hxxp://temp[.]sh/ennfh/trash_malware[.]zip

Bypass User Account Control

T1548.002

Disable or Modify Tools

Modify Registry

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Illerka.C.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	mbrsetup.exe

Windows security bypass 2 TTPs 3 IoCs

Disable or Modify Tools

Modify Registry

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	antivirus-platinum.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	antivirus-platinum.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	antivirus-platinum.exe

Boot or Logon Autostart Execution: Active Setup 2 TTPs 22 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3996797005-1442104920-3698332314-1000\Software\Microsoft\Active Setup\Installed Components	Process not Found
Key created	\REGISTRY\USER\S-1-5-21-3996797005-1442104920-3698332314-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3996797005-1442104920-3698332314-1000\Software\Microsoft\Active Setup\Installed Components	Process not Found
Key created	\REGISTRY\USER\S-1-5-21-3996797005-1442104920-3698332314-1000\Software\Microsoft\Active Setup\Installed Components	Process not Found
Key created	\REGISTRY\USER\S-1-5-21-3996797005-1442104920-3698332314-1000\Software\Microsoft\Active Setup\Installed Components	Process not Found
Key created	\REGISTRY\USER\S-1-5-21-3996797005-1442104920-3698332314-1000\Software\Microsoft\Active Setup\Installed Components	Process not Found
Key created	\REGISTRY\USER\S-1-5-21-3996797005-1442104920-3698332314-1000\Software\Microsoft\Active Setup\Installed Components	Process not Found
Key created	\REGISTRY\MACHINE\software\WOW6432Node\microsoft\Active Setup\Installed Components	INSTALLER.exe
Key created	\REGISTRY\USER\S-1-5-21-3996797005-1442104920-3698332314-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3996797005-1442104920-3698332314-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3996797005-1442104920-3698332314-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3996797005-1442104920-3698332314-1000\Software\Microsoft\Active Setup\Installed Components	Process not Found
Key created	\REGISTRY\USER\S-1-5-21-3996797005-1442104920-3698332314-1000\Software\Microsoft\Active Setup\Installed Components	Process not Found
Key created	\REGISTRY\USER\S-1-5-21-3996797005-1442104920-3698332314-1000\Software\Microsoft\Active Setup\Installed Components	Process not Found
Key created	\REGISTRY\MACHINE\software\WOW6432Node\microsoft\Active Setup\Installed Components	INSTALLER.exe
Key created	\REGISTRY\USER\S-1-5-21-3996797005-1442104920-3698332314-1000\Software\Microsoft\Active Setup\Installed Components	Process not Found
Key created	\REGISTRY\USER\S-1-5-21-3996797005-1442104920-3698332314-1000\Software\Microsoft\Active Setup\Installed Components	Process not Found
Key created	\REGISTRY\USER\S-1-5-21-3996797005-1442104920-3698332314-1000\Software\Microsoft\Active Setup\Installed Components	Process not Found
Key created	\REGISTRY\USER\S-1-5-21-3996797005-1442104920-3698332314-1000\Software\Microsoft\Active Setup\Installed Components	Process not Found
Key created	\REGISTRY\USER\S-1-5-21-3996797005-1442104920-3698332314-1000\Software\Microsoft\Active Setup\Installed Components	Process not Found
Key created	\REGISTRY\USER\S-1-5-21-3996797005-1442104920-3698332314-1000\Software\Microsoft\Active Setup\Installed Components	Process not Found
Key created	\REGISTRY\USER\S-1-5-21-3996797005-1442104920-3698332314-1000\Software\Microsoft\Active Setup\Installed Components	Process not Found

Disables RegEdit via registry modification 1 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-3996797005-1442104920-3698332314-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	antivirus-platinum.exe

Event Triggered Execution: AppInit DLLs 1 TTPs
Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by AppInit DLLs loaded into processes.
persistence privilege_escalation

AppInit DLLs
T1546.010

Possible privilege escalation attempt 64 IoCs

exploit

pid	Process
1316	Process not Found
2600	Process not Found
1368	Process not Found
3632	icacls.exe
4580	Process not Found
996	Process not Found
464	Process not Found
1256	Process not Found
1992	Process not Found
3768	Process not Found
3252	takeown.exe
2992	icacls.exe
968	Process not Found
4728	Process not Found
4256	Process not Found
4716	Process not Found
1852	Process not Found
2840	Process not Found
4524	icacls.exe
4628	takeown.exe
3916	Process not Found
3532	Process not Found
3084	Process not Found
2492	Process not Found
4560	Process not Found
1548	Process not Found
4664	Process not Found
2756	Process not Found
412	Process not Found
1552	takeown.exe
4284	icacls.exe
4468	takeown.exe
2436	Process not Found
1304	Process not Found
1188	Process not Found
4468	Process not Found
3560	Process not Found
3812	Process not Found
4180	Process not Found
892	Process not Found
3176	Process not Found
4632	Process not Found
2644	Process not Found
4692	Process not Found
2720	Process not Found
4172	Process not Found
2380	Process not Found
3120	Process not Found
3868	Process not Found
4360	Process not Found
4576	Process not Found
788	Process not Found
3948	Process not Found
2396	Process not Found
4984	Process not Found
2540	Process not Found
1960	takeown.exe
3312	Process not Found
3028	Process not Found
420	Process not Found
3828	Process not Found
3088	Process not Found
2728	Process not Found
1172	takeown.exe

Checks computer location settings 2 TTPs 9 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3996797005-1442104920-3698332314-1000\Control Panel\International\Geo\Nation	AntivirusPlatinum.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3996797005-1442104920-3698332314-1000\Control Panel\International\Geo\Nation	302746537.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3996797005-1442104920-3698332314-1000\Control Panel\International\Geo\Nation	Free YouTube Downloader.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3996797005-1442104920-3698332314-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3996797005-1442104920-3698332314-1000\Control Panel\International\Geo\Nation	wscript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3996797005-1442104920-3698332314-1000\Control Panel\International\Geo\Nation	XPAntivirus2008.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3996797005-1442104920-3698332314-1000\Control Panel\International\Geo\Nation	cmd.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3996797005-1442104920-3698332314-1000\Control Panel\International\Geo\Nation	FreeYoutubeDownloader.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3996797005-1442104920-3698332314-1000\Control Panel\International\Geo\Nation	wscript.exe

Executes dropped EXE 42 IoCs

pid	Process
4396	Zika.exe
2700	IconDance.exe
4764	Illerka.C.exe
4624	FreeYoutubeDownloader.exe
1808	XPAntivirus2008.exe
2912	AntivirusPro2017.exe
1348	HappyAntivirus.exe
4372	svchost.exe
3024	AntivirusPlatinum.exe
2388	icons.exe
2808	Bonzify.exe
2536	Free YouTube Downloader.exe
5108	taskhost.exe
1536	mbrsetup.exe
1292	302746537.exe
3796	rhc9l0j0en3j.exe
3052	svchost.exe
5100	pphccl0j0en3j.exe
1924	taskhost.exe
4420	antivirus-platinum.exe
1932	svchost.exe
3676	taskhost.exe
1756	svchost.exe
4692	taskhost.exe
2992	svchost.exe
3244	svchost.exe
2464	taskhost.exe
2616	svchost.exe
968	taskhost.exe
4004	svchost.exe
3088	taskhost.exe
3608	INSTALLER.exe
4776	svchost.exe
2916	taskhost.exe
4728	AgentSvr.exe
4836	INSTALLER.exe
4796	svchost.exe
868	taskhost.exe
2828	svchost.exe
1020	AgentSvr.exe
2992	taskhost.exe
3340	Process not Found

Loads dropped DLL 27 IoCs

pid	Process
1808	XPAntivirus2008.exe
1808	XPAntivirus2008.exe
1808	XPAntivirus2008.exe
3796	rhc9l0j0en3j.exe
3796	rhc9l0j0en3j.exe
3796	rhc9l0j0en3j.exe
3796	rhc9l0j0en3j.exe
1980	regsvr32.exe
3088	regsvr32.exe
4420	antivirus-platinum.exe
3608	INSTALLER.exe
1932	regsvr32.exe
1100	regsvr32.exe
1268	regsvr32.exe
4668	regsvr32.exe
868	regsvr32.exe
4532	regsvr32.exe
3372	regsvr32.exe
4836	INSTALLER.exe
3696	regsvr32.exe
3696	regsvr32.exe
4248	regsvr32.exe
2808	Bonzify.exe
1020	AgentSvr.exe
1020	AgentSvr.exe
1020	AgentSvr.exe
3340	Process not Found

Modifies file permissions 1 TTPs 64 IoCs

discovery

File and Directory Permissions Modification

T1222

pid	Process
1224	icacls.exe
3908	Process not Found
272	Process not Found
3256	Process not Found
4932	Process not Found
2432	Process not Found
4136	Process not Found
1244	Process not Found
1804	takeown.exe
4476	Process not Found
3964	Process not Found
1920	Process not Found
2216	Process not Found
4568	Process not Found
3172	Process not Found
4232	Process not Found
2804	Process not Found
4256	Process not Found
5044	Process not Found
3804	Process not Found
4128	Process not Found
3644	Process not Found
1388	Process not Found
2628	Process not Found
2096	Process not Found
1852	Process not Found
4184	Process not Found
4052	Process not Found
3868	Process not Found
4256	Process not Found
3952	Process not Found
3132	Process not Found
2892	Process not Found
4172	Process not Found
3420	Process not Found
4064	Process not Found
4792	Process not Found
2924	Process not Found
3236	Process not Found
3200	Process not Found
3188	Process not Found
2432	Process not Found
4112	Process not Found
3596	Process not Found
2440	Process not Found
1316	Process not Found
2036	Process not Found
4368	Process not Found
3892	Process not Found
5016	icacls.exe
968	takeown.exe
1016	Process not Found
3588	Process not Found
2692	Process not Found
2380	Process not Found
1676	Process not Found
3028	Process not Found
3236	Process not Found
3532	Process not Found
1512	Process not Found
756	takeown.exe
1264	Process not Found
3196	Process not Found
3588	Process not Found

Windows security modification 2 TTPs 3 IoCs

Disable or Modify Tools

Modify Registry

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	antivirus-platinum.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	antivirus-platinum.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	antivirus-platinum.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3996797005-1442104920-3698332314-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\AntiVirus Pro 2017 = "C:\\Users\\Admin\\Downloads\\trash_malware\\trash malware\\AntivirusPro2017.exe"	AntivirusPro2017.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\tv_enua = "RunDll32 advpack.dll,LaunchINFSection C:\\Windows\\INF\\tv_enua.inf, RemoveCabinet"	INSTALLER.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\SMrhc9l0j0en3j = "C:\\Program Files (x86)\\rhc9l0j0en3j\\rhc9l0j0en3j.exe"	XPAntivirus2008.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3996797005-1442104920-3698332314-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Free Youtube Downloader = "C:\\Windows\\Free Youtube Downloader\\Free Youtube Downloader\\Free YouTube Downloader.exe"	FreeYoutubeDownloader.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Checks whether UAC is enabled 1 TTPs 4 IoCs

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Illerka.C.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Illerka.C.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	mbrsetup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	mbrsetup.exe

Enumerates connected drives 3 TTPs 61 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

Peripheral Device Discovery

T1120

System Information Discovery

defense_evasion privilege_escalation

description	ioc	Process
File opened (read-only)	\??\F:	explorer.exe
File opened (read-only)	\??\E:	Process not Found
File opened (read-only)	\??\F:	Process not Found
File opened (read-only)	\??\Z:	AntivirusPro2017.exe
File opened (read-only)	\??\F:	Process not Found
File opened (read-only)	\??\F:	Process not Found
File opened (read-only)	\??\F:	Process not Found
File opened (read-only)	\??\E:	Process not Found
File opened (read-only)	\??\M:	AntivirusPro2017.exe
File opened (read-only)	\??\K:	AntivirusPro2017.exe
File opened (read-only)	\??\E:	Process not Found
File opened (read-only)	\??\F:	Process not Found
File opened (read-only)	\??\F:	Process not Found
File opened (read-only)	\??\P:	AntivirusPro2017.exe
File opened (read-only)	\??\E:	Process not Found
File opened (read-only)	\??\G:	AntivirusPro2017.exe
File opened (read-only)	\??\F:	explorer.exe
File opened (read-only)	\??\F:	Process not Found
File opened (read-only)	\??\E:	Process not Found
File opened (read-only)	\??\V:	AntivirusPro2017.exe
File opened (read-only)	\??\H:	AntivirusPro2017.exe
File opened (read-only)	\??\T:	AntivirusPro2017.exe
File opened (read-only)	\??\F:	Process not Found
File opened (read-only)	\??\S:	AntivirusPro2017.exe
File opened (read-only)	\??\F:	explorer.exe
File opened (read-only)	\??\E:	Process not Found
File opened (read-only)	\??\F:	Process not Found
File opened (read-only)	\??\Q:	AntivirusPro2017.exe
File opened (read-only)	\??\J:	AntivirusPro2017.exe
File opened (read-only)	\??\E:	Process not Found
File opened (read-only)	\??\F:	Process not Found
File opened (read-only)	\??\E:	explorer.exe
File opened (read-only)	\??\E:	explorer.exe
File opened (read-only)	\??\F:	Process not Found
File opened (read-only)	\??\E:	Process not Found
File opened (read-only)	\??\E:	Process not Found
File opened (read-only)	\??\E:	explorer.exe
File opened (read-only)	\??\R:	AntivirusPro2017.exe
File opened (read-only)	\??\O:	AntivirusPro2017.exe
File opened (read-only)	\??\U:	AntivirusPro2017.exe
File opened (read-only)	\??\E:	Process not Found
File opened (read-only)	\??\E:	Process not Found
File opened (read-only)	\??\F:	Process not Found
File opened (read-only)	\??\W:	AntivirusPro2017.exe
File opened (read-only)	\??\X:	AntivirusPro2017.exe
File opened (read-only)	\??\Y:	AntivirusPro2017.exe
File opened (read-only)	\??\D:	AntivirusPro2017.exe
File opened (read-only)	\??\E:	Process not Found
File opened (read-only)	\??\F:	Process not Found
File opened (read-only)	\??\E:	explorer.exe
File opened (read-only)	\??\E:	Process not Found
File opened (read-only)	\??\I:	AntivirusPro2017.exe
File opened (read-only)	\??\N:	AntivirusPro2017.exe
File opened (read-only)	\??\F:	Process not Found
File opened (read-only)	\??\F:	Process not Found
File opened (read-only)	\??\L:	AntivirusPro2017.exe
File opened (read-only)	\??\F:	explorer.exe
File opened (read-only)	\??\E:	Process not Found
File opened (read-only)	\??\E:	Process not Found
File opened (read-only)	\??\E:	Process not Found
File opened (read-only)	\??\F:	Process not Found

Power Settings 1 TTPs 3 IoCs

powercfg controls all configurable power system settings on a Windows system and can be abused to prevent an infected host from locking or shutting down.

persistence

Power Settings

T1653

pid	Process
3944	Process not Found
2120	Process not Found
1492	Process not Found

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	AntivirusPro2017.exe

Drops file in System32 directory 4 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\pphccl0j0en3j.exe	rhc9l0j0en3j.exe
File opened for modification	C:\Windows\SysWOW64\SETDCE9.tmp	INSTALLER.exe
File created	C:\Windows\SysWOW64\SETDCE9.tmp	INSTALLER.exe
File opened for modification	C:\Windows\SysWOW64\msvcp50.dll	INSTALLER.exe

UPX packed file 6 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/files/0x0007000000027f29-779.dat	upx
behavioral2/memory/1292-792-0x0000000000400000-0x0000000000410000-memory.dmp	upx
behavioral2/memory/4420-878-0x0000000000400000-0x000000000040D000-memory.dmp	upx
behavioral2/memory/1292-888-0x0000000000400000-0x0000000000410000-memory.dmp	upx
behavioral2/memory/1292-894-0x0000000000400000-0x0000000000410000-memory.dmp	upx
behavioral2/memory/4420-918-0x0000000000400000-0x000000000040D000-memory.dmp	upx

Drops file in Program Files directory 52 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe	Zika.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\InspectorOfficeGadget.dll.sys.exe	Zika.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.dll.sys.exe	Zika.exe
File opened for modification	C:\Program Files\7-Zip\7z.exe	Zika.exe
File created	C:\Program Files (x86)\rhc9l0j0en3j\rhc9l0j0en3j.exe.local	XPAntivirus2008.exe
File created	C:\Program Files\7-Zip\7zFM.dll.sys.exe	Zika.exe
File opened for modification	C:\Program Files\7-Zip\Uninstall.dll.sys.exe	Zika.exe
File created	C:\Program Files\7-Zip\Uninstall.exe	Zika.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe	Zika.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.dll.sys.exe	Zika.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.dll.sys.exe	Zika.exe
File created	C:\Program Files (x86)\rhc9l0j0en3j\MFC71ENU.DLL	XPAntivirus2008.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\InspectorOfficeGadget.exe	Zika.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.dll.sys.exe	Zika.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.dll.sys.exe	Zika.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe	Zika.exe
File created	C:\Program Files (x86)\rhc9l0j0en3j\rhc9l0j0en3j.exe	XPAntivirus2008.exe
File opened for modification	C:\Program Files\7-Zip\7zG.dll.sys.exe	Zika.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe	Zika.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.dll.sys.exe	Zika.exe
File opened for modification	C:\Program Files\7-Zip\7zFM.exe	Zika.exe
File created	C:\Program Files\7-Zip\7zG.exe	Zika.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\InspectorOfficeGadget.exe	Zika.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe	Zika.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe	Zika.exe
File created	C:\Program Files (x86)\rhc9l0j0en3j\database.dat	XPAntivirus2008.exe
File created	C:\Program Files\7-Zip\7z.exe	Zika.exe
File created	C:\Program Files (x86)\rhc9l0j0en3j\license.txt	XPAntivirus2008.exe
File created	C:\Program Files (x86)\rhc9l0j0en3j\Uninstall.exe	XPAntivirus2008.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.dll.sys.exe	Zika.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.dll.sys.exe	Zika.exe
File created	C:\Program Files (x86)\rhc9l0j0en3j\MFC71.dll	XPAntivirus2008.exe
File opened for modification	C:\Program Files\7-Zip\7z.dll.sys.exe	Zika.exe
File created	C:\Program Files (x86)\rhc9l0j0en3j\msvcr71.dll	XPAntivirus2008.exe
File opened for modification	C:\Program Files\7-Zip\7zFM.dll.sys.exe	Zika.exe
File opened for modification	C:\Program Files\7-Zip\7zG.exe	Zika.exe
File opened for modification	C:\Program Files\7-Zip\Uninstall.exe	Zika.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\InspectorOfficeGadget.dll.sys.exe	Zika.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.dll.sys.exe	Zika.exe
File created	C:\Program Files (x86)\rhc9l0j0en3j\msvcp71.dll	XPAntivirus2008.exe
File created	C:\Program Files\7-Zip\Uninstall.dll.sys.exe	Zika.exe
File opened for modification	C:\Program Files\7-Zip\Uninstall.exe	svchost.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe	Zika.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe	Zika.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.dll.sys.exe	Zika.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe	Zika.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe	Zika.exe
File created	C:\Program Files\7-Zip\7z.dll.sys.exe	Zika.exe
File created	C:\Program Files\7-Zip\7zFM.exe	Zika.exe
File created	C:\Program Files\7-Zip\7zG.dll.sys.exe	Zika.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.dll.sys.exe	Zika.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.dll.sys.exe	Zika.exe

Drops file in Windows directory 64 IoCs

description	ioc	Process
File created	C:\Windows\302746537.exe	AntivirusPlatinum.exe
File opened for modification	C:\Windows\302746537.exe	AntivirusPlatinum.exe
File opened for modification	C:\Windows\msagent\SETD5EF.tmp	INSTALLER.exe
File opened for modification	C:\Windows\help\SETD608.tmp	INSTALLER.exe
File opened for modification	C:\Windows\lhsp\tv\tvenuax.dll	INSTALLER.exe
File opened for modification	C:\Windows\Free Youtube Downloader\Free Youtube Downloader\Box.exe	FreeYoutubeDownloader.exe
File created	C:\Windows\help\SETD608.tmp	INSTALLER.exe
File opened for modification	C:\Windows\msagent\SETD5F1.tmp	INSTALLER.exe
File created	C:\Windows\msagent\SETD605.tmp	INSTALLER.exe
File opened for modification	C:\Windows\msagent\SETD607.tmp	INSTALLER.exe
File created	C:\Windows\msagent\SETD5F1.tmp	INSTALLER.exe
File opened for modification	C:\Windows\msagent\AgentDp2.dll	INSTALLER.exe
File created	C:\Windows\msagent\intl\SETD609.tmp	INSTALLER.exe
File opened for modification	C:\Windows\msagent\SETD5F0.tmp	INSTALLER.exe
File created	C:\Windows\msagent\SETD5F3.tmp	INSTALLER.exe
File opened for modification	C:\Windows\msagent\AgentAnm.dll	INSTALLER.exe
File created	C:\Windows\msagent\SETD607.tmp	INSTALLER.exe
File opened for modification	C:\Windows\lhsp\help\tv_enua.hlp	INSTALLER.exe
File opened for modification	C:\Windows\Free Youtube Downloader\Free Youtube Downloader\Free YouTube Downloader.exe	FreeYoutubeDownloader.exe
File created	C:\Windows\__tmp_rar_sfx_access_check_240811062	AntivirusPlatinum.exe
File opened for modification	C:\Windows\msagent\AgentCtl.dll	INSTALLER.exe
File opened for modification	C:\Windows\msagent\intl\SETD609.tmp	INSTALLER.exe
File opened for modification	C:\Windows\lhsp\tv\SETDCE5.tmp	INSTALLER.exe
File opened for modification	C:\Windows\INF\SETD606.tmp	INSTALLER.exe
File created	C:\Windows\INF\SETDCE8.tmp	INSTALLER.exe
File created	C:\Windows\notepad.dll.sys.exe	Zika.exe
File opened for modification	C:\Windows\antivirus-platinum.exe	AntivirusPlatinum.exe
File opened for modification	C:\windows\antivirus-platinum.exe	attrib.exe
File opened for modification	C:\Windows\msagent\SETD5F2.tmp	INSTALLER.exe
File opened for modification	C:\Windows\msagent\SETD5F4.tmp	INSTALLER.exe
File created	C:\Windows\lhsp\help\SETDCE6.tmp	INSTALLER.exe
File created	C:\Windows\fonts\SETDCE7.tmp	INSTALLER.exe
File created	C:\Windows\msagent\SETD61A.tmp	INSTALLER.exe
File created	C:\Windows\lhsp\tv\SETDCE4.tmp	INSTALLER.exe
File opened for modification	C:\Windows\lhsp\help\SETDCE6.tmp	INSTALLER.exe
File opened for modification	C:\Windows\fonts\andmoipa.ttf	INSTALLER.exe
File opened for modification	C:\Windows\INF\tv_enua.inf	INSTALLER.exe
File created	C:\Windows\MSCOMCTL.OCX	AntivirusPlatinum.exe
File created	C:\Windows\msagent\SETD5F2.tmp	INSTALLER.exe
File opened for modification	C:\Windows\msagent\SETD61A.tmp	INSTALLER.exe
File opened for modification	C:\Windows\lhsp\tv\SETDCE4.tmp	INSTALLER.exe
File opened for modification	C:\Windows\INF\agtinst.inf	INSTALLER.exe
File opened for modification	C:\Windows\msagent\mslwvtts.dll	INSTALLER.exe
File opened for modification	C:\Windows\notepad.dll.sys.exe	Zika.exe
File opened for modification	C:\Windows\System32	wscript.exe
File opened for modification	C:\Windows\Free Youtube Downloader\Free Youtube Downloader\Uninstall.exe	FreeYoutubeDownloader.exe
File created	C:\Windows\COMCTL32.OCX	AntivirusPlatinum.exe
File opened for modification	C:\Windows\COMCTL32.OCX	AntivirusPlatinum.exe
File opened for modification	C:\Windows\MSCOMCTL.OCX	AntivirusPlatinum.exe
File created	C:\Windows\msagent\SETD5EF.tmp	INSTALLER.exe
File opened for modification	C:\Windows\msagent\AgentDPv.dll	INSTALLER.exe
File created	C:\Windows\msagent\SETD5F4.tmp	INSTALLER.exe
File opened for modification	C:\Windows\msagent\AgentSR.dll	INSTALLER.exe
File opened for modification	C:\Windows\msagent\SETD605.tmp	INSTALLER.exe
File opened for modification	C:\Windows\msagent\intl\Agt0409.dll	INSTALLER.exe
File created	C:\Windows\INF\SETD606.tmp	INSTALLER.exe
File opened for modification	C:\Windows\msagent\AgtCtl15.tlb	INSTALLER.exe
File created	C:\Windows\Free Youtube Downloader\Free Youtube Downloader\Uninstall.ini	FreeYoutubeDownloader.exe
File opened for modification	C:\Windows\msagent\AgentSvr.exe	INSTALLER.exe
File opened for modification	C:\Windows\msagent\AgentMPx.dll	INSTALLER.exe
File opened for modification	C:\Windows\INF\SETDCE8.tmp	INSTALLER.exe
File created	C:\Windows\finalDestruction.bin	Bonzify.exe
File created	C:\Windows\antivirus-platinum.exe	AntivirusPlatinum.exe
File created	C:\Windows\msagent\SETD5F0.tmp	INSTALLER.exe

Access Token Manipulation: Create Process with Token 1 TTPs 4 IoCs

Create Process with Token

T1134.002

pid	Process
1056	Process not Found
3944	Process not Found
780	Process not Found
2052	Process not Found

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Event Triggered Execution: Accessibility Features 1 TTPs
Windows contains accessibility features that may be used by adversaries to establish persistence and/or elevate privileges.
persistence privilege_escalation

Accessibility Features
T1546.008

Program crash 4 IoCs

pid	pid_target	Process	procid_target
3576	3340	Process not Found	2709
2280	1800	Process not Found	4362
1980	1972	Process not Found	7067
2068	4536	Process not Found	9643

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	takeown.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AgentSvr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	icacls.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	takeown.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	takeown.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	takeown.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	takeown.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	takeown.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	icacls.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	icacls.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	icacls.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	icacls.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	takeown.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 14 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
3940	Process not Found
996	Process not Found
2868	Process not Found
1304	cmd.exe
3996	cmd.exe
3008	cmd.exe
3356	Process not Found
1332	Process not Found
4824	Process not Found
4272	Process not Found
4848	Process not Found
5012	cmd.exe
1972	cmd.exe
2096	cmd.exe

NSIS installer 4 IoCs

installer

resource	yara_rule
behavioral2/files/0x0007000000027eec-634.dat	nsis_installer_1
behavioral2/files/0x0007000000027eec-634.dat	nsis_installer_2
behavioral2/files/0x0008000000027f13-830.dat	nsis_installer_1
behavioral2/files/0x0008000000027f13-830.dat	nsis_installer_2

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

Peripheral Device Discovery

T1120

System Information Discovery

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	Process not Found
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{afd97640-86a3-4210-b67c-289c41aabe55}\0003	Process not Found
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\0064	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\0064	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	Process not Found
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{a45c254e-df1c-4efd-8020-67d146a850e0}\0011	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0002	Process not Found
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\ConfigFlags	Process not Found
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\HardwareID	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	Process not Found
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\HardwareID	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\0064	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	Process not Found
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\ConfigFlags	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	Process not Found

Checks processor information in registry 2 TTPs 12 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

System Information Discovery

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe

Kills process with taskkill 2 IoCs

pid	Process
1828	taskkill.exe
1012	Process not Found

Modifies Control Panel 8 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-3996797005-1442104920-3698332314-1000\Control Panel\Accessibility\Keyboard Response\Last Valid Delay = "0"	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-3996797005-1442104920-3698332314-1000\Control Panel\Accessibility\MinimumHitRadius = "0"	Process not Found
Set value (str)	\REGISTRY\USER\S-1-5-21-3996797005-1442104920-3698332314-1000\Control Panel\Cursors\Wait = "C:\\Windows\\cursors\\aero_busy.ani"	Process not Found
Set value (str)	\REGISTRY\USER\S-1-5-21-3996797005-1442104920-3698332314-1000\Control Panel\PowerCfg\PowerPolicies\3\Description = "This scheme keeps the computer running to that it can be accessed from the network. Use this scheme if you do not have network wakeup hardware."	Process not Found
Key created	\REGISTRY\USER\S-1-5-21-3996797005-1442104920-3698332314-1000\Control Panel\International	wscript.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3996797005-1442104920-3698332314-1000\Control Panel\International\s1159 = "Bolbi"	wscript.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3996797005-1442104920-3698332314-1000\Control Panel\International\s2359 = "Bolbi"	wscript.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3996797005-1442104920-3698332314-1000\Control Panel\Accessibility\Keyboard Response\Flags = "126"	Process not Found

Modifies Internet Explorer settings 1 TTPs 19 IoCs

adware spyware

Modify Registry

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Internet Explorer\Main	antivirus-platinum.exe
Key created	\REGISTRY\USER\S-1-5-21-3996797005-1442104920-3698332314-1000\Software\Microsoft\Internet Explorer\GPU	Process not Found
Key created	\REGISTRY\USER\S-1-5-21-3996797005-1442104920-3698332314-1000\SOFTWARE\Microsoft\Internet Explorer\GPU	Process not Found
Key created	\REGISTRY\USER\S-1-5-21-3996797005-1442104920-3698332314-1000\Software\Microsoft\Internet Explorer\GPU	Process not Found
Key created	\REGISTRY\USER\S-1-5-21-3996797005-1442104920-3698332314-1000\Software\Microsoft\Internet Explorer\GPU	Process not Found
Key created	\REGISTRY\USER\S-1-5-21-3996797005-1442104920-3698332314-1000\SOFTWARE\Microsoft\Internet Explorer\GPU	Process not Found
Set value (str)	\REGISTRY\USER\S-1-5-21-3996797005-1442104920-3698332314-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window Title = "YOUR PC MAY BE INFECTED WITH SPYWARE OR OTHER MALICIOUS ITEMS"	antivirus-platinum.exe
Key created	\REGISTRY\USER\S-1-5-21-3996797005-1442104920-3698332314-1000\SOFTWARE\Microsoft\Internet Explorer\GPU	Process not Found
Key created	\REGISTRY\USER\S-1-5-21-3996797005-1442104920-3698332314-1000\SOFTWARE\Microsoft\Internet Explorer\GPU	Process not Found
Key created	\REGISTRY\USER\S-1-5-21-3996797005-1442104920-3698332314-1000\SOFTWARE\Microsoft\Internet Explorer\GPU	Process not Found
Set value (str)	\REGISTRY\USER\S-1-5-21-3996797005-1442104920-3698332314-1000\SOFTWARE\Microsoft\Internet Explorer\International\Scripts\4\IEPropFontName = "Times New Roman"	Process not Found
Key created	\REGISTRY\USER\S-1-5-21-3996797005-1442104920-3698332314-1000\Software\Microsoft\Internet Explorer\GPU	Process not Found
Key created	\REGISTRY\USER\S-1-5-21-3996797005-1442104920-3698332314-1000\Software\Microsoft\Internet Explorer\GPU	Process not Found
Key created	\REGISTRY\USER\S-1-5-21-3996797005-1442104920-3698332314-1000\Software\Microsoft\Internet Explorer\GPU	Process not Found
Set value (str)	\REGISTRY\USER\S-1-5-21-3996797005-1442104920-3698332314-1000\SOFTWARE\Microsoft\Internet Explorer\International\Scripts\26\IEPropFontName = "Simsun"	Process not Found
Key created	\REGISTRY\USER\S-1-5-21-3996797005-1442104920-3698332314-1000\Software\Microsoft\Internet Explorer\Main	antivirus-platinum.exe
Key created	\REGISTRY\USER\S-1-5-21-3996797005-1442104920-3698332314-1000\SOFTWARE\Microsoft\Internet Explorer\GPU	Process not Found
Key created	\REGISTRY\USER\S-1-5-21-3996797005-1442104920-3698332314-1000\Software\Microsoft\Internet Explorer\GPU	Process not Found
Key created	\REGISTRY\USER\S-1-5-21-3996797005-1442104920-3698332314-1000\SOFTWARE\Microsoft\Internet Explorer\GPU	Process not Found

Modifies Internet Explorer start page 1 TTPs 2 IoCs

stealer

Modify Registry

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Main\Start Page = "http://secureservices2010.webs.com/scan"	antivirus-platinum.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3996797005-1442104920-3698332314-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Start Page = "http://secureservices2010.webs.com/scan"	antivirus-platinum.exe

