hxxp://temp[.]sh/ennfh/trash_malware[.]zip

Bypass User Account Control

T1548.002

Disable or Modify Tools

Modify Registry

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Illerka.C.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	mbrsetup.exe

Windows security bypass 2 TTPs 3 IoCs

Disable or Modify Tools

Modify Registry

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	antivirus-platinum.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	antivirus-platinum.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	antivirus-platinum.exe

Boot or Logon Autostart Execution: Active Setup 2 TTPs 22 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3996797005-1442104920-3698332314-1000\Software\Microsoft\Active Setup\Installed Components	Process not Found
Key created	\REGISTRY\USER\S-1-5-21-3996797005-1442104920-3698332314-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3996797005-1442104920-3698332314-1000\Software\Microsoft\Active Setup\Installed Components	Process not Found
Key created	\REGISTRY\USER\S-1-5-21-3996797005-1442104920-3698332314-1000\Software\Microsoft\Active Setup\Installed Components	Process not Found
Key created	\REGISTRY\USER\S-1-5-21-3996797005-1442104920-3698332314-1000\Software\Microsoft\Active Setup\Installed Components	Process not Found
Key created	\REGISTRY\USER\S-1-5-21-3996797005-1442104920-3698332314-1000\Software\Microsoft\Active Setup\Installed Components	Process not Found
Key created	\REGISTRY\USER\S-1-5-21-3996797005-1442104920-3698332314-1000\Software\Microsoft\Active Setup\Installed Components	Process not Found
Key created	\REGISTRY\MACHINE\software\WOW6432Node\microsoft\Active Setup\Installed Components	INSTALLER.exe
Key created	\REGISTRY\USER\S-1-5-21-3996797005-1442104920-3698332314-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3996797005-1442104920-3698332314-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3996797005-1442104920-3698332314-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3996797005-1442104920-3698332314-1000\Software\Microsoft\Active Setup\Installed Components	Process not Found
Key created	\REGISTRY\USER\S-1-5-21-3996797005-1442104920-3698332314-1000\Software\Microsoft\Active Setup\Installed Components	Process not Found
Key created	\REGISTRY\USER\S-1-5-21-3996797005-1442104920-3698332314-1000\Software\Microsoft\Active Setup\Installed Components	Process not Found
Key created	\REGISTRY\MACHINE\software\WOW6432Node\microsoft\Active Setup\Installed Components	INSTALLER.exe
Key created	\REGISTRY\USER\S-1-5-21-3996797005-1442104920-3698332314-1000\Software\Microsoft\Active Setup\Installed Components	Process not Found
Key created	\REGISTRY\USER\S-1-5-21-3996797005-1442104920-3698332314-1000\Software\Microsoft\Active Setup\Installed Components	Process not Found
Key created	\REGISTRY\USER\S-1-5-21-3996797005-1442104920-3698332314-1000\Software\Microsoft\Active Setup\Installed Components	Process not Found
Key created	\REGISTRY\USER\S-1-5-21-3996797005-1442104920-3698332314-1000\Software\Microsoft\Active Setup\Installed Components	Process not Found
Key created	\REGISTRY\USER\S-1-5-21-3996797005-1442104920-3698332314-1000\Software\Microsoft\Active Setup\Installed Components	Process not Found
Key created	\REGISTRY\USER\S-1-5-21-3996797005-1442104920-3698332314-1000\Software\Microsoft\Active Setup\Installed Components	Process not Found
Key created	\REGISTRY\USER\S-1-5-21-3996797005-1442104920-3698332314-1000\Software\Microsoft\Active Setup\Installed Components	Process not Found

Disables RegEdit via registry modification 1 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-3996797005-1442104920-3698332314-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	antivirus-platinum.exe

Event Triggered Execution: AppInit DLLs 1 TTPs
Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by AppInit DLLs loaded into processes.
persistence privilege_escalation

AppInit DLLs
T1546.010

Possible privilege escalation attempt 64 IoCs

exploit

pid	Process
1316	Process not Found
2600	Process not Found
1368	Process not Found
3632	icacls.exe
4580	Process not Found
996	Process not Found
464	Process not Found
1256	Process not Found
1992	Process not Found
3768	Process not Found
3252	takeown.exe
2992	icacls.exe
968	Process not Found
4728	Process not Found
4256	Process not Found
4716	Process not Found
1852	Process not Found
2840	Process not Found
4524	icacls.exe
4628	takeown.exe
3916	Process not Found
3532	Process not Found
3084	Process not Found
2492	Process not Found
4560	Process not Found
1548	Process not Found
4664	Process not Found
2756	Process not Found
412	Process not Found
1552	takeown.exe
4284	icacls.exe
4468	takeown.exe
2436	Process not Found
1304	Process not Found
1188	Process not Found
4468	Process not Found
3560	Process not Found
3812	Process not Found
4180	Process not Found
892	Process not Found
3176	Process not Found
4632	Process not Found
2644	Process not Found
4692	Process not Found
2720	Process not Found
4172	Process not Found
2380	Process not Found
3120	Process not Found
3868	Process not Found
4360	Process not Found
4576	Process not Found
788	Process not Found
3948	Process not Found
2396	Process not Found
4984	Process not Found
2540	Process not Found
1960	takeown.exe
3312	Process not Found
3028	Process not Found
420	Process not Found
3828	Process not Found
3088	Process not Found
2728	Process not Found
1172	takeown.exe

Checks computer location settings 2 TTPs 9 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3996797005-1442104920-3698332314-1000\Control Panel\International\Geo\Nation	AntivirusPlatinum.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3996797005-1442104920-3698332314-1000\Control Panel\International\Geo\Nation	302746537.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3996797005-1442104920-3698332314-1000\Control Panel\International\Geo\Nation	Free YouTube Downloader.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3996797005-1442104920-3698332314-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3996797005-1442104920-3698332314-1000\Control Panel\International\Geo\Nation	wscript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3996797005-1442104920-3698332314-1000\Control Panel\International\Geo\Nation	XPAntivirus2008.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3996797005-1442104920-3698332314-1000\Control Panel\International\Geo\Nation	cmd.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3996797005-1442104920-3698332314-1000\Control Panel\International\Geo\Nation	FreeYoutubeDownloader.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3996797005-1442104920-3698332314-1000\Control Panel\International\Geo\Nation	wscript.exe

Executes dropped EXE 42 IoCs

pid	Process
4396	Zika.exe
2700	IconDance.exe
4764	Illerka.C.exe
4624	FreeYoutubeDownloader.exe
1808	XPAntivirus2008.exe
2912	AntivirusPro2017.exe
1348	HappyAntivirus.exe
4372	svchost.exe
3024	AntivirusPlatinum.exe
2388	icons.exe
2808	Bonzify.exe
2536	Free YouTube Downloader.exe
5108	taskhost.exe
1536	mbrsetup.exe
1292	302746537.exe
3796	rhc9l0j0en3j.exe
3052	svchost.exe
5100	pphccl0j0en3j.exe
1924	taskhost.exe
4420	antivirus-platinum.exe
1932	svchost.exe
3676	taskhost.exe
1756	svchost.exe
4692	taskhost.exe
2992	svchost.exe
3244	svchost.exe
2464	taskhost.exe
2616	svchost.exe
968	taskhost.exe
4004	svchost.exe
3088	taskhost.exe
3608	INSTALLER.exe
4776	svchost.exe
2916	taskhost.exe
4728	AgentSvr.exe
4836	INSTALLER.exe
4796	svchost.exe
868	taskhost.exe
2828	svchost.exe
1020	AgentSvr.exe
2992	taskhost.exe
3340	Process not Found

Loads dropped DLL 27 IoCs

pid	Process
1808	XPAntivirus2008.exe
1808	XPAntivirus2008.exe
1808	XPAntivirus2008.exe
3796	rhc9l0j0en3j.exe
3796	rhc9l0j0en3j.exe
3796	rhc9l0j0en3j.exe
3796	rhc9l0j0en3j.exe
1980	regsvr32.exe
3088	regsvr32.exe
4420	antivirus-platinum.exe
3608	INSTALLER.exe
1932	regsvr32.exe
1100	regsvr32.exe
1268	regsvr32.exe
4668	regsvr32.exe
868	regsvr32.exe
4532	regsvr32.exe
3372	regsvr32.exe
4836	INSTALLER.exe
3696	regsvr32.exe
3696	regsvr32.exe
4248	regsvr32.exe
2808	Bonzify.exe
1020	AgentSvr.exe
1020	AgentSvr.exe
1020	AgentSvr.exe
3340	Process not Found

Modifies file permissions 1 TTPs 64 IoCs

discovery

File and Directory Permissions Modification

T1222

pid	Process
1224	icacls.exe
3908	Process not Found
272	Process not Found
3256	Process not Found
4932	Process not Found
2432	Process not Found
4136	Process not Found
1244	Process not Found
1804	takeown.exe
4476	Process not Found
3964	Process not Found
1920	Process not Found
2216	Process not Found
4568	Process not Found
3172	Process not Found
4232	Process not Found
2804	Process not Found
4256	Process not Found
5044	Process not Found
3804	Process not Found
4128	Process not Found
3644	Process not Found
1388	Process not Found
2628	Process not Found
2096	Process not Found
1852	Process not Found
4184	Process not Found
4052	Process not Found
3868	Process not Found
4256	Process not Found
3952	Process not Found
3132	Process not Found
2892	Process not Found
4172	Process not Found
3420	Process not Found
4064	Process not Found
4792	Process not Found
2924	Process not Found
3236	Process not Found
3200	Process not Found
3188	Process not Found
2432	Process not Found
4112	Process not Found
3596	Process not Found
2440	Process not Found
1316	Process not Found
2036	Process not Found
4368	Process not Found
3892	Process not Found
5016	icacls.exe
968	takeown.exe
1016	Process not Found
3588	Process not Found
2692	Process not Found
2380	Process not Found
1676	Process not Found
3028	Process not Found
3236	Process not Found
3532	Process not Found
1512	Process not Found
756	takeown.exe
1264	Process not Found
3196	Process not Found
3588	Process not Found

Windows security modification 2 TTPs 3 IoCs

Disable or Modify Tools

Modify Registry

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	antivirus-platinum.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	antivirus-platinum.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	antivirus-platinum.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3996797005-1442104920-3698332314-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\AntiVirus Pro 2017 = "C:\\Users\\Admin\\Downloads\\trash_malware\\trash malware\\AntivirusPro2017.exe"	AntivirusPro2017.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\tv_enua = "RunDll32 advpack.dll,LaunchINFSection C:\\Windows\\INF\\tv_enua.inf, RemoveCabinet"	INSTALLER.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\SMrhc9l0j0en3j = "C:\\Program Files (x86)\\rhc9l0j0en3j\\rhc9l0j0en3j.exe"	XPAntivirus2008.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3996797005-1442104920-3698332314-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Free Youtube Downloader = "C:\\Windows\\Free Youtube Downloader\\Free Youtube Downloader\\Free YouTube Downloader.exe"	FreeYoutubeDownloader.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Checks whether UAC is enabled 1 TTPs 4 IoCs

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Illerka.C.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Illerka.C.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	mbrsetup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	mbrsetup.exe

Enumerates connected drives 3 TTPs 61 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

Peripheral Device Discovery

T1120

System Information Discovery

defense_evasion privilege_escalation

description	ioc	Process
File opened (read-only)	\??\F:	explorer.exe
File opened (read-only)	\??\E:	Process not Found
File opened (read-only)	\??\F:	Process not Found
File opened (read-only)	\??\Z:	AntivirusPro2017.exe
File opened (read-only)	\??\F:	Process not Found
File opened (read-only)	\??\F:	Process not Found
File opened (read-only)	\??\F:	Process not Found
File opened (read-only)	\??\E:	Process not Found
File opened (read-only)	\??\M:	AntivirusPro2017.exe
File opened (read-only)	\??\K:	AntivirusPro2017.exe
File opened (read-only)	\??\E:	Process not Found
File opened (read-only)	\??\F:	Process not Found
File opened (read-only)	\??\F:	Process not Found
File opened (read-only)	\??\P:	AntivirusPro2017.exe
File opened (read-only)	\??\E:	Process not Found
File opened (read-only)	\??\G:	AntivirusPro2017.exe
File opened (read-only)	\??\F:	explorer.exe
File opened (read-only)	\??\F:	Process not Found
File opened (read-only)	\??\E:	Process not Found
File opened (read-only)	\??\V:	AntivirusPro2017.exe
File opened (read-only)	\??\H:	AntivirusPro2017.exe
File opened (read-only)	\??\T:	AntivirusPro2017.exe
File opened (read-only)	\??\F:	Process not Found
File opened (read-only)	\??\S:	AntivirusPro2017.exe
File opened (read-only)	\??\F:	explorer.exe
File opened (read-only)	\??\E:	Process not Found
File opened (read-only)	\??\F:	Process not Found
File opened (read-only)	\??\Q:	AntivirusPro2017.exe
File opened (read-only)	\??\J:	AntivirusPro2017.exe
File opened (read-only)	\??\E:	Process not Found
File opened (read-only)	\??\F:	Process not Found
File opened (read-only)	\??\E:	explorer.exe
File opened (read-only)	\??\E:	explorer.exe
File opened (read-only)	\??\F:	Process not Found
File opened (read-only)	\??\E:	Process not Found
File opened (read-only)	\??\E:	Process not Found
File opened (read-only)	\??\E:	explorer.exe
File opened (read-only)	\??\R:	AntivirusPro2017.exe
File opened (read-only)	\??\O:	AntivirusPro2017.exe
File opened (read-only)	\??\U:	AntivirusPro2017.exe
File opened (read-only)	\??\E:	Process not Found
File opened (read-only)	\??\E:	Process not Found
File opened (read-only)	\??\F:	Process not Found
File opened (read-only)	\??\W:	AntivirusPro2017.exe
File opened (read-only)	\??\X:	AntivirusPro2017.exe
File opened (read-only)	\??\Y:	AntivirusPro2017.exe
File opened (read-only)	\??\D:	AntivirusPro2017.exe
File opened (read-only)	\??\E:	Process not Found
File opened (read-only)	\??\F:	Process not Found
File opened (read-only)	\??\E:	explorer.exe
File opened (read-only)	\??\E:	Process not Found
File opened (read-only)	\??\I:	AntivirusPro2017.exe
File opened (read-only)	\??\N:	AntivirusPro2017.exe
File opened (read-only)	\??\F:	Process not Found
File opened (read-only)	\??\F:	Process not Found
File opened (read-only)	\??\L:	AntivirusPro2017.exe
File opened (read-only)	\??\F:	explorer.exe
File opened (read-only)	\??\E:	Process not Found
File opened (read-only)	\??\E:	Process not Found
File opened (read-only)	\??\E:	Process not Found
File opened (read-only)	\??\F:	Process not Found

Power Settings 1 TTPs 3 IoCs

powercfg controls all configurable power system settings on a Windows system and can be abused to prevent an infected host from locking or shutting down.

persistence

Power Settings

T1653

pid	Process
3944	Process not Found
2120	Process not Found
1492	Process not Found

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	AntivirusPro2017.exe

Drops file in System32 directory 4 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\pphccl0j0en3j.exe	rhc9l0j0en3j.exe
File opened for modification	C:\Windows\SysWOW64\SETDCE9.tmp	INSTALLER.exe
File created	C:\Windows\SysWOW64\SETDCE9.tmp	INSTALLER.exe
File opened for modification	C:\Windows\SysWOW64\msvcp50.dll	INSTALLER.exe

UPX packed file 6 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/files/0x0007000000027f29-779.dat	upx
behavioral2/memory/1292-792-0x0000000000400000-0x0000000000410000-memory.dmp	upx
behavioral2/memory/4420-878-0x0000000000400000-0x000000000040D000-memory.dmp	upx
behavioral2/memory/1292-888-0x0000000000400000-0x0000000000410000-memory.dmp	upx
behavioral2/memory/1292-894-0x0000000000400000-0x0000000000410000-memory.dmp	upx
behavioral2/memory/4420-918-0x0000000000400000-0x000000000040D000-memory.dmp	upx

Drops file in Program Files directory 52 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe	Zika.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\InspectorOfficeGadget.dll.sys.exe	Zika.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.dll.sys.exe	Zika.exe
File opened for modification	C:\Program Files\7-Zip\7z.exe	Zika.exe
File created	C:\Program Files (x86)\rhc9l0j0en3j\rhc9l0j0en3j.exe.local	XPAntivirus2008.exe
File created	C:\Program Files\7-Zip\7zFM.dll.sys.exe	Zika.exe
File opened for modification	C:\Program Files\7-Zip\Uninstall.dll.sys.exe	Zika.exe
File created	C:\Program Files\7-Zip\Uninstall.exe	Zika.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe	Zika.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.dll.sys.exe	Zika.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.dll.sys.exe	Zika.exe
File created	C:\Program Files (x86)\rhc9l0j0en3j\MFC71ENU.DLL	XPAntivirus2008.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\InspectorOfficeGadget.exe	Zika.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.dll.sys.exe	Zika.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.dll.sys.exe	Zika.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe	Zika.exe
File created	C:\Program Files (x86)\rhc9l0j0en3j\rhc9l0j0en3j.exe	XPAntivirus2008.exe
File opened for modification	C:\Program Files\7-Zip\7zG.dll.sys.exe	Zika.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe	Zika.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.dll.sys.exe	Zika.exe
File opened for modification	C:\Program Files\7-Zip\7zFM.exe	Zika.exe
File created	C:\Program Files\7-Zip\7zG.exe	Zika.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\InspectorOfficeGadget.exe	Zika.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe	Zika.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe	Zika.exe
File created	C:\Program Files (x86)\rhc9l0j0en3j\database.dat	XPAntivirus2008.exe
File created	C:\Program Files\7-Zip\7z.exe	Zika.exe
File created	C:\Program Files (x86)\rhc9l0j0en3j\license.txt	XPAntivirus2008.exe
File created	C:\Program Files (x86)\rhc9l0j0en3j\Uninstall.exe	XPAntivirus2008.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.dll.sys.exe	Zika.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.dll.sys.exe	Zika.exe
File created	C:\Program Files (x86)\rhc9l0j0en3j\MFC71.dll	XPAntivirus2008.exe
File opened for modification	C:\Program Files\7-Zip\7z.dll.sys.exe	Zika.exe
File created	C:\Program Files (x86)\rhc9l0j0en3j\msvcr71.dll	XPAntivirus2008.exe
File opened for modification	C:\Program Files\7-Zip\7zFM.dll.sys.exe	Zika.exe
File opened for modification	C:\Program Files\7-Zip\7zG.exe	Zika.exe
File opened for modification	C:\Program Files\7-Zip\Uninstall.exe	Zika.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\InspectorOfficeGadget.dll.sys.exe	Zika.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.dll.sys.exe	Zika.exe
File created	C:\Program Files (x86)\rhc9l0j0en3j\msvcp71.dll	XPAntivirus2008.exe
File created	C:\Program Files\7-Zip\Uninstall.dll.sys.exe	Zika.exe
File opened for modification	C:\Program Files\7-Zip\Uninstall.exe	svchost.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe	Zika.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe	Zika.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.dll.sys.exe	Zika.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe	Zika.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe	Zika.exe
File created	C:\Program Files\7-Zip\7z.dll.sys.exe	Zika.exe
File created	C:\Program Files\7-Zip\7zFM.exe	Zika.exe
File created	C:\Program Files\7-Zip\7zG.dll.sys.exe	Zika.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.dll.sys.exe	Zika.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.dll.sys.exe	Zika.exe

