escalation attempt
  - C:\Windows\SysWOW64\icacls.exe | icacls "C:\Windows\WinSxS\wow64_microsoft-windows-utilman_31bf3856ad364e35_10.0.19041.746_none_eaf7a50dc46d5592\f\Utilman.exe" /grant "everyone":(f) | level 4 | PID 4100
- C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\wow64_microsoft-windows-utilman_31bf3856ad364e35_10.0.19041.746_none_eaf7a50dc46d5592\r\Utilman.exe" | level 3 | PID 6088
  - C:\Windows\SysWOW64\takeown.exe | takeown /f "C:\Windows\WinSxS\wow64_microsoft-windows-utilman_31bf3856ad364e35_10.0.19041.746_none_eaf7a50dc46d5592\r\Utilman.exe" | level 4 | PID 3872
  - C:\Windows\SysWOW64\icacls.exe | icacls "C:\Windows\WinSxS\wow64_microsoft-windows-utilman_31bf3856ad364e35_10.0.19041.746_none_eaf7a50dc46d5592\r\Utilman.exe" /grant "everyone":(f) | level 4 | PID 4428
- C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\wow64_microsoft-windows-utilman_31bf3856ad364e35_10.0.19041.746_none_eaf7a50dc46d5592\Utilman.exe" | level 3 | PID 6076
  - C:\Windows\SysWOW64\takeown.exe | takeown /f "C:\Windows\WinSxS\wow64_microsoft-windows-utilman_31bf3856ad364e35_10.0.19041.746_none_eaf7a50dc46d5592\Utilman.exe" | level 4 | PID 3628
  - C:\Windows\SysWOW64\icacls.exe | icacls "C:\Windows\WinSxS\wow64_microsoft-windows-utilman_31bf3856ad364e35_10.0.19041.746_none_eaf7a50dc46d5592\Utilman.exe" /grant "everyone":(f) | level 4 | PID 4956
- C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\wow64_microsoft-windows-verclsid_31bf3856ad364e35_10.0.19041.1_none_7c2c890be7329496\verclsid.exe" | level 3 | PID 3276
  - C:\Windows\SysWOW64\takeown.exe | takeown /f "C:\Windows\WinSxS\wow64_microsoft-windows-verclsid_31bf3856ad364e35_10.0.19041.1_none_7c2c890be7329496\verclsid.exe" | level 4 | PID 1584
    - Possible privilege escalation attempt
  - C:\Windows\SysWOW64\icacls.exe | icacls "C:\Windows\WinSxS\wow64_microsoft-windows-verclsid_31bf3856ad364e35_10.0.19041.1_none_7c2c890be7329496\verclsid.exe" /grant "everyone":(f) | level 4 | PID 5196
- C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\wow64_microsoft-windows-w..for-management-core_31bf3856ad364e35_10.0.19041.1202_none_497a4c9b969ee5eb\f\WSManHTTPConfig.exe" | level 3 | PID 5860
  - C:\Windows\SysWOW64\takeown.exe | takeown /f "C:\Windows\WinSxS\wow64_microsoft-windows-w..for-management-core_31bf3856ad364e35_10.0.19041.1202_none_497a4c9b969ee5eb\f\WSManHTTPConfig.exe" | level 4 | PID 1968
  - C:\Windows\SysWOW64\icacls.exe | icacls "C:\Windows\WinSxS\wow64_microsoft-windows-w..for-management-core_31bf3856ad364e35_10.0.19041.1202_none_497a4c9b969ee5eb\f\WSManHTTPConfig.exe" /grant "everyone":(f) | level 4 | PID 1420
- C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\wow64_microsoft-windows-w..for-management-core_31bf3856ad364e35_10.0.19041.1202_none_497a4c9b969ee5eb\f\wsmprovhost.exe" | level 3 | PID 4916
  - C:\Windows\SysWOW64\takeown.exe | takeown /f "C:\Windows\WinSxS\wow64_microsoft-windows-w..for-management-core_31bf3856ad364e35_10.0.19041.1202_none_497a4c9b969ee5eb\f\wsmprovhost.exe" | level 4 | PID 5776
  - C:\Windows\SysWOW64\icacls.exe | icacls "C:\Windows\WinSxS\wow64_microsoft-windows-w..for-management-core_31bf3856ad364e35_10.0.19041.1202_none_497a4c9b969ee5eb\f\wsmprovhost.exe" /grant "everyone":(f) | level 4 | PID 4140
- C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\wow64_microsoft-windows-w..for-management-core_31bf3856ad364e35_10.0.19041.1202_none_497a4c9b969ee5eb\r\WSManHTTPConfig.exe" | level 3 | PID 208
  - C:\Windows\SysWOW64\takeown.exe | takeown /f "C:\Windows\WinSxS\wow64_microsoft-windows-w..for-management-core_31bf3856ad364e35_10.0.19041.1202_none_497a4c9b969ee5eb\r\WSManHTTPConfig.exe" | level 4 | PID 4372
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\WinSxS\wow64_microsoft-windows-w..for-management-core_31bf3856ad364e35_10.0.19041.1202_none_497a4c9b969ee5eb\r\WSManHTTPConfig.exe" /grant "everyone":(f)4⤵PID:5560
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\wow64_microsoft-windows-w..for-management-core_31bf3856ad364e35_10.0.19041.1202_none_497a4c9b969ee5eb\r\wsmprovhost.exe"3⤵PID:5948
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\WinSxS\wow64_microsoft-windows-w..for-management-core_31bf3856ad364e35_10.0.19041.1202_none_497a4c9b969ee5eb\r\wsmprovhost.exe"4⤵
- Modifies file permissions
PID:5960 -
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\WinSxS\wow64_microsoft-windows-w..for-management-core_31bf3856ad364e35_10.0.19041.1202_none_497a4c9b969ee5eb\r\wsmprovhost.exe" /grant "everyone":(f)4⤵PID:5744
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\wow64_microsoft-windows-w..for-management-core_31bf3856ad364e35_10.0.19041.1202_none_497a4c9b969ee5eb\WSManHTTPConfig.exe"3⤵PID:1644
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\WinSxS\wow64_microsoft-windows-w..for-management-core_31bf3856ad364e35_10.0.19041.1202_none_497a4c9b969ee5eb\WSManHTTPConfig.exe"4⤵
- Modifies file permissions
PID:2432 -
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\WinSxS\wow64_microsoft-windows-w..for-management-core_31bf3856ad364e35_10.0.19041.1202_none_497a4c9b969ee5eb\WSManHTTPConfig.exe" /grant "everyone":(f)4⤵PID:5492
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\wow64_microsoft-windows-w..for-management-core_31bf3856ad364e35_10.0.19041.1202_none_497a4c9b969ee5eb\wsmprovhost.exe"3⤵PID:6000
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\WinSxS\wow64_microsoft-windows-w..for-management-core_31bf3856ad364e35_10.0.19041.1202_none_497a4c9b969ee5eb\wsmprovhost.exe"4⤵PID:848
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\WinSxS\wow64_microsoft-windows-w..for-management-core_31bf3856ad364e35_10.0.19041.1202_none_497a4c9b969ee5eb\wsmprovhost.exe" /grant "everyone":(f)4⤵PID:4404
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\wow64_microsoft-windows-w..for-management-core_31bf3856ad364e35_10.0.19041.1_none_8aab2d3580c614cb\WSManHTTPConfig.exe"3⤵PID:4976
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\WinSxS\wow64_microsoft-windows-w..for-management-core_31bf3856ad364e35_10.0.19041.1_none_8aab2d3580c614cb\WSManHTTPConfig.exe"4⤵PID:3536
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\WinSxS\wow64_microsoft-windows-w..for-management-core_31bf3856ad364e35_10.0.19041.1_none_8aab2d3580c614cb\WSManHTTPConfig.exe" /grant "everyone":(f)4⤵PID:2976
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\wow64_microsoft-windows-w..for-management-core_31bf3856ad364e35_10.0.19041.1_none_8aab2d3580c614cb\wsmprovhost.exe"3⤵PID:4368
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\WinSxS\wow64_microsoft-windows-w..for-management-core_31bf3856ad364e35_10.0.19041.1_none_8aab2d3580c614cb\wsmprovhost.exe"4⤵PID:5368
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\WinSxS\wow64_microsoft-windows-w..for-management-core_31bf3856ad364e35_10.0.19041.1_none_8aab2d3580c614cb\wsmprovhost.exe" /grant "everyone":(f)4⤵PID:2364
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\wow64_microsoft-windows-w..ommand-line-utility_31bf3856ad364e35_10.0.19041.1_none_61ef8d34a0953a91\WMIC.exe"3⤵PID:5080
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\WinSxS\wow64_microsoft-windows-w..ommand-line-utility_31bf3856ad364e35_10.0.19041.1_none_61ef8d34a0953a91\WMIC.exe"4⤵PID:3872
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\WinSxS\wow64_microsoft-windows-w..ommand-line-utility_31bf3856ad364e35_10.0.19041.1_none_61ef8d34a0953a91\WMIC.exe" /grant "everyone":(f)4⤵PID:3968
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\wow64_microsoft-windows-w..sition-uicomponents_31bf3856ad364e35_10.0.19041.1151_none_4e193eb76ed5f8cb\f\wiaacmgr.exe"3⤵PID:996
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\WinSxS\wow64_microsoft-windows-w..sition-uicomponents_31bf3856ad364e35_10.0.19041.1151_none_4e193eb76ed5f8cb\f\wiaacmgr.exe"4⤵PID:5500
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\WinSxS\wow64_microsoft-windows-w..sition-uicomponents_31bf3856ad364e35_10.0.19041.1151_none_4e193eb76ed5f8cb\f\wiaacmgr.exe" /grant "everyone":(f)4⤵PID:1076
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\wow64_microsoft-windows-w..sition-uicomponents_31bf3856ad364e35_10.0.19041.1151_none_4e193eb76ed5f8cb\r\wiaacmgr.exe"3⤵PID:2240
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\WinSxS\wow64_microsoft-windows-w..sition-uicomponents_31bf3856ad364e35_10.0.19041.1151_none_4e193eb76ed5f8cb\r\wiaacmgr.exe"4⤵PID:2420
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\WinSxS\wow64_microsoft-windows-w..sition-uicomponents_31bf3856ad364e35_10.0.19041.1151_none_4e193eb76ed5f8cb\r\wiaacmgr.exe" /grant "everyone":(f)4⤵PID:2792
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\wow64_microsoft-windows-w..sition-uicomponents_31bf3856ad364e35_10.0.19041.1151_none_4e193eb76ed5f8cb\wiaacmgr.exe"3⤵PID:432
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\WinSxS\wow64_microsoft-windows-w..sition-uicomponents_31bf3856ad364e35_10.0.19041.1151_none_4e193eb76ed5f8cb\wiaacmgr.exe"4⤵PID:1420
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\WinSxS\wow64_microsoft-windows-w..sition-uicomponents_31bf3856ad364e35_10.0.19041.1151_none_4e193eb76ed5f8cb\wiaacmgr.exe" /grant "everyone":(f)4⤵PID:4200
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\wow64_microsoft-windows-w..sition-uicomponents_31bf3856ad364e35_10.0.19041.1_none_8f3a372b5909de8a\wiaacmgr.exe"3⤵PID:4228
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\WinSxS\wow64_microsoft-windows-w..sition-uicomponents_31bf3856ad364e35_10.0.19041.1_none_8f3a372b5909de8a\wiaacmgr.exe"4⤵PID:5544
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\WinSxS\wow64_microsoft-windows-w..sition-uicomponents_31bf3856ad364e35_10.0.19041.1_none_8f3a372b5909de8a\wiaacmgr.exe" /grant "everyone":(f)4⤵PID:5296
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\wow64_microsoft-windows-w..ter-cimprovider-exe_31bf3856ad364e35_10.0.19041.1_none_238f55dfbfb45941\Register-CimProvider.exe"3⤵PID:3220
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\WinSxS\wow64_microsoft-windows-w..ter-cimprovider-exe_31bf3856ad364e35_10.0.19041.1_none_238f55dfbfb45941\Register-CimProvider.exe"4⤵PID:5688
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\WinSxS\wow64_microsoft-windows-w..ter-cimprovider-exe_31bf3856ad364e35_10.0.19041.1_none_238f55dfbfb45941\Register-CimProvider.exe" /grant "everyone":(f)4⤵PID:5268
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\wow64_microsoft-windows-w..tnet-mua-hostserver_31bf3856ad364e35_10.0.19041.1_none_913591207b2aaf6f\WinRTNetMUAHostServer.exe"3⤵PID:3272
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\WinSxS\wow64_microsoft-windows-w..tnet-mua-hostserver_31bf3856ad364e35_10.0.19041.1_none_913591207b2aaf6f\WinRTNetMUAHostServer.exe"4⤵PID:5744
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\WinSxS\wow64_microsoft-windows-w..tnet-mua-hostserver_31bf3856ad364e35_10.0.19041.1_none_913591207b2aaf6f\WinRTNetMUAHostServer.exe" /grant "everyone":(f)4⤵
- Modifies file permissions
PID:6096 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\wow64_microsoft-windows-w..tnet-mua-hostserver_31bf3856ad364e35_10.0.19041.746_none_b93dce693a9c6db9\f\WinRTNetMUAHostServer.exe"3⤵PID:4688
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\WinSxS\wow64_microsoft-windows-w..tnet-mua-hostserver_31bf3856ad364e35_10.0.19041.746_none_b93dce693a9c6db9\f\WinRTNetMUAHostServer.exe"4⤵PID:4316
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\WinSxS\wow64_microsoft-windows-w..tnet-mua-hostserver_31bf3856ad364e35_10.0.19041.746_none_b93dce693a9c6db9\f\WinRTNetMUAHostServer.exe" /grant "everyone":(f)4⤵PID:3532
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\wow64_microsoft-windows-w..tnet-mua-hostserver_31bf3856ad364e35_10.0.19041.746_none_b93dce693a9c6db9\r\WinRTNetMUAHostServer.exe"3⤵PID:5856
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\WinSxS\wow64_microsoft-windows-w..tnet-mua-hostserver_31bf3856ad364e35_10.0.19041.746_none_b93dce693a9c6db9\r\WinRTNetMUAHostServer.exe"4⤵PID:5904
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\WinSxS\wow64_microsoft-windows-w..tnet-mua-hostserver_31bf3856ad364e35_10.0.19041.746_none_b93dce693a9c6db9\r\WinRTNetMUAHostServer.exe" /grant "everyone":(f)4⤵PID:5288
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\wow64_microsoft-windows-w..tnet-mua-hostserver_31bf3856ad364e35_10.0.19041.746_none_b93dce693a9c6db9\WinRTNetMUAHostServer.exe"3⤵PID:1796
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\WinSxS\wow64_microsoft-windows-w..tnet-mua-hostserver_31bf3856ad364e35_10.0.19041.746_none_b93dce693a9c6db9\WinRTNetMUAHostServer.exe"4⤵PID:4500
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\WinSxS\wow64_microsoft-windows-w..tnet-mua-hostserver_31bf3856ad364e35_10.0.19041.746_none_b93dce693a9c6db9\WinRTNetMUAHostServer.exe" /grant "everyone":(f)4⤵PID:6056
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\wow64_microsoft-windows-wab-app_31bf3856ad364e35_10.0.19041.1_none_02ef1556ab50e6d8\wab.exe"3⤵PID:5956
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\WinSxS\wow64_microsoft-windows-wab-app_31bf3856ad364e35_10.0.19041.1_none_02ef1556ab50e6d8\wab.exe"4⤵PID:2364
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\WinSxS\wow64_microsoft-windows-wab-app_31bf3856ad364e35_10.0.19041.1_none_02ef1556ab50e6d8\wab.exe" /grant "everyone":(f)4⤵
- Modifies file permissions
PID:6036 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\wow64_microsoft-windows-wab-app_31bf3856ad364e35_10.0.19041.1_none_02ef1556ab50e6d8\wabmig.exe"3⤵PID:5400
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\WinSxS\wow64_microsoft-windows-wab-app_31bf3856ad364e35_10.0.19041.1_none_02ef1556ab50e6d8\wabmig.exe"4⤵PID:5156
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\WinSxS\wow64_microsoft-windows-wab-app_31bf3856ad364e35_10.0.19041.1_none_02ef1556ab50e6d8\wabmig.exe" /grant "everyone":(f)4⤵PID:4304
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\wow64_microsoft-windows-waitfor_31bf3856ad364e35_10.0.19041.1_none_76ab6db74ef1e15e\waitfor.exe"3⤵PID:3396
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\WinSxS\wow64_microsoft-windows-waitfor_31bf3856ad364e35_10.0.19041.1_none_76ab6db74ef1e15e\waitfor.exe"4⤵PID:1076
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\WinSxS\wow64_microsoft-windows-waitfor_31bf3856ad364e35_10.0.19041.1_none_76ab6db74ef1e15e\waitfor.exe" /grant "everyone":(f)4⤵PID:2784
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\wow64_microsoft-windows-web-app-host_31bf3856ad364e35_10.0.19041.1_none_f2d57eada2c90ed3\WWAHost.exe"3⤵PID:5392
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\WinSxS\wow64_microsoft-windows-web-app-host_31bf3856ad364e35_10.0.19041.1_none_f2d57eada2c90ed3\WWAHost.exe"4⤵PID:1176
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\WinSxS\wow64_microsoft-windows-web-app-host_31bf3856ad364e35_10.0.19041.1_none_f2d57eada2c90ed3\WWAHost.exe" /grant "everyone":(f)4⤵PID:4900
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2108,11631536847596788406,1899128154349836251,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=5312 /prefetch:22⤵
- Suspicious behavior: EnumeratesProcesses
PID:5960
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵PID:1704
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵PID:4012
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵PID:1520
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding1⤵PID:1100
-
C:\Users\Admin\Downloads\Bonzify.exe"C:\Users\Admin\Downloads\Bonzify.exe"1⤵
- Executes dropped EXE
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:1216 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\KillAgent.bat"2⤵
- System Location Discovery: System Language Discovery
PID:972 -
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im AgentSvr.exe3⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:4992 -
C:\Windows\SysWOW64\takeown.exetakeown /r /d y /f C:\Windows\MsAgent3⤵
- System Location Discovery: System Language Discovery
PID:720 -
C:\Windows\SysWOW64\icacls.exeicacls C:\Windows\MsAgent /c /t /grant "everyone":(f)3⤵
- Possible privilege escalation attempt
- System Location Discovery: System Language Discovery
PID:4100 -
C:\Users\Admin\AppData\Local\Temp\INSTALLER.exeINSTALLER.exe /q2⤵
- Boot or Logon Autostart Execution: Active Setup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:2800 -
C:\Windows\SysWOW64\regsvr32.exeregsvr32 /s "C:\Windows\msagent\AgentCtl.dll"3⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:1636 -
C:\Windows\SysWOW64\regsvr32.exeregsvr32 /s "C:\Windows\msagent\AgentDPv.dll"3⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:5704 -
C:\Windows\SysWOW64\regsvr32.exeregsvr32 /s "C:\Windows\msagent\mslwvtts.dll"3⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:3392 -
C:\Windows\SysWOW64\regsvr32.exeregsvr32 /s "C:\Windows\msagent\AgentDP2.dll"3⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:5824 -
C:\Windows\SysWOW64\regsvr32.exeregsvr32 /s "C:\Windows\msagent\AgentMPx.dll"3⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:5776 -
C:\Windows\SysWOW64\regsvr32.exeregsvr32 /s "C:\Windows\msagent\AgentSR.dll"3⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:5588 -
C:\Windows\SysWOW64\regsvr32.exeregsvr32 /s "C:\Windows\msagent\AgentPsh.dll"3⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:1384 -
C:\Windows\msagent\AgentSvr.exe"C:\Windows\msagent\AgentSvr.exe" /regserver3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:4880 -
C:\Windows\SysWOW64\grpconv.exegrpconv.exe -o3⤵
- System Location Discovery: System Language Discovery
PID:1360 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\wow64_microsoft-windows-settingsynchost_31bf3856ad364e35_10.0.19041.1202_none_fef803c70cc0b37b\f\SettingSyncHost.exe"2⤵
- System Location Discovery: System Language Discovery
PID:5132 -
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\WinSxS\wow64_microsoft-windows-settingsynchost_31bf3856ad364e35_10.0.19041.1202_none_fef803c70cc0b37b\f\SettingSyncHost.exe"3⤵
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:1704 -
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\WinSxS\wow64_microsoft-windows-settingsynchost_31bf3856ad364e35_10.0.19041.1202_none_fef803c70cc0b37b\f\SettingSyncHost.exe" /grant "everyone":(f)3⤵
- System Location Discovery: System Language Discovery
PID:5432 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\wow64_microsoft-windows-settingsynchost_31bf3856ad364e35_10.0.19041.1202_none_fef803c70cc0b37b\r\SettingSyncHost.exe"2⤵
- System Location Discovery: System Language Discovery
PID:4424 -
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\WinSxS\wow64_microsoft-windows-settingsynchost_31bf3856ad364e35_10.0.19041.1202_none_fef803c70cc0b37b\r\SettingSyncHost.exe"3⤵
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:2960 -
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\WinSxS\wow64_microsoft-windows-settingsynchost_31bf3856ad364e35_10.0.19041.1202_none_fef803c70cc0b37b\r\SettingSyncHost.exe" /grant "everyone":(f)3⤵
- System Location Discovery: System Language Discovery
PID:5748 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\wow64_microsoft-windows-settingsynchost_31bf3856ad364e35_10.0.19041.1202_none_fef803c70cc0b37b\SettingSyncHost.exe"2⤵
- System Location Discovery: System Language Discovery
PID:5828 -
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\WinSxS\wow64_microsoft-windows-settingsynchost_31bf3856ad364e35_10.0.19041.1202_none_fef803c70cc0b37b\SettingSyncHost.exe"3⤵
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:5252 -
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\WinSxS\wow64_microsoft-windows-settingsynchost_31bf3856ad364e35_10.0.19041.1202_none_fef803c70cc0b37b\SettingSyncHost.exe" /grant "everyone":(f)3⤵
- Possible privilege escalation attempt
- System Location Discovery: System Language Discovery
PID:1344 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\wow64_microsoft-windows-settingsynchost_31bf3856ad364e35_10.0.19041.1_none_4028e460f6e7e25b\SettingSyncHost.exe"2⤵PID:5988
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\WinSxS\wow64_microsoft-windows-settingsynchost_31bf3856ad364e35_10.0.19041.1_none_4028e460f6e7e25b\SettingSyncHost.exe"3⤵PID:5520
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\WinSxS\wow64_microsoft-windows-settingsynchost_31bf3856ad364e35_10.0.19041.1_none_4028e460f6e7e25b\SettingSyncHost.exe" /grant "everyone":(f)3⤵
- Possible privilege escalation attempt
PID:2972 -
C:\Users\Admin\AppData\Local\Temp\INSTALLER.exeINSTALLER.exe /q2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:6128 -
C:\Windows\SysWOW64\regsvr32.exeregsvr32 /s "C:\Windows\msagent\AgentCtl.dll"3⤵PID:5360
-
C:\Windows\SysWOW64\regsvr32.exeregsvr32 /s "C:\Windows\msagent\AgentDPv.dll"3⤵PID:5424
-
C:\Windows\SysWOW64\regsvr32.exeregsvr32 /s "C:\Windows\msagent\mslwvtts.dll"3⤵PID:5408
-
C:\Windows\SysWOW64\regsvr32.exeregsvr32 /s "C:\Windows\msagent\AgentDP2.dll"3⤵PID:1628
-
C:\Windows\SysWOW64\regsvr32.exeregsvr32 /s "C:\Windows\msagent\AgentMPx.dll"3⤵PID:5612
-
C:\Windows\SysWOW64\regsvr32.exeregsvr32 /s "C:\Windows\msagent\AgentSR.dll"3⤵PID:4432
-
C:\Windows\SysWOW64\regsvr32.exeregsvr32 /s "C:\Windows\msagent\AgentPsh.dll"3⤵PID:5012
-
C:\Windows\msagent\AgentSvr.exe"C:\Windows\msagent\AgentSvr.exe" /regserver3⤵PID:5764
-
C:\Windows\SysWOW64\grpconv.exegrpconv.exe -o3⤵PID:6120
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\wow64_microsoft-windows-setupapi_31bf3856ad364e35_10.0.19041.1237_none_b40cbfe2afd2c015\f\wowreg32.exe"2⤵PID:5292
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\WinSxS\wow64_microsoft-windows-setupapi_31bf3856ad364e35_10.0.19041.1237_none_b40cbfe2afd2c015\f\wowreg32.exe"3⤵PID:5544
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\WinSxS\wow64_microsoft-windows-setupapi_31bf3856ad364e35_10.0.19041.1237_none_b40cbfe2afd2c015\f\wowreg32.exe" /grant "everyone":(f)3⤵PID:5412
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\wow64_microsoft-windows-setupapi_31bf3856ad364e35_10.0.19041.1237_none_b40cbfe2afd2c015\r\wowreg32.exe"2⤵PID:4796
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\WinSxS\wow64_microsoft-windows-setupapi_31bf3856ad364e35_10.0.19041.1237_none_b40cbfe2afd2c015\r\wowreg32.exe"3⤵PID:1364
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\WinSxS\wow64_microsoft-windows-setupapi_31bf3856ad364e35_10.0.19041.1237_none_b40cbfe2afd2c015\r\wowreg32.exe" /grant "everyone":(f)3⤵PID:3232
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\wow64_microsoft-windows-setupapi_31bf3856ad364e35_10.0.19041.1237_none_b40cbfe2afd2c015\wowreg32.exe"2⤵PID:5336
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\WinSxS\wow64_microsoft-windows-setupapi_31bf3856ad364e35_10.0.19041.1237_none_b40cbfe2afd2c015\wowreg32.exe"3⤵PID:1092
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\WinSxS\wow64_microsoft-windows-setupapi_31bf3856ad364e35_10.0.19041.1237_none_b40cbfe2afd2c015\wowreg32.exe" /grant "everyone":(f)3⤵PID:372
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\wow64_microsoft-windows-setupapi_31bf3856ad364e35_10.0.19041.1_none_f53b118699fc22cb\wowreg32.exe"2⤵PID:4452
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\WinSxS\wow64_microsoft-windows-setupapi_31bf3856ad364e35_10.0.19041.1_none_f53b118699fc22cb\wowreg32.exe"3⤵PID:3508
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\WinSxS\wow64_microsoft-windows-setupapi_31bf3856ad364e35_10.0.19041.1_none_f53b118699fc22cb\wowreg32.exe" /grant "everyone":(f)3⤵PID:4608
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\wow64_microsoft-windows-setx_31bf3856ad364e35_10.0.19041.1_none_6cbc8da4ecceab64\setx.exe"2⤵PID:1520
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\WinSxS\wow64_microsoft-windows-setx_31bf3856ad364e35_10.0.19041.1_none_6cbc8da4ecceab64\setx.exe"3⤵PID:4500
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\WinSxS\wow64_microsoft-windows-setx_31bf3856ad364e35_10.0.19041.1_none_6cbc8da4ecceab64\setx.exe" /grant "everyone":(f)3⤵PID:5200
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\wow64_microsoft-windows-sharedaccess_31bf3856ad364e35_10.0.19041.1_none_c513167c1d0a90dd\icsunattend.exe"2⤵PID:5256
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\WinSxS\wow64_microsoft-windows-sharedaccess_31bf3856ad364e35_10.0.19041.1_none_c513167c1d0a90dd\icsunattend.exe"3⤵PID:2112
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\WinSxS\wow64_microsoft-windows-sharedaccess_31bf3856ad364e35_10.0.19041.1_none_c513167c1d0a90dd\icsunattend.exe" /grant "everyone":(f)3⤵PID:776
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\wow64_microsoft-windows-sharedfoldersui_31bf3856ad364e35_10.0.19041.1_none_7862ecae0548fb54\shrpubw.exe"2⤵PID:2652
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\WinSxS\wow64_microsoft-windows-sharedfoldersui_31bf3856ad364e35_10.0.19041.1_none_7862ecae0548fb54\shrpubw.exe"3⤵
- Possible privilege escalation attempt
PID:1848 -
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\WinSxS\wow64_microsoft-windows-sharedfoldersui_31bf3856ad364e35_10.0.19041.1_none_7862ecae0548fb54\shrpubw.exe" /grant "everyone":(f)3⤵PID:1032
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\wow64_microsoft-windows-sharedfoldersui_31bf3856ad364e35_10.0.19041.746_none_a06b29f6c4bab99e\shrpubw.exe"2⤵PID:2932
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\WinSxS\wow64_microsoft-windows-sharedfoldersui_31bf3856ad364e35_10.0.19041.746_none_a06b29f6c4bab99e\shrpubw.exe"3⤵PID:1924
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\WinSxS\wow64_microsoft-windows-sharedfoldersui_31bf3856ad364e35_10.0.19041.746_none_a06b29f6c4bab99e\shrpubw.exe" /grant "everyone":(f)3⤵PID:5364
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\wow64_microsoft-windows-shell-previewhost_31bf3856ad364e35_10.0.19041.1_none_03831cf8d49cee55\prevhost.exe"2⤵PID:2972
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\WinSxS\wow64_microsoft-windows-shell-previewhost_31bf3856ad364e35_10.0.19041.1_none_03831cf8d49cee55\prevhost.exe"3⤵PID:5148
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\WinSxS\wow64_microsoft-windows-shell-previewhost_31bf3856ad364e35_10.0.19041.1_none_03831cf8d49cee55\prevhost.exe" /grant "everyone":(f)3⤵PID:5532
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\wow64_microsoft-windows-shell-previewhost_31bf3856ad364e35_10.0.19041.746_none_2b8b5a41940eac9f\f\prevhost.exe"2⤵PID:5688
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\WinSxS\wow64_microsoft-windows-shell-previewhost_31bf3856ad364e35_10.0.19041.746_none_2b8b5a41940eac9f\f\prevhost.exe"3⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:5624 -
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\WinSxS\wow64_microsoft-windows-shell-previewhost_31bf3856ad364e35_10.0.19041.746_none_2b8b5a41940eac9f\f\prevhost.exe" /grant "everyone":(f)3⤵PID:432
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\wow64_microsoft-windows-shell-previewhost_31bf3856ad364e35_10.0.19041.746_none_2b8b5a41940eac9f\prevhost.exe"2⤵PID:1824
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\WinSxS\wow64_microsoft-windows-shell-previewhost_31bf3856ad364e35_10.0.19041.746_none_2b8b5a41940eac9f\prevhost.exe"3⤵PID:5772
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\WinSxS\wow64_microsoft-windows-shell-previewhost_31bf3856ad364e35_10.0.19041.746_none_2b8b5a41940eac9f\prevhost.exe" /grant "everyone":(f)3⤵PID:424
-
C:\Windows\SysWOW64\cmd.exe (depth 2, PID 5816)
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\wow64_microsoft-windows-shell-previewhost_31bf3856ad364e35_10.0.19041.746_none_2b8b5a41940eac9f\r\prevhost.exe"
C:\Windows\SysWOW64\takeown.exe (depth 3, PID 5808)
  takeown /f "C:\Windows\WinSxS\wow64_microsoft-windows-shell-previewhost_31bf3856ad364e35_10.0.19041.746_none_2b8b5a41940eac9f\r\prevhost.exe"
C:\Windows\SysWOW64\icacls.exe (depth 3, PID 5776)
  icacls "C:\Windows\WinSxS\wow64_microsoft-windows-shell-previewhost_31bf3856ad364e35_10.0.19041.746_none_2b8b5a41940eac9f\r\prevhost.exe" /grant "everyone":(f)