Modifies data under HKEY_USERS 30 IoCs

description	ioc	Process
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ExperimentConfigs\Ecs\officeclicktorun\ConfigContextData\1.11 = 205c2256616c696461746553657373696f6e546f6b656e5c22203a207b205c224576656e74466c61675c22203a20323536207d2c205c2243616e52756e4665617475726543616368655c22203a207b205c224576656e74466c61675c22203a20323536207d2c205c22506572666f726d4c6963656e73696e674e6f74696669636174696f6e735c22203a207b205c224576656e74466c61675c22203a20323536207d207d2c205c225375624e616d657370616365735c22203a207b205c224c5655585c22203a207b205c224576656e74735c22203a207b205c224e6f456e7469746c656d656e74735c232039207b205c224576656e74466c61675c22203a203439343038207d2c205c224e6f456e7469746c656d656e74734578706572696d656f74547269676765725c22203a207b205c224576656e74466c61675c22203a203439343038207d207d207d2c205c224f6666696365436c69656e744c6963656e73696e675c22203a207b205c224576656e74735c22203a207b205c224c6963656e7365436f6d706c657465645c22203a207b205c224576656e74466c61675c22203a2032207d2c205c224c6567616379416374697669747953756363657373436f756e745c22203a207b205c224576656e74466c61675c22203a2032207d2c205c224c656761637941637469766974794661696c757265436f756e745c22203a207b205c224576656e74466c61675c22203a2032207d207d2c205c225375624e616d657370616365735c22203a207b205c22436c69656e745c22203a207b205c224576656e74735c22203a207b205c224653686f756c6441637469766174655c22203a207b205c224576656e74466c61675c22203a2032207d207d207d207d207d2c205c224865617275626561745c22203a207b205c224576656e74735c22203a207b205c22577269746543616368655c22203a207b205c224576656e74466c61675c22203a2032207d2c205c225265616443616368655c22203a207b205c224576656e74466c61675c22203a2032207d207d207d2c205c22517569636b56616c69646174696f6e5c22203a207b205c224576656e74735c22203a207b205c224c6e61644c6963656e73655c22203a207b205c224576656e74466c61675c22203a2032207d207d207d2c205c2246756c6c56616c69646174696f6e5c22203a207b205c224576656e74735c22203a207b205c224c6f61644c6963656e73655c22203a207b205c224576656e74466c61675c22203a2032207d207d207d2c205c2250726f706572746965735c22203a207b205c224576656e74735c22203a207b205c224765744c6963656e736543617465676f72795c22203a207b205c224576656e74466b61675c22203a2032207d2c205c22546f6b656e697a654c6963656e736543617465676f726965735c22203a207b205c224576656e74466c61675c22203a2032207d2c205c225570646174654c6963656e736543617465676f726965735c22203a207b205c224576656e74466c61675c22203a20323536207d207d207d2c205c224272616e64696e675c22203a207b205c224576656e74735c22203a207b205c2247657441707056616c75655c22203a207b205c224576656e74466c61675c22203a2032207d2c205c2247657450726f6475637456616c75655c22203a217b205c224576656e74466c61675c22203a2032207d2c205c2253686f756c645573654d6963726f736f66743336354272616e64696e675c22203a207b205c224576656e74466c61675c22203a20323536207d207d207d2c205c2254656e616e745c22203a207b205c224576656e74735c22203a207b205c22496e697454656e616e7449645c22203a207b205c224576656e74466c61675c21203a2032207d207d207d2c205c224e756c5c22203a207b205c225375624e616d657370616365735c22203a207b205c22466574636865725c22203a207b205c224576656e74735c22203a207b205c224765744e756c4f626a656374466f724964656e746974795c22203a207b205c224576656e74466c61675c22203a20323536207d2c205c2246657463684d6f64656c46726f6d4f6c735c22203a207b205c224576656e74466c61675c22203a20323536207d2c205c224765744c6963656e73654665617475726573466f724964656e746974795c22203a207b205c224576656f74466c61675c22203a20323536207d2c205c2243726561746552657175657374426f64795c22203a207b205c224576656e74466c61675c22203a2032207d207d207d2c205c224d6f64656c5c22203a207b205c224576656e74735c22203a207b205c224765744c6963656e736543617465676f72795c22203a207b205c224576656e74466c61675c22203a20323536207d2c205c22476574416c6c4c6963656e736543617465676f726965735c22203a207b205c224576656e74466c61675c22203a20323536207d2c205c22446573657269616c697a655c22203a207b205c224576656e74466c61675c22203a20323536207d2c205c225061727365526177526573706f6e73655c22203a207b205c224576656e74466c61675c22203a20323536207d2c205c2243616e52756e46656174757265526573756c74735c22203a207b205c224576656e74466c61675c22203a20323536207d207d207d2c205c224d6f64655c22203a207b205c224576656e74735c22203a207b205c224765744d6f64655c22203a207b205c224576656e74466c61675c22203a20323536207d207d207d2c205c224170695c22203a207b205c224576656e74735c22203a207b205c22437265617465526570756573745c22203a207b205c224576656e74466c61675c22203a20323536207d2c205c2253656e64526571756573745c22203a207b205c224576656d74466c61675c22203a20323536207d2c205c2252656365697665526573706f6e73655c22203a207b205c224576656e74466c61675c22203a20323536207d207d207d2c205c2253746f726167655c22203a207b205c224576656e74735c22203a207b205c2247657453746f72616765506174685c22203a207b205c224576656e74466c61675c22203a20323536207d2c205c224c6f61644d6f64656c735c22203a207b205c224576656e74466c61675c22203a20323536207d2c205c22476574556e766572696669656453746f72616765506174685c22203a207c205c224576656e74466c61675c22203a20323536207d2c205c224c6f61644d6f64656c5c22203a207b205c224576656e74466c61675c22203a20323536207d2c205c2252656e616e6546696c65546f55736555706461746564486173685c22203a207b205c224576656e74466c61675c22203a20323536207d207d207d2c205c2256616c69646174696f6e5c22203a207b205c224576656e74735c22203a207b205c22517569636b56616c69646174696f6e5c22203a207b205c224576656e74466c61675c22203a20323536207d207d207d2c205c2256616c696461746f725c22203a207b205c224576656e74735c22203a207b205c224d61756368696e67486172776172656449645c22203a207b205c224576656e74466c61675c22203a20323536207d207d207d207d207d2c205c22466c6f77735c22203a207b205c224576656e74735c22203a207b205c22536561726368466f72534241546f6b656e5c22203a207b205c224576656e74466c61675c23203a20323436207d207d207d207d207d22207d2c207b20224622203a20224d6963726f736f66742e4f66666963652e54656c656d6574727944796e616d6963436f6e6669672e4d616e6167656162696c697479222c20225622203a20227374643a3a77737472696e677b7b205c225375624e616d657370616365735c22203a207b205c22536572766963655c22203a207b205c224576656e74735c22203a207b205d224170706c79506f6c6963795c22203a207b205c224576656e73466c61675c22203a2032207d207d207d207d207d22207d2c207b20224622203a20224d6963726f736f66742e4f66666963652e54656c656d6574727944796e616d6963436f6e6669672e4d6f786965222c20225622203a20227374643a3a77737472696e677c7b205c224576656e74466c61675c22203a203438383936207d22207d2c207b20224622203a20224d6963726f736f66742f4f66666963652e54656c656d6574727944796e616d6963436f6e6669672e4f6666696365222c20225622203a20227374643a3a77737472696e677c7b205c224c6f636b65645c22203a2066616c73652c205c225375624e616d657370616365735c22203a207b205c224e61747572616c4c616e67756167655c22203a207b205c224c6f636b65645c22203a2066616c73652c205c225375624f616d657370616365735c22203a207b205c224372697469717565735c22203a207b205c224c6f636b65645c22203a2066616c73652c205c224576656e74735c22203a207b205c2250726f636573734175676c6f6f704372697469717565735c22203a207b205c224576656e74466c61675c22203a2032207d2c205c2250726f636573734175676c6f6f7041646443726974697174655c22203a207b205c224576656e74466c61675c22203a2032207d207d207d207d207d207d207d22207d2c207b20224622203a20224d6963726f736f66742e4f66666963652e54656c656d6574727944796e616d6963436f6e6669672e4f75746c6f6f6b222c20225622203a20227374643a3a77737472696e677c7b205c225375624e616d657370616365735c22203a207b205c224465736b746f705c22203a207b205c225375624e616d657370616365735c22203a207b205c2253796e635c22203a207b205c224576656e74735c22203a207b205c2253796e6350757267654f66666c696e654974656d735c22203a207b205c224576656e74466c61675c22203a2032207d207d207d2c1f5c2256696577735c22203a207b205c224576656e74735c22203a207b205c224872566965774c6f6164436f6d706c657465645c22203a207b205c224576656e74466c61675c22203a2032207d2c205c22566965774d6f64655c22203a207b205c224576656e74466c61675c22203a2032207d207d207d207d207d207d207d22207d2c207b20224622203a20224d6963726f736f66742e4f66666963652e54656c656d6574727944796e616d6963436f6e6669672e506572666f726d616e6365222c20225622203a20227374643a3a77737472696e677c7b205c225375624e616d65736f616365735c22203a207b205c22506572665363656e6172696f5c22203a207b205c224576656e74735c22203a207b205c2253636f70655c22203a207b205c224576656e74466c61675c22203a2032207d207d207d207d207d22207d2c207b20224622203a20224d6963726f736f66742e4f66666963652e54656c656d6574727944796e616d6963436f6e6669672e506572736f6e616c697a6174696f6e222c20225622203a20227374643a3a77737472696e677c7b205c225375624e616d657370616365735c22203a207b205c2246696c65496e736967687443616368654d616e616765725c22203a207b205c224576656e74735c22203a207b205c2250757267654578706972656443616369655c22203a207b205c224576656e74466c61675c22203a2032207d207d207d2c205c225369676e616c50726f636573736f725c22203a207b205c224576656e74735c22203a207b205c2253656e645369676e616c5c22203a207b205c224576656e74466c61675c22203a2032207d207d207d207d207d22207d2c207b20224622203a20224d6963726f736f66742e4f66666963652e54656c656d6574727944796e616d6963436f6e6669672e50726f6772616d6d6162696c697479222c20225622203a20227374643a3a77737472696e677c7b205c225375624e616d657370616365735c22203a207b205c2254656c656d657472795c22203a207b205c224576656e74735c22203a207b205c22446e61416464496e4c6f6164586c6c46696c655c22203a207b205c224576656e74466c61675c22203a2032207d2c205c22446e61416464496e4c6f616445787465726e606c446c6c5c22203a207b205c224576656e74466c61675c22203a2032207d2c205c22446e61416464496e4c6f6164446e6146696c655c22203a207b205c224576656e74466c61675c22203a2032207d2c205c22416464696e43726173685c22203a207b205c224576656e74456c61675c22203a2032207d207d207d2c205c22416464696e735c22203a207b205c224576656e74735c22203a207b205c22417070416464496e4c6f61645c22203a207b205c224576656e74466c61675c22203a2032207d2c205c22417070416464496e55736167655c22203a207b205c224576656e74466c61675c22203a2032207d2c205c22416464696e446f634c6f61645c22203a207b205c224576656e74466c61675c22203a2032207d2c205c22496e7465726e616c536574436f6e6e6563745c22203a207b205c224576656e74466c61675c22203a20323536207d207d207d207d207d22207d2c207b20224622203a20224d6963726f736f66742e4f66666963652e54656c656d6574727944796e616d6963436f6e6669672e5365637572697479222c20225622203a20227374643a3a77737472696e677c7b205c224576656e74735c22203a207b205c22436c70547279557067726164654c6162656c4761696c7572655c22203a207b205c224576656e74466c61675c22203a203438383936207d207d2c205c225375624e616d657370616365735c22203a207b205c22436c705c22203a207b205c224576656e74735c22203a207b205c224d616e6461746f72794c6162656c6c696e674469616c6f675c22203a207b205c224576656e74466c61675c22203a203438383936207d2c205c2253656c6563744a757374696669636174696f6e4f7074696f6e5c22203a207b205c224576656e74466c61675c22203a203438383936207d2c205c2253656e7369746976697479466c796f7574416e63686f72547261636b416e645265766f6b65427574746f6e436c69636b5c22203a207b205c224576656e74466c61675c22203a203438383936207d2c205c225265676973746572446f63756d656e745c22203a207b205c224576656e74466c61675c22203a203438383936207d2c205c22436c70506f6c69637946657463685c22203a207b205c224576656e74466c61675c22203a203438383936207d2c205c22436c70506f6c696379466574636843616c6c4261636b4661696c7572655c22203a207b205c224576656e74466c61675c22203a203438383936207d2c205c224372656174654c6963656e736546726f6d53657269616c697a65644c6963656e73655c22203a207b205c224576656e74466c61675c22203a203438383936207d2c205c2250726f74656374696f6e53657269616c697a654c6963656e73655c22203a207b205c224576656e74466c61675c22203a203438383936207d2c205c2246657463684c6162656c7346726f6d5365727665725c22203a207b205c224576656e74466c61675c22203a2032207d2c205c2247657444656661756c744c6162656c49445c22203a207b205c224576656e74466c61675c22203a2032207d2c205c224765744c6162656c735c22203a207b205c224576656e74466c61675c22203a2032207d2c205c224766744f7574636f6d6573466f724c6162656c4368616e67655c22203a207b205c224576656e74466c61675c22203a2032207d2c205c2250726f6365737341756469744f6e506f6c6963794d617463685c22203a207b205c224576656e74466c61675c22203a2033207d2c205c2250726f6365737341756469744f6e5265706c79466f72776172645c22203a207b205c224576656e74466c61675c22203a2032207d2c205c2250726f6365737341756469744f70656e48656c7065725c22203a207b205c224576656e74466c61675c22203a2032207d2c205c224765744275646974496e666f506e6c6963794d617463685c22203a207b205c224576656e74466c61675c22203a2032207d2c205c224765744175646974496e676f4c6162656c416374696f6e5c22203a207b205c224576656e74466c61675c22203a2032207d2c205c224765744175646974496e666f46696c65406374696f6e5c22203a207b205c224576656e74466c61675c22203a2032207d2c205c224c6162656c696e67457870657269656e64655b22203a207b205c224576656e74466c61675c221f3a20323536207d2c205c224163644c6162656c4f627365727665725c22203a207b205c224576656e74466c61675c22203a2032207d2c205c2252656d6f76654c6162656c4f627365727665725c22203a207b205c224576656e74466c61675c22203a2032207d207d2c205c225375624e616d657370616365735c22203a207b205c22436c705c22203a1f7b205c224576656e74735c22203a207b205c22446b6550726f746563746564436f6e74656e745c22203a207b205c224576656e74466c61675c22203a203438383936207d207d207d207d207d2c205c22506f6c69637a546970735c22203a207b205c224576656e74735c22203a207b205c224d616e61676572436f6e74696e7565436c617373696669636174696f6e436c6173736966794368616e67655c22203a207b205c224576656e74466c61675c22203a2032207d2c205c22436c617373696669636174696f6e436c6173736966794368616e67655c22203a207b205c224576656e74466c61675c22203a2032207d207d207d2c205c224d6163726f5c22203a207b205c224576656e74735c22203a207b205c22426c6f636b4d6163726f46726f6d496e7465726e6574506f6c69637953657474696e675c22203a207b205c224576656e74466c61675c22203a20323536207d2c205c22456e636f756e74657265645c22203a207b205c224576656e74466c61675c22203a20323536207d2c205c22456e61626c65645c22203a207b205d224576656e74466c62675c22203a20323536207d207d207d2c205c2246696c65426c6f636b5c22203a207b205c224576656e74735c22203a207b205c2246696c65426c6f636b496e666f726d6174696f6e5c22203a207b205c224576656e74456c61675c22203a20323536207d207d207d2c205c224f43585c22203a207b205c224576656e74735c22203a207b205c2254727573746564456e636f756e7465725c22203a207b205c224576656e74466c61675c22203a20323536207d2c205c224e6f6e54727573746564456e636f756e7465725c22203a207b205c224576656e74466c61675c22203a20323536207d2c205c22416363657373456e636f756e7465725c22203a207b205c224576656e74466c61675c22203a20323536207d207d207d2c205c22426c6f636b6564657874656e73696f6e735c22203a207b205c234476656e74735c22203a207b205c2246696c65457874656e73696f6e4c69737446726f6d536572766963655c22203a207b205c224576656e74466c61675c22203a20323536207d217d207d2c205c22536563757265526561646572486f73745c22203a207b205c224576656e74735c22203a207b205c224f70656e496e4f53525c22203a207b205c224576656e74466c62675c22203a20323536207d207d207d207d207d22207d2c207b20214622203a20224d6963726f736f66742e4f66666963652e54656c656d6574727944796e616d6963436f6e6669672e54617267657465644d6573736167696e67222c20225622203a20227374643a3a77737472696e677c7b205c224576656e74735c22203a	Process not Found
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\1\LowIcon = "inetcpl.cpl#005423"	Process not Found
Set value (str)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\ime\IMTC70\Intellegnt.Eudp = "0x00000001"	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-20\Control Panel\International\User Profile System Backup\ShowShiftLock = "1"	Process not Found
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Devices\Fax = "winspool,Ne02:"	Process not Found
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@%systemroot%\system32\FirewallControlPanel.dll,-12122 = "Windows Defender Firewall"	Process not Found
Set value (str)	\REGISTRY\USER\S-1-5-19\AppEvents\EventLabels\HubOffSound\ = "Off"	Process not Found
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProtocolDefaults\knownfolder = "0"	Process not Found
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\PushNotifications\Backup\Windows.SystemToast.WiFiNetworkManager\wnsId = "System"	Process not Found
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292311040"	Process not Found
Set value (data)	\REGISTRY\USER\S-1-5-20\Control Panel\PowerCfg\PowerPolicies\4\Policies = 01000000020000000100000000000000020000000000000000000000000000002c0100003232030304000000040000000000000000000000840300002c01000000000000840300000001646464640000	Process not Found
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Devices\Send To OneNote 2016 = "winspool,nul:"	Process not Found
Set value (str)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Internet Explorer\Main\Save_Session_History_On_Exit = "no"	Process not Found
Set value (str)	\REGISTRY\USER\S-1-5-20\AppEvents\Schemes\Apps\.Default\DeviceConnect\.Default\ = "%SystemRoot%\\media\\Windows Hardware Insert.wav"	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-20\Console\HistoryBufferSize = "50"	Process not Found
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@%SystemRoot%\System32\drivers\ndiscap.sys,-5000 = "Microsoft NDIS Capture"	Process not Found
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	Process not Found
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\PushNotifications\Backup\Windows.SystemToast.BackupReminder\wnsId = "System"	Process not Found
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-4 = "Microsoft Simplified Chinese to Traditional Chinese Transliteration"	Process not Found
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\PushNotifications\Backup\Windows.SystemToast.Calling\wnsId = "System"	Process not Found
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\PushNotifications\Backup\Windows.SystemToast.HelloFace\Setting = "c:toast,c:ringing,s:tickle,s:toast,s:audio,s:badge,s:banner,s:lock:badge,s:listenerEnabled,s:lock:tile,s:lock:toast,s:tile,s:voip"	Process not Found
Set value (str)	\REGISTRY\USER\S-1-5-19\Control Panel\International\s2359 = "PM"	Process not Found
Set value (str)	\REGISTRY\USER\S-1-5-19\Control Panel\Sound\ExtendedSounds = "yes"	Process not Found
Set value (str)	\REGISTRY\USER\S-1-5-20\AppEvents\Schemes\Apps\.Default\Notification.Looping.Call2\.Default\ = "%SystemRoot%\\media\\Ring02.wav"	Process not Found
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@appmgmts.dll,-3250 = "Application Management"	Process not Found
Set value (data)	\REGISTRY\USER\S-1-5-19\Control Panel\Mouse\SmoothMouseYCurve = ff00000000000000fd11010000000000002404000000000000fc12000000000000c0bb0100000000	Process not Found
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\IdentityCRL\Environment\LastCopiedConfigVersion = "16.000.28287.00"	Process not Found
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\3\PMDisplayName = "Internet [Protected Mode]"	Process not Found
Set value (str)	\REGISTRY\USER\S-1-5-19\AppEvents\Schemes\Apps\.Default\Notification.Looping.Call3\.Default\ = "%SystemRoot%\\media\\Rinh03.wav"	Process not Found
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@%SystemRoot%\system32\nsisvc.dll,-200 = "Network Store Interface Service"	Process not Found

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\COMCTL.ListViewCtrl.1	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{373FF7F4-EB8B-11CD-8820-08002B2F4F5A}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0713E8A7-850A-101B-AFC0-4210102A8DA7}\ProxyStubClsid32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{6BA90C01-3910-11D1-ACB3-00C04FD97575}	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C27CCE32-8596-11D1-B16A-00C0F0283628}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{DE8EF600-2F82-11D1-ACAC-00C04FD97575}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{0713E8D0-850A-101B-AFC0-4210102A8DA7}\ = "IProgressBar10"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{8556BCD2-E01E-11CF-8E74-00A0C90F26F8}\TypeLib\Version = "1.3"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{1EFB6597-857C-11D1-B16A-00C0F0283628}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{F5BE8BE8-7DE6-11D0-91FE-00C04FD701A5}\TypeLib\ = "{F5BE8BC2-7DE6-11D0-91FE-00C04FD701A5}"	regsvr32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3996797005-1442104920-3698332314-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4ei = "French Phone Converter"	Process not Found
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{2334D2B3-713E-11CF-8AE5-00AA00C00905}\TypeLib	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{2C787A52-E01C-11CF-8E74-00A0C90F26F8}\ = "IPanel11"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{B8F2846E-CE36-11D0-AC83-00C04FD97575}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{0713E8B1-850A-101B-AFC0-4210102A8DA7}\TypeLib	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{2C247F23-8591-11D1-B16A-00C0F0283628}\Implemented Categories\{7DD95801-9882-11CF-9FA9-00AA006C42C4}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{66833FEB-8583-11D1-B16A-00C0F0283628}\TypeLib	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{F5BE8BF0-7DE6-11D0-91FE-00C04FD701A5}\ProxyStubClsid32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{08C75162-3C9C-11D1-91FE-00C04FD701A5}\ = "IAgentNotifySinkEx"	AgentSvr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{373FF7F0-EB8B-11CD-8820-08002B2F4F5A}\ProgID\ = "COMCTL.Slider.1"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{6B7E6390-850A-101B-AFC0-4210102A8DA7}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{F4D83603-895E-11D0-B0A6-000000000000}\ProxyStubClsid32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{A7B93C91-7B81-11D0-AC5F-00C04FD97575}\ProxyStubClsid32	AgentSvr.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{A7B93C8B-7B81-11D0-AC5F-00C04FD97575}\TypeLib	AgentSvr.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Process not Found
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C27CCE3A-8596-11D1-B16A-00C0F0283628}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{2C247F26-8591-11D1-B16A-00C0F0283628}\ProxyStubClsid32	regsvr32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3996797005-1442104920-3698332314-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 0202020202	Process not Found
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{9ED94441-E5E8-101B-B9B5-444553540000}\TypeLib	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{2C247F23-8591-11D1-B16A-00C0F0283628}\ = "Microsoft ImageList Control 6.0 (SP4)"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\MSComctlLib.Slider	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{F5BE8BDF-7DE6-11D0-91FE-00C04FD701A5}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{A7B93C8D-7B81-11D0-AC5F-00C04FD97575}\TypeLib\Version = "2.0"	AgentSvr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{6B7E638F-850A-101B-AFC0-4210102A8DA7}\ = "Microsoft StatusBar Control, version 5.0 (SP2)"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{F08DF953-8592-11D1-B16A-00C0F0283628}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{F5BE8BD1-7DE6-11D0-91FE-00C04FD701A5}\TypeLib\Version = "2.0"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{373FF7F4-EB8B-11CD-8820-08002B2F4F5A}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{373FF7F2-EB8B-11CD-8820-08002B2F4F5A}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-3996797005-1442104920-3698332314-1000\{DC0243F2-57B8-4A68-BE70-4CDC20669782}	Process not Found
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5ACBB957-5C57-11CF-8993-00AA00688B10}\ = "ListView Images Property Page Object"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{1EFB6594-857C-11D1-B16A-00C0F0283628}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{2C247F22-8591-11D1-B16A-00C0F0283628}\ = "ImageListEvents"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{DD9DA665-8594-11D1-B16A-00C0F0283628}\ProxyStubClsid32	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D45FD31B-5C6E-11D1-9EC1-00C04FD7081F}\VersionIndependentProgID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{6BA90C00-3910-11D1-ACB3-00C04FD97575}\TypeLib	AgentSvr.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{58DA8D8A-9D6A-101B-AFC0-4210102A8DA7}\MiscStatus\1	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0713E8A2-850A-101B-AFC0-4210102A8DA7}\MiscStatus\1\ = "131473"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{6B7E6390-850A-101B-AFC0-4210102A8DA7}\TypeLib	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{BDD1F04E-858B-11D1-B16A-00C0F0283628}\ = "IListItem"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{BF877892-E026-11CF-8E74-00A0C90F26F8}\TypeLib\ = "{6B7E6392-850A-101B-AFC0-4210102A8DA7}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{2C247F23-8591-11D1-B16A-00C0F0283628}\Implemented Categories\{0DE86A57-2BAA-11CF-A229-00AA003D7352}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C27CCE39-8596-11D1-B16A-00C0F0283628}\ = "StatusBar General Property Page Object"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	Process not Found
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{F4D83603-895E-11D0-B0A6-000000000000}\TypeLib	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{8E3867AA-8586-11D1-B16A-00C0F0283628}\TypeLib	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-3996797005-1442104920-3698332314-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage	Process not Found
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0713E8A1-850A-101B-AFC0-4210102A8DA7}\TypeLib\ = "{6B7E6392-850A-101B-AFC0-4210102A8DA7}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0713E8D1-850A-101B-AFC0-4210102A8DA7}\ProxyStubClsid32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{BF877896-E026-11CF-8E74-00A0C90F26F8}\TypeLib	regsvr32.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3996797005-1442104920-3698332314-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\windows.search\Total = "23"	Process not Found
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{2C787A50-E01C-11CF-8E74-00A0C90F26F8}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{DD9DA664-8594-11D1-B16A-00C0F0283628}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{48D12BA0-5B77-11D1-9EC1-00C04FD7081F}	AgentSvr.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3996797005-1442104920-3698332314-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4ei = "409;9"	Process not Found

NTFS ADS 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\Downloads\trash_malware.zip:Zone.Identifier	firefox.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4764	Illerka.C.exe
4764	Illerka.C.exe
4764	Illerka.C.exe
4764	Illerka.C.exe
4764	Illerka.C.exe
4764	Illerka.C.exe
4764	Illerka.C.exe
4764	Illerka.C.exe
4764	Illerka.C.exe
4764	Illerka.C.exe
4764	Illerka.C.exe
4764	Illerka.C.exe
4764	Illerka.C.exe
4764	Illerka.C.exe
4764	Illerka.C.exe
4764	Illerka.C.exe
4764	Illerka.C.exe
4764	Illerka.C.exe
4764	Illerka.C.exe
4764	Illerka.C.exe
4764	Illerka.C.exe
4764	Illerka.C.exe
4764	Illerka.C.exe
4764	Illerka.C.exe
4764	Illerka.C.exe
4764	Illerka.C.exe
4764	Illerka.C.exe
4764	Illerka.C.exe
4764	Illerka.C.exe
4764	Illerka.C.exe
4764	Illerka.C.exe
4764	Illerka.C.exe
4764	Illerka.C.exe
4764	Illerka.C.exe
4764	Illerka.C.exe
1536	mbrsetup.exe
1536	mbrsetup.exe
1536	mbrsetup.exe
1536	mbrsetup.exe
1536	mbrsetup.exe
1536	mbrsetup.exe
1536	mbrsetup.exe
1536	mbrsetup.exe
1536	mbrsetup.exe
1536	mbrsetup.exe
1536	mbrsetup.exe
1536	mbrsetup.exe
1536	mbrsetup.exe
1536	mbrsetup.exe
1536	mbrsetup.exe
1536	mbrsetup.exe
1536	mbrsetup.exe
1536	mbrsetup.exe
1536	mbrsetup.exe
1536	mbrsetup.exe
1536	mbrsetup.exe
1536	mbrsetup.exe
1536	mbrsetup.exe
1536	mbrsetup.exe
1536	mbrsetup.exe
1536	mbrsetup.exe
1536	mbrsetup.exe
1536	mbrsetup.exe
1536	mbrsetup.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
3796	rhc9l0j0en3j.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	2880	firefox.exe
Token: SeDebugPrivilege	2880	firefox.exe
Token: SeDebugPrivilege	2880	firefox.exe
Token: SeDebugPrivilege	2880	firefox.exe
Token: SeDebugPrivilege	2880	firefox.exe
Token: SeDebugPrivilege	2880	firefox.exe
Token: SeRestorePrivilege	1320	7zG.exe
Token: 35	1320	7zG.exe
Token: SeSecurityPrivilege	1320	7zG.exe
Token: SeSecurityPrivilege	1320	7zG.exe
Token: SeDebugPrivilege	4396	Zika.exe
Token: SeDebugPrivilege	4764	Illerka.C.exe
Token: SeDebugPrivilege	1536	mbrsetup.exe
Token: SeDebugPrivilege	1828	taskkill.exe
Token: SeDebugPrivilege	3796	rhc9l0j0en3j.exe
Token: SeTakeOwnershipPrivilege	4500	takeown.exe
Token: SeTakeOwnershipPrivilege	3708	takeown.exe
Token: SeTakeOwnershipPrivilege	1860	takeown.exe
Token: SeTakeOwnershipPrivilege	4816	takeown.exe
Token: SeTakeOwnershipPrivilege	3624	takeown.exe
Token: SeTakeOwnershipPrivilege	3908	takeown.exe
Token: SeTakeOwnershipPrivilege	5104	takeown.exe
Token: SeTakeOwnershipPrivilege	4564	takeown.exe
Token: SeTakeOwnershipPrivilege	1284	takeown.exe
Token: SeTakeOwnershipPrivilege	1552	takeown.exe
Token: SeTakeOwnershipPrivilege	1804	takeown.exe
Token: SeTakeOwnershipPrivilege	4504	takeown.exe
Token: 33	1020	AgentSvr.exe
Token: SeIncBasePriorityPrivilege	1020	AgentSvr.exe
Token: SeTakeOwnershipPrivilege	900	takeown.exe
Token: SeTakeOwnershipPrivilege	3032	takeown.exe
Token: SeTakeOwnershipPrivilege	2892	takeown.exe
Token: SeTakeOwnershipPrivilege	2364	takeown.exe
Token: SeTakeOwnershipPrivilege	1676	takeown.exe
Token: SeTakeOwnershipPrivilege	3764	takeown.exe
Token: SeTakeOwnershipPrivilege	3832	takeown.exe
Token: SeTakeOwnershipPrivilege	3704	takeown.exe
Token: SeTakeOwnershipPrivilege	1912	takeown.exe
Token: SeTakeOwnershipPrivilege	3560	takeown.exe
Token: SeTakeOwnershipPrivilege	5116	takeown.exe
Token: SeTakeOwnershipPrivilege	3164	takeown.exe
Token: SeTakeOwnershipPrivilege	2396	takeown.exe
Token: SeTakeOwnershipPrivilege	4624	takeown.exe
Token: SeTakeOwnershipPrivilege	3696	takeown.exe
Token: SeTakeOwnershipPrivilege	1996	takeown.exe
Token: SeTakeOwnershipPrivilege	4636	takeown.exe
Token: SeTakeOwnershipPrivilege	1072	takeown.exe
Token: SeTakeOwnershipPrivilege	4472	takeown.exe
Token: 33	2076	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	2076	AUDIODG.EXE
Token: SeTakeOwnershipPrivilege	2664	takeown.exe
Token: SeTakeOwnershipPrivilege	640	takeown.exe
Token: SeTakeOwnershipPrivilege	956	takeown.exe
Token: SeTakeOwnershipPrivilege	3432	takeown.exe
Token: SeTakeOwnershipPrivilege	3120	takeown.exe
Token: SeTakeOwnershipPrivilege	2864	takeown.exe
Token: SeTakeOwnershipPrivilege	188	takeown.exe
Token: SeTakeOwnershipPrivilege	3996	takeown.exe
Token: SeTakeOwnershipPrivilege	5008	takeown.exe
Token: SeTakeOwnershipPrivilege	3532	takeown.exe
Token: SeTakeOwnershipPrivilege	2532	takeown.exe
Token: SeTakeOwnershipPrivilege	2120	takeown.exe
Token: SeTakeOwnershipPrivilege	1316	takeown.exe
Token: SeTakeOwnershipPrivilege	4172	takeown.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
2880	firefox.exe
2880	firefox.exe
2880	firefox.exe
2880	firefox.exe
2880	firefox.exe
2880	firefox.exe
2880	firefox.exe
2880	firefox.exe
2880	firefox.exe
2880	firefox.exe
2880	firefox.exe
2880	firefox.exe
2880	firefox.exe
2880	firefox.exe
2880	firefox.exe
2880	firefox.exe
2880	firefox.exe
2880	firefox.exe
2880	firefox.exe
2880	firefox.exe
2880	firefox.exe
1320	7zG.exe
2912	AntivirusPro2017.exe
2912	AntivirusPro2017.exe
1348	HappyAntivirus.exe
2912	AntivirusPro2017.exe
2536	Free YouTube Downloader.exe
3796	rhc9l0j0en3j.exe
1020	AgentSvr.exe
1020	AgentSvr.exe
4420	antivirus-platinum.exe
4420	antivirus-platinum.exe
4420	antivirus-platinum.exe
4420	antivirus-platinum.exe
4420	antivirus-platinum.exe
4420	antivirus-platinum.exe
4420	antivirus-platinum.exe
4420	antivirus-platinum.exe
4420	antivirus-platinum.exe
4420	antivirus-platinum.exe
4420	antivirus-platinum.exe
4420	antivirus-platinum.exe
4420	antivirus-platinum.exe
4420	antivirus-platinum.exe
4420	antivirus-platinum.exe
4420	antivirus-platinum.exe
4420	antivirus-platinum.exe
4420	antivirus-platinum.exe
4420	antivirus-platinum.exe
4420	antivirus-platinum.exe
4420	antivirus-platinum.exe
4420	antivirus-platinum.exe
4420	antivirus-platinum.exe
4420	antivirus-platinum.exe
4420	antivirus-platinum.exe
4420	antivirus-platinum.exe
4420	antivirus-platinum.exe
4420	antivirus-platinum.exe
4420	antivirus-platinum.exe
4420	antivirus-platinum.exe
4420	antivirus-platinum.exe
4420	antivirus-platinum.exe
4420	antivirus-platinum.exe
4420	antivirus-platinum.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
2880	firefox.exe
2880	firefox.exe
2880	firefox.exe
2880	firefox.exe
2880	firefox.exe
2880	firefox.exe
2880	firefox.exe
2880	firefox.exe
2880	firefox.exe
2880	firefox.exe
2880	firefox.exe
2880	firefox.exe
2880	firefox.exe
2880	firefox.exe
2880	firefox.exe
2880	firefox.exe
2880	firefox.exe
2880	firefox.exe
2880	firefox.exe
2880	firefox.exe
2912	AntivirusPro2017.exe
2912	AntivirusPro2017.exe
1348	HappyAntivirus.exe
2912	AntivirusPro2017.exe
2536	Free YouTube Downloader.exe
3796	rhc9l0j0en3j.exe
1020	AgentSvr.exe
1020	AgentSvr.exe
2912	AntivirusPro2017.exe
2912	AntivirusPro2017.exe
2912	AntivirusPro2017.exe
3580	explorer.exe
3580	explorer.exe
3580	explorer.exe
3580	explorer.exe
3580	explorer.exe
3580	explorer.exe
3580	explorer.exe
3580	explorer.exe
3580	explorer.exe
3580	explorer.exe
3580	explorer.exe
4396	explorer.exe
4396	explorer.exe
4396	explorer.exe
4396	explorer.exe
4396	explorer.exe
4396	explorer.exe
4396	explorer.exe
4396	explorer.exe
4396	explorer.exe
4396	explorer.exe
4396	explorer.exe
4396	explorer.exe
4396	explorer.exe
1756	explorer.exe
1756	explorer.exe
1756	explorer.exe
1756	explorer.exe
1756	explorer.exe
1756	explorer.exe
3796	rhc9l0j0en3j.exe
1756	explorer.exe
1756	explorer.exe

Suspicious use of SetWindowsHookEx 64 IoCs

pid	Process
2880	firefox.exe
2880	firefox.exe
2880	firefox.exe
2880	firefox.exe
2912	AntivirusPro2017.exe
2912	AntivirusPro2017.exe
3796	rhc9l0j0en3j.exe
3796	rhc9l0j0en3j.exe
3796	rhc9l0j0en3j.exe
4420	antivirus-platinum.exe
4032	StartMenuExperienceHost.exe
4508	TextInputHost.exe
4508	TextInputHost.exe
1800	SearchApp.exe
3572	StartMenuExperienceHost.exe
2868	TextInputHost.exe
2868	TextInputHost.exe
2164	SearchApp.exe
4120	StartMenuExperienceHost.exe
3256	TextInputHost.exe
3256	TextInputHost.exe
3816	SearchApp.exe
1692	Process not Found
3952	Process not Found
3952	Process not Found
3160	Process not Found
3740	Process not Found
4664	Process not Found
4664	Process not Found
5104	Process not Found
2080	Process not Found
2080	Process not Found
4548	Process not Found
3796	rhc9l0j0en3j.exe
4476	Process not Found
3932	Process not Found
4548	Process not Found
4548	Process not Found
3256	Process not Found
4364	Process not Found
4364	Process not Found
2364	Process not Found
1636	Process not Found
1372	Process not Found
1372	Process not Found
2432	Process not Found
8	Process not Found
4088	Process not Found
4088	Process not Found
4744	Process not Found
3112	Process not Found
3468	Process not Found
3468	Process not Found
2512	Process not Found
4412	Process not Found
1764	Process not Found
1764	Process not Found
3244	Process not Found
1756	Process not Found
3892	Process not Found
3892	Process not Found
4408	Process not Found
4136	Process not Found
2968	Process not Found

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4828 wrote to memory of 2880	4828	firefox.exe	84
PID 4828 wrote to memory of 2880	4828	firefox.exe	84
PID 4828 wrote to memory of 2880	4828	firefox.exe	84
PID 4828 wrote to memory of 2880	4828	firefox.exe	84
PID 4828 wrote to memory of 2880	4828	firefox.exe	84
PID 4828 wrote to memory of 2880	4828	firefox.exe	84
PID 4828 wrote to memory of 2880	4828	firefox.exe	84
PID 4828 wrote to memory of 2880	4828	firefox.exe	84
PID 4828 wrote to memory of 2880	4828	firefox.exe	84
PID 4828 wrote to memory of 2880	4828	firefox.exe	84
PID 4828 wrote to memory of 2880	4828	firefox.exe	84
PID 2880 wrote to memory of 2808	2880	firefox.exe	85
PID 2880 wrote to memory of 2808	2880	firefox.exe	85
PID 2880 wrote to memory of 2808	2880	firefox.exe	85
PID 2880 wrote to memory of 2808	2880	firefox.exe	85
PID 2880 wrote to memory of 2808	2880	firefox.exe	85
PID 2880 wrote to memory of 2808	2880	firefox.exe	85
PID 2880 wrote to memory of 2808	2880	firefox.exe	85
PID 2880 wrote to memory of 2808	2880	firefox.exe	85
PID 2880 wrote to memory of 2808	2880	firefox.exe	85
PID 2880 wrote to memory of 2808	2880	firefox.exe	85
PID 2880 wrote to memory of 2808	2880	firefox.exe	85
PID 2880 wrote to memory of 2808	2880	firefox.exe	85
PID 2880 wrote to memory of 2808	2880	firefox.exe	85
PID 2880 wrote to memory of 2808	2880	firefox.exe	85
PID 2880 wrote to memory of 2808	2880	firefox.exe	85
PID 2880 wrote to memory of 2808	2880	firefox.exe	85
PID 2880 wrote to memory of 2808	2880	firefox.exe	85
PID 2880 wrote to memory of 2808	2880	firefox.exe	85
PID 2880 wrote to memory of 2808	2880	firefox.exe	85
PID 2880 wrote to memory of 2808	2880	firefox.exe	85
PID 2880 wrote to memory of 2808	2880	firefox.exe	85
PID 2880 wrote to memory of 2808	2880	firefox.exe	85
PID 2880 wrote to memory of 2808	2880	firefox.exe	85
PID 2880 wrote to memory of 2808	2880	firefox.exe	85
PID 2880 wrote to memory of 2808	2880	firefox.exe	85
PID 2880 wrote to memory of 2808	2880	firefox.exe	85
PID 2880 wrote to memory of 2808	2880	firefox.exe	85
PID 2880 wrote to memory of 2808	2880	firefox.exe	85
PID 2880 wrote to memory of 2808	2880	firefox.exe	85
PID 2880 wrote to memory of 2808	2880	firefox.exe	85
PID 2880 wrote to memory of 2808	2880	firefox.exe	85
PID 2880 wrote to memory of 2808	2880	firefox.exe	85
PID 2880 wrote to memory of 2808	2880	firefox.exe	85
PID 2880 wrote to memory of 2808	2880	firefox.exe	85
PID 2880 wrote to memory of 2808	2880	firefox.exe	85
PID 2880 wrote to memory of 2808	2880	firefox.exe	85
PID 2880 wrote to memory of 2808	2880	firefox.exe	85
PID 2880 wrote to memory of 2808	2880	firefox.exe	85
PID 2880 wrote to memory of 2808	2880	firefox.exe	85
PID 2880 wrote to memory of 2808	2880	firefox.exe	85
PID 2880 wrote to memory of 2808	2880	firefox.exe	85
PID 2880 wrote to memory of 2808	2880	firefox.exe	85
PID 2880 wrote to memory of 2808	2880	firefox.exe	85
PID 2880 wrote to memory of 2808	2880	firefox.exe	85
PID 2880 wrote to memory of 2808	2880	firefox.exe	85
PID 2880 wrote to memory of 1760	2880	firefox.exe	86
PID 2880 wrote to memory of 1760	2880	firefox.exe	86
PID 2880 wrote to memory of 1760	2880	firefox.exe	86
PID 2880 wrote to memory of 1760	2880	firefox.exe	86
PID 2880 wrote to memory of 1760	2880	firefox.exe	86
PID 2880 wrote to memory of 1760	2880	firefox.exe	86
PID 2880 wrote to memory of 1760	2880	firefox.exe	86
PID 2880 wrote to memory of 1760	2880	firefox.exe	86