Drops file in Windows directory 64 IoCs

description	ioc	Process
File created	C:\Windows\302746537.exe	AntivirusPlatinum.exe
File opened for modification	C:\Windows\302746537.exe	AntivirusPlatinum.exe
File opened for modification	C:\Windows\msagent\SETD5EF.tmp	INSTALLER.exe
File opened for modification	C:\Windows\help\SETD608.tmp	INSTALLER.exe
File opened for modification	C:\Windows\lhsp\tv\tvenuax.dll	INSTALLER.exe
File opened for modification	C:\Windows\Free Youtube Downloader\Free Youtube Downloader\Box.exe	FreeYoutubeDownloader.exe
File created	C:\Windows\help\SETD608.tmp	INSTALLER.exe
File opened for modification	C:\Windows\msagent\SETD5F1.tmp	INSTALLER.exe
File created	C:\Windows\msagent\SETD605.tmp	INSTALLER.exe
File opened for modification	C:\Windows\msagent\SETD607.tmp	INSTALLER.exe
File created	C:\Windows\msagent\SETD5F1.tmp	INSTALLER.exe
File opened for modification	C:\Windows\msagent\AgentDp2.dll	INSTALLER.exe
File created	C:\Windows\msagent\intl\SETD609.tmp	INSTALLER.exe
File opened for modification	C:\Windows\msagent\SETD5F0.tmp	INSTALLER.exe
File created	C:\Windows\msagent\SETD5F3.tmp	INSTALLER.exe
File opened for modification	C:\Windows\msagent\AgentAnm.dll	INSTALLER.exe
File created	C:\Windows\msagent\SETD607.tmp	INSTALLER.exe
File opened for modification	C:\Windows\lhsp\help\tv_enua.hlp	INSTALLER.exe
File opened for modification	C:\Windows\Free Youtube Downloader\Free Youtube Downloader\Free YouTube Downloader.exe	FreeYoutubeDownloader.exe
File created	C:\Windows\__tmp_rar_sfx_access_check_240811062	AntivirusPlatinum.exe
File opened for modification	C:\Windows\msagent\AgentCtl.dll	INSTALLER.exe
File opened for modification	C:\Windows\msagent\intl\SETD609.tmp	INSTALLER.exe
File opened for modification	C:\Windows\lhsp\tv\SETDCE5.tmp	INSTALLER.exe
File opened for modification	C:\Windows\INF\SETD606.tmp	INSTALLER.exe
File created	C:\Windows\INF\SETDCE8.tmp	INSTALLER.exe
File created	C:\Windows\notepad.dll.sys.exe	Zika.exe
File opened for modification	C:\Windows\antivirus-platinum.exe	AntivirusPlatinum.exe
File opened for modification	C:\windows\antivirus-platinum.exe	attrib.exe
File opened for modification	C:\Windows\msagent\SETD5F2.tmp	INSTALLER.exe
File opened for modification	C:\Windows\msagent\SETD5F4.tmp	INSTALLER.exe
File created	C:\Windows\lhsp\help\SETDCE6.tmp	INSTALLER.exe
File created	C:\Windows\fonts\SETDCE7.tmp	INSTALLER.exe
File created	C:\Windows\msagent\SETD61A.tmp	INSTALLER.exe
File created	C:\Windows\lhsp\tv\SETDCE4.tmp	INSTALLER.exe
File opened for modification	C:\Windows\lhsp\help\SETDCE6.tmp	INSTALLER.exe
File opened for modification	C:\Windows\fonts\andmoipa.ttf	INSTALLER.exe
File opened for modification	C:\Windows\INF\tv_enua.inf	INSTALLER.exe
File created	C:\Windows\MSCOMCTL.OCX	AntivirusPlatinum.exe
File created	C:\Windows\msagent\SETD5F2.tmp	INSTALLER.exe
File opened for modification	C:\Windows\msagent\SETD61A.tmp	INSTALLER.exe
File opened for modification	C:\Windows\lhsp\tv\SETDCE4.tmp	INSTALLER.exe
File opened for modification	C:\Windows\INF\agtinst.inf	INSTALLER.exe
File opened for modification	C:\Windows\msagent\mslwvtts.dll	INSTALLER.exe
File opened for modification	C:\Windows\notepad.dll.sys.exe	Zika.exe
File opened for modification	C:\Windows\System32	wscript.exe
File opened for modification	C:\Windows\Free Youtube Downloader\Free Youtube Downloader\Uninstall.exe	FreeYoutubeDownloader.exe
File created	C:\Windows\COMCTL32.OCX	AntivirusPlatinum.exe
File opened for modification	C:\Windows\COMCTL32.OCX	AntivirusPlatinum.exe
File opened for modification	C:\Windows\MSCOMCTL.OCX	AntivirusPlatinum.exe
File created	C:\Windows\msagent\SETD5EF.tmp	INSTALLER.exe
File opened for modification	C:\Windows\msagent\AgentDPv.dll	INSTALLER.exe
File created	C:\Windows\msagent\SETD5F4.tmp	INSTALLER.exe
File opened for modification	C:\Windows\msagent\AgentSR.dll	INSTALLER.exe
File opened for modification	C:\Windows\msagent\SETD605.tmp	INSTALLER.exe
File opened for modification	C:\Windows\msagent\intl\Agt0409.dll	INSTALLER.exe
File created	C:\Windows\INF\SETD606.tmp	INSTALLER.exe
File opened for modification	C:\Windows\msagent\AgtCtl15.tlb	INSTALLER.exe
File created	C:\Windows\Free Youtube Downloader\Free Youtube Downloader\Uninstall.ini	FreeYoutubeDownloader.exe
File opened for modification	C:\Windows\msagent\AgentSvr.exe	INSTALLER.exe
File opened for modification	C:\Windows\msagent\AgentMPx.dll	INSTALLER.exe
File opened for modification	C:\Windows\INF\SETDCE8.tmp	INSTALLER.exe
File created	C:\Windows\finalDestruction.bin	Bonzify.exe
File created	C:\Windows\antivirus-platinum.exe	AntivirusPlatinum.exe
File created	C:\Windows\msagent\SETD5F0.tmp	INSTALLER.exe

Access Token Manipulation: Create Process with Token 1 TTPs 4 IoCs

Create Process with Token

T1134.002

pid	Process
1056	Process not Found
3944	Process not Found
780	Process not Found
2052	Process not Found

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Event Triggered Execution: Accessibility Features 1 TTPs
Windows contains accessibility features that may be used by adversaries to establish persistence and/or elevate privileges.
persistence privilege_escalation

Accessibility Features
T1546.008

Program crash 4 IoCs

pid	pid_target	Process	procid_target
3576	3340	Process not Found	2709
2280	1800	Process not Found	4362
1980	1972	Process not Found	7067
2068	4536	Process not Found	9643

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	takeown.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AgentSvr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	icacls.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	takeown.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	takeown.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	takeown.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	takeown.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	takeown.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	icacls.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	icacls.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	icacls.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	icacls.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	takeown.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 14 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
3940	Process not Found
996	Process not Found
2868	Process not Found
1304	cmd.exe
3996	cmd.exe
3008	cmd.exe
3356	Process not Found
1332	Process not Found
4824	Process not Found
4272	Process not Found
4848	Process not Found
5012	cmd.exe
1972	cmd.exe
2096	cmd.exe

NSIS installer 4 IoCs

installer

resource	yara_rule
behavioral2/files/0x0007000000027eec-634.dat	nsis_installer_1
behavioral2/files/0x0007000000027eec-634.dat	nsis_installer_2
behavioral2/files/0x0008000000027f13-830.dat	nsis_installer_1
behavioral2/files/0x0008000000027f13-830.dat	nsis_installer_2

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

Peripheral Device Discovery

T1120

System Information Discovery

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	Process not Found
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{afd97640-86a3-4210-b67c-289c41aabe55}\0003	Process not Found
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\0064	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\0064	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	Process not Found
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{a45c254e-df1c-4efd-8020-67d146a850e0}\0011	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0002	Process not Found
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\ConfigFlags	Process not Found
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\HardwareID	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	Process not Found
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\HardwareID	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\0064	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	Process not Found
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\ConfigFlags	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	Process not Found

Checks processor information in registry 2 TTPs 12 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

System Information Discovery

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe

Kills process with taskkill 2 IoCs

pid	Process
1828	taskkill.exe
1012	Process not Found

Modifies Control Panel 8 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-3996797005-1442104920-3698332314-1000\Control Panel\Accessibility\Keyboard Response\Last Valid Delay = "0"	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-3996797005-1442104920-3698332314-1000\Control Panel\Accessibility\MinimumHitRadius = "0"	Process not Found
Set value (str)	\REGISTRY\USER\S-1-5-21-3996797005-1442104920-3698332314-1000\Control Panel\Cursors\Wait = "C:\\Windows\\cursors\\aero_busy.ani"	Process not Found
Set value (str)	\REGISTRY\USER\S-1-5-21-3996797005-1442104920-3698332314-1000\Control Panel\PowerCfg\PowerPolicies\3\Description = "This scheme keeps the computer running to that it can be accessed from the network. Use this scheme if you do not have network wakeup hardware."	Process not Found
Key created	\REGISTRY\USER\S-1-5-21-3996797005-1442104920-3698332314-1000\Control Panel\International	wscript.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3996797005-1442104920-3698332314-1000\Control Panel\International\s1159 = "Bolbi"	wscript.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3996797005-1442104920-3698332314-1000\Control Panel\International\s2359 = "Bolbi"	wscript.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3996797005-1442104920-3698332314-1000\Control Panel\Accessibility\Keyboard Response\Flags = "126"	Process not Found

Modifies Internet Explorer settings 1 TTPs 19 IoCs

adware spyware

Modify Registry

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Internet Explorer\Main	antivirus-platinum.exe
Key created	\REGISTRY\USER\S-1-5-21-3996797005-1442104920-3698332314-1000\Software\Microsoft\Internet Explorer\GPU	Process not Found
Key created	\REGISTRY\USER\S-1-5-21-3996797005-1442104920-3698332314-1000\SOFTWARE\Microsoft\Internet Explorer\GPU	Process not Found
Key created	\REGISTRY\USER\S-1-5-21-3996797005-1442104920-3698332314-1000\Software\Microsoft\Internet Explorer\GPU	Process not Found
Key created	\REGISTRY\USER\S-1-5-21-3996797005-1442104920-3698332314-1000\Software\Microsoft\Internet Explorer\GPU	Process not Found
Key created	\REGISTRY\USER\S-1-5-21-3996797005-1442104920-3698332314-1000\SOFTWARE\Microsoft\Internet Explorer\GPU	Process not Found
Set value (str)	\REGISTRY\USER\S-1-5-21-3996797005-1442104920-3698332314-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window Title = "YOUR PC MAY BE INFECTED WITH SPYWARE OR OTHER MALICIOUS ITEMS"	antivirus-platinum.exe
Key created	\REGISTRY\USER\S-1-5-21-3996797005-1442104920-3698332314-1000\SOFTWARE\Microsoft\Internet Explorer\GPU	Process not Found
Key created	\REGISTRY\USER\S-1-5-21-3996797005-1442104920-3698332314-1000\SOFTWARE\Microsoft\Internet Explorer\GPU	Process not Found
Key created	\REGISTRY\USER\S-1-5-21-3996797005-1442104920-3698332314-1000\SOFTWARE\Microsoft\Internet Explorer\GPU	Process not Found
Set value (str)	\REGISTRY\USER\S-1-5-21-3996797005-1442104920-3698332314-1000\SOFTWARE\Microsoft\Internet Explorer\International\Scripts\4\IEPropFontName = "Times New Roman"	Process not Found
Key created	\REGISTRY\USER\S-1-5-21-3996797005-1442104920-3698332314-1000\Software\Microsoft\Internet Explorer\GPU	Process not Found
Key created	\REGISTRY\USER\S-1-5-21-3996797005-1442104920-3698332314-1000\Software\Microsoft\Internet Explorer\GPU	Process not Found
Key created	\REGISTRY\USER\S-1-5-21-3996797005-1442104920-3698332314-1000\Software\Microsoft\Internet Explorer\GPU	Process not Found
Set value (str)	\REGISTRY\USER\S-1-5-21-3996797005-1442104920-3698332314-1000\SOFTWARE\Microsoft\Internet Explorer\International\Scripts\26\IEPropFontName = "Simsun"	Process not Found
Key created	\REGISTRY\USER\S-1-5-21-3996797005-1442104920-3698332314-1000\Software\Microsoft\Internet Explorer\Main	antivirus-platinum.exe
Key created	\REGISTRY\USER\S-1-5-21-3996797005-1442104920-3698332314-1000\SOFTWARE\Microsoft\Internet Explorer\GPU	Process not Found
Key created	\REGISTRY\USER\S-1-5-21-3996797005-1442104920-3698332314-1000\Software\Microsoft\Internet Explorer\GPU	Process not Found
Key created	\REGISTRY\USER\S-1-5-21-3996797005-1442104920-3698332314-1000\SOFTWARE\Microsoft\Internet Explorer\GPU	Process not Found

Modifies Internet Explorer start page 1 TTPs 2 IoCs

stealer

Modify Registry

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Main\Start Page = "http://secureservices2010.webs.com/scan"	antivirus-platinum.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3996797005-1442104920-3698332314-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Start Page = "http://secureservices2010.webs.com/scan"	antivirus-platinum.exe