C:\Windows\SysWOW64\cmd.exe (depth 2, PID 2284)
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\wow64_microsoft-windows-shutdown-event-tracker_31bf3856ad364e35_10.0.19041.1_none_c319cf869bb64064\shutdown.exe"
C:\Windows\SysWOW64\takeown.exe (depth 3, PID 4396)
  takeown /f "C:\Windows\WinSxS\wow64_microsoft-windows-shutdown-event-tracker_31bf3856ad364e35_10.0.19041.1_none_c319cf869bb64064\shutdown.exe"
  Signatures: Possible privilege escalation attempt
C:\Windows\SysWOW64\icacls.exe (depth 3, PID 1200)
  icacls "C:\Windows\WinSxS\wow64_microsoft-windows-shutdown-event-tracker_31bf3856ad364e35_10.0.19041.1_none_c319cf869bb64064\shutdown.exe" /grant "everyone":(f)

C:\Windows\SysWOW64\cmd.exe (depth 2, PID 5496)
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\wow64_microsoft-windows-sort_31bf3856ad364e35_10.0.19041.1_none_6c03db28ed4132dc\sort.exe"
C:\Windows\SysWOW64\takeown.exe (depth 3, PID 5288)
  takeown /f "C:\Windows\WinSxS\wow64_microsoft-windows-sort_31bf3856ad364e35_10.0.19041.1_none_6c03db28ed4132dc\sort.exe"
C:\Windows\SysWOW64\icacls.exe (depth 3, PID 4176)
  icacls "C:\Windows\WinSxS\wow64_microsoft-windows-sort_31bf3856ad364e35_10.0.19041.1_none_6c03db28ed4132dc\sort.exe" /grant "everyone":(f)

C:\Windows\SysWOW64\cmd.exe (depth 2, PID 6064)
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\wow64_microsoft-windows-speechcommon-onecore_31bf3856ad364e35_10.0.19041.1081_none_f28ba6a10743aebc\f\SpeechModelDownload.exe"
C:\Windows\SysWOW64\takeown.exe (depth 3, PID 848)
  takeown /f "C:\Windows\WinSxS\wow64_microsoft-windows-speechcommon-onecore_31bf3856ad364e35_10.0.19041.1081_none_f28ba6a10743aebc\f\SpeechModelDownload.exe"
C:\Windows\SysWOW64\icacls.exe (depth 3, PID 5764)
  icacls "C:\Windows\WinSxS\wow64_microsoft-windows-speechcommon-onecore_31bf3856ad364e35_10.0.19041.1081_none_f28ba6a10743aebc\f\SpeechModelDownload.exe" /grant "everyone":(f)

C:\Windows\SysWOW64\cmd.exe (depth 2, PID 2644)
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\wow64_microsoft-windows-speechcommon-onecore_31bf3856ad364e35_10.0.19041.1081_none_f28ba6a10743aebc\r\SpeechModelDownload.exe"
C:\Windows\SysWOW64\takeown.exe (depth 3, PID 6040)
  takeown /f "C:\Windows\WinSxS\wow64_microsoft-windows-speechcommon-onecore_31bf3856ad364e35_10.0.19041.1081_none_f28ba6a10743aebc\r\SpeechModelDownload.exe"
C:\Windows\SysWOW64\icacls.exe (depth 3, PID 2492)
  icacls "C:\Windows\WinSxS\wow64_microsoft-windows-speechcommon-onecore_31bf3856ad364e35_10.0.19041.1081_none_f28ba6a10743aebc\r\SpeechModelDownload.exe" /grant "everyone":(f)

C:\Windows\SysWOW64\cmd.exe (depth 2, PID 4268)
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\wow64_microsoft-windows-speechcommon-onecore_31bf3856ad364e35_10.0.19041.1081_none_f28ba6a10743aebc\SpeechModelDownload.exe"
C:\Windows\SysWOW64\takeown.exe (depth 3, PID 4780)
  takeown /f "C:\Windows\WinSxS\wow64_microsoft-windows-speechcommon-onecore_31bf3856ad364e35_10.0.19041.1081_none_f28ba6a10743aebc\SpeechModelDownload.exe"
C:\Windows\SysWOW64\icacls.exe (depth 3, PID 6124)
  icacls "C:\Windows\WinSxS\wow64_microsoft-windows-speechcommon-onecore_31bf3856ad364e35_10.0.19041.1081_none_f28ba6a10743aebc\SpeechModelDownload.exe" /grant "everyone":(f)

C:\Windows\SysWOW64\cmd.exe (depth 2, PID 4676)
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\wow64_microsoft-windows-speechcommon-onecore_31bf3856ad364e35_10.0.19041.264_none_5b8f61a9b1063622\SpeechModelDownload.exe"
C:\Windows\SysWOW64\takeown.exe (depth 3, PID 3164)
  takeown /f "C:\Windows\WinSxS\wow64_microsoft-windows-speechcommon-onecore_31bf3856ad364e35_10.0.19041.264_none_5b8f61a9b1063622\SpeechModelDownload.exe"
  Signatures: Possible privilege escalation attempt
C:\Windows\SysWOW64\icacls.exe (depth 3, PID 4416)
  icacls "C:\Windows\WinSxS\wow64_microsoft-windows-speechcommon-onecore_31bf3856ad364e35_10.0.19041.264_none_5b8f61a9b1063622\SpeechModelDownload.exe" /grant "everyone":(f)

C:\Windows\SysWOW64\cmd.exe (depth 2, PID 5860)
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\wow64_microsoft-windows-srdelayed_31bf3856ad364e35_10.0.19041.1_none_16a30fa92fe5e343\srdelayed.exe"
C:\Windows\SysWOW64\takeown.exe (depth 3, PID 5364)
  takeown /f "C:\Windows\WinSxS\wow64_microsoft-windows-srdelayed_31bf3856ad364e35_10.0.19041.1_none_16a30fa92fe5e343\srdelayed.exe"
C:\Windows\SysWOW64\icacls.exe (depth 3, PID 2932)
  icacls "C:\Windows\WinSxS\wow64_microsoft-windows-srdelayed_31bf3856ad364e35_10.0.19041.1_none_16a30fa92fe5e343\srdelayed.exe" /grant "everyone":(f)

C:\Windows\SysWOW64\cmd.exe (depth 2, PID 5232)
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\wow64_microsoft-windows-storage-diagnostics_31bf3856ad364e35_10.0.19041.1_none_34f70c73dc049744\stordiag.exe"
C:\Windows\SysWOW64\takeown.exe (depth 3, PID 5224)
  takeown /f "C:\Windows\WinSxS\wow64_microsoft-windows-storage-diagnostics_31bf3856ad364e35_10.0.19041.1_none_34f70c73dc049744\stordiag.exe"
  Signatures: Modifies file permissions
C:\Windows\SysWOW64\icacls.exe (depth 3, PID 5376)
  icacls "C:\Windows\WinSxS\wow64_microsoft-windows-storage-diagnostics_31bf3856ad364e35_10.0.19041.1_none_34f70c73dc049744\stordiag.exe" /grant "everyone":(f)

C:\Windows\SysWOW64\cmd.exe (depth 2, PID 4248)
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\wow64_microsoft-windows-synchost_31bf3856ad364e35_10.0.19041.1_none_29c6c4eed050af59\SyncHost.exe"
C:\Windows\SysWOW64\takeown.exe (depth 3, PID 5040)
  takeown /f "C:\Windows\WinSxS\wow64_microsoft-windows-synchost_31bf3856ad364e35_10.0.19041.1_none_29c6c4eed050af59\SyncHost.exe"
C:\Windows\SysWOW64\icacls.exe (depth 3, PID 5688)
  icacls "C:\Windows\WinSxS\wow64_microsoft-windows-synchost_31bf3856ad364e35_10.0.19041.1_none_29c6c4eed050af59\SyncHost.exe" /grant "everyone":(f)

C:\Windows\SysWOW64\cmd.exe (depth 2, PID 5744)
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\wow64_microsoft-windows-synchost_31bf3856ad364e35_10.0.19041.746_none_51cf02378fc26da3\f\SyncHost.exe"
C:\Windows\SysWOW64\takeown.exe (depth 3, PID 5144)
  takeown /f "C:\Windows\WinSxS\wow64_microsoft-windows-synchost_31bf3856ad364e35_10.0.19041.746_none_51cf02378fc26da3\f\SyncHost.exe"
C:\Windows\SysWOW64\icacls.exe (depth 3, PID 6084)
  icacls "C:\Windows\WinSxS\wow64_microsoft-windows-synchost_31bf3856ad364e35_10.0.19041.746_none_51cf02378fc26da3\f\SyncHost.exe" /grant "everyone":(f)
  Signatures: Possible privilege escalation attempt

C:\Windows\SysWOW64\cmd.exe (depth 2, PID 4820)
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\wow64_microsoft-windows-synchost_31bf3856ad364e35_10.0.19041.746_none_51cf02378fc26da3\r\SyncHost.exe"
C:\Windows\SysWOW64\takeown.exe (depth 3, PID 5776)
  takeown /f "C:\Windows\WinSxS\wow64_microsoft-windows-synchost_31bf3856ad364e35_10.0.19041.746_none_51cf02378fc26da3\r\SyncHost.exe"
C:\Windows\SysWOW64\icacls.exe (depth 3, PID 3232)
  icacls "C:\Windows\WinSxS\wow64_microsoft-windows-synchost_31bf3856ad364e35_10.0.19041.746_none_51cf02378fc26da3\r\SyncHost.exe" /grant "everyone":(f)
  Signatures: Modifies file permissions