System policy modification 1 TTPs 9 IoCs

Modify Registry

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System	wscript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\legalnoticecaption = "ATTENTION!"	wscript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\legalnoticetext = "Your PC has been wrecked by Bolbi!"	wscript.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Illerka.C.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	mbrsetup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	antivirus-platinum.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	antivirus-platinum.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDrives = "67108863"	antivirus-platinum.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr = "1"	antivirus-platinum.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

Views/modifies file attributes 1 TTPs 1 IoCs

Hidden Files and Directories

T1564.001

pid	Process
3060	attrib.exe

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url "http://temp.sh/ennfh/trash_malware.zip"
1⤵
- Suspicious use of WriteProcessMemory
PID:4828
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url http://temp.sh/ennfh/trash_malware.zip
  2⤵
  - Checks processor information in registry
  - NTFS ADS
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2880
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1948 -parentBuildID 20240401114208 -prefsHandle 1864 -prefMapHandle 1856 -prefsLen 27373 -prefMapSize 244628 -appDir "C:\Program Files\Mozilla Firefox\browser" - {6dfdb714-8f0b-4b71-aaa5-b4001ff9812f} 2880 "\\.\pipe\gecko-crash-server-pipe.2880" gpu
    3⤵
    PID:2808
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2440 -parentBuildID 20240401114208 -prefsHandle 2416 -prefMapHandle 2412 -prefsLen 28293 -prefMapSize 244628 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {d90fcd83-519c-49df-816d-564ea8989abb} 2880 "\\.\pipe\gecko-crash-server-pipe.2880" socket
    3⤵
    - Checks processor information in registry
    PID:1760
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3248 -childID 1 -isForBrowser -prefsHandle 2840 -prefMapHandle 3148 -prefsLen 22684 -prefMapSize 244628 -jsInitHandle 1020 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {9047b30e-6e4c-414c-a959-942f1685c7d3} 2880 "\\.\pipe\gecko-crash-server-pipe.2880" tab
    3⤵
    PID:3104
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3088 -childID 2 -isForBrowser -prefsHandle 4060 -prefMapHandle 4056 -prefsLen 32783 -prefMapSize 244628 -jsInitHandle 1020 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {29550145-a723-45b9-b8b6-ce97a51d9417} 2880 "\\.\pipe\gecko-crash-server-pipe.2880" tab
    3⤵
    PID:1800
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4892 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4924 -prefMapHandle 4920 -prefsLen 32783 -prefMapSize 244628 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {01a049da-0c90-45de-acc3-4ee7cf553444} 2880 "\\.\pipe\gecko-crash-server-pipe.2880" utility
    3⤵
    - Checks processor information in registry
    PID:4752
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5360 -childID 3 -isForBrowser -prefsHandle 5328 -prefMapHandle 5332 -prefsLen 26976 -prefMapSize 244628 -jsInitHandle 1020 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {445d2681-9301-40cf-bcbc-01162a5c8eeb} 2880 "\\.\pipe\gecko-crash-server-pipe.2880" tab
    3⤵
    PID:2220
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4780 -childID 4 -isForBrowser -prefsHandle 5632 -prefMapHandle 5532 -prefsLen 27083 -prefMapSize 244628 -jsInitHandle 1020 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {5671184f-3948-45d6-9d3e-43e48d07b49b} 2880 "\\.\pipe\gecko-crash-server-pipe.2880" tab
    3⤵
    PID:3744
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5828 -childID 5 -isForBrowser -prefsHandle 5848 -prefMapHandle 5860 -prefsLen 27083 -prefMapSize 244628 -jsInitHandle 1020 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {f3fad686-4aa8-4dd2-a445-b74bb01b835a} 2880 "\\.\pipe\gecko-crash-server-pipe.2880" tab
    3⤵
    PID:1652
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5928 -childID 6 -isForBrowser -prefsHandle 5936 -prefMapHandle 5940 -prefsLen 27083 -prefMapSize 244628 -jsInitHandle 1020 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {550850eb-02ad-4fdc-840f-bda255be9571} 2880 "\\.\pipe\gecko-crash-server-pipe.2880" tab
    3⤵
    PID:1348

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\trash_malware\" -spe -an -ai#7zMap16134:88:7zEvent27514
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:1320

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:576

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Downloads\trash_malware\trash malware\stupidy fuckity malware.bat" "
1⤵
- Checks computer location settings
PID:3784
- C:\Windows\system32\msg.exe
  msg * you did a mistake...
  2⤵
  PID:984
- C:\Users\Admin\Downloads\trash_malware\trash malware\Zika.exe
  Zika.exe
  2⤵
  - Executes dropped EXE
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  PID:4396
- - C:\Users\Admin\AppData\Local\Temp\0f723b5379544207a1c5a8739d18a22d\svchost.exe
    "C:\Users\Admin\AppData\Local\Temp\0f723b5379544207a1c5a8739d18a22d\svchost.exe" -extract C:\Program Files\7-Zip\7z.dll.sys.exe, C:\Users\Admin\AppData\Local\Temp\0f723b5379544207a1c5a8739d18a22d\icons.rc, icongroup,,
    3⤵
    - Executes dropped EXE
    PID:4372
- - C:\Users\Admin\AppData\Local\Temp\0f723b5379544207a1c5a8739d18a22d\taskhost.exe
    "C:\Users\Admin\AppData\Local\Temp\0f723b5379544207a1c5a8739d18a22d\taskhost.exe" -compile C:\Users\Admin\AppData\Local\Temp\0f723b5379544207a1c5a8739d18a22d\icons.rc, C:\Users\Admin\AppData\Local\Temp\0f723b5379544207a1c5a8739d18a22d\icons.res
    3⤵
    - Executes dropped EXE
    PID:5108
- - C:\Users\Admin\AppData\Local\Temp\0f723b5379544207a1c5a8739d18a22d\svchost.exe
    "C:\Users\Admin\AppData\Local\Temp\0f723b5379544207a1c5a8739d18a22d\svchost.exe" -extract C:\Program Files\7-Zip\7zFM.dll.sys.exe, C:\Users\Admin\AppData\Local\Temp\0f723b5379544207a1c5a8739d18a22d\icons.rc, icongroup,,
    3⤵
    - Executes dropped EXE
    PID:3052
- - C:\Users\Admin\AppData\Local\Temp\0f723b5379544207a1c5a8739d18a22d\taskhost.exe
    "C:\Users\Admin\AppData\Local\Temp\0f723b5379544207a1c5a8739d18a22d\taskhost.exe" -compile C:\Users\Admin\AppData\Local\Temp\0f723b5379544207a1c5a8739d18a22d\icons.rc, C:\Users\Admin\AppData\Local\Temp\0f723b5379544207a1c5a8739d18a22d\icons.res
    3⤵
    - Executes dropped EXE
    PID:1924
- - C:\Users\Admin\AppData\Local\Temp\0f723b5379544207a1c5a8739d18a22d\svchost.exe
    "C:\Users\Admin\AppData\Local\Temp\0f723b5379544207a1c5a8739d18a22d\svchost.exe" -extract C:\Program Files\7-Zip\7zG.dll.sys.exe, C:\Users\Admin\AppData\Local\Temp\0f723b5379544207a1c5a8739d18a22d\icons.rc, icongroup,,
    3⤵
    - Executes dropped EXE
    PID:1932
- - C:\Users\Admin\AppData\Local\Temp\0f723b5379544207a1c5a8739d18a22d\taskhost.exe
    "C:\Users\Admin\AppData\Local\Temp\0f723b5379544207a1c5a8739d18a22d\taskhost.exe" -compile C:\Users\Admin\AppData\Local\Temp\0f723b5379544207a1c5a8739d18a22d\icons.rc, C:\Users\Admin\AppData\Local\Temp\0f723b5379544207a1c5a8739d18a22d\icons.res
    3⤵
    - Executes dropped EXE
    PID:3676
- - C:\Users\Admin\AppData\Local\Temp\0f723b5379544207a1c5a8739d18a22d\svchost.exe
    "C:\Users\Admin\AppData\Local\Temp\0f723b5379544207a1c5a8739d18a22d\svchost.exe" -extract C:\Program Files\7-Zip\Uninstall.dll.sys.exe, C:\Users\Admin\AppData\Local\Temp\0f723b5379544207a1c5a8739d18a22d\icons.rc, icongroup,,
    3⤵
    - Executes dropped EXE
    PID:1756
- - C:\Users\Admin\AppData\Local\Temp\0f723b5379544207a1c5a8739d18a22d\taskhost.exe
    "C:\Users\Admin\AppData\Local\Temp\0f723b5379544207a1c5a8739d18a22d\taskhost.exe" -compile C:\Users\Admin\AppData\Local\Temp\0f723b5379544207a1c5a8739d18a22d\icons.rc, C:\Users\Admin\AppData\Local\Temp\0f723b5379544207a1c5a8739d18a22d\icons.res
    3⤵
    - Executes dropped EXE
    PID:4692
- - C:\Users\Admin\AppData\Local\Temp\0f723b5379544207a1c5a8739d18a22d\svchost.exe
    "C:\Users\Admin\AppData\Local\Temp\0f723b5379544207a1c5a8739d18a22d\svchost.exe" -addoverwrite C:\Program Files\7-Zip\Uninstall.exe", "C:\Program Files\7-Zip\Uninstall.exe, C:\Users\Admin\AppData\Local\Temp\0f723b5379544207a1c5a8739d18a22d\icons.res, icongroup,,
    3⤵
    - Executes dropped EXE
    - Drops file in Program Files directory
    PID:2992
- - C:\Users\Admin\AppData\Local\Temp\0f723b5379544207a1c5a8739d18a22d\svchost.exe
    "C:\Users\Admin\AppData\Local\Temp\0f723b5379544207a1c5a8739d18a22d\svchost.exe" -extract C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.dll.sys.exe, C:\Users\Admin\AppData\Local\Temp\0f723b5379544207a1c5a8739d18a22d\icons.rc, icongroup,,
    3⤵
    - Executes dropped EXE
    PID:3244
- - C:\Users\Admin\AppData\Local\Temp\0f723b5379544207a1c5a8739d18a22d\taskhost.exe
    "C:\Users\Admin\AppData\Local\Temp\0f723b5379544207a1c5a8739d18a22d\taskhost.exe" -compile C:\Users\Admin\AppData\Local\Temp\0f723b5379544207a1c5a8739d18a22d\icons.rc, C:\Users\Admin\AppData\Local\Temp\0f723b5379544207a1c5a8739d18a22d\icons.res
    3⤵
    - Executes dropped EXE
    PID:2464
- - C:\Users\Admin\AppData\Local\Temp\0f723b5379544207a1c5a8739d18a22d\svchost.exe
    "C:\Users\Admin\AppData\Local\Temp\0f723b5379544207a1c5a8739d18a22d\svchost.exe" -extract C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.dll.sys.exe, C:\Users\Admin\AppData\Local\Temp\0f723b5379544207a1c5a8739d18a22d\icons.rc, icongroup,,
    3⤵
    - Executes dropped EXE
    PID:2616
- - C:\Users\Admin\AppData\Local\Temp\0f723b5379544207a1c5a8739d18a22d\taskhost.exe
    "C:\Users\Admin\AppData\Local\Temp\0f723b5379544207a1c5a8739d18a22d\taskhost.exe" -compile C:\Users\Admin\AppData\Local\Temp\0f723b5379544207a1c5a8739d18a22d\icons.rc, C:\Users\Admin\AppData\Local\Temp\0f723b5379544207a1c5a8739d18a22d\icons.res
    3⤵
    - Executes dropped EXE
    PID:968
- - C:\Users\Admin\AppData\Local\Temp\0f723b5379544207a1c5a8739d18a22d\svchost.exe
    "C:\Users\Admin\AppData\Local\Temp\0f723b5379544207a1c5a8739d18a22d\svchost.exe" -extract C:\Program Files\Common Files\microsoft shared\ClickToRun\InspectorOfficeGadget.dll.sys.exe, C:\Users\Admin\AppData\Local\Temp\0f723b5379544207a1c5a8739d18a22d\icons.rc, icongroup,,
    3⤵
    - Executes dropped EXE
    PID:4004
- - C:\Users\Admin\AppData\Local\Temp\0f723b5379544207a1c5a8739d18a22d\taskhost.exe
    "C:\Users\Admin\AppData\Local\Temp\0f723b5379544207a1c5a8739d18a22d\taskhost.exe" -compile C:\Users\Admin\AppData\Local\Temp\0f723b5379544207a1c5a8739d18a22d\icons.rc, C:\Users\Admin\AppData\Local\Temp\0f723b5379544207a1c5a8739d18a22d\icons.res
    3⤵
    - Executes dropped EXE
    PID:3088
- - C:\Users\Admin\AppData\Local\Temp\0f723b5379544207a1c5a8739d18a22d\svchost.exe
    "C:\Users\Admin\AppData\Local\Temp\0f723b5379544207a1c5a8739d18a22d\svchost.exe" -extract C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.dll.sys.exe, C:\Users\Admin\AppData\Local\Temp\0f723b5379544207a1c5a8739d18a22d\icons.rc, icongroup,,
    3⤵
    - Executes dropped EXE
    PID:4776
- - C:\Users\Admin\AppData\Local\Temp\0f723b5379544207a1c5a8739d18a22d\taskhost.exe
    "C:\Users\Admin\AppData\Local\Temp\0f723b5379544207a1c5a8739d18a22d\taskhost.exe" -compile C:\Users\Admin\AppData\Local\Temp\0f723b5379544207a1c5a8739d18a22d\icons.rc, C:\Users\Admin\AppData\Local\Temp\0f723b5379544207a1c5a8739d18a22d\icons.res
    3⤵
    - Executes dropped EXE
    PID:2916
- - C:\Users\Admin\AppData\Local\Temp\0f723b5379544207a1c5a8739d18a22d\svchost.exe
    "C:\Users\Admin\AppData\Local\Temp\0f723b5379544207a1c5a8739d18a22d\svchost.exe" -extract C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.dll.sys.exe, C:\Users\Admin\AppData\Local\Temp\0f723b5379544207a1c5a8739d18a22d\icons.rc, icongroup,,
    3⤵
    - Executes dropped EXE
    PID:4796
- - C:\Users\Admin\AppData\Local\Temp\0f723b5379544207a1c5a8739d18a22d\taskhost.exe
    "C:\Users\Admin\AppData\Local\Temp\0f723b5379544207a1c5a8739d18a22d\taskhost.exe" -compile C:\Users\Admin\AppData\Local\Temp\0f723b5379544207a1c5a8739d18a22d\icons.rc, C:\Users\Admin\AppData\Local\Temp\0f723b5379544207a1c5a8739d18a22d\icons.res
    3⤵
    - Executes dropped EXE
    PID:868
- - C:\Users\Admin\AppData\Local\Temp\0f723b5379544207a1c5a8739d18a22d\svchost.exe
    "C:\Users\Admin\AppData\Local\Temp\0f723b5379544207a1c5a8739d18a22d\svchost.exe" -extract C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.dll.sys.exe, C:\Users\Admin\AppData\Local\Temp\0f723b5379544207a1c5a8739d18a22d\icons.rc, icongroup,,
    3⤵
    - Executes dropped EXE
    PID:2828
- - C:\Users\Admin\AppData\Local\Temp\0f723b5379544207a1c5a8739d18a22d\taskhost.exe
    "C:\Users\Admin\AppData\Local\Temp\0f723b5379544207a1c5a8739d18a22d\taskhost.exe" -compile C:\Users\Admin\AppData\Local\Temp\0f723b5379544207a1c5a8739d18a22d\icons.rc, C:\Users\Admin\AppData\Local\Temp\0f723b5379544207a1c5a8739d18a22d\icons.res
    3⤵
    - Executes dropped EXE
    PID:2992
- C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\Downloads\trash_malware\trash malware\Bolbi.vbs"
  2⤵
  - Checks computer location settings
  PID:900
- - C:\Windows\System32\wscript.exe
    "C:\Windows\System32\wscript.exe" "C:\Users\Admin\Downloads\trash_malware\trash malware\Bolbi.vbs" /elevated
    3⤵
    - Drops file in Windows directory
    - Modifies Control Panel
    - System policy modification
    PID:456
- C:\Users\Admin\Downloads\trash_malware\trash malware\IconDance.exe
  IconDance.exe
  2⤵
  - Executes dropped EXE
  PID:2700
- C:\Users\Admin\Downloads\trash_malware\trash malware\Illerka.C.exe
  Illerka.C.exe
  2⤵
  - UAC bypass
  - Executes dropped EXE
  - Checks whether UAC is enabled
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - System policy modification
  PID:4764
- C:\Users\Admin\Downloads\trash_malware\trash malware\FreeYoutubeDownloader.exe
  FreeYoutubeDownloader.exe
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Adds Run key to start application
  - Drops file in Windows directory
  PID:4624
- - C:\Windows\Free Youtube Downloader\Free Youtube Downloader\Free YouTube Downloader.exe
    "C:\Windows\Free Youtube Downloader\Free Youtube Downloader\Free YouTube Downloader.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    PID:2536
- C:\Users\Admin\Downloads\trash_malware\trash malware\XPAntivirus2008.exe
  XPAntivirus2008.exe
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Drops file in Program Files directory
  PID:1808
- - C:\Windows\SysWOW64\wscript.exe
    wscript //B C:\Users\Admin\AppData\Local\Temp\pin.vbs "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Antivirus XP 2008" "Antivirus XP 2008.lnk"
    3⤵
    - Checks computer location settings
    PID:2116
- - C:\Windows\SysWOW64\wscript.exe
    wscript //B C:\Users\Admin\AppData\Local\Temp\pin.vbs "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Antivirus XP 2008" "Register Antivirus XP 2008.lnk"
    3⤵
    - Checks computer location settings
    PID:1860
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c kofi.bat "C:\Users\Admin\Downloads\trash_malware\trash malware\XPAntivirus2008.exe"
    3⤵
    PID:4392
- - C:\Program Files (x86)\rhc9l0j0en3j\rhc9l0j0en3j.exe
    "C:\Program Files (x86)\rhc9l0j0en3j\rhc9l0j0en3j.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of SetWindowsHookEx
    PID:3796
  - - C:\Windows\SysWOW64\pphccl0j0en3j.exe
      "C:\Windows\system32\pphccl0j0en3j.exe"
      4⤵
      Executes dropped EXE
      PID:5100
- C:\Users\Admin\Downloads\trash_malware\trash malware\AntivirusPro2017.exe
  AntivirusPro2017.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Enumerates connected drives
  - Writes to the Master Boot Record (MBR)
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  PID:2912
- C:\Users\Admin\Downloads\trash_malware\trash malware\HappyAntivirus.exe
  HappyAntivirus.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:1348
- C:\Users\Admin\Downloads\trash_malware\trash malware\AntivirusPlatinum.exe
  AntivirusPlatinum.exe
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Drops file in Windows directory
  PID:3024
- - C:\WINDOWS\302746537.exe
    "C:\WINDOWS\302746537.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    PID:1292
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\8445.tmp\302746537.bat" "
      4⤵
      PID:2644
    - - C:\Windows\SysWOW64\regsvr32.exe
        
        regsvr32 /s c:\windows\comctl32.ocx
        5⤵
        Loads dropped DLL
        Modifies registry class
        
        PID:1980
    - - C:\Windows\SysWOW64\regsvr32.exe
        
        regsvr32 /s c:\windows\mscomctl.ocx
        5⤵
        Loads dropped DLL
        Modifies registry class
        
        PID:3088
    - - \??\c:\windows\antivirus-platinum.exe
        
        c:\windows\antivirus-platinum.exe
        5⤵
        Windows security bypass
        Disables RegEdit via registry modification
        Executes dropped EXE
        Loads dropped DLL
        Windows security modification
        Modifies Internet Explorer settings
        Modifies Internet Explorer start page
        Suspicious use of FindShellTrayWindow
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:4420
    - - C:\Windows\SysWOW64\attrib.exe
        
        attrib +h c:\windows\antivirus-platinum.exe
        5⤵
        Drops file in Windows directory
        Views/modifies file attributes
        