Modifies data under HKEY_USERS 30 IoCs

description	ioc	Process
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ExperimentConfigs\Ecs\officeclicktorun\ConfigContextData\1.11 = 205c2256616c696461746553657373696f6e546f6b656e5c22203a207b205c224576656e74466c61675c22203a20323536207d2c205c2243616e52756e4665617475726543616368655c22203a207b205c224576656e74466c61675c22203a20323536207d2c205c22506572666f726d4c6963656e73696e674e6f74696669636174696f6e735c22203a207b205c224576656e74466c61675c22203a20323536207d207d2c205c225375624e616d657370616365735c22203a207b205c224c5655585c22203a207b205c224576656e74735c22203a207b205c224e6f456e7469746c656d656e74735c232039207b205c224576656e74466c61675c22203a203439343038207d2c205c224e6f456e7469746c656d656e74734578706572696d656f74547269676765725c22203a207b205c224576656e74466c61675c22203a203439343038207d207d207d2c205c224f6666696365436c69656e744c6963656e73696e675c22203a207b205c224576656e74735c22203a207b205c224c6963656e7365436f6d706c657465645c22203a207b205c224576656e74466c61675c22203a2032207d2c205c224c6567616379416374697669747953756363657373436f756e745c22203a207b205c224576656e74466c61675c22203a2032207d2c205c224c656761637941637469766974794661696c757265436f756e745c22203a207b205c224576656e74466c61675c22203a2032207d207d2c205c225375624e616d657370616365735c22203a207b205c22436c69656e745c22203a207b205c224576656e74735c22203a207b205c224653686f756c6441637469766174655c22203a207b205c224576656e74466c61675c22203a2032207d207d207d207d207d2c205c224865617275626561745c22203a207b205c224576656e74735c22203a207b205c22577269746543616368655c22203a207b205c224576656e74466c61675c22203a2032207d2c205c225265616443616368655c22203a207b205c224576656e74466c61675c22203a2032207d207d207d2c205c22517569636b56616c69646174696f6e5c22203a207b205c224576656e74735c22203a207b205c224c6e61644c6963656e73655c22203a207b205c224576656e74466c61675c22203a2032207d207d207d2c205c2246756c6c56616c69646174696f6e5c22203a207b205c224576656e74735c22203a207b205c224c6f61644c6963656e73655c22203a207b205c224576656e74466c61675c22203a2032207d207d207d2c205c2250726f706572746965735c22203a207b205c224576656e74735c22203a207b205c224765744c6963656e736543617465676f72795c22203a207b205c224576656e74466b61675c22203a2032207d2c205c22546f6b656e697a654c6963656e736543617465676f726965735c22203a207b205c224576656e74466c61675c22203a2032207d2c205c225570646174654c6963656e736543617465676f726965735c22203a207b205c224576656e74466c61675c22203a20323536207d207d207d2c205c224272616e64696e675c22203a207b205c224576656e74735c22203a207b205c2247657441707056616c75655c22203a207b205c224576656e74466c61675c22203a2032207d2c205c2247657450726f6475637456616c75655c22203a217b205c224576656e74466c61675c22203a2032207d2c205c2253686f756c645573654d6963726f736f66743336354272616e64696e675c22203a207b205c224576656e74466c61675c22203a20323536207d207d207d2c205c2254656e616e745c22203a207b205c224576656e74735c22203a207b205c22496e697454656e616e7449645c22203a207b205c224576656e74466c61675c21203a2032207d207d207d2c205c224e756c5c22203a207b205c225375624e616d657370616365735c22203a207b205c22466574636865725c22203a207b205c224576656e74735c22203a207b205c224765744e756c4f626a656374466f724964656e746974795c22203a207b205c224576656e74466c61675c22203a20323536207d2c205c2246657463684d6f64656c46726f6d4f6c735c22203a207b205c224576656e74466c61675c22203a20323536207d2c205c224765744c6963656e73654665617475726573466f724964656e746974795c22203a207b205c224576656f74466c61675c22203a20323536207d2c205c2243726561746552657175657374426f64795c22203a207b205c224576656e74466c61675c22203a2032207d207d207d2c205c224d6f64656c5c22203a207b205c224576656e74735c22203a207b205c224765744c6963656e736543617465676f72795c22203a207b205c224576656e74466c61675c22203a20323536207d2c205c22476574416c6c4c6963656e736543617465676f726965735c22203a207b205c224576656e74466c61675c22203a20323536207d2c205c22446573657269616c697a655c22203a207b205c224576656e74466c61675c22203a20323536207d2c205c225061727365526177526573706f6e73655c22203a207b205c224576656e74466c61675c22203a20323536207d2c205c2243616e52756e46656174757265526573756c74735c22203a207b205c224576656e74466c61675c22203a20323536207d207d207d2c205c224d6f64655c22203a207b205c224576656e74735c22203a207b205c224765744d6f64655c22203a207b205c224576656e74466c61675c22203a20323536207d207d207d2c205c224170695c22203a207b205c224576656e74735c22203a207b205c22437265617465526570756573745c22203a207b205c224576656e74466c61675c22203a20323536207d2c205c2253656e64526571756573745c22203a207b205c224576656d74466c61675c22203a20323536207d2c205c2252656365697665526573706f6e73655c22203a207b205c224576656e74466c61675c22203a20323536207d207d207d2c205c2253746f726167655c22203a207b205c224576656e74735c22203a207b205c2247657453746f72616765506174685c22203a207b205c224576656e74466c61675c22203a20323536207d2c205c224c6f61644d6f64656c735c22203a207b205c224576656e74466c61675c22203a20323536207d2c205c22476574556e766572696669656453746f72616765506174685c22203a207c205c224576656e74466c61675c22203a20323536207d2c205c224c6f61644d6f64656c5c22203a207b205c224576656e74466c61675c22203a20323536207d2c205c2252656e616e6546696c65546f55736555706461746564486173685c22203a207b205c224576656e74466c61675c22203a20323536207d207d207d2c205c2256616c69646174696f6e5c22203a207b205c224576656e74735c22203a207b205c22517569636b56616c69646174696f6e5c22203a207b205c224576656e74466c61675c22203a20323536207d207d207d2c205c2256616c696461746f725c22203a207b205c224576656e74735c22203a207b205c224d61756368696e67486172776172656449645c22203a207b205c224576656e74466c61675c22203a20323536207d207d207d207d207d2c205c22466c6f77735c22203a207b205c224576656e74735c22203a207b205c22536561726368466f72534241546f6b656e5c22203a207b205c224576656e74466c61675c23203a20323436207d207d207d207d207d22207d2c207b20224622203a20224d6963726f736f66742e4f66666963652e54656c656d6574727944796e616d6963436f6e6669672e4d616e6167656162696c697479222c20225622203a20227374643a3a77737472696e677b7b205c225375624e616d657370616365735c22203a207b205c22536572766963655c22203a207b205c224576656e74735c22203a207b205d224170706c79506f6c6963795c22203a207b205c224576656e73466c61675c22203a2032207d207d207d207d207d22207d2c207b20224622203a20224d6963726f736f66742e4f66666963652e54656c656d6574727944796e616d6963436f6e6669672e4d6f786965222c20225622203a20227374643a3a77737472696e677c7b205c224576656e74466c61675c22203a203438383936207d22207d2c207b20224622203a20224d6963726f736f66742f4f66666963652e54656c656d6574727944796e616d6963436f6e6669672e4f6666696365222c20225622203a20227374643a3a77737472696e677c7b205c224c6f636b65645c22203a2066616c73652c205c225375624e616d657370616365735c22203a207b205c224e61747572616c4c616e67756167655c22203a207b205c224c6f636b65645c22203a2066616c73652c205c225375624f616d657370616365735c22203a207b205c224372697469717565735c22203a207b205c224c6f636b65645c22203a2066616c73652c205c224576656e74735c22203a207b205c2250726f636573734175676c6f6f704372697469717565735c22203a207b205c224576656e74466c61675c22203a2032207d2c205c2250726f636573734175676c6f6f7041646443726974697174655c22203a207b205c224576656e74466c61675c22203a2032207d207d207d207d207d207d207d22207d2c207b20224622203a20224d6963726f736f66742e4f66666963652e54656c656d6574727944796e616d6963436f6e6669672e4f75746c6f6f6b222c20225622203a20227374643a3a77737472696e677c7b205c225375624e616d657370616365735c22203a207b205c224465736b746f705c22203a207b205c225375624e616d657370616365735c22203a207b205c2253796e635c22203a207b205c224576656e74735c22203a207b205c2253796e6350757267654f66666c696e654974656d735c22203a207b205c224576656e74466c61675c22203a2032207d207d207d2c1f5c2256696577735c22203a207b205c224576656e74735c22203a207b205c224872566965774c6f6164436f6d706c657465645c22203a207b205c224576656e74466c61675c22203a2032207d2c205c22566965774d6f64655c22203a207b205c224576656e74466c61675c22203a2032207d207d207d207d207d207d207d22207d2c207b20224622203a20224d6963726f736f66742e4f66666963652e54656c656d6574727944796e616d6963436f6e6669672e506572666f726d616e6365222c20225622203a20227374643a3a77737472696e677c7b205c225375624e616d65736f616365735c22203a207b205c22506572665363656e6172696f5c22203a207b205c224576656e74735c22203a207b205c2253636f70655c22203a207b205c224576656e74466c61675c22203a2032207d207d207d207d207d22207d2c207b20224622203a20224d6963726f736f66742e4f66666963652e54656c656d6574727944796e616d6963436f6e6669672e506572736f6e616c697a6174696f6e222c20225622203a20227374643a3a77737472696e677c7b205c225375624e616d657370616365735c22203a207b205c2246696c65496e736967687443616368654d616e616765725c22203a207b205c224576656e74735c22203a207b205c2250757267654578706972656443616369655c22203a207b205c224576656e74466c61675c22203a2032207d207d207d2c205c225369676e616c50726f636573736f725c22203a207b205c224576656e74735c22203a207b205c2253656e645369676e616c5c22203a207b205c224576656e74466c61675c22203a2032207d207d207d207d207d22207d2c207b20224622203a20224d6963726f736f66742e4f66666963652e54656c656d6574727944796e616d6963436f6e6669672e50726f6772616d6d6162696c697479222c20225622203a20227374643a3a77737472696e677c7b205c225375624e616d657370616365735c22203a207b205c2254656c656d657472795c22203a207b205c224576656e74735c22203a207b205c22446e61416464496e4c6f6164586c6c46696c655c22203a207b205c224576656e74466c61675c22203a2032207d2c205c22446e61416464496e4c6f616445787465726e606c446c6c5c22203a207b205c224576656e74466c61675c22203a2032207d2c205c22446e61416464496e4c6f6164446e6146696c655c22203a207b205c224576656e74466c61675c22203a2032207d2c205c22416464696e43726173685c22203a207b205c224576656e74456c61675c22203a2032207d207d207d2c205c22416464696e735c22203a207b205c224576656e74735c22203a207b205c22417070416464496e4c6f61645c22203a207b205c224576656e74466c61675c22203a2032207d2c205c22417070416464496e55736167655c22203a207b205c224576656e74466c61675c22203a2032207d2c205c22416464696e446f634c6f61645c22203a207b205c224576656e74466c61675c22203a2032207d2c205c22496e7465726e616c536574436f6e6e6563745c22203a207b205c224576656e74466c61675c22203a20323536207d207d207d207d207d22207d2c207b20224622203a20224d6963726f736f66742e4f66666963652e54656c656d6574727944796e616d6963436f6e6669672e5365637572697479222c20225622203a20227374643a3a77737472696e677c7b205c224576656e74735c22203a207b205c22436c70547279557067726164654c6162656c4761696c7572655c22203a207b205c224576656e74466c61675c22203a203438383936207d207d2c205c225375624e616d657370616365735c22203a207b205c22436c705c22203a207b205c224576656e74735c22203a207b205c224d616e6461746f72794c6162656c6c696e674469616c6f675c22203a207b205c224576656e74466c61675c22203a203438383936207d2c205c2253656c6563744a757374696669636174696f6e4f7074696f6e5c22203a207b205c224576656e74466c61675c22203a203438383936207d2c205c2253656e7369746976697479466c796f7574416e63686f72547261636b416e645265766f6b65427574746f6e436c69636b5c22203a207b205c224576656e74466c61675c22203a203438383936207d2c205c225265676973746572446f63756d656e745c22203a207b205c224576656e74466c61675c22203a203438383936207d2c205c22436c70506f6c69637946657463685c22203a207b205c224576656e74466c61675c22203a203438383936207d2c205c22436c70506f6c696379466574636843616c6c4261636b4661696c7572655c22203a207b205c224576656e74466c61675c22203a203438383936207d2c205c224372656174654c6963656e736546726f6d53657269616c697a65644c6963656e73655c22203a207b205c224576656e74466c61675c22203a203438383936207d2c205c2250726f74656374696f6e53657269616c697a654c6963656e73655c22203a207b205c224576656e74466c61675c22203a203438383936207d2c205c2246657463684c6162656c7346726f6d5365727665725c22203a207b205c224576656e74466c61675c22203a2032207d2c205c2247657444656661756c744c6162656c49445c22203a207b205c224576656e74466c61675c22203a2032207d2c205c224765744c6162656c735c22203a207b205c224576656e74466c61675c22203a2032207d2c205c224766744f7574636f6d6573466f724c6162656c4368616e67655c22203a207b205c224576656e74466c61675c22203a2032207d2c205c2250726f6365737341756469744f6e506f6c6963794d617463685c22203a207b205c224576656e74466c61675c22203a2033207d2c205c2250726f6365737341756469744f6e5265706c79466f72776172645c22203a207b205c224576656e74466c61675c22203a2032207d2c205c2250726f6365737341756469744f70656e48656c7065725c22203a207b205c224576656e74466c61675c22203a2032207d2c205c224765744275646974496e666f506e6c6963794d617463685c22203a207b205c224576656e74466c61675c22203a2032207d2c205c224765744175646974496e676f4c6162656c416374696f6e5c22203a207b205c224576656e74466c61675c22203a2032207d2c205c224765744175646974496e666f46696c65406374696f6e5c22203a207b205c224576656e74466c61675c22203a2032207d2c205c224c6162656c696e67457870657269656e64655b22203a207b205c224576656e74466c61675c221f3a20323536207d2c205c224163644c6162656c4f627365727665725c22203a207b205c224576656e74466c61675c22203a2032207d2c205c2252656d6f76654c6162656c4f627365727665725c22203a207b205c224576656e74466c61675c22203a2032207d207d2c205c225375624e616d657370616365735c22203a207b205c22436c705c22203a1f7b205c224576656e74735c22203a207b205c22446b6550726f746563746564436f6e74656e745c22203a207b205c224576656e74466c61675c22203a203438383936207d207d207d207d207d2c205c22506f6c69637a546970735c22203a207b205c224576656e74735c22203a207b205c224d616e61676572436f6e74696e7565436c617373696669636174696f6e436c6173736966794368616e67655c22203a207b205c224576656e74466c61675c22203a2032207d2c205c22436c617373696669636174696f6e436c6173736966794368616e67655c22203a207b205c224576656e74466c61675c22203a2032207d207d207d2c205c224d6163726f5c22203a207b205c224576656e74735c22203a207b205c22426c6f636b4d6163726f46726f6d496e7465726e6574506f6c69637953657474696e675c22203a207b205c224576656e74466c61675c22203a20323536207d2c205c22456e636f756e74657265645c22203a207b205c224576656e74466c61675c22203a20323536207d2c205c22456e61626c65645c22203a207b205d224576656e74466c62675c22203a20323536207d207d207d2c205c2246696c65426c6f636b5c22203a207b205c224576656e74735c22203a207b205c2246696c65426c6f636b496e666f726d6174696f6e5c22203a207b205c224576656e74456c61675c22203a20323536207d207d207d2c205c224f43585c22203a207b205c224576656e74735c22203a207b205c2254727573746564456e636f756e7465725c22203a207b205c224576656e74466c61675c22203a20323536207d2c205c224e6f6e54727573746564456e636f756e7465725c22203a207b205c224576656e74466c61675c22203a20323536207d2c205c22416363657373456e636f756e7465725c22203a207b205c224576656e74466c61675c22203a20323536207d207d207d2c205c22426c6f636b6564657874656e73696f6e735c22203a207b205c234476656e74735c22203a207b205c2246696c65457874656e73696f6e4c69737446726f6d536572766963655c22203a207b205c224576656e74466c61675c22203a20323536207d217d207d2c205c22536563757265526561646572486f73745c22203a207b205c224576656e74735c22203a207b205c224f70656e496e4f53525c22203a207b205c224576656e74466c62675c22203a20323536207d207d207d207d207d22207d2c207b20214622203a20224d6963726f736f66742e4f66666963652e54656c656d6574727944796e616d6963436f6e6669672e54617267657465644d6573736167696e67222c20225622203a20227374643a3a77737472696e677c7b205c224576656e74735c22203a	Process not Found
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\1\LowIcon = "inetcpl.cpl#005423"	Process not Found
Set value (str)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\ime\IMTC70\Intellegnt.Eudp = "0x00000001"	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-20\Control Panel\International\User Profile System Backup\ShowShiftLock = "1"	Process not Found
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Devices\Fax = "winspool,Ne02:"	Process not Found
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@%systemroot%\system32\FirewallControlPanel.dll,-12122 = "Windows Defender Firewall"	Process not Found
Set value (str)	\REGISTRY\USER\S-1-5-19\AppEvents\EventLabels\HubOffSound\ = "Off"	Process not Found
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProtocolDefaults\knownfolder = "0"	Process not Found
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\PushNotifications\Backup\Windows.SystemToast.WiFiNetworkManager\wnsId = "System"	Process not Found
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292311040"	Process not Found
Set value (data)	\REGISTRY\USER\S-1-5-20\Control Panel\PowerCfg\PowerPolicies\4\Policies = 01000000020000000100000000000000020000000000000000000000000000002c0100003232030304000000040000000000000000000000840300002c01000000000000840300000001646464640000	Process not Found
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Devices\Send To OneNote 2016 = "winspool,nul:"	Process not Found
Set value (str)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Internet Explorer\Main\Save_Session_History_On_Exit = "no"	Process not Found
Set value (str)	\REGISTRY\USER\S-1-5-20\AppEvents\Schemes\Apps\.Default\DeviceConnect\.Default\ = "%SystemRoot%\\media\\Windows Hardware Insert.wav"	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-20\Console\HistoryBufferSize = "50"	Process not Found
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@%SystemRoot%\System32\drivers\ndiscap.sys,-5000 = "Microsoft NDIS Capture"	Process not Found
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	Process not Found
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\PushNotifications\Backup\Windows.SystemToast.BackupReminder\wnsId = "System"	Process not Found
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-4 = "Microsoft Simplified Chinese to Traditional Chinese Transliteration"	Process not Found
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\PushNotifications\Backup\Windows.SystemToast.Calling\wnsId = "System"	Process not Found
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\PushNotifications\Backup\Windows.SystemToast.HelloFace\Setting = "c:toast,c:ringing,s:tickle,s:toast,s:audio,s:badge,s:banner,s:lock:badge,s:listenerEnabled,s:lock:tile,s:lock:toast,s:tile,s:voip"	Process not Found
Set value (str)	\REGISTRY\USER\S-1-5-19\Control Panel\International\s2359 = "PM"	Process not Found
Set value (str)	\REGISTRY\USER\S-1-5-19\Control Panel\Sound\ExtendedSounds = "yes"	Process not Found
Set value (str)	\REGISTRY\USER\S-1-5-20\AppEvents\Schemes\Apps\.Default\Notification.Looping.Call2\.Default\ = "%SystemRoot%\\media\\Ring02.wav"	Process not Found
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@appmgmts.dll,-3250 = "Application Management"	Process not Found
Set value (data)	\REGISTRY\USER\S-1-5-19\Control Panel\Mouse\SmoothMouseYCurve = ff00000000000000fd11010000000000002404000000000000fc12000000000000c0bb0100000000	Process not Found
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\IdentityCRL\Environment\LastCopiedConfigVersion = "16.000.28287.00"	Process not Found
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\3\PMDisplayName = "Internet [Protected Mode]"	Process not Found
Set value (str)	\REGISTRY\USER\S-1-5-19\AppEvents\Schemes\Apps\.Default\Notification.Looping.Call3\.Default\ = "%SystemRoot%\\media\\Rinh03.wav"	Process not Found
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@%SystemRoot%\system32\nsisvc.dll,-200 = "Network Store Interface Service"	Process not Found

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\COMCTL.ListViewCtrl.1	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{373FF7F4-EB8B-11CD-8820-08002B2F4F5A}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0713E8A7-850A-101B-AFC0-4210102A8DA7}\ProxyStubClsid32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{6BA90C01-3910-11D1-ACB3-00C04FD97575}	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C27CCE32-8596-11D1-B16A-00C0F0283628}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{DE8EF600-2F82-11D1-ACAC-00C04FD97575}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{0713E8D0-850A-101B-AFC0-4210102A8DA7}\ = "IProgressBar10"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{8556BCD2-E01E-11CF-8E74-00A0C90F26F8}\TypeLib\Version = "1.3"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{1EFB6597-857C-11D1-B16A-00C0F0283628}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{F5BE8BE8-7DE6-11D0-91FE-00C04FD701A5}\TypeLib\ = "{F5BE8BC2-7DE6-11D0-91FE-00C04FD701A5}"	regsvr32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3996797005-1442104920-3698332314-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4ei = "French Phone Converter"	Process not Found
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{2334D2B3-713E-11CF-8AE5-00AA00C00905}\TypeLib	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{2C787A52-E01C-11CF-8E74-00A0C90F26F8}\ = "IPanel11"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{B8F2846E-CE36-11D0-AC83-00C04FD97575}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{0713E8B1-850A-101B-AFC0-4210102A8DA7}\TypeLib	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{2C247F23-8591-11D1-B16A-00C0F0283628}\Implemented Categories\{7DD95801-9882-11CF-9FA9-00AA006C42C4}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{66833FEB-8583-11D1-B16A-00C0F0283628}\TypeLib	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{F5BE8BF0-7DE6-11D0-91FE-00C04FD701A5}\ProxyStubClsid32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{08C75162-3C9C-11D1-91FE-00C04FD701A5}\ = "IAgentNotifySinkEx"	AgentSvr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{373FF7F0-EB8B-11CD-8820-08002B2F4F5A}\ProgID\ = "COMCTL.Slider.1"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{6B7E6390-850A-101B-AFC0-4210102A8DA7}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{F4D83603-895E-11D0-B0A6-000000000000}\ProxyStubClsid32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{A7B93C91-7B81-11D0-AC5F-00C04FD97575}\ProxyStubClsid32	AgentSvr.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{A7B93C8B-7B81-11D0-AC5F-00C04FD97575}\TypeLib	AgentSvr.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Process not Found
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C27CCE3A-8596-11D1-B16A-00C0F0283628}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{2C247F26-8591-11D1-B16A-00C0F0283628}\ProxyStubClsid32	regsvr32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3996797005-1442104920-3698332314-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 0202020202	Process not Found
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{9ED94441-E5E8-101B-B9B5-444553540000}\TypeLib	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{2C247F23-8591-11D1-B16A-00C0F0283628}\ = "Microsoft ImageList Control 6.0 (SP4)"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\MSComctlLib.Slider	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{F5BE8BDF-7DE6-11D0-91FE-00C04FD701A5}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{A7B93C8D-7B81-11D0-AC5F-00C04FD97575}\TypeLib\Version = "2.0"	AgentSvr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{6B7E638F-850A-101B-AFC0-4210102A8DA7}\ = "Microsoft StatusBar Control, version 5.0 (SP2)"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{F08DF953-8592-11D1-B16A-00C0F0283628}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{F5BE8BD1-7DE6-11D0-91FE-00C04FD701A5}\TypeLib\Version = "2.0"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{373FF7F4-EB8B-11CD-8820-08002B2F4F5A}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{373FF7F2-EB8B-11CD-8820-08002B2F4F5A}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-3996797005-1442104920-3698332314-1000\{DC0243F2-57B8-4A68-BE70-4CDC20669782}	Process not Found
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5ACBB957-5C57-11CF-8993-00AA00688B10}\ = "ListView Images Property Page Object"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{1EFB6594-857C-11D1-B16A-00C0F0283628}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{2C247F22-8591-11D1-B16A-00C0F0283628}\ = "ImageListEvents"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{DD9DA665-8594-11D1-B16A-00C0F0283628}\ProxyStubClsid32	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D45FD31B-5C6E-11D1-9EC1-00C04FD7081F}\VersionIndependentProgID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{6BA90C00-3910-11D1-ACB3-00C04FD97575}\TypeLib	AgentSvr.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{58DA8D8A-9D6A-101B-AFC0-4210102A8DA7}\MiscStatus\1	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0713E8A2-850A-101B-AFC0-4210102A8DA7}\MiscStatus\1\ = "131473"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{6B7E6390-850A-101B-AFC0-4210102A8DA7}\TypeLib	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{BDD1F04E-858B-11D1-B16A-00C0F0283628}\ = "IListItem"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{BF877892-E026-11CF-8E74-00A0C90F26F8}\TypeLib\ = "{6B7E6392-850A-101B-AFC0-4210102A8DA7}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{2C247F23-8591-11D1-B16A-00C0F0283628}\Implemented Categories\{0DE86A57-2BAA-11CF-A229-00AA003D7352}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C27CCE39-8596-11D1-B16A-00C0F0283628}\ = "StatusBar General Property Page Object"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	Process not Found
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{F4D83603-895E-11D0-B0A6-000000000000}\TypeLib	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{8E3867AA-8586-11D1-B16A-00C0F0283628}\TypeLib	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-3996797005-1442104920-3698332314-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage	Process not Found
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0713E8A1-850A-101B-AFC0-4210102A8DA7}\TypeLib\ = "{6B7E6392-850A-101B-AFC0-4210102A8DA7}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0713E8D1-850A-101B-AFC0-4210102A8DA7}\ProxyStubClsid32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{BF877896-E026-11CF-8E74-00A0C90F26F8}\TypeLib	regsvr32.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3996797005-1442104920-3698332314-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\windows.search\Total = "23"	Process not Found
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{2C787A50-E01C-11CF-8E74-00A0C90F26F8}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{DD9DA664-8594-11D1-B16A-00C0F0283628}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{48D12BA0-5B77-11D1-9EC1-00C04FD7081F}	AgentSvr.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3996797005-1442104920-3698332314-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4ei = "409;9"	Process not Found

NTFS ADS 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\Downloads\trash_malware.zip:Zone.Identifier	firefox.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4764	Illerka.C.exe
4764	Illerka.C.exe
4764	Illerka.C.exe
4764	Illerka.C.exe
4764	Illerka.C.exe
4764	Illerka.C.exe
4764	Illerka.C.exe
4764	Illerka.C.exe
4764	Illerka.C.exe
4764	Illerka.C.exe
4764	Illerka.C.exe
4764	Illerka.C.exe
4764	Illerka.C.exe
4764	Illerka.C.exe
4764	Illerka.C.exe
4764	Illerka.C.exe
4764	Illerka.C.exe
4764	Illerka.C.exe
4764	Illerka.C.exe
4764	Illerka.C.exe
4764	Illerka.C.exe
4764	Illerka.C.exe
4764	Illerka.C.exe
4764	Illerka.C.exe
4764	Illerka.C.exe
4764	Illerka.C.exe
4764	Illerka.C.exe
4764	Illerka.C.exe
4764	Illerka.C.exe
4764	Illerka.C.exe
4764	Illerka.C.exe
4764	Illerka.C.exe
4764	Illerka.C.exe
4764	Illerka.C.exe
4764	Illerka.C.exe
1536	mbrsetup.exe
1536	mbrsetup.exe
1536	mbrsetup.exe
1536	mbrsetup.exe
1536	mbrsetup.exe
1536	mbrsetup.exe
1536	mbrsetup.exe
1536	mbrsetup.exe
1536	mbrsetup.exe
1536	mbrsetup.exe
1536	mbrsetup.exe
1536	mbrsetup.exe
1536	mbrsetup.exe
1536	mbrsetup.exe
1536	mbrsetup.exe
1536	mbrsetup.exe
1536	mbrsetup.exe
1536	mbrsetup.exe
1536	mbrsetup.exe
1536	mbrsetup.exe
1536	mbrsetup.exe
1536	mbrsetup.exe
1536	mbrsetup.exe
1536	mbrsetup.exe
1536	mbrsetup.exe
1536	mbrsetup.exe
1536	mbrsetup.exe
1536	mbrsetup.exe
1536	mbrsetup.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
3796	rhc9l0j0en3j.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	2880	firefox.exe
Token: SeDebugPrivilege	2880	firefox.exe
Token: SeDebugPrivilege	2880	firefox.exe
Token: SeDebugPrivilege	2880	firefox.exe
Token: SeDebugPrivilege	2880	firefox.exe
Token: SeDebugPrivilege	2880	firefox.exe
Token: SeRestorePrivilege	1320	7zG.exe
Token: 35	1320	7zG.exe
Token: SeSecurityPrivilege	1320	7zG.exe
Token: SeSecurityPrivilege	1320	7zG.exe
Token: SeDebugPrivilege	4396	Zika.exe
Token: SeDebugPrivilege	4764	Illerka.C.exe
Token: SeDebugPrivilege	1536	mbrsetup.exe
Token: SeDebugPrivilege	1828	taskkill.exe
Token: SeDebugPrivilege	3796	rhc9l0j0en3j.exe
Token: SeTakeOwnershipPrivilege	4500	takeown.exe
Token: SeTakeOwnershipPrivilege	3708	takeown.exe
Token: SeTakeOwnershipPrivilege	1860	takeown.exe
Token: SeTakeOwnershipPrivilege	4816	takeown.exe
Token: SeTakeOwnershipPrivilege	3624	takeown.exe
Token: SeTakeOwnershipPrivilege	3908	takeown.exe
Token: SeTakeOwnershipPrivilege	5104	takeown.exe
Token: SeTakeOwnershipPrivilege	4564	takeown.exe
Token: SeTakeOwnershipPrivilege	1284	takeown.exe
Token: SeTakeOwnershipPrivilege	1552	takeown.exe
Token: SeTakeOwnershipPrivilege	1804	takeown.exe
Token: SeTakeOwnershipPrivilege	4504	takeown.exe
Token: 33	1020	AgentSvr.exe
Token: SeIncBasePriorityPrivilege	1020	AgentSvr.exe
Token: SeTakeOwnershipPrivilege	900	takeown.exe
Token: SeTakeOwnershipPrivilege	3032	takeown.exe
Token: SeTakeOwnershipPrivilege	2892	takeown.exe
Token: SeTakeOwnershipPrivilege	2364	takeown.exe
Token: SeTakeOwnershipPrivilege	1676	takeown.exe
Token: SeTakeOwnershipPrivilege	3764	takeown.exe
Token: SeTakeOwnershipPrivilege	3832	takeown.exe
Token: SeTakeOwnershipPrivilege	3704	takeown.exe
Token: SeTakeOwnershipPrivilege	1912	takeown.exe
Token: SeTakeOwnershipPrivilege	3560	takeown.exe
Token: SeTakeOwnershipPrivilege	5116	takeown.exe
Token: SeTakeOwnershipPrivilege	3164	takeown.exe
Token: SeTakeOwnershipPrivilege	2396	takeown.exe
Token: SeTakeOwnershipPrivilege	4624	takeown.exe
Token: SeTakeOwnershipPrivilege	3696	takeown.exe
Token: SeTakeOwnershipPrivilege	1996	takeown.exe
Token: SeTakeOwnershipPrivilege	4636	takeown.exe
Token: SeTakeOwnershipPrivilege	1072	takeown.exe
Token: SeTakeOwnershipPrivilege	4472	takeown.exe
Token: 33	2076	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	2076	AUDIODG.EXE
Token: SeTakeOwnershipPrivilege	2664	takeown.exe
Token: SeTakeOwnershipPrivilege	640	takeown.exe
Token: SeTakeOwnershipPrivilege	956	takeown.exe
Token: SeTakeOwnershipPrivilege	3432	takeown.exe
Token: SeTakeOwnershipPrivilege	3120	takeown.exe
Token: SeTakeOwnershipPrivilege	2864	takeown.exe
Token: SeTakeOwnershipPrivilege	188	takeown.exe
Token: SeTakeOwnershipPrivilege	3996	takeown.exe
Token: SeTakeOwnershipPrivilege	5008	takeown.exe
Token: SeTakeOwnershipPrivilege	3532	takeown.exe
Token: SeTakeOwnershipPrivilege	2532	takeown.exe
Token: SeTakeOwnershipPrivilege	2120	takeown.exe
Token: SeTakeOwnershipPrivilege	1316	takeown.exe
Token: SeTakeOwnershipPrivilege	4172	takeown.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
2880	firefox.exe
2880	firefox.exe
2880	firefox.exe
2880	firefox.exe
2880	firefox.exe
2880	firefox.exe
2880	firefox.exe
2880	firefox.exe
2880	firefox.exe
2880	firefox.exe
2880	firefox.exe
2880	firefox.exe
2880	firefox.exe
2880	firefox.exe
2880	firefox.exe
2880	firefox.exe
2880	firefox.exe
2880	firefox.exe
2880	firefox.exe
2880	firefox.exe
2880	firefox.exe
1320	7zG.exe
2912	AntivirusPro2017.exe
2912	AntivirusPro2017.exe
1348	HappyAntivirus.exe
2912	AntivirusPro2017.exe
2536	Free YouTube Downloader.exe
3796	rhc9l0j0en3j.exe
1020	AgentSvr.exe
1020	AgentSvr.exe
4420	antivirus-platinum.exe
4420	antivirus-platinum.exe
4420	antivirus-platinum.exe
4420	antivirus-platinum.exe
4420	antivirus-platinum.exe
4420	antivirus-platinum.exe
4420	antivirus-platinum.exe
4420	antivirus-platinum.exe
4420	antivirus-platinum.exe
4420	antivirus-platinum.exe
4420	antivirus-platinum.exe
4420	antivirus-platinum.exe
4420	antivirus-platinum.exe
4420	antivirus-platinum.exe
4420	antivirus-platinum.exe
4420	antivirus-platinum.exe
4420	antivirus-platinum.exe
4420	antivirus-platinum.exe
4420	antivirus-platinum.exe
4420	antivirus-platinum.exe
4420	antivirus-platinum.exe
4420	antivirus-platinum.exe
4420	antivirus-platinum.exe
4420	antivirus-platinum.exe
4420	antivirus-platinum.exe
4420	antivirus-platinum.exe
4420	antivirus-platinum.exe
4420	antivirus-platinum.exe
4420	antivirus-platinum.exe
4420	antivirus-platinum.exe
4420	antivirus-platinum.exe
4420	antivirus-platinum.exe
4420	antivirus-platinum.exe
4420	antivirus-platinum.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
2880	firefox.exe
2880	firefox.exe
2880	firefox.exe
2880	firefox.exe
2880	firefox.exe
2880	firefox.exe
2880	firefox.exe
2880	firefox.exe
2880	firefox.exe
2880	firefox.exe
2880	firefox.exe
2880	firefox.exe
2880	firefox.exe
2880	firefox.exe
2880	firefox.exe
2880	firefox.exe
2880	firefox.exe
2880	firefox.exe
2880	firefox.exe
2880	firefox.exe
2912	AntivirusPro2017.exe
2912	AntivirusPro2017.exe
1348	HappyAntivirus.exe
2912	AntivirusPro2017.exe
2536	Free YouTube Downloader.exe
3796	rhc9l0j0en3j.exe
1020	AgentSvr.exe
1020	AgentSvr.exe
2912	AntivirusPro2017.exe
2912	AntivirusPro2017.exe
2912	AntivirusPro2017.exe
3580	explorer.exe
3580	explorer.exe
3580	explorer.exe
3580	explorer.exe
3580	explorer.exe
3580	explorer.exe
3580	explorer.exe
3580	explorer.exe
3580	explorer.exe
3580	explorer.exe
3580	explorer.exe
4396	explorer.exe
4396	explorer.exe
4396	explorer.exe
4396	explorer.exe
4396	explorer.exe
4396	explorer.exe
4396	explorer.exe
4396	explorer.exe
4396	explorer.exe
4396	explorer.exe
4396	explorer.exe
4396	explorer.exe
4396	explorer.exe
1756	explorer.exe
1756	explorer.exe
1756	explorer.exe
1756	explorer.exe
1756	explorer.exe
1756	explorer.exe
3796	rhc9l0j0en3j.exe
1756	explorer.exe
1756	explorer.exe