C:\Windows\SysWOW64\cmd.exe (depth 2, PID 5252)
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\wow64_microsoft-windows-synchost_31bf3856ad364e35_10.0.19041.746_none_51cf02378fc26da3\SyncHost.exe"
C:\Windows\SysWOW64\takeown.exe (depth 3, PID 1200)
  takeown /f "C:\Windows\WinSxS\wow64_microsoft-windows-synchost_31bf3856ad364e35_10.0.19041.746_none_51cf02378fc26da3\SyncHost.exe"
C:\Windows\SysWOW64\icacls.exe (depth 3, PID 5800)
  icacls "C:\Windows\WinSxS\wow64_microsoft-windows-synchost_31bf3856ad364e35_10.0.19041.746_none_51cf02378fc26da3\SyncHost.exe" /grant "everyone":(f)

C:\Windows\SysWOW64\cmd.exe (depth 2, PID 1616)
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\wow64_microsoft-windows-sysinfo_31bf3856ad364e35_10.0.19041.1_none_af9a68f0cc4d15fb\systeminfo.exe"
C:\Windows\SysWOW64\takeown.exe (depth 3, PID 6000)
  takeown /f "C:\Windows\WinSxS\wow64_microsoft-windows-sysinfo_31bf3856ad364e35_10.0.19041.1_none_af9a68f0cc4d15fb\systeminfo.exe"
C:\Windows\SysWOW64\icacls.exe (depth 3, PID 5948)
  icacls "C:\Windows\WinSxS\wow64_microsoft-windows-sysinfo_31bf3856ad364e35_10.0.19041.1_none_af9a68f0cc4d15fb\systeminfo.exe" /grant "everyone":(f)
  Signatures: Modifies file permissions

C:\Windows\SysWOW64\cmd.exe (depth 2, PID 5496)
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\wow64_microsoft-windows-systempropertiesremote_31bf3856ad364e35_10.0.19041.1_none_551afa5edf8be30e\SystemPropertiesRemote.exe"
C:\Windows\SysWOW64\takeown.exe (depth 3, PID 2212)
  takeown /f "C:\Windows\WinSxS\wow64_microsoft-windows-systempropertiesremote_31bf3856ad364e35_10.0.19041.1_none_551afa5edf8be30e\SystemPropertiesRemote.exe"
  Signatures: Possible privilege escalation attempt
C:\Windows\SysWOW64\icacls.exe (depth 3, PID 4424)
  icacls "C:\Windows\WinSxS\wow64_microsoft-windows-systempropertiesremote_31bf3856ad364e35_10.0.19041.1_none_551afa5edf8be30e\SystemPropertiesRemote.exe" /grant "everyone":(f)

C:\Windows\SysWOW64\cmd.exe (depth 2, PID 4404)
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\wow64_microsoft-windows-systray_31bf3856ad364e35_10.0.19041.1_none_b39734a8c9c85bd3\systray.exe"
C:\Windows\SysWOW64\takeown.exe (depth 3, PID 5992)
  takeown /f "C:\Windows\WinSxS\wow64_microsoft-windows-systray_31bf3856ad364e35_10.0.19041.1_none_b39734a8c9c85bd3\systray.exe"
C:\Windows\SysWOW64\icacls.exe (depth 3, PID 6032)
  icacls "C:\Windows\WinSxS\wow64_microsoft-windows-systray_31bf3856ad364e35_10.0.19041.1_none_b39734a8c9c85bd3\systray.exe" /grant "everyone":(f)

C:\Windows\SysWOW64\cmd.exe (depth 2, PID 5792)
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\wow64_microsoft-windows-t..acyinkingcomponents_31bf3856ad364e35_10.0.19041.1_none_023783a15d5391a7\pipanel.exe"
C:\Windows\SysWOW64\takeown.exe (depth 3, PID 4780)
  takeown /f "C:\Windows\WinSxS\wow64_microsoft-windows-t..acyinkingcomponents_31bf3856ad364e35_10.0.19041.1_none_023783a15d5391a7\pipanel.exe"
  Signatures: Modifies file permissions
C:\Windows\SysWOW64\icacls.exe (depth 3, PID 2648)
  icacls "C:\Windows\WinSxS\wow64_microsoft-windows-t..acyinkingcomponents_31bf3856ad364e35_10.0.19041.1_none_023783a15d5391a7\pipanel.exe" /grant "everyone":(f)
  Signatures: Possible privilege escalation attempt

C:\Windows\SysWOW64\cmd.exe (depth 2, PID 6116)
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\wow64_microsoft-windows-t..cesframework-ctfmon_31bf3856ad364e35_10.0.19041.1_none_5d7644a9644fd29d\ctfmon.exe"
C:\Windows\SysWOW64\takeown.exe (depth 3, PID 2044)
  takeown /f "C:\Windows\WinSxS\wow64_microsoft-windows-t..cesframework-ctfmon_31bf3856ad364e35_10.0.19041.1_none_5d7644a9644fd29d\ctfmon.exe"
  Signatures: Possible privilege escalation attempt
C:\Windows\SysWOW64\icacls.exe (depth 3, PID 6092)
  icacls "C:\Windows\WinSxS\wow64_microsoft-windows-t..cesframework-ctfmon_31bf3856ad364e35_10.0.19041.1_none_5d7644a9644fd29d\ctfmon.exe" /grant "everyone":(f)

C:\Windows\SysWOW64\cmd.exe (depth 2, PID 4416)
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\wow64_microsoft-windows-t..eldebugger-recorder_31bf3856ad364e35_10.0.19041.1_none_24a9c1e1e1b0f793\ttdinject.exe"
C:\Windows\SysWOW64\takeown.exe (depth 3, PID 2760)
  takeown /f "C:\Windows\WinSxS\wow64_microsoft-windows-t..eldebugger-recorder_31bf3856ad364e35_10.0.19041.1_none_24a9c1e1e1b0f793\ttdinject.exe"
  Signatures: Modifies file permissions
C:\Windows\SysWOW64\icacls.exe (depth 3, PID 4200)
  icacls "C:\Windows\WinSxS\wow64_microsoft-windows-t..eldebugger-recorder_31bf3856ad364e35_10.0.19041.1_none_24a9c1e1e1b0f793\ttdinject.exe" /grant "everyone":(f)

C:\Windows\SysWOW64\cmd.exe (depth 2, PID 5196)
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\wow64_microsoft-windows-t..eldebugger-recorder_31bf3856ad364e35_10.0.19041.1_none_24a9c1e1e1b0f793\tttracer.exe"
C:\Windows\SysWOW64\takeown.exe (depth 3, PID 5632)
  takeown /f "C:\Windows\WinSxS\wow64_microsoft-windows-t..eldebugger-recorder_31bf3856ad364e35_10.0.19041.1_none_24a9c1e1e1b0f793\tttracer.exe"
C:\Windows\SysWOW64\icacls.exe (depth 3, PID 5436)
  icacls "C:\Windows\WinSxS\wow64_microsoft-windows-t..eldebugger-recorder_31bf3856ad364e35_10.0.19041.1_none_24a9c1e1e1b0f793\tttracer.exe" /grant "everyone":(f)

C:\Windows\SysWOW64\cmd.exe (depth 2, PID 2960)
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\wow64_microsoft-windows-t..eldebugger-recorder_31bf3856ad364e35_10.0.19041.746_none_4cb1ff2aa122b5dd\f\tttracer.exe"
C:\Windows\SysWOW64\takeown.exe (depth 3, PID 5292)
  takeown /f "C:\Windows\WinSxS\wow64_microsoft-windows-t..eldebugger-recorder_31bf3856ad364e35_10.0.19041.746_none_4cb1ff2aa122b5dd\f\tttracer.exe"
C:\Windows\SysWOW64\icacls.exe (depth 3, PID 3276)
  icacls "C:\Windows\WinSxS\wow64_microsoft-windows-t..eldebugger-recorder_31bf3856ad364e35_10.0.19041.746_none_4cb1ff2aa122b5dd\f\tttracer.exe" /grant "everyone":(f)

C:\Windows\SysWOW64\cmd.exe (depth 2, PID 5440)
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\wow64_microsoft-windows-t..eldebugger-recorder_31bf3856ad364e35_10.0.19041.746_none_4cb1ff2aa122b5dd\r\tttracer.exe"
C:\Windows\SysWOW64\takeown.exe (depth 3, PID 5468)
  takeown /f "C:\Windows\WinSxS\wow64_microsoft-windows-t..eldebugger-recorder_31bf3856ad364e35_10.0.19041.746_none_4cb1ff2aa122b5dd\r\tttracer.exe"
C:\Windows\SysWOW64\icacls.exe (depth 3, PID 400)
  icacls "C:\Windows\WinSxS\wow64_microsoft-windows-t..eldebugger-recorder_31bf3856ad364e35_10.0.19041.746_none_4cb1ff2aa122b5dd\r\tttracer.exe" /grant "everyone":(f)

C:\Windows\SysWOW64\cmd.exe (depth 2, PID 5748)
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\wow64_microsoft-windows-t..eldebugger-recorder_31bf3856ad364e35_10.0.19041.746_none_4cb1ff2aa122b5dd\ttdinject.exe"
C:\Windows\SysWOW64\takeown.exe (depth 3, PID 4308)
  takeown /f "C:\Windows\WinSxS\wow64_microsoft-windows-t..eldebugger-recorder_31bf3856ad364e35_10.0.19041.746_none_4cb1ff2aa122b5dd\ttdinject.exe"
C:\Windows\SysWOW64\icacls.exe (depth 3, PID 5820)
  icacls "C:\Windows\WinSxS\wow64_microsoft-windows-t..eldebugger-recorder_31bf3856ad364e35_10.0.19041.746_none_4cb1ff2aa122b5dd\ttdinject.exe" /grant "everyone":(f)

C:\Windows\SysWOW64\cmd.exe (depth 2, PID 1644)
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\wow64_microsoft-windows-t..eldebugger-recorder_31bf3856ad364e35_10.0.19041.746_none_4cb1ff2aa122b5dd\tttracer.exe"
C:\Windows\SysWOW64\takeown.exe (depth 3, PID 5968)
  takeown /f "C:\Windows\WinSxS\wow64_microsoft-windows-t..eldebugger-recorder_31bf3856ad364e35_10.0.19041.746_none_4cb1ff2aa122b5dd\tttracer.exe"
C:\Windows\SysWOW64\icacls.exe (depth 3, PID 5216)
  icacls "C:\Windows\WinSxS\wow64_microsoft-windows-t..eldebugger-recorder_31bf3856ad364e35_10.0.19041.746_none_4cb1ff2aa122b5dd\tttracer.exe" /grant "everyone":(f)

C:\Windows\SysWOW64\cmd.exe (depth 2, PID 4880)
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\wow64_microsoft-windows-t..es-commandlinetools_31bf3856ad364e35_10.0.19041.1_none_a4f6113bccc284b7\change.exe"
C:\Windows\SysWOW64\takeown.exe (depth 3, PID 5092)
  takeown /f "C:\Windows\WinSxS\wow64_microsoft-windows-t..es-commandlinetools_31bf3856ad364e35_10.0.19041.1_none_a4f6113bccc284b7\change.exe"
C:\Windows\SysWOW64\icacls.exe (depth 3, PID 5528)
  icacls "C:\Windows\WinSxS\wow64_microsoft-windows-t..es-commandlinetools_31bf3856ad364e35_10.0.19041.1_none_a4f6113bccc284b7\change.exe" /grant "everyone":(f)

C:\Windows\SysWOW64\cmd.exe (depth 2, PID 2752)
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\wow64_microsoft-windows-t..es-commandlinetools_31bf3856ad364e35_10.0.19041.1_none_a4f6113bccc284b7\chglogon.exe"
C:\Windows\SysWOW64\takeown.exe (depth 3, PID 5300)
  takeown /f "C:\Windows\WinSxS\wow64_microsoft-windows-t..es-commandlinetools_31bf3856ad364e35_10.0.19041.1_none_a4f6113bccc284b7\chglogon.exe"
  Signatures: Possible privilege escalation attempt
C:\Windows\SysWOW64\icacls.exe (depth 3, PID 4608)
  icacls "C:\Windows\WinSxS\wow64_microsoft-windows-t..es-commandlinetools_31bf3856ad364e35_10.0.19041.1_none_a4f6113bccc284b7\chglogon.exe" /grant "everyone":(f)
  Signatures: Modifies file permissions

C:\Windows\SysWOW64\cmd.exe (depth 2, PID 4320)
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\wow64_microsoft-windows-t..es-commandlinetools_31bf3856ad364e35_10.0.19041.1_none_a4f6113bccc284b7\chgport.exe"
C:\Windows\SysWOW64\takeown.exe (depth 3, PID 6052)
  takeown /f "C:\Windows\WinSxS\wow64_microsoft-windows-t..es-commandlinetools_31bf3856ad364e35_10.0.19041.1_none_a4f6113bccc284b7\chgport.exe"
C:\Windows\SysWOW64\icacls.exe (depth 3, PID 6012)
  icacls "C:\Windows\WinSxS\wow64_microsoft-windows-t..es-commandlinetools_31bf3856ad364e35_10.0.19041.1_none_a4f6113bccc284b7\chgport.exe" /grant "everyone":(f)

C:\Windows\SysWOW64\cmd.exe (depth 2, PID 5824)
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\wow64_microsoft-windows-t..es-commandlinetools_31bf3856ad364e35_10.0.19041.1_none_a4f6113bccc284b7\chgusr.exe"
C:\Windows\SysWOW64\takeown.exe (depth 3, PID 6048)
  takeown /f "C:\Windows\WinSxS\wow64_microsoft-windows-t..es-commandlinetools_31bf3856ad364e35_10.0.19041.1_none_a4f6113bccc284b7\chgusr.exe"
C:\Windows\SysWOW64\icacls.exe (depth 3, PID 4780)
  icacls "C:\Windows\WinSxS\wow64_microsoft-windows-t..es-commandlinetools_31bf3856ad364e35_10.0.19041.1_none_a4f6113bccc284b7\chgusr.exe" /grant "everyone":(f)

C:\Windows\SysWOW64\cmd.exe (depth 2, PID 1068)
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\wow64_microsoft-windows-t..es-commandlinetools_31bf3856ad364e35_10.0.19041.1_none_a4f6113bccc284b7\logoff.exe"
C:\Windows\SysWOW64\takeown.exe (depth 3, PID 5896)
  takeown /f "C:\Windows\WinSxS\wow64_microsoft-windows-t..es-commandlinetools_31bf3856ad364e35_10.0.19041.1_none_a4f6113bccc284b7\logoff.exe"
C:\Windows\SysWOW64\icacls.exe (depth 3, PID 1516)
  icacls "C:\Windows\WinSxS\wow64_microsoft-windows-t..es-commandlinetools_31bf3856ad364e35_10.0.19041.1_none_a4f6113bccc284b7\logoff.exe" /grant "everyone":(f)

C:\Windows\SysWOW64\cmd.exe (depth 2, PID 4268)
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\wow64_microsoft-windows-t..es-commandlinetools_31bf3856ad364e35_10.0.19041.1_none_a4f6113bccc284b7\qappsrv.exe"
C:\Windows\SysWOW64\takeown.exe (depth 3, PID 3164)
  takeown /f "C:\Windows\WinSxS\wow64_microsoft-windows-t..es-commandlinetools_31bf3856ad364e35_10.0.19041.1_none_a4f6113bccc284b7\qappsrv.exe"
C:\Windows\SysWOW64\icacls.exe (depth 3, PID 5980)
  icacls "C:\Windows\WinSxS\wow64_microsoft-windows-t..es-commandlinetools_31bf3856ad364e35_10.0.19041.1_none_a4f6113bccc284b7\qappsrv.exe" /grant "everyone":(f)

C:\Windows\SysWOW64\cmd.exe (depth 2, PID 4416)
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\wow64_microsoft-windows-t..es-commandlinetools_31bf3856ad364e35_10.0.19041.1_none_a4f6113bccc284b7\qprocess.exe"
C:\Windows\SysWOW64\takeown.exe (depth 3, PID 1832)
  takeown /f "C:\Windows\WinSxS\wow64_microsoft-windows-t..es-commandlinetools_31bf3856ad364e35_10.0.19041.1_none_a4f6113bccc284b7\qprocess.exe"
C:\Windows\SysWOW64\icacls.exe (depth 3, PID 6120)
  icacls "C:\Windows\WinSxS\wow64_microsoft-windows-t..es-commandlinetools_31bf3856ad364e35_10.0.19041.1_none_a4f6113bccc284b7\qprocess.exe" /grant "everyone":(f)

C:\Windows\SysWOW64\cmd.exe (depth 2, PID 5392)
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\wow64_microsoft-windows-t..es-commandlinetools_31bf3856ad364e35_10.0.19041.1_none_a4f6113bccc284b7\query.exe"
C:\Windows\SysWOW64\takeown.exe (depth 3, PID 5224)
  takeown /f "C:\Windows\WinSxS\wow64_microsoft-windows-t..es-commandlinetools_31bf3856ad364e35_10.0.19041.1_none_a4f6113bccc284b7\query.exe"
C:\Windows\SysWOW64\icacls.exe (depth 3, PID 5424)
  icacls "C:\Windows\WinSxS\wow64_microsoft-windows-t..es-commandlinetools_31bf3856ad364e35_10.0.19041.1_none_a4f6113bccc284b7\query.exe" /grant "everyone":(f)

C:\Windows\SysWOW64\cmd.exe (depth 2, PID 3456)
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\wow64_microsoft-windows-t..es-commandlinetools_31bf3856ad364e35_10.0.19041.1_none_a4f6113bccc284b7\reset.exe"
C:\Windows\SysWOW64\takeown.exe (depth 3, PID 1584)
  takeown /f "C:\Windows\WinSxS\wow64_microsoft-windows-t..es-commandlinetools_31bf3856ad364e35_10.0.19041.1_none_a4f6113bccc284b7\reset.exe"
C:\Windows\SysWOW64\icacls.exe (depth 3, PID 400)
  icacls "C:\Windows\WinSxS\wow64_microsoft-windows-t..es-commandlinetools_31bf3856ad364e35_10.0.19041.1_none_a4f6113bccc284b7\reset.exe" /grant "everyone":(f)

C:\Windows\SysWOW64\cmd.exe (depth 2, PID 3392)
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\wow64_microsoft-windows-t..es-commandlinetools_31bf3856ad364e35_10.0.19041.1_none_a4f6113bccc284b7\rwinsta.exe"
C:\Windows\SysWOW64\takeown.exe (depth 3, PID 1364)
  takeown /f "C:\Windows\WinSxS\wow64_microsoft-windows-t..es-commandlinetools_31bf3856ad364e35_10.0.19041.1_none_a4f6113bccc284b7\rwinsta.exe"
C:\Windows\SysWOW64\icacls.exe (depth 3, PID 5832)
  icacls "C:\Windows\WinSxS\wow64_microsoft-windows-t..es-commandlinetools_31bf3856ad364e35_10.0.19041.1_none_a4f6113bccc284b7\rwinsta.exe" /grant "everyone":(f)

C:\Windows\SysWOW64\cmd.exe (depth 2, PID 216)
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\wow64_microsoft-windows-t..es-commandlinetools_31bf3856ad364e35_10.0.19041.1_none_a4f6113bccc284b7\tscon.exe"
C:\Windows\SysWOW64\takeown.exe (depth 3, PID 5124)
  takeown /f "C:\Windows\WinSxS\wow64_microsoft-windows-t..es-commandlinetools_31bf3856ad364e35_10.0.19041.1_none_a4f6113bccc284b7\tscon.exe"
C:\Windows\SysWOW64\icacls.exe (depth 3, PID 5336)
  icacls "C:\Windows\WinSxS\wow64_microsoft-windows-t..es-commandlinetools_31bf3856ad364e35_10.0.19041.1_none_a4f6113bccc284b7\tscon.exe" /grant "everyone":(f)

C:\Windows\SysWOW64\cmd.exe (depth 2, PID 1644)
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\wow64_microsoft-windows-t..es-commandlinetools_31bf3856ad364e35_10.0.19041.1_none_a4f6113bccc284b7\tsdiscon.exe"
C:\Windows\SysWOW64\takeown.exe (depth 3, PID 5280)
  takeown /f "C:\Windows\WinSxS\wow64_microsoft-windows-t..es-commandlinetools_31bf3856ad364e35_10.0.19041.1_none_a4f6113bccc284b7\tsdiscon.exe"
C:\Windows\SysWOW64\icacls.exe (depth 3, PID 1648)
  icacls "C:\Windows\WinSxS\wow64_microsoft-windows-t..es-commandlinetools_31bf3856ad364e35_10.0.19041.1_none_a4f6113bccc284b7\tsdiscon.exe" /grant "everyone":(f)