        PID:3060
- C:\Users\Admin\Downloads\trash_malware\trash malware\icons.exe
  icons.exe
  2⤵
  - Executes dropped EXE
  PID:2388
- C:\Users\Admin\Downloads\trash_malware\trash malware\Bonzify.exe
  Bonzify.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2808
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\KillAgent.bat"
    3⤵
    PID:1552
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im AgentSvr.exe
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:1828
  - - C:\Windows\SysWOW64\takeown.exe
      takeown /r /d y /f C:\Windows\MsAgent
      4⤵
      PID:4172
  - - C:\Windows\SysWOW64\icacls.exe
      icacls C:\Windows\MsAgent /c /t /grant "everyone":(f)
      4⤵
      PID:2052
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-setup-component_31bf3856ad364e35_10.0.19041.1237_none_a6ef3a2e62766c5c\AuditShD.exe"
    3⤵
    PID:3572
  - - C:\Windows\SysWOW64\takeown.exe
      takeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-setup-component_31bf3856ad364e35_10.0.19041.1237_none_a6ef3a2e62766c5c\AuditShD.exe"
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:4500
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\Windows\WinSxS\amd64_microsoft-windows-setup-component_31bf3856ad364e35_10.0.19041.1237_none_a6ef3a2e62766c5c\AuditShD.exe" /grant "everyone":(f)
      4⤵
      PID:652
- - C:\Users\Admin\AppData\Local\Temp\INSTALLER.exe
    INSTALLER.exe /q
    3⤵
    - Boot or Logon Autostart Execution: Active Setup
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in Windows directory
    PID:3608
  - - C:\Windows\SysWOW64\regsvr32.exe
      regsvr32 /s "C:\Windows\msagent\AgentCtl.dll"
      4⤵
      Loads dropped DLL
      Modifies registry class
      PID:1932
  - - C:\Windows\SysWOW64\regsvr32.exe
      regsvr32 /s "C:\Windows\msagent\AgentDPv.dll"
      4⤵
      Loads dropped DLL
      PID:1100
  - - C:\Windows\SysWOW64\regsvr32.exe
      regsvr32 /s "C:\Windows\msagent\mslwvtts.dll"
      4⤵
      Loads dropped DLL
      PID:1268
  - - C:\Windows\SysWOW64\regsvr32.exe
      regsvr32 /s "C:\Windows\msagent\AgentDP2.dll"
      4⤵
      Loads dropped DLL
      PID:4668
  - - C:\Windows\SysWOW64\regsvr32.exe
      regsvr32 /s "C:\Windows\msagent\AgentMPx.dll"
      4⤵
      Loads dropped DLL
      PID:868
  - - C:\Windows\SysWOW64\regsvr32.exe
      regsvr32 /s "C:\Windows\msagent\AgentSR.dll"
      4⤵
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      PID:4532
  - - C:\Windows\SysWOW64\regsvr32.exe
      regsvr32 /s "C:\Windows\msagent\AgentPsh.dll"
      4⤵
      Loads dropped DLL
      PID:3372
  - - C:\Windows\msagent\AgentSvr.exe
      "C:\Windows\msagent\AgentSvr.exe" /regserver
      4⤵
      Executes dropped EXE
      Modifies registry class
      PID:4728
  - - C:\Windows\SysWOW64\grpconv.exe
      grpconv.exe -o
      4⤵
      PID:4480
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-setup-component_31bf3856ad364e35_10.0.19041.1237_none_a6ef3a2e62766c5c\f\audit.exe"
    3⤵
    PID:2492
  - - C:\Windows\SysWOW64\takeown.exe
      takeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-setup-component_31bf3856ad364e35_10.0.19041.1237_none_a6ef3a2e62766c5c\f\audit.exe"
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:3708
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\Windows\WinSxS\amd64_microsoft-windows-setup-component_31bf3856ad364e35_10.0.19041.1237_none_a6ef3a2e62766c5c\f\audit.exe" /grant "everyone":(f)
      4⤵
      PID:1828
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-setup-component_31bf3856ad364e35_10.0.19041.1237_none_a6ef3a2e62766c5c\f\AuditShD.exe"
    3⤵
    PID:2376
  - - C:\Windows\SysWOW64\takeown.exe
      takeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-setup-component_31bf3856ad364e35_10.0.19041.1237_none_a6ef3a2e62766c5c\f\AuditShD.exe"
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:1860
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\Windows\WinSxS\amd64_microsoft-windows-setup-component_31bf3856ad364e35_10.0.19041.1237_none_a6ef3a2e62766c5c\f\AuditShD.exe" /grant "everyone":(f)
      4⤵
      PID:3960
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-setup-component_31bf3856ad364e35_10.0.19041.1237_none_a6ef3a2e62766c5c\f\Setup.exe"
    3⤵
    PID:1992
  - - C:\Windows\SysWOW64\takeown.exe
      takeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-setup-component_31bf3856ad364e35_10.0.19041.1237_none_a6ef3a2e62766c5c\f\Setup.exe"
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:4816
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\Windows\WinSxS\amd64_microsoft-windows-setup-component_31bf3856ad364e35_10.0.19041.1237_none_a6ef3a2e62766c5c\f\Setup.exe" /grant "everyone":(f)
      4⤵
      PID:3704
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-setup-component_31bf3856ad364e35_10.0.19041.1237_none_a6ef3a2e62766c5c\r\audit.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:788
  - - C:\Windows\SysWOW64\takeown.exe
      takeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-setup-component_31bf3856ad364e35_10.0.19041.1237_none_a6ef3a2e62766c5c\r\audit.exe"
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:3624
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\Windows\WinSxS\amd64_microsoft-windows-setup-component_31bf3856ad364e35_10.0.19041.1237_none_a6ef3a2e62766c5c\r\audit.exe" /grant "everyone":(f)
      4⤵
      PID:1292
- - C:\Users\Admin\AppData\Local\Temp\INSTALLER.exe
    INSTALLER.exe /q
    3⤵
    - Boot or Logon Autostart Execution: Active Setup
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Drops file in System32 directory
    - Drops file in Windows directory
    PID:4836
  - - C:\Windows\SysWOW64\regsvr32.exe
      regsvr32 /s C:\Windows\lhsp\tv\tv_enua.dll
      4⤵
      Loads dropped DLL
      PID:3696
  - - C:\Windows\SysWOW64\regsvr32.exe
      regsvr32 /s C:\Windows\lhsp\tv\tvenuax.dll
      4⤵
      Loads dropped DLL
      Modifies registry class
      PID:4248
  - - C:\Windows\SysWOW64\grpconv.exe
      grpconv.exe -o
      4⤵
      PID:4348
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-setup-component_31bf3856ad364e35_10.0.19041.1237_none_a6ef3a2e62766c5c\r\AuditShD.exe"
    3⤵
    PID:3392
  - - C:\Windows\SysWOW64\takeown.exe
      takeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-setup-component_31bf3856ad364e35_10.0.19041.1237_none_a6ef3a2e62766c5c\r\AuditShD.exe"
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:3908
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\Windows\WinSxS\amd64_microsoft-windows-setup-component_31bf3856ad364e35_10.0.19041.1237_none_a6ef3a2e62766c5c\r\AuditShD.exe" /grant "everyone":(f)
      4⤵
      PID:2524
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-setup-component_31bf3856ad364e35_10.0.19041.1237_none_a6ef3a2e62766c5c\r\Setup.exe"
    3⤵
    PID:1644
  - - C:\Windows\SysWOW64\takeown.exe
      takeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-setup-component_31bf3856ad364e35_10.0.19041.1237_none_a6ef3a2e62766c5c\r\Setup.exe"
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:5104
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\Windows\WinSxS\amd64_microsoft-windows-setup-component_31bf3856ad364e35_10.0.19041.1237_none_a6ef3a2e62766c5c\r\Setup.exe" /grant "everyone":(f)
      4⤵
      PID:4816
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-setup-component_31bf3856ad364e35_10.0.19041.1237_none_a6ef3a2e62766c5c\Setup.exe"
    3⤵
    PID:652
  - - C:\Windows\SysWOW64\takeown.exe
      takeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-setup-component_31bf3856ad364e35_10.0.19041.1237_none_a6ef3a2e62766c5c\Setup.exe"
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:4564
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\Windows\WinSxS\amd64_microsoft-windows-setup-component_31bf3856ad364e35_10.0.19041.1237_none_a6ef3a2e62766c5c\Setup.exe" /grant "everyone":(f)
      4⤵
      PID:3048
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-setup-component_31bf3856ad364e35_10.0.19041.4355_none_a6e69e18627c7f2e\audit.exe"
    3⤵
    PID:4284
  - - C:\Windows\SysWOW64\takeown.exe
      takeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-setup-component_31bf3856ad364e35_10.0.19041.4355_none_a6e69e18627c7f2e\audit.exe"
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:1284
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\Windows\WinSxS\amd64_microsoft-windows-setup-component_31bf3856ad364e35_10.0.19041.4355_none_a6e69e18627c7f2e\audit.exe" /grant "everyone":(f)
      4⤵
      PID:1912
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-setup-component_31bf3856ad364e35_10.0.19041.4355_none_a6e69e18627c7f2e\AuditShD.exe"
    3⤵
    PID:3120
  - - C:\Windows\SysWOW64\takeown.exe
      takeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-setup-component_31bf3856ad364e35_10.0.19041.4355_none_a6e69e18627c7f2e\AuditShD.exe"
      4⤵
      Possible privilege escalation attempt
      Suspicious use of AdjustPrivilegeToken
      PID:1552
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\Windows\WinSxS\amd64_microsoft-windows-setup-component_31bf3856ad364e35_10.0.19041.4355_none_a6e69e18627c7f2e\AuditShD.exe" /grant "everyone":(f)
      4⤵
      PID:348
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-setup-component_31bf3856ad364e35_10.0.19041.4355_none_a6e69e18627c7f2e\f\audit.exe"
    3⤵
    PID:2096
  - - C:\Windows\SysWOW64\takeown.exe
      takeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-setup-component_31bf3856ad364e35_10.0.19041.4355_none_a6e69e18627c7f2e\f\audit.exe"
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:1804
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\Windows\WinSxS\amd64_microsoft-windows-setup-component_31bf3856ad364e35_10.0.19041.4355_none_a6e69e18627c7f2e\f\audit.exe" /grant "everyone":(f)
      4⤵
      PID:5116
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-setup-component_31bf3856ad364e35_10.0.19041.4355_none_a6e69e18627c7f2e\f\AuditShD.exe"
    3⤵
    PID:1692
  - - C:\Windows\SysWOW64\takeown.exe
      takeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-setup-component_31bf3856ad364e35_10.0.19041.4355_none_a6e69e18627c7f2e\f\AuditShD.exe"
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:4504
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\Windows\WinSxS\amd64_microsoft-windows-setup-component_31bf3856ad364e35_10.0.19041.4355_none_a6e69e18627c7f2e\f\AuditShD.exe" /grant "everyone":(f)
      4⤵
      PID:4692
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-setup-component_31bf3856ad364e35_10.0.19041.4355_none_a6e69e18627c7f2e\f\Setup.exe"
    3⤵
    PID:4740
  - - C:\Windows\SysWOW64\takeown.exe
      takeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-setup-component_31bf3856ad364e35_10.0.19041.4355_none_a6e69e18627c7f2e\f\Setup.exe"
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:900
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\Windows\WinSxS\amd64_microsoft-windows-setup-component_31bf3856ad364e35_10.0.19041.4355_none_a6e69e18627c7f2e\f\Setup.exe" /grant "everyone":(f)
      4⤵
      PID:4828
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-setup-component_31bf3856ad364e35_10.0.19041.4355_none_a6e69e18627c7f2e\r\audit.exe"
    3⤵
    PID:3532
  - - C:\Windows\SysWOW64\takeown.exe
      takeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-setup-component_31bf3856ad364e35_10.0.19041.4355_none_a6e69e18627c7f2e\r\audit.exe"
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:3032
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\Windows\WinSxS\amd64_microsoft-windows-setup-component_31bf3856ad364e35_10.0.19041.4355_none_a6e69e18627c7f2e\r\audit.exe" /grant "everyone":(f)
      4⤵
      PID:3696
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-setup-component_31bf3856ad364e35_10.0.19041.4355_none_a6e69e18627c7f2e\r\AuditShD.exe"
    3⤵
    PID:2120
  - - C:\Windows\SysWOW64\takeown.exe
      takeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-setup-component_31bf3856ad364e35_10.0.19041.4355_none_a6e69e18627c7f2e\r\AuditShD.exe"
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:2892
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\Windows\WinSxS\amd64_microsoft-windows-setup-component_31bf3856ad364e35_10.0.19041.4355_none_a6e69e18627c7f2e\r\AuditShD.exe" /grant "everyone":(f)
      4⤵
      PID:3784
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-setup-component_31bf3856ad364e35_10.0.19041.4355_none_a6e69e18627c7f2e\r\Setup.exe"
    3⤵
    PID:4472
  - - C:\Windows\SysWOW64\takeown.exe
      takeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-setup-component_31bf3856ad364e35_10.0.19041.4355_none_a6e69e18627c7f2e\r\Setup.exe"
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:2364
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\Windows\WinSxS\amd64_microsoft-windows-setup-component_31bf3856ad364e35_10.0.19041.4355_none_a6e69e18627c7f2e\r\Setup.exe" /grant "everyone":(f)
      4⤵
      PID:5016
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-setup-component_31bf3856ad364e35_10.0.19041.4355_none_a6e69e18627c7f2e\Setup.exe"
    3⤵
    PID:4660
  - - C:\Windows\SysWOW64\takeown.exe
      takeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-setup-component_31bf3856ad364e35_10.0.19041.4355_none_a6e69e18627c7f2e\Setup.exe"
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:1676
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\Windows\WinSxS\amd64_microsoft-windows-setup-component_31bf3856ad364e35_10.0.19041.4355_none_a6e69e18627c7f2e\Setup.exe" /grant "everyone":(f)
      4⤵
      PID:1100
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-setup-mbr2gpt_31bf3856ad364e35_10.0.19041.1237_none_6b74aa3973213895\f\MBR2GPT.EXE"
    3⤵
    PID:2024
  - - C:\Windows\SysWOW64\takeown.exe
      takeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-setup-mbr2gpt_31bf3856ad364e35_10.0.19041.1237_none_6b74aa3973213895\f\MBR2GPT.EXE"
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:3764
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\Windows\WinSxS\amd64_microsoft-windows-setup-mbr2gpt_31bf3856ad364e35_10.0.19041.1237_none_6b74aa3973213895\f\MBR2GPT.EXE" /grant "everyone":(f)
      4⤵
      PID:5104
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-setup-mbr2gpt_31bf3856ad364e35_10.0.19041.1237_none_6b74aa3973213895\MBR2GPT.EXE"
    3⤵
    PID:3580
  - - C:\Windows\SysWOW64\takeown.exe
      takeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-setup-mbr2gpt_31bf3856ad364e35_10.0.19041.1237_none_6b74aa3973213895\MBR2GPT.EXE"
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:3832
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\Windows\WinSxS\amd64_microsoft-windows-setup-mbr2gpt_31bf3856ad364e35_10.0.19041.1237_none_6b74aa3973213895\MBR2GPT.EXE" /grant "everyone":(f)
      4⤵
      PID:640
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-setup-mbr2gpt_31bf3856ad364e35_10.0.19041.1237_none_6b74aa3973213895\r\MBR2GPT.EXE"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4580
  - - C:\Windows\SysWOW64\takeown.exe
      takeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-setup-mbr2gpt_31bf3856ad364e35_10.0.19041.1237_none_6b74aa3973213895\r\MBR2GPT.EXE"
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      PID:3704
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\Windows\WinSxS\amd64_microsoft-windows-setup-mbr2gpt_31bf3856ad364e35_10.0.19041.1237_none_6b74aa3973213895\r\MBR2GPT.EXE" /grant "everyone":(f)
      4⤵
      PID:764
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-setup-mbr2gpt_31bf3856ad364e35_10.0.19041.4355_none_6b6c0e2373274b67\f\MBR2GPT.EXE"
    3⤵
    PID:1192
  - - C:\Windows\SysWOW64\takeown.exe
      takeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-setup-mbr2gpt_31bf3856ad364e35_10.0.19041.4355_none_6b6c0e2373274b67\f\MBR2GPT.EXE"
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:1912
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\Windows\WinSxS\amd64_microsoft-windows-setup-mbr2gpt_31bf3856ad364e35_10.0.19041.4355_none_6b6c0e2373274b67\f\MBR2GPT.EXE" /grant "everyone":(f)
      4⤵
      Possible privilege escalation attempt
      PID:4524
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-setup-mbr2gpt_31bf3856ad364e35_10.0.19041.4355_none_6b6c0e2373274b67\MBR2GPT.EXE"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1784
  - - C:\Windows\SysWOW64\takeown.exe
      takeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-setup-mbr2gpt_31bf3856ad364e35_10.0.19041.4355_none_6b6c0e2373274b67\MBR2GPT.EXE"
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:3560
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\Windows\WinSxS\amd64_microsoft-windows-setup-mbr2gpt_31bf3856ad364e35_10.0.19041.4355_none_6b6c0e2373274b67\MBR2GPT.EXE" /grant "everyone":(f)
      4⤵
      PID:4100
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-setup-mbr2gpt_31bf3856ad364e35_10.0.19041.4355_none_6b6c0e2373274b67\r\MBR2GPT.EXE"
    3⤵
    PID:2976
  - - C:\Windows\SysWOW64\takeown.exe
      takeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-setup-mbr2gpt_31bf3856ad364e35_10.0.19041.4355_none_6b6c0e2373274b67\r\MBR2GPT.EXE"
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:5116
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\Windows\WinSxS\amd64_microsoft-windows-setup-mbr2gpt_31bf3856ad364e35_10.0.19041.4355_none_6b6c0e2373274b67\r\MBR2GPT.EXE" /grant "everyone":(f)
      4⤵
      PID:1920
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-setupapi_31bf3856ad364e35_10.0.19041.1237_none_a9b815907b71fe1a\f\wowreg32.exe"
    3⤵
    PID:2096
  - - C:\Windows\SysWOW64\takeown.exe
      takeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-setupapi_31bf3856ad364e35_10.0.19041.1237_none_a9b815907b71fe1a\f\wowreg32.exe"
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:3164
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\Windows\WinSxS\amd64_microsoft-windows-setupapi_31bf3856ad364e35_10.0.19041.1237_none_a9b815907b71fe1a\f\wowreg32.exe" /grant "everyone":(f)
      4⤵
      PID:620
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-setupapi_31bf3856ad364e35_10.0.19041.1237_none_a9b815907b71fe1a\r\wowreg32.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4504
  - - C:\Windows\SysWOW64\takeown.exe
      takeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-setupapi_31bf3856ad364e35_10.0.19041.1237_none_a9b815907b71fe1a\r\wowreg32.exe"
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:2396
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\Windows\WinSxS\amd64_microsoft-windows-setupapi_31bf3856ad364e35_10.0.19041.1237_none_a9b815907b71fe1a\r\wowreg32.exe" /grant "everyone":(f)
      4⤵
      PID:1808
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-setupapi_31bf3856ad364e35_10.0.19041.1237_none_a9b815907b71fe1a\wowreg32.exe"
    3⤵
    PID:4744
  - - C:\Windows\SysWOW64\takeown.exe
      takeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-setupapi_31bf3856ad364e35_10.0.19041.1237_none_a9b815907b71fe1a\wowreg32.exe"
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:4624
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\Windows\WinSxS\amd64_microsoft-windows-setupapi_31bf3856ad364e35_10.0.19041.1237_none_a9b815907b71fe1a\wowreg32.exe" /grant "everyone":(f)
      4⤵
      PID:4740
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-setupapi_31bf3856ad364e35_10.0.19041.4355_none_a9af797a7b7810ec\f\wowreg32.exe"
    3⤵
    PID:4144
  - - C:\Windows\SysWOW64\takeown.exe
      takeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-setupapi_31bf3856ad364e35_10.0.19041.4355_none_a9af797a7b7810ec\f\wowreg32.exe"
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:3696
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\Windows\WinSxS\amd64_microsoft-windows-setupapi_31bf3856ad364e35_10.0.19041.4355_none_a9af797a7b7810ec\f\wowreg32.exe" /grant "everyone":(f)
      4⤵
      PID:3532
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-setupapi_31bf3856ad364e35_10.0.19041.4355_none_a9af797a7b7810ec\r\wowreg32.exe"
    3⤵
    PID:1524
  - - C:\Windows\SysWOW64\takeown.exe
      takeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-setupapi_31bf3856ad364e35_10.0.19041.4355_none_a9af797a7b7810ec\r\wowreg32.exe"
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:1996
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\Windows\WinSxS\amd64_microsoft-windows-setupapi_31bf3856ad364e35_10.0.19041.4355_none_a9af797a7b7810ec\r\wowreg32.exe" /grant "everyone":(f)
      4⤵
      PID:2892
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-setupapi_31bf3856ad364e35_10.0.19041.4355_none_a9af797a7b7810ec\wowreg32.exe"
    3⤵
    PID:2908
  - - C:\Windows\SysWOW64\takeown.exe
      takeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-setupapi_31bf3856ad364e35_10.0.19041.4355_none_a9af797a7b7810ec\wowreg32.exe"
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:4636
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\Windows\WinSxS\amd64_microsoft-windows-setupapi_31bf3856ad364e35_10.0.19041.4355_none_a9af797a7b7810ec\wowreg32.exe" /grant "everyone":(f)
      4⤵
      System Location Discovery: System Language Discovery
      PID:2916
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-setupcl_31bf3856ad364e35_10.0.19041.1_none_0ea013578aa5744f\setupcl.exe"
    3⤵
    PID:4004
  - - C:\Windows\SysWOW64\takeown.exe
      takeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-setupcl_31bf3856ad364e35_10.0.19041.1_none_0ea013578aa5744f\setupcl.exe"
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:1072
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\Windows\WinSxS\amd64_microsoft-windows-setupcl_31bf3856ad364e35_10.0.19041.1_none_0ea013578aa5744f\setupcl.exe" /grant "everyone":(f)
      4⤵
      PID:4784
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-setupcl_31bf3856ad364e35_10.0.19041.3636_none_cd469c97a09c620a\f\setupcl.exe"
    3⤵
    PID:1916
  - - C:\Windows\SysWOW64\takeown.exe
      takeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-setupcl_31bf3856ad364e35_10.0.19041.3636_none_cd469c97a09c620a\f\setupcl.exe"
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:4472
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\Windows\WinSxS\amd64_microsoft-windows-setupcl_31bf3856ad364e35_10.0.19041.3636_none_cd469c97a09c620a\f\setupcl.exe" /grant "everyone":(f)
      4⤵
      PID:1100
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-setupcl_31bf3856ad364e35_10.0.19041.3636_none_cd469c97a09c620a\r\setupcl.exe"
    3⤵
    PID:4720
  - - C:\Windows\SysWOW64\takeown.exe
      takeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-setupcl_31bf3856ad364e35_10.0.19041.3636_none_cd469c97a09c620a\r\setupcl.exe"
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:2664
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\Windows\WinSxS\amd64_microsoft-windows-setupcl_31bf3856ad364e35_10.0.19041.3636_none_cd469c97a09c620a\r\setupcl.exe" /grant "everyone":(f)
      4⤵
      PID:4500
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-setupcl_31bf3856ad364e35_10.0.19041.3636_none_cd469c97a09c620a\setupcl.exe"
    3⤵
    PID:3392
  - - C:\Windows\SysWOW64\takeown.exe
      takeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-setupcl_31bf3856ad364e35_10.0.19041.3636_none_cd469c97a09c620a\setupcl.exe"
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:640
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\Windows\WinSxS\amd64_microsoft-windows-setupcl_31bf3856ad364e35_10.0.19041.3636_none_cd469c97a09c620a\setupcl.exe" /grant "everyone":(f)
      4⤵
      PID:1644
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-setx_31bf3856ad364e35_10.0.19041.1_none_6267e352b86de969\setx.exe"
    3⤵
    PID:1800
  - - C:\Windows\SysWOW64\takeown.exe
      takeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-setx_31bf3856ad364e35_10.0.19041.1_none_6267e352b86de969\setx.exe"
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:956
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\Windows\WinSxS\amd64_microsoft-windows-setx_31bf3856ad364e35_10.0.19041.1_none_6267e352b86de969\setx.exe" /grant "everyone":(f)
      4⤵
      PID:652
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-sharedaccess_31bf3856ad364e35_10.0.19041.4522_none_796f2211fe991df8\f\icsunattend.exe"
    3⤵
    PID:3160
  - - C:\Windows\SysWOW64\takeown.exe
      takeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-sharedaccess_31bf3856ad364e35_10.0.19041.4522_none_796f2211fe991df8\f\icsunattend.exe"
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:3432
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\Windows\WinSxS\amd64_microsoft-windows-sharedaccess_31bf3856ad364e35_10.0.19041.4522_none_796f2211fe991df8\f\icsunattend.exe" /grant "everyone":(f)
      4⤵
      PID:4296
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-sharedaccess_31bf3856ad364e35_10.0.19041.4522_none_796f2211fe991df8\icsunattend.exe"
    3⤵
    PID:2028
  - - C:\Windows\SysWOW64\takeown.exe
      takeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-sharedaccess_31bf3856ad364e35_10.0.19041.4522_none_796f2211fe991df8\icsunattend.exe"
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:3120
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\Windows\WinSxS\amd64_microsoft-windows-sharedaccess_31bf3856ad364e35_10.0.19041.4522_none_796f2211fe991df8\icsunattend.exe" /grant "everyone":(f)
      4⤵
      PID:1492
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-sharedaccess_31bf3856ad364e35_10.0.19041.4522_none_796f2211fe991df8\r\icsunattend.exe"
    3⤵
    PID:1552
  - - C:\Windows\SysWOW64\takeown.exe
      takeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-sharedaccess_31bf3856ad364e35_10.0.19041.4522_none_796f2211fe991df8\r\icsunattend.exe"
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:2864
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\Windows\WinSxS\amd64_microsoft-windows-sharedaccess_31bf3856ad364e35_10.0.19041.4522_none_796f2211fe991df8\r\icsunattend.exe" /grant "everyone":(f)
      4⤵
      PID:1804
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-sharedaccess_31bf3856ad364e35_10.0.19041.746_none_e2c6a972a81b8d2c\f\icsunattend.exe"
    3⤵
    PID:1972
  - - C:\Windows\SysWOW64\takeown.exe
      takeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-sharedaccess_31bf3856ad364e35_10.0.19041.746_none_e2c6a972a81b8d2c\f\icsunattend.exe"
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:188
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\Windows\WinSxS\amd64_microsoft-windows-sharedaccess_31bf3856ad364e35_10.0.19041.746_none_e2c6a972a81b8d2c\f\icsunattend.exe" /grant "everyone":(f)
      4⤵
      PID:2488
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-sharedaccess_31bf3856ad364e35_10.0.19041.746_none_e2c6a972a81b8d2c\icsunattend.exe"
    3⤵
    PID:2644
  - - C:\Windows\SysWOW64\takeown.exe
      takeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-sharedaccess_31bf3856ad364e35_10.0.19041.746_none_e2c6a972a81b8d2c\icsunattend.exe"
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:3996
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\Windows\WinSxS\amd64_microsoft-windows-sharedaccess_31bf3856ad364e35_10.0.19041.746_none_e2c6a972a81b8d2c\icsunattend.exe" /grant "everyone":(f)
      4⤵
      PID:3080
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-sharedaccess_31bf3856ad364e35_10.0.19041.746_none_e2c6a972a81b8d2c\r\icsunattend.exe"
    3⤵
    PID:2176
  - - C:\Windows\SysWOW64\takeown.exe
      takeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-sharedaccess_31bf3856ad364e35_10.0.19041.746_none_e2c6a972a81b8d2c\r\icsunattend.exe"
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:5008
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\Windows\WinSxS\amd64_microsoft-windows-sharedaccess_31bf3856ad364e35_10.0.19041.746_none_e2c6a972a81b8d2c\r\icsunattend.exe" /grant "everyone":(f)
      4⤵
      PID:3248
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-sharedfoldersui_31bf3856ad364e35_10.0.19041.3636_none_2cb4cb9be6df2714\shrpubw.exe"
    3⤵
    PID:4828
  - - C:\Windows\SysWOW64\takeown.exe
      takeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-sharedfoldersui_31bf3856ad364e35_10.0.19041.3636_none_2cb4cb9be6df2714\shrpubw.exe"
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:3532
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\Windows\WinSxS\amd64_microsoft-windows-sharedfoldersui_31bf3856ad364e35_10.0.19041.3636_none_2cb4cb9be6df2714\shrpubw.exe" /grant "everyone":(f)
      4⤵
      PID:60
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-sharedfoldersui_31bf3856ad364e35_10.0.19041.746_none_96167fa49059f7a3\shrpubw.exe"
    3⤵
    PID:3632
  - - C:\Windows\SysWOW64\takeown.exe
      takeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-sharedfoldersui_31bf3856ad364e35_10.0.19041.746_none_96167fa49059f7a3\shrpubw.exe"
      4⤵
      PID:3936
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\Windows\WinSxS\amd64_microsoft-windows-sharedfoldersui_31bf3856ad364e35_10.0.19041.746_none_96167fa49059f7a3\shrpubw.exe" /grant "everyone":(f)
      4⤵
      PID:1628
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-shell-customshellhost_31bf3856ad364e35_10.0.19041.1202_none_fd57358454385601\CustomShellHost.exe"
    3⤵
    PID:3968
  - - C:\Windows\SysWOW64\takeown.exe
      takeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-shell-customshellhost_31bf3856ad364e35_10.0.19041.1202_none_fd57358454385601\CustomShellHost.exe"
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:2532
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\Windows\WinSxS\amd64_microsoft-windows-shell-customshellhost_31bf3856ad364e35_10.0.19041.1202_none_fd57358454385601\CustomShellHost.exe" /grant "everyone":(f)
      4⤵
      PID:1960
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-shell-customshellhost_31bf3856ad364e35_10.0.19041.1202_none_fd57358454385601\n\CustomShellHost.exe"
    3⤵
    PID:2828
  - - C:\Windows\SysWOW64\takeown.exe
      takeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-shell-customshellhost_31bf3856ad364e35_10.0.19041.1202_none_fd57358454385601\n\CustomShellHost.exe"
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:2120
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\Windows\WinSxS\amd64_microsoft-windows-shell-customshellhost_31bf3856ad364e35_10.0.19041.1202_none_fd57358454385601\n\CustomShellHost.exe" /grant "everyone":(f)
      4⤵
      PID:2464
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-shell-customshellhost_31bf3856ad364e35_10.0.19041.4474_none_fd486fd4544269fb\CustomShellHost.exe"
    3⤵
    PID:824
  - - C:\Windows\SysWOW64\takeown.exe
      takeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-shell-customshellhost_31bf3856ad364e35_10.0.19041.4474_none_fd486fd4544269fb\CustomShellHost.exe"
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:1316
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\Windows\WinSxS\amd64_microsoft-windows-shell-customshellhost_31bf3856ad364e35_10.0.19041.4474_none_fd486fd4544269fb\CustomShellHost.exe" /grant "everyone":(f)
      4⤵
      PID:2616
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-shell-customshellhost_31bf3856ad364e35_10.0.19041.4474_none_fd486fd4544269fb\n\CustomShellHost.exe"
    3⤵
    PID:1860
  - - C:\Windows\SysWOW64\takeown.exe
      takeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-shell-customshellhost_31bf3856ad364e35_10.0.19041.4474_none_fd486fd4544269fb\n\CustomShellHost.exe"
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:4172
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\Windows\WinSxS\amd64_microsoft-windows-shell-customshellhost_31bf3856ad364e35_10.0.19041.4474_none_fd486fd4544269fb\n\CustomShellHost.exe" /grant "everyone":(f)
      4⤵
      PID:1940
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-shell-oneoffs-em_31bf3856ad364e35_10.0.19041.4355_none_666d6508fc334819\EM.exe"
    3⤵
    PID:1840
  - - C:\Windows\SysWOW64\takeown.exe
      takeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-shell-oneoffs-em_31bf3856ad364e35_10.0.19041.4355_none_666d6508fc334819\EM.exe"
      4⤵
      PID:4660
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\Windows\WinSxS\amd64_microsoft-windows-shell-oneoffs-em_31bf3856ad364e35_10.0.19041.4355_none_666d6508fc334819\EM.exe" /grant "everyone":(f)
      4⤵
      PID:2276
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-shell-oneoffs-em_31bf3856ad364e35_10.0.19041.4355_none_666d6508fc334819\n\EM.exe"
    3⤵
    PID:4816
  - - C:\Windows\SysWOW64\takeown.exe
      takeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-shell-oneoffs-em_31bf3856ad364e35_10.0.19041.4355_none_666d6508fc334819\n\EM.exe"
      4⤵
      PID:1056
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\Windows\WinSxS\amd64_microsoft-windows-shell-oneoffs-em_31bf3856ad364e35_10.0.19041.4355_none_666d6508fc334819\n\EM.exe" /grant "everyone":(f)
      4⤵
      PID:764
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-shell-oobe-maintenance_31bf3856ad364e35_10.0.19041.4355_none_ded90f1a0a65795b\n\OOBE-Maintenance.exe"
    3⤵
    PID:644
  - - C:\Windows\SysWOW64\takeown.exe
      takeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-shell-oobe-maintenance_31bf3856ad364e35_10.0.19041.4355_none_ded90f1a0a65795b\n\OOBE-Maintenance.exe"
      4⤵
      PID:3572
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\Windows\WinSxS\amd64_microsoft-windows-shell-oobe-maintenance_31bf3856ad364e35_10.0.19041.4355_none_ded90f1a0a65795b\n\OOBE-Maintenance.exe" /grant "everyone":(f)
      4⤵
      PID:892
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-shell-oobe-maintenance_31bf3856ad364e35_10.0.19041.4355_none_ded90f1a0a65795b\OOBE-Maintenance.exe"
    3⤵
    PID:576
  - - C:\Windows\SysWOW64\takeown.exe
      takeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-shell-oobe-maintenance_31bf3856ad364e35_10.0.19041.4355_none_ded90f1a0a65795b\OOBE-Maintenance.exe"
      4⤵
      PID:4224
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\Windows\WinSxS\amd64_microsoft-windows-shell-oobe-maintenance_31bf3856ad364e35_10.0.19041.4355_none_ded90f1a0a65795b\OOBE-Maintenance.exe" /grant "everyone":(f)
      4⤵
      PID:4028
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-shell-previewhost_31bf3856ad364e35_10.0.19041.4355_none_b7f784ecb618dc76\f\prevhost.exe"
    3⤵
    PID:3120
  - - C:\Windows\SysWOW64\takeown.exe
      takeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-shell-previewhost_31bf3856ad364e35_10.0.19041.4355_none_b7f784ecb618dc76\f\prevhost.exe"
      4⤵
      PID:1992
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\Windows\WinSxS\amd64_microsoft-windows-shell-previewhost_31bf3856ad364e35_10.0.19041.4355_none_b7f784ecb618dc76\f\prevhost.exe" /grant "everyone":(f)
      4⤵
      PID:1132
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-shell-previewhost_31bf3856ad364e35_10.0.19041.4355_none_b7f784ecb618dc76\prevhost.exe"
    3⤵
    PID:4656
  - - C:\Windows\SysWOW64\takeown.exe
      takeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-shell-previewhost_31bf3856ad364e35_10.0.19041.4355_none_b7f784ecb618dc76\prevhost.exe"
      4⤵
      PID:1552
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\Windows\WinSxS\amd64_microsoft-windows-shell-previewhost_31bf3856ad364e35_10.0.19041.4355_none_b7f784ecb618dc76\prevhost.exe" /grant "everyone":(f)
      4⤵
      PID:3756
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-shell-previewhost_31bf3856ad364e35_10.0.19041.4355_none_b7f784ecb618dc76\r\prevhost.exe"
    3⤵
    PID:3984
  - - C:\Windows\SysWOW64\takeown.exe
      takeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-shell-previewhost_31bf3856ad364e35_10.0.19041.4355_none_b7f784ecb618dc76\r\prevhost.exe"
      4⤵
      PID:1972
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\Windows\WinSxS\amd64_microsoft-windows-shell-previewhost_31bf3856ad364e35_10.0.19041.4355_none_b7f784ecb618dc76\r\prevhost.exe" /grant "everyone":(f)
      4⤵
      PID:4848
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-shell-previewhost_31bf3856ad364e35_10.0.19041.746_none_2136afef5fadeaa4\f\prevhost.exe"
    3⤵
    PID:1808
  - - C:\Windows\SysWOW64\takeown.exe
      takeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-shell-previewhost_31bf3856ad364e35_10.0.19041.746_none_2136afef5fadeaa4\f\prevhost.exe"
      4⤵
      PID:1292
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\Windows\WinSxS\amd64_microsoft-windows-shell-previewhost_31bf3856ad364e35_10.0.19041.746_none_2136afef5fadeaa4\f\prevhost.exe" /grant "everyone":(f)
      4⤵
      PID:2044
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-shell-previewhost_31bf3856ad364e35_10.0.19041.746_none_2136afef5fadeaa4\prevhost.exe"
    3⤵
    PID:4740
  - - C:\Windows\SysWOW64\takeown.exe
      takeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-shell-previewhost_31bf3856ad364e35_10.0.19041.746_none_2136afef5fadeaa4\prevhost.exe"
      4⤵
      PID:1756
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\Windows\WinSxS\amd64_microsoft-windows-shell-previewhost_31bf3856ad364e35_10.0.19041.746_none_2136afef5fadeaa4\prevhost.exe" /grant "everyone":(f)
      4⤵
      PID:2116
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-shell-previewhost_31bf3856ad364e35_10.0.19041.746_none_2136afef5fadeaa4\r\prevhost.exe"
    3⤵
    PID:3032
  - - C:\Windows\SysWOW64\takeown.exe
      takeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-shell-previewhost_31bf3856ad364e35_10.0.19041.746_none_2136afef5fadeaa4\r\prevhost.exe"
      4⤵
      PID:3532
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\Windows\WinSxS\amd64_microsoft-windows-shell-previewhost_31bf3856ad364e35_10.0.19041.746_none_2136afef5fadeaa4\r\prevhost.exe" /grant "everyone":(f)
      4⤵
      PID:272
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-shell-shellappruntime_31bf3856ad364e35_10.0.19041.4474_none_875e2eb4b0787675\n\ShellAppRuntime.exe"
    3⤵
    PID:4644
  - - C:\Windows\SysWOW64\takeown.exe
      takeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-shell-shellappruntime_31bf3856ad364e35_10.0.19041.4474_none_875e2eb4b0787675\n\ShellAppRuntime.exe"
      4⤵
      PID:3632
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\Windows\WinSxS\amd64_microsoft-windows-shell-shellappruntime_31bf3856ad364e35_10.0.19041.4474_none_875e2eb4b0787675\n\ShellAppRuntime.exe" /grant "everyone":(f)
      4⤵
      PID:5104
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-shell-shellappruntime_31bf3856ad364e35_10.0.19041.4474_none_875e2eb4b0787675\ShellAppRuntime.exe"
    3⤵
    PID:3024
  - - C:\Windows\SysWOW64\takeown.exe
      takeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-shell-shellappruntime_31bf3856ad364e35_10.0.19041.4474_none_875e2eb4b0787675\ShellAppRuntime.exe"
      4⤵
      Possible privilege escalation attempt
      PID:3252
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\Windows\WinSxS\amd64_microsoft-windows-shell-shellappruntime_31bf3856ad364e35_10.0.19041.4474_none_875e2eb4b0787675\ShellAppRuntime.exe" /grant "everyone":(f)
      4⤵
      PID:2892
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-shellhost_31bf3856ad364e35_10.0.19041.4355_none_8b325cf5d836a14f\f\sihost.exe"
    3⤵
    PID:4248
  - - C:\Windows\SysWOW64\takeown.exe
      takeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-shellhost_31bf3856ad364e35_10.0.19041.4355_none_8b325cf5d836a14f\f\sihost.exe"
      4⤵
      PID:2916
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\Windows\WinSxS\amd64_microsoft-windows-shellhost_31bf3856ad364e35_10.0.19041.4355_none_8b325cf5d836a14f\f\sihost.exe" /grant "everyone":(f)
      4⤵
      PID:1388
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-shellhost_31bf3856ad364e35_10.0.19041.4355_none_8b325cf5d836a14f\r\sihost.exe"
    3⤵
    PID:420
  - - C:\Windows\SysWOW64\takeown.exe
      takeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-shellhost_31bf3856ad364e35_10.0.19041.4355_none_8b325cf5d836a14f\r\sihost.exe"
      4⤵
      PID:1720
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\Windows\WinSxS\amd64_microsoft-windows-shellhost_31bf3856ad364e35_10.0.19041.4355_none_8b325cf5d836a14f\r\sihost.exe" /grant "everyone":(f)
      4⤵
      PID:1964
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-shellhost_31bf3856ad364e35_10.0.19041.4355_none_8b325cf5d836a14f\sihost.exe"
    3⤵
    PID:4092
  - - C:\Windows\SysWOW64\takeown.exe
      takeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-shellhost_31bf3856ad364e35_10.0.19041.4355_none_8b325cf5d836a14f\sihost.exe"
      4⤵
      PID:1860
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\Windows\WinSxS\amd64_microsoft-windows-shellhost_31bf3856ad364e35_10.0.19041.4355_none_8b325cf5d836a14f\sihost.exe" /grant "everyone":(f)
      4⤵
      PID:4132
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-shellhost_31bf3856ad364e35_10.0.19041.746_none_f47187f881cbaf7d\f\sihost.exe"
    3⤵
    PID:4660
  - - C:\Windows\SysWOW64\takeown.exe
      takeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-shellhost_31bf3856ad364e35_10.0.19041.746_none_f47187f881cbaf7d\f\sihost.exe"
      4⤵
      PID:4720
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\Windows\WinSxS\amd64_microsoft-windows-shellhost_31bf3856ad364e35_10.0.19041.746_none_f47187f881cbaf7d\f\sihost.exe" /grant "everyone":(f)
      4⤵
      PID:4480
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-shellhost_31bf3856ad364e35_10.0.19041.746_none_f47187f881cbaf7d\r\sihost.exe"
    3⤵
    PID:404
  - - C:\Windows\SysWOW64\takeown.exe
      takeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-shellhost_31bf3856ad364e35_10.0.19041.746_none_f47187f881cbaf7d\r\sihost.exe"
      4⤵
      PID:2024
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\Windows\WinSxS\amd64_microsoft-windows-shellhost_31bf3856ad364e35_10.0.19041.746_none_f47187f881cbaf7d\r\sihost.exe" /grant "everyone":(f)
      4⤵
      PID:4460
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-shellhost_31bf3856ad364e35_10.0.19041.746_none_f47187f881cbaf7d\sihost.exe"
    3⤵
    PID:3572
  - - C:\Windows\SysWOW64\takeown.exe
      takeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-shellhost_31bf3856ad364e35_10.0.19041.746_none_f47187f881cbaf7d\sihost.exe"
      4⤵
      PID:1684
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\Windows\WinSxS\amd64_microsoft-windows-shellhost_31bf3856ad364e35_10.0.19041.746_none_f47187f881cbaf7d\sihost.exe" /grant "everyone":(f)
      4⤵
      PID:4468
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-shutdown-event-tracker_31bf3856ad364e35_10.0.19041.1_none_b8c5253467557e69\shutdown.exe"
    3⤵
    PID:4100
  - - C:\Windows\SysWOW64\takeown.exe
      takeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-shutdown-event-tracker_31bf3856ad364e35_10.0.19041.1_none_b8c5253467557e69\shutdown.exe"
      4⤵
      PID:5012
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\Windows\WinSxS\amd64_microsoft-windows-shutdown-event-tracker_31bf3856ad364e35_10.0.19041.1_none_b8c5253467557e69\shutdown.exe" /grant "everyone":(f)
      4⤵
      PID:2432
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-sigverif_31bf3856ad364e35_10.0.19041.1_none_718a91e09abc2926\sigverif.exe"
    3⤵
    PID:1564
  - - C:\Windows\SysWOW64\takeown.exe
      takeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-sigverif_31bf3856ad364e35_10.0.19041.1_none_718a91e09abc2926\sigverif.exe"
      4⤵
      PID:1304
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\Windows\WinSxS\amd64_microsoft-windows-sigverif_31bf3856ad364e35_10.0.19041.1_none_718a91e09abc2926\sigverif.exe" /grant "everyone":(f)
      4⤵
      PID:5072
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-slidetoshutdown_31bf3856ad364e35_10.0.19041.1_none_4a1699e73b1ad297\SlideToShutDown.exe"
    3⤵
    PID:4408
  - - C:\Windows\SysWOW64\takeown.exe
      takeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-slidetoshutdown_31bf3856ad364e35_10.0.19041.1_none_4a1699e73b1ad297\SlideToShutDown.exe"
      4⤵
      PID:2864
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\Windows\WinSxS\amd64_microsoft-windows-slidetoshutdown_31bf3856ad364e35_10.0.19041.1_none_4a1699e73b1ad297\SlideToShutDown.exe" /grant "everyone":(f)
      4⤵
      PID:2576
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-smartscreen_31bf3856ad364e35_10.0.19041.1052_none_323c9a9ad543e3a3\f\smartscreen.exe"
    3⤵
    PID:4372
  - - C:\Windows\SysWOW64\takeown.exe
      takeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-smartscreen_31bf3856ad364e35_10.0.19041.1052_none_323c9a9ad543e3a3\f\smartscreen.exe"
      4⤵
      PID:4732
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\Windows\WinSxS\amd64_microsoft-windows-smartscreen_31bf3856ad364e35_10.0.19041.1052_none_323c9a9ad543e3a3\f\smartscreen.exe" /grant "everyone":(f)
      4⤵
      PID:2644
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-smartscreen_31bf3856ad364e35_10.0.19041.1052_none_323c9a9ad543e3a3\r\smartscreen.exe"
    3⤵
    PID:900
  - - C:\Windows\SysWOW64\takeown.exe
      takeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-smartscreen_31bf3856ad364e35_10.0.19041.1052_none_323c9a9ad543e3a3\r\smartscreen.exe"
      4⤵
      PID:4388
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\Windows\WinSxS\amd64_microsoft-windows-smartscreen_31bf3856ad364e35_10.0.19041.1052_none_323c9a9ad543e3a3\r\smartscreen.exe" /grant "everyone":(f)
      4⤵
      PID:2176
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-smartscreen_31bf3856ad364e35_10.0.19041.1052_none_323c9a9ad543e3a3\smartscreen.exe"
    3⤵
    PID:1988
  - - C:\Windows\SysWOW64\takeown.exe
      takeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-smartscreen_31bf3856ad364e35_10.0.19041.1052_none_323c9a9ad543e3a3\smartscreen.exe"
      4⤵
      PID:1764
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\Windows\WinSxS\amd64_microsoft-windows-smartscreen_31bf3856ad364e35_10.0.19041.1052_none_323c9a9ad543e3a3\smartscreen.exe" /grant "everyone":(f)
      4⤵
      PID:4828
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-smartscreen_31bf3856ad364e35_10.0.19041.4474_none_321333a0d562b0cc\f\smartscreen.exe"
    3⤵
    PID:1280
  - - C:\Windows\SysWOW64\takeown.exe
      takeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-smartscreen_31bf3856ad364e35_10.0.19041.4474_none_321333a0d562b0cc\f\smartscreen.exe"
      4⤵
      PID:60
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\Windows\WinSxS\amd64_microsoft-windows-smartscreen_31bf3856ad364e35_10.0.19041.4474_none_321333a0d562b0cc\f\smartscreen.exe" /grant "everyone":(f)
      4⤵
      PID:3488
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-smartscreen_31bf3856ad364e35_10.0.19041.4474_none_321333a0d562b0cc\r\smartscreen.exe"
    3⤵
    PID:3832
  - - C:\Windows\SysWOW64\takeown.exe
      takeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-smartscreen_31bf3856ad364e35_10.0.19041.4474_none_321333a0d562b0cc\r\smartscreen.exe"
      4⤵
      PID:3440
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\Windows\WinSxS\amd64_microsoft-windows-smartscreen_31bf3856ad364e35_10.0.19041.4474_none_321333a0d562b0cc\r\smartscreen.exe" /grant "everyone":(f)
      4⤵
      PID:2380
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-smartscreen_31bf3856ad364e35_10.0.19041.4474_none_321333a0d562b0cc\smartscreen.exe"
    3⤵
    PID:3252
  - - C:\Windows\SysWOW64\takeown.exe
      takeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-smartscreen_31bf3856ad364e35_10.0.19041.4474_none_321333a0d562b0cc\smartscreen.exe"
      4⤵
      PID:3024