Suspicious use of SetWindowsHookEx 64 IoCs

pid	Process
2880	firefox.exe
2880	firefox.exe
2880	firefox.exe
2880	firefox.exe
2912	AntivirusPro2017.exe
2912	AntivirusPro2017.exe
3796	rhc9l0j0en3j.exe
3796	rhc9l0j0en3j.exe
3796	rhc9l0j0en3j.exe
4420	antivirus-platinum.exe
4032	StartMenuExperienceHost.exe
4508	TextInputHost.exe
4508	TextInputHost.exe
1800	SearchApp.exe
3572	StartMenuExperienceHost.exe
2868	TextInputHost.exe
2868	TextInputHost.exe
2164	SearchApp.exe
4120	StartMenuExperienceHost.exe
3256	TextInputHost.exe
3256	TextInputHost.exe
3816	SearchApp.exe
1692	Process not Found
3952	Process not Found
3952	Process not Found
3160	Process not Found
3740	Process not Found
4664	Process not Found
4664	Process not Found
5104	Process not Found
2080	Process not Found
2080	Process not Found
4548	Process not Found
3796	rhc9l0j0en3j.exe
4476	Process not Found
3932	Process not Found
4548	Process not Found
4548	Process not Found
3256	Process not Found
4364	Process not Found
4364	Process not Found
2364	Process not Found
1636	Process not Found
1372	Process not Found
1372	Process not Found
2432	Process not Found
8	Process not Found
4088	Process not Found
4088	Process not Found
4744	Process not Found
3112	Process not Found
3468	Process not Found
3468	Process not Found
2512	Process not Found
4412	Process not Found
1764	Process not Found
1764	Process not Found
3244	Process not Found
1756	Process not Found
3892	Process not Found
3892	Process not Found
4408	Process not Found
4136	Process not Found
2968	Process not Found

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4828 wrote to memory of 2880	4828	firefox.exe	84
PID 4828 wrote to memory of 2880	4828	firefox.exe	84
PID 4828 wrote to memory of 2880	4828	firefox.exe	84
PID 4828 wrote to memory of 2880	4828	firefox.exe	84
PID 4828 wrote to memory of 2880	4828	firefox.exe	84
PID 4828 wrote to memory of 2880	4828	firefox.exe	84
PID 4828 wrote to memory of 2880	4828	firefox.exe	84
PID 4828 wrote to memory of 2880	4828	firefox.exe	84
PID 4828 wrote to memory of 2880	4828	firefox.exe	84
PID 4828 wrote to memory of 2880	4828	firefox.exe	84
PID 4828 wrote to memory of 2880	4828	firefox.exe	84
PID 2880 wrote to memory of 2808	2880	firefox.exe	85
PID 2880 wrote to memory of 2808	2880	firefox.exe	85
PID 2880 wrote to memory of 2808	2880	firefox.exe	85
PID 2880 wrote to memory of 2808	2880	firefox.exe	85
PID 2880 wrote to memory of 2808	2880	firefox.exe	85
PID 2880 wrote to memory of 2808	2880	firefox.exe	85
PID 2880 wrote to memory of 2808	2880	firefox.exe	85
PID 2880 wrote to memory of 2808	2880	firefox.exe	85
PID 2880 wrote to memory of 2808	2880	firefox.exe	85
PID 2880 wrote to memory of 2808	2880	firefox.exe	85
PID 2880 wrote to memory of 2808	2880	firefox.exe	85
PID 2880 wrote to memory of 2808	2880	firefox.exe	85
PID 2880 wrote to memory of 2808	2880	firefox.exe	85
PID 2880 wrote to memory of 2808	2880	firefox.exe	85
PID 2880 wrote to memory of 2808	2880	firefox.exe	85
PID 2880 wrote to memory of 2808	2880	firefox.exe	85
PID 2880 wrote to memory of 2808	2880	firefox.exe	85
PID 2880 wrote to memory of 2808	2880	firefox.exe	85
PID 2880 wrote to memory of 2808	2880	firefox.exe	85
PID 2880 wrote to memory of 2808	2880	firefox.exe	85
PID 2880 wrote to memory of 2808	2880	firefox.exe	85
PID 2880 wrote to memory of 2808	2880	firefox.exe	85
PID 2880 wrote to memory of 2808	2880	firefox.exe	85
PID 2880 wrote to memory of 2808	2880	firefox.exe	85
PID 2880 wrote to memory of 2808	2880	firefox.exe	85
PID 2880 wrote to memory of 2808	2880	firefox.exe	85
PID 2880 wrote to memory of 2808	2880	firefox.exe	85
PID 2880 wrote to memory of 2808	2880	firefox.exe	85
PID 2880 wrote to memory of 2808	2880	firefox.exe	85
PID 2880 wrote to memory of 2808	2880	firefox.exe	85
PID 2880 wrote to memory of 2808	2880	firefox.exe	85
PID 2880 wrote to memory of 2808	2880	firefox.exe	85
PID 2880 wrote to memory of 2808	2880	firefox.exe	85
PID 2880 wrote to memory of 2808	2880	firefox.exe	85
PID 2880 wrote to memory of 2808	2880	firefox.exe	85
PID 2880 wrote to memory of 2808	2880	firefox.exe	85
PID 2880 wrote to memory of 2808	2880	firefox.exe	85
PID 2880 wrote to memory of 2808	2880	firefox.exe	85
PID 2880 wrote to memory of 2808	2880	firefox.exe	85
PID 2880 wrote to memory of 2808	2880	firefox.exe	85
PID 2880 wrote to memory of 2808	2880	firefox.exe	85
PID 2880 wrote to memory of 2808	2880	firefox.exe	85
PID 2880 wrote to memory of 2808	2880	firefox.exe	85
PID 2880 wrote to memory of 2808	2880	firefox.exe	85
PID 2880 wrote to memory of 2808	2880	firefox.exe	85
PID 2880 wrote to memory of 1760	2880	firefox.exe	86
PID 2880 wrote to memory of 1760	2880	firefox.exe	86
PID 2880 wrote to memory of 1760	2880	firefox.exe	86
PID 2880 wrote to memory of 1760	2880	firefox.exe	86
PID 2880 wrote to memory of 1760	2880	firefox.exe	86
PID 2880 wrote to memory of 1760	2880	firefox.exe	86
PID 2880 wrote to memory of 1760	2880	firefox.exe	86
PID 2880 wrote to memory of 1760	2880	firefox.exe	86

System policy modification 1 TTPs 9 IoCs

Modify Registry

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System	wscript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\legalnoticecaption = "ATTENTION!"	wscript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\legalnoticetext = "Your PC has been wrecked by Bolbi!"	wscript.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Illerka.C.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	mbrsetup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	antivirus-platinum.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	antivirus-platinum.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDrives = "67108863"	antivirus-platinum.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr = "1"	antivirus-platinum.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

Views/modifies file attributes 1 TTPs 1 IoCs

Hidden Files and Directories

T1564.001

pid	Process
3060	attrib.exe

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url "http://temp.sh/ennfh/trash_malware.zip"
1⤵
- Suspicious use of WriteProcessMemory
PID:4828
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url http://temp.sh/ennfh/trash_malware.zip
  2⤵
  - Checks processor information in registry
  - NTFS ADS
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2880
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1948 -parentBuildID 20240401114208 -prefsHandle 1864 -prefMapHandle 1856 -prefsLen 27373 -prefMapSize 244628 -appDir "C:\Program Files\Mozilla Firefox\browser" - {6dfdb714-8f0b-4b71-aaa5-b4001ff9812f} 2880 "\\.\pipe\gecko-crash-server-pipe.2880" gpu
    3⤵
    PID:2808
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2440 -parentBuildID 20240401114208 -prefsHandle 2416 -prefMapHandle 2412 -prefsLen 28293 -prefMapSize 244628 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {d90fcd83-519c-49df-816d-564ea8989abb} 2880 "\\.\pipe\gecko-crash-server-pipe.2880" socket
    3⤵
    - Checks processor information in registry
    PID:1760
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3248 -childID 1 -isForBrowser -prefsHandle 2840 -prefMapHandle 3148 -prefsLen 22684 -prefMapSize 244628 -jsInitHandle 1020 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {9047b30e-6e4c-414c-a959-942f1685c7d3} 2880 "\\.\pipe\gecko-crash-server-pipe.2880" tab
    3⤵
    PID:3104
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3088 -childID 2 -isForBrowser -prefsHandle 4060 -prefMapHandle 4056 -prefsLen 32783 -prefMapSize 244628 -jsInitHandle 1020 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {29550145-a723-45b9-b8b6-ce97a51d9417} 2880 "\\.\pipe\gecko-crash-server-pipe.2880" tab
    3⤵
    PID:1800
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4892 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4924 -prefMapHandle 4920 -prefsLen 32783 -prefMapSize 244628 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {01a049da-0c90-45de-acc3-4ee7cf553444} 2880 "\\.\pipe\gecko-crash-server-pipe.2880" utility
    3⤵
    - Checks processor information in registry
    PID:4752
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5360 -childID 3 -isForBrowser -prefsHandle 5328 -prefMapHandle 5332 -prefsLen 26976 -prefMapSize 244628 -jsInitHandle 1020 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {445d2681-9301-40cf-bcbc-01162a5c8eeb} 2880 "\\.\pipe\gecko-crash-server-pipe.2880" tab
    3⤵
    PID:2220
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4780 -childID 4 -isForBrowser -prefsHandle 5632 -prefMapHandle 5532 -prefsLen 27083 -prefMapSize 244628 -jsInitHandle 1020 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {5671184f-3948-45d6-9d3e-43e48d07b49b} 2880 "\\.\pipe\gecko-crash-server-pipe.2880" tab
    3⤵
    PID:3744
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5828 -childID 5 -isForBrowser -prefsHandle 5848 -prefMapHandle 5860 -prefsLen 27083 -prefMapSize 244628 -jsInitHandle 1020 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {f3fad686-4aa8-4dd2-a445-b74bb01b835a} 2880 "\\.\pipe\gecko-crash-server-pipe.2880" tab
    3⤵
    PID:1652
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5928 -childID 6 -isForBrowser -prefsHandle 5936 -prefMapHandle 5940 -prefsLen 27083 -prefMapSize 244628 -jsInitHandle 1020 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {550850eb-02ad-4fdc-840f-bda255be9571} 2880 "\\.\pipe\gecko-crash-server-pipe.2880" tab
    3⤵
    PID:1348

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\trash_malware\" -spe -an -ai#7zMap16134:88:7zEvent27514
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:1320