C:\Windows\SysWOW64\cmd.exe (depth 2, PID 5788)
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\wow64_microsoft-windows-t..es-commandlinetools_31bf3856ad364e35_10.0.19041.1_none_a4f6113bccc284b7\tskill.exe"
C:\Windows\SysWOW64\takeown.exe (depth 3, PID 5924)
  takeown /f "C:\Windows\WinSxS\wow64_microsoft-windows-t..es-commandlinetools_31bf3856ad364e35_10.0.19041.1_none_a4f6113bccc284b7\tskill.exe"
C:\Windows\SysWOW64\icacls.exe (depth 3, PID 6100)
  icacls "C:\Windows\WinSxS\wow64_microsoft-windows-t..es-commandlinetools_31bf3856ad364e35_10.0.19041.1_none_a4f6113bccc284b7\tskill.exe" /grant "everyone":(f)

C:\Windows\SysWOW64\cmd.exe (depth 2, PID 3536)
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\wow64_microsoft-windows-t..minalservicesclient_31bf3856ad364e35_10.0.19041.1266_none_ccf6cb6d0aa9a822\f\mstsc.exe"
C:\Windows\SysWOW64\takeown.exe (depth 3, PID 6012)
  takeown /f "C:\Windows\WinSxS\wow64_microsoft-windows-t..minalservicesclient_31bf3856ad364e35_10.0.19041.1266_none_ccf6cb6d0aa9a822\f\mstsc.exe"
C:\Windows\SysWOW64\icacls.exe (depth 3, PID 4424)
  icacls "C:\Windows\WinSxS\wow64_microsoft-windows-t..minalservicesclient_31bf3856ad364e35_10.0.19041.1266_none_ccf6cb6d0aa9a822\f\mstsc.exe" /grant "everyone":(f)

C:\Windows\SysWOW64\cmd.exe (depth 2, PID 5648)
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\wow64_microsoft-windows-t..minalservicesclient_31bf3856ad364e35_10.0.19041.1266_none_ccf6cb6d0aa9a822\mstsc.exe"
C:\Windows\SysWOW64\takeown.exe (depth 3, PID 4092)
  takeown /f "C:\Windows\WinSxS\wow64_microsoft-windows-t..minalservicesclient_31bf3856ad364e35_10.0.19041.1266_none_ccf6cb6d0aa9a822\mstsc.exe"
C:\Windows\SysWOW64\icacls.exe (depth 3, PID 3680)
  icacls "C:\Windows\WinSxS\wow64_microsoft-windows-t..minalservicesclient_31bf3856ad364e35_10.0.19041.1266_none_ccf6cb6d0aa9a822\mstsc.exe" /grant "everyone":(f)
  Signatures: Possible privilege escalation attempt

C:\Windows\SysWOW64\cmd.exe (depth 2, PID 3872)
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\wow64_microsoft-windows-t..minalservicesclient_31bf3856ad364e35_10.0.19041.1266_none_ccf6cb6d0aa9a822\r\mstsc.exe"
C:\Windows\SysWOW64\takeown.exe (depth 3, PID 2360)
  takeown /f "C:\Windows\WinSxS\wow64_microsoft-windows-t..minalservicesclient_31bf3856ad364e35_10.0.19041.1266_none_ccf6cb6d0aa9a822\r\mstsc.exe"
C:\Windows\SysWOW64\icacls.exe (depth 3, PID 3000)
  icacls "C:\Windows\WinSxS\wow64_microsoft-windows-t..minalservicesclient_31bf3856ad364e35_10.0.19041.1266_none_ccf6cb6d0aa9a822\r\mstsc.exe" /grant "everyone":(f)

C:\Windows\SysWOW64\cmd.exe (depth 2, PID 804)
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\wow64_microsoft-windows-t..minalservicesclient_31bf3856ad364e35_10.0.19041.1_none_0e22056af4d5d874\mstsc.exe"
C:\Windows\SysWOW64\takeown.exe (depth 3, PID 5980)
  takeown /f "C:\Windows\WinSxS\wow64_microsoft-windows-t..minalservicesclient_31bf3856ad364e35_10.0.19041.1_none_0e22056af4d5d874\mstsc.exe"
C:\Windows\SysWOW64\icacls.exe (depth 3, PID 5884)
  icacls "C:\Windows\WinSxS\wow64_microsoft-windows-t..minalservicesclient_31bf3856ad364e35_10.0.19041.1_none_0e22056af4d5d874\mstsc.exe" /grant "everyone":(f)

C:\Windows\SysWOW64\cmd.exe (depth 2, PID 6116)
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\wow64_microsoft-windows-t..onagent-proxyobject_31bf3856ad364e35_10.0.19041.1_none_23bb28d0952bcec8\RdpSaProxy.exe"
C:\Windows\SysWOW64\takeown.exe (depth 3, PID 3064)
  takeown /f "C:\Windows\WinSxS\wow64_microsoft-windows-t..onagent-proxyobject_31bf3856ad364e35_10.0.19041.1_none_23bb28d0952bcec8\RdpSaProxy.exe"
C:\Windows\SysWOW64\icacls.exe (depth 3, PID 116)
  icacls "C:\Windows\WinSxS\wow64_microsoft-windows-t..onagent-proxyobject_31bf3856ad364e35_10.0.19041.1_none_23bb28d0952bcec8\RdpSaProxy.exe" /grant "everyone":(f)

C:\Windows\SysWOW64\cmd.exe (depth 2, PID 4804)
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\wow64_microsoft-windows-t..rvices-sessionagent_31bf3856ad364e35_10.0.19041.1_none_3b97be772075a03a\RdpSa.exe"
C:\Windows\SysWOW64\takeown.exe (depth 3, PID 4228)
  takeown /f "C:\Windows\WinSxS\wow64_microsoft-windows-t..rvices-sessionagent_31bf3856ad364e35_10.0.19041.1_none_3b97be772075a03a\RdpSa.exe"
C:\Windows\SysWOW64\icacls.exe (depth 3, PID 5448)
  icacls "C:\Windows\WinSxS\wow64_microsoft-windows-t..rvices-sessionagent_31bf3856ad364e35_10.0.19041.1_none_3b97be772075a03a\RdpSa.exe" /grant "everyone":(f)

C:\Windows\SysWOW64\cmd.exe (depth 2, PID 4740)
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\wow64_microsoft-windows-t..sionagent-uachelper_31bf3856ad364e35_10.0.19041.1_none_7aff9045397d4a4c\RdpSaUacHelper.exe"
C:\Windows\SysWOW64\takeown.exe (depth 3, PID 5772)
  takeown /f "C:\Windows\WinSxS\wow64_microsoft-windows-t..sionagent-uachelper_31bf3856ad364e35_10.0.19041.1_none_7aff9045397d4a4c\RdpSaUacHelper.exe"
C:\Windows\SysWOW64\icacls.exe (depth 3, PID 4720)
  icacls "C:\Windows\WinSxS\wow64_microsoft-windows-t..sionagent-uachelper_31bf3856ad364e35_10.0.19041.1_none_7aff9045397d4a4c\RdpSaUacHelper.exe" /grant "everyone":(f)

C:\Windows\SysWOW64\cmd.exe (depth 2, PID 3456)
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\wow64_microsoft-windows-tabletpc-inputpanel_31bf3856ad364e35_10.0.19041.1_none_d1d4cd9c4b409594\TabTip32.exe"
C:\Windows\SysWOW64\takeown.exe (depth 3, PID 5560)
  takeown /f "C:\Windows\WinSxS\wow64_microsoft-windows-tabletpc-inputpanel_31bf3856ad364e35_10.0.19041.1_none_d1d4cd9c4b409594\TabTip32.exe"
C:\Windows\SysWOW64\icacls.exe (depth 3, PID 2780)
  icacls "C:\Windows\WinSxS\wow64_microsoft-windows-tabletpc-inputpanel_31bf3856ad364e35_10.0.19041.1_none_d1d4cd9c4b409594\TabTip32.exe" /grant "everyone":(f)

C:\Windows\SysWOW64\cmd.exe (depth 2, PID 3748)
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\wow64_microsoft-windows-takeown_31bf3856ad364e35_10.0.19041.1_none_ba311d9fe95c6271\takeown.exe"
C:\Windows\SysWOW64\takeown.exe (depth 3, PID 5216)
  takeown /f "C:\Windows\WinSxS\wow64_microsoft-windows-takeown_31bf3856ad364e35_10.0.19041.1_none_ba311d9fe95c6271\takeown.exe"
  Signatures: Possible privilege escalation attempt
C:\Windows\SysWOW64\icacls.exe (depth 3, PID 216)
  icacls "C:\Windows\WinSxS\wow64_microsoft-windows-takeown_31bf3856ad364e35_10.0.19041.1_none_ba311d9fe95c6271\takeown.exe" /grant "everyone":(f)

C:\Windows\SysWOW64\cmd.exe (depth 2, PID 5564)
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\wow64_microsoft-windows-tapicore_31bf3856ad364e35_10.0.19041.1_none_a47f90601a54e2cd\dialer.exe"
C:\Windows\SysWOW64\takeown.exe (depth 3, PID 3424)
  takeown /f "C:\Windows\WinSxS\wow64_microsoft-windows-tapicore_31bf3856ad364e35_10.0.19041.1_none_a47f90601a54e2cd\dialer.exe"
C:\Windows\SysWOW64\icacls.exe (depth 3, PID 1644)
  icacls "C:\Windows\WinSxS\wow64_microsoft-windows-tapicore_31bf3856ad364e35_10.0.19041.1_none_a47f90601a54e2cd\dialer.exe" /grant "everyone":(f)

C:\Windows\SysWOW64\cmd.exe (depth 2, PID 372)
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\wow64_microsoft-windows-tapisetup_31bf3856ad364e35_10.0.19041.1_none_2a38e2996ee84e57\TapiUnattend.exe"
C:\Windows\SysWOW64\takeown.exe (depth 3, PID 5900)
  takeown /f "C:\Windows\WinSxS\wow64_microsoft-windows-tapisetup_31bf3856ad364e35_10.0.19041.1_none_2a38e2996ee84e57\TapiUnattend.exe"
C:\Windows\SysWOW64\icacls.exe (depth 3, PID 4816)
  icacls "C:\Windows\WinSxS\wow64_microsoft-windows-tapisetup_31bf3856ad364e35_10.0.19041.1_none_2a38e2996ee84e57\TapiUnattend.exe" /grant "everyone":(f)

C:\Windows\SysWOW64\cmd.exe (depth 2, PID 1796)
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\wow64_microsoft-windows-tapisetup_31bf3856ad364e35_10.0.19041.746_none_52411fe22e5a0ca1\TapiUnattend.exe"
C:\Windows\SysWOW64\takeown.exe (depth 3, PID 2724)
  takeown /f "C:\Windows\WinSxS\wow64_microsoft-windows-tapisetup_31bf3856ad364e35_10.0.19041.746_none_52411fe22e5a0ca1\TapiUnattend.exe"
C:\Windows\SysWOW64\icacls.exe (depth 3, PID 4424)
  icacls "C:\Windows\WinSxS\wow64_microsoft-windows-tapisetup_31bf3856ad364e35_10.0.19041.746_none_52411fe22e5a0ca1\TapiUnattend.exe" /grant "everyone":(f)
  Signatures: Possible privilege escalation attempt

C:\Windows\SysWOW64\cmd.exe (depth 2, PID 5180)
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\wow64_microsoft-windows-taskkill_31bf3856ad364e35_10.0.19041.1_none_e5c3b6db2fced475\taskkill.exe"
C:\Windows\SysWOW64\takeown.exe (depth 3, PID 1920)
  takeown /f "C:\Windows\WinSxS\wow64_microsoft-windows-taskkill_31bf3856ad364e35_10.0.19041.1_none_e5c3b6db2fced475\taskkill.exe"
C:\Windows\SysWOW64\icacls.exe (depth 3, PID 6044)
  icacls "C:\Windows\WinSxS\wow64_microsoft-windows-taskkill_31bf3856ad364e35_10.0.19041.1_none_e5c3b6db2fced475\taskkill.exe" /grant "everyone":(f)

C:\Windows\SysWOW64\cmd.exe (depth 2, PID 4304)
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\wow64_microsoft-windows-tasklist_31bf3856ad364e35_10.0.19041.1_none_e888ea072e0fed05\tasklist.exe"
C:\Windows\SysWOW64\takeown.exe (depth 3, PID 1064)
  takeown /f "C:\Windows\WinSxS\wow64_microsoft-windows-tasklist_31bf3856ad364e35_10.0.19041.1_none_e888ea072e0fed05\tasklist.exe"
C:\Windows\SysWOW64\icacls.exe (depth 3, PID 3872)
  icacls "C:\Windows\WinSxS\wow64_microsoft-windows-tasklist_31bf3856ad364e35_10.0.19041.1_none_e888ea072e0fed05\tasklist.exe" /grant "everyone":(f)
  Signatures: Possible privilege escalation attempt; Modifies file permissions

C:\Windows\SysWOW64\cmd.exe (depth 2, PID 5156)
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\wow64_microsoft-windows-tcpip-utility_31bf3856ad364e35_10.0.19041.1_none_f30cab80229c6b29\ARP.EXE"
C:\Windows\SysWOW64\takeown.exe (depth 3, PID 1576)
  takeown /f "C:\Windows\WinSxS\wow64_microsoft-windows-tcpip-utility_31bf3856ad364e35_10.0.19041.1_none_f30cab80229c6b29\ARP.EXE"
C:\Windows\SysWOW64\icacls.exe (depth 3, PID 384)
  icacls "C:\Windows\WinSxS\wow64_microsoft-windows-tcpip-utility_31bf3856ad364e35_10.0.19041.1_none_f30cab80229c6b29\ARP.EXE" /grant "everyone":(f)

C:\Windows\SysWOW64\cmd.exe (depth 2, PID 2372)
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\wow64_microsoft-windows-tcpip-utility_31bf3856ad364e35_10.0.19041.1_none_f30cab80229c6b29\finger.exe"
C:\Windows\SysWOW64\takeown.exe (depth 3, PID 4900)
  takeown /f "C:\Windows\WinSxS\wow64_microsoft-windows-tcpip-utility_31bf3856ad364e35_10.0.19041.1_none_f30cab80229c6b29\finger.exe"
C:\Windows\SysWOW64\icacls.exe (depth 3, PID 3396)
  icacls "C:\Windows\WinSxS\wow64_microsoft-windows-tcpip-utility_31bf3856ad364e35_10.0.19041.1_none_f30cab80229c6b29\finger.exe" /grant "everyone":(f)

C:\Windows\SysWOW64\cmd.exe (depth 2, PID 1076)
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\wow64_microsoft-windows-tcpip-utility_31bf3856ad364e35_10.0.19041.1_none_f30cab80229c6b29\HOSTNAME.EXE"
C:\Windows\SysWOW64\takeown.exe (depth 3, PID 3032)
  takeown /f "C:\Windows\WinSxS\wow64_microsoft-windows-tcpip-utility_31bf3856ad364e35_10.0.19041.1_none_f30cab80229c6b29\HOSTNAME.EXE"
  Signatures: Modifies file permissions
C:\Windows\SysWOW64\icacls.exe (depth 3, PID 5408)
  icacls "C:\Windows\WinSxS\wow64_microsoft-windows-tcpip-utility_31bf3856ad364e35_10.0.19041.1_none_f30cab80229c6b29\HOSTNAME.EXE" /grant "everyone":(f)

C:\Windows\SysWOW64\cmd.exe (depth 2, PID 5984)
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\wow64_microsoft-windows-tcpip-utility_31bf3856ad364e35_10.0.19041.1_none_f30cab80229c6b29\MRINFO.EXE"
C:\Windows\SysWOW64\takeown.exe (depth 3, PID 4228)
  takeown /f "C:\Windows\WinSxS\wow64_microsoft-windows-tcpip-utility_31bf3856ad364e35_10.0.19041.1_none_f30cab80229c6b29\MRINFO.EXE"
  Signatures: Possible privilege escalation attempt
C:\Windows\SysWOW64\icacls.exe (depth 3, PID 4272)
  icacls "C:\Windows\WinSxS\wow64_microsoft-windows-tcpip-utility_31bf3856ad364e35_10.0.19041.1_none_f30cab80229c6b29\MRINFO.EXE" /grant "everyone":(f)