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\Windows\WinSxS\amd64_microsoft-windows-smartscreen_31bf3856ad364e35_10.0.19041.4474_none_321333a0d562b0cc\smartscreen.exe" /grant "everyone":(f)
      4⤵
      PID:4024
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-smss-minwin_31bf3856ad364e35_10.0.19041.3636_none_f2f86d069e1fe195\f\smss.exe"
    3⤵
    PID:4776
  - - C:\Windows\SysWOW64\takeown.exe
      takeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-smss-minwin_31bf3856ad364e35_10.0.19041.3636_none_f2f86d069e1fe195\f\smss.exe"
      4⤵
      PID:2908
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\Windows\WinSxS\amd64_microsoft-windows-smss-minwin_31bf3856ad364e35_10.0.19041.3636_none_f2f86d069e1fe195\f\smss.exe" /grant "everyone":(f)
      4⤵
      PID:3124
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-smss-minwin_31bf3856ad364e35_10.0.19041.3636_none_f2f86d069e1fe195\r\smss.exe"
    3⤵
    PID:4784
  - - C:\Windows\SysWOW64\takeown.exe
      takeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-smss-minwin_31bf3856ad364e35_10.0.19041.3636_none_f2f86d069e1fe195\r\smss.exe"
      4⤵
      PID:1816
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\Windows\WinSxS\amd64_microsoft-windows-smss-minwin_31bf3856ad364e35_10.0.19041.3636_none_f2f86d069e1fe195\r\smss.exe" /grant "everyone":(f)
      4⤵
      PID:3436
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-smss-minwin_31bf3856ad364e35_10.0.19041.3636_none_f2f86d069e1fe195\smss.exe"
    3⤵
    PID:708
  - - C:\Windows\SysWOW64\takeown.exe
      takeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-smss-minwin_31bf3856ad364e35_10.0.19041.3636_none_f2f86d069e1fe195\smss.exe"
      4⤵
      PID:4092
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\Windows\WinSxS\amd64_microsoft-windows-smss-minwin_31bf3856ad364e35_10.0.19041.3636_none_f2f86d069e1fe195\smss.exe" /grant "everyone":(f)
      4⤵
      PID:2276
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-smss-minwin_31bf3856ad364e35_10.0.19041.964_none_5c42846f47acb1a6\f\smss.exe"
    3⤵
    PID:4424
  - - C:\Windows\SysWOW64\takeown.exe
      takeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-smss-minwin_31bf3856ad364e35_10.0.19041.964_none_5c42846f47acb1a6\f\smss.exe"
      4⤵
      PID:4660
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\Windows\WinSxS\amd64_microsoft-windows-smss-minwin_31bf3856ad364e35_10.0.19041.964_none_5c42846f47acb1a6\f\smss.exe" /grant "everyone":(f)
      4⤵
      PID:2052
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-smss-minwin_31bf3856ad364e35_10.0.19041.964_none_5c42846f47acb1a6\r\smss.exe"
    3⤵
    PID:1644
  - - C:\Windows\SysWOW64\takeown.exe
      takeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-smss-minwin_31bf3856ad364e35_10.0.19041.964_none_5c42846f47acb1a6\r\smss.exe"
      4⤵
      PID:2080
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\Windows\WinSxS\amd64_microsoft-windows-smss-minwin_31bf3856ad364e35_10.0.19041.964_none_5c42846f47acb1a6\r\smss.exe" /grant "everyone":(f)
      4⤵
      PID:4108
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-smss-minwin_31bf3856ad364e35_10.0.19041.964_none_5c42846f47acb1a6\smss.exe"
    3⤵
    PID:652
  - - C:\Windows\SysWOW64\takeown.exe
      takeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-smss-minwin_31bf3856ad364e35_10.0.19041.964_none_5c42846f47acb1a6\smss.exe"
      4⤵
      PID:4580
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\Windows\WinSxS\amd64_microsoft-windows-smss-minwin_31bf3856ad364e35_10.0.19041.964_none_5c42846f47acb1a6\smss.exe" /grant "everyone":(f)
      4⤵
      PID:4552
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-snippingtool-app_31bf3856ad364e35_10.0.19041.4355_none_0e7e21f93edd2a79\f\SnippingTool.exe"
    3⤵
    - System Network Configuration Discovery: Internet Connection Discovery
    PID:5012
  - - C:\Windows\SysWOW64\takeown.exe
      takeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-snippingtool-app_31bf3856ad364e35_10.0.19041.4355_none_0e7e21f93edd2a79\f\SnippingTool.exe"
      4⤵
      PID:1192
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\Windows\WinSxS\amd64_microsoft-windows-snippingtool-app_31bf3856ad364e35_10.0.19041.4355_none_0e7e21f93edd2a79\f\SnippingTool.exe" /grant "everyone":(f)
      4⤵
      PID:4788
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-snippingtool-app_31bf3856ad364e35_10.0.19041.4355_none_0e7e21f93edd2a79\r\SnippingTool.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    - System Network Configuration Discovery: Internet Connection Discovery
    PID:1304
  - - C:\Windows\SysWOW64\takeown.exe
      takeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-snippingtool-app_31bf3856ad364e35_10.0.19041.4355_none_0e7e21f93edd2a79\r\SnippingTool.exe"
      4⤵
      PID:2028
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\Windows\WinSxS\amd64_microsoft-windows-snippingtool-app_31bf3856ad364e35_10.0.19041.4355_none_0e7e21f93edd2a79\r\SnippingTool.exe" /grant "everyone":(f)
      4⤵
      PID:4128
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-snippingtool-app_31bf3856ad364e35_10.0.19041.4355_none_0e7e21f93edd2a79\SnippingTool.exe"
    3⤵
    - System Network Configuration Discovery: Internet Connection Discovery
    PID:1972
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:4656
  - - C:\Windows\SysWOW64\takeown.exe
      takeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-snippingtool-app_31bf3856ad364e35_10.0.19041.4355_none_0e7e21f93edd2a79\SnippingTool.exe"
      4⤵
      PID:1692
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\Windows\WinSxS\amd64_microsoft-windows-snippingtool-app_31bf3856ad364e35_10.0.19041.4355_none_0e7e21f93edd2a79\SnippingTool.exe" /grant "everyone":(f)
      4⤵
      PID:2396
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-snippingtool-app_31bf3856ad364e35_10.0.19041.746_none_77bd4cfbe87238a7\f\SnippingTool.exe"
    3⤵
    - System Network Configuration Discovery: Internet Connection Discovery
    PID:2096
  - - C:\Windows\SysWOW64\takeown.exe
      takeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-snippingtool-app_31bf3856ad364e35_10.0.19041.746_none_77bd4cfbe87238a7\f\SnippingTool.exe"
      4⤵
      PID:4900
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\Windows\WinSxS\amd64_microsoft-windows-snippingtool-app_31bf3856ad364e35_10.0.19041.746_none_77bd4cfbe87238a7\f\SnippingTool.exe" /grant "everyone":(f)
      4⤵
      PID:4624
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-snippingtool-app_31bf3856ad364e35_10.0.19041.746_none_77bd4cfbe87238a7\r\SnippingTool.exe"
    3⤵
    - System Network Configuration Discovery: Internet Connection Discovery
    PID:3996
  - - C:\Windows\SysWOW64\takeown.exe
      takeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-snippingtool-app_31bf3856ad364e35_10.0.19041.746_none_77bd4cfbe87238a7\r\SnippingTool.exe"
      4⤵
      PID:2044
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\Windows\WinSxS\amd64_microsoft-windows-snippingtool-app_31bf3856ad364e35_10.0.19041.746_none_77bd4cfbe87238a7\r\SnippingTool.exe" /grant "everyone":(f)
      4⤵
      PID:3492
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-snippingtool-app_31bf3856ad364e35_10.0.19041.746_none_77bd4cfbe87238a7\SnippingTool.exe"
    3⤵
    - System Network Configuration Discovery: Internet Connection Discovery
    PID:3008
  - - C:\Windows\SysWOW64\takeown.exe
      takeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-snippingtool-app_31bf3856ad364e35_10.0.19041.746_none_77bd4cfbe87238a7\SnippingTool.exe"
      4⤵
      PID:2116
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\Windows\WinSxS\amd64_microsoft-windows-snippingtool-app_31bf3856ad364e35_10.0.19041.746_none_77bd4cfbe87238a7\SnippingTool.exe" /grant "everyone":(f)
      4⤵
      PID:1116
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-snmp-trap-service_31bf3856ad364e35_10.0.19041.1_none_857c0c60dec56103\snmptrap.exe"
    3⤵
    PID:3116
  - - C:\Windows\SysWOW64\takeown.exe
      takeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-snmp-trap-service_31bf3856ad364e35_10.0.19041.1_none_857c0c60dec56103\snmptrap.exe"
      4⤵
      PID:4696
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\Windows\WinSxS\amd64_microsoft-windows-snmp-trap-service_31bf3856ad364e35_10.0.19041.1_none_857c0c60dec56103\snmptrap.exe" /grant "everyone":(f)
      4⤵
      PID:3632
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-sort_31bf3856ad364e35_10.0.19041.1_none_61af30d6b8e070e1\sort.exe"
    3⤵
    PID:3908
  - - C:\Windows\SysWOW64\takeown.exe
      takeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-sort_31bf3856ad364e35_10.0.19041.1_none_61af30d6b8e070e1\sort.exe"
      4⤵
      PID:3256
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\Windows\WinSxS\amd64_microsoft-windows-sort_31bf3856ad364e35_10.0.19041.1_none_61af30d6b8e070e1\sort.exe" /grant "everyone":(f)
      4⤵
      Possible privilege escalation attempt
      PID:2992
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-spectrum_31bf3856ad364e35_10.0.19041.1151_none_f0b5afbf42eaff75\f\Spectrum.exe"
    3⤵
    PID:2828
  - - C:\Windows\SysWOW64\takeown.exe
      takeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-spectrum_31bf3856ad364e35_10.0.19041.1151_none_f0b5afbf42eaff75\f\Spectrum.exe"
      4⤵
      PID:2892
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\Windows\WinSxS\amd64_microsoft-windows-spectrum_31bf3856ad364e35_10.0.19041.1151_none_f0b5afbf42eaff75\f\Spectrum.exe" /grant "everyone":(f)
      4⤵
      PID:4348
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-spectrum_31bf3856ad364e35_10.0.19041.1151_none_f0b5afbf42eaff75\r\Spectrum.exe"
    3⤵
    PID:3124
  - - C:\Windows\SysWOW64\takeown.exe
      takeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-spectrum_31bf3856ad364e35_10.0.19041.1151_none_f0b5afbf42eaff75\r\Spectrum.exe"
      4⤵
      PID:4396
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\Windows\WinSxS\amd64_microsoft-windows-spectrum_31bf3856ad364e35_10.0.19041.1151_none_f0b5afbf42eaff75\r\Spectrum.exe" /grant "everyone":(f)
      4⤵
      PID:824
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-spectrum_31bf3856ad364e35_10.0.19041.1151_none_f0b5afbf42eaff75\Spectrum.exe"
    3⤵
    PID:1916
  - - C:\Windows\SysWOW64\takeown.exe
      takeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-spectrum_31bf3856ad364e35_10.0.19041.1151_none_f0b5afbf42eaff75\Spectrum.exe"
      4⤵
      PID:3536
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\Windows\WinSxS\amd64_microsoft-windows-spectrum_31bf3856ad364e35_10.0.19041.1151_none_f0b5afbf42eaff75\Spectrum.exe" /grant "everyone":(f)
      4⤵
      PID:1100
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-spectrum_31bf3856ad364e35_10.0.19041.4522_none_f0875e1b430e344a\f\Spectrum.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3892
  - - C:\Windows\SysWOW64\takeown.exe
      takeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-spectrum_31bf3856ad364e35_10.0.19041.4522_none_f0875e1b430e344a\f\Spectrum.exe"
      4⤵
      PID:4836
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\Windows\WinSxS\amd64_microsoft-windows-spectrum_31bf3856ad364e35_10.0.19041.4522_none_f0875e1b430e344a\f\Spectrum.exe" /grant "everyone":(f)
      4⤵
      PID:4720
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-spectrum_31bf3856ad364e35_10.0.19041.4522_none_f0875e1b430e344a\r\Spectrum.exe"
    3⤵
    PID:2476
  - - C:\Windows\SysWOW64\takeown.exe
      takeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-spectrum_31bf3856ad364e35_10.0.19041.4522_none_f0875e1b430e344a\r\Spectrum.exe"
      4⤵
      PID:3036
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\Windows\WinSxS\amd64_microsoft-windows-spectrum_31bf3856ad364e35_10.0.19041.4522_none_f0875e1b430e344a\r\Spectrum.exe" /grant "everyone":(f)
      4⤵
      PID:404
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-spectrum_31bf3856ad364e35_10.0.19041.4522_none_f0875e1b430e344a\Spectrum.exe"
    3⤵
    PID:956
  - - C:\Windows\SysWOW64\takeown.exe
      takeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-spectrum_31bf3856ad364e35_10.0.19041.4522_none_f0875e1b430e344a\Spectrum.exe"
      4⤵
      PID:3132
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\Windows\WinSxS\amd64_microsoft-windows-spectrum_31bf3856ad364e35_10.0.19041.4522_none_f0875e1b430e344a\Spectrum.exe" /grant "everyone":(f)
      4⤵
      PID:1612
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-speech-userexperience_31bf3856ad364e35_10.0.19041.4355_none_90c40fd50106d653\SpeechUXWiz.exe"
    3⤵
    PID:4296
  - - C:\Windows\SysWOW64\takeown.exe
      takeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-speech-userexperience_31bf3856ad364e35_10.0.19041.4355_none_90c40fd50106d653\SpeechUXWiz.exe"
      4⤵
      PID:644
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\Windows\WinSxS\amd64_microsoft-windows-speech-userexperience_31bf3856ad364e35_10.0.19041.4355_none_90c40fd50106d653\SpeechUXWiz.exe" /grant "everyone":(f)
      4⤵
      PID:3048
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-speech-userexperience_31bf3856ad364e35_10.0.19041.746_none_fa033ad7aa9be481\SpeechUXWiz.exe"
    3⤵
    PID:4224
  - - C:\Windows\SysWOW64\takeown.exe
      takeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-speech-userexperience_31bf3856ad364e35_10.0.19041.746_none_fa033ad7aa9be481\SpeechUXWiz.exe"
      4⤵
      PID:4516
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\Windows\WinSxS\amd64_microsoft-windows-speech-userexperience_31bf3856ad364e35_10.0.19041.746_none_fa033ad7aa9be481\SpeechUXWiz.exe" /grant "everyone":(f)
      4⤵
      PID:4284
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-speechcommon-onecore_31bf3856ad364e35_10.0.19041.1081_none_e836fc4ed2e2ecc1\f\SpeechModelDownload.exe"
    3⤵
    PID:5072
  - - C:\Windows\SysWOW64\takeown.exe
      takeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-speechcommon-onecore_31bf3856ad364e35_10.0.19041.1081_none_e836fc4ed2e2ecc1\f\SpeechModelDownload.exe"
      4⤵
      System Location Discovery: System Language Discovery
      PID:348
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\Windows\WinSxS\amd64_microsoft-windows-speechcommon-onecore_31bf3856ad364e35_10.0.19041.1081_none_e836fc4ed2e2ecc1\f\SpeechModelDownload.exe" /grant "everyone":(f)
      4⤵
      PID:1552
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-speechcommon-onecore_31bf3856ad364e35_10.0.19041.1081_none_e836fc4ed2e2ecc1\r\SpeechModelDownload.exe"
    3⤵
    PID:2028
  - - C:\Windows\SysWOW64\takeown.exe
      takeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-speechcommon-onecore_31bf3856ad364e35_10.0.19041.1081_none_e836fc4ed2e2ecc1\r\SpeechModelDownload.exe"
      4⤵
      PID:4408
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\Windows\WinSxS\amd64_microsoft-windows-speechcommon-onecore_31bf3856ad364e35_10.0.19041.1081_none_e836fc4ed2e2ecc1\r\SpeechModelDownload.exe" /grant "everyone":(f)
      4⤵
      PID:3756
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-speechcommon-onecore_31bf3856ad364e35_10.0.19041.1081_none_e836fc4ed2e2ecc1\SpeechModelDownload.exe"
    3⤵
    PID:4536
  - - C:\Windows\SysWOW64\takeown.exe
      takeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-speechcommon-onecore_31bf3856ad364e35_10.0.19041.1081_none_e836fc4ed2e2ecc1\SpeechModelDownload.exe"
      4⤵
      PID:1016
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\Windows\WinSxS\amd64_microsoft-windows-speechcommon-onecore_31bf3856ad364e35_10.0.19041.1081_none_e836fc4ed2e2ecc1\SpeechModelDownload.exe" /grant "everyone":(f)
      4⤵
      PID:3984
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-speechcommon-onecore_31bf3856ad364e35_10.0.19041.4529_none_e7fa3a68d311a4e9\f\SpeechModelDownload.exe"
    3⤵
    PID:3800
  - - C:\Windows\SysWOW64\takeown.exe
      takeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-speechcommon-onecore_31bf3856ad364e35_10.0.19041.4529_none_e7fa3a68d311a4e9\f\SpeechModelDownload.exe"
      4⤵
      PID:8
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\Windows\WinSxS\amd64_microsoft-windows-speechcommon-onecore_31bf3856ad364e35_10.0.19041.4529_none_e7fa3a68d311a4e9\f\SpeechModelDownload.exe" /grant "everyone":(f)
      4⤵
      PID:1808
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-speechcommon-onecore_31bf3856ad364e35_10.0.19041.4529_none_e7fa3a68d311a4e9\r\SpeechModelDownload.exe"
    3⤵
    PID:2492
  - - C:\Windows\SysWOW64\takeown.exe
      takeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-speechcommon-onecore_31bf3856ad364e35_10.0.19041.4529_none_e7fa3a68d311a4e9\r\SpeechModelDownload.exe"
      4⤵
      PID:4136
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\Windows\WinSxS\amd64_microsoft-windows-speechcommon-onecore_31bf3856ad364e35_10.0.19041.4529_none_e7fa3a68d311a4e9\r\SpeechModelDownload.exe" /grant "everyone":(f)
      4⤵
      PID:4740
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-speechcommon-onecore_31bf3856ad364e35_10.0.19041.4529_none_e7fa3a68d311a4e9\SpeechModelDownload.exe"
    3⤵
    PID:3596
  - - C:\Windows\SysWOW64\takeown.exe
      takeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-speechcommon-onecore_31bf3856ad364e35_10.0.19041.4529_none_e7fa3a68d311a4e9\SpeechModelDownload.exe"
      4⤵
      PID:272
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\Windows\WinSxS\amd64_microsoft-windows-speechcommon-onecore_31bf3856ad364e35_10.0.19041.4529_none_e7fa3a68d311a4e9\SpeechModelDownload.exe" /grant "everyone":(f)
      4⤵
      PID:756
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-speechcommonnoia64_31bf3856ad364e35_10.0.19041.1_none_b89a948362edb3e7\sapisvr.exe"
    3⤵
    PID:724
  - - C:\Windows\SysWOW64\takeown.exe
      takeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-speechcommonnoia64_31bf3856ad364e35_10.0.19041.1_none_b89a948362edb3e7\sapisvr.exe"
      4⤵
      PID:1628
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\Windows\WinSxS\amd64_microsoft-windows-speechcommonnoia64_31bf3856ad364e35_10.0.19041.1_none_b89a948362edb3e7\sapisvr.exe" /grant "everyone":(f)
      4⤵
      PID:1996
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-spelling-host.binaries_31bf3856ad364e35_10.0.19041.3636_none_81cb2921977b3bb6\f\MsSpellCheckingHost.exe"
    3⤵
    PID:4248
  - - C:\Windows\SysWOW64\takeown.exe
      takeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-spelling-host.binaries_31bf3856ad364e35_10.0.19041.3636_none_81cb2921977b3bb6\f\MsSpellCheckingHost.exe"
      4⤵
      Possible privilege escalation attempt
      PID:1960
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\Windows\WinSxS\amd64_microsoft-windows-spelling-host.binaries_31bf3856ad364e35_10.0.19041.3636_none_81cb2921977b3bb6\f\MsSpellCheckingHost.exe" /grant "everyone":(f)
      4⤵
      PID:1524
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-spelling-host.binaries_31bf3856ad364e35_10.0.19041.3636_none_81cb2921977b3bb6\MsSpellCheckingHost.exe"
    3⤵
    PID:4636
  - - C:\Windows\SysWOW64\takeown.exe
      takeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-spelling-host.binaries_31bf3856ad364e35_10.0.19041.3636_none_81cb2921977b3bb6\MsSpellCheckingHost.exe"
      4⤵
      PID:3244
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\Windows\WinSxS\amd64_microsoft-windows-spelling-host.binaries_31bf3856ad364e35_10.0.19041.3636_none_81cb2921977b3bb6\MsSpellCheckingHost.exe" /grant "everyone":(f)
      4⤵
      System Location Discovery: System Language Discovery
      PID:1828
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-spelling-host.binaries_31bf3856ad364e35_10.0.19041.3636_none_81cb2921977b3bb6\r\MsSpellCheckingHost.exe"
    3⤵
    PID:3960
  - - C:\Windows\SysWOW64\takeown.exe
      takeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-spelling-host.binaries_31bf3856ad364e35_10.0.19041.3636_none_81cb2921977b3bb6\r\MsSpellCheckingHost.exe"
      4⤵
      PID:2220
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\Windows\WinSxS\amd64_microsoft-windows-spelling-host.binaries_31bf3856ad364e35_10.0.19041.3636_none_81cb2921977b3bb6\r\MsSpellCheckingHost.exe" /grant "everyone":(f)
      4⤵
      PID:4784
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-spelling-host.binaries_31bf3856ad364e35_10.0.19041.746_none_eb2cdd2a40f60c45\f\MsSpellCheckingHost.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4472
  - - C:\Windows\SysWOW64\takeown.exe
      takeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-spelling-host.binaries_31bf3856ad364e35_10.0.19041.746_none_eb2cdd2a40f60c45\f\MsSpellCheckingHost.exe"
      4⤵
      PID:5016
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\Windows\WinSxS\amd64_microsoft-windows-spelling-host.binaries_31bf3856ad364e35_10.0.19041.746_none_eb2cdd2a40f60c45\f\MsSpellCheckingHost.exe" /grant "everyone":(f)
      4⤵
      PID:2924
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-spelling-host.binaries_31bf3856ad364e35_10.0.19041.746_none_eb2cdd2a40f60c45\MsSpellCheckingHost.exe"
    3⤵
    PID:3372
  - - C:\Windows\SysWOW64\takeown.exe
      takeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-spelling-host.binaries_31bf3856ad364e35_10.0.19041.746_none_eb2cdd2a40f60c45\MsSpellCheckingHost.exe"
      4⤵
      PID:4752
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\Windows\WinSxS\amd64_microsoft-windows-spelling-host.binaries_31bf3856ad364e35_10.0.19041.746_none_eb2cdd2a40f60c45\MsSpellCheckingHost.exe" /grant "everyone":(f)
      4⤵
      PID:4300
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-spelling-host.binaries_31bf3856ad364e35_10.0.19041.746_none_eb2cdd2a40f60c45\r\MsSpellCheckingHost.exe"
    3⤵
    PID:2052
  - - C:\Windows\SysWOW64\takeown.exe
      takeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-spelling-host.binaries_31bf3856ad364e35_10.0.19041.746_none_eb2cdd2a40f60c45\r\MsSpellCheckingHost.exe"
      4⤵
      PID:4564
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\Windows\WinSxS\amd64_microsoft-windows-spelling-host.binaries_31bf3856ad364e35_10.0.19041.746_none_eb2cdd2a40f60c45\r\MsSpellCheckingHost.exe" /grant "everyone":(f)
      4⤵
      PID:4816
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-sqm-consolidator-base_31bf3856ad364e35_10.0.19041.1081_none_491d51c316b5ea8f\f\wsqmcons.exe"
    3⤵
    PID:4552
  - - C:\Windows\SysWOW64\takeown.exe
      takeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-sqm-consolidator-base_31bf3856ad364e35_10.0.19041.1081_none_491d51c316b5ea8f\f\wsqmcons.exe"
      4⤵
      PID:1492
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\Windows\WinSxS\amd64_microsoft-windows-sqm-consolidator-base_31bf3856ad364e35_10.0.19041.1081_none_491d51c316b5ea8f\f\wsqmcons.exe" /grant "everyone":(f)
      4⤵
      PID:3432
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-sqm-consolidator-base_31bf3856ad364e35_10.0.19041.1081_none_491d51c316b5ea8f\r\wsqmcons.exe"
    3⤵
    PID:4516
  - - C:\Windows\SysWOW64\takeown.exe
      takeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-sqm-consolidator-base_31bf3856ad364e35_10.0.19041.1081_none_491d51c316b5ea8f\r\wsqmcons.exe"
      4⤵
      PID:3160
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\Windows\WinSxS\amd64_microsoft-windows-sqm-consolidator-base_31bf3856ad364e35_10.0.19041.1081_none_491d51c316b5ea8f\r\wsqmcons.exe" /grant "everyone":(f)
      4⤵
      PID:1564
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-sqm-consolidator-base_31bf3856ad364e35_10.0.19041.1081_none_491d51c316b5ea8f\wsqmcons.exe"
    3⤵
    PID:1304
  - - C:\Windows\SysWOW64\takeown.exe
      takeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-sqm-consolidator-base_31bf3856ad364e35_10.0.19041.1081_none_491d51c316b5ea8f\wsqmcons.exe"
      4⤵
      Modifies file permissions
      PID:1804
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\Windows\WinSxS\amd64_microsoft-windows-sqm-consolidator-base_31bf3856ad364e35_10.0.19041.1081_none_491d51c316b5ea8f\wsqmcons.exe" /grant "everyone":(f)
      4⤵
      PID:2576
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-sqm-consolidator-base_31bf3856ad364e35_10.0.19041.4355_none_48f98bb316d15056\f\wsqmcons.exe"
    3⤵
    PID:1920
  - - C:\Windows\SysWOW64\takeown.exe
      takeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-sqm-consolidator-base_31bf3856ad364e35_10.0.19041.4355_none_48f98bb316d15056\f\wsqmcons.exe"
      4⤵
      PID:1692
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\Windows\WinSxS\amd64_microsoft-windows-sqm-consolidator-base_31bf3856ad364e35_10.0.19041.4355_none_48f98bb316d15056\f\wsqmcons.exe" /grant "everyone":(f)
      4⤵
      PID:3080
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-sqm-consolidator-base_31bf3856ad364e35_10.0.19041.4355_none_48f98bb316d15056\r\wsqmcons.exe"
    3⤵
    PID:4508
  - - C:\Windows\SysWOW64\takeown.exe
      takeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-sqm-consolidator-base_31bf3856ad364e35_10.0.19041.4355_none_48f98bb316d15056\r\wsqmcons.exe"
      4⤵
      PID:4900
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\Windows\WinSxS\amd64_microsoft-windows-sqm-consolidator-base_31bf3856ad364e35_10.0.19041.4355_none_48f98bb316d15056\r\wsqmcons.exe" /grant "everyone":(f)
      4⤵
      PID:4156
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-sqm-consolidator-base_31bf3856ad364e35_10.0.19041.4355_none_48f98bb316d15056\wsqmcons.exe"
    3⤵
    PID:4312
  - - C:\Windows\SysWOW64\takeown.exe
      takeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-sqm-consolidator-base_31bf3856ad364e35_10.0.19041.4355_none_48f98bb316d15056\wsqmcons.exe"
      4⤵
      PID:3532
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\Windows\WinSxS\amd64_microsoft-windows-sqm-consolidator-base_31bf3856ad364e35_10.0.19041.4355_none_48f98bb316d15056\wsqmcons.exe" /grant "everyone":(f)
      4⤵
      PID:1924
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-srdelayed_31bf3856ad364e35_10.0.19041.1_none_0c4e6556fb852148\srdelayed.exe"
    3⤵
    PID:1764
  - - C:\Windows\SysWOW64\takeown.exe
      takeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-srdelayed_31bf3856ad364e35_10.0.19041.1_none_0c4e6556fb852148\srdelayed.exe"
      4⤵
      PID:4196
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\Windows\WinSxS\amd64_microsoft-windows-srdelayed_31bf3856ad364e35_10.0.19041.1_none_0c4e6556fb852148\srdelayed.exe" /grant "everyone":(f)
      4⤵
      PID:860
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-starttiledata_31bf3856ad364e35_10.0.19041.1202_none_05856bbd8f935e6b\DataStoreCacheDumpTool.exe"
    3⤵
    PID:60
  - - C:\Windows\SysWOW64\takeown.exe
      takeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-starttiledata_31bf3856ad364e35_10.0.19041.1202_none_05856bbd8f935e6b\DataStoreCacheDumpTool.exe"
      4⤵
      PID:4696
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\Windows\WinSxS\amd64_microsoft-windows-starttiledata_31bf3856ad364e35_10.0.19041.1202_none_05856bbd8f935e6b\DataStoreCacheDumpTool.exe" /grant "everyone":(f)
      4⤵
      PID:2380
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-starttiledata_31bf3856ad364e35_10.0.19041.1202_none_05856bbd8f935e6b\f\DataStoreCacheDumpTool.exe"
    3⤵
    PID:3528
  - - C:\Windows\SysWOW64\takeown.exe
      takeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-starttiledata_31bf3856ad364e35_10.0.19041.1202_none_05856bbd8f935e6b\f\DataStoreCacheDumpTool.exe"
      4⤵
      PID:3024
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\Windows\WinSxS\amd64_microsoft-windows-starttiledata_31bf3856ad364e35_10.0.19041.1202_none_05856bbd8f935e6b\f\DataStoreCacheDumpTool.exe" /grant "everyone":(f)
      4⤵
      PID:2892
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-starttiledata_31bf3856ad364e35_10.0.19041.1202_none_05856bbd8f935e6b\r\DataStoreCacheDumpTool.exe"
    3⤵
    PID:1960
  - - C:\Windows\SysWOW64\takeown.exe
      takeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-starttiledata_31bf3856ad364e35_10.0.19041.1202_none_05856bbd8f935e6b\r\DataStoreCacheDumpTool.exe"
      4⤵
      PID:3212
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\Windows\WinSxS\amd64_microsoft-windows-starttiledata_31bf3856ad364e35_10.0.19041.1202_none_05856bbd8f935e6b\r\DataStoreCacheDumpTool.exe" /grant "everyone":(f)
      4⤵
      System Location Discovery: System Language Discovery
      PID:1316
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-starttiledata_31bf3856ad364e35_10.0.19041.4474_none_0576a60d8f9d7265\DataStoreCacheDumpTool.exe"
    3⤵
    PID:3244
  - - C:\Windows\SysWOW64\takeown.exe
      takeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-starttiledata_31bf3856ad364e35_10.0.19041.4474_none_0576a60d8f9d7265\DataStoreCacheDumpTool.exe"
      4⤵
      PID:4172
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\Windows\WinSxS\amd64_microsoft-windows-starttiledata_31bf3856ad364e35_10.0.19041.4474_none_0576a60d8f9d7265\DataStoreCacheDumpTool.exe" /grant "everyone":(f)
      4⤵
      PID:2628
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-starttiledata_31bf3856ad364e35_10.0.19041.4474_none_0576a60d8f9d7265\f\DataStoreCacheDumpTool.exe"
    3⤵
    PID:2220
  - - C:\Windows\SysWOW64\takeown.exe
      takeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-starttiledata_31bf3856ad364e35_10.0.19041.4474_none_0576a60d8f9d7265\f\DataStoreCacheDumpTool.exe"
      4⤵
      PID:4092
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\Windows\WinSxS\amd64_microsoft-windows-starttiledata_31bf3856ad364e35_10.0.19041.4474_none_0576a60d8f9d7265\f\DataStoreCacheDumpTool.exe" /grant "everyone":(f)
      4⤵
      PID:4480
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-starttiledata_31bf3856ad364e35_10.0.19041.4474_none_0576a60d8f9d7265\r\DataStoreCacheDumpTool.exe"
    3⤵
    PID:4836
  - - C:\Windows\SysWOW64\takeown.exe
      takeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-starttiledata_31bf3856ad364e35_10.0.19041.4474_none_0576a60d8f9d7265\r\DataStoreCacheDumpTool.exe"
      4⤵
      PID:4472
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\Windows\WinSxS\amd64_microsoft-windows-starttiledata_31bf3856ad364e35_10.0.19041.4474_none_0576a60d8f9d7265\r\DataStoreCacheDumpTool.exe" /grant "everyone":(f)
      4⤵
      PID:4660
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-storage-diagnostics_31bf3856ad364e35_10.0.19041.1_none_2aa26221a7a3d549\stordiag.exe"
    3⤵
    PID:524
  - - C:\Windows\SysWOW64\takeown.exe
      takeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-storage-diagnostics_31bf3856ad364e35_10.0.19041.1_none_2aa26221a7a3d549\stordiag.exe"
      4⤵
      PID:1056
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\Windows\WinSxS\amd64_microsoft-windows-storage-diagnostics_31bf3856ad364e35_10.0.19041.1_none_2aa26221a7a3d549\stordiag.exe" /grant "everyone":(f)
      4⤵
      PID:956
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-sxs_31bf3856ad364e35_10.0.19041.4355_none_2306bbe60cddf1d1\f\sxstrace.exe"
    3⤵
    PID:4564
  - - C:\Windows\SysWOW64\takeown.exe
      takeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-sxs_31bf3856ad364e35_10.0.19041.4355_none_2306bbe60cddf1d1\f\sxstrace.exe"
      4⤵
      PID:4108
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\Windows\WinSxS\amd64_microsoft-windows-sxs_31bf3856ad364e35_10.0.19041.4355_none_2306bbe60cddf1d1\f\sxstrace.exe" /grant "everyone":(f)
      4⤵
      PID:2432
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-sxs_31bf3856ad364e35_10.0.19041.4355_none_2306bbe60cddf1d1\r\sxstrace.exe"
    3⤵
    PID:1492
  - - C:\Windows\SysWOW64\takeown.exe
      takeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-sxs_31bf3856ad364e35_10.0.19041.4355_none_2306bbe60cddf1d1\r\sxstrace.exe"
      4⤵
      PID:4552
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\Windows\WinSxS\amd64_microsoft-windows-sxs_31bf3856ad364e35_10.0.19041.4355_none_2306bbe60cddf1d1\r\sxstrace.exe" /grant "everyone":(f)
      4⤵
      Possible privilege escalation attempt
      PID:4284
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-sxs_31bf3856ad364e35_10.0.19041.4355_none_2306bbe60cddf1d1\sxstrace.exe"
    3⤵
    PID:2392
  - - C:\Windows\SysWOW64\takeown.exe
      takeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-sxs_31bf3856ad364e35_10.0.19041.4355_none_2306bbe60cddf1d1\sxstrace.exe"
      4⤵
      PID:4684
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\Windows\WinSxS\amd64_microsoft-windows-sxs_31bf3856ad364e35_10.0.19041.4355_none_2306bbe60cddf1d1\sxstrace.exe" /grant "everyone":(f)
      4⤵
      PID:3496
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-sxs_31bf3856ad364e35_10.0.19041.746_none_8c45e6e8b672ffff\f\sxstrace.exe"
    3⤵
    PID:4504
  - - C:\Windows\SysWOW64\takeown.exe
      takeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-sxs_31bf3856ad364e35_10.0.19041.746_none_8c45e6e8b672ffff\f\sxstrace.exe"
      4⤵
      PID:1804
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\Windows\WinSxS\amd64_microsoft-windows-sxs_31bf3856ad364e35_10.0.19041.746_none_8c45e6e8b672ffff\f\sxstrace.exe" /grant "everyone":(f)
      4⤵
      PID:3164
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-sxs_31bf3856ad364e35_10.0.19041.746_none_8c45e6e8b672ffff\r\sxstrace.exe"
    3⤵
    PID:2488
  - - C:\Windows\SysWOW64\takeown.exe
      takeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-sxs_31bf3856ad364e35_10.0.19041.746_none_8c45e6e8b672ffff\r\sxstrace.exe"
      4⤵
      PID:1920
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\Windows\WinSxS\amd64_microsoft-windows-sxs_31bf3856ad364e35_10.0.19041.746_none_8c45e6e8b672ffff\r\sxstrace.exe" /grant "everyone":(f)
      4⤵
      PID:2864
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-sxs_31bf3856ad364e35_10.0.19041.746_none_8c45e6e8b672ffff\sxstrace.exe"
    3⤵
    PID:5008
  - - C:\Windows\SysWOW64\takeown.exe
      takeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-sxs_31bf3856ad364e35_10.0.19041.746_none_8c45e6e8b672ffff\sxstrace.exe"
      4⤵
      PID:3984
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\Windows\WinSxS\amd64_microsoft-windows-sxs_31bf3856ad364e35_10.0.19041.746_none_8c45e6e8b672ffff\sxstrace.exe" /grant "everyone":(f)
      4⤵
      PID:4528
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-synchost_31bf3856ad364e35_10.0.19041.3636_none_de18a3dcb1e6db19\f\SyncHost.exe"
    3⤵
    PID:3980
  - - C:\Windows\SysWOW64\takeown.exe
      takeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-synchost_31bf3856ad364e35_10.0.19041.3636_none_de18a3dcb1e6db19\f\SyncHost.exe"
      4⤵
      PID:4312
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\Windows\WinSxS\amd64_microsoft-windows-synchost_31bf3856ad364e35_10.0.19041.3636_none_de18a3dcb1e6db19\f\SyncHost.exe" /grant "everyone":(f)
      4⤵
      PID:2472
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-synchost_31bf3856ad364e35_10.0.19041.3636_none_de18a3dcb1e6db19\r\SyncHost.exe"
    3⤵
    PID:2868
  - - C:\Windows\SysWOW64\takeown.exe
      takeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-synchost_31bf3856ad364e35_10.0.19041.3636_none_de18a3dcb1e6db19\r\SyncHost.exe"
      4⤵
      PID:1764
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\Windows\WinSxS\amd64_microsoft-windows-synchost_31bf3856ad364e35_10.0.19041.3636_none_de18a3dcb1e6db19\r\SyncHost.exe" /grant "everyone":(f)
      4⤵
      PID:4740
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-synchost_31bf3856ad364e35_10.0.19041.3636_none_de18a3dcb1e6db19\SyncHost.exe"
    3⤵
    PID:4320
  - - C:\Windows\SysWOW64\takeown.exe
      takeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-synchost_31bf3856ad364e35_10.0.19041.3636_none_de18a3dcb1e6db19\SyncHost.exe"
      4⤵
      PID:1196
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\Windows\WinSxS\amd64_microsoft-windows-synchost_31bf3856ad364e35_10.0.19041.3636_none_de18a3dcb1e6db19\SyncHost.exe" /grant "everyone":(f)
      4⤵
      PID:756
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-synchost_31bf3856ad364e35_10.0.19041.746_none_477a57e55b61aba8\f\SyncHost.exe"
    3⤵
    PID:3024
  - - C:\Windows\SysWOW64\takeown.exe
      takeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-synchost_31bf3856ad364e35_10.0.19041.746_none_477a57e55b61aba8\f\SyncHost.exe"
      4⤵
      PID:1628
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\Windows\WinSxS\amd64_microsoft-windows-synchost_31bf3856ad364e35_10.0.19041.746_none_477a57e55b61aba8\f\SyncHost.exe" /grant "everyone":(f)
      4⤵
      PID:2616
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-synchost_31bf3856ad364e35_10.0.19041.746_none_477a57e55b61aba8\r\SyncHost.exe"
    3⤵
    PID:4776
  - - C:\Windows\SysWOW64\takeown.exe
      takeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-synchost_31bf3856ad364e35_10.0.19041.746_none_477a57e55b61aba8\r\SyncHost.exe"
      4⤵
      Possible privilege escalation attempt
      PID:1172
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\Windows\WinSxS\amd64_microsoft-windows-synchost_31bf3856ad364e35_10.0.19041.746_none_477a57e55b61aba8\r\SyncHost.exe" /grant "everyone":(f)
      4⤵
      PID:2364
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-synchost_31bf3856ad364e35_10.0.19041.746_none_477a57e55b61aba8\SyncHost.exe"
    3⤵
    PID:2516
  - - C:\Windows\SysWOW64\takeown.exe
      takeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-synchost_31bf3856ad364e35_10.0.19041.746_none_477a57e55b61aba8\SyncHost.exe"
      4⤵
      PID:420
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\Windows\WinSxS\amd64_microsoft-windows-synchost_31bf3856ad364e35_10.0.19041.746_none_477a57e55b61aba8\SyncHost.exe" /grant "everyone":(f)
      4⤵
      PID:3536
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-sysinfo_31bf3856ad364e35_10.0.19041.1_none_a545be9e97ec5400\systeminfo.exe"
    3⤵
    PID:3840
  - - C:\Windows\SysWOW64\takeown.exe
      takeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-sysinfo_31bf3856ad364e35_10.0.19041.1_none_a545be9e97ec5400\systeminfo.exe"
      4⤵
      PID:4584
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\Windows\WinSxS\amd64_microsoft-windows-sysinfo_31bf3856ad364e35_10.0.19041.1_none_a545be9e97ec5400\systeminfo.exe" /grant "everyone":(f)
      4⤵
      PID:4720
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-sysprep_31bf3856ad364e35_10.0.19041.3636_none_64163788adcf5594\f\sysprep.exe"
    3⤵
    PID:2476
  - - C:\Windows\SysWOW64\takeown.exe
      takeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-sysprep_31bf3856ad364e35_10.0.19041.3636_none_64163788adcf5594\f\sysprep.exe"
      4⤵
      PID:2924
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\Windows\WinSxS\amd64_microsoft-windows-sysprep_31bf3856ad364e35_10.0.19041.3636_none_64163788adcf5594\f\sysprep.exe" /grant "everyone":(f)
      4⤵
      PID:2080
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-sysprep_31bf3856ad364e35_10.0.19041.3636_none_64163788adcf5594\r\sysprep.exe"
    3⤵
    PID:956
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:404
  - - C:\Windows\SysWOW64\takeown.exe
      takeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-sysprep_31bf3856ad364e35_10.0.19041.3636_none_64163788adcf5594\r\sysprep.exe"
      4⤵
      PID:4424
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\Windows\WinSxS\amd64_microsoft-windows-sysprep_31bf3856ad364e35_10.0.19041.3636_none_64163788adcf5594\r\sysprep.exe" /grant "everyone":(f)
      4⤵
      PID:2052
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-sysprep_31bf3856ad364e35_10.0.19041.3636_none_64163788adcf5594\sysprep.exe"
    3⤵
    PID:3572
  - - C:\Windows\SysWOW64\takeown.exe
      takeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-sysprep_31bf3856ad364e35_10.0.19041.3636_none_64163788adcf5594\sysprep.exe"
      4⤵
      PID:1644
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\Windows\WinSxS\amd64_microsoft-windows-sysprep_31bf3856ad364e35_10.0.19041.3636_none_64163788adcf5594\sysprep.exe" /grant "everyone":(f)
      4⤵
      PID:2460
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-sysprep_31bf3856ad364e35_10.0.19041.746_none_cd77eb91574a2623\f\sysprep.exe"
    3⤵
    PID:1132
  - - C:\Windows\SysWOW64\takeown.exe
      takeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-sysprep_31bf3856ad364e35_10.0.19041.746_none_cd77eb91574a2623\f\sysprep.exe"
      4⤵
      PID:3432
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\Windows\WinSxS\amd64_microsoft-windows-sysprep_31bf3856ad364e35_10.0.19041.746_none_cd77eb91574a2623\f\sysprep.exe" /grant "everyone":(f)
      4⤵
      PID:1992
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-sysprep_31bf3856ad364e35_10.0.19041.746_none_cd77eb91574a2623\r\sysprep.exe"
    3⤵
    PID:412
  - - C:\Windows\SysWOW64\takeown.exe
      takeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-sysprep_31bf3856ad364e35_10.0.19041.746_none_cd77eb91574a2623\r\sysprep.exe"
      4⤵
      PID:4100
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\Windows\WinSxS\amd64_microsoft-windows-sysprep_31bf3856ad364e35_10.0.19041.746_none_cd77eb91574a2623\r\sysprep.exe" /grant "everyone":(f)
      4⤵
      PID:1304
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-sysprep_31bf3856ad364e35_10.0.19041.746_none_cd77eb91574a2623\sysprep.exe"
    3⤵
    PID:620
  - - C:\Windows\SysWOW64\takeown.exe
      takeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-sysprep_31bf3856ad364e35_10.0.19041.746_none_cd77eb91574a2623\sysprep.exe"
      4⤵
      PID:2576
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\Windows\WinSxS\amd64_microsoft-windows-sysprep_31bf3856ad364e35_10.0.19041.746_none_cd77eb91574a2623\sysprep.exe" /grant "everyone":(f)
      4⤵
      PID:2976
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-systempropertiesremote_31bf3856ad364e35_10.0.19041.1_none_4ac6500cab2b2113\SystemPropertiesRemote.exe"
    3⤵
    PID:2044
  - - C:\Windows\SysWOW64\takeown.exe
      takeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-systempropertiesremote_31bf3856ad364e35_10.0.19041.1_none_4ac6500cab2b2113\SystemPropertiesRemote.exe"
      4⤵
      PID:1292
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\Windows\WinSxS\amd64_microsoft-windows-systempropertiesremote_31bf3856ad364e35_10.0.19041.1_none_4ac6500cab2b2113\SystemPropertiesRemote.exe" /grant "everyone":(f)
      4⤵
      PID:4508
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-systemreset_31bf3856ad364e35_10.0.19041.1266_none_5fd6523a3130632d\f\ResetEngine.exe"
    3⤵
    PID:2116
  - - C:\Windows\SysWOW64\takeown.exe
      takeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-systemreset_31bf3856ad364e35_10.0.19041.1266_none_5fd6523a3130632d\f\ResetEngine.exe"
      4⤵
      PID:5008
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\Windows\WinSxS\amd64_microsoft-windows-systemreset_31bf3856ad364e35_10.0.19041.1266_none_5fd6523a3130632d\f\ResetEngine.exe" /grant "everyone":(f)
      4⤵
      PID:8
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-systemreset_31bf3856ad364e35_10.0.19041.1266_none_5fd6523a3130632d\f\SysResetErr.exe"
    3⤵
    PID:3052
  - - C:\Windows\SysWOW64\takeown.exe
      takeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-systemreset_31bf3856ad364e35_10.0.19041.1266_none_5fd6523a3130632d\f\SysResetErr.exe"
      4⤵
      PID:3980
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\Windows\WinSxS\amd64_microsoft-windows-systemreset_31bf3856ad364e35_10.0.19041.1266_none_5fd6523a3130632d\f\SysResetErr.exe" /grant "everyone":(f)
      4⤵
      PID:3084
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-systemreset_31bf3856ad364e35_10.0.19041.1266_none_5fd6523a3130632d\f\systemreset.exe"
    3⤵
    PID:3832
  - - C:\Windows\SysWOW64\takeown.exe
      takeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-systemreset_31bf3856ad364e35_10.0.19041.1266_none_5fd6523a3130632d\f\systemreset.exe"
      4⤵
      PID:272
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\Windows\WinSxS\amd64_microsoft-windows-systemreset_31bf3856ad364e35_10.0.19041.1266_none_5fd6523a3130632d\f\systemreset.exe" /grant "everyone":(f)
      4⤵
      PID:3936
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-systemreset_31bf3856ad364e35_10.0.19041.1266_none_5fd6523a3130632d\r\ResetEngine.exe"
    3⤵
    PID:5104
  - - C:\Windows\SysWOW64\takeown.exe
      takeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-systemreset_31bf3856ad364e35_10.0.19041.1266_none_5fd6523a3130632d\r\ResetEngine.exe"
      4⤵
      PID:4328
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\Windows\WinSxS\amd64_microsoft-windows-systemreset_31bf3856ad364e35_10.0.19041.1266_none_5fd6523a3130632d\r\ResetEngine.exe" /grant "everyone":(f)
      4⤵
      PID:4532
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-systemreset_31bf3856ad364e35_10.0.19041.1266_none_5fd6523a3130632d\r\SysResetErr.exe"
    3⤵
    PID:2464
  - - C:\Windows\SysWOW64\takeown.exe
      takeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-systemreset_31bf3856ad364e35_10.0.19041.1266_none_5fd6523a3130632d\r\SysResetErr.exe"
      4⤵
      PID:4644
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\Windows\WinSxS\amd64_microsoft-windows-systemreset_31bf3856ad364e35_10.0.19041.1266_none_5fd6523a3130632d\r\SysResetErr.exe" /grant "everyone":(f)
      4⤵
      PID:2828
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-systemreset_31bf3856ad364e35_10.0.19041.1266_none_5fd6523a3130632d\r\systemreset.exe"
    3⤵
    PID:824
  - - C:\Windows\SysWOW64\takeown.exe
      takeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-systemreset_31bf3856ad364e35_10.0.19041.1266_none_5fd6523a3130632d\r\systemreset.exe"
      4⤵
      PID:2372
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\Windows\WinSxS\amd64_microsoft-windows-systemreset_31bf3856ad364e35_10.0.19041.1266_none_5fd6523a3130632d\r\systemreset.exe" /grant "everyone":(f)
      4⤵
      PID:4132
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-systemreset_31bf3856ad364e35_10.0.19041.1266_none_5fd6523a3130632d\ResetEngine.exe"
    3⤵
    PID:4636
  - - C:\Windows\SysWOW64\takeown.exe
      takeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-systemreset_31bf3856ad364e35_10.0.19041.1266_none_5fd6523a3130632d\ResetEngine.exe"
      4⤵
      PID:2276
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\Windows\WinSxS\amd64_microsoft-windows-systemreset_31bf3856ad364e35_10.0.19041.1266_none_5fd6523a3130632d\ResetEngine.exe" /grant "everyone":(f)
      4⤵
      PID:3436
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-systemreset_31bf3856ad364e35_10.0.19041.1266_none_5fd6523a3130632d\SysResetErr.exe"
    3⤵
    PID:4480
  - - C:\Windows\SysWOW64\takeown.exe
      takeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-systemreset_31bf3856ad364e35_10.0.19041.1266_none_5fd6523a3130632d\SysResetErr.exe"
      4⤵
      PID:1980
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\Windows\WinSxS\amd64_microsoft-windows-systemreset_31bf3856ad364e35_10.0.19041.1266_none_5fd6523a3130632d\SysResetErr.exe" /grant "everyone":(f)
      4⤵
      PID:764
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-systemreset_31bf3856ad364e35_10.0.19041.1266_none_5fd6523a3130632d\systemreset.exe"
    3⤵
    PID:3892
  - - C:\Windows\SysWOW64\takeown.exe
      takeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-systemreset_31bf3856ad364e35_10.0.19041.1266_none_5fd6523a3130632d\systemreset.exe"
      4⤵
      PID:4468
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\Windows\WinSxS\amd64_microsoft-windows-systemreset_31bf3856ad364e35_10.0.19041.1266_none_5fd6523a3130632d\systemreset.exe" /grant "everyone":(f)