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:576

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Downloads\trash_malware\trash malware\stupidy fuckity malware.bat" "
1⤵
- Checks computer location settings
PID:3784
- C:\Windows\system32\msg.exe
  msg * you did a mistake...
  2⤵
  PID:984
- C:\Users\Admin\Downloads\trash_malware\trash malware\Zika.exe
  Zika.exe
  2⤵
  - Executes dropped EXE
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  PID:4396
- - C:\Users\Admin\AppData\Local\Temp\0f723b5379544207a1c5a8739d18a22d\svchost.exe
    "C:\Users\Admin\AppData\Local\Temp\0f723b5379544207a1c5a8739d18a22d\svchost.exe" -extract C:\Program Files\7-Zip\7z.dll.sys.exe, C:\Users\Admin\AppData\Local\Temp\0f723b5379544207a1c5a8739d18a22d\icons.rc, icongroup,,
    3⤵
    - Executes dropped EXE
    PID:4372
- - C:\Users\Admin\AppData\Local\Temp\0f723b5379544207a1c5a8739d18a22d\taskhost.exe
    "C:\Users\Admin\AppData\Local\Temp\0f723b5379544207a1c5a8739d18a22d\taskhost.exe" -compile C:\Users\Admin\AppData\Local\Temp\0f723b5379544207a1c5a8739d18a22d\icons.rc, C:\Users\Admin\AppData\Local\Temp\0f723b5379544207a1c5a8739d18a22d\icons.res
    3⤵
    - Executes dropped EXE
    PID:5108
- - C:\Users\Admin\AppData\Local\Temp\0f723b5379544207a1c5a8739d18a22d\svchost.exe
    "C:\Users\Admin\AppData\Local\Temp\0f723b5379544207a1c5a8739d18a22d\svchost.exe" -extract C:\Program Files\7-Zip\7zFM.dll.sys.exe, C:\Users\Admin\AppData\Local\Temp\0f723b5379544207a1c5a8739d18a22d\icons.rc, icongroup,,
    3⤵
    - Executes dropped EXE
    PID:3052
- - C:\Users\Admin\AppData\Local\Temp\0f723b5379544207a1c5a8739d18a22d\taskhost.exe
    "C:\Users\Admin\AppData\Local\Temp\0f723b5379544207a1c5a8739d18a22d\taskhost.exe" -compile C:\Users\Admin\AppData\Local\Temp\0f723b5379544207a1c5a8739d18a22d\icons.rc, C:\Users\Admin\AppData\Local\Temp\0f723b5379544207a1c5a8739d18a22d\icons.res
    3⤵
    - Executes dropped EXE
    PID:1924
- - C:\Users\Admin\AppData\Local\Temp\0f723b5379544207a1c5a8739d18a22d\svchost.exe
    "C:\Users\Admin\AppData\Local\Temp\0f723b5379544207a1c5a8739d18a22d\svchost.exe" -extract C:\Program Files\7-Zip\7zG.dll.sys.exe, C:\Users\Admin\AppData\Local\Temp\0f723b5379544207a1c5a8739d18a22d\icons.rc, icongroup,,
    3⤵
    - Executes dropped EXE
    PID:1932
- - C:\Users\Admin\AppData\Local\Temp\0f723b5379544207a1c5a8739d18a22d\taskhost.exe
    "C:\Users\Admin\AppData\Local\Temp\0f723b5379544207a1c5a8739d18a22d\taskhost.exe" -compile C:\Users\Admin\AppData\Local\Temp\0f723b5379544207a1c5a8739d18a22d\icons.rc, C:\Users\Admin\AppData\Local\Temp\0f723b5379544207a1c5a8739d18a22d\icons.res
    3⤵
    - Executes dropped EXE
    PID:3676
- - C:\Users\Admin\AppData\Local\Temp\0f723b5379544207a1c5a8739d18a22d\svchost.exe
    "C:\Users\Admin\AppData\Local\Temp\0f723b5379544207a1c5a8739d18a22d\svchost.exe" -extract C:\Program Files\7-Zip\Uninstall.dll.sys.exe, C:\Users\Admin\AppData\Local\Temp\0f723b5379544207a1c5a8739d18a22d\icons.rc, icongroup,,
    3⤵
    - Executes dropped EXE
    PID:1756
- - C:\Users\Admin\AppData\Local\Temp\0f723b5379544207a1c5a8739d18a22d\taskhost.exe
    "C:\Users\Admin\AppData\Local\Temp\0f723b5379544207a1c5a8739d18a22d\taskhost.exe" -compile C:\Users\Admin\AppData\Local\Temp\0f723b5379544207a1c5a8739d18a22d\icons.rc, C:\Users\Admin\AppData\Local\Temp\0f723b5379544207a1c5a8739d18a22d\icons.res
    3⤵
    - Executes dropped EXE
    PID:4692
- - C:\Users\Admin\AppData\Local\Temp\0f723b5379544207a1c5a8739d18a22d\svchost.exe
    "C:\Users\Admin\AppData\Local\Temp\0f723b5379544207a1c5a8739d18a22d\svchost.exe" -addoverwrite C:\Program Files\7-Zip\Uninstall.exe", "C:\Program Files\7-Zip\Uninstall.exe, C:\Users\Admin\AppData\Local\Temp\0f723b5379544207a1c5a8739d18a22d\icons.res, icongroup,,
    3⤵
    - Executes dropped EXE
    - Drops file in Program Files directory
    PID:2992
- - C:\Users\Admin\AppData\Local\Temp\0f723b5379544207a1c5a8739d18a22d\svchost.exe
    "C:\Users\Admin\AppData\Local\Temp\0f723b5379544207a1c5a8739d18a22d\svchost.exe" -extract C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.dll.sys.exe, C:\Users\Admin\AppData\Local\Temp\0f723b5379544207a1c5a8739d18a22d\icons.rc, icongroup,,
    3⤵
    - Executes dropped EXE
    PID:3244
- - C:\Users\Admin\AppData\Local\Temp\0f723b5379544207a1c5a8739d18a22d\taskhost.exe
    "C:\Users\Admin\AppData\Local\Temp\0f723b5379544207a1c5a8739d18a22d\taskhost.exe" -compile C:\Users\Admin\AppData\Local\Temp\0f723b5379544207a1c5a8739d18a22d\icons.rc, C:\Users\Admin\AppData\Local\Temp\0f723b5379544207a1c5a8739d18a22d\icons.res
    3⤵
    - Executes dropped EXE
    PID:2464
- - C:\Users\Admin\AppData\Local\Temp\0f723b5379544207a1c5a8739d18a22d\svchost.exe
    "C:\Users\Admin\AppData\Local\Temp\0f723b5379544207a1c5a8739d18a22d\svchost.exe" -extract C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.dll.sys.exe, C:\Users\Admin\AppData\Local\Temp\0f723b5379544207a1c5a8739d18a22d\icons.rc, icongroup,,
    3⤵
    - Executes dropped EXE
    PID:2616
- - C:\Users\Admin\AppData\Local\Temp\0f723b5379544207a1c5a8739d18a22d\taskhost.exe
    "C:\Users\Admin\AppData\Local\Temp\0f723b5379544207a1c5a8739d18a22d\taskhost.exe" -compile C:\Users\Admin\AppData\Local\Temp\0f723b5379544207a1c5a8739d18a22d\icons.rc, C:\Users\Admin\AppData\Local\Temp\0f723b5379544207a1c5a8739d18a22d\icons.res
    3⤵
    - Executes dropped EXE
    PID:968
- - C:\Users\Admin\AppData\Local\Temp\0f723b5379544207a1c5a8739d18a22d\svchost.exe
    "C:\Users\Admin\AppData\Local\Temp\0f723b5379544207a1c5a8739d18a22d\svchost.exe" -extract C:\Program Files\Common Files\microsoft shared\ClickToRun\InspectorOfficeGadget.dll.sys.exe, C:\Users\Admin\AppData\Local\Temp\0f723b5379544207a1c5a8739d18a22d\icons.rc, icongroup,,
    3⤵
    - Executes dropped EXE
    PID:4004
- - C:\Users\Admin\AppData\Local\Temp\0f723b5379544207a1c5a8739d18a22d\taskhost.exe
    "C:\Users\Admin\AppData\Local\Temp\0f723b5379544207a1c5a8739d18a22d\taskhost.exe" -compile C:\Users\Admin\AppData\Local\Temp\0f723b5379544207a1c5a8739d18a22d\icons.rc, C:\Users\Admin\AppData\Local\Temp\0f723b5379544207a1c5a8739d18a22d\icons.res
    3⤵
    - Executes dropped EXE
    PID:3088
- - C:\Users\Admin\AppData\Local\Temp\0f723b5379544207a1c5a8739d18a22d\svchost.exe
    "C:\Users\Admin\AppData\Local\Temp\0f723b5379544207a1c5a8739d18a22d\svchost.exe" -extract C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.dll.sys.exe, C:\Users\Admin\AppData\Local\Temp\0f723b5379544207a1c5a8739d18a22d\icons.rc, icongroup,,
    3⤵
    - Executes dropped EXE
    PID:4776
- - C:\Users\Admin\AppData\Local\Temp\0f723b5379544207a1c5a8739d18a22d\taskhost.exe
    "C:\Users\Admin\AppData\Local\Temp\0f723b5379544207a1c5a8739d18a22d\taskhost.exe" -compile C:\Users\Admin\AppData\Local\Temp\0f723b5379544207a1c5a8739d18a22d\icons.rc, C:\Users\Admin\AppData\Local\Temp\0f723b5379544207a1c5a8739d18a22d\icons.res
    3⤵
    - Executes dropped EXE
    PID:2916
- - C:\Users\Admin\AppData\Local\Temp\0f723b5379544207a1c5a8739d18a22d\svchost.exe
    "C:\Users\Admin\AppData\Local\Temp\0f723b5379544207a1c5a8739d18a22d\svchost.exe" -extract C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.dll.sys.exe, C:\Users\Admin\AppData\Local\Temp\0f723b5379544207a1c5a8739d18a22d\icons.rc, icongroup,,
    3⤵
    - Executes dropped EXE
    PID:4796
- - C:\Users\Admin\AppData\Local\Temp\0f723b5379544207a1c5a8739d18a22d\taskhost.exe
    "C:\Users\Admin\AppData\Local\Temp\0f723b5379544207a1c5a8739d18a22d\taskhost.exe" -compile C:\Users\Admin\AppData\Local\Temp\0f723b5379544207a1c5a8739d18a22d\icons.rc, C:\Users\Admin\AppData\Local\Temp\0f723b5379544207a1c5a8739d18a22d\icons.res
    3⤵
    - Executes dropped EXE
    PID:868
- - C:\Users\Admin\AppData\Local\Temp\0f723b5379544207a1c5a8739d18a22d\svchost.exe
    "C:\Users\Admin\AppData\Local\Temp\0f723b5379544207a1c5a8739d18a22d\svchost.exe" -extract C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.dll.sys.exe, C:\Users\Admin\AppData\Local\Temp\0f723b5379544207a1c5a8739d18a22d\icons.rc, icongroup,,
    3⤵
    - Executes dropped EXE
    PID:2828
- - C:\Users\Admin\AppData\Local\Temp\0f723b5379544207a1c5a8739d18a22d\taskhost.exe
    "C:\Users\Admin\AppData\Local\Temp\0f723b5379544207a1c5a8739d18a22d\taskhost.exe" -compile C:\Users\Admin\AppData\Local\Temp\0f723b5379544207a1c5a8739d18a22d\icons.rc, C:\Users\Admin\AppData\Local\Temp\0f723b5379544207a1c5a8739d18a22d\icons.res
    3⤵
    - Executes dropped EXE
    PID:2992
- C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\Downloads\trash_malware\trash malware\Bolbi.vbs"
  2⤵
  - Checks computer location settings
  PID:900
- - C:\Windows\System32\wscript.exe
    "C:\Windows\System32\wscript.exe" "C:\Users\Admin\Downloads\trash_malware\trash malware\Bolbi.vbs" /elevated
    3⤵
    - Drops file in Windows directory
    - Modifies Control Panel
    - System policy modification
    PID:456
- C:\Users\Admin\Downloads\trash_malware\trash malware\IconDance.exe
  IconDance.exe
  2⤵
  - Executes dropped EXE
  PID:2700
- C:\Users\Admin\Downloads\trash_malware\trash malware\Illerka.C.exe
  Illerka.C.exe
  2⤵
  - UAC bypass
  - Executes dropped EXE
  - Checks whether UAC is enabled
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - System policy modification
  PID:4764
- C:\Users\Admin\Downloads\trash_malware\trash malware\FreeYoutubeDownloader.exe
  FreeYoutubeDownloader.exe
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Adds Run key to start application
  - Drops file in Windows directory
  PID:4624
- - C:\Windows\Free Youtube Downloader\Free Youtube Downloader\Free YouTube Downloader.exe
    "C:\Windows\Free Youtube Downloader\Free Youtube Downloader\Free YouTube Downloader.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    PID:2536
- C:\Users\Admin\Downloads\trash_malware\trash malware\XPAntivirus2008.exe
  XPAntivirus2008.exe
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Drops file in Program Files directory
  PID:1808
- - C:\Windows\SysWOW64\wscript.exe
    wscript //B C:\Users\Admin\AppData\Local\Temp\pin.vbs "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Antivirus XP 2008" "Antivirus XP 2008.lnk"
    3⤵
    - Checks computer location settings
    PID:2116
- - C:\Windows\SysWOW64\wscript.exe
    wscript //B C:\Users\Admin\AppData\Local\Temp\pin.vbs "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Antivirus XP 2008" "Register Antivirus XP 2008.lnk"
    3⤵
    - Checks computer location settings
    PID:1860
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c kofi.bat "C:\Users\Admin\Downloads\trash_malware\trash malware\XPAntivirus2008.exe"
    3⤵
    PID:4392
- - C:\Program Files (x86)\rhc9l0j0en3j\rhc9l0j0en3j.exe
    "C:\Program Files (x86)\rhc9l0j0en3j\rhc9l0j0en3j.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of SetWindowsHookEx
    PID:3796
  - - C:\Windows\SysWOW64\pphccl0j0en3j.exe
      "C:\Windows\system32\pphccl0j0en3j.exe"
      4⤵
      Executes dropped EXE
      PID:5100
- C:\Users\Admin\Downloads\trash_malware\trash malware\AntivirusPro2017.exe
  AntivirusPro2017.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Enumerates connected drives
  - Writes to the Master Boot Record (MBR)
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  PID:2912
- C:\Users\Admin\Downloads\trash_malware\trash malware\HappyAntivirus.exe
  HappyAntivirus.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:1348
- C:\Users\Admin\Downloads\trash_malware\trash malware\AntivirusPlatinum.exe
  AntivirusPlatinum.exe
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Drops file in Windows directory
  PID:3024
- - C:\WINDOWS\302746537.exe
    "C:\WINDOWS\302746537.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    PID:1292
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\8445.tmp\302746537.bat" "
      4⤵
      PID:2644
    - - C:\Windows\SysWOW64\regsvr32.exe
        
        regsvr32 /s c:\windows\comctl32.ocx
        5⤵
        Loads dropped DLL
        Modifies registry class
        
        PID:1980
    - - C:\Windows\SysWOW64\regsvr32.exe
        
        regsvr32 /s c:\windows\mscomctl.ocx
        5⤵
        Loads dropped DLL
        Modifies registry class
        
        PID:3088
    - - \??\c:\windows\antivirus-platinum.exe
        
        c:\windows\antivirus-platinum.exe
        5⤵
        Windows security bypass
        Disables RegEdit via registry modification
        Executes dropped EXE
        Loads dropped DLL
        Windows security modification
        Modifies Internet Explorer settings
        Modifies Internet Explorer start page
        Suspicious use of FindShellTrayWindow
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:4420
    - - C:\Windows\SysWOW64\attrib.exe
        
        attrib +h c:\windows\antivirus-platinum.exe
        5⤵
        Drops file in Windows directory
        Views/modifies file attributes
        