C:\Windows\SysWOW64\cmd.exe (depth 2, PID 3176)
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\wow64_microsoft-windows-tcpip-utility_31bf3856ad364e35_10.0.19041.1_none_f30cab80229c6b29\NETSTAT.EXE"
C:\Windows\SysWOW64\takeown.exe (depth 3, PID 5604)
  takeown /f "C:\Windows\WinSxS\wow64_microsoft-windows-tcpip-utility_31bf3856ad364e35_10.0.19041.1_none_f30cab80229c6b29\NETSTAT.EXE"
C:\Windows\SysWOW64\icacls.exe (depth 3, PID 4232)
  icacls "C:\Windows\WinSxS\wow64_microsoft-windows-tcpip-utility_31bf3856ad364e35_10.0.19041.1_none_f30cab80229c6b29\NETSTAT.EXE" /grant "everyone":(f)
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\wow64_microsoft-windows-tcpip-utility_31bf3856ad364e35_10.0.19041.1_none_f30cab80229c6b29\ROUTE.EXE"2⤵PID:2368
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\WinSxS\wow64_microsoft-windows-tcpip-utility_31bf3856ad364e35_10.0.19041.1_none_f30cab80229c6b29\ROUTE.EXE"3⤵PID:5336
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\WinSxS\wow64_microsoft-windows-tcpip-utility_31bf3856ad364e35_10.0.19041.1_none_f30cab80229c6b29\ROUTE.EXE" /grant "everyone":(f)3⤵
- Possible privilege escalation attempt
PID:3748 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\wow64_microsoft-windows-tcpip-utility_31bf3856ad364e35_10.0.19041.1_none_f30cab80229c6b29\TCPSVCS.EXE"2⤵PID:4308
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\WinSxS\wow64_microsoft-windows-tcpip-utility_31bf3856ad364e35_10.0.19041.1_none_f30cab80229c6b29\TCPSVCS.EXE"3⤵PID:4552
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\WinSxS\wow64_microsoft-windows-tcpip-utility_31bf3856ad364e35_10.0.19041.1_none_f30cab80229c6b29\TCPSVCS.EXE" /grant "everyone":(f)3⤵PID:5280
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\wow64_microsoft-windows-tcpip_31bf3856ad364e35_10.0.19041.1_none_21cb4db26317f32e\netiougc.exe"2⤵PID:1804
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\WinSxS\wow64_microsoft-windows-tcpip_31bf3856ad364e35_10.0.19041.1_none_21cb4db26317f32e\netiougc.exe"3⤵PID:5892
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\WinSxS\wow64_microsoft-windows-tcpip_31bf3856ad364e35_10.0.19041.1_none_21cb4db26317f32e\netiougc.exe" /grant "everyone":(f)3⤵PID:5856
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\wow64_microsoft-windows-tcpip_31bf3856ad364e35_10.0.19041.746_none_49d38afb2289b178\f\netiougc.exe"2⤵PID:4396
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\WinSxS\wow64_microsoft-windows-tcpip_31bf3856ad364e35_10.0.19041.746_none_49d38afb2289b178\f\netiougc.exe"3⤵PID:2976
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\WinSxS\wow64_microsoft-windows-tcpip_31bf3856ad364e35_10.0.19041.746_none_49d38afb2289b178\f\netiougc.exe" /grant "everyone":(f)3⤵PID:5908
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\wow64_microsoft-windows-tcpip_31bf3856ad364e35_10.0.19041.746_none_49d38afb2289b178\netiougc.exe"2⤵PID:2032
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\WinSxS\wow64_microsoft-windows-tcpip_31bf3856ad364e35_10.0.19041.746_none_49d38afb2289b178\netiougc.exe"3⤵PID:4760
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\WinSxS\wow64_microsoft-windows-tcpip_31bf3856ad364e35_10.0.19041.746_none_49d38afb2289b178\netiougc.exe" /grant "everyone":(f)3⤵PID:776
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\wow64_microsoft-windows-tcpip_31bf3856ad364e35_10.0.19041.746_none_49d38afb2289b178\r\netiougc.exe"2⤵PID:6036
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\WinSxS\wow64_microsoft-windows-tcpip_31bf3856ad364e35_10.0.19041.746_none_49d38afb2289b178\r\netiougc.exe"3⤵PID:2652
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\WinSxS\wow64_microsoft-windows-tcpip_31bf3856ad364e35_10.0.19041.746_none_49d38afb2289b178\r\netiougc.exe" /grant "everyone":(f)3⤵
- Possible privilege escalation attempt
PID:4944 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\wow64_microsoft-windows-terminalservices-theme_31bf3856ad364e35_10.0.19041.1_none_962bc7b24e8d9f3a\TSTheme.exe"2⤵PID:4732
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\WinSxS\wow64_microsoft-windows-terminalservices-theme_31bf3856ad364e35_10.0.19041.1_none_962bc7b24e8d9f3a\TSTheme.exe"3⤵PID:4900
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\WinSxS\wow64_microsoft-windows-terminalservices-theme_31bf3856ad364e35_10.0.19041.1_none_962bc7b24e8d9f3a\TSTheme.exe" /grant "everyone":(f)3⤵PID:4776
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\wow64_microsoft-windows-terminalservices-theme_31bf3856ad364e35_10.0.19041.746_none_be3404fb0dff5d84\f\TSTheme.exe"2⤵PID:6080
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\WinSxS\wow64_microsoft-windows-terminalservices-theme_31bf3856ad364e35_10.0.19041.746_none_be3404fb0dff5d84\f\TSTheme.exe"3⤵PID:5500
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\WinSxS\wow64_microsoft-windows-terminalservices-theme_31bf3856ad364e35_10.0.19041.746_none_be3404fb0dff5d84\f\TSTheme.exe" /grant "everyone":(f)3⤵PID:1428
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\wow64_microsoft-windows-terminalservices-theme_31bf3856ad364e35_10.0.19041.746_none_be3404fb0dff5d84\r\TSTheme.exe"2⤵PID:4852
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\WinSxS\wow64_microsoft-windows-terminalservices-theme_31bf3856ad364e35_10.0.19041.746_none_be3404fb0dff5d84\r\TSTheme.exe"3⤵PID:4804
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\WinSxS\wow64_microsoft-windows-terminalservices-theme_31bf3856ad364e35_10.0.19041.746_none_be3404fb0dff5d84\r\TSTheme.exe" /grant "everyone":(f)3⤵PID:5040
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\wow64_microsoft-windows-terminalservices-theme_31bf3856ad364e35_10.0.19041.746_none_be3404fb0dff5d84\TSTheme.exe"2⤵PID:4916
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\WinSxS\wow64_microsoft-windows-terminalservices-theme_31bf3856ad364e35_10.0.19041.746_none_be3404fb0dff5d84\TSTheme.exe"3⤵PID:2116
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\WinSxS\wow64_microsoft-windows-terminalservices-theme_31bf3856ad364e35_10.0.19041.746_none_be3404fb0dff5d84\TSTheme.exe" /grant "everyone":(f)3⤵PID:5460
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\wow64_microsoft-windows-thumbexthost_31bf3856ad364e35_10.0.19041.1_none_b0b2b0b01128fbbb\ThumbnailExtractionHost.exe"2⤵PID:5804
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\WinSxS\wow64_microsoft-windows-thumbexthost_31bf3856ad364e35_10.0.19041.1_none_b0b2b0b01128fbbb\ThumbnailExtractionHost.exe"3⤵PID:5536
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\WinSxS\wow64_microsoft-windows-thumbexthost_31bf3856ad364e35_10.0.19041.1_none_b0b2b0b01128fbbb\ThumbnailExtractionHost.exe" /grant "everyone":(f)3⤵PID:5132
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\wow64_microsoft-windows-thumbexthost_31bf3856ad364e35_10.0.19041.746_none_d8baedf8d09aba05\f\ThumbnailExtractionHost.exe"2⤵PID:5184
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\WinSxS\wow64_microsoft-windows-thumbexthost_31bf3856ad364e35_10.0.19041.746_none_d8baedf8d09aba05\f\ThumbnailExtractionHost.exe"3⤵
- Modifies file permissions
PID:1648 -
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\WinSxS\wow64_microsoft-windows-thumbexthost_31bf3856ad364e35_10.0.19041.746_none_d8baedf8d09aba05\f\ThumbnailExtractionHost.exe" /grant "everyone":(f)3⤵PID:5528
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\wow64_microsoft-windows-thumbexthost_31bf3856ad364e35_10.0.19041.746_none_d8baedf8d09aba05\r\ThumbnailExtractionHost.exe"2⤵PID:4820
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\WinSxS\wow64_microsoft-windows-thumbexthost_31bf3856ad364e35_10.0.19041.746_none_d8baedf8d09aba05\r\ThumbnailExtractionHost.exe"3⤵PID:3356
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\WinSxS\wow64_microsoft-windows-thumbexthost_31bf3856ad364e35_10.0.19041.746_none_d8baedf8d09aba05\r\ThumbnailExtractionHost.exe" /grant "everyone":(f)3⤵
- Modifies file permissions
PID:372 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\wow64_microsoft-windows-thumbexthost_31bf3856ad364e35_10.0.19041.746_none_d8baedf8d09aba05\ThumbnailExtractionHost.exe"2⤵PID:3040
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\WinSxS\wow64_microsoft-windows-thumbexthost_31bf3856ad364e35_10.0.19041.746_none_d8baedf8d09aba05\ThumbnailExtractionHost.exe"3⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:4816 -
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\WinSxS\wow64_microsoft-windows-thumbexthost_31bf3856ad364e35_10.0.19041.746_none_d8baedf8d09aba05\ThumbnailExtractionHost.exe" /grant "everyone":(f)3⤵PID:5204
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\wow64_microsoft-windows-time-tool_31bf3856ad364e35_10.0.19041.1_none_ad4ed32c0facc27c\w32tm.exe"2⤵PID:1904
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\WinSxS\wow64_microsoft-windows-time-tool_31bf3856ad364e35_10.0.19041.1_none_ad4ed32c0facc27c\w32tm.exe"3⤵PID:4500
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\WinSxS\wow64_microsoft-windows-time-tool_31bf3856ad364e35_10.0.19041.1_none_ad4ed32c0facc27c\w32tm.exe" /grant "everyone":(f)3⤵PID:2492
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\wow64_microsoft-windows-timeout_31bf3856ad364e35_10.0.19041.1_none_4caa24969a02f9c3\timeout.exe"2⤵PID:5792
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\WinSxS\wow64_microsoft-windows-timeout_31bf3856ad364e35_10.0.19041.1_none_4caa24969a02f9c3\timeout.exe"3⤵PID:1520
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\WinSxS\wow64_microsoft-windows-timeout_31bf3856ad364e35_10.0.19041.1_none_4caa24969a02f9c3\timeout.exe" /grant "everyone":(f)3⤵
- Possible privilege escalation attempt
PID:1704 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\wow64_microsoft-windows-tpm-adminsnapin_31bf3856ad364e35_10.0.19041.1_none_37c2cec4b2ff6c9c\TpmInit.exe"2⤵PID:4428
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\WinSxS\wow64_microsoft-windows-tpm-adminsnapin_31bf3856ad364e35_10.0.19041.1_none_37c2cec4b2ff6c9c\TpmInit.exe"3⤵PID:2364
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\WinSxS\wow64_microsoft-windows-tpm-adminsnapin_31bf3856ad364e35_10.0.19041.1_none_37c2cec4b2ff6c9c\TpmInit.exe" /grant "everyone":(f)3⤵PID:6072
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\wow64_microsoft-windows-tpm-tool_31bf3856ad364e35_10.0.19041.1202_none_7d4ea219d613c9d8\f\TpmTool.exe"2⤵PID:4676
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\WinSxS\wow64_microsoft-windows-tpm-tool_31bf3856ad364e35_10.0.19041.1202_none_7d4ea219d613c9d8\f\TpmTool.exe"3⤵PID:2784
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\WinSxS\wow64_microsoft-windows-tpm-tool_31bf3856ad364e35_10.0.19041.1202_none_7d4ea219d613c9d8\f\TpmTool.exe" /grant "everyone":(f)3⤵PID:4732
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\wow64_microsoft-windows-tpm-tool_31bf3856ad364e35_10.0.19041.1202_none_7d4ea219d613c9d8\r\TpmTool.exe"2⤵PID:3032
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\WinSxS\wow64_microsoft-windows-tpm-tool_31bf3856ad364e35_10.0.19041.1202_none_7d4ea219d613c9d8\r\TpmTool.exe"3⤵PID:2932
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\WinSxS\wow64_microsoft-windows-tpm-tool_31bf3856ad364e35_10.0.19041.1202_none_7d4ea219d613c9d8\r\TpmTool.exe" /grant "everyone":(f)3⤵PID:5360
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\wow64_microsoft-windows-tpm-tool_31bf3856ad364e35_10.0.19041.1202_none_7d4ea219d613c9d8\TpmTool.exe"2⤵PID:5708
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\WinSxS\wow64_microsoft-windows-tpm-tool_31bf3856ad364e35_10.0.19041.1202_none_7d4ea219d613c9d8\TpmTool.exe"3⤵PID:5860
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\WinSxS\wow64_microsoft-windows-tpm-tool_31bf3856ad364e35_10.0.19041.1202_none_7d4ea219d613c9d8\TpmTool.exe" /grant "everyone":(f)3⤵PID:2972
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\wow64_microsoft-windows-tpm-tool_31bf3856ad364e35_10.0.19041.1_none_be7f82b3c03af8b8\TpmTool.exe"2⤵PID:5560
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\WinSxS\wow64_microsoft-windows-tpm-tool_31bf3856ad364e35_10.0.19041.1_none_be7f82b3c03af8b8\TpmTool.exe"3⤵PID:2388
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\WinSxS\wow64_microsoft-windows-tpm-tool_31bf3856ad364e35_10.0.19041.1_none_be7f82b3c03af8b8\TpmTool.exe" /grant "everyone":(f)3⤵PID:5192
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\wow64_microsoft-windows-twinui_31bf3856ad364e35_10.0.19041.1202_none_f2bc4eeca2f84338\f\LaunchWinApp.exe"2⤵PID:5336
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\WinSxS\wow64_microsoft-windows-twinui_31bf3856ad364e35_10.0.19041.1202_none_f2bc4eeca2f84338\f\LaunchWinApp.exe"3⤵PID:2780
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\WinSxS\wow64_microsoft-windows-twinui_31bf3856ad364e35_10.0.19041.1202_none_f2bc4eeca2f84338\f\LaunchWinApp.exe" /grant "everyone":(f)3⤵PID:5216
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\wow64_microsoft-windows-twinui_31bf3856ad364e35_10.0.19041.1202_none_f2bc4eeca2f84338\LaunchWinApp.exe"2⤵PID:3576
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\WinSxS\wow64_microsoft-windows-twinui_31bf3856ad364e35_10.0.19041.1202_none_f2bc4eeca2f84338\LaunchWinApp.exe"3⤵PID:4880
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\WinSxS\wow64_microsoft-windows-twinui_31bf3856ad364e35_10.0.19041.1202_none_f2bc4eeca2f84338\LaunchWinApp.exe" /grant "everyone":(f)3⤵PID:2908
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\wow64_microsoft-windows-twinui_31bf3856ad364e35_10.0.19041.1202_none_f2bc4eeca2f84338\r\LaunchWinApp.exe"2⤵PID:4460
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\WinSxS\wow64_microsoft-windows-twinui_31bf3856ad364e35_10.0.19041.1202_none_f2bc4eeca2f84338\r\LaunchWinApp.exe"3⤵
- Possible privilege escalation attempt
PID:4312 -
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\WinSxS\wow64_microsoft-windows-twinui_31bf3856ad364e35_10.0.19041.1202_none_f2bc4eeca2f84338\r\LaunchWinApp.exe" /grant "everyone":(f)3⤵PID:4424
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\wow64_microsoft-windows-twinui_31bf3856ad364e35_10.0.19041.264_none_5bddc2e54ca343d3\LaunchWinApp.exe"2⤵PID:1804
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\WinSxS\wow64_microsoft-windows-twinui_31bf3856ad364e35_10.0.19041.264_none_5bddc2e54ca343d3\LaunchWinApp.exe"3⤵PID:5288
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\WinSxS\wow64_microsoft-windows-twinui_31bf3856ad364e35_10.0.19041.264_none_5bddc2e54ca343d3\LaunchWinApp.exe" /grant "everyone":(f)3⤵PID:2976
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\wow64_microsoft-windows-tzutil_31bf3856ad364e35_10.0.19041.1_none_f4898caed6e558be\tzutil.exe"2⤵PID:4092
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\WinSxS\wow64_microsoft-windows-tzutil_31bf3856ad364e35_10.0.19041.1_none_f4898caed6e558be\tzutil.exe"3⤵PID:1616
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\WinSxS\wow64_microsoft-windows-tzutil_31bf3856ad364e35_10.0.19041.1_none_f4898caed6e558be\tzutil.exe" /grant "everyone":(f)3⤵PID:3128
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\wow64_microsoft-windows-u..etry-client-wowonly_31bf3856ad364e35_10.0.19041.1_none_4c7da197e5837576\dtdump.exe"2⤵PID:2396
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\WinSxS\wow64_microsoft-windows-u..etry-client-wowonly_31bf3856ad364e35_10.0.19041.1_none_4c7da197e5837576\dtdump.exe"3⤵PID:3988
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\WinSxS\wow64_microsoft-windows-u..etry-client-wowonly_31bf3856ad364e35_10.0.19041.1_none_4c7da197e5837576\dtdump.exe" /grant "everyone":(f)3⤵PID:5824
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\wow64_microsoft-windows-u..etry-client-wowonly_31bf3856ad364e35_10.0.19041.662_none_746c3bfaa509091f\dtdump.exe"2⤵PID:3872
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\WinSxS\wow64_microsoft-windows-u..etry-client-wowonly_31bf3856ad364e35_10.0.19041.662_none_746c3bfaa509091f\dtdump.exe"3⤵PID:5348
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\WinSxS\wow64_microsoft-windows-u..etry-client-wowonly_31bf3856ad364e35_10.0.19041.662_none_746c3bfaa509091f\dtdump.exe" /grant "everyone":(f)3⤵PID:5368
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\wow64_microsoft-windows-u..etry-client-wowonly_31bf3856ad364e35_10.0.19041.662_none_746c3bfaa509091f\f\dtdump.exe"2⤵PID:4732
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\WinSxS\wow64_microsoft-windows-u..etry-client-wowonly_31bf3856ad364e35_10.0.19041.662_none_746c3bfaa509091f\f\dtdump.exe"3⤵PID:3396
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\WinSxS\wow64_microsoft-windows-u..etry-client-wowonly_31bf3856ad364e35_10.0.19041.662_none_746c3bfaa509091f\f\dtdump.exe" /grant "everyone":(f)3⤵
- Modifies file permissions
PID:5464 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\wow64_microsoft-windows-u..etry-client-wowonly_31bf3856ad364e35_10.0.19041.662_none_746c3bfaa509091f\r\dtdump.exe"2⤵PID:1460
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\WinSxS\wow64_microsoft-windows-u..etry-client-wowonly_31bf3856ad364e35_10.0.19041.662_none_746c3bfaa509091f\r\dtdump.exe"3⤵PID:996
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\WinSxS\wow64_microsoft-windows-u..etry-client-wowonly_31bf3856ad364e35_10.0.19041.662_none_746c3bfaa509091f\r\dtdump.exe" /grant "everyone":(f)3⤵PID:6024
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\wow64_microsoft-windows-u..onwakesettingflyout_31bf3856ad364e35_10.0.19041.1_none_6c93021db54246b0\PasswordOnWakeSettingFlyout.exe"2⤵PID:5624
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\WinSxS\wow64_microsoft-windows-u..onwakesettingflyout_31bf3856ad364e35_10.0.19041.1_none_6c93021db54246b0\PasswordOnWakeSettingFlyout.exe"3⤵PID:5212
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\WinSxS\wow64_microsoft-windows-u..onwakesettingflyout_31bf3856ad364e35_10.0.19041.1_none_6c93021db54246b0\PasswordOnWakeSettingFlyout.exe" /grant "everyone":(f)3⤵PID:5748
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\wow64_microsoft-windows-u..onwakesettingflyout_31bf3856ad364e35_10.0.19041.746_none_949b3f6674b404fa\f\PasswordOnWakeSettingFlyout.exe"2⤵PID:5412
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\WinSxS\wow64_microsoft-windows-u..onwakesettingflyout_31bf3856ad364e35_10.0.19041.746_none_949b3f6674b404fa\f\PasswordOnWakeSettingFlyout.exe"3⤵PID:6016
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\WinSxS\wow64_microsoft-windows-u..onwakesettingflyout_31bf3856ad364e35_10.0.19041.746_none_949b3f6674b404fa\f\PasswordOnWakeSettingFlyout.exe" /grant "everyone":(f)3⤵PID:1900
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\wow64_microsoft-windows-u..onwakesettingflyout_31bf3856ad364e35_10.0.19041.746_none_949b3f6674b404fa\PasswordOnWakeSettingFlyout.exe"2⤵PID:5356
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV13⤵PID:3392
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\WinSxS\wow64_microsoft-windows-u..onwakesettingflyout_31bf3856ad364e35_10.0.19041.746_none_949b3f6674b404fa\PasswordOnWakeSettingFlyout.exe"3⤵
- Possible privilege escalation attempt
PID:3748 -
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\WinSxS\wow64_microsoft-windows-u..onwakesettingflyout_31bf3856ad364e35_10.0.19041.746_none_949b3f6674b404fa\PasswordOnWakeSettingFlyout.exe" /grant "everyone":(f)3⤵PID:5832
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\wow64_microsoft-windows-u..onwakesettingflyout_31bf3856ad364e35_10.0.19041.746_none_949b3f6674b404fa\r\PasswordOnWakeSettingFlyout.exe"2⤵PID:5164
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\WinSxS\wow64_microsoft-windows-u..onwakesettingflyout_31bf3856ad364e35_10.0.19041.746_none_949b3f6674b404fa\r\PasswordOnWakeSettingFlyout.exe"3⤵
- Possible privilege escalation attempt
PID:3576 -
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\WinSxS\wow64_microsoft-windows-u..onwakesettingflyout_31bf3856ad364e35_10.0.19041.746_none_949b3f6674b404fa\r\PasswordOnWakeSettingFlyout.exe" /grant "everyone":(f)3⤵PID:5660
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\wow64_microsoft-windows-u..ountcontrolsettings_31bf3856ad364e35_10.0.19041.1_none_43eac9c1ac59d1f0\UserAccountControlSettings.exe"2⤵PID:2284
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\WinSxS\wow64_microsoft-windows-u..ountcontrolsettings_31bf3856ad364e35_10.0.19041.1_none_43eac9c1ac59d1f0\UserAccountControlSettings.exe"3⤵PID:5496
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\WinSxS\wow64_microsoft-windows-u..ountcontrolsettings_31bf3856ad364e35_10.0.19041.1_none_43eac9c1ac59d1f0\UserAccountControlSettings.exe" /grant "everyone":(f)3⤵PID:5812
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\wow64_microsoft-windows-u..ountcontrolsettings_31bf3856ad364e35_10.0.19041.423_none_6c05a0526bbe14de\UserAccountControlSettings.exe"2⤵PID:3584
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\WinSxS\wow64_microsoft-windows-u..ountcontrolsettings_31bf3856ad364e35_10.0.19041.423_none_6c05a0526bbe14de\UserAccountControlSettings.exe"3⤵PID:3552
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\WinSxS\wow64_microsoft-windows-u..ountcontrolsettings_31bf3856ad364e35_10.0.19041.423_none_6c05a0526bbe14de\UserAccountControlSettings.exe" /grant "everyone":(f)3⤵PID:1108
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\wow64_microsoft-windows-upnpdevicehost_31bf3856ad364e35_10.0.19041.153_none_aa284d65c7bee591\f\upnpcont.exe"2⤵PID:2016
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\WinSxS\wow64_microsoft-windows-upnpdevicehost_31bf3856ad364e35_10.0.19041.153_none_aa284d65c7bee591\f\upnpcont.exe"3⤵PID:4844
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\WinSxS\wow64_microsoft-windows-upnpdevicehost_31bf3856ad364e35_10.0.19041.153_none_aa284d65c7bee591\f\upnpcont.exe" /grant "everyone":(f)3⤵PID:5916
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\wow64_microsoft-windows-upnpdevicehost_31bf3856ad364e35_10.0.19041.153_none_aa284d65c7bee591\r\upnpcont.exe"2⤵PID:4100
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\WinSxS\wow64_microsoft-windows-upnpdevicehost_31bf3856ad364e35_10.0.19041.153_none_aa284d65c7bee591\r\upnpcont.exe"3⤵PID:4416
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\WinSxS\wow64_microsoft-windows-upnpdevicehost_31bf3856ad364e35_10.0.19041.153_none_aa284d65c7bee591\r\upnpcont.exe" /grant "everyone":(f)3⤵PID:116
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\wow64_microsoft-windows-upnpdevicehost_31bf3856ad364e35_10.0.19041.153_none_aa284d65c7bee591\upnpcont.exe"2⤵PID:4168
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\WinSxS\wow64_microsoft-windows-upnpdevicehost_31bf3856ad364e35_10.0.19041.153_none_aa284d65c7bee591\upnpcont.exe"3⤵PID:5372
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\WinSxS\wow64_microsoft-windows-upnpdevicehost_31bf3856ad364e35_10.0.19041.153_none_aa284d65c7bee591\upnpcont.exe" /grant "everyone":(f)3⤵PID:6092
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\wow64_microsoft-windows-upnpdevicehost_31bf3856ad364e35_10.0.19041.867_none_aa218bebc7c352ef\f\upnpcont.exe"2⤵PID:5232
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\WinSxS\wow64_microsoft-windows-upnpdevicehost_31bf3856ad364e35_10.0.19041.867_none_aa218bebc7c352ef\f\upnpcont.exe"3⤵
- Modifies file permissions
PID:5448 -
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\WinSxS\wow64_microsoft-windows-upnpdevicehost_31bf3856ad364e35_10.0.19041.867_none_aa218bebc7c352ef\f\upnpcont.exe" /grant "everyone":(f)3⤵PID:4852
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\wow64_microsoft-windows-upnpdevicehost_31bf3856ad364e35_10.0.19041.867_none_aa218bebc7c352ef\r\upnpcont.exe"2⤵PID:2932
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\WinSxS\wow64_microsoft-windows-upnpdevicehost_31bf3856ad364e35_10.0.19041.867_none_aa218bebc7c352ef\r\upnpcont.exe"3⤵
- Modifies file permissions
PID:5468 -
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\WinSxS\wow64_microsoft-windows-upnpdevicehost_31bf3856ad364e35_10.0.19041.867_none_aa218bebc7c352ef\r\upnpcont.exe" /grant "everyone":(f)3⤵PID:5652
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\wow64_microsoft-windows-upnpdevicehost_31bf3856ad364e35_10.0.19041.867_none_aa218bebc7c352ef\upnpcont.exe"2⤵PID:3476
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\WinSxS\wow64_microsoft-windows-upnpdevicehost_31bf3856ad364e35_10.0.19041.867_none_aa218bebc7c352ef\upnpcont.exe"3⤵PID:1968
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\WinSxS\wow64_microsoft-windows-upnpdevicehost_31bf3856ad364e35_10.0.19041.867_none_aa218bebc7c352ef\upnpcont.exe" /grant "everyone":(f)3⤵PID:1628
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\wow64_microsoft-windows-usercpl-usermgrbroker_31bf3856ad364e35_10.0.19041.1_none_d6f1c935a875f141\UserAccountBroker.exe"2⤵PID:4140
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\WinSxS\wow64_microsoft-windows-usercpl-usermgrbroker_31bf3856ad364e35_10.0.19041.1_none_d6f1c935a875f141\UserAccountBroker.exe"3⤵PID:5984
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\WinSxS\wow64_microsoft-windows-usercpl-usermgrbroker_31bf3856ad364e35_10.0.19041.1_none_d6f1c935a875f141\UserAccountBroker.exe" /grant "everyone":(f)3⤵PID:4336
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\wow64_microsoft-windows-usercpl-usermgrbroker_31bf3856ad364e35_10.0.19041.746_none_fefa067e67e7af8b\f\UserAccountBroker.exe"2⤵PID:5356
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\WinSxS\wow64_microsoft-windows-usercpl-usermgrbroker_31bf3856ad364e35_10.0.19041.746_none_fefa067e67e7af8b\f\UserAccountBroker.exe"3⤵PID:5268
-
Process tree entries, one per line: [depth] PID | image path | command line | signature tag (where the report attached one)