      4⤵
      PID:2052
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-systemreset_31bf3856ad364e35_10.0.19041.4355_none_5fca9e7e3139439b\f\ResetEngine.exe"
    3⤵
    PID:4752
  - - C:\Windows\SysWOW64\takeown.exe
      takeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-systemreset_31bf3856ad364e35_10.0.19041.4355_none_5fca9e7e3139439b\f\ResetEngine.exe"
      4⤵
      PID:1612
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\Windows\WinSxS\amd64_microsoft-windows-systemreset_31bf3856ad364e35_10.0.19041.4355_none_5fca9e7e3139439b\f\ResetEngine.exe" /grant "everyone":(f)
      4⤵
      PID:1684
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-systemreset_31bf3856ad364e35_10.0.19041.4355_none_5fca9e7e3139439b\f\SysResetErr.exe"
    3⤵
    PID:3132
  - - C:\Windows\SysWOW64\takeown.exe
      takeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-systemreset_31bf3856ad364e35_10.0.19041.4355_none_5fca9e7e3139439b\f\SysResetErr.exe"
      4⤵
      PID:652
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\Windows\WinSxS\amd64_microsoft-windows-systemreset_31bf3856ad364e35_10.0.19041.4355_none_5fca9e7e3139439b\f\SysResetErr.exe" /grant "everyone":(f)
      4⤵
      PID:4684
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-systemreset_31bf3856ad364e35_10.0.19041.4355_none_5fca9e7e3139439b\f\systemreset.exe"
    3⤵
    PID:4524
  - - C:\Windows\SysWOW64\takeown.exe
      takeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-systemreset_31bf3856ad364e35_10.0.19041.4355_none_5fca9e7e3139439b\f\systemreset.exe"
      4⤵
      PID:1784
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\Windows\WinSxS\amd64_microsoft-windows-systemreset_31bf3856ad364e35_10.0.19041.4355_none_5fca9e7e3139439b\f\systemreset.exe" /grant "everyone":(f)
      4⤵
      PID:5072
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-systemreset_31bf3856ad364e35_10.0.19041.4355_none_5fca9e7e3139439b\r\ResetEngine.exe"
    3⤵
    PID:3560
  - - C:\Windows\SysWOW64\takeown.exe
      takeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-systemreset_31bf3856ad364e35_10.0.19041.4355_none_5fca9e7e3139439b\r\ResetEngine.exe"
      4⤵
      PID:1552
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\Windows\WinSxS\amd64_microsoft-windows-systemreset_31bf3856ad364e35_10.0.19041.4355_none_5fca9e7e3139439b\r\ResetEngine.exe" /grant "everyone":(f)
      4⤵
      PID:3756
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-systemreset_31bf3856ad364e35_10.0.19041.4355_none_5fca9e7e3139439b\r\SysResetErr.exe"
    3⤵
    PID:1804
  - - C:\Windows\SysWOW64\takeown.exe
      takeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-systemreset_31bf3856ad364e35_10.0.19041.4355_none_5fca9e7e3139439b\r\SysResetErr.exe"
      4⤵
      PID:1756
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\Windows\WinSxS\amd64_microsoft-windows-systemreset_31bf3856ad364e35_10.0.19041.4355_none_5fca9e7e3139439b\r\SysResetErr.exe" /grant "everyone":(f)
      4⤵
      PID:4692
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-systemreset_31bf3856ad364e35_10.0.19041.4355_none_5fca9e7e3139439b\r\systemreset.exe"
    3⤵
    PID:2864
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:2044
  - - C:\Windows\SysWOW64\takeown.exe
      takeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-systemreset_31bf3856ad364e35_10.0.19041.4355_none_5fca9e7e3139439b\r\systemreset.exe"
      4⤵
      PID:3008
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\Windows\WinSxS\amd64_microsoft-windows-systemreset_31bf3856ad364e35_10.0.19041.4355_none_5fca9e7e3139439b\r\systemreset.exe" /grant "everyone":(f)
      4⤵
      PID:4848
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-systemreset_31bf3856ad364e35_10.0.19041.4355_none_5fca9e7e3139439b\ResetEngine.exe"
    3⤵
    PID:4528
  - - C:\Windows\SysWOW64\takeown.exe
      takeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-systemreset_31bf3856ad364e35_10.0.19041.4355_none_5fca9e7e3139439b\ResetEngine.exe"
      4⤵
      PID:4312
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\Windows\WinSxS\amd64_microsoft-windows-systemreset_31bf3856ad364e35_10.0.19041.4355_none_5fca9e7e3139439b\ResetEngine.exe" /grant "everyone":(f)
      4⤵
      PID:4144
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-systemreset_31bf3856ad364e35_10.0.19041.4355_none_5fca9e7e3139439b\SysResetErr.exe"
    3⤵
    PID:2472
  - - C:\Windows\SysWOW64\takeown.exe
      takeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-systemreset_31bf3856ad364e35_10.0.19041.4355_none_5fca9e7e3139439b\SysResetErr.exe"
      4⤵
      PID:3032
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\Windows\WinSxS\amd64_microsoft-windows-systemreset_31bf3856ad364e35_10.0.19041.4355_none_5fca9e7e3139439b\SysResetErr.exe" /grant "everyone":(f)
      4⤵
      PID:3936
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-systemreset_31bf3856ad364e35_10.0.19041.4355_none_5fca9e7e3139439b\systemreset.exe"
    3⤵
    PID:1988
  - - C:\Windows\SysWOW64\takeown.exe
      takeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-systemreset_31bf3856ad364e35_10.0.19041.4355_none_5fca9e7e3139439b\systemreset.exe"
      4⤵
      PID:4696
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\Windows\WinSxS\amd64_microsoft-windows-systemreset_31bf3856ad364e35_10.0.19041.4355_none_5fca9e7e3139439b\systemreset.exe" /grant "everyone":(f)
      4⤵
      PID:3212
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-systemrestore-main_31bf3856ad364e35_10.0.19041.4529_none_bb80f3db688c8721\f\rstrui.exe"
    3⤵
    PID:3596
  - - C:\Windows\SysWOW64\takeown.exe
      takeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-systemrestore-main_31bf3856ad364e35_10.0.19041.4529_none_bb80f3db688c8721\f\rstrui.exe"
      4⤵
      PID:3088
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\Windows\WinSxS\amd64_microsoft-windows-systemrestore-main_31bf3856ad364e35_10.0.19041.4529_none_bb80f3db688c8721\f\rstrui.exe" /grant "everyone":(f)
      4⤵
      PID:1172
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-systemrestore-main_31bf3856ad364e35_10.0.19041.4529_none_bb80f3db688c8721\r\rstrui.exe"
    3⤵
    PID:3256
  - - C:\Windows\SysWOW64\takeown.exe
      takeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-systemrestore-main_31bf3856ad364e35_10.0.19041.4529_none_bb80f3db688c8721\r\rstrui.exe"
      4⤵
      PID:4248
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\Windows\WinSxS\amd64_microsoft-windows-systemrestore-main_31bf3856ad364e35_10.0.19041.4529_none_bb80f3db688c8721\r\rstrui.exe" /grant "everyone":(f)
      4⤵
      PID:1720
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-systemrestore-main_31bf3856ad364e35_10.0.19041.4529_none_bb80f3db688c8721\rstrui.exe"
    3⤵
    PID:4132
  - - C:\Windows\SysWOW64\takeown.exe
      takeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-systemrestore-main_31bf3856ad364e35_10.0.19041.4529_none_bb80f3db688c8721\rstrui.exe"
      4⤵
      PID:3708
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\Windows\WinSxS\amd64_microsoft-windows-systemrestore-main_31bf3856ad364e35_10.0.19041.4529_none_bb80f3db688c8721\rstrui.exe" /grant "everyone":(f)
      4⤵
      PID:4472
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-systemrestore-main_31bf3856ad364e35_10.0.19041.746_none_24d91ab4120e42ee\f\rstrui.exe"
    3⤵
    PID:3436
  - - C:\Windows\SysWOW64\takeown.exe
      takeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-systemrestore-main_31bf3856ad364e35_10.0.19041.746_none_24d91ab4120e42ee\f\rstrui.exe"
      4⤵
      PID:2220
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\Windows\WinSxS\amd64_microsoft-windows-systemrestore-main_31bf3856ad364e35_10.0.19041.746_none_24d91ab4120e42ee\f\rstrui.exe" /grant "everyone":(f)
      4⤵
      PID:2080
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-systemrestore-main_31bf3856ad364e35_10.0.19041.746_none_24d91ab4120e42ee\r\rstrui.exe"
    3⤵
    PID:2924
  - - C:\Windows\SysWOW64\takeown.exe
      takeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-systemrestore-main_31bf3856ad364e35_10.0.19041.746_none_24d91ab4120e42ee\r\rstrui.exe"
      4⤵
      PID:2476
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\Windows\WinSxS\amd64_microsoft-windows-systemrestore-main_31bf3856ad364e35_10.0.19041.746_none_24d91ab4120e42ee\r\rstrui.exe" /grant "everyone":(f)
      4⤵
      PID:172
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-systemrestore-main_31bf3856ad364e35_10.0.19041.746_none_24d91ab4120e42ee\rstrui.exe"
    3⤵
    PID:3580
  - - C:\Windows\SysWOW64\takeown.exe
      takeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-systemrestore-main_31bf3856ad364e35_10.0.19041.746_none_24d91ab4120e42ee\rstrui.exe"
      4⤵
      PID:956
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\Windows\WinSxS\amd64_microsoft-windows-systemrestore-main_31bf3856ad364e35_10.0.19041.746_none_24d91ab4120e42ee\rstrui.exe" /grant "everyone":(f)
      4⤵
      PID:1612
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-systray_31bf3856ad364e35_10.0.19041.1_none_a9428a56956799d8\systray.exe"
    3⤵
    PID:1684
  - - C:\Windows\SysWOW64\takeown.exe
      takeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-systray_31bf3856ad364e35_10.0.19041.1_none_a9428a56956799d8\systray.exe"
      4⤵
      PID:4424
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\Windows\WinSxS\amd64_microsoft-windows-systray_31bf3856ad364e35_10.0.19041.1_none_a9428a56956799d8\systray.exe" /grant "everyone":(f)
      4⤵
      PID:652
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-t..-deployment-package_31bf3856ad364e35_10.0.19041.1_none_14bead3522ecffb2\TFTP.EXE"
    3⤵
    PID:4684
  - - C:\Windows\SysWOW64\takeown.exe
      takeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-t..-deployment-package_31bf3856ad364e35_10.0.19041.1_none_14bead3522ecffb2\TFTP.EXE"
      4⤵
      PID:3432
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\Windows\WinSxS\amd64_microsoft-windows-t..-deployment-package_31bf3856ad364e35_10.0.19041.1_none_14bead3522ecffb2\TFTP.EXE" /grant "everyone":(f)
      4⤵
      PID:2644
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-t..alservices-webproxy_31bf3856ad364e35_10.0.19041.3636_none_a60f419d0da3f3e9\f\TSWbPrxy.exe"
    3⤵
    PID:5012
  - - C:\Windows\SysWOW64\takeown.exe
      takeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-t..alservices-webproxy_31bf3856ad364e35_10.0.19041.3636_none_a60f419d0da3f3e9\f\TSWbPrxy.exe"
      4⤵
      PID:1332
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\Windows\WinSxS\amd64_microsoft-windows-t..alservices-webproxy_31bf3856ad364e35_10.0.19041.3636_none_a60f419d0da3f3e9\f\TSWbPrxy.exe" /grant "everyone":(f)
      4⤵
      PID:348
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-t..alservices-webproxy_31bf3856ad364e35_10.0.19041.3636_none_a60f419d0da3f3e9\r\TSWbPrxy.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3756
  - - C:\Windows\SysWOW64\takeown.exe
      takeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-t..alservices-webproxy_31bf3856ad364e35_10.0.19041.3636_none_a60f419d0da3f3e9\r\TSWbPrxy.exe"
      4⤵
      PID:412
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\Windows\WinSxS\amd64_microsoft-windows-t..alservices-webproxy_31bf3856ad364e35_10.0.19041.3636_none_a60f419d0da3f3e9\r\TSWbPrxy.exe" /grant "everyone":(f)
      4⤵
      PID:1224
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-t..alservices-webproxy_31bf3856ad364e35_10.0.19041.3636_none_a60f419d0da3f3e9\TSWbPrxy.exe"
    3⤵
    PID:4692
  - - C:\Windows\SysWOW64\takeown.exe
      takeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-t..alservices-webproxy_31bf3856ad364e35_10.0.19041.3636_none_a60f419d0da3f3e9\TSWbPrxy.exe"
      4⤵
      PID:3800
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\Windows\WinSxS\amd64_microsoft-windows-t..alservices-webproxy_31bf3856ad364e35_10.0.19041.3636_none_a60f419d0da3f3e9\TSWbPrxy.exe" /grant "everyone":(f)
      4⤵
      PID:4848
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-t..alservices-webproxy_31bf3856ad364e35_10.0.19041.746_none_0f70f5a5b71ec478\f\TSWbPrxy.exe"
    3⤵
    PID:4828
  - - C:\Windows\SysWOW64\takeown.exe
      takeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-t..alservices-webproxy_31bf3856ad364e35_10.0.19041.746_none_0f70f5a5b71ec478\f\TSWbPrxy.exe"
      4⤵
      PID:2728
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\Windows\WinSxS\amd64_microsoft-windows-t..alservices-webproxy_31bf3856ad364e35_10.0.19041.746_none_0f70f5a5b71ec478\f\TSWbPrxy.exe" /grant "everyone":(f)
      4⤵
      PID:4136
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-t..alservices-webproxy_31bf3856ad364e35_10.0.19041.746_none_0f70f5a5b71ec478\r\TSWbPrxy.exe"
    3⤵
    PID:5008
  - - C:\Windows\SysWOW64\takeown.exe
      takeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-t..alservices-webproxy_31bf3856ad364e35_10.0.19041.746_none_0f70f5a5b71ec478\r\TSWbPrxy.exe"
      4⤵
      PID:3032
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\Windows\WinSxS\amd64_microsoft-windows-t..alservices-webproxy_31bf3856ad364e35_10.0.19041.746_none_0f70f5a5b71ec478\r\TSWbPrxy.exe" /grant "everyone":(f)
      4⤵
      PID:4196
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-t..alservices-webproxy_31bf3856ad364e35_10.0.19041.746_none_0f70f5a5b71ec478\TSWbPrxy.exe"
    3⤵
    PID:3980
  - - C:\Windows\SysWOW64\takeown.exe
      takeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-t..alservices-webproxy_31bf3856ad364e35_10.0.19041.746_none_0f70f5a5b71ec478\TSWbPrxy.exe"
      4⤵
      PID:1628
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\Windows\WinSxS\amd64_microsoft-windows-t..alservices-webproxy_31bf3856ad364e35_10.0.19041.746_none_0f70f5a5b71ec478\TSWbPrxy.exe" /grant "everyone":(f)
      4⤵
      PID:4328
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-t..ces-workspacebroker_31bf3856ad364e35_10.0.19041.1151_none_0412565dd5f26733\f\wkspbroker.exe"
    3⤵
    PID:2868
  - - C:\Windows\SysWOW64\takeown.exe
      takeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-t..ces-workspacebroker_31bf3856ad364e35_10.0.19041.1151_none_0412565dd5f26733\f\wkspbroker.exe"
      4⤵
      PID:4172
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\Windows\WinSxS\amd64_microsoft-windows-t..ces-workspacebroker_31bf3856ad364e35_10.0.19041.1151_none_0412565dd5f26733\f\wkspbroker.exe" /grant "everyone":(f)
      4⤵
      PID:4296
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-t..ces-workspacebroker_31bf3856ad364e35_10.0.19041.1151_none_0412565dd5f26733\r\wkspbroker.exe"
    3⤵
    PID:3632
  - - C:\Windows\SysWOW64\takeown.exe
      takeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-t..ces-workspacebroker_31bf3856ad364e35_10.0.19041.1151_none_0412565dd5f26733\r\wkspbroker.exe"
      4⤵
      PID:420
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\Windows\WinSxS\amd64_microsoft-windows-t..ces-workspacebroker_31bf3856ad364e35_10.0.19041.1151_none_0412565dd5f26733\r\wkspbroker.exe" /grant "everyone":(f)
      4⤵
      PID:3024
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-t..ces-workspacebroker_31bf3856ad364e35_10.0.19041.1151_none_0412565dd5f26733\wkspbroker.exe"
    3⤵
    PID:3528
  - - C:\Windows\SysWOW64\takeown.exe
      takeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-t..ces-workspacebroker_31bf3856ad364e35_10.0.19041.1151_none_0412565dd5f26733\wkspbroker.exe"
      4⤵
      PID:4720
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\Windows\WinSxS\amd64_microsoft-windows-t..ces-workspacebroker_31bf3856ad364e35_10.0.19041.1151_none_0412565dd5f26733\wkspbroker.exe" /grant "everyone":(f)
      4⤵
      PID:4472
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-t..ces-workspacebroker_31bf3856ad364e35_10.0.19041.4355_none_03fc6117d602fd0e\f\wkspbroker.exe"
    3⤵
    PID:1816
  - - C:\Windows\SysWOW64\takeown.exe
      takeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-t..ces-workspacebroker_31bf3856ad364e35_10.0.19041.4355_none_03fc6117d602fd0e\f\wkspbroker.exe"
      4⤵
      PID:1940
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\Windows\WinSxS\amd64_microsoft-windows-t..ces-workspacebroker_31bf3856ad364e35_10.0.19041.4355_none_03fc6117d602fd0e\f\wkspbroker.exe" /grant "everyone":(f)
      4⤵
      PID:4396
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-t..ces-workspacebroker_31bf3856ad364e35_10.0.19041.4355_none_03fc6117d602fd0e\r\wkspbroker.exe"
    3⤵
    PID:3436
  - - C:\Windows\SysWOW64\takeown.exe
      takeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-t..ces-workspacebroker_31bf3856ad364e35_10.0.19041.4355_none_03fc6117d602fd0e\r\wkspbroker.exe"
      4⤵
      PID:1800
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\Windows\WinSxS\amd64_microsoft-windows-t..ces-workspacebroker_31bf3856ad364e35_10.0.19041.4355_none_03fc6117d602fd0e\r\wkspbroker.exe" /grant "everyone":(f)
      4⤵
      PID:172
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-t..ces-workspacebroker_31bf3856ad364e35_10.0.19041.4355_none_03fc6117d602fd0e\wkspbroker.exe"
    3⤵
    PID:4480
  - - C:\Windows\SysWOW64\takeown.exe
      takeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-t..ces-workspacebroker_31bf3856ad364e35_10.0.19041.4355_none_03fc6117d602fd0e\wkspbroker.exe"
      4⤵
      PID:1192
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\Windows\WinSxS\amd64_microsoft-windows-t..ces-workspacebroker_31bf3856ad364e35_10.0.19041.4355_none_03fc6117d602fd0e\wkspbroker.exe" /grant "everyone":(f)
      4⤵
      Modifies file permissions
      PID:5016
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-t..cesframework-ctfmon_31bf3856ad364e35_10.0.19041.1_none_53219a572fef10a2\ctfmon.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:956
  - - C:\Windows\SysWOW64\takeown.exe
      takeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-t..cesframework-ctfmon_31bf3856ad364e35_10.0.19041.1_none_53219a572fef10a2\ctfmon.exe"
      4⤵
      PID:1284
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\Windows\WinSxS\amd64_microsoft-windows-t..cesframework-ctfmon_31bf3856ad364e35_10.0.19041.1_none_53219a572fef10a2\ctfmon.exe" /grant "everyone":(f)
      4⤵
      PID:524
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-t..commandlinetoolsmqq_31bf3856ad364e35_10.0.19041.1_none_df1a7ee54b62a4fd\msg.exe"
    3⤵
    PID:4424
  - - C:\Windows\SysWOW64\takeown.exe
      takeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-t..commandlinetoolsmqq_31bf3856ad364e35_10.0.19041.1_none_df1a7ee54b62a4fd\msg.exe"
      4⤵
      PID:540
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\Windows\WinSxS\amd64_microsoft-windows-t..commandlinetoolsmqq_31bf3856ad364e35_10.0.19041.1_none_df1a7ee54b62a4fd\msg.exe" /grant "everyone":(f)
      4⤵
      PID:4564
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-t..commandlinetoolsmqq_31bf3856ad364e35_10.0.19041.1_none_df1a7ee54b62a4fd\quser.exe"
    3⤵
    PID:4816
  - - C:\Windows\SysWOW64\takeown.exe
      takeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-t..commandlinetoolsmqq_31bf3856ad364e35_10.0.19041.1_none_df1a7ee54b62a4fd\quser.exe"
      4⤵
      System Location Discovery: System Language Discovery
      PID:4372
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\Windows\WinSxS\amd64_microsoft-windows-t..commandlinetoolsmqq_31bf3856ad364e35_10.0.19041.1_none_df1a7ee54b62a4fd\quser.exe" /grant "everyone":(f)
      4⤵
      PID:2028
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-t..commandlinetoolsmqq_31bf3856ad364e35_10.0.19041.1_none_df1a7ee54b62a4fd\qwinsta.exe"
    3⤵
    PID:1332
  - - C:\Windows\SysWOW64\takeown.exe
      takeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-t..commandlinetoolsmqq_31bf3856ad364e35_10.0.19041.1_none_df1a7ee54b62a4fd\qwinsta.exe"
      4⤵
      PID:4028
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\Windows\WinSxS\amd64_microsoft-windows-t..commandlinetoolsmqq_31bf3856ad364e35_10.0.19041.1_none_df1a7ee54b62a4fd\qwinsta.exe" /grant "everyone":(f)
      4⤵
      PID:4536
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-t..eldebugger-recorder_31bf3856ad364e35_10.0.19041.4355_none_d91e29d5c32ce5b4\f\ttdinject.exe"
    3⤵
    PID:2648
  - - C:\Windows\SysWOW64\takeown.exe
      takeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-t..eldebugger-recorder_31bf3856ad364e35_10.0.19041.4355_none_d91e29d5c32ce5b4\f\ttdinject.exe"
      4⤵
      PID:3080
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\Windows\WinSxS\amd64_microsoft-windows-t..eldebugger-recorder_31bf3856ad364e35_10.0.19041.4355_none_d91e29d5c32ce5b4\f\ttdinject.exe" /grant "everyone":(f)
      4⤵
      PID:3984
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-t..eldebugger-recorder_31bf3856ad364e35_10.0.19041.4355_none_d91e29d5c32ce5b4\f\tttracer.exe"
    3⤵
    PID:3588
  - - C:\Windows\SysWOW64\takeown.exe
      takeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-t..eldebugger-recorder_31bf3856ad364e35_10.0.19041.4355_none_d91e29d5c32ce5b4\f\tttracer.exe"
      4⤵
      PID:3532
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\Windows\WinSxS\amd64_microsoft-windows-t..eldebugger-recorder_31bf3856ad364e35_10.0.19041.4355_none_d91e29d5c32ce5b4\f\tttracer.exe" /grant "everyone":(f)
      4⤵
      PID:4136
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-t..eldebugger-recorder_31bf3856ad364e35_10.0.19041.4355_none_d91e29d5c32ce5b4\r\ttdinject.exe"
    3⤵
    PID:1764
  - - C:\Windows\SysWOW64\takeown.exe
      takeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-t..eldebugger-recorder_31bf3856ad364e35_10.0.19041.4355_none_d91e29d5c32ce5b4\r\ttdinject.exe"
      4⤵
      PID:3936
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\Windows\WinSxS\amd64_microsoft-windows-t..eldebugger-recorder_31bf3856ad364e35_10.0.19041.4355_none_d91e29d5c32ce5b4\r\ttdinject.exe" /grant "everyone":(f)
      4⤵
      PID:60
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-t..eldebugger-recorder_31bf3856ad364e35_10.0.19041.4355_none_d91e29d5c32ce5b4\r\tttracer.exe"
    3⤵
    PID:2176
  - - C:\Windows\SysWOW64\takeown.exe
      takeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-t..eldebugger-recorder_31bf3856ad364e35_10.0.19041.4355_none_d91e29d5c32ce5b4\r\tttracer.exe"
      4⤵
      PID:3248
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\Windows\WinSxS\amd64_microsoft-windows-t..eldebugger-recorder_31bf3856ad364e35_10.0.19041.4355_none_d91e29d5c32ce5b4\r\tttracer.exe" /grant "everyone":(f)
      4⤵
      PID:1524
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-t..eldebugger-recorder_31bf3856ad364e35_10.0.19041.4355_none_d91e29d5c32ce5b4\ttdinject.exe"
    3⤵
    PID:3052
  - - C:\Windows\SysWOW64\takeown.exe
      takeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-t..eldebugger-recorder_31bf3856ad364e35_10.0.19041.4355_none_d91e29d5c32ce5b4\ttdinject.exe"
      4⤵
      PID:1280
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\Windows\WinSxS\amd64_microsoft-windows-t..eldebugger-recorder_31bf3856ad364e35_10.0.19041.4355_none_d91e29d5c32ce5b4\ttdinject.exe" /grant "everyone":(f)
      4⤵
      PID:3968
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-t..eldebugger-recorder_31bf3856ad364e35_10.0.19041.4355_none_d91e29d5c32ce5b4\tttracer.exe"
    3⤵
    PID:4364
  - - C:\Windows\SysWOW64\takeown.exe
      takeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-t..eldebugger-recorder_31bf3856ad364e35_10.0.19041.4355_none_d91e29d5c32ce5b4\tttracer.exe"
      4⤵
      PID:1720
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\Windows\WinSxS\amd64_microsoft-windows-t..eldebugger-recorder_31bf3856ad364e35_10.0.19041.4355_none_d91e29d5c32ce5b4\tttracer.exe" /grant "everyone":(f)
      4⤵
      PID:3024
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-t..eldebugger-recorder_31bf3856ad364e35_10.0.19041.746_none_425d54d86cc1f3e2\f\tttracer.exe"
    3⤵
    PID:3596
  - - C:\Windows\SysWOW64\takeown.exe
      takeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-t..eldebugger-recorder_31bf3856ad364e35_10.0.19041.746_none_425d54d86cc1f3e2\f\tttracer.exe"
      4⤵
      PID:3708
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\Windows\WinSxS\amd64_microsoft-windows-t..eldebugger-recorder_31bf3856ad364e35_10.0.19041.746_none_425d54d86cc1f3e2\f\tttracer.exe" /grant "everyone":(f)
      4⤵
      PID:3244
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-t..eldebugger-recorder_31bf3856ad364e35_10.0.19041.746_none_425d54d86cc1f3e2\r\tttracer.exe"
    3⤵
    PID:2464
  - - C:\Windows\SysWOW64\takeown.exe
      takeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-t..eldebugger-recorder_31bf3856ad364e35_10.0.19041.746_none_425d54d86cc1f3e2\r\tttracer.exe"
      4⤵
      PID:2372
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\Windows\WinSxS\amd64_microsoft-windows-t..eldebugger-recorder_31bf3856ad364e35_10.0.19041.746_none_425d54d86cc1f3e2\r\tttracer.exe" /grant "everyone":(f)
      4⤵
      PID:1400
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-t..eldebugger-recorder_31bf3856ad364e35_10.0.19041.746_none_425d54d86cc1f3e2\ttdinject.exe"
    3⤵
    PID:2120
  - - C:\Windows\SysWOW64\takeown.exe
      takeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-t..eldebugger-recorder_31bf3856ad364e35_10.0.19041.746_none_425d54d86cc1f3e2\ttdinject.exe"
      4⤵
      PID:1388
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\Windows\WinSxS\amd64_microsoft-windows-t..eldebugger-recorder_31bf3856ad364e35_10.0.19041.746_none_425d54d86cc1f3e2\ttdinject.exe" /grant "everyone":(f)
      4⤵
      PID:1800
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-t..eldebugger-recorder_31bf3856ad364e35_10.0.19041.746_none_425d54d86cc1f3e2\tttracer.exe"
    3⤵
    PID:172
  - - C:\Windows\SysWOW64\takeown.exe
      takeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-t..eldebugger-recorder_31bf3856ad364e35_10.0.19041.746_none_425d54d86cc1f3e2\tttracer.exe"
      4⤵
      PID:2276
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\Windows\WinSxS\amd64_microsoft-windows-t..eldebugger-recorder_31bf3856ad364e35_10.0.19041.746_none_425d54d86cc1f3e2\tttracer.exe" /grant "everyone":(f)
      4⤵
      PID:3892
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-t..es-commandlinetools_31bf3856ad364e35_10.0.19041.1_none_9aa166e99861c2bc\change.exe"
    3⤵
    PID:3664
  - - C:\Windows\SysWOW64\takeown.exe
      takeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-t..es-commandlinetools_31bf3856ad364e35_10.0.19041.1_none_9aa166e99861c2bc\change.exe"
      4⤵
      PID:2924
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\Windows\WinSxS\amd64_microsoft-windows-t..es-commandlinetools_31bf3856ad364e35_10.0.19041.1_none_9aa166e99861c2bc\change.exe" /grant "everyone":(f)
      4⤵
      PID:652
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-t..es-commandlinetools_31bf3856ad364e35_10.0.19041.1_none_9aa166e99861c2bc\chglogon.exe"
    3⤵
    PID:3036
  - - C:\Windows\SysWOW64\takeown.exe
      takeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-t..es-commandlinetools_31bf3856ad364e35_10.0.19041.1_none_9aa166e99861c2bc\chglogon.exe"
      4⤵
      PID:4468
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\Windows\WinSxS\amd64_microsoft-windows-t..es-commandlinetools_31bf3856ad364e35_10.0.19041.1_none_9aa166e99861c2bc\chglogon.exe" /grant "everyone":(f)
      4⤵
      PID:2644
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-t..es-commandlinetools_31bf3856ad364e35_10.0.19041.1_none_9aa166e99861c2bc\chgport.exe"
    3⤵
    PID:2432
  - - C:\Windows\SysWOW64\takeown.exe
      takeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-t..es-commandlinetools_31bf3856ad364e35_10.0.19041.1_none_9aa166e99861c2bc\chgport.exe"
      4⤵
      PID:1840
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\Windows\WinSxS\amd64_microsoft-windows-t..es-commandlinetools_31bf3856ad364e35_10.0.19041.1_none_9aa166e99861c2bc\chgport.exe" /grant "everyone":(f)
      4⤵
      PID:348
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-t..es-commandlinetools_31bf3856ad364e35_10.0.19041.1_none_9aa166e99861c2bc\chgusr.exe"
    3⤵
    PID:2028
  - - C:\Windows\SysWOW64\takeown.exe
      takeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-t..es-commandlinetools_31bf3856ad364e35_10.0.19041.1_none_9aa166e99861c2bc\chgusr.exe"
      4⤵
      PID:4684
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\Windows\WinSxS\amd64_microsoft-windows-t..es-commandlinetools_31bf3856ad364e35_10.0.19041.1_none_9aa166e99861c2bc\chgusr.exe" /grant "everyone":(f)
      4⤵
      PID:412
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-t..es-commandlinetools_31bf3856ad364e35_10.0.19041.1_none_9aa166e99861c2bc\logoff.exe"
    3⤵
    PID:4536
  - - C:\Windows\SysWOW64\takeown.exe
      takeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-t..es-commandlinetools_31bf3856ad364e35_10.0.19041.1_none_9aa166e99861c2bc\logoff.exe"
      4⤵
      PID:1784
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\Windows\WinSxS\amd64_microsoft-windows-t..es-commandlinetools_31bf3856ad364e35_10.0.19041.1_none_9aa166e99861c2bc\logoff.exe" /grant "everyone":(f)
      4⤵
      PID:4900
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-t..es-commandlinetools_31bf3856ad364e35_10.0.19041.1_none_9aa166e99861c2bc\qappsrv.exe"
    3⤵
    PID:2528
  - - C:\Windows\SysWOW64\takeown.exe
      takeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-t..es-commandlinetools_31bf3856ad364e35_10.0.19041.1_none_9aa166e99861c2bc\qappsrv.exe"
      4⤵
      PID:4224
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\Windows\WinSxS\amd64_microsoft-windows-t..es-commandlinetools_31bf3856ad364e35_10.0.19041.1_none_9aa166e99861c2bc\qappsrv.exe" /grant "everyone":(f)
      4⤵
      PID:3116
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-t..es-commandlinetools_31bf3856ad364e35_10.0.19041.1_none_9aa166e99861c2bc\qprocess.exe"
    3⤵
    PID:3440
  - - C:\Windows\SysWOW64\takeown.exe
      takeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-t..es-commandlinetools_31bf3856ad364e35_10.0.19041.1_none_9aa166e99861c2bc\qprocess.exe"
      4⤵
      PID:3996
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\Windows\WinSxS\amd64_microsoft-windows-t..es-commandlinetools_31bf3856ad364e35_10.0.19041.1_none_9aa166e99861c2bc\qprocess.exe" /grant "everyone":(f)
      4⤵
      PID:2532
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-t..es-commandlinetools_31bf3856ad364e35_10.0.19041.1_none_9aa166e99861c2bc\query.exe"
    3⤵
    PID:900
  - - C:\Windows\SysWOW64\takeown.exe
      takeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-t..es-commandlinetools_31bf3856ad364e35_10.0.19041.1_none_9aa166e99861c2bc\query.exe"
      4⤵
      PID:4388
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\Windows\WinSxS\amd64_microsoft-windows-t..es-commandlinetools_31bf3856ad364e35_10.0.19041.1_none_9aa166e99861c2bc\query.exe" /grant "everyone":(f)
      4⤵
      PID:3212
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-t..es-commandlinetools_31bf3856ad364e35_10.0.19041.1_none_9aa166e99861c2bc\reset.exe"
    3⤵
    PID:4328
  - - C:\Windows\SysWOW64\takeown.exe
      takeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-t..es-commandlinetools_31bf3856ad364e35_10.0.19041.1_none_9aa166e99861c2bc\reset.exe"
      4⤵
      PID:3492
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\Windows\WinSxS\amd64_microsoft-windows-t..es-commandlinetools_31bf3856ad364e35_10.0.19041.1_none_9aa166e99861c2bc\reset.exe" /grant "everyone":(f)
      4⤵
      PID:724
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-t..es-commandlinetools_31bf3856ad364e35_10.0.19041.1_none_9aa166e99861c2bc\rwinsta.exe"
    3⤵
    PID:4320
  - - C:\Windows\SysWOW64\takeown.exe
      takeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-t..es-commandlinetools_31bf3856ad364e35_10.0.19041.1_none_9aa166e99861c2bc\rwinsta.exe"
      4⤵
      PID:3696
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\Windows\WinSxS\amd64_microsoft-windows-t..es-commandlinetools_31bf3856ad364e35_10.0.19041.1_none_9aa166e99861c2bc\rwinsta.exe" /grant "everyone":(f)
      4⤵
      PID:2616
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-t..es-commandlinetools_31bf3856ad364e35_10.0.19041.1_none_9aa166e99861c2bc\tscon.exe"
    3⤵
    PID:1720
  - - C:\Windows\SysWOW64\takeown.exe
      takeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-t..es-commandlinetools_31bf3856ad364e35_10.0.19041.1_none_9aa166e99861c2bc\tscon.exe"
      4⤵
      System Location Discovery: System Language Discovery
      PID:2492
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\Windows\WinSxS\amd64_microsoft-windows-t..es-commandlinetools_31bf3856ad364e35_10.0.19041.1_none_9aa166e99861c2bc\tscon.exe" /grant "everyone":(f)
      4⤵
      PID:4348
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-t..es-commandlinetools_31bf3856ad364e35_10.0.19041.1_none_9aa166e99861c2bc\tsdiscon.exe"
    3⤵
    PID:3708
  - - C:\Windows\SysWOW64\takeown.exe
      takeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-t..es-commandlinetools_31bf3856ad364e35_10.0.19041.1_none_9aa166e99861c2bc\tsdiscon.exe"
      4⤵
      PID:4784
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\Windows\WinSxS\amd64_microsoft-windows-t..es-commandlinetools_31bf3856ad364e35_10.0.19041.1_none_9aa166e99861c2bc\tsdiscon.exe" /grant "everyone":(f)
      4⤵
      PID:2080
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-t..es-commandlinetools_31bf3856ad364e35_10.0.19041.1_none_9aa166e99861c2bc\tskill.exe"
    3⤵
    PID:2372
  - - C:\Windows\SysWOW64\takeown.exe
      takeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-t..es-commandlinetools_31bf3856ad364e35_10.0.19041.1_none_9aa166e99861c2bc\tskill.exe"
      4⤵
      PID:1144
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\Windows\WinSxS\amd64_microsoft-windows-t..es-commandlinetools_31bf3856ad364e35_10.0.19041.1_none_9aa166e99861c2bc\tskill.exe" /grant "everyone":(f)
      4⤵
      PID:2628
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-t..es-inputredirection_31bf3856ad364e35_10.0.19041.1_none_ba15c535035058c0\rdpinput.exe"
    3⤵
    PID:4092
  - - C:\Windows\SysWOW64\takeown.exe
      takeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-t..es-inputredirection_31bf3856ad364e35_10.0.19041.1_none_ba15c535035058c0\rdpinput.exe"
      4⤵
      PID:1388
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\Windows\WinSxS\amd64_microsoft-windows-t..es-inputredirection_31bf3856ad364e35_10.0.19041.1_none_ba15c535035058c0\rdpinput.exe" /grant "everyone":(f)
      4⤵
      PID:2664
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-t..es-workspaceruntime_31bf3856ad364e35_10.0.19041.3636_none_9afcd1809296ada6\f\wksprt.exe"
    3⤵
    PID:3372
  - - C:\Windows\SysWOW64\takeown.exe
      takeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-t..es-workspaceruntime_31bf3856ad364e35_10.0.19041.3636_none_9afcd1809296ada6\f\wksprt.exe"
      4⤵
      PID:4584
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\Windows\WinSxS\amd64_microsoft-windows-t..es-workspaceruntime_31bf3856ad364e35_10.0.19041.3636_none_9afcd1809296ada6\f\wksprt.exe" /grant "everyone":(f)
      4⤵
      PID:4660
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-t..es-workspaceruntime_31bf3856ad364e35_10.0.19041.3636_none_9afcd1809296ada6\r\wksprt.exe"
    3⤵
    PID:2720
  - - C:\Windows\SysWOW64\takeown.exe
      takeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-t..es-workspaceruntime_31bf3856ad364e35_10.0.19041.3636_none_9afcd1809296ada6\r\wksprt.exe"
      4⤵
      PID:3960
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\Windows\WinSxS\amd64_microsoft-windows-t..es-workspaceruntime_31bf3856ad364e35_10.0.19041.3636_none_9afcd1809296ada6\r\wksprt.exe" /grant "everyone":(f)
      4⤵
      PID:708
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-t..es-workspaceruntime_31bf3856ad364e35_10.0.19041.3636_none_9afcd1809296ada6\wksprt.exe"
    3⤵
    PID:2644
  - - C:\Windows\SysWOW64\takeown.exe
      takeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-t..es-workspaceruntime_31bf3856ad364e35_10.0.19041.3636_none_9afcd1809296ada6\wksprt.exe"
      4⤵
      PID:3160
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\Windows\WinSxS\amd64_microsoft-windows-t..es-workspaceruntime_31bf3856ad364e35_10.0.19041.3636_none_9afcd1809296ada6\wksprt.exe" /grant "everyone":(f)
      4⤵
      PID:4524
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-t..es-workspaceruntime_31bf3856ad364e35_10.0.19041.746_none_045e85893c117e35\f\wksprt.exe"
    3⤵
    PID:348
  - - C:\Windows\SysWOW64\takeown.exe
      takeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-t..es-workspaceruntime_31bf3856ad364e35_10.0.19041.746_none_045e85893c117e35\f\wksprt.exe"
      4⤵
      PID:4100
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\Windows\WinSxS\amd64_microsoft-windows-t..es-workspaceruntime_31bf3856ad364e35_10.0.19041.746_none_045e85893c117e35\f\wksprt.exe" /grant "everyone":(f)
      4⤵
      PID:3716
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-t..es-workspaceruntime_31bf3856ad364e35_10.0.19041.746_none_045e85893c117e35\r\wksprt.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:412
  - - C:\Windows\SysWOW64\takeown.exe
      takeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-t..es-workspaceruntime_31bf3856ad364e35_10.0.19041.746_none_045e85893c117e35\r\wksprt.exe"
      4⤵
      PID:3432
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\Windows\WinSxS\amd64_microsoft-windows-t..es-workspaceruntime_31bf3856ad364e35_10.0.19041.746_none_045e85893c117e35\r\wksprt.exe" /grant "everyone":(f)
      4⤵
      PID:4504
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-t..es-workspaceruntime_31bf3856ad364e35_10.0.19041.746_none_045e85893c117e35\wksprt.exe"
    3⤵
    PID:4028
  - - C:\Windows\SysWOW64\takeown.exe
      takeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-t..es-workspaceruntime_31bf3856ad364e35_10.0.19041.746_none_045e85893c117e35\wksprt.exe"
      4⤵
      PID:1932
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\Windows\WinSxS\amd64_microsoft-windows-t..es-workspaceruntime_31bf3856ad364e35_10.0.19041.746_none_045e85893c117e35\wksprt.exe" /grant "everyone":(f)
      4⤵
      PID:4144
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-t..etpc-mathinputpanel_31bf3856ad364e35_10.0.19041.4355_none_3f5ba2e20625a807\f\mip.exe"
    3⤵
    PID:1552
  - - C:\Windows\SysWOW64\takeown.exe
      takeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-t..etpc-mathinputpanel_31bf3856ad364e35_10.0.19041.4355_none_3f5ba2e20625a807\f\mip.exe"
      4⤵
      PID:3032
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\Windows\WinSxS\amd64_microsoft-windows-t..etpc-mathinputpanel_31bf3856ad364e35_10.0.19041.4355_none_3f5ba2e20625a807\f\mip.exe" /grant "everyone":(f)
      4⤵
      PID:2532
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-t..etpc-mathinputpanel_31bf3856ad364e35_10.0.19041.4355_none_3f5ba2e20625a807\mip.exe"
    3⤵
    PID:620
  - - C:\Windows\SysWOW64\takeown.exe
      takeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-t..etpc-mathinputpanel_31bf3856ad364e35_10.0.19041.4355_none_3f5ba2e20625a807\mip.exe"
      4⤵
      PID:1628
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\Windows\WinSxS\amd64_microsoft-windows-t..etpc-mathinputpanel_31bf3856ad364e35_10.0.19041.4355_none_3f5ba2e20625a807\mip.exe" /grant "everyone":(f)
      4⤵
      PID:1116
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-t..etpc-mathinputpanel_31bf3856ad364e35_10.0.19041.4355_none_3f5ba2e20625a807\r\mip.exe"
    3⤵
    PID:1292
  - - C:\Windows\SysWOW64\takeown.exe
      takeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-t..etpc-mathinputpanel_31bf3856ad364e35_10.0.19041.4355_none_3f5ba2e20625a807\r\mip.exe"
      4⤵
      System Location Discovery: System Language Discovery
      PID:4172
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\Windows\WinSxS\amd64_microsoft-windows-t..etpc-mathinputpanel_31bf3856ad364e35_10.0.19041.4355_none_3f5ba2e20625a807\r\mip.exe" /grant "everyone":(f)
      4⤵
      PID:1172
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-t..etpc-mathinputpanel_31bf3856ad364e35_10.0.19041.746_none_a89acde4afbab635\f\mip.exe"
    3⤵
    PID:2992
  - - C:\Windows\SysWOW64\takeown.exe
      takeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-t..etpc-mathinputpanel_31bf3856ad364e35_10.0.19041.746_none_a89acde4afbab635\f\mip.exe"
      4⤵
      PID:2488
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\Windows\WinSxS\amd64_microsoft-windows-t..etpc-mathinputpanel_31bf3856ad364e35_10.0.19041.746_none_a89acde4afbab635\f\mip.exe" /grant "everyone":(f)
      4⤵
      PID:3676
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-t..etpc-mathinputpanel_31bf3856ad364e35_10.0.19041.746_none_a89acde4afbab635\mip.exe"
    3⤵
    PID:1996
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:4320
  - - C:\Windows\SysWOW64\takeown.exe
      takeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-t..etpc-mathinputpanel_31bf3856ad364e35_10.0.19041.746_none_a89acde4afbab635\mip.exe"
      4⤵
      System Location Discovery: System Language Discovery
      PID:5104
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\Windows\WinSxS\amd64_microsoft-windows-t..etpc-mathinputpanel_31bf3856ad364e35_10.0.19041.746_none_a89acde4afbab635\mip.exe" /grant "everyone":(f)
      4⤵
      PID:860
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-t..etpc-mathinputpanel_31bf3856ad364e35_10.0.19041.746_none_a89acde4afbab635\r\mip.exe"
    3⤵
    PID:1928
  - - C:\Windows\SysWOW64\takeown.exe
      takeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-t..etpc-mathinputpanel_31bf3856ad364e35_10.0.19041.746_none_a89acde4afbab635\r\mip.exe"
      4⤵
      PID:756
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\Windows\WinSxS\amd64_microsoft-windows-t..etpc-mathinputpanel_31bf3856ad364e35_10.0.19041.746_none_a89acde4afbab635\r\mip.exe" /grant "everyone":(f)
      4⤵
      PID:1196
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-t..lications-clientsku_31bf3856ad364e35_10.0.19041.1266_none_93a0f3defb54e912\f\rdpinit.exe"
    3⤵
    PID:824
  - - C:\Windows\SysWOW64\takeown.exe
      takeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-t..lications-clientsku_31bf3856ad364e35_10.0.19041.1266_none_93a0f3defb54e912\f\rdpinit.exe"
      4⤵
      PID:1056
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\Windows\WinSxS\amd64_microsoft-windows-t..lications-clientsku_31bf3856ad364e35_10.0.19041.1266_none_93a0f3defb54e912\f\rdpinit.exe" /grant "everyone":(f)
      4⤵
      PID:3840
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-t..lications-clientsku_31bf3856ad364e35_10.0.19041.1266_none_93a0f3defb54e912\f\rdpshell.exe"
    3⤵
    PID:3256
  - - C:\Windows\SysWOW64\takeown.exe
      takeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-t..lications-clientsku_31bf3856ad364e35_10.0.19041.1266_none_93a0f3defb54e912\f\rdpshell.exe"
      4⤵
      PID:1940
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\Windows\WinSxS\amd64_microsoft-windows-t..lications-clientsku_31bf3856ad364e35_10.0.19041.1266_none_93a0f3defb54e912\f\rdpshell.exe" /grant "everyone":(f)
      4⤵
      PID:2276
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-t..lications-clientsku_31bf3856ad364e35_10.0.19041.1266_none_93a0f3defb54e912\r\rdpinit.exe"
    3⤵
    PID:4412
  - - C:\Windows\SysWOW64\takeown.exe
      takeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-t..lications-clientsku_31bf3856ad364e35_10.0.19041.1266_none_93a0f3defb54e912\r\rdpinit.exe"
      4⤵
      PID:1992
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\Windows\WinSxS\amd64_microsoft-windows-t..lications-clientsku_31bf3856ad364e35_10.0.19041.1266_none_93a0f3defb54e912\r\rdpinit.exe" /grant "everyone":(f)
      4⤵
      PID:1284
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-t..lications-clientsku_31bf3856ad364e35_10.0.19041.1266_none_93a0f3defb54e912\r\rdpshell.exe"
    3⤵
    PID:2476
  - - C:\Windows\SysWOW64\takeown.exe
      takeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-t..lications-clientsku_31bf3856ad364e35_10.0.19041.1266_none_93a0f3defb54e912\r\rdpshell.exe"
      4⤵
      PID:1304
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\Windows\WinSxS\amd64_microsoft-windows-t..lications-clientsku_31bf3856ad364e35_10.0.19041.1266_none_93a0f3defb54e912\r\rdpshell.exe" /grant "everyone":(f)
      4⤵
      PID:4108
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-t..lications-clientsku_31bf3856ad364e35_10.0.19041.1266_none_93a0f3defb54e912\rdpinit.exe"
    3⤵
    PID:4480
  - - C:\Windows\SysWOW64\takeown.exe
      takeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-t..lications-clientsku_31bf3856ad364e35_10.0.19041.1266_none_93a0f3defb54e912\rdpinit.exe"
      4⤵
      PID:1564
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\Windows\WinSxS\amd64_microsoft-windows-t..lications-clientsku_31bf3856ad364e35_10.0.19041.1266_none_93a0f3defb54e912\rdpinit.exe" /grant "everyone":(f)
      4⤵
      PID:1132
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-t..lications-clientsku_31bf3856ad364e35_10.0.19041.1266_none_93a0f3defb54e912\rdpshell.exe"
    3⤵
    PID:3036
  - - C:\Windows\SysWOW64\takeown.exe
      takeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-t..lications-clientsku_31bf3856ad364e35_10.0.19041.1266_none_93a0f3defb54e912\rdpshell.exe"
      4⤵
      PID:4408
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\Windows\WinSxS\amd64_microsoft-windows-t..lications-clientsku_31bf3856ad364e35_10.0.19041.1266_none_93a0f3defb54e912\rdpshell.exe" /grant "everyone":(f)
      4⤵
      PID:4684
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-t..lications-clientsku_31bf3856ad364e35_10.0.19041.4355_none_93954022fb5dc980\f\rdpinit.exe"
    3⤵
    PID:3572
  - - C:\Windows\SysWOW64\takeown.exe
      takeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-t..lications-clientsku_31bf3856ad364e35_10.0.19041.4355_none_93954022fb5dc980\f\rdpinit.exe"
      4⤵
      PID:2096
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\Windows\WinSxS\amd64_microsoft-windows-t..lications-clientsku_31bf3856ad364e35_10.0.19041.4355_none_93954022fb5dc980\f\rdpinit.exe" /grant "everyone":(f)
      4⤵
      PID:4848
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-t..lications-clientsku_31bf3856ad364e35_10.0.19041.4355_none_93954022fb5dc980\f\rdpshell.exe"
    3⤵
    PID:2028
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:644
  - - C:\Windows\SysWOW64\takeown.exe
      takeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-t..lications-clientsku_31bf3856ad364e35_10.0.19041.4355_none_93954022fb5dc980\f\rdpshell.exe"
      4⤵
      PID:188
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\Windows\WinSxS\amd64_microsoft-windows-t..lications-clientsku_31bf3856ad364e35_10.0.19041.4355_none_93954022fb5dc980\f\rdpshell.exe" /grant "everyone":(f)
      4⤵
      PID:4500
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-t..lications-clientsku_31bf3856ad364e35_10.0.19041.4355_none_93954022fb5dc980\r\rdpinit.exe"
    3⤵
    PID:4536
  - - C:\Windows\SysWOW64\takeown.exe
      takeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-t..lications-clientsku_31bf3856ad364e35_10.0.19041.4355_none_93954022fb5dc980\r\rdpinit.exe"
      4⤵
      PID:4224
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\Windows\WinSxS\amd64_microsoft-windows-t..lications-clientsku_31bf3856ad364e35_10.0.19041.4355_none_93954022fb5dc980\r\rdpinit.exe" /grant "everyone":(f)