        PID:3060
- C:\Users\Admin\Downloads\trash_malware\trash malware\icons.exe
  icons.exe
  2⤵
  - Executes dropped EXE
  PID:2388
- C:\Users\Admin\Downloads\trash_malware\trash malware\Bonzify.exe
  Bonzify.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2808
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\KillAgent.bat"
    3⤵
    PID:1552
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im AgentSvr.exe
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:1828
  - - C:\Windows\SysWOW64\takeown.exe
      takeown /r /d y /f C:\Windows\MsAgent
      4⤵
      PID:4172
  - - C:\Windows\SysWOW64\icacls.exe
      icacls C:\Windows\MsAgent /c /t /grant "everyone":(f)
      4⤵
      PID:2052
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-setup-component_31bf3856ad364e35_10.0.19041.1237_none_a6ef3a2e62766c5c\AuditShD.exe"
    3⤵
    PID:3572
  - - C:\Windows\SysWOW64\takeown.exe
      takeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-setup-component_31bf3856ad364e35_10.0.19041.1237_none_a6ef3a2e62766c5c\AuditShD.exe"
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:4500
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\Windows\WinSxS\amd64_microsoft-windows-setup-component_31bf3856ad364e35_10.0.19041.1237_none_a6ef3a2e62766c5c\AuditShD.exe" /grant "everyone":(f)
      4⤵
      PID:652
- - C:\Users\Admin\AppData\Local\Temp\INSTALLER.exe
    INSTALLER.exe /q
    3⤵
    - Boot or Logon Autostart Execution: Active Setup
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in Windows directory
    PID:3608
  - - C:\Windows\SysWOW64\regsvr32.exe
      regsvr32 /s "C:\Windows\msagent\AgentCtl.dll"
      4⤵
      Loads dropped DLL
      Modifies registry class
      PID:1932
  - - C:\Windows\SysWOW64\regsvr32.exe
      regsvr32 /s "C:\Windows\msagent\AgentDPv.dll"
      4⤵
      Loads dropped DLL
      PID:1100
  - - C:\Windows\SysWOW64\regsvr32.exe
      regsvr32 /s "C:\Windows\msagent\mslwvtts.dll"
      4⤵
      Loads dropped DLL
      PID:1268
  - - C:\Windows\SysWOW64\regsvr32.exe
      regsvr32 /s "C:\Windows\msagent\AgentDP2.dll"
      4⤵
      Loads dropped DLL
      PID:4668
  - - C:\Windows\SysWOW64\regsvr32.exe
      regsvr32 /s "C:\Windows\msagent\AgentMPx.dll"
      4⤵
      Loads dropped DLL
      PID:868
  - - C:\Windows\SysWOW64\regsvr32.exe
      regsvr32 /s "C:\Windows\msagent\AgentSR.dll"
      4⤵
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      PID:4532
  - - C:\Windows\SysWOW64\regsvr32.exe
      regsvr32 /s "C:\Windows\msagent\AgentPsh.dll"
      4⤵
      Loads dropped DLL
      PID:3372
  - - C:\Windows\msagent\AgentSvr.exe
      "C:\Windows\msagent\AgentSvr.exe" /regserver
      4⤵
      Executes dropped EXE
      Modifies registry class
      PID:4728
  - - C:\Windows\SysWOW64\grpconv.exe
      grpconv.exe -o
      4⤵
      PID:4480
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-setup-component_31bf3856ad364e35_10.0.19041.1237_none_a6ef3a2e62766c5c\f\audit.exe"
    3⤵
    PID:2492
  - - C:\Windows\SysWOW64\takeown.exe
      takeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-setup-component_31bf3856ad364e35_10.0.19041.1237_none_a6ef3a2e62766c5c\f\audit.exe"
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:3708
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\Windows\WinSxS\amd64_microsoft-windows-setup-component_31bf3856ad364e35_10.0.19041.1237_none_a6ef3a2e62766c5c\f\audit.exe" /grant "everyone":(f)
      4⤵
      PID:1828
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-setup-component_31bf3856ad364e35_10.0.19041.1237_none_a6ef3a2e62766c5c\f\AuditShD.exe"
    3⤵
    PID:2376
  - - C:\Windows\SysWOW64\takeown.exe
      takeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-setup-component_31bf3856ad364e35_10.0.19041.1237_none_a6ef3a2e62766c5c\f\AuditShD.exe"
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:1860
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\Windows\WinSxS\amd64_microsoft-windows-setup-component_31bf3856ad364e35_10.0.19041.1237_none_a6ef3a2e62766c5c\f\AuditShD.exe" /grant "everyone":(f)
      4⤵
      PID:3960
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-setup-component_31bf3856ad364e35_10.0.19041.1237_none_a6ef3a2e62766c5c\f\Setup.exe"
    3⤵
    PID:1992
  - - C:\Windows\SysWOW64\takeown.exe
      takeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-setup-component_31bf3856ad364e35_10.0.19041.1237_none_a6ef3a2e62766c5c\f\Setup.exe"
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:4816
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\Windows\WinSxS\amd64_microsoft-windows-setup-component_31bf3856ad364e35_10.0.19041.1237_none_a6ef3a2e62766c5c\f\Setup.exe" /grant "everyone":(f)
      4⤵
      PID:3704
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-setup-component_31bf3856ad364e35_10.0.19041.1237_none_a6ef3a2e62766c5c\r\audit.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:788
  - - C:\Windows\SysWOW64\takeown.exe
      takeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-setup-component_31bf3856ad364e35_10.0.19041.1237_none_a6ef3a2e62766c5c\r\audit.exe"
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:3624
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\Windows\WinSxS\amd64_microsoft-windows-setup-component_31bf3856ad364e35_10.0.19041.1237_none_a6ef3a2e62766c5c\r\audit.exe" /grant "everyone":(f)
      4⤵
      PID:1292
- - C:\Users\Admin\AppData\Local\Temp\INSTALLER.exe
    INSTALLER.exe /q
    3⤵
    - Boot or Logon Autostart Execution: Active Setup
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Drops file in System32 directory
    - Drops file in Windows directory
    PID:4836
  - - C:\Windows\SysWOW64\regsvr32.exe
      regsvr32 /s C:\Windows\lhsp\tv\tv_enua.dll
      4⤵
      Loads dropped DLL
      PID:3696
  - - C:\Windows\SysWOW64\regsvr32.exe
      regsvr32 /s C:\Windows\lhsp\tv\tvenuax.dll
      4⤵
      Loads dropped DLL
      Modifies registry class
      PID:4248
  - - C:\Windows\SysWOW64\grpconv.exe
      grpconv.exe -o
      4⤵
      PID:4348
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-setup-component_31bf3856ad364e35_10.0.19041.1237_none_a6ef3a2e62766c5c\r\AuditShD.exe"
    3⤵
    PID:3392
  - - C:\Windows\SysWOW64\takeown.exe
      takeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-setup-component_31bf3856ad364e35_10.0.19041.1237_none_a6ef3a2e62766c5c\r\AuditShD.exe"
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:3908
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\Windows\WinSxS\amd64_microsoft-windows-setup-component_31bf3856ad364e35_10.0.19041.1237_none_a6ef3a2e62766c5c\r\AuditShD.exe" /grant "everyone":(f)
      4⤵
      PID:2524
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-setup-component_31bf3856ad364e35_10.0.19041.1237_none_a6ef3a2e62766c5c\r\Setup.exe"
    3⤵
    PID:1644
  - - C:\Windows\SysWOW64\takeown.exe
      takeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-setup-component_31bf3856ad364e35_10.0.19041.1237_none_a6ef3a2e62766c5c\r\Setup.exe"
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:5104
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\Windows\WinSxS\amd64_microsoft-windows-setup-component_31bf3856ad364e35_10.0.19041.1237_none_a6ef3a2e62766c5c\r\Setup.exe" /grant "everyone":(f)
      4⤵
      PID:4816
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-setup-component_31bf3856ad364e35_10.0.19041.1237_none_a6ef3a2e62766c5c\Setup.exe"
    3⤵
    PID:652
  - - C:\Windows\SysWOW64\takeown.exe
      takeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-setup-component_31bf3856ad364e35_10.0.19041.1237_none_a6ef3a2e62766c5c\Setup.exe"
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:4564
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\Windows\WinSxS\amd64_microsoft-windows-setup-component_31bf3856ad364e35_10.0.19041.1237_none_a6ef3a2e62766c5c\Setup.exe" /grant "everyone":(f)
      4⤵
      PID:3048
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-setup-component_31bf3856ad364e35_10.0.19041.4355_none_a6e69e18627c7f2e\audit.exe"
    3⤵
    PID:4284
  - - C:\Windows\SysWOW64\takeown.exe
      takeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-setup-component_31bf3856ad364e35_10.0.19041.4355_none_a6e69e18627c7f2e\audit.exe"
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:1284
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\Windows\WinSxS\amd64_microsoft-windows-setup-component_31bf3856ad364e35_10.0.19041.4355_none_a6e69e18627c7f2e\audit.exe" /grant "everyone":(f)
      4⤵
      PID:1912
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-setup-component_31bf3856ad364e35_10.0.19041.4355_none_a6e69e18627c7f2e\AuditShD.exe"
    3⤵
    PID:3120
  - - C:\Windows\SysWOW64\takeown.exe
      takeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-setup-component_31bf3856ad364e35_10.0.19041.4355_none_a6e69e18627c7f2e\AuditShD.exe"
      4⤵
      Possible privilege escalation attempt
      Suspicious use of AdjustPrivilegeToken
      PID:1552
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\Windows\WinSxS\amd64_microsoft-windows-setup-component_31bf3856ad364e35_10.0.19041.4355_none_a6e69e18627c7f2e\AuditShD.exe" /grant "everyone":(f)
      4⤵
      PID:348
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-setup-component_31bf3856ad364e35_10.0.19041.4355_none_a6e69e18627c7f2e\f\audit.exe"
    3⤵
    PID:2096
  - - C:\Windows\SysWOW64\takeown.exe
      takeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-setup-component_31bf3856ad364e35_10.0.19041.4355_none_a6e69e18627c7f2e\f\audit.exe"
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:1804
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\Windows\WinSxS\amd64_microsoft-windows-setup-component_31bf3856ad364e35_10.0.19041.4355_none_a6e69e18627c7f2e\f\audit.exe" /grant "everyone":(f)
      4⤵
      PID:5116
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-setup-component_31bf3856ad364e35_10.0.19041.4355_none_a6e69e18627c7f2e\f\AuditShD.exe"
    3⤵
    PID:1692
  - - C:\Windows\SysWOW64\takeown.exe
      takeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-setup-component_31bf3856ad364e35_10.0.19041.4355_none_a6e69e18627c7f2e\f\AuditShD.exe"
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:4504
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\Windows\WinSxS\amd64_microsoft-windows-setup-component_31bf3856ad364e35_10.0.19041.4355_none_a6e69e18627c7f2e\f\AuditShD.exe" /grant "everyone":(f)
      4⤵
      PID:4692
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-setup-component_31bf3856ad364e35_10.0.19041.4355_none_a6e69e18627c7f2e\f\Setup.exe"
    3⤵
    PID:4740
  - - C:\Windows\SysWOW64\takeown.exe
      takeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-setup-component_31bf3856ad364e35_10.0.19041.4355_none_a6e69e18627c7f2e\f\Setup.exe"
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:900
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\Windows\WinSxS\amd64_microsoft-windows-setup-component_31bf3856ad364e35_10.0.19041.4355_none_a6e69e18627c7f2e\f\Setup.exe" /grant "everyone":(f)
      4⤵
      PID:4828
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-setup-component_31bf3856ad364e35_10.0.19041.4355_none_a6e69e18627c7f2e\r\audit.exe"
    3⤵
    PID:3532
  - - C:\Windows\SysWOW64\takeown.exe
      takeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-setup-component_31bf3856ad364e35_10.0.19041.4355_none_a6e69e18627c7f2e\r\audit.exe"
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:3032
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\Windows\WinSxS\amd64_microsoft-windows-setup-component_31bf3856ad364e35_10.0.19041.4355_none_a6e69e18627c7f2e\r\audit.exe" /grant "everyone":(f)
      4⤵
      PID:3696
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-setup-component_31bf3856ad364e35_10.0.19041.4355_none_a6e69e18627c7f2e\r\AuditShD.exe"
    3⤵
    PID:2120
  - - C:\Windows\SysWOW64\takeown.exe
      takeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-setup-component_31bf3856ad364e35_10.0.19041.4355_none_a6e69e18627c7f2e\r\AuditShD.exe"
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:2892
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\Windows\WinSxS\amd64_microsoft-windows-setup-component_31bf3856ad364e35_10.0.19041.4355_none_a6e69e18627c7f2e\r\AuditShD.exe" /grant "everyone":(f)
      4⤵
      PID:3784
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-setup-component_31bf3856ad364e35_10.0.19041.4355_none_a6e69e18627c7f2e\r\Setup.exe"
    3⤵
    PID:4472
  - - C:\Windows\SysWOW64\takeown.exe
      takeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-setup-component_31bf3856ad364e35_10.0.19041.4355_none_a6e69e18627c7f2e\r\Setup.exe"
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:2364
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\Windows\WinSxS\amd64_microsoft-windows-setup-component_31bf3856ad364e35_10.0.19041.4355_none_a6e69e18627c7f2e\r\Setup.exe" /grant "everyone":(f)
      4⤵
      PID:5016
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-setup-component_31bf3856ad364e35_10.0.19041.4355_none_a6e69e18627c7f2e\Setup.exe"
    3⤵
    PID:4660
  - - C:\Windows\SysWOW64\takeown.exe
      takeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-setup-component_31bf3856ad364e35_10.0.19041.4355_none_a6e69e18627c7f2e\Setup.exe"
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:1676
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\Windows\WinSxS\amd64_microsoft-windows-setup-component_31bf3856ad364e35_10.0.19041.4355_none_a6e69e18627c7f2e\Setup.exe" /grant "everyone":(f)
      4⤵
      PID:1100
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-setup-mbr2gpt_31bf3856ad364e35_10.0.19041.1237_none_6b74aa3973213895\f\MBR2GPT.EXE"
    3⤵
    PID:2024
  - - C:\Windows\SysWOW64\takeown.exe
      takeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-setup-mbr2gpt_31bf3856ad364e35_10.0.19041.1237_none_6b74aa3973213895\f\MBR2GPT.EXE"
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:3764
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\Windows\WinSxS\amd64_microsoft-windows-setup-mbr2gpt_31bf3856ad364e35_10.0.19041.1237_none_6b74aa3973213895\f\MBR2GPT.EXE" /grant "everyone":(f)
      4⤵
      PID:5104
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-setup-mbr2gpt_31bf3856ad364e35_10.0.19041.1237_none_6b74aa3973213895\MBR2GPT.EXE"
    3⤵
    PID:3580
  - - C:\Windows\SysWOW64\takeown.exe
      takeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-setup-mbr2gpt_31bf3856ad364e35_10.0.19041.1237_none_6b74aa3973213895\MBR2GPT.EXE"
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:3832
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\Windows\WinSxS\amd64_microsoft-windows-setup-mbr2gpt_31bf3856ad364e35_10.0.19041.1237_none_6b74aa3973213895\MBR2GPT.EXE" /grant "everyone":(f)
      4⤵
      PID:640
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-setup-mbr2gpt_31bf3856ad364e35_10.0.19041.1237_none_6b74aa3973213895\r\MBR2GPT.EXE"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4580
  - - C:\Windows\SysWOW64\takeown.exe
      takeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-setup-mbr2gpt_31bf3856ad364e35_10.0.19041.1237_none_6b74aa3973213895\r\MBR2GPT.EXE"
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      PID:3704
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\Windows\WinSxS\amd64_microsoft-windows-setup-mbr2gpt_31bf3856ad364e35_10.0.19041.1237_none_6b74aa3973213895\r\MBR2GPT.EXE" /grant "everyone":(f)
      4⤵
      PID:764
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-setup-mbr2gpt_31bf3856ad364e35_10.0.19041.4355_none_6b6c0e2373274b67\f\MBR2GPT.EXE"
    3⤵
    PID:1192
  - - C:\Windows\SysWOW64\takeown.exe
      takeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-setup-mbr2gpt_31bf3856ad364e35_10.0.19041.4355_none_6b6c0e2373274b67\f\MBR2GPT.EXE"
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:1912
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\Windows\WinSxS\amd64_microsoft-windows-setup-mbr2gpt_31bf3856ad364e35_10.0.19041.4355_none_6b6c0e2373274b67\f\MBR2GPT.EXE" /grant "everyone":(f)
      4⤵
      Possible privilege escalation attempt
      PID:4524
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-setup-mbr2gpt_31bf3856ad364e35_10.0.19041.4355_none_6b6c0e2373274b67\MBR2GPT.EXE"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1784
  - - C:\Windows\SysWOW64\takeown.exe
      takeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-setup-mbr2gpt_31bf3856ad364e35_10.0.19041.4355_none_6b6c0e2373274b67\MBR2GPT.EXE"
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:3560
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\Windows\WinSxS\amd64_microsoft-windows-setup-mbr2gpt_31bf3856ad364e35_10.0.19041.4355_none_6b6c0e2373274b67\MBR2GPT.EXE" /grant "everyone":(f)
      4⤵
      PID:4100
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-setup-mbr2gpt_31bf3856ad364e35_10.0.19041.4355_none_6b6c0e2373274b67\r\MBR2GPT.EXE"
    3⤵
    PID:2976
  - - C:\Windows\SysWOW64\takeown.exe
      takeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-setup-mbr2gpt_31bf3856ad364e35_10.0.19041.4355_none_6b6c0e2373274b67\r\MBR2GPT.EXE"
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:5116
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\Windows\WinSxS\amd64_microsoft-windows-setup-mbr2gpt_31bf3856ad364e35_10.0.19041.4355_none_6b6c0e2373274b67\r\MBR2GPT.EXE" /grant "everyone":(f)
      4⤵
      PID:1920
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-setupapi_31bf3856ad364e35_10.0.19041.1237_none_a9b815907b71fe1a\f\wowreg32.exe"
    3⤵
    PID:2096
  - - C:\Windows\SysWOW64\takeown.exe
      takeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-setupapi_31bf3856ad364e35_10.0.19041.1237_none_a9b815907b71fe1a\f\wowreg32.exe"
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:3164
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\Windows\WinSxS\amd64_microsoft-windows-setupapi_31bf3856ad364e35_10.0.19041.1237_none_a9b815907b71fe1a\f\wowreg32.exe" /grant "everyone":(f)
      4⤵
      PID:620
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-setupapi_31bf3856ad364e35_10.0.19041.1237_none_a9b815907b71fe1a\r\wowreg32.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4504
  - - C:\Windows\SysWOW64\takeown.exe
      takeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-setupapi_31bf3856ad364e35_10.0.19041.1237_none_a9b815907b71fe1a\r\wowreg32.exe"
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:2396
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\Windows\WinSxS\amd64_microsoft-windows-setupapi_31bf3856ad364e35_10.0.19041.1237_none_a9b815907b71fe1a\r\wowreg32.exe" /grant "everyone":(f)
      4⤵
      PID:1808
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-setupapi_31bf3856ad364e35_10.0.19041.1237_none_a9b815907b71fe1a\wowreg32.exe"
    3⤵
    PID:4744
  - - C:\Windows\SysWOW64\takeown.exe
      takeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-setupapi_31bf3856ad364e35_10.0.19041.1237_none_a9b815907b71fe1a\wowreg32.exe"
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:4624
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\Windows\WinSxS\amd64_microsoft-windows-setupapi_31bf3856ad364e35_10.0.19041.1237_none_a9b815907b71fe1a\wowreg32.exe" /grant "everyone":(f)
      4⤵
      PID:4740
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-setupapi_31bf3856ad364e35_10.0.19041.4355_none_a9af797a7b7810ec\f\wowreg32.exe"
    3⤵
    PID:4144
  - - C:\Windows\SysWOW64\takeown.exe
      takeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-setupapi_31bf3856ad364e35_10.0.19041.4355_none_a9af797a7b7810ec\f\wowreg32.exe"
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:3696
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\Windows\WinSxS\amd64_microsoft-windows-setupapi_31bf3856ad364e35_10.0.19041.4355_none_a9af797a7b7810ec\f\wowreg32.exe" /grant "everyone":(f)
      4⤵
      PID:3532
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-setupapi_31bf3856ad364e35_10.0.19041.4355_none_a9af797a7b7810ec\r\wowreg32.exe"
    3⤵
    PID:1524
  - - C:\Windows\SysWOW64\takeown.exe
      takeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-setupapi_31bf3856ad364e35_10.0.19041.4355_none_a9af797a7b7810ec\r\wowreg32.exe"
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:1996
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\Windows\WinSxS\amd64_microsoft-windows-setupapi_31bf3856ad364e35_10.0.19041.4355_none_a9af797a7b7810ec\r\wowreg32.exe" /grant "everyone":(f)
      4⤵
      PID:2892
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-setupapi_31bf3856ad364e35_10.0.19041.4355_none_a9af797a7b7810ec\wowreg32.exe"
    3⤵
    PID:2908
  - - C:\Windows\SysWOW64\takeown.exe
      takeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-setupapi_31bf3856ad364e35_10.0.19041.4355_none_a9af797a7b7810ec\wowreg32.exe"
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:4636
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\Windows\WinSxS\amd64_microsoft-windows-setupapi_31bf3856ad364e35_10.0.19041.4355_none_a9af797a7b7810ec\wowreg32.exe" /grant "everyone":(f)
      4⤵
      System Location Discovery: System Language Discovery
      PID:2916
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-setupcl_31bf3856ad364e35_10.0.19041.1_none_0ea013578aa5744f\setupcl.exe"
    3⤵
    PID:4004
  - - C:\Windows\SysWOW64\takeown.exe
      takeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-setupcl_31bf3856ad364e35_10.0.19041.1_none_0ea013578aa5744f\setupcl.exe"
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:1072
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\Windows\WinSxS\amd64_microsoft-windows-setupcl_31bf3856ad364e35_10.0.19041.1_none_0ea013578aa5744f\setupcl.exe" /grant "everyone":(f)
      4⤵
      PID:4784
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-setupcl_31bf3856ad364e35_10.0.19041.3636_none_cd469c97a09c620a\f\setupcl.exe"
    3⤵
    PID:1916
  - - C:\Windows\SysWOW64\takeown.exe
      takeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-setupcl_31bf3856ad364e35_10.0.19041.3636_none_cd469c97a09c620a\f\setupcl.exe"
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:4472
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\Windows\WinSxS\amd64_microsoft-windows-setupcl_31bf3856ad364e35_10.0.19041.3636_none_cd469c97a09c620a\f\setupcl.exe" /grant "everyone":(f)
      4⤵
      PID:1100
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-setupcl_31bf3856ad364e35_10.0.19041.3636_none_cd469c97a09c620a\r\setupcl.exe"
    3⤵
    PID:4720
  - - C:\Windows\SysWOW64\takeown.exe
      takeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-setupcl_31bf3856ad364e35_10.0.19041.3636_none_cd469c97a09c620a\r\setupcl.exe"
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:2664
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\Windows\WinSxS\amd64_microsoft-windows-setupcl_31bf3856ad364e35_10.0.19041.3636_none_cd469c97a09c620a\r\setupcl.exe" /grant "everyone":(f)
      4⤵
      PID:4500
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-setupcl_31bf3856ad364e35_10.0.19041.3636_none_cd469c97a09c620a\setupcl.exe"
    3⤵
    PID:3392
  - - C:\Windows\SysWOW64\takeown.exe
      takeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-setupcl_31bf3856ad364e35_10.0.19041.3636_none_cd469c97a09c620a\setupcl.exe"
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:640
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\Windows\WinSxS\amd64_microsoft-windows-setupcl_31bf3856ad364e35_10.0.19041.3636_none_cd469c97a09c620a\setupcl.exe" /grant "everyone":(f)
      4⤵
      PID:1644
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-setx_31bf3856ad364e35_10.0.19041.1_none_6267e352b86de969\setx.exe"
    3⤵
    PID:1800
  - - C:\Windows\SysWOW64\takeown.exe
      takeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-setx_31bf3856ad364e35_10.0.19041.1_none_6267e352b86de969\setx.exe"
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:956
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\Windows\WinSxS\amd64_microsoft-windows-setx_31bf3856ad364e35_10.0.19041.1_none_6267e352b86de969\setx.exe" /grant "everyone":(f)
      4⤵
      PID:652
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-sharedaccess_31bf3856ad364e35_10.0.19041.4522_none_796f2211fe991df8\f\icsunattend.exe"
    3⤵
    PID:3160
  - - C:\Windows\SysWOW64\takeown.exe
      takeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-sharedaccess_31bf3856ad364e35_10.0.19041.4522_none_796f2211fe991df8\f\icsunattend.exe"
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:3432
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\Windows\WinSxS\amd64_microsoft-windows-sharedaccess_31bf3856ad364e35_10.0.19041.4522_none_796f2211fe991df8\f\icsunattend.exe" /grant "everyone":(f)
      4⤵
      PID:4296
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-sharedaccess_31bf3856ad364e35_10.0.19041.4522_none_796f2211fe991df8\icsunattend.exe"
    3⤵
    PID:2028
  - - C:\Windows\SysWOW64\takeown.exe
      takeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-sharedaccess_31bf3856ad364e35_10.0.19041.4522_none_796f2211fe991df8\icsunattend.exe"
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:3120
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\Windows\WinSxS\amd64_microsoft-windows-sharedaccess_31bf3856ad364e35_10.0.19041.4522_none_796f2211fe991df8\icsunattend.exe" /grant "everyone":(f)
      4⤵
      PID:1492
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-sharedaccess_31bf3856ad364e35_10.0.19041.4522_none_796f2211fe991df8\r\icsunattend.exe"
    3⤵
    PID:1552
  - - C:\Windows\SysWOW64\takeown.exe
      takeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-sharedaccess_31bf3856ad364e35_10.0.19041.4522_none_796f2211fe991df8\r\icsunattend.exe"
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:2864
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\Windows\WinSxS\amd64_microsoft-windows-sharedaccess_31bf3856ad364e35_10.0.19041.4522_none_796f2211fe991df8\r\icsunattend.exe" /grant "everyone":(f)
      4⤵
      PID:1804
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-sharedaccess_31bf3856ad364e35_10.0.19041.746_none_e2c6a972a81b8d2c\f\icsunattend.exe"
    3⤵
    PID:1972
  - - C:\Windows\SysWOW64\takeown.exe
      takeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-sharedaccess_31bf3856ad364e35_10.0.19041.746_none_e2c6a972a81b8d2c\f\icsunattend.exe"
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:188
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\Windows\WinSxS\amd64_microsoft-windows-sharedaccess_31bf3856ad364e35_10.0.19041.746_none_e2c6a972a81b8d2c\f\icsunattend.exe" /grant "everyone":(f)
      4⤵
      PID:2488
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-sharedaccess_31bf3856ad364e35_10.0.19041.746_none_e2c6a972a81b8d2c\icsunattend.exe"
    3⤵
    PID:2644
  - - C:\Windows\SysWOW64\takeown.exe
      takeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-sharedaccess_31bf3856ad364e35_10.0.19041.746_none_e2c6a972a81b8d2c\icsunattend.exe"
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:3996
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\Windows\WinSxS\amd64_microsoft-windows-sharedaccess_31bf3856ad364e35_10.0.19041.746_none_e2c6a972a81b8d2c\icsunattend.exe" /grant "everyone":(f)
      4⤵
      PID:3080
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-sharedaccess_31bf3856ad364e35_10.0.19041.746_none_e2c6a972a81b8d2c\r\icsunattend.exe"
    3⤵
    PID:2176
  - - C:\Windows\SysWOW64\takeown.exe
      takeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-sharedaccess_31bf3856ad364e35_10.0.19041.746_none_e2c6a972a81b8d2c\r\icsunattend.exe"
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:5008
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\Windows\WinSxS\amd64_microsoft-windows-sharedaccess_31bf3856ad364e35_10.0.19041.746_none_e2c6a972a81b8d2c\r\icsunattend.exe" /grant "everyone":(f)
      4⤵
      PID:3248
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-sharedfoldersui_31bf3856ad364e35_10.0.19041.3636_none_2cb4cb9be6df2714\shrpubw.exe"
    3⤵
    PID:4828
  - - C:\Windows\SysWOW64\takeown.exe
      takeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-sharedfoldersui_31bf3856ad364e35_10.0.19041.3636_none_2cb4cb9be6df2714\shrpubw.exe"
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:3532
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\Windows\WinSxS\amd64_microsoft-windows-sharedfoldersui_31bf3856ad364e35_10.0.19041.3636_none_2cb4cb9be6df2714\shrpubw.exe" /grant "everyone":(f)
      4⤵
      PID:60
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-sharedfoldersui_31bf3856ad364e35_10.0.19041.746_none_96167fa49059f7a3\shrpubw.exe"
    3⤵
    PID:3632
  - - C:\Windows\SysWOW64\takeown.exe
      takeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-sharedfoldersui_31bf3856ad364e35_10.0.19041.746_none_96167fa49059f7a3\shrpubw.exe"
      4⤵
      PID:3936
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\Windows\WinSxS\amd64_microsoft-windows-sharedfoldersui_31bf3856ad364e35_10.0.19041.746_none_96167fa49059f7a3\shrpubw.exe" /grant "everyone":(f)
      4⤵
      PID:1628
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-shell-customshellhost_31bf3856ad364e35_10.0.19041.1202_none_fd57358454385601\CustomShellHost.exe"
    3⤵
    PID:3968
  - - C:\Windows\SysWOW64\takeown.exe
      takeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-shell-customshellhost_31bf3856ad364e35_10.0.19041.1202_none_fd57358454385601\CustomShellHost.exe"
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:2532
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\Windows\WinSxS\amd64_microsoft-windows-shell-customshellhost_31bf3856ad364e35_10.0.19041.1202_none_fd57358454385601\CustomShellHost.exe" /grant "everyone":(f)
      4⤵
      PID:1960
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-shell-customshellhost_31bf3856ad364e35_10.0.19041.1202_none_fd57358454385601\n\CustomShellHost.exe"
    3⤵
    PID:2828
  - - C:\Windows\SysWOW64\takeown.exe
      takeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-shell-customshellhost_31bf3856ad364e35_10.0.19041.1202_none_fd57358454385601\n\CustomShellHost.exe"
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:2120
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\Windows\WinSxS\amd64_microsoft-windows-shell-customshellhost_31bf3856ad364e35_10.0.19041.1202_none_fd57358454385601\n\CustomShellHost.exe" /grant "everyone":(f)
      4⤵
      PID:2464
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-shell-customshellhost_31bf3856ad364e35_10.0.19041.4474_none_fd486fd4544269fb\CustomShellHost.exe"
    3⤵
    PID:824
  - - C:\Windows\SysWOW64\takeown.exe
      takeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-shell-customshellhost_31bf3856ad364e35_10.0.19041.4474_none_fd486fd4544269fb\CustomShellHost.exe"
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:1316
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\Windows\WinSxS\amd64_microsoft-windows-shell-customshellhost_31bf3856ad364e35_10.0.19041.4474_none_fd486fd4544269fb\CustomShellHost.exe" /grant "everyone":(f)
      4⤵
      PID:2616
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-shell-customshellhost_31bf3856ad364e35_10.0.19041.4474_none_fd486fd4544269fb\n\CustomShellHost.exe"
    3⤵
    PID:1860
  - - C:\Windows\SysWOW64\takeown.exe
      takeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-shell-customshellhost_31bf3856ad364e35_10.0.19041.4474_none_fd486fd4544269fb\n\CustomShellHost.exe"
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:4172
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\Windows\WinSxS\amd64_microsoft-windows-shell-customshellhost_31bf3856ad364e35_10.0.19041.4474_none_fd486fd4544269fb\n\CustomShellHost.exe" /grant "everyone":(f)
      4⤵
      PID:1940
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-shell-oneoffs-em_31bf3856ad364e35_10.0.19041.4355_none_666d6508fc334819\EM.exe"
    3⤵
    PID:1840
  - - C:\Windows\SysWOW64\takeown.exe
      takeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-shell-oneoffs-em_31bf3856ad364e35_10.0.19041.4355_none_666d6508fc334819\EM.exe"
      4⤵
      PID:4660
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\Windows\WinSxS\amd64_microsoft-windows-shell-oneoffs-em_31bf3856ad364e35_10.0.19041.4355_none_666d6508fc334819\EM.exe" /grant "everyone":(f)
      4⤵
      PID:2276
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-shell-oneoffs-em_31bf3856ad364e35_10.0.19041.4355_none_666d6508fc334819\n\EM.exe"
    3⤵
    PID:4816
  - - C:\Windows\SysWOW64\takeown.exe
      takeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-shell-oneoffs-em_31bf3856ad364e35_10.0.19041.4355_none_666d6508fc334819\n\EM.exe"
      4⤵
      PID:1056
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\Windows\WinSxS\amd64_microsoft-windows-shell-oneoffs-em_31bf3856ad364e35_10.0.19041.4355_none_666d6508fc334819\n\EM.exe" /grant "everyone":(f)
      4⤵
      PID:764
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-shell-oobe-maintenance_31bf3856ad364e35_10.0.19041.4355_none_ded90f1a0a65795b\n\OOBE-Maintenance.exe"
    3⤵
    PID:644
  - - C:\Windows\SysWOW64\takeown.exe
      takeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-shell-oobe-maintenance_31bf3856ad364e35_10.0.19041.4355_none_ded90f1a0a65795b\n\OOBE-Maintenance.exe"
      4⤵
      PID:3572
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\Windows\WinSxS\amd64_microsoft-windows-shell-oobe-maintenance_31bf3856ad364e35_10.0.19041.4355_none_ded90f1a0a65795b\n\OOBE-Maintenance.exe" /grant "everyone":(f)
      4⤵
      PID:892
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-shell-oobe-maintenance_31bf3856ad364e35_10.0.19041.4355_none_ded90f1a0a65795b\OOBE-Maintenance.exe"
    3⤵
    PID:576
  - - C:\Windows\SysWOW64\takeown.exe
      takeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-shell-oobe-maintenance_31bf3856ad364e35_10.0.19041.4355_none_ded90f1a0a65795b\OOBE-Maintenance.exe"
      4⤵
      PID:4224
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\Windows\WinSxS\amd64_microsoft-windows-shell-oobe-maintenance_31bf3856ad364e35_10.0.19041.4355_none_ded90f1a0a65795b\OOBE-Maintenance.exe" /grant "everyone":(f)
      4⤵
      PID:4028
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-shell-previewhost_31bf3856ad364e35_10.0.19041.4355_none_b7f784ecb618dc76\f\prevhost.exe"
    3⤵
    PID:3120
  - - C:\Windows\SysWOW64\takeown.exe
      takeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-shell-previewhost_31bf3856ad364e35_10.0.19041.4355_none_b7f784ecb618dc76\f\prevhost.exe"
      4⤵
      PID:1992
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\Windows\WinSxS\amd64_microsoft-windows-shell-previewhost_31bf3856ad364e35_10.0.19041.4355_none_b7f784ecb618dc76\f\prevhost.exe" /grant "everyone":(f)
      4⤵
      PID:1132
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-shell-previewhost_31bf3856ad364e35_10.0.19041.4355_none_b7f784ecb618dc76\prevhost.exe"
    3⤵
    PID:4656
  - - C:\Windows\SysWOW64\takeown.exe
      takeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-shell-previewhost_31bf3856ad364e35_10.0.19041.4355_none_b7f784ecb618dc76\prevhost.exe"
      4⤵
      PID:1552
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\Windows\WinSxS\amd64_microsoft-windows-shell-previewhost_31bf3856ad364e35_10.0.19041.4355_none_b7f784ecb618dc76\prevhost.exe" /grant "everyone":(f)
      4⤵
      PID:3756
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-shell-previewhost_31bf3856ad364e35_10.0.19041.4355_none_b7f784ecb618dc76\r\prevhost.exe"
    3⤵
    PID:3984
  - - C:\Windows\SysWOW64\takeown.exe
      takeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-shell-previewhost_31bf3856ad364e35_10.0.19041.4355_none_b7f784ecb618dc76\r\prevhost.exe"
      4⤵
      PID:1972
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\Windows\WinSxS\amd64_microsoft-windows-shell-previewhost_31bf3856ad364e35_10.0.19041.4355_none_b7f784ecb618dc76\r\prevhost.exe" /grant "everyone":(f)
      4⤵
      PID:4848
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-shell-previewhost_31bf3856ad364e35_10.0.19041.746_none_2136afef5fadeaa4\f\prevhost.exe"
    3⤵
    PID:1808
  - - C:\Windows\SysWOW64\takeown.exe
      takeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-shell-previewhost_31bf3856ad364e35_10.0.19041.746_none_2136afef5fadeaa4\f\prevhost.exe"
      4⤵
      PID:1292
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\Windows\WinSxS\amd64_microsoft-windows-shell-previewhost_31bf3856ad364e35_10.0.19041.746_none_2136afef5fadeaa4\f\prevhost.exe" /grant "everyone":(f)
      4⤵
      PID:2044
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-shell-previewhost_31bf3856ad364e35_10.0.19041.746_none_2136afef5fadeaa4\prevhost.exe"
    3⤵
    PID:4740
  - - C:\Windows\SysWOW64\takeown.exe
      takeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-shell-previewhost_31bf3856ad364e35_10.0.19041.746_none_2136afef5fadeaa4\prevhost.exe"
      4⤵
      PID:1756
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\Windows\WinSxS\amd64_microsoft-windows-shell-previewhost_31bf3856ad364e35_10.0.19041.746_none_2136afef5fadeaa4\prevhost.exe" /grant "everyone":(f)
      4⤵
      PID:2116
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-shell-previewhost_31bf3856ad364e35_10.0.19041.746_none_2136afef5fadeaa4\r\prevhost.exe"
    3⤵
    PID:3032
  - - C:\Windows\SysWOW64\takeown.exe
      takeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-shell-previewhost_31bf3856ad364e35_10.0.19041.746_none_2136afef5fadeaa4\r\prevhost.exe"
      4⤵
      PID:3532
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\Windows\WinSxS\amd64_microsoft-windows-shell-previewhost_31bf3856ad364e35_10.0.19041.746_none_2136afef5fadeaa4\r\prevhost.exe" /grant "everyone":(f)
      4⤵
      PID:272
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-shell-shellappruntime_31bf3856ad364e35_10.0.19041.4474_none_875e2eb4b0787675\n\ShellAppRuntime.exe"
    3⤵
    PID:4644
  - - C:\Windows\SysWOW64\takeown.exe
      takeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-shell-shellappruntime_31bf3856ad364e35_10.0.19041.4474_none_875e2eb4b0787675\n\ShellAppRuntime.exe"
      4⤵
      PID:3632
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\Windows\WinSxS\amd64_microsoft-windows-shell-shellappruntime_31bf3856ad364e35_10.0.19041.4474_none_875e2eb4b0787675\n\ShellAppRuntime.exe" /grant "everyone":(f)
      4⤵
      PID:5104
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-shell-shellappruntime_31bf3856ad364e35_10.0.19041.4474_none_875e2eb4b0787675\ShellAppRuntime.exe"
    3⤵
    PID:3024
  - - C:\Windows\SysWOW64\takeown.exe
      takeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-shell-shellappruntime_31bf3856ad364e35_10.0.19041.4474_none_875e2eb4b0787675\ShellAppRuntime.exe"
      4⤵
      Possible privilege escalation attempt
      PID:3252
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\Windows\WinSxS\amd64_microsoft-windows-shell-shellappruntime_31bf3856ad364e35_10.0.19041.4474_none_875e2eb4b0787675\ShellAppRuntime.exe" /grant "everyone":(f)
      4⤵
      PID:2892
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-shellhost_31bf3856ad364e35_10.0.19041.4355_none_8b325cf5d836a14f\f\sihost.exe"
    3⤵
    PID:4248
  - - C:\Windows\SysWOW64\takeown.exe
      takeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-shellhost_31bf3856ad364e35_10.0.19041.4355_none_8b325cf5d836a14f\f\sihost.exe"
      4⤵
      PID:2916
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\Windows\WinSxS\amd64_microsoft-windows-shellhost_31bf3856ad364e35_10.0.19041.4355_none_8b325cf5d836a14f\f\sihost.exe" /grant "everyone":(f)
      4⤵
      PID:1388
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-shellhost_31bf3856ad364e35_10.0.19041.4355_none_8b325cf5d836a14f\r\sihost.exe"
    3⤵
    PID:420
  - - C:\Windows\SysWOW64\takeown.exe
      takeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-shellhost_31bf3856ad364e35_10.0.19041.4355_none_8b325cf5d836a14f\r\sihost.exe"
      4⤵
      PID:1720
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\Windows\WinSxS\amd64_microsoft-windows-shellhost_31bf3856ad364e35_10.0.19041.4355_none_8b325cf5d836a14f\r\sihost.exe" /grant "everyone":(f)
      4⤵
      PID:1964
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-shellhost_31bf3856ad364e35_10.0.19041.4355_none_8b325cf5d836a14f\sihost.exe"
    3⤵
    PID:4092
  - - C:\Windows\SysWOW64\takeown.exe
      takeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-shellhost_31bf3856ad364e35_10.0.19041.4355_none_8b325cf5d836a14f\sihost.exe"
      4⤵
      PID:1860
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\Windows\WinSxS\amd64_microsoft-windows-shellhost_31bf3856ad364e35_10.0.19041.4355_none_8b325cf5d836a14f\sihost.exe" /grant "everyone":(f)
      4⤵
      PID:4132
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-shellhost_31bf3856ad364e35_10.0.19041.746_none_f47187f881cbaf7d\f\sihost.exe"
    3⤵
    PID:4660
  - - C:\Windows\SysWOW64\takeown.exe
      takeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-shellhost_31bf3856ad364e35_10.0.19041.746_none_f47187f881cbaf7d\f\sihost.exe"
      4⤵
      PID:4720
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\Windows\WinSxS\amd64_microsoft-windows-shellhost_31bf3856ad364e35_10.0.19041.746_none_f47187f881cbaf7d\f\sihost.exe" /grant "everyone":(f)
      4⤵
      PID:4480
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-shellhost_31bf3856ad364e35_10.0.19041.746_none_f47187f881cbaf7d\r\sihost.exe"
    3⤵
    PID:404
  - - C:\Windows\SysWOW64\takeown.exe
      takeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-shellhost_31bf3856ad364e35_10.0.19041.746_none_f47187f881cbaf7d\r\sihost.exe"
      4⤵
      PID:2024
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\Windows\WinSxS\amd64_microsoft-windows-shellhost_31bf3856ad364e35_10.0.19041.746_none_f47187f881cbaf7d\r\sihost.exe" /grant "everyone":(f)
      4⤵
      PID:4460
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-shellhost_31bf3856ad364e35_10.0.19041.746_none_f47187f881cbaf7d\sihost.exe"
    3⤵
    PID:3572
  - - C:\Windows\SysWOW64\takeown.exe
      takeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-shellhost_31bf3856ad364e35_10.0.19041.746_none_f47187f881cbaf7d\sihost.exe"
      4⤵
      PID:1684
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\Windows\WinSxS\amd64_microsoft-windows-shellhost_31bf3856ad364e35_10.0.19041.746_none_f47187f881cbaf7d\sihost.exe" /grant "everyone":(f)
      4⤵
      PID:4468
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-shutdown-event-tracker_31bf3856ad364e35_10.0.19041.1_none_b8c5253467557e69\shutdown.exe"
    3⤵
    PID:4100
  - - C:\Windows\SysWOW64\takeown.exe
      takeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-shutdown-event-tracker_31bf3856ad364e35_10.0.19041.1_none_b8c5253467557e69\shutdown.exe"
      4⤵
      PID:5012
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\Windows\WinSxS\amd64_microsoft-windows-shutdown-event-tracker_31bf3856ad364e35_10.0.19041.1_none_b8c5253467557e69\shutdown.exe" /grant "everyone":(f)
      4⤵
      PID:2432
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-sigverif_31bf3856ad364e35_10.0.19041.1_none_718a91e09abc2926\sigverif.exe"
    3⤵
    PID:1564
  - - C:\Windows\SysWOW64\takeown.exe
      takeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-sigverif_31bf3856ad364e35_10.0.19041.1_none_718a91e09abc2926\sigverif.exe"
      4⤵
      PID:1304
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\Windows\WinSxS\amd64_microsoft-windows-sigverif_31bf3856ad364e35_10.0.19041.1_none_718a91e09abc2926\sigverif.exe" /grant "everyone":(f)
      4⤵
      PID:5072
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-slidetoshutdown_31bf3856ad364e35_10.0.19041.1_none_4a1699e73b1ad297\SlideToShutDown.exe"
    3⤵
    PID:4408
  - - C:\Windows\SysWOW64\takeown.exe
      takeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-slidetoshutdown_31bf3856ad364e35_10.0.19041.1_none_4a1699e73b1ad297\SlideToShutDown.exe"
      4⤵
      PID:2864
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\Windows\WinSxS\amd64_microsoft-windows-slidetoshutdown_31bf3856ad364e35_10.0.19041.1_none_4a1699e73b1ad297\SlideToShutDown.exe" /grant "everyone":(f)
      4⤵
      PID:2576
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-smartscreen_31bf3856ad364e35_10.0.19041.1052_none_323c9a9ad543e3a3\f\smartscreen.exe"
    3⤵
    PID:4372
  - - C:\Windows\SysWOW64\takeown.exe
      takeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-smartscreen_31bf3856ad364e35_10.0.19041.1052_none_323c9a9ad543e3a3\f\smartscreen.exe"
      4⤵
      PID:4732
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\Windows\WinSxS\amd64_microsoft-windows-smartscreen_31bf3856ad364e35_10.0.19041.1052_none_323c9a9ad543e3a3\f\smartscreen.exe" /grant "everyone":(f)
      4⤵
      PID:2644
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-smartscreen_31bf3856ad364e35_10.0.19041.1052_none_323c9a9ad543e3a3\r\smartscreen.exe"
    3⤵
    PID:900
  - - C:\Windows\SysWOW64\takeown.exe
      takeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-smartscreen_31bf3856ad364e35_10.0.19041.1052_none_323c9a9ad543e3a3\r\smartscreen.exe"
      4⤵
      PID:4388
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\Windows\WinSxS\amd64_microsoft-windows-smartscreen_31bf3856ad364e35_10.0.19041.1052_none_323c9a9ad543e3a3\r\smartscreen.exe" /grant "everyone":(f)
      4⤵
      PID:2176
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-smartscreen_31bf3856ad364e35_10.0.19041.1052_none_323c9a9ad543e3a3\smartscreen.exe"
    3⤵
    PID:1988
  - - C:\Windows\SysWOW64\takeown.exe
      takeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-smartscreen_31bf3856ad364e35_10.0.19041.1052_none_323c9a9ad543e3a3\smartscreen.exe"
      4⤵
      PID:1764
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\Windows\WinSxS\amd64_microsoft-windows-smartscreen_31bf3856ad364e35_10.0.19041.1052_none_323c9a9ad543e3a3\smartscreen.exe" /grant "everyone":(f)
      4⤵
      PID:4828
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-smartscreen_31bf3856ad364e35_10.0.19041.4474_none_321333a0d562b0cc\f\smartscreen.exe"
    3⤵
    PID:1280
  - - C:\Windows\SysWOW64\takeown.exe
      takeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-smartscreen_31bf3856ad364e35_10.0.19041.4474_none_321333a0d562b0cc\f\smartscreen.exe"
      4⤵
      PID:60
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\Windows\WinSxS\amd64_microsoft-windows-smartscreen_31bf3856ad364e35_10.0.19041.4474_none_321333a0d562b0cc\f\smartscreen.exe" /grant "everyone":(f)
      4⤵
      PID:3488
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-smartscreen_31bf3856ad364e35_10.0.19041.4474_none_321333a0d562b0cc\r\smartscreen.exe"
    3⤵
    PID:3832
  - - C:\Windows\SysWOW64\takeown.exe
      takeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-smartscreen_31bf3856ad364e35_10.0.19041.4474_none_321333a0d562b0cc\r\smartscreen.exe"
      4⤵
      PID:3440
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\Windows\WinSxS\amd64_microsoft-windows-smartscreen_31bf3856ad364e35_10.0.19041.4474_none_321333a0d562b0cc\r\smartscreen.exe" /grant "everyone":(f)
      4⤵
      PID:2380
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-smartscreen_31bf3856ad364e35_10.0.19041.4474_none_321333a0d562b0cc\smartscreen.exe"
    3⤵
    PID:3252
  - - C:\Windows\SysWOW64\takeown.exe
      takeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-smartscreen_31bf3856ad364e35_10.0.19041.4474_none_321333a0d562b0cc\smartscreen.exe"
      4⤵
      PID:3024
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\Windows\WinSxS\amd64_microsoft-windows-smartscreen_31bf3856ad364e35_10.0.19041.4474_none_321333a0d562b0cc\smartscreen.exe" /grant "everyone":(f)
      4⤵
      PID:4024
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-smss-minwin_31bf3856ad364e35_10.0.19041.3636_none_f2f86d069e1fe195\f\smss.exe"
    3⤵
    PID:4776
  - - C:\Windows\SysWOW64\takeown.exe
      takeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-smss-minwin_31bf3856ad364e35_10.0.19041.3636_none_f2f86d069e1fe195\f\smss.exe"
      4⤵
      PID:2908
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\Windows\WinSxS\amd64_microsoft-windows-smss-minwin_31bf3856ad364e35_10.0.19041.3636_none_f2f86d069e1fe195\f\smss.exe" /grant "everyone":(f)
      4⤵
      PID:3124
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-smss-minwin_31bf3856ad364e35_10.0.19041.3636_none_f2f86d069e1fe195\r\smss.exe"
    3⤵
    PID:4784
  - - C:\Windows\SysWOW64\takeown.exe
      takeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-smss-minwin_31bf3856ad364e35_10.0.19041.3636_none_f2f86d069e1fe195\r\smss.exe"