- [3] PID 3272 | C:\Windows\SysWOW64\icacls.exe | icacls "C:\Windows\WinSxS\wow64_microsoft-windows-usercpl-usermgrbroker_31bf3856ad364e35_10.0.19041.746_none_fefa067e67e7af8b\f\UserAccountBroker.exe" /grant "everyone":(f)
- [2] PID 5908 | C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\wow64_microsoft-windows-usercpl-usermgrbroker_31bf3856ad364e35_10.0.19041.746_none_fefa067e67e7af8b\r\UserAccountBroker.exe"
- [3] PID 6020 | C:\Windows\SysWOW64\takeown.exe | takeown /f "C:\Windows\WinSxS\wow64_microsoft-windows-usercpl-usermgrbroker_31bf3856ad364e35_10.0.19041.746_none_fefa067e67e7af8b\r\UserAccountBroker.exe"
- [3] PID 5924 | C:\Windows\SysWOW64\icacls.exe | icacls "C:\Windows\WinSxS\wow64_microsoft-windows-usercpl-usermgrbroker_31bf3856ad364e35_10.0.19041.746_none_fefa067e67e7af8b\r\UserAccountBroker.exe" /grant "everyone":(f)
- [2] PID 4936 | C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\wow64_microsoft-windows-usercpl-usermgrbroker_31bf3856ad364e35_10.0.19041.746_none_fefa067e67e7af8b\UserAccountBroker.exe"
- [3] PID 5600 | C:\Windows\SysWOW64\takeown.exe | takeown /f "C:\Windows\WinSxS\wow64_microsoft-windows-usercpl-usermgrbroker_31bf3856ad364e35_10.0.19041.746_none_fefa067e67e7af8b\UserAccountBroker.exe"
- [3] PID 5872 | C:\Windows\SysWOW64\icacls.exe | icacls "C:\Windows\WinSxS\wow64_microsoft-windows-usercpl-usermgrbroker_31bf3856ad364e35_10.0.19041.746_none_fefa067e67e7af8b\UserAccountBroker.exe" /grant "everyone":(f)
- [2] PID 5892 | C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\wow64_microsoft-windows-userinit_31bf3856ad364e35_10.0.19041.1_none_9c6e71eba56e4081\userinit.exe"
- [3] PID 1344 | C:\Windows\SysWOW64\takeown.exe | takeown /f "C:\Windows\WinSxS\wow64_microsoft-windows-userinit_31bf3856ad364e35_10.0.19041.1_none_9c6e71eba56e4081\userinit.exe"
- [3] PID 2644 | C:\Windows\SysWOW64\icacls.exe | icacls "C:\Windows\WinSxS\wow64_microsoft-windows-userinit_31bf3856ad364e35_10.0.19041.1_none_9c6e71eba56e4081\userinit.exe" /grant "everyone":(f) | Possible privilege escalation attempt
- [2] PID 4396 | C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\wow64_microsoft-windows-utilman_31bf3856ad364e35_10.0.19041.1_none_c2ef67c504fb9748\Utilman.exe"
- [3] PID 4368 | C:\Windows\SysWOW64\takeown.exe | takeown /f "C:\Windows\WinSxS\wow64_microsoft-windows-utilman_31bf3856ad364e35_10.0.19041.1_none_c2ef67c504fb9748\Utilman.exe"
- [3] PID 2044 | C:\Windows\SysWOW64\icacls.exe | icacls "C:\Windows\WinSxS\wow64_microsoft-windows-utilman_31bf3856ad364e35_10.0.19041.1_none_c2ef67c504fb9748\Utilman.exe" /grant "everyone":(f)
- [2] PID 3128 | C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\wow64_microsoft-windows-utilman_31bf3856ad364e35_10.0.19041.746_none_eaf7a50dc46d5592\f\Utilman.exe"
- [3] PID 2360 | C:\Windows\SysWOW64\takeown.exe | takeown /f "C:\Windows\WinSxS\wow64_microsoft-windows-utilman_31bf3856ad364e35_10.0.19041.746_none_eaf7a50dc46d5592\f\Utilman.exe"
- [3] PID 5364 | C:\Windows\SysWOW64\icacls.exe | icacls "C:\Windows\WinSxS\wow64_microsoft-windows-utilman_31bf3856ad364e35_10.0.19041.746_none_eaf7a50dc46d5592\f\Utilman.exe" /grant "everyone":(f) | Possible privilege escalation attempt
- [2] PID 6076 | C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\wow64_microsoft-windows-utilman_31bf3856ad364e35_10.0.19041.746_none_eaf7a50dc46d5592\r\Utilman.exe"
- [3] PID 5980 | C:\Windows\SysWOW64\takeown.exe | takeown /f "C:\Windows\WinSxS\wow64_microsoft-windows-utilman_31bf3856ad364e35_10.0.19041.746_none_eaf7a50dc46d5592\r\Utilman.exe"
- [3] PID 6004 | C:\Windows\SysWOW64\icacls.exe | icacls "C:\Windows\WinSxS\wow64_microsoft-windows-utilman_31bf3856ad364e35_10.0.19041.746_none_eaf7a50dc46d5592\r\Utilman.exe" /grant "everyone":(f)
- [2] PID 5716 | C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\wow64_microsoft-windows-utilman_31bf3856ad364e35_10.0.19041.746_none_eaf7a50dc46d5592\Utilman.exe"
- [3] PID 6108 | C:\Windows\SysWOW64\takeown.exe | takeown /f "C:\Windows\WinSxS\wow64_microsoft-windows-utilman_31bf3856ad364e35_10.0.19041.746_none_eaf7a50dc46d5592\Utilman.exe"
- [3] PID 4720 | C:\Windows\SysWOW64\icacls.exe | icacls "C:\Windows\WinSxS\wow64_microsoft-windows-utilman_31bf3856ad364e35_10.0.19041.746_none_eaf7a50dc46d5592\Utilman.exe" /grant "everyone":(f)
- [2] PID 4200 | C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\wow64_microsoft-windows-verclsid_31bf3856ad364e35_10.0.19041.1_none_7c2c890be7329496\verclsid.exe"
- [3] PID 5360 | C:\Windows\SysWOW64\takeown.exe | takeown /f "C:\Windows\WinSxS\wow64_microsoft-windows-verclsid_31bf3856ad364e35_10.0.19041.1_none_7c2c890be7329496\verclsid.exe" | Possible privilege escalation attempt
- [3] PID 1092 | C:\Windows\SysWOW64\icacls.exe | icacls "C:\Windows\WinSxS\wow64_microsoft-windows-verclsid_31bf3856ad364e35_10.0.19041.1_none_7c2c890be7329496\verclsid.exe" /grant "everyone":(f)
- [2] PID 4916 | C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\wow64_microsoft-windows-w..for-management-core_31bf3856ad364e35_10.0.19041.1202_none_497a4c9b969ee5eb\f\WSManHTTPConfig.exe"
- [3] PID 3476 | C:\Windows\SysWOW64\takeown.exe | takeown /f "C:\Windows\WinSxS\wow64_microsoft-windows-w..for-management-core_31bf3856ad364e35_10.0.19041.1202_none_497a4c9b969ee5eb\f\WSManHTTPConfig.exe"
- [3] PID 4740 | C:\Windows\SysWOW64\icacls.exe | icacls "C:\Windows\WinSxS\wow64_microsoft-windows-w..for-management-core_31bf3856ad364e35_10.0.19041.1202_none_497a4c9b969ee5eb\f\WSManHTTPConfig.exe" /grant "everyone":(f)
- [2] PID 5132 | C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\wow64_microsoft-windows-w..for-management-core_31bf3856ad364e35_10.0.19041.1202_none_497a4c9b969ee5eb\f\wsmprovhost.exe"
- [3] PID 5524 | C:\Windows\SysWOW64\takeown.exe | takeown /f "C:\Windows\WinSxS\wow64_microsoft-windows-w..for-management-core_31bf3856ad364e35_10.0.19041.1202_none_497a4c9b969ee5eb\f\wsmprovhost.exe"
- [3] PID 5544 | C:\Windows\SysWOW64\icacls.exe | icacls "C:\Windows\WinSxS\wow64_microsoft-windows-w..for-management-core_31bf3856ad364e35_10.0.19041.1202_none_497a4c9b969ee5eb\f\wsmprovhost.exe" /grant "everyone":(f)
- [2] PID 4608 | C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\wow64_microsoft-windows-w..for-management-core_31bf3856ad364e35_10.0.19041.1202_none_497a4c9b969ee5eb\r\WSManHTTPConfig.exe"
- [3] PID 5440 | C:\Windows\SysWOW64\takeown.exe | takeown /f "C:\Windows\WinSxS\wow64_microsoft-windows-w..for-management-core_31bf3856ad364e35_10.0.19041.1202_none_497a4c9b969ee5eb\r\WSManHTTPConfig.exe"
- [3] PID 5660 | C:\Windows\SysWOW64\icacls.exe | icacls "C:\Windows\WinSxS\wow64_microsoft-windows-w..for-management-core_31bf3856ad364e35_10.0.19041.1202_none_497a4c9b969ee5eb\r\WSManHTTPConfig.exe" /grant "everyone":(f)
- [2] PID 2668 | C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\wow64_microsoft-windows-w..for-management-core_31bf3856ad364e35_10.0.19041.1202_none_497a4c9b969ee5eb\r\wsmprovhost.exe"
- [3] PID 1380 | C:\Windows\SysWOW64\takeown.exe | takeown /f "C:\Windows\WinSxS\wow64_microsoft-windows-w..for-management-core_31bf3856ad364e35_10.0.19041.1202_none_497a4c9b969ee5eb\r\wsmprovhost.exe"
- [3] PID 372 | C:\Windows\SysWOW64\icacls.exe | icacls "C:\Windows\WinSxS\wow64_microsoft-windows-w..for-management-core_31bf3856ad364e35_10.0.19041.1202_none_497a4c9b969ee5eb\r\wsmprovhost.exe" /grant "everyone":(f)
- [2] PID 3596 | C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\wow64_microsoft-windows-w..for-management-core_31bf3856ad364e35_10.0.19041.1202_none_497a4c9b969ee5eb\WSManHTTPConfig.exe"
- [3] PID 6052 | C:\Windows\SysWOW64\takeown.exe | takeown /f "C:\Windows\WinSxS\wow64_microsoft-windows-w..for-management-core_31bf3856ad364e35_10.0.19041.1202_none_497a4c9b969ee5eb\WSManHTTPConfig.exe" | Modifies file permissions
- [3] PID 5520 | C:\Windows\SysWOW64\icacls.exe | icacls "C:\Windows\WinSxS\wow64_microsoft-windows-w..for-management-core_31bf3856ad364e35_10.0.19041.1202_none_497a4c9b969ee5eb\WSManHTTPConfig.exe" /grant "everyone":(f)
- [2] PID 5288 | C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\wow64_microsoft-windows-w..for-management-core_31bf3856ad364e35_10.0.19041.1202_none_497a4c9b969ee5eb\wsmprovhost.exe"
- [3] PID 1096 | C:\Windows\SysWOW64\takeown.exe | takeown /f "C:\Windows\WinSxS\wow64_microsoft-windows-w..for-management-core_31bf3856ad364e35_10.0.19041.1202_none_497a4c9b969ee5eb\wsmprovhost.exe"
- [3] PID 3572 | C:\Windows\SysWOW64\icacls.exe | icacls "C:\Windows\WinSxS\wow64_microsoft-windows-w..for-management-core_31bf3856ad364e35_10.0.19041.1202_none_497a4c9b969ee5eb\wsmprovhost.exe" /grant "everyone":(f) | Possible privilege escalation attempt
- [2] PID 6056 | C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\wow64_microsoft-windows-w..for-management-core_31bf3856ad364e35_10.0.19041.1_none_8aab2d3580c614cb\WSManHTTPConfig.exe"
- [3] PID 2044 | C:\Windows\SysWOW64\takeown.exe | takeown /f "C:\Windows\WinSxS\wow64_microsoft-windows-w..for-management-core_31bf3856ad364e35_10.0.19041.1_none_8aab2d3580c614cb\WSManHTTPConfig.exe" | Modifies file permissions
- [3] PID 5348 | C:\Windows\SysWOW64\icacls.exe | icacls "C:\Windows\WinSxS\wow64_microsoft-windows-w..for-management-core_31bf3856ad364e35_10.0.19041.1_none_8aab2d3580c614cb\WSManHTTPConfig.exe" /grant "everyone":(f)
- [2] PID 1064 | C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\wow64_microsoft-windows-w..for-management-core_31bf3856ad364e35_10.0.19041.1_none_8aab2d3580c614cb\wsmprovhost.exe"
- [3] PID 5364 | C:\Windows\SysWOW64\takeown.exe | takeown /f "C:\Windows\WinSxS\wow64_microsoft-windows-w..for-management-core_31bf3856ad364e35_10.0.19041.1_none_8aab2d3580c614cb\wsmprovhost.exe"
- [3] PID 5712 | C:\Windows\SysWOW64\icacls.exe | icacls "C:\Windows\WinSxS\wow64_microsoft-windows-w..for-management-core_31bf3856ad364e35_10.0.19041.1_none_8aab2d3580c614cb\wsmprovhost.exe" /grant "everyone":(f)
- [2] PID 384 | C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\wow64_microsoft-windows-w..ommand-line-utility_31bf3856ad364e35_10.0.19041.1_none_61ef8d34a0953a91\WMIC.exe"
- [3] PID 6004 | C:\Windows\SysWOW64\takeown.exe | takeown /f "C:\Windows\WinSxS\wow64_microsoft-windows-w..ommand-line-utility_31bf3856ad364e35_10.0.19041.1_none_61ef8d34a0953a91\WMIC.exe"
- [3] PID 4268 | C:\Windows\SysWOW64\icacls.exe | icacls "C:\Windows\WinSxS\wow64_microsoft-windows-w..ommand-line-utility_31bf3856ad364e35_10.0.19041.1_none_61ef8d34a0953a91\WMIC.exe" /grant "everyone":(f)
- [2] PID 1460 | C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\wow64_microsoft-windows-w..sition-uicomponents_31bf3856ad364e35_10.0.19041.1151_none_4e193eb76ed5f8cb\f\wiaacmgr.exe"
- [3] PID 6124 | C:\Windows\SysWOW64\takeown.exe | takeown /f "C:\Windows\WinSxS\wow64_microsoft-windows-w..sition-uicomponents_31bf3856ad364e35_10.0.19041.1151_none_4e193eb76ed5f8cb\f\wiaacmgr.exe"
- [3] PID 400 | C:\Windows\SysWOW64\icacls.exe | icacls "C:\Windows\WinSxS\wow64_microsoft-windows-w..sition-uicomponents_31bf3856ad364e35_10.0.19041.1151_none_4e193eb76ed5f8cb\f\wiaacmgr.exe" /grant "everyone":(f)
- [2] PID 3948 | C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\wow64_microsoft-windows-w..sition-uicomponents_31bf3856ad364e35_10.0.19041.1151_none_4e193eb76ed5f8cb\r\wiaacmgr.exe"
- [3] PID 4232 | C:\Windows\SysWOW64\takeown.exe | takeown /f "C:\Windows\WinSxS\wow64_microsoft-windows-w..sition-uicomponents_31bf3856ad364e35_10.0.19041.1151_none_4e193eb76ed5f8cb\r\wiaacmgr.exe"
- [3] PID 1828 | C:\Windows\SysWOW64\icacls.exe | icacls "C:\Windows\WinSxS\wow64_microsoft-windows-w..sition-uicomponents_31bf3856ad364e35_10.0.19041.1151_none_4e193eb76ed5f8cb\r\wiaacmgr.exe" /grant "everyone":(f)
- [2] PID 5988 | C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\wow64_microsoft-windows-w..sition-uicomponents_31bf3856ad364e35_10.0.19041.1151_none_4e193eb76ed5f8cb\wiaacmgr.exe"
- [3] PID 4740 | C:\Windows\SysWOW64\takeown.exe | takeown /f "C:\Windows\WinSxS\wow64_microsoft-windows-w..sition-uicomponents_31bf3856ad364e35_10.0.19041.1151_none_4e193eb76ed5f8cb\wiaacmgr.exe"
- [3] PID 5468 | C:\Windows\SysWOW64\icacls.exe | icacls "C:\Windows\WinSxS\wow64_microsoft-windows-w..sition-uicomponents_31bf3856ad364e35_10.0.19041.1151_none_4e193eb76ed5f8cb\wiaacmgr.exe" /grant "everyone":(f)
- [2] PID 5216 | C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\wow64_microsoft-windows-w..sition-uicomponents_31bf3856ad364e35_10.0.19041.1_none_8f3a372b5909de8a\wiaacmgr.exe"
- [3] PID 5268 | C:\Windows\SysWOW64\takeown.exe | takeown /f "C:\Windows\WinSxS\wow64_microsoft-windows-w..sition-uicomponents_31bf3856ad364e35_10.0.19041.1_none_8f3a372b5909de8a\wiaacmgr.exe"
- [3] PID 3220 | C:\Windows\SysWOW64\icacls.exe | icacls "C:\Windows\WinSxS\wow64_microsoft-windows-w..sition-uicomponents_31bf3856ad364e35_10.0.19041.1_none_8f3a372b5909de8a\wiaacmgr.exe" /grant "everyone":(f)
- [2] PID 720 | C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\wow64_microsoft-windows-w..ter-cimprovider-exe_31bf3856ad364e35_10.0.19041.1_none_238f55dfbfb45941\Register-CimProvider.exe"
- [3] PID 5740 | C:\Windows\SysWOW64\takeown.exe | takeown /f "C:\Windows\WinSxS\wow64_microsoft-windows-w..ter-cimprovider-exe_31bf3856ad364e35_10.0.19041.1_none_238f55dfbfb45941\Register-CimProvider.exe"
- [3] PID 3272 | C:\Windows\SysWOW64\icacls.exe | icacls "C:\Windows\WinSxS\wow64_microsoft-windows-w..ter-cimprovider-exe_31bf3856ad364e35_10.0.19041.1_none_238f55dfbfb45941\Register-CimProvider.exe" /grant "everyone":(f)