      4⤵
      PID:3800
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-t..lications-clientsku_31bf3856ad364e35_10.0.19041.4355_none_93954022fb5dc980\r\rdpshell.exe"
    3⤵
    PID:2728
  - - C:\Windows\SysWOW64\takeown.exe
      takeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-t..lications-clientsku_31bf3856ad364e35_10.0.19041.4355_none_93954022fb5dc980\r\rdpshell.exe"
      4⤵
      PID:4780
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\Windows\WinSxS\amd64_microsoft-windows-t..lications-clientsku_31bf3856ad364e35_10.0.19041.4355_none_93954022fb5dc980\r\rdpshell.exe" /grant "everyone":(f)
      4⤵
      PID:3212
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-t..lications-clientsku_31bf3856ad364e35_10.0.19041.4355_none_93954022fb5dc980\rdpinit.exe"
    3⤵
    PID:2116
  - - C:\Windows\SysWOW64\takeown.exe
      takeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-t..lications-clientsku_31bf3856ad364e35_10.0.19041.4355_none_93954022fb5dc980\rdpinit.exe"
      4⤵
      PID:4196
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\Windows\WinSxS\amd64_microsoft-windows-t..lications-clientsku_31bf3856ad364e35_10.0.19041.4355_none_93954022fb5dc980\rdpinit.exe" /grant "everyone":(f)
      4⤵
      PID:1280
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-t..lications-clientsku_31bf3856ad364e35_10.0.19041.4355_none_93954022fb5dc980\rdpshell.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2472
  - - C:\Windows\SysWOW64\takeown.exe
      takeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-t..lications-clientsku_31bf3856ad364e35_10.0.19041.4355_none_93954022fb5dc980\rdpshell.exe"
      4⤵
      PID:3624
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\Windows\WinSxS\amd64_microsoft-windows-t..lications-clientsku_31bf3856ad364e35_10.0.19041.4355_none_93954022fb5dc980\rdpshell.exe" /grant "everyone":(f)
      4⤵
      PID:2488
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-t..lipboardredirection_31bf3856ad364e35_10.0.19041.4355_none_7690306cc05c614c\f\rdpclip.exe"
    3⤵
    PID:1924
  - - C:\Windows\SysWOW64\takeown.exe
      takeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-t..lipboardredirection_31bf3856ad364e35_10.0.19041.4355_none_7690306cc05c614c\f\rdpclip.exe"
      4⤵
      PID:1524
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\Windows\WinSxS\amd64_microsoft-windows-t..lipboardredirection_31bf3856ad364e35_10.0.19041.4355_none_7690306cc05c614c\f\rdpclip.exe" /grant "everyone":(f)
      4⤵
      PID:4720
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-t..lipboardredirection_31bf3856ad364e35_10.0.19041.4355_none_7690306cc05c614c\r\rdpclip.exe"
    3⤵
    PID:860
  - - C:\Windows\SysWOW64\takeown.exe
      takeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-t..lipboardredirection_31bf3856ad364e35_10.0.19041.4355_none_7690306cc05c614c\r\rdpclip.exe"
      4⤵
      PID:3052
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\Windows\WinSxS\amd64_microsoft-windows-t..lipboardredirection_31bf3856ad364e35_10.0.19041.4355_none_7690306cc05c614c\r\rdpclip.exe" /grant "everyone":(f)
      4⤵
      PID:3488
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-t..lipboardredirection_31bf3856ad364e35_10.0.19041.4355_none_7690306cc05c614c\rdpclip.exe"
    3⤵
    PID:3596
  - - C:\Windows\SysWOW64\takeown.exe
      takeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-t..lipboardredirection_31bf3856ad364e35_10.0.19041.4355_none_7690306cc05c614c\rdpclip.exe"
      4⤵
      PID:3244
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\Windows\WinSxS\amd64_microsoft-windows-t..lipboardredirection_31bf3856ad364e35_10.0.19041.4355_none_7690306cc05c614c\rdpclip.exe" /grant "everyone":(f)
      4⤵
      PID:3528
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-t..lipboardredirection_31bf3856ad364e35_10.0.19041.746_none_dfcf5b6f69f16f7a\f\rdpclip.exe"
    3⤵
    PID:640
  - - C:\Windows\SysWOW64\takeown.exe
      takeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-t..lipboardredirection_31bf3856ad364e35_10.0.19041.746_none_dfcf5b6f69f16f7a\f\rdpclip.exe"
      4⤵
      PID:824
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\Windows\WinSxS\amd64_microsoft-windows-t..lipboardredirection_31bf3856ad364e35_10.0.19041.746_none_dfcf5b6f69f16f7a\f\rdpclip.exe" /grant "everyone":(f)
      4⤵
      PID:3704
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-t..lipboardredirection_31bf3856ad364e35_10.0.19041.746_none_dfcf5b6f69f16f7a\r\rdpclip.exe"
    3⤵
    PID:2664
  - - C:\Windows\SysWOW64\takeown.exe
      takeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-t..lipboardredirection_31bf3856ad364e35_10.0.19041.746_none_dfcf5b6f69f16f7a\r\rdpclip.exe"
      4⤵
      PID:2908
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\Windows\WinSxS\amd64_microsoft-windows-t..lipboardredirection_31bf3856ad364e35_10.0.19041.746_none_dfcf5b6f69f16f7a\r\rdpclip.exe" /grant "everyone":(f)
      4⤵
      PID:4584
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-t..lipboardredirection_31bf3856ad364e35_10.0.19041.746_none_dfcf5b6f69f16f7a\rdpclip.exe"
    3⤵
    PID:2516
  - - C:\Windows\SysWOW64\takeown.exe
      takeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-t..lipboardredirection_31bf3856ad364e35_10.0.19041.746_none_dfcf5b6f69f16f7a\rdpclip.exe"
      4⤵
      PID:1960
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\Windows\WinSxS\amd64_microsoft-windows-t..lipboardredirection_31bf3856ad364e35_10.0.19041.746_none_dfcf5b6f69f16f7a\rdpclip.exe" /grant "everyone":(f)
      4⤵
      PID:1192
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-t..lishing-wmiprovider_31bf3856ad364e35_10.0.19041.1151_none_aa086da848b2c07b\f\rdpsign.exe"
    3⤵
    PID:708
  - - C:\Windows\SysWOW64\takeown.exe
      takeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-t..lishing-wmiprovider_31bf3856ad364e35_10.0.19041.1151_none_aa086da848b2c07b\f\rdpsign.exe"
      4⤵
      PID:1648
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\Windows\WinSxS\amd64_microsoft-windows-t..lishing-wmiprovider_31bf3856ad364e35_10.0.19041.1151_none_aa086da848b2c07b\f\rdpsign.exe" /grant "everyone":(f)
      4⤵
      PID:2976
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-t..lishing-wmiprovider_31bf3856ad364e35_10.0.19041.1151_none_aa086da848b2c07b\r\rdpsign.exe"
    3⤵
    PID:1132
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:1980
  - - C:\Windows\SysWOW64\takeown.exe
      takeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-t..lishing-wmiprovider_31bf3856ad364e35_10.0.19041.1151_none_aa086da848b2c07b\r\rdpsign.exe"
      4⤵
      PID:2720
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\Windows\WinSxS\amd64_microsoft-windows-t..lishing-wmiprovider_31bf3856ad364e35_10.0.19041.1151_none_aa086da848b2c07b\r\rdpsign.exe" /grant "everyone":(f)
      4⤵
      PID:4508
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-t..lishing-wmiprovider_31bf3856ad364e35_10.0.19041.1151_none_aa086da848b2c07b\rdpsign.exe"
    3⤵
    PID:4684
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:2024
  - - C:\Windows\SysWOW64\takeown.exe
      takeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-t..lishing-wmiprovider_31bf3856ad364e35_10.0.19041.1151_none_aa086da848b2c07b\rdpsign.exe"
      4⤵
      PID:2644
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\Windows\WinSxS\amd64_microsoft-windows-t..lishing-wmiprovider_31bf3856ad364e35_10.0.19041.1151_none_aa086da848b2c07b\rdpsign.exe" /grant "everyone":(f)
      4⤵
      PID:1492
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-t..lishing-wmiprovider_31bf3856ad364e35_10.0.19041.3636_none_a9cfef5c48dd93f5\f\rdpsign.exe"
    3⤵
    PID:4848
  - - C:\Windows\SysWOW64\takeown.exe
      takeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-t..lishing-wmiprovider_31bf3856ad364e35_10.0.19041.3636_none_a9cfef5c48dd93f5\f\rdpsign.exe"
      4⤵
      PID:348
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\Windows\WinSxS\amd64_microsoft-windows-t..lishing-wmiprovider_31bf3856ad364e35_10.0.19041.3636_none_a9cfef5c48dd93f5\f\rdpsign.exe" /grant "everyone":(f)
      4⤵
      PID:3756
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-t..lishing-wmiprovider_31bf3856ad364e35_10.0.19041.3636_none_a9cfef5c48dd93f5\r\rdpsign.exe"
    3⤵
    PID:4500
  - - C:\Windows\SysWOW64\takeown.exe
      takeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-t..lishing-wmiprovider_31bf3856ad364e35_10.0.19041.3636_none_a9cfef5c48dd93f5\r\rdpsign.exe"
      4⤵
      PID:412
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\Windows\WinSxS\amd64_microsoft-windows-t..lishing-wmiprovider_31bf3856ad364e35_10.0.19041.3636_none_a9cfef5c48dd93f5\r\rdpsign.exe" /grant "everyone":(f)
      4⤵
      PID:3908
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-t..lishing-wmiprovider_31bf3856ad364e35_10.0.19041.3636_none_a9cfef5c48dd93f5\rdpsign.exe"
    3⤵
    PID:3080
  - - C:\Windows\SysWOW64\takeown.exe
      takeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-t..lishing-wmiprovider_31bf3856ad364e35_10.0.19041.3636_none_a9cfef5c48dd93f5\rdpsign.exe"
      4⤵
      PID:3496
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\Windows\WinSxS\amd64_microsoft-windows-t..lishing-wmiprovider_31bf3856ad364e35_10.0.19041.3636_none_a9cfef5c48dd93f5\rdpsign.exe" /grant "everyone":(f)
      4⤵
      PID:4388
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-t..minalservicesclient_31bf3856ad364e35_10.0.19041.1266_none_c2a2211ad648e627\f\mstsc.exe"
    3⤵
    PID:3440
  - - C:\Windows\SysWOW64\takeown.exe
      takeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-t..minalservicesclient_31bf3856ad364e35_10.0.19041.1266_none_c2a2211ad648e627\f\mstsc.exe"
      4⤵
      PID:3560
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\Windows\WinSxS\amd64_microsoft-windows-t..minalservicesclient_31bf3856ad364e35_10.0.19041.1266_none_c2a2211ad648e627\f\mstsc.exe" /grant "everyone":(f)
      4⤵
      PID:4196
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-t..minalservicesclient_31bf3856ad364e35_10.0.19041.1266_none_c2a2211ad648e627\mstsc.exe"
    3⤵
    PID:4528
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:4156
  - - C:\Windows\SysWOW64\takeown.exe
      takeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-t..minalservicesclient_31bf3856ad364e35_10.0.19041.1266_none_c2a2211ad648e627\mstsc.exe"
      4⤵
      PID:3980
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\Windows\WinSxS\amd64_microsoft-windows-t..minalservicesclient_31bf3856ad364e35_10.0.19041.1266_none_c2a2211ad648e627\mstsc.exe" /grant "everyone":(f)
      4⤵
      PID:2868
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-t..minalservicesclient_31bf3856ad364e35_10.0.19041.1266_none_c2a2211ad648e627\r\mstsc.exe"
    3⤵
    PID:4348
  - - C:\Windows\SysWOW64\takeown.exe
      takeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-t..minalservicesclient_31bf3856ad364e35_10.0.19041.1266_none_c2a2211ad648e627\r\mstsc.exe"
      4⤵
      PID:5008
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\Windows\WinSxS\amd64_microsoft-windows-t..minalservicesclient_31bf3856ad364e35_10.0.19041.1266_none_c2a2211ad648e627\r\mstsc.exe" /grant "everyone":(f)
      4⤵
      Possible privilege escalation attempt
      PID:3632
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-t..minalservicesclient_31bf3856ad364e35_10.0.19041.4355_none_c2966d5ed651c695\f\mstsc.exe"
    3⤵
    PID:3052
  - - C:\Windows\SysWOW64\takeown.exe
      takeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-t..minalservicesclient_31bf3856ad364e35_10.0.19041.4355_none_c2966d5ed651c695\f\mstsc.exe"
      4⤵
      PID:3968
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\Windows\WinSxS\amd64_microsoft-windows-t..minalservicesclient_31bf3856ad364e35_10.0.19041.4355_none_c2966d5ed651c695\f\mstsc.exe" /grant "everyone":(f)
      4⤵
      PID:4300
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-t..minalservicesclient_31bf3856ad364e35_10.0.19041.4355_none_c2966d5ed651c695\mstsc.exe"
    3⤵
    PID:1144
  - - C:\Windows\SysWOW64\takeown.exe
      takeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-t..minalservicesclient_31bf3856ad364e35_10.0.19041.4355_none_c2966d5ed651c695\mstsc.exe"
      4⤵
      Modifies file permissions
      PID:756
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\Windows\WinSxS\amd64_microsoft-windows-t..minalservicesclient_31bf3856ad364e35_10.0.19041.4355_none_c2966d5ed651c695\mstsc.exe" /grant "everyone":(f)
      4⤵
      PID:1388
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-t..minalservicesclient_31bf3856ad364e35_10.0.19041.4355_none_c2966d5ed651c695\r\mstsc.exe"
    3⤵
    PID:3608
  - - C:\Windows\SysWOW64\takeown.exe
      takeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-t..minalservicesclient_31bf3856ad364e35_10.0.19041.4355_none_c2966d5ed651c695\r\mstsc.exe"
      4⤵
      PID:420
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\Windows\WinSxS\amd64_microsoft-windows-t..minalservicesclient_31bf3856ad364e35_10.0.19041.4355_none_c2966d5ed651c695\r\mstsc.exe" /grant "everyone":(f)
      4⤵
      PID:3256
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-t..nputpersonalization_31bf3856ad364e35_10.0.19041.4412_none_b457a6037b99d591\f\InputPersonalization.exe"
    3⤵
    PID:4660
  - - C:\Windows\SysWOW64\takeown.exe
      takeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-t..nputpersonalization_31bf3856ad364e35_10.0.19041.4412_none_b457a6037b99d591\f\InputPersonalization.exe"
      4⤵
      PID:2276
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\Windows\WinSxS\amd64_microsoft-windows-t..nputpersonalization_31bf3856ad364e35_10.0.19041.4412_none_b457a6037b99d591\f\InputPersonalization.exe" /grant "everyone":(f)
      4⤵
      PID:1960
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-t..nputpersonalization_31bf3856ad364e35_10.0.19041.4412_none_b457a6037b99d591\f\ShapeCollector.exe"
    3⤵
    PID:1304
  - - C:\Windows\SysWOW64\takeown.exe
      takeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-t..nputpersonalization_31bf3856ad364e35_10.0.19041.4412_none_b457a6037b99d591\f\ShapeCollector.exe"
      4⤵
      PID:2220
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\Windows\WinSxS\amd64_microsoft-windows-t..nputpersonalization_31bf3856ad364e35_10.0.19041.4412_none_b457a6037b99d591\f\ShapeCollector.exe" /grant "everyone":(f)
      4⤵
      PID:3160
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-t..nputpersonalization_31bf3856ad364e35_10.0.19041.4412_none_b457a6037b99d591\InputPersonalization.exe"
    3⤵
    PID:4524
  - - C:\Windows\SysWOW64\takeown.exe
      takeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-t..nputpersonalization_31bf3856ad364e35_10.0.19041.4412_none_b457a6037b99d591\InputPersonalization.exe"
      4⤵
      PID:4836
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\Windows\WinSxS\amd64_microsoft-windows-t..nputpersonalization_31bf3856ad364e35_10.0.19041.4412_none_b457a6037b99d591\InputPersonalization.exe" /grant "everyone":(f)
      4⤵
      PID:2924
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-t..nputpersonalization_31bf3856ad364e35_10.0.19041.4412_none_b457a6037b99d591\r\InputPersonalization.exe"
    3⤵
    PID:2396
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:3716
  - - C:\Windows\SysWOW64\takeown.exe
      takeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-t..nputpersonalization_31bf3856ad364e35_10.0.19041.4412_none_b457a6037b99d591\r\InputPersonalization.exe"
      4⤵
      PID:4480
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\Windows\WinSxS\amd64_microsoft-windows-t..nputpersonalization_31bf3856ad364e35_10.0.19041.4412_none_b457a6037b99d591\r\InputPersonalization.exe" /grant "everyone":(f)
      4⤵
      PID:3580
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-t..nputpersonalization_31bf3856ad364e35_10.0.19041.4412_none_b457a6037b99d591\r\ShapeCollector.exe"
    3⤵
    PID:3432
  - - C:\Windows\SysWOW64\takeown.exe
      takeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-t..nputpersonalization_31bf3856ad364e35_10.0.19041.4412_none_b457a6037b99d591\r\ShapeCollector.exe"
      4⤵
      PID:3036
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\Windows\WinSxS\amd64_microsoft-windows-t..nputpersonalization_31bf3856ad364e35_10.0.19041.4412_none_b457a6037b99d591\r\ShapeCollector.exe" /grant "everyone":(f)
      4⤵
      PID:1840
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-t..nputpersonalization_31bf3856ad364e35_10.0.19041.4412_none_b457a6037b99d591\ShapeCollector.exe"
    3⤵
    PID:1932
  - - C:\Windows\SysWOW64\takeown.exe
      takeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-t..nputpersonalization_31bf3856ad364e35_10.0.19041.4412_none_b457a6037b99d591\ShapeCollector.exe"
      4⤵
      PID:2432
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\Windows\WinSxS\amd64_microsoft-windows-t..nputpersonalization_31bf3856ad364e35_10.0.19041.4412_none_b457a6037b99d591\ShapeCollector.exe" /grant "everyone":(f)
      4⤵
      PID:4816
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-t..nputpersonalization_31bf3856ad364e35_10.0.19041.746_none_1da55dc225237a0d\f\InputPersonalization.exe"
    3⤵
    PID:2864
  - - C:\Windows\SysWOW64\takeown.exe
      takeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-t..nputpersonalization_31bf3856ad364e35_10.0.19041.746_none_1da55dc225237a0d\f\InputPersonalization.exe"
      4⤵
      PID:2028
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\Windows\WinSxS\amd64_microsoft-windows-t..nputpersonalization_31bf3856ad364e35_10.0.19041.746_none_1da55dc225237a0d\f\InputPersonalization.exe" /grant "everyone":(f)
      4⤵
      PID:5116
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-t..nputpersonalization_31bf3856ad364e35_10.0.19041.746_none_1da55dc225237a0d\f\ShapeCollector.exe"
    3⤵
    PID:1628
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:3212
  - - C:\Windows\SysWOW64\takeown.exe
      takeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-t..nputpersonalization_31bf3856ad364e35_10.0.19041.746_none_1da55dc225237a0d\f\ShapeCollector.exe"
      4⤵
      PID:3800
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\Windows\WinSxS\amd64_microsoft-windows-t..nputpersonalization_31bf3856ad364e35_10.0.19041.746_none_1da55dc225237a0d\f\ShapeCollector.exe" /grant "everyone":(f)
      4⤵
      PID:1804
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-t..nputpersonalization_31bf3856ad364e35_10.0.19041.746_none_1da55dc225237a0d\InputPersonalization.exe"
    3⤵
    PID:3164
  - - C:\Windows\SysWOW64\takeown.exe
      takeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-t..nputpersonalization_31bf3856ad364e35_10.0.19041.746_none_1da55dc225237a0d\InputPersonalization.exe"
      4⤵
      PID:3440
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\Windows\WinSxS\amd64_microsoft-windows-t..nputpersonalization_31bf3856ad364e35_10.0.19041.746_none_1da55dc225237a0d\InputPersonalization.exe" /grant "everyone":(f)
      4⤵
      PID:4780
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-t..nputpersonalization_31bf3856ad364e35_10.0.19041.746_none_1da55dc225237a0d\r\InputPersonalization.exe"
    3⤵
    PID:4136
  - - C:\Windows\SysWOW64\takeown.exe
      takeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-t..nputpersonalization_31bf3856ad364e35_10.0.19041.746_none_1da55dc225237a0d\r\InputPersonalization.exe"
      4⤵
      PID:1916
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\Windows\WinSxS\amd64_microsoft-windows-t..nputpersonalization_31bf3856ad364e35_10.0.19041.746_none_1da55dc225237a0d\r\InputPersonalization.exe" /grant "everyone":(f)
      4⤵
      PID:4528
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-t..nputpersonalization_31bf3856ad364e35_10.0.19041.746_none_1da55dc225237a0d\r\ShapeCollector.exe"
    3⤵
    PID:620
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:4720
  - - C:\Windows\SysWOW64\takeown.exe
      takeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-t..nputpersonalization_31bf3856ad364e35_10.0.19041.746_none_1da55dc225237a0d\r\ShapeCollector.exe"
      4⤵
      PID:3676
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\Windows\WinSxS\amd64_microsoft-windows-t..nputpersonalization_31bf3856ad364e35_10.0.19041.746_none_1da55dc225237a0d\r\ShapeCollector.exe" /grant "everyone":(f)
      4⤵
      PID:4348
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-t..nputpersonalization_31bf3856ad364e35_10.0.19041.746_none_1da55dc225237a0d\ShapeCollector.exe"
    3⤵
    PID:3488
  - - C:\Windows\SysWOW64\takeown.exe
      takeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-t..nputpersonalization_31bf3856ad364e35_10.0.19041.746_none_1da55dc225237a0d\ShapeCollector.exe"
      4⤵
      PID:860
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\Windows\WinSxS\amd64_microsoft-windows-t..nputpersonalization_31bf3856ad364e35_10.0.19041.746_none_1da55dc225237a0d\ShapeCollector.exe" /grant "everyone":(f)
      4⤵
      PID:2828
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-t..onagent-proxyobject_31bf3856ad364e35_10.0.19041.1_none_19667e7e60cb0ccd\RdpSaProxy.exe"
    3⤵
    PID:4644
  - - C:\Windows\SysWOW64\takeown.exe
      takeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-t..onagent-proxyobject_31bf3856ad364e35_10.0.19041.1_none_19667e7e60cb0ccd\RdpSaProxy.exe"
      4⤵
      PID:3596
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\Windows\WinSxS\amd64_microsoft-windows-t..onagent-proxyobject_31bf3856ad364e35_10.0.19041.1_none_19667e7e60cb0ccd\RdpSaProxy.exe" /grant "everyone":(f)
      4⤵
      PID:756
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-t..onagent-proxyobject_31bf3856ad364e35_10.0.19041.3636_none_d80d07be76c1fa88\f\RdpSaProxy.exe"
    3⤵
    PID:3528
  - - C:\Windows\SysWOW64\takeown.exe
      takeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-t..onagent-proxyobject_31bf3856ad364e35_10.0.19041.3636_none_d80d07be76c1fa88\f\RdpSaProxy.exe"
      4⤵
      PID:824
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\Windows\WinSxS\amd64_microsoft-windows-t..onagent-proxyobject_31bf3856ad364e35_10.0.19041.3636_none_d80d07be76c1fa88\f\RdpSaProxy.exe" /grant "everyone":(f)
      4⤵
      PID:1940
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-t..onagent-proxyobject_31bf3856ad364e35_10.0.19041.3636_none_d80d07be76c1fa88\r\RdpSaProxy.exe"
    3⤵
    PID:3696
  - - C:\Windows\SysWOW64\takeown.exe
      takeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-t..onagent-proxyobject_31bf3856ad364e35_10.0.19041.3636_none_d80d07be76c1fa88\r\RdpSaProxy.exe"
      4⤵
      PID:3960
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\Windows\WinSxS\amd64_microsoft-windows-t..onagent-proxyobject_31bf3856ad364e35_10.0.19041.3636_none_d80d07be76c1fa88\r\RdpSaProxy.exe" /grant "everyone":(f)
      4⤵
      PID:4584
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-t..onagent-proxyobject_31bf3856ad364e35_10.0.19041.3636_none_d80d07be76c1fa88\RdpSaProxy.exe"
    3⤵
    PID:2664
  - - C:\Windows\SysWOW64\takeown.exe
      takeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-t..onagent-proxyobject_31bf3856ad364e35_10.0.19041.3636_none_d80d07be76c1fa88\RdpSaProxy.exe"
      4⤵
      PID:3160
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\Windows\WinSxS\amd64_microsoft-windows-t..onagent-proxyobject_31bf3856ad364e35_10.0.19041.3636_none_d80d07be76c1fa88\RdpSaProxy.exe" /grant "everyone":(f)
      4⤵
      PID:2220
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-t..ork-uimanagerbroker_31bf3856ad364e35_10.0.19041.388_none_57e235d809a12c5b\f\UIMgrBroker.exe"
    3⤵
    PID:2516
  - - C:\Windows\SysWOW64\takeown.exe
      takeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-t..ork-uimanagerbroker_31bf3856ad364e35_10.0.19041.388_none_57e235d809a12c5b\f\UIMgrBroker.exe"
      4⤵
      PID:4108
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\Windows\WinSxS\amd64_microsoft-windows-t..ork-uimanagerbroker_31bf3856ad364e35_10.0.19041.388_none_57e235d809a12c5b\f\UIMgrBroker.exe" /grant "everyone":(f)
      4⤵
      PID:8
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-t..ork-uimanagerbroker_31bf3856ad364e35_10.0.19041.388_none_57e235d809a12c5b\r\UIMgrBroker.exe"
    3⤵
    PID:2476
  - - C:\Windows\SysWOW64\takeown.exe
      takeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-t..ork-uimanagerbroker_31bf3856ad364e35_10.0.19041.388_none_57e235d809a12c5b\r\UIMgrBroker.exe"
      4⤵
      PID:3036
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\Windows\WinSxS\amd64_microsoft-windows-t..ork-uimanagerbroker_31bf3856ad364e35_10.0.19041.388_none_57e235d809a12c5b\r\UIMgrBroker.exe" /grant "everyone":(f)
      4⤵
      PID:3572
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-t..ork-uimanagerbroker_31bf3856ad364e35_10.0.19041.388_none_57e235d809a12c5b\UIMgrBroker.exe"
    3⤵
    PID:4732
  - - C:\Windows\SysWOW64\takeown.exe
      takeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-t..ork-uimanagerbroker_31bf3856ad364e35_10.0.19041.388_none_57e235d809a12c5b\UIMgrBroker.exe"
      4⤵
      PID:4500
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\Windows\WinSxS\amd64_microsoft-windows-t..ork-uimanagerbroker_31bf3856ad364e35_10.0.19041.388_none_57e235d809a12c5b\UIMgrBroker.exe" /grant "everyone":(f)
      4⤵
      PID:4536
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-t..ork-uimanagerbroker_31bf3856ad364e35_10.0.19041.4355_none_eecc51895fed7057\f\UIMgrBroker.exe"
    3⤵
    PID:3120
  - - C:\Windows\SysWOW64\takeown.exe
      takeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-t..ork-uimanagerbroker_31bf3856ad364e35_10.0.19041.4355_none_eecc51895fed7057\f\UIMgrBroker.exe"
      4⤵
      PID:2576
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\Windows\WinSxS\amd64_microsoft-windows-t..ork-uimanagerbroker_31bf3856ad364e35_10.0.19041.4355_none_eecc51895fed7057\f\UIMgrBroker.exe" /grant "everyone":(f)
      4⤵
      PID:2392
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-t..ork-uimanagerbroker_31bf3856ad364e35_10.0.19041.4355_none_eecc51895fed7057\r\UIMgrBroker.exe"
    3⤵
    PID:1280
  - - C:\Windows\SysWOW64\takeown.exe
      takeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-t..ork-uimanagerbroker_31bf3856ad364e35_10.0.19041.4355_none_eecc51895fed7057\r\UIMgrBroker.exe"
      4⤵
      PID:2176
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\Windows\WinSxS\amd64_microsoft-windows-t..ork-uimanagerbroker_31bf3856ad364e35_10.0.19041.4355_none_eecc51895fed7057\r\UIMgrBroker.exe" /grant "everyone":(f)
      4⤵
      PID:2380
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-t..ork-uimanagerbroker_31bf3856ad364e35_10.0.19041.4355_none_eecc51895fed7057\UIMgrBroker.exe"
    3⤵
    PID:1988
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:3024
  - - C:\Windows\SysWOW64\takeown.exe
      takeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-t..ork-uimanagerbroker_31bf3856ad364e35_10.0.19041.4355_none_eecc51895fed7057\UIMgrBroker.exe"
      4⤵
      Modifies file permissions
      System Location Discovery: System Language Discovery
      PID:968
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\Windows\WinSxS\amd64_microsoft-windows-t..ork-uimanagerbroker_31bf3856ad364e35_10.0.19041.4355_none_eecc51895fed7057\UIMgrBroker.exe" /grant "everyone":(f)
      4⤵
      PID:4644
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-t..rvices-sessionagent_31bf3856ad364e35_10.0.19041.1_none_31431424ec14de3f\RdpSa.exe"
    3⤵
    PID:1828
  - - C:\Windows\SysWOW64\takeown.exe
      takeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-t..rvices-sessionagent_31bf3856ad364e35_10.0.19041.1_none_31431424ec14de3f\RdpSa.exe"
      4⤵
      PID:1100
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\Windows\WinSxS\amd64_microsoft-windows-t..rvices-sessionagent_31bf3856ad364e35_10.0.19041.1_none_31431424ec14de3f\RdpSa.exe" /grant "everyone":(f)
      4⤵
      PID:3528
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-t..rvices-sessionagent_31bf3856ad364e35_10.0.19041.3636_none_efe99d65020bcbfa\f\RdpSa.exe"
    3⤵
    PID:4132
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:3708
  - - C:\Windows\SysWOW64\takeown.exe
      takeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-t..rvices-sessionagent_31bf3856ad364e35_10.0.19041.3636_none_efe99d65020bcbfa\f\RdpSa.exe"
      4⤵
      PID:4584
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\Windows\WinSxS\amd64_microsoft-windows-t..rvices-sessionagent_31bf3856ad364e35_10.0.19041.3636_none_efe99d65020bcbfa\f\RdpSa.exe" /grant "everyone":(f)
      4⤵
      PID:3132
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-t..rvices-sessionagent_31bf3856ad364e35_10.0.19041.3636_none_efe99d65020bcbfa\r\RdpSa.exe"
    3⤵
    PID:640
  - - C:\Windows\SysWOW64\takeown.exe
      takeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-t..rvices-sessionagent_31bf3856ad364e35_10.0.19041.3636_none_efe99d65020bcbfa\r\RdpSa.exe"
      4⤵
      PID:576
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\Windows\WinSxS\amd64_microsoft-windows-t..rvices-sessionagent_31bf3856ad364e35_10.0.19041.3636_none_efe99d65020bcbfa\r\RdpSa.exe" /grant "everyone":(f)
      4⤵
      PID:764
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-t..rvices-sessionagent_31bf3856ad364e35_10.0.19041.3636_none_efe99d65020bcbfa\RdpSa.exe"
    3⤵
    PID:5016
  - - C:\Windows\SysWOW64\takeown.exe
      takeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-t..rvices-sessionagent_31bf3856ad364e35_10.0.19041.3636_none_efe99d65020bcbfa\RdpSa.exe"
      4⤵
      PID:8
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\Windows\WinSxS\amd64_microsoft-windows-t..rvices-sessionagent_31bf3856ad364e35_10.0.19041.3636_none_efe99d65020bcbfa\RdpSa.exe" /grant "everyone":(f)
      4⤵
      PID:1224
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-t..services-sessionmsg_31bf3856ad364e35_10.0.19041.3636_none_af6a305578807f3c\f\sessionmsg.exe"
    3⤵
    PID:2720
  - - C:\Windows\SysWOW64\takeown.exe
      takeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-t..services-sessionmsg_31bf3856ad364e35_10.0.19041.3636_none_af6a305578807f3c\f\sessionmsg.exe"
      4⤵
      PID:3652
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\Windows\WinSxS\amd64_microsoft-windows-t..services-sessionmsg_31bf3856ad364e35_10.0.19041.3636_none_af6a305578807f3c\f\sessionmsg.exe" /grant "everyone":(f)
      4⤵
      PID:4548
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-t..services-sessionmsg_31bf3856ad364e35_10.0.19041.3636_none_af6a305578807f3c\r\sessionmsg.exe"
    3⤵
    PID:3812
  - - C:\Windows\SysWOW64\takeown.exe
      takeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-t..services-sessionmsg_31bf3856ad364e35_10.0.19041.3636_none_af6a305578807f3c\r\sessionmsg.exe"
      4⤵
      PID:3880
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\Windows\WinSxS\amd64_microsoft-windows-t..services-sessionmsg_31bf3856ad364e35_10.0.19041.3636_none_af6a305578807f3c\r\sessionmsg.exe" /grant "everyone":(f)
      4⤵
      PID:4044
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-t..services-sessionmsg_31bf3856ad364e35_10.0.19041.3636_none_af6a305578807f3c\sessionmsg.exe"
    3⤵
    PID:3868
  - - C:\Windows\SysWOW64\takeown.exe
      takeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-t..services-sessionmsg_31bf3856ad364e35_10.0.19041.3636_none_af6a305578807f3c\sessionmsg.exe"
      4⤵
      Possible privilege escalation attempt
      PID:4628
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\Windows\WinSxS\amd64_microsoft-windows-t..services-sessionmsg_31bf3856ad364e35_10.0.19041.3636_none_af6a305578807f3c\sessionmsg.exe" /grant "everyone":(f)
      4⤵
      PID:3944
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-t..services-sessionmsg_31bf3856ad364e35_10.0.19041.746_none_18cbe45e21fb4fcb\f\sessionmsg.exe"
    3⤵
    PID:4776
  - - C:\Windows\SysWOW64\takeown.exe
      takeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-t..services-sessionmsg_31bf3856ad364e35_10.0.19041.746_none_18cbe45e21fb4fcb\f\sessionmsg.exe"
      4⤵
      PID:1696
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\Windows\WinSxS\amd64_microsoft-windows-t..services-sessionmsg_31bf3856ad364e35_10.0.19041.746_none_18cbe45e21fb4fcb\f\sessionmsg.exe" /grant "everyone":(f)
      4⤵
      PID:4468
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-t..services-sessionmsg_31bf3856ad364e35_10.0.19041.746_none_18cbe45e21fb4fcb\r\sessionmsg.exe"
    3⤵
    PID:1932
  - - C:\Windows\SysWOW64\takeown.exe
      takeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-t..services-sessionmsg_31bf3856ad364e35_10.0.19041.746_none_18cbe45e21fb4fcb\r\sessionmsg.exe"
      4⤵
      PID:1764
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\Windows\WinSxS\amd64_microsoft-windows-t..services-sessionmsg_31bf3856ad364e35_10.0.19041.746_none_18cbe45e21fb4fcb\r\sessionmsg.exe" /grant "everyone":(f)
      4⤵
      PID:4828
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-t..services-sessionmsg_31bf3856ad364e35_10.0.19041.746_none_18cbe45e21fb4fcb\sessionmsg.exe"
    3⤵
    PID:1400
  - - C:\Windows\SysWOW64\takeown.exe
      takeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-t..services-sessionmsg_31bf3856ad364e35_10.0.19041.746_none_18cbe45e21fb4fcb\sessionmsg.exe"
      4⤵
      PID:2604
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\Windows\WinSxS\amd64_microsoft-windows-t..services-sessionmsg_31bf3856ad364e35_10.0.19041.746_none_18cbe45e21fb4fcb\sessionmsg.exe" /grant "everyone":(f)
      4⤵
      PID:3256
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-t..sionagent-uachelper_31bf3856ad364e35_10.0.19041.1_none_70aae5f3051c8851\RdpSaUacHelper.exe"
    3⤵
    PID:2364
  - - C:\Windows\SysWOW64\takeown.exe
      takeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-t..sionagent-uachelper_31bf3856ad364e35_10.0.19041.1_none_70aae5f3051c8851\RdpSaUacHelper.exe"
      4⤵
      PID:3160
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\Windows\WinSxS\amd64_microsoft-windows-t..sionagent-uachelper_31bf3856ad364e35_10.0.19041.1_none_70aae5f3051c8851\RdpSaUacHelper.exe" /grant "everyone":(f)
      4⤵
      PID:892
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-t..sionagent-uachelper_31bf3856ad364e35_10.0.19041.3636_none_2f516f331b13760c\f\RdpSaUacHelper.exe"
    3⤵
    PID:1860
  - - C:\Windows\SysWOW64\takeown.exe
      takeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-t..sionagent-uachelper_31bf3856ad364e35_10.0.19041.3636_none_2f516f331b13760c\f\RdpSaUacHelper.exe"
      4⤵
      PID:2280
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\Windows\WinSxS\amd64_microsoft-windows-t..sionagent-uachelper_31bf3856ad364e35_10.0.19041.3636_none_2f516f331b13760c\f\RdpSaUacHelper.exe" /grant "everyone":(f)
      4⤵
      PID:4236
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-t..sionagent-uachelper_31bf3856ad364e35_10.0.19041.3636_none_2f516f331b13760c\r\RdpSaUacHelper.exe"
    3⤵
    PID:3816
  - - C:\Windows\SysWOW64\takeown.exe
      takeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-t..sionagent-uachelper_31bf3856ad364e35_10.0.19041.3636_none_2f516f331b13760c\r\RdpSaUacHelper.exe"
      4⤵
      PID:3196
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\Windows\WinSxS\amd64_microsoft-windows-t..sionagent-uachelper_31bf3856ad364e35_10.0.19041.3636_none_2f516f331b13760c\r\RdpSaUacHelper.exe" /grant "everyone":(f)
      4⤵
      PID:2968
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-t..sionagent-uachelper_31bf3856ad364e35_10.0.19041.3636_none_2f516f331b13760c\RdpSaUacHelper.exe"
    3⤵
    PID:3868
  - - C:\Windows\SysWOW64\takeown.exe
      takeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-t..sionagent-uachelper_31bf3856ad364e35_10.0.19041.3636_none_2f516f331b13760c\RdpSaUacHelper.exe"
      4⤵
      Possible privilege escalation attempt
      PID:4468
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\Windows\WinSxS\amd64_microsoft-windows-t..sionagent-uachelper_31bf3856ad364e35_10.0.19041.3636_none_2f516f331b13760c\RdpSaUacHelper.exe" /grant "everyone":(f)
      4⤵
      PID:4368
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-tabletpc-controlpanel_31bf3856ad364e35_10.0.19041.1_none_95647fabfa4ec9fe\MultiDigiMon.exe"
    3⤵
    PID:3916
  - - C:\Windows\SysWOW64\takeown.exe
      takeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-tabletpc-controlpanel_31bf3856ad364e35_10.0.19041.1_none_95647fabfa4ec9fe\MultiDigiMon.exe"
      4⤵
      PID:1604
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\Windows\WinSxS\amd64_microsoft-windows-tabletpc-controlpanel_31bf3856ad364e35_10.0.19041.1_none_95647fabfa4ec9fe\MultiDigiMon.exe" /grant "everyone":(f)
      4⤵
      PID:4736
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-tabletpc-controlpanel_31bf3856ad364e35_10.0.19041.1_none_95647fabfa4ec9fe\tabcal.exe"
    3⤵
    PID:1492
  - - C:\Windows\SysWOW64\takeown.exe
      takeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-tabletpc-controlpanel_31bf3856ad364e35_10.0.19041.1_none_95647fabfa4ec9fe\tabcal.exe"
      4⤵
      PID:1116
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\Windows\WinSxS\amd64_microsoft-windows-tabletpc-controlpanel_31bf3856ad364e35_10.0.19041.1_none_95647fabfa4ec9fe\tabcal.exe" /grant "everyone":(f)
      4⤵
      PID:1920
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-tabletpc-inputpanel_31bf3856ad364e35_10.0.19041.4355_none_864935902cbc83b5\f\TabTip.exe"
    3⤵
    PID:1964
  - - C:\Windows\SysWOW64\takeown.exe
      takeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-tabletpc-inputpanel_31bf3856ad364e35_10.0.19041.4355_none_864935902cbc83b5\f\TabTip.exe"
      4⤵
      PID:1400
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\Windows\WinSxS\amd64_microsoft-windows-tabletpc-inputpanel_31bf3856ad364e35_10.0.19041.4355_none_864935902cbc83b5\f\TabTip.exe" /grant "everyone":(f)
      4⤵
      PID:3632
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-tabletpc-inputpanel_31bf3856ad364e35_10.0.19041.4355_none_864935902cbc83b5\r\TabTip.exe"
    3⤵
    PID:1100
  - - C:\Windows\SysWOW64\takeown.exe
      takeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-tabletpc-inputpanel_31bf3856ad364e35_10.0.19041.4355_none_864935902cbc83b5\r\TabTip.exe"
      4⤵
      PID:2648
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\Windows\WinSxS\amd64_microsoft-windows-tabletpc-inputpanel_31bf3856ad364e35_10.0.19041.4355_none_864935902cbc83b5\r\TabTip.exe" /grant "everyone":(f)
      4⤵
      PID:4084
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-tabletpc-inputpanel_31bf3856ad364e35_10.0.19041.4355_none_864935902cbc83b5\TabTip.exe"
    3⤵
    PID:4064
  - - C:\Windows\SysWOW64\takeown.exe
      takeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-tabletpc-inputpanel_31bf3856ad364e35_10.0.19041.4355_none_864935902cbc83b5\TabTip.exe"
      4⤵
      PID:4384
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\Windows\WinSxS\amd64_microsoft-windows-tabletpc-inputpanel_31bf3856ad364e35_10.0.19041.4355_none_864935902cbc83b5\TabTip.exe" /grant "everyone":(f)
      4⤵
      PID:3252
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-tabletpc-inputpanel_31bf3856ad364e35_10.0.19041.844_none_ef8661e4d6535c5c\f\TabTip.exe"
    3⤵
    PID:1284
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:1192
  - - C:\Windows\SysWOW64\takeown.exe
      takeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-tabletpc-inputpanel_31bf3856ad364e35_10.0.19041.844_none_ef8661e4d6535c5c\f\TabTip.exe"
      4⤵
      PID:1960
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\Windows\WinSxS\amd64_microsoft-windows-tabletpc-inputpanel_31bf3856ad364e35_10.0.19041.844_none_ef8661e4d6535c5c\f\TabTip.exe" /grant "everyone":(f)
      4⤵
      PID:1828
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-tabletpc-inputpanel_31bf3856ad364e35_10.0.19041.844_none_ef8661e4d6535c5c\r\TabTip.exe"
    3⤵
    PID:5016
  - - C:\Windows\SysWOW64\takeown.exe
      takeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-tabletpc-inputpanel_31bf3856ad364e35_10.0.19041.844_none_ef8661e4d6535c5c\r\TabTip.exe"
      4⤵
      PID:3704
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\Windows\WinSxS\amd64_microsoft-windows-tabletpc-inputpanel_31bf3856ad364e35_10.0.19041.844_none_ef8661e4d6535c5c\r\TabTip.exe" /grant "everyone":(f)
      4⤵
      Modifies file permissions
      PID:1224
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-tabletpc-inputpanel_31bf3856ad364e35_10.0.19041.844_none_ef8661e4d6535c5c\TabTip.exe"
    3⤵
    PID:2516
  - - C:\Windows\SysWOW64\takeown.exe
      takeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-tabletpc-inputpanel_31bf3856ad364e35_10.0.19041.844_none_ef8661e4d6535c5c\TabTip.exe"
      4⤵
      PID:4208
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\Windows\WinSxS\amd64_microsoft-windows-tabletpc-inputpanel_31bf3856ad364e35_10.0.19041.844_none_ef8661e4d6535c5c\TabTip.exe" /grant "everyone":(f)
      4⤵
      PID:840
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-takeown_31bf3856ad364e35_10.0.19041.1_none_afdc734db4fba076\takeown.exe"
    3⤵
    PID:4672
  - - C:\Windows\SysWOW64\takeown.exe
      takeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-takeown_31bf3856ad364e35_10.0.19041.1_none_afdc734db4fba076\takeown.exe"
      4⤵
      PID:4284
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\Windows\WinSxS\amd64_microsoft-windows-takeown_31bf3856ad364e35_10.0.19041.1_none_afdc734db4fba076\takeown.exe" /grant "everyone":(f)
      4⤵
      PID:4740
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-tapicore_31bf3856ad364e35_10.0.19041.3636_none_58d16f4dfbeb0e8d\dialer.exe"
    3⤵
    PID:4196
  - - C:\Windows\SysWOW64\takeown.exe
      takeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-tapicore_31bf3856ad364e35_10.0.19041.3636_none_58d16f4dfbeb0e8d\dialer.exe"
      4⤵
      PID:3932
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\Windows\WinSxS\amd64_microsoft-windows-tapicore_31bf3856ad364e35_10.0.19041.3636_none_58d16f4dfbeb0e8d\dialer.exe" /grant "everyone":(f)
      4⤵
      PID:4180
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-tapicore_31bf3856ad364e35_10.0.19041.746_none_c2332356a565df1c\dialer.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1932
  - - C:\Windows\SysWOW64\takeown.exe
      takeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-tapicore_31bf3856ad364e35_10.0.19041.746_none_c2332356a565df1c\dialer.exe"
      4⤵
      PID:3036
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\Windows\WinSxS\amd64_microsoft-windows-tapicore_31bf3856ad364e35_10.0.19041.746_none_c2332356a565df1c\dialer.exe" /grant "everyone":(f)
      4⤵
      System Location Discovery: System Language Discovery
      PID:1784
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-tapisetup_31bf3856ad364e35_10.0.19041.3636_none_de8ac187507e7a17\TapiUnattend.exe"
    3⤵
    PID:2728
  - - C:\Windows\SysWOW64\takeown.exe
      takeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-tapisetup_31bf3856ad364e35_10.0.19041.3636_none_de8ac187507e7a17\TapiUnattend.exe"
      4⤵
      PID:620
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\Windows\WinSxS\amd64_microsoft-windows-tapisetup_31bf3856ad364e35_10.0.19041.3636_none_de8ac187507e7a17\TapiUnattend.exe" /grant "everyone":(f)
      4⤵
      PID:5008
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-tapisetup_31bf3856ad364e35_10.0.19041.746_none_47ec758ff9f94aa6\TapiUnattend.exe"
    3⤵
    PID:900
  - - C:\Windows\SysWOW64\takeown.exe
      takeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-tapisetup_31bf3856ad364e35_10.0.19041.746_none_47ec758ff9f94aa6\TapiUnattend.exe"
      4⤵
      PID:4296
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\Windows\WinSxS\amd64_microsoft-windows-tapisetup_31bf3856ad364e35_10.0.19041.746_none_47ec758ff9f94aa6\TapiUnattend.exe" /grant "everyone":(f)
      4⤵
      PID:1280
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-taskhost_31bf3856ad364e35_10.0.19041.4474_none_9cf00f930f96448e\f\taskhostw.exe"
    3⤵
    PID:4060
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:1612
  - - C:\Windows\SysWOW64\takeown.exe
      takeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-taskhost_31bf3856ad364e35_10.0.19041.4474_none_9cf00f930f96448e\f\taskhostw.exe"
      4⤵
      PID:2464
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\Windows\WinSxS\amd64_microsoft-windows-taskhost_31bf3856ad364e35_10.0.19041.4474_none_9cf00f930f96448e\f\taskhostw.exe" /grant "everyone":(f)
      4⤵
      PID:2116
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-taskhost_31bf3856ad364e35_10.0.19041.4474_none_9cf00f930f96448e\r\taskhostw.exe"
    3⤵
    PID:3704
  - - C:\Windows\SysWOW64\takeown.exe
      takeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-taskhost_31bf3856ad364e35_10.0.19041.4474_none_9cf00f930f96448e\r\taskhostw.exe"
      4⤵
      PID:3840
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\Windows\WinSxS\amd64_microsoft-windows-taskhost_31bf3856ad364e35_10.0.19041.4474_none_9cf00f930f96448e\r\taskhostw.exe" /grant "everyone":(f)
      4⤵
      PID:4032
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-taskhost_31bf3856ad364e35_10.0.19041.4474_none_9cf00f930f96448e\taskhostw.exe"
    3⤵
    PID:652
  - - C:\Windows\SysWOW64\takeown.exe
      takeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-taskhost_31bf3856ad364e35_10.0.19041.4474_none_9cf00f930f96448e\taskhostw.exe"
      4⤵
      PID:4108
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\Windows\WinSxS\amd64_microsoft-windows-taskhost_31bf3856ad364e35_10.0.19041.4474_none_9cf00f930f96448e\taskhostw.exe" /grant "everyone":(f)
      4⤵
      PID:3876
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-taskhost_31bf3856ad364e35_10.0.19041.906_none_066336a1b904a848\f\taskhostw.exe"
    3⤵
    PID:4312
  - - C:\Windows\SysWOW64\takeown.exe
      takeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-taskhost_31bf3856ad364e35_10.0.19041.906_none_066336a1b904a848\f\taskhostw.exe"
      4⤵
      PID:4072
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\Windows\WinSxS\amd64_microsoft-windows-taskhost_31bf3856ad364e35_10.0.19041.906_none_066336a1b904a848\f\taskhostw.exe" /grant "everyone":(f)
      4⤵
      PID:1988
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-taskhost_31bf3856ad364e35_10.0.19041.906_none_066336a1b904a848\r\taskhostw.exe"
    3⤵
    PID:3648
  - - C:\Windows\SysWOW64\takeown.exe
      takeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-taskhost_31bf3856ad364e35_10.0.19041.906_none_066336a1b904a848\r\taskhostw.exe"
      4⤵
      PID:3932
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\Windows\WinSxS\amd64_microsoft-windows-taskhost_31bf3856ad364e35_10.0.19041.906_none_066336a1b904a848\r\taskhostw.exe" /grant "everyone":(f)
      4⤵
      System Location Discovery: System Language Discovery
      PID:1264
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-taskhost_31bf3856ad364e35_10.0.19041.906_none_066336a1b904a848\taskhostw.exe"
    3⤵
    PID:1116
  - - C:\Windows\SysWOW64\takeown.exe
      takeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-taskhost_31bf3856ad364e35_10.0.19041.906_none_066336a1b904a848\taskhostw.exe"
      4⤵
      PID:2096
- C:\Users\Admin\Downloads\trash_malware\trash malware\mbrsetup.exe
  "C:\Users\Admin\Downloads\trash_malware\trash malware\mbrsetup.exe"
  2⤵
  - UAC bypass
  - Executes dropped EXE
  - Checks whether UAC is enabled
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - System policy modification
  PID:1536