- [2] PID 1200 | C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\wow64_microsoft-windows-w..tnet-mua-hostserver_31bf3856ad364e35_10.0.19041.1_none_913591207b2aaf6f\WinRTNetMUAHostServer.exe"
- [3] PID 2752 | C:\Windows\SysWOW64\takeown.exe | takeown /f "C:\Windows\WinSxS\wow64_microsoft-windows-w..tnet-mua-hostserver_31bf3856ad364e35_10.0.19041.1_none_913591207b2aaf6f\WinRTNetMUAHostServer.exe"
- [3] PID 4820 | C:\Windows\SysWOW64\icacls.exe | icacls "C:\Windows\WinSxS\wow64_microsoft-windows-w..tnet-mua-hostserver_31bf3856ad364e35_10.0.19041.1_none_913591207b2aaf6f\WinRTNetMUAHostServer.exe" /grant "everyone":(f)
- [2] PID 5564 | C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\wow64_microsoft-windows-w..tnet-mua-hostserver_31bf3856ad364e35_10.0.19041.746_none_b93dce693a9c6db9\f\WinRTNetMUAHostServer.exe"
- [3] PID 6052 | C:\Windows\SysWOW64\takeown.exe | takeown /f "C:\Windows\WinSxS\wow64_microsoft-windows-w..tnet-mua-hostserver_31bf3856ad364e35_10.0.19041.746_none_b93dce693a9c6db9\f\WinRTNetMUAHostServer.exe"
- [3] PID 3596 | C:\Windows\SysWOW64\icacls.exe | icacls "C:\Windows\WinSxS\wow64_microsoft-windows-w..tnet-mua-hostserver_31bf3856ad364e35_10.0.19041.746_none_b93dce693a9c6db9\f\WinRTNetMUAHostServer.exe" /grant "everyone":(f)
- [2] PID 5768 | C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\wow64_microsoft-windows-w..tnet-mua-hostserver_31bf3856ad364e35_10.0.19041.746_none_b93dce693a9c6db9\r\WinRTNetMUAHostServer.exe"
- [3] PID 388 | C:\Windows\SysWOW64\takeown.exe | takeown /f "C:\Windows\WinSxS\wow64_microsoft-windows-w..tnet-mua-hostserver_31bf3856ad364e35_10.0.19041.746_none_b93dce693a9c6db9\r\WinRTNetMUAHostServer.exe"
- [3] PID 4308 | C:\Windows\SysWOW64\icacls.exe | icacls "C:\Windows\WinSxS\wow64_microsoft-windows-w..tnet-mua-hostserver_31bf3856ad364e35_10.0.19041.746_none_b93dce693a9c6db9\r\WinRTNetMUAHostServer.exe" /grant "everyone":(f)
- [2] PID 1068 | C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\wow64_microsoft-windows-w..tnet-mua-hostserver_31bf3856ad364e35_10.0.19041.746_none_b93dce693a9c6db9\WinRTNetMUAHostServer.exe"
- [3] PID 6068 | C:\Windows\SysWOW64\takeown.exe | takeown /f "C:\Windows\WinSxS\wow64_microsoft-windows-w..tnet-mua-hostserver_31bf3856ad364e35_10.0.19041.746_none_b93dce693a9c6db9\WinRTNetMUAHostServer.exe"
- [3] PID 5824 | C:\Windows\SysWOW64\icacls.exe | icacls "C:\Windows\WinSxS\wow64_microsoft-windows-w..tnet-mua-hostserver_31bf3856ad364e35_10.0.19041.746_none_b93dce693a9c6db9\WinRTNetMUAHostServer.exe" /grant "everyone":(f)
- [2] PID 5552 | C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\wow64_microsoft-windows-wab-app_31bf3856ad364e35_10.0.19041.1_none_02ef1556ab50e6d8\wab.exe"
- [3] PID 116 | C:\Windows\SysWOW64\takeown.exe | takeown /f "C:\Windows\WinSxS\wow64_microsoft-windows-wab-app_31bf3856ad364e35_10.0.19041.1_none_02ef1556ab50e6d8\wab.exe"
- [3] PID 1064 | C:\Windows\SysWOW64\icacls.exe | icacls "C:\Windows\WinSxS\wow64_microsoft-windows-wab-app_31bf3856ad364e35_10.0.19041.1_none_02ef1556ab50e6d8\wab.exe" /grant "everyone":(f)
- [2] PID 3956 | C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\wow64_microsoft-windows-wab-app_31bf3856ad364e35_10.0.19041.1_none_02ef1556ab50e6d8\wabmig.exe"
- [3] PID 5456 | C:\Windows\SysWOW64\takeown.exe | takeown /f "C:\Windows\WinSxS\wow64_microsoft-windows-wab-app_31bf3856ad364e35_10.0.19041.1_none_02ef1556ab50e6d8\wabmig.exe"
- [3] PID 3396 | C:\Windows\SysWOW64\icacls.exe | icacls "C:\Windows\WinSxS\wow64_microsoft-windows-wab-app_31bf3856ad364e35_10.0.19041.1_none_02ef1556ab50e6d8\wabmig.exe" /grant "everyone":(f) | Modifies file permissions
- [2] PID 5692 | C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\wow64_microsoft-windows-waitfor_31bf3856ad364e35_10.0.19041.1_none_76ab6db74ef1e15e\waitfor.exe"
- [3] PID 4732 | C:\Windows\SysWOW64\takeown.exe | takeown /f "C:\Windows\WinSxS\wow64_microsoft-windows-waitfor_31bf3856ad364e35_10.0.19041.1_none_76ab6db74ef1e15e\waitfor.exe"
- [3] PID 2972 | C:\Windows\SysWOW64\icacls.exe | icacls "C:\Windows\WinSxS\wow64_microsoft-windows-waitfor_31bf3856ad364e35_10.0.19041.1_none_76ab6db74ef1e15e\waitfor.exe" /grant "everyone":(f)
- [2] PID 5116 | C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\wow64_microsoft-windows-web-app-host_31bf3856ad364e35_10.0.19041.1_none_f2d57eada2c90ed3\WWAHost.exe"
- [3] PID 6028 | C:\Windows\SysWOW64\takeown.exe | takeown /f "C:\Windows\WinSxS\wow64_microsoft-windows-web-app-host_31bf3856ad364e35_10.0.19041.1_none_f2d57eada2c90ed3\WWAHost.exe"
- [3] PID 5708 | C:\Windows\SysWOW64\icacls.exe | icacls "C:\Windows\WinSxS\wow64_microsoft-windows-web-app-host_31bf3856ad364e35_10.0.19041.1_none_f2d57eada2c90ed3\WWAHost.exe" /grant "everyone":(f) | Modifies file permissions
- [2] PID 5192 | C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\wow64_microsoft-windows-web-app-host_31bf3856ad364e35_10.0.19041.789_none_1ab57d24625888e6\f\WWAHost.exe"
- [3] PID 396 | C:\Windows\SysWOW64\takeown.exe | takeown /f "C:\Windows\WinSxS\wow64_microsoft-windows-web-app-host_31bf3856ad364e35_10.0.19041.789_none_1ab57d24625888e6\f\WWAHost.exe"
- [3] PID 5988 | C:\Windows\SysWOW64\icacls.exe | icacls "C:\Windows\WinSxS\wow64_microsoft-windows-web-app-host_31bf3856ad364e35_10.0.19041.789_none_1ab57d24625888e6\f\WWAHost.exe" /grant "everyone":(f)
- [2] PID 5144 | C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\wow64_microsoft-windows-web-app-host_31bf3856ad364e35_10.0.19041.789_none_1ab57d24625888e6\r\WWAHost.exe"
- [3] PID 1364 | C:\Windows\SysWOW64\takeown.exe | takeown /f "C:\Windows\WinSxS\wow64_microsoft-windows-web-app-host_31bf3856ad364e35_10.0.19041.789_none_1ab57d24625888e6\r\WWAHost.exe"
- [3] PID 876 | C:\Windows\SysWOW64\icacls.exe | icacls "C:\Windows\WinSxS\wow64_microsoft-windows-web-app-host_31bf3856ad364e35_10.0.19041.789_none_1ab57d24625888e6\r\WWAHost.exe" /grant "everyone":(f)
- [2] PID 4372 | C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\wow64_microsoft-windows-web-app-host_31bf3856ad364e35_10.0.19041.789_none_1ab57d24625888e6\WWAHost.exe"
- [3] PID 4348 | C:\Windows\SysWOW64\takeown.exe | takeown /f "C:\Windows\WinSxS\wow64_microsoft-windows-web-app-host_31bf3856ad364e35_10.0.19041.789_none_1ab57d24625888e6\WWAHost.exe"
- [3] PID 216 | C:\Windows\SysWOW64\icacls.exe | icacls "C:\Windows\WinSxS\wow64_microsoft-windows-web-app-host_31bf3856ad364e35_10.0.19041.789_none_1ab57d24625888e6\WWAHost.exe" /grant "everyone":(f)
- [2] PID 3688 | C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\wow64_microsoft-windows-webcamexperience_31bf3856ad364e35_10.0.19041.1_none_2d2e881f7f8c5f63\CameraSettingsUIHost.exe"
- [3] PID 5660 | C:\Windows\SysWOW64\takeown.exe | takeown /f "C:\Windows\WinSxS\wow64_microsoft-windows-webcamexperience_31bf3856ad364e35_10.0.19041.1_none_2d2e881f7f8c5f63\CameraSettingsUIHost.exe"
- [3] PID 5076 | C:\Windows\SysWOW64\icacls.exe | icacls "C:\Windows\WinSxS\wow64_microsoft-windows-webcamexperience_31bf3856ad364e35_10.0.19041.1_none_2d2e881f7f8c5f63\CameraSettingsUIHost.exe" /grant "everyone":(f)
- [2] PID 1648 | C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\wow64_microsoft-windows-webcamexperience_31bf3856ad364e35_10.0.19041.746_none_5536c5683efe1dad\CameraSettingsUIHost.exe"
- [3] PID 2668 | C:\Windows\SysWOW64\takeown.exe | takeown /f "C:\Windows\WinSxS\wow64_microsoft-windows-webcamexperience_31bf3856ad364e35_10.0.19041.746_none_5536c5683efe1dad\CameraSettingsUIHost.exe"
- [3] PID 632 | C:\Windows\SysWOW64\icacls.exe | icacls "C:\Windows\WinSxS\wow64_microsoft-windows-webcamexperience_31bf3856ad364e35_10.0.19041.746_none_5536c5683efe1dad\CameraSettingsUIHost.exe" /grant "everyone":(f)
- [2] PID 5908 | C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\wow64_microsoft-windows-webcamexperience_31bf3856ad364e35_10.0.19041.746_none_5536c5683efe1dad\f\CameraSettingsUIHost.exe"
- [3] PID 6000 | C:\Windows\SysWOW64\takeown.exe | takeown /f "C:\Windows\WinSxS\wow64_microsoft-windows-webcamexperience_31bf3856ad364e35_10.0.19041.746_none_5536c5683efe1dad\f\CameraSettingsUIHost.exe" | Possible privilege escalation attempt
- [3] PID 620 | C:\Windows\SysWOW64\icacls.exe | icacls "C:\Windows\WinSxS\wow64_microsoft-windows-webcamexperience_31bf3856ad364e35_10.0.19041.746_none_5536c5683efe1dad\f\CameraSettingsUIHost.exe" /grant "everyone":(f)
- [2] PID 4780 | C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\wow64_microsoft-windows-webcamexperience_31bf3856ad364e35_10.0.19041.746_none_5536c5683efe1dad\r\CameraSettingsUIHost.exe"
- [3] PID 4976 | C:\Windows\SysWOW64\takeown.exe | takeown /f "C:\Windows\WinSxS\wow64_microsoft-windows-webcamexperience_31bf3856ad364e35_10.0.19041.746_none_5536c5683efe1dad\r\CameraSettingsUIHost.exe"
- [3] PID 1848 | C:\Windows\SysWOW64\icacls.exe | icacls "C:\Windows\WinSxS\wow64_microsoft-windows-webcamexperience_31bf3856ad364e35_10.0.19041.746_none_5536c5683efe1dad\r\CameraSettingsUIHost.exe" /grant "everyone":(f)
- [2] PID 3796 | C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\wow64_microsoft-windows-where_31bf3856ad364e35_10.0.19041.1_none_1e18f0f5b1e8db7d\where.exe"
- [3] PID 5824 | C:\Windows\System32\Conhost.exe | \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
- [3] PID 2800 | C:\Windows\SysWOW64\takeown.exe | takeown /f "C:\Windows\WinSxS\wow64_microsoft-windows-where_31bf3856ad364e35_10.0.19041.1_none_1e18f0f5b1e8db7d\where.exe"
- [3] PID 6068 | C:\Windows\SysWOW64\icacls.exe | icacls "C:\Windows\WinSxS\wow64_microsoft-windows-where_31bf3856ad364e35_10.0.19041.1_none_1e18f0f5b1e8db7d\where.exe" /grant "everyone":(f)
- [2] PID 2292 | C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\wow64_microsoft-windows-whoami_31bf3856ad364e35_10.0.19041.1_none_8ec2362c55947137\whoami.exe"
- [3] PID 6116 | C:\Windows\SysWOW64\takeown.exe | takeown /f "C:\Windows\WinSxS\wow64_microsoft-windows-whoami_31bf3856ad364e35_10.0.19041.1_none_8ec2362c55947137\whoami.exe"
- [3] PID 4280 | C:\Windows\SysWOW64\icacls.exe | icacls "C:\Windows\WinSxS\wow64_microsoft-windows-whoami_31bf3856ad364e35_10.0.19041.1_none_8ec2362c55947137\whoami.exe" /grant "everyone":(f)
- [2] PID 4436 | C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\wow64_microsoft-windows-winhstb_31bf3856ad364e35_10.0.19041.1_none_e94bc62edd251a47\winhlp32.exe"
- [3] PID 4720 | C:\Windows\SysWOW64\takeown.exe | takeown /f "C:\Windows\WinSxS\wow64_microsoft-windows-winhstb_31bf3856ad364e35_10.0.19041.1_none_e94bc62edd251a47\winhlp32.exe"
- [3] PID 5704 | C:\Windows\SysWOW64\icacls.exe | icacls "C:\Windows\WinSxS\wow64_microsoft-windows-winhstb_31bf3856ad364e35_10.0.19041.1_none_e94bc62edd251a47\winhlp32.exe" /grant "everyone":(f)
- [2] PID 1532 | C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\wow64_microsoft-windows-winre-recoverytools_31bf3856ad364e35_10.0.19041.1_none_95938c4a44e792de\ReAgentc.exe"
- [3] PID 1460 | C:\Windows\System32\Conhost.exe | \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
- [3] PID 5292 | C:\Windows\SysWOW64\takeown.exe | takeown /f "C:\Windows\WinSxS\wow64_microsoft-windows-winre-recoverytools_31bf3856ad364e35_10.0.19041.1_none_95938c4a44e792de\ReAgentc.exe"
- [3] PID 5064 | C:\Windows\SysWOW64\icacls.exe | icacls "C:\Windows\WinSxS\wow64_microsoft-windows-winre-recoverytools_31bf3856ad364e35_10.0.19041.1_none_95938c4a44e792de\ReAgentc.exe" /grant "everyone":(f)
- [1] PID 5228 | C:\Windows\msagent\AgentSvr.exe | C:\Windows\msagent\AgentSvr.exe -Embedding
- [1] PID 5428 | C:\Windows\system32\AUDIODG.EXE | C:\Windows\system32\AUDIODG.EXE 0x160 0x2f4
Network
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution (1): Active Setup (1)
- Event Triggered Execution (1): Accessibility Features (1)
Privilege Escalation
- Boot or Logon Autostart Execution (1): Active Setup (1)
- Event Triggered Execution (1): Accessibility Features (1)
Downloads
- Filesize: 152B
  MD5: 85ba073d7015b6ce7da19235a275f6da
  SHA1: a23c8c2125e45a0788bac14423ae1f3eab92cf00
  SHA256: 5ad04b8c19bf43b550ad725202f79086168ecccabe791100fba203d9aa27e617
  SHA512: eb4fd72d7030ea1a25af2b59769b671a5760735fb95d18145f036a8d9e6f42c903b34a7e606046c740c644fab0bb9f5b7335c1869b098f121579e71f10f5a9c3
- Filesize: 152B
  MD5: 7de1bbdc1f9cf1a58ae1de4951ce8cb9
  SHA1: 010da169e15457c25bd80ef02d76a940c1210301
  SHA256: 6e390bbc0d03a652516705775e8e9a7b7936312a8a5bea407f9d7d9fa99d957e
  SHA512: e4a33f2128883e71ab41e803e8b55d0ac17cbc51be3bde42bed157df24f10f34ad264f74ef3254dbe30d253aca03158fde21518c2b78aaa05dae8308b1c5f30c
- C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
  Filesize: 4KB
  MD5: 335183219368465a2ba5517a81a8786b
  SHA1: de963dd16e3660221ea18f88e3f78ad52a8d843d
  SHA256: 80629ad07c8e98be8f69685521effd13977e3e72056f6ad54841f484e4a0175a
  SHA512: 22348839cdfda8a241c4fed3e89de045cfdde9d66793084af55da2f9e457c801b89ce240850e826b01603e3d91cd798478488519e8c7405b6a4fe8a2704236e3
- C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
  Filesize: 1KB
  MD5: 0ba67ec16f4f755b4db6002ee7743a8a
  SHA1: 072d838c6a569afa3a8fe6bb4fa120cd1cfaca85
  SHA256: 39b699b19942e3220f0fec04275c5130c11700a16b8c696c91c4b91318271e95
  SHA512: 804a1d65a8fe58dfbe81d4e8f81d22d3f96483298caee34374bcb9313ea914f163c8b790b3f6539177db55a66f5aa2ca4923363a2bf06a49e209bd525e6ea0ce
- Filesize: 4KB
  MD5: 1e68e2f850e3d99c69f441fb9bf809f4
  SHA1: 4f769f94a159fdece7d755dc1700fe3fc1f36831
  SHA256: b7e8ca3df4b22cf29b365072bab2f3e04f7e3307664b78d56f8392ee03a3a63d
  SHA512: 716503ab51cee3762d28946f5bae6e7e4aeef35db5067873d181495ceeb87ce3c9f15199ecec0b6ba854c27d87c3dfdc74f70d6f5072b50435fa7e182fa5edf0
- Filesize: 3KB
  MD5: b1e9827d1c3f87c4261c207e8d0ed336
  SHA1: 67175a548d950ef1644161268904ad54dc6d4137
  SHA256: 648573faaf76fa24369c1f7a956a7a667d4aa7d9dfe61cbe9d6074df6113f177
  SHA512: 904ebf670ca2c7d225824d7860ce2d1f45602564aad6affc208a15de83ce75c9efb61d1f854428f4d6d551d370b8acb78ca96bd44187eb118f970caff247417d
- Filesize: 7KB
  MD5: d60bae593ccde1a77f13d0a25ae21a74
  SHA1: f7dd84fda876553462acfe4aefd2af40b31c8929
  SHA256: 5354fbb808b24fe101dd19d527ba8a45f758d62e8562a7716c4513a497552a9c
  SHA512: 62e86eb6cb0f8de270710c7f4825f38431adb5b34b38a06dc0209a89a5f18a3855bf8bbae7bb794fe146516c7858f2732b51b5821defee7464bced18aff409bb
- Filesize: 7KB
  MD5: d11949285398054d2026001f1b2e09ca
  SHA1: d171119230e5b617096d2449fd1222eb5928903b
  SHA256: 47b77117cf27f231b014d1df7434575f601fe50557f83fd9aa9555503f4bdf24
  SHA512: 6b55e6a6b2351223be4494f7107a85c7a1e9dc105c02cbaf34336673afeb0ed654542f0ad052bd7154aca3b6c4b9f517464b8d6ad32d8829b4aa9b95c72bdbd0
- Filesize: 6KB
  MD5: c7885d028d659448e23c8f43b674f772
  SHA1: 68b4c0dab54f1181bf5de03b906208bfb97f6d82
  SHA256: 728a3a6c6aabc67666c8d7a6d98789b1a92ce882b566180cf0740eadfd0fb303
  SHA512: 676133eec4beb05b2855f76c057dd17f5e8187f7a1955d865082f2cc112ed28f36c44b2d4e0576c2928d48f7da3f12bd9b46d0e391b493698dc362089960a085
- Filesize: 6KB
  MD5: eeeb24b07f1adf64e45388b5aa76f12d
  SHA1: 750530dc7056aaf088ded51a673af5278efe4cf8
  SHA256: 7f0f53f6bd04300bde120ca0380149f3e49fe50f472a98a38796dfc7d810db03
  SHA512: f84a853d62e5fc1558c41d47cf48d126d422dc837de98cb85323d1eba7b60c8ae7d7e008acdd8278e021ae1cbe6dcde532378861945be46d9715a57f6716ad94
- Filesize: 6KB
  MD5: 5807e85aeead61ff58586b46ba67a4b7
  SHA1: d66f2c9577918b523e6e002fa896c915e4555c7f
  SHA256: 838b32ff9d753bfba917e6f774af468ccbee779b8ba982903a6eb3abc9baf205
  SHA512: efb95f1ce6d05142e52f35d7c35f725c2915da946142a2eeb150bd020c7ee3fedf2a22e6129687d06044d6f1904036057c3724fa31472bd3581bf84d1c7315a4
- Filesize: 6KB
  MD5: 3cf84951231cfa51194bf2641d53f742
  SHA1: c7a2a5abd9359a0020a012c4f816997c974715af
  SHA256: b4bd96695e8314247883a3270b9ace41d08f93f684979de6597dd80d472b2300
  SHA512: fc9f2f87515a20405cb04aa9c0c9e9ab5c9e1bbfc055e17d6e57fc2fc2fc43bcf912a70a5cdf859b71b47e87f1bee47a8119a722294f6b76be96af40b4168a2a
- Filesize: 5KB
  MD5: 3e34d4ba810eca2b00ecd52695b1799b
  SHA1: 740377e17db22cddd9fb28c31b11aeefcd57e8e4
  SHA256: 67ac86f0d5b77805fd3c4f383e09519e55e6a1704619387c2084d478a2cf86ea
  SHA512: 10b3a9ae0d44e541d750dca796b130e5b1ad01327f3ea7221ffe1194c77d519026d7a6a7de3327075a6c97d6dabbf81bf48337c5900e97847ada42f0c8c4e7a8
- C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt
  Filesize: 90B
  MD5: 990d6ddc418fe3631a032c3cdf6fce13
  SHA1: 2f1f528d2bd6367ef0791baa46b477a12425313f
  SHA256: 52c3c947d6562b384a9db38e7f0fc4e53d118a7f9bc4d0a0f1d5d9fe6c57b9e9
  SHA512: 1e47a2f37e4c7135c350d76dd254d23f17dde79af38c15b1588633681ae3cf406f4e5c39d93095ee329f5efe94a15114b547bd35bf42320fd8e3ad29eeed4060
- C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt
  Filesize: 26B
  MD5: 2892eee3e20e19a9ba77be6913508a54
  SHA1: 7c4ef82faa28393c739c517d706ac6919a8ffc49
  SHA256: 4f110831bb434c728a6895190323d159df6d531be8c4bb7109864eeb7c989ff2
  SHA512: b13a336db33299ab3405e13811e3ed9e5a18542e5d835f2b7130a6ff4c22f74272002fc43e7d9f94ac3aa6a4d53518f87f25d90c29e0d286b6470667ea9336ae
- Filesize: 1KB
  MD5: ec74122f6fd3f869cf0cfbc98a0a8dc9
  SHA1: 58026cb1064fe5a5892ba3715487b23ec2d4ef6f
  SHA256: 9fb141bbafadfdded2fd8a6b6b81ae1ec6ce4ff91a9e0d348e29789a5e88b6b3
  SHA512: 81a1098fa04ae8b7f25097d476bcf4999c71601f88820f07da054b959e2e161e2225e92aaa8b9aa4506f6faf095a5c3ac35b92837194c51c3636cd984770eb1e
- Filesize: 1KB
  MD5: 4ed6cfe2ee701b4810aa1c4caf257292
  SHA1: 71577ebf2a65fd85217089851776d9877211ce51
  SHA256: 73ef4724a16b7be879aa4e0640e9dab66fd1a54478c400dc5c183d428dd02147
  SHA512: 414f5cebbce4d1844e98b219629b9566ecbc087a92ede5838afe9c7b7c700adb21a7bae5b9029319332869a76f1797a9e7118f1079525b1a10b31464343b0656
- Filesize: 372B
  MD5: be502a6260a59da953f60faee473ae7c
  SHA1: db4452f1a073ed3e6ea74e32e93320bd495f93f7
  SHA256: cecc27be0f978aa7bd90de91520a7dc27017a6bf2dffc3fd7da2cc846bd68f23
  SHA512: 5f8ed961e5bb207d1c43b2a51e7de4fce5d3cb195927c0a184f9a3da19f724a6a4022e7516bdeb511393b70513a13f2bb9104c91f77344480166475fe007e837
- Filesize: 372B
  MD5: eebcb222f8efbe7976313bc00227973b
  SHA1: 4235a6e058818e7c203e1431832dd0a0675c00e4
  SHA256: a893590cfd11a329a8e8789a139c3ad48af73dabdc2f0b5cf6eaab00acd0ffe3
  SHA512: 7aa78a96a951000b45b2f588cd22a4aea9a3d7118692226d8b7f106157b5627c02bf2016f468de718755d82a41876ac7b8ebec63ac244e521b23195578d3bef9
- Filesize: 204B
  MD5: c2cb7b5851089aab5dc28385b06304b0
  SHA1: 2ee352bdf05e3f2615e270a05b2376206a928977
  SHA256: a92bad4de9d55f9430d32ce9ad67ab77c71bd5e1c1a65ab2424e6ce819fa7024
  SHA512: 9d0fb0d1b2c5f1abc796b71c01bc83cefba75bfb2d359d9cb832b9a4c2455a237f586e6ff14ac6422bdce38ea69956be8a408b37c286a22ab69b2e6df932e746
- Filesize: 16B
  MD5: 6752a1d65b201c13b62ea44016eb221f
  SHA1: 58ecf154d01a62233ed7fb494ace3c3d4ffce08b
  SHA256: 0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
  SHA512: 9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389
- Filesize: 11KB
  MD5: 3c1cd8773ce976c3bd5d5dafb4c8cb39
  SHA1: a96800b69c90bf3adb49befa247b156d9ad8d8c2
  SHA256: 288abe34336ee3be39b55ac8dd651d2f116866df6d32a8f2c56d393630c84506
  SHA512: 9cc4a68bce46b84481b5fcc88f8fbc89269445fa6b10e1029eaa2728face045ce11db67ebc88673b35f5777cdcd712e1b44e2cf23e0b5c475335478604059d13
- Filesize: 11KB
  MD5: 55702124f0569b9e0baae44c33d36486
  SHA1: f82520d770c85ccabce9d482146c7afeda1e7e37
  SHA256: c9c0746b15ea651e0f479f5a631404f1478c62418e664283a50eb79ecb74ab92
  SHA512: 0456220bbed1b5d8d6dbd38133998d876e493ddf5279f87ce5d8ee2f15dca99739463da4d8d81a6cf01023cea74db95f77e5d0cc558175fb5da881680cdbde9d
- Filesize: 11KB
  MD5: b4d4b98befbaa98ce8785f1902dbad4c
  SHA1: d160413a2227902690f09a2f06c4cb9224aaa085
  SHA256: 6240dd99d68da5024587e4691f8533043492ad5a2dbdffe30ba65f60226142b7
  SHA512: 03a90d5eb585a20505140f9528fc221ffba4d45794b1f0ad33ab606729494e24931d1264878823c8dfc1e7531425b2e792803377bac763910f311d1d7be68a98
- Filesize: 10KB
  MD5: 73e3ed8a044852df587bf7d3076d9234
  SHA1: e5d89ccdcb621a5663f19a114188b0ff4bb912f3
  SHA256: 59f46ce8dfa213595ef04f276576161e264a332fd72738cafda33f0e42cd79d5
  SHA512: 2a252299841c5b839c8591b63983b60ec2623f0f944d4c7c532dae6ad231cd1cbdcc7b156600884dee45bfe19808d97e8937f172fca66e46c9f96c2bbf31ec9e
- Filesize: 391KB
  MD5: 66996a076065ebdcdac85ff9637ceae0
  SHA1: 4a25632b66a9d30239a1a77c7e7ba81bb3aee9ce
  SHA256: 16ca09ad70561f413376ad72550ae5664c89c6a76c85c872ffe2cb1e7f49e2aa
  SHA512: e42050e799cbee5aa4f60d4e2f42aae656ff98af0548308c8d7f0d681474a9da3ad7e89694670449cdfde30ebe2c47006fbdc57cfb6b357c82731aeebc50901c
- Filesize: 73KB
  MD5: 81e5c8596a7e4e98117f5c5143293020
  SHA1: 45b7fe0989e2df1b4dfd227f8f3b73b6b7df9081
  SHA256: 7d126ed85df9705ec4f38bd52a73b621cf64dd87a3e8f9429a569f3f82f74004
  SHA512: 05b1e9eef13f7c140eb21f6dcb705ee3aaafabe94857aa86252afa4844de231815078a72e63d43725f6074aa5fefe765feb93a6b9cd510ee067291526bb95ec6
- Filesize: 40KB
  MD5: 48c00a7493b28139cbf197ccc8d1f9ed
  SHA1: a25243b06d4bb83f66b7cd738e79fccf9a02b33b
  SHA256: 905cb1a15eccaa9b79926ee7cfe3629a6f1c6b24bdd6cea9ccb9ebc9eaa92ff7
  SHA512: c0b0a410ded92adc24c0f347a57d37e7465e50310011a9d636c5224d91fbc5d103920ab5ef86f29168e325b189d2f74659f153595df10eef3a9d348bb595d830
-
Filesize
160KB
MD5237e13b95ab37d0141cf0bc585b8db94
SHA1102c6164c21de1f3e0b7d487dd5dc4c5249e0994
SHA256d19b6b7c57bcee7239526339e683f62d9c2f9690947d0a446001377f0b56103a
SHA5129d0a68a806be25d2eeedba8be1acc2542d44ecd8ba4d9d123543d0f7c4732e1e490bad31cad830f788c81395f6b21d5a277c0bed251c9854440a662ac36ac4cb
-
Filesize
60KB
MD5a334bbf5f5a19b3bdb5b7f1703363981
SHA16cb50b15c0e7d9401364c0fafeef65774f5d1a2c
SHA256c33beaba130f8b740dddb9980fe9012f9322ac6e94f36a6aa6086851c51b98de
SHA5121fa170f643054c0957ed1257c4d7778976c59748670afa877d625aaa006325404bc17c41b47be2906dd3f1e229870d54eb7aba4a412de5adedbd5387e24abf46
-
Filesize
64KB
MD57c5aefb11e797129c9e90f279fbdf71b
SHA1cb9d9cbfbebb5aed6810a4e424a295c27520576e
SHA256394a17150b8774e507b8f368c2c248c10fce50fc43184b744e771f0e79ecafed
SHA512df59a30704d62fa2d598a5824aa04b4b4298f6192a01d93d437b46c4f907c90a1bad357199c51a62beb87cd724a30af55a619baef9ecf2cba032c5290938022a
-
Filesize
60KB
MD54fbbaac42cf2ecb83543f262973d07c0
SHA1ab1b302d7cce10443dfc14a2eba528a0431e1718
SHA2566550582e41fc53b8a7ccdf9ac603216937c6ff2a28e9538610adb7e67d782ab5
SHA5124146999b4bec85bcd2774ac242cb50797134e5180a3b3df627106cdfa28f61aeea75a7530094a9b408bc9699572cae8cf998108bde51b57a6690d44f0b34b69e
-
Filesize
36KB
MD5b4ac608ebf5a8fdefa2d635e83b7c0e8
SHA1d92a2861d5d1eb67ab434ff2bd0a11029b3bd9a9
SHA2568414dfe399813b7426c235ba1e625bd2b5635c8140da0d0cfc947f6565fe415f
SHA5122c42daade24c3ff01c551a223ee183301518357990a9cb2cc2dd7bf411b7059ff8e0bf1d1aee2d268eca58db25902a8048050bdb3cb48ae8be1e4c2631e3d9b4
-
Filesize
60KB
MD59fafb9d0591f2be4c2a846f63d82d301
SHA11df97aa4f3722b6695eac457e207a76a6b7457be
SHA256e78e74c24d468284639faf9dcfdba855f3e4f00b2f26db6b2c491fa51da8916d
SHA512ac0d97833beec2010f79cb1fbdb370d3a812042957f4643657e15eed714b9117c18339c737d3fd95011f873cda46ae195a5a67ae40ff2a5bcbee54d1007f110a
-
Filesize
268KB
MD55c91bf20fe3594b81052d131db798575
SHA1eab3a7a678528b5b2c60d65b61e475f1b2f45baa
SHA256e8ce546196b6878a8c34da863a6c8a7e34af18fb9b509d4d36763734efa2d175
SHA512face50db7025e0eb2e67c4f8ec272413d13491f7438287664593636e3c7e3accaef76c3003a299a1c5873d388b618da9eaede5a675c91f4c1f570b640ac605d6
-
Filesize
28KB
MD50cbf0f4c9e54d12d34cd1a772ba799e1
SHA140e55eb54394d17d2d11ca0089b84e97c19634a7
SHA2566b0b57e5b27d901f4f106b236c58d0b2551b384531a8f3dad6c06ed4261424b1
SHA512bfdb6e8387ffbba3b07869cb3e1c8ca0b2d3336aa474bd19a35e4e3a3a90427e49b4b45c09d8873d9954d0f42b525ed18070b949c6047f4e4cdb096f9c5ae5d5
-
Filesize
8KB
MD5466d35e6a22924dd846a043bc7dd94b8
SHA135e5b7439e3d49cb9dc57e7ef895a3cd8d80fb10
SHA256e4ccf06706e68621bb69add3dd88fed82d30ad8778a55907d33f6d093ac16801
SHA51223b64ed68a8f1df4d942b5a08a6b6296ec5499a13bb48536e8426d9795771dbcef253be738bf6dc7158a5815f8dcc65feb92fadf89ea8054544bb54fc83aa247
-
Filesize
2KB
MD5e4a499b9e1fe33991dbcfb4e926c8821
SHA1951d4750b05ea6a63951a7667566467d01cb2d42
SHA25649e6b848f5a708d161f795157333d7e1c7103455a2f47f50895683ef6a1abe4d
SHA512a291bb986293197a16f75b2473297286525ac5674c08a92c87b5cc1f0f2e62254ea27d626b30898e7857281bdb502f188c365311c99bda5c2dd76da0c82c554a
-
Filesize
28KB
MD5f1656b80eaae5e5201dcbfbcd3523691
SHA16f93d71c210eb59416e31f12e4cc6a0da48de85b
SHA2563f8adc1e332dd5c252bbcf92bf6079b38a74d360d94979169206db34e6a24cd2
SHA512e9c216b9725bd419414155cfdd917f998aa41c463bc46a39e0c025aa030bc02a60c28ac00d03643c24472ffe20b8bbb5447c1a55ff07db3a41d6118b647a0003
-
Filesize
7KB
MD5b127d9187c6dbb1b948053c7c9a6811f
SHA1b3073c8cad22c87dd9b8f76b6ffd0c4d0a2010d9
SHA256bd1295d19d010d4866c9d6d87877913eee69e279d4d089e5756ba285f3424e00
SHA51288e447dd4db40e852d77016cfd24e09063490456c1426a779d33d8a06124569e26597bb1e46a3a2bbf78d9bffee46402c41f0ceb44970d92c69002880ddc0476
-
Filesize
52KB
MD5316999655fef30c52c3854751c663996
SHA1a7862202c3b075bdeb91c5e04fe5ff71907dae59
SHA256ea4ca740cd60d2c88280ff8115bf354876478ef27e9e676d8b66601b4e900ba0
SHA5125555673e9863127749fc240f09cf3fb46e2019b459ad198ba1dc356ba321c41e4295b6b2e2d67079421d7e6d2fb33542b81b0c7dae812fe8e1a87ded044edd44
-
Filesize
13KB
MD57070b77ed401307d2e9a0f8eaaaa543b
SHA1975d161ded55a339f6d0156647806d817069124d
SHA256225d227abbd45bf54d01dfc9fa6e54208bf5ae452a32cc75b15d86456a669712
SHA5121c2257c9f99cf7f794b30c87ed42e84a23418a74bd86d12795b5175439706417200b0e09e8214c6670ecd22bcbe615fcaa23a218f4ca822f3715116324ad8552
-
Filesize
2KB
MD57210d5407a2d2f52e851604666403024
SHA1242fde2a7c6a3eff245f06813a2e1bdcaa9f16d9
SHA256337d2fb5252fc532b7bf67476b5979d158ca2ac589e49c6810e2e1afebe296af
SHA5121755a26fa018429aea00ebcc786bb41b0d6c4d26d56cd3b88d886b0c0773d863094797334e72d770635ed29b98d4c8c7f0ec717a23a22adef705a1ccf46b3f68
-
Filesize
4KB
MD54be7661c89897eaa9b28dae290c3922f
SHA14c9d25195093fea7c139167f0c5a40e13f3000f2
SHA256e5e9f7c8dbd47134815e155ed1c7b261805eda6fddea6fa4ea78e0e4fb4f7fb5
SHA5122035b0d35a5b72f5ea5d5d0d959e8c36fc7ac37def40fa8653c45a49434cbe5e1c73aaf144cbfbefc5f832e362b63d00fc3157ca8a1627c3c1494c13a308fc7f
-
Filesize
161B
MD5ea7df060b402326b4305241f21f39736
SHA17d58fb4c58e0edb2ddceef4d21581ff9d512fdc2
SHA256e4edc2cb6317ab19ee1a6327993e9332af35cfbebaff2ac7c3f71d43cfcbe793
SHA5123147615add5608d0dce7a8b6efbfb19263c51a2e495df72abb67c6db34f5995a27fde55b5af78bbd5a6468b4065942cad4a4d3cb28ab932aad9b0f835aafe4d0
-
Filesize
46B
MD5f80e36cd406022944558d8a099db0fa7
SHA1fd7e93ca529ed760ff86278fbfa5ba0496e581ce
SHA2567b41e5a6c2dd92f60c38cb4fe09dcbe378c3e99443f7baf079ece3608497bdc7
SHA512436e711ede85a02cd87ea312652ddbf927cf8df776448326b1e974d0a3719a9535952f4d3cc0d3cd4e3551b57231d7e916f317b119ab670e5f47284a90ab59a2
-
Filesize
6.4MB
MD5fba93d8d029e85e0cde3759b7903cee2
SHA1525b1aa549188f4565c75ab69e51f927204ca384
SHA25666f62408dfce7c4a5718d2759f1d35721ca22077398850277d16e1fca87fe764
SHA5127c1441b2e804e925eb5a03e97db620117d3ad4f6981dc020e4e7df4bfc4bd6e414fa3b0ce764481a2cef07eebb2baa87407355bfbe88fab96397d82bd441e6a2
-
MD5
d41d8cd98f00b204e9800998ecf8427e
SHA1da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e