C:\Windows\msagent\AgentSvr.exe
C:\Windows\msagent\AgentSvr.exe -Embedding
1⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1020

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x4d4 0x500
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2076

C:\Windows\explorer.exe
explorer.exe
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Enumerates connected drives
- Checks SCSI registry key(s)
- Suspicious use of SendNotifyMessage
PID:3580

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
- Suspicious use of SetWindowsHookEx
PID:1800

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
- Suspicious use of SetWindowsHookEx
PID:4032

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TextInputHost.exe
"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TextInputHost.exe" -ServerName:InputApp.AppXk0k6mrh4r2q0ct33a9wgbez0x7v9cz5y.mca
1⤵
- Suspicious use of SetWindowsHookEx
PID:4508

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k WerSvcGroup
1⤵
PID:3048

C:\Windows\explorer.exe
explorer.exe
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Enumerates connected drives
- Checks SCSI registry key(s)
- Suspicious use of SendNotifyMessage
PID:4396

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
- Suspicious use of SetWindowsHookEx
PID:3572

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TextInputHost.exe
"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TextInputHost.exe" -ServerName:InputApp.AppXk0k6mrh4r2q0ct33a9wgbez0x7v9cz5y.mca
1⤵
- Suspicious use of SetWindowsHookEx
PID:2868

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
- Suspicious use of SetWindowsHookEx
PID:2164

C:\Windows\explorer.exe
explorer.exe
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Enumerates connected drives
- Checks SCSI registry key(s)
- Suspicious use of SendNotifyMessage
PID:1756

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
- Suspicious use of SetWindowsHookEx
PID:4120

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TextInputHost.exe
"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TextInputHost.exe" -ServerName:InputApp.AppXk0k6mrh4r2q0ct33a9wgbez0x7v9cz5y.mca
1⤵
- Suspicious use of SetWindowsHookEx
PID:3256

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
- Suspicious use of SetWindowsHookEx
PID:3816

C:\Windows\explorer.exe
explorer.exe
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Enumerates connected drives
- Checks SCSI registry key(s)
PID:4932

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Event Triggered Execution

T1546

Accessibility Features

T1546.008

AppInit DLLs

T1546.010

Power Settings

T1653

Pre-OS Boot

T1542

Bootkit

T1542.003

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Access Token Manipulation

T1134

Create Process with Token

T1134.002

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Event Triggered Execution

T1546

Accessibility Features

T1546.008

AppInit DLLs

T1546.010

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Access Token Manipulation

T1134

Create Process with Token

T1134.002

File and Directory Permissions Modification

T1222

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Impair Defenses

T1562

Disable or Modify Tools

Modify Registry

Pre-OS Boot

T1542

Bootkit

T1542.003

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

System Information Discovery