      4⤵
      PID:1816
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\Windows\WinSxS\amd64_microsoft-windows-smss-minwin_31bf3856ad364e35_10.0.19041.3636_none_f2f86d069e1fe195\r\smss.exe" /grant "everyone":(f)
      4⤵
      PID:3436
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-smss-minwin_31bf3856ad364e35_10.0.19041.3636_none_f2f86d069e1fe195\smss.exe"
    3⤵
    PID:708
  - - C:\Windows\SysWOW64\takeown.exe
      takeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-smss-minwin_31bf3856ad364e35_10.0.19041.3636_none_f2f86d069e1fe195\smss.exe"
      4⤵
      PID:4092
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\Windows\WinSxS\amd64_microsoft-windows-smss-minwin_31bf3856ad364e35_10.0.19041.3636_none_f2f86d069e1fe195\smss.exe" /grant "everyone":(f)
      4⤵
      PID:2276
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-smss-minwin_31bf3856ad364e35_10.0.19041.964_none_5c42846f47acb1a6\f\smss.exe"
    3⤵
    PID:4424
  - - C:\Windows\SysWOW64\takeown.exe
      takeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-smss-minwin_31bf3856ad364e35_10.0.19041.964_none_5c42846f47acb1a6\f\smss.exe"
      4⤵
      PID:4660
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\Windows\WinSxS\amd64_microsoft-windows-smss-minwin_31bf3856ad364e35_10.0.19041.964_none_5c42846f47acb1a6\f\smss.exe" /grant "everyone":(f)
      4⤵
      PID:2052
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-smss-minwin_31bf3856ad364e35_10.0.19041.964_none_5c42846f47acb1a6\r\smss.exe"
    3⤵
    PID:1644
  - - C:\Windows\SysWOW64\takeown.exe
      takeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-smss-minwin_31bf3856ad364e35_10.0.19041.964_none_5c42846f47acb1a6\r\smss.exe"
      4⤵
      PID:2080
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\Windows\WinSxS\amd64_microsoft-windows-smss-minwin_31bf3856ad364e35_10.0.19041.964_none_5c42846f47acb1a6\r\smss.exe" /grant "everyone":(f)
      4⤵
      PID:4108
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-smss-minwin_31bf3856ad364e35_10.0.19041.964_none_5c42846f47acb1a6\smss.exe"
    3⤵
    PID:652
  - - C:\Windows\SysWOW64\takeown.exe
      takeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-smss-minwin_31bf3856ad364e35_10.0.19041.964_none_5c42846f47acb1a6\smss.exe"
      4⤵
      PID:4580
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\Windows\WinSxS\amd64_microsoft-windows-smss-minwin_31bf3856ad364e35_10.0.19041.964_none_5c42846f47acb1a6\smss.exe" /grant "everyone":(f)
      4⤵
      PID:4552
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-snippingtool-app_31bf3856ad364e35_10.0.19041.4355_none_0e7e21f93edd2a79\f\SnippingTool.exe"
    3⤵
    - System Network Configuration Discovery: Internet Connection Discovery
    PID:5012
  - - C:\Windows\SysWOW64\takeown.exe
      takeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-snippingtool-app_31bf3856ad364e35_10.0.19041.4355_none_0e7e21f93edd2a79\f\SnippingTool.exe"
      4⤵
      PID:1192
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\Windows\WinSxS\amd64_microsoft-windows-snippingtool-app_31bf3856ad364e35_10.0.19041.4355_none_0e7e21f93edd2a79\f\SnippingTool.exe" /grant "everyone":(f)
      4⤵
      PID:4788
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-snippingtool-app_31bf3856ad364e35_10.0.19041.4355_none_0e7e21f93edd2a79\r\SnippingTool.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    - System Network Configuration Discovery: Internet Connection Discovery
    PID:1304
  - - C:\Windows\SysWOW64\takeown.exe
      takeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-snippingtool-app_31bf3856ad364e35_10.0.19041.4355_none_0e7e21f93edd2a79\r\SnippingTool.exe"
      4⤵
      PID:2028
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\Windows\WinSxS\amd64_microsoft-windows-snippingtool-app_31bf3856ad364e35_10.0.19041.4355_none_0e7e21f93edd2a79\r\SnippingTool.exe" /grant "everyone":(f)
      4⤵
      PID:4128
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-snippingtool-app_31bf3856ad364e35_10.0.19041.4355_none_0e7e21f93edd2a79\SnippingTool.exe"
    3⤵
    - System Network Configuration Discovery: Internet Connection Discovery
    PID:1972
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:4656
  - - C:\Windows\SysWOW64\takeown.exe
      takeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-snippingtool-app_31bf3856ad364e35_10.0.19041.4355_none_0e7e21f93edd2a79\SnippingTool.exe"
      4⤵
      PID:1692
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\Windows\WinSxS\amd64_microsoft-windows-snippingtool-app_31bf3856ad364e35_10.0.19041.4355_none_0e7e21f93edd2a79\SnippingTool.exe" /grant "everyone":(f)
      4⤵
      PID:2396
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-snippingtool-app_31bf3856ad364e35_10.0.19041.746_none_77bd4cfbe87238a7\f\SnippingTool.exe"
    3⤵
    - System Network Configuration Discovery: Internet Connection Discovery
    PID:2096
  - - C:\Windows\SysWOW64\takeown.exe
      takeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-snippingtool-app_31bf3856ad364e35_10.0.19041.746_none_77bd4cfbe87238a7\f\SnippingTool.exe"
      4⤵
      PID:4900
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\Windows\WinSxS\amd64_microsoft-windows-snippingtool-app_31bf3856ad364e35_10.0.19041.746_none_77bd4cfbe87238a7\f\SnippingTool.exe" /grant "everyone":(f)
      4⤵
      PID:4624
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-snippingtool-app_31bf3856ad364e35_10.0.19041.746_none_77bd4cfbe87238a7\r\SnippingTool.exe"
    3⤵
    - System Network Configuration Discovery: Internet Connection Discovery
    PID:3996
  - - C:\Windows\SysWOW64\takeown.exe
      takeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-snippingtool-app_31bf3856ad364e35_10.0.19041.746_none_77bd4cfbe87238a7\r\SnippingTool.exe"
      4⤵
      PID:2044
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\Windows\WinSxS\amd64_microsoft-windows-snippingtool-app_31bf3856ad364e35_10.0.19041.746_none_77bd4cfbe87238a7\r\SnippingTool.exe" /grant "everyone":(f)
      4⤵
      PID:3492
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-snippingtool-app_31bf3856ad364e35_10.0.19041.746_none_77bd4cfbe87238a7\SnippingTool.exe"
    3⤵
    - System Network Configuration Discovery: Internet Connection Discovery
    PID:3008
  - - C:\Windows\SysWOW64\takeown.exe
      takeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-snippingtool-app_31bf3856ad364e35_10.0.19041.746_none_77bd4cfbe87238a7\SnippingTool.exe"
      4⤵
      PID:2116
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\Windows\WinSxS\amd64_microsoft-windows-snippingtool-app_31bf3856ad364e35_10.0.19041.746_none_77bd4cfbe87238a7\SnippingTool.exe" /grant "everyone":(f)
      4⤵
      PID:1116
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-snmp-trap-service_31bf3856ad364e35_10.0.19041.1_none_857c0c60dec56103\snmptrap.exe"
    3⤵
    PID:3116
  - - C:\Windows\SysWOW64\takeown.exe
      takeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-snmp-trap-service_31bf3856ad364e35_10.0.19041.1_none_857c0c60dec56103\snmptrap.exe"
      4⤵
      PID:4696
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\Windows\WinSxS\amd64_microsoft-windows-snmp-trap-service_31bf3856ad364e35_10.0.19041.1_none_857c0c60dec56103\snmptrap.exe" /grant "everyone":(f)
      4⤵
      PID:3632
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-sort_31bf3856ad364e35_10.0.19041.1_none_61af30d6b8e070e1\sort.exe"
    3⤵
    PID:3908
  - - C:\Windows\SysWOW64\takeown.exe
      takeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-sort_31bf3856ad364e35_10.0.19041.1_none_61af30d6b8e070e1\sort.exe"
      4⤵
      PID:3256
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\Windows\WinSxS\amd64_microsoft-windows-sort_31bf3856ad364e35_10.0.19041.1_none_61af30d6b8e070e1\sort.exe" /grant "everyone":(f)
      4⤵
      Possible privilege escalation attempt
      PID:2992
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-spectrum_31bf3856ad364e35_10.0.19041.1151_none_f0b5afbf42eaff75\f\Spectrum.exe"
    3⤵
    PID:2828
  - - C:\Windows\SysWOW64\takeown.exe
      takeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-spectrum_31bf3856ad364e35_10.0.19041.1151_none_f0b5afbf42eaff75\f\Spectrum.exe"
      4⤵
      PID:2892
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\Windows\WinSxS\amd64_microsoft-windows-spectrum_31bf3856ad364e35_10.0.19041.1151_none_f0b5afbf42eaff75\f\Spectrum.exe" /grant "everyone":(f)
      4⤵
      PID:4348
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-spectrum_31bf3856ad364e35_10.0.19041.1151_none_f0b5afbf42eaff75\r\Spectrum.exe"
    3⤵
    PID:3124
  - - C:\Windows\SysWOW64\takeown.exe
      takeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-spectrum_31bf3856ad364e35_10.0.19041.1151_none_f0b5afbf42eaff75\r\Spectrum.exe"
      4⤵
      PID:4396
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\Windows\WinSxS\amd64_microsoft-windows-spectrum_31bf3856ad364e35_10.0.19041.1151_none_f0b5afbf42eaff75\r\Spectrum.exe" /grant "everyone":(f)
      4⤵
      PID:824
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-spectrum_31bf3856ad364e35_10.0.19041.1151_none_f0b5afbf42eaff75\Spectrum.exe"
    3⤵
    PID:1916
  - - C:\Windows\SysWOW64\takeown.exe
      takeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-spectrum_31bf3856ad364e35_10.0.19041.1151_none_f0b5afbf42eaff75\Spectrum.exe"
      4⤵
      PID:3536
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\Windows\WinSxS\amd64_microsoft-windows-spectrum_31bf3856ad364e35_10.0.19041.1151_none_f0b5afbf42eaff75\Spectrum.exe" /grant "everyone":(f)
      4⤵
      PID:1100
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-spectrum_31bf3856ad364e35_10.0.19041.4522_none_f0875e1b430e344a\f\Spectrum.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3892
  - - C:\Windows\SysWOW64\takeown.exe
      takeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-spectrum_31bf3856ad364e35_10.0.19041.4522_none_f0875e1b430e344a\f\Spectrum.exe"
      4⤵
      PID:4836
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\Windows\WinSxS\amd64_microsoft-windows-spectrum_31bf3856ad364e35_10.0.19041.4522_none_f0875e1b430e344a\f\Spectrum.exe" /grant "everyone":(f)
      4⤵
      PID:4720
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-spectrum_31bf3856ad364e35_10.0.19041.4522_none_f0875e1b430e344a\r\Spectrum.exe"
    3⤵
    PID:2476
  - - C:\Windows\SysWOW64\takeown.exe
      takeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-spectrum_31bf3856ad364e35_10.0.19041.4522_none_f0875e1b430e344a\r\Spectrum.exe"
      4⤵
      PID:3036
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\Windows\WinSxS\amd64_microsoft-windows-spectrum_31bf3856ad364e35_10.0.19041.4522_none_f0875e1b430e344a\r\Spectrum.exe" /grant "everyone":(f)
      4⤵
      PID:404
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-spectrum_31bf3856ad364e35_10.0.19041.4522_none_f0875e1b430e344a\Spectrum.exe"
    3⤵
    PID:956
  - - C:\Windows\SysWOW64\takeown.exe
      takeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-spectrum_31bf3856ad364e35_10.0.19041.4522_none_f0875e1b430e344a\Spectrum.exe"
      4⤵
      PID:3132
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\Windows\WinSxS\amd64_microsoft-windows-spectrum_31bf3856ad364e35_10.0.19041.4522_none_f0875e1b430e344a\Spectrum.exe" /grant "everyone":(f)
      4⤵
      PID:1612
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-speech-userexperience_31bf3856ad364e35_10.0.19041.4355_none_90c40fd50106d653\SpeechUXWiz.exe"
    3⤵
    PID:4296
  - - C:\Windows\SysWOW64\takeown.exe
      takeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-speech-userexperience_31bf3856ad364e35_10.0.19041.4355_none_90c40fd50106d653\SpeechUXWiz.exe"
      4⤵
      PID:644
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\Windows\WinSxS\amd64_microsoft-windows-speech-userexperience_31bf3856ad364e35_10.0.19041.4355_none_90c40fd50106d653\SpeechUXWiz.exe" /grant "everyone":(f)
      4⤵
      PID:3048
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-speech-userexperience_31bf3856ad364e35_10.0.19041.746_none_fa033ad7aa9be481\SpeechUXWiz.exe"
    3⤵
    PID:4224
  - - C:\Windows\SysWOW64\takeown.exe
      takeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-speech-userexperience_31bf3856ad364e35_10.0.19041.746_none_fa033ad7aa9be481\SpeechUXWiz.exe"
      4⤵
      PID:4516
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\Windows\WinSxS\amd64_microsoft-windows-speech-userexperience_31bf3856ad364e35_10.0.19041.746_none_fa033ad7aa9be481\SpeechUXWiz.exe" /grant "everyone":(f)
      4⤵
      PID:4284
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-speechcommon-onecore_31bf3856ad364e35_10.0.19041.1081_none_e836fc4ed2e2ecc1\f\SpeechModelDownload.exe"
    3⤵
    PID:5072
  - - C:\Windows\SysWOW64\takeown.exe
      takeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-speechcommon-onecore_31bf3856ad364e35_10.0.19041.1081_none_e836fc4ed2e2ecc1\f\SpeechModelDownload.exe"
      4⤵
      System Location Discovery: System Language Discovery
      PID:348
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\Windows\WinSxS\amd64_microsoft-windows-speechcommon-onecore_31bf3856ad364e35_10.0.19041.1081_none_e836fc4ed2e2ecc1\f\SpeechModelDownload.exe" /grant "everyone":(f)
      4⤵
      PID:1552
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-speechcommon-onecore_31bf3856ad364e35_10.0.19041.1081_none_e836fc4ed2e2ecc1\r\SpeechModelDownload.exe"
    3⤵
    PID:2028
  - - C:\Windows\SysWOW64\takeown.exe
      takeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-speechcommon-onecore_31bf3856ad364e35_10.0.19041.1081_none_e836fc4ed2e2ecc1\r\SpeechModelDownload.exe"
      4⤵
      PID:4408
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\Windows\WinSxS\amd64_microsoft-windows-speechcommon-onecore_31bf3856ad364e35_10.0.19041.1081_none_e836fc4ed2e2ecc1\r\SpeechModelDownload.exe" /grant "everyone":(f)
      4⤵
      PID:3756
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-speechcommon-onecore_31bf3856ad364e35_10.0.19041.1081_none_e836fc4ed2e2ecc1\SpeechModelDownload.exe"
    3⤵
    PID:4536
  - - C:\Windows\SysWOW64\takeown.exe
      takeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-speechcommon-onecore_31bf3856ad364e35_10.0.19041.1081_none_e836fc4ed2e2ecc1\SpeechModelDownload.exe"
      4⤵
      PID:1016
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\Windows\WinSxS\amd64_microsoft-windows-speechcommon-onecore_31bf3856ad364e35_10.0.19041.1081_none_e836fc4ed2e2ecc1\SpeechModelDownload.exe" /grant "everyone":(f)
      4⤵
      PID:3984
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-speechcommon-onecore_31bf3856ad364e35_10.0.19041.4529_none_e7fa3a68d311a4e9\f\SpeechModelDownload.exe"
    3⤵
    PID:3800
  - - C:\Windows\SysWOW64\takeown.exe
      takeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-speechcommon-onecore_31bf3856ad364e35_10.0.19041.4529_none_e7fa3a68d311a4e9\f\SpeechModelDownload.exe"
      4⤵
      PID:8
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\Windows\WinSxS\amd64_microsoft-windows-speechcommon-onecore_31bf3856ad364e35_10.0.19041.4529_none_e7fa3a68d311a4e9\f\SpeechModelDownload.exe" /grant "everyone":(f)
      4⤵
      PID:1808
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-speechcommon-onecore_31bf3856ad364e35_10.0.19041.4529_none_e7fa3a68d311a4e9\r\SpeechModelDownload.exe"
    3⤵
    PID:2492
  - - C:\Windows\SysWOW64\takeown.exe
      takeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-speechcommon-onecore_31bf3856ad364e35_10.0.19041.4529_none_e7fa3a68d311a4e9\r\SpeechModelDownload.exe"
      4⤵
      PID:4136
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\Windows\WinSxS\amd64_microsoft-windows-speechcommon-onecore_31bf3856ad364e35_10.0.19041.4529_none_e7fa3a68d311a4e9\r\SpeechModelDownload.exe" /grant "everyone":(f)
      4⤵
      PID:4740
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-speechcommon-onecore_31bf3856ad364e35_10.0.19041.4529_none_e7fa3a68d311a4e9\SpeechModelDownload.exe"
    3⤵
    PID:3596
  - - C:\Windows\SysWOW64\takeown.exe
      takeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-speechcommon-onecore_31bf3856ad364e35_10.0.19041.4529_none_e7fa3a68d311a4e9\SpeechModelDownload.exe"
      4⤵
      PID:272
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\Windows\WinSxS\amd64_microsoft-windows-speechcommon-onecore_31bf3856ad364e35_10.0.19041.4529_none_e7fa3a68d311a4e9\SpeechModelDownload.exe" /grant "everyone":(f)
      4⤵
      PID:756
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-speechcommonnoia64_31bf3856ad364e35_10.0.19041.1_none_b89a948362edb3e7\sapisvr.exe"
    3⤵
    PID:724
  - - C:\Windows\SysWOW64\takeown.exe
      takeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-speechcommonnoia64_31bf3856ad364e35_10.0.19041.1_none_b89a948362edb3e7\sapisvr.exe"
      4⤵
      PID:1628
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\Windows\WinSxS\amd64_microsoft-windows-speechcommonnoia64_31bf3856ad364e35_10.0.19041.1_none_b89a948362edb3e7\sapisvr.exe" /grant "everyone":(f)
      4⤵
      PID:1996
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-spelling-host.binaries_31bf3856ad364e35_10.0.19041.3636_none_81cb2921977b3bb6\f\MsSpellCheckingHost.exe"
    3⤵
    PID:4248
  - - C:\Windows\SysWOW64\takeown.exe
      takeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-spelling-host.binaries_31bf3856ad364e35_10.0.19041.3636_none_81cb2921977b3bb6\f\MsSpellCheckingHost.exe"
      4⤵
      Possible privilege escalation attempt
      PID:1960
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\Windows\WinSxS\amd64_microsoft-windows-spelling-host.binaries_31bf3856ad364e35_10.0.19041.3636_none_81cb2921977b3bb6\f\MsSpellCheckingHost.exe" /grant "everyone":(f)
      4⤵
      PID:1524
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-spelling-host.binaries_31bf3856ad364e35_10.0.19041.3636_none_81cb2921977b3bb6\MsSpellCheckingHost.exe"
    3⤵
    PID:4636
  - - C:\Windows\SysWOW64\takeown.exe
      takeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-spelling-host.binaries_31bf3856ad364e35_10.0.19041.3636_none_81cb2921977b3bb6\MsSpellCheckingHost.exe"
      4⤵
      PID:3244
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\Windows\WinSxS\amd64_microsoft-windows-spelling-host.binaries_31bf3856ad364e35_10.0.19041.3636_none_81cb2921977b3bb6\MsSpellCheckingHost.exe" /grant "everyone":(f)
      4⤵
      System Location Discovery: System Language Discovery
      PID:1828
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-spelling-host.binaries_31bf3856ad364e35_10.0.19041.3636_none_81cb2921977b3bb6\r\MsSpellCheckingHost.exe"
    3⤵
    PID:3960
  - - C:\Windows\SysWOW64\takeown.exe
      takeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-spelling-host.binaries_31bf3856ad364e35_10.0.19041.3636_none_81cb2921977b3bb6\r\MsSpellCheckingHost.exe"
      4⤵
      PID:2220
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\Windows\WinSxS\amd64_microsoft-windows-spelling-host.binaries_31bf3856ad364e35_10.0.19041.3636_none_81cb2921977b3bb6\r\MsSpellCheckingHost.exe" /grant "everyone":(f)
      4⤵
      PID:4784
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-spelling-host.binaries_31bf3856ad364e35_10.0.19041.746_none_eb2cdd2a40f60c45\f\MsSpellCheckingHost.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4472
  - - C:\Windows\SysWOW64\takeown.exe
      takeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-spelling-host.binaries_31bf3856ad364e35_10.0.19041.746_none_eb2cdd2a40f60c45\f\MsSpellCheckingHost.exe"
      4⤵
      PID:5016
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\Windows\WinSxS\amd64_microsoft-windows-spelling-host.binaries_31bf3856ad364e35_10.0.19041.746_none_eb2cdd2a40f60c45\f\MsSpellCheckingHost.exe" /grant "everyone":(f)
      4⤵
      PID:2924
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-spelling-host.binaries_31bf3856ad364e35_10.0.19041.746_none_eb2cdd2a40f60c45\MsSpellCheckingHost.exe"
    3⤵
    PID:3372
  - - C:\Windows\SysWOW64\takeown.exe
      takeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-spelling-host.binaries_31bf3856ad364e35_10.0.19041.746_none_eb2cdd2a40f60c45\MsSpellCheckingHost.exe"
      4⤵
      PID:4752
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\Windows\WinSxS\amd64_microsoft-windows-spelling-host.binaries_31bf3856ad364e35_10.0.19041.746_none_eb2cdd2a40f60c45\MsSpellCheckingHost.exe" /grant "everyone":(f)
      4⤵
      PID:4300
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-spelling-host.binaries_31bf3856ad364e35_10.0.19041.746_none_eb2cdd2a40f60c45\r\MsSpellCheckingHost.exe"
    3⤵
    PID:2052
  - - C:\Windows\SysWOW64\takeown.exe
      takeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-spelling-host.binaries_31bf3856ad364e35_10.0.19041.746_none_eb2cdd2a40f60c45\r\MsSpellCheckingHost.exe"
      4⤵
      PID:4564
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\Windows\WinSxS\amd64_microsoft-windows-spelling-host.binaries_31bf3856ad364e35_10.0.19041.746_none_eb2cdd2a40f60c45\r\MsSpellCheckingHost.exe" /grant "everyone":(f)
      4⤵
      PID:4816
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-sqm-consolidator-base_31bf3856ad364e35_10.0.19041.1081_none_491d51c316b5ea8f\f\wsqmcons.exe"
    3⤵
    PID:4552
  - - C:\Windows\SysWOW64\takeown.exe
      takeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-sqm-consolidator-base_31bf3856ad364e35_10.0.19041.1081_none_491d51c316b5ea8f\f\wsqmcons.exe"
      4⤵
      PID:1492
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\Windows\WinSxS\amd64_microsoft-windows-sqm-consolidator-base_31bf3856ad364e35_10.0.19041.1081_none_491d51c316b5ea8f\f\wsqmcons.exe" /grant "everyone":(f)
      4⤵
      PID:3432
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-sqm-consolidator-base_31bf3856ad364e35_10.0.19041.1081_none_491d51c316b5ea8f\r\wsqmcons.exe"
    3⤵
    PID:4516
  - - C:\Windows\SysWOW64\takeown.exe
      takeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-sqm-consolidator-base_31bf3856ad364e35_10.0.19041.1081_none_491d51c316b5ea8f\r\wsqmcons.exe"
      4⤵
      PID:3160
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\Windows\WinSxS\amd64_microsoft-windows-sqm-consolidator-base_31bf3856ad364e35_10.0.19041.1081_none_491d51c316b5ea8f\r\wsqmcons.exe" /grant "everyone":(f)
      4⤵
      PID:1564
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-sqm-consolidator-base_31bf3856ad364e35_10.0.19041.1081_none_491d51c316b5ea8f\wsqmcons.exe"
    3⤵
    PID:1304
  - - C:\Windows\SysWOW64\takeown.exe
      takeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-sqm-consolidator-base_31bf3856ad364e35_10.0.19041.1081_none_491d51c316b5ea8f\wsqmcons.exe"
      4⤵
      Modifies file permissions
      PID:1804
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\Windows\WinSxS\amd64_microsoft-windows-sqm-consolidator-base_31bf3856ad364e35_10.0.19041.1081_none_491d51c316b5ea8f\wsqmcons.exe" /grant "everyone":(f)
      4⤵
      PID:2576
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-sqm-consolidator-base_31bf3856ad364e35_10.0.19041.4355_none_48f98bb316d15056\f\wsqmcons.exe"
    3⤵
    PID:1920
  - - C:\Windows\SysWOW64\takeown.exe
      takeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-sqm-consolidator-base_31bf3856ad364e35_10.0.19041.4355_none_48f98bb316d15056\f\wsqmcons.exe"
      4⤵
      PID:1692
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\Windows\WinSxS\amd64_microsoft-windows-sqm-consolidator-base_31bf3856ad364e35_10.0.19041.4355_none_48f98bb316d15056\f\wsqmcons.exe" /grant "everyone":(f)
      4⤵
      PID:3080
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-sqm-consolidator-base_31bf3856ad364e35_10.0.19041.4355_none_48f98bb316d15056\r\wsqmcons.exe"
    3⤵
    PID:4508
  - - C:\Windows\SysWOW64\takeown.exe
      takeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-sqm-consolidator-base_31bf3856ad364e35_10.0.19041.4355_none_48f98bb316d15056\r\wsqmcons.exe"
      4⤵
      PID:4900
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\Windows\WinSxS\amd64_microsoft-windows-sqm-consolidator-base_31bf3856ad364e35_10.0.19041.4355_none_48f98bb316d15056\r\wsqmcons.exe" /grant "everyone":(f)
      4⤵
      PID:4156
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-sqm-consolidator-base_31bf3856ad364e35_10.0.19041.4355_none_48f98bb316d15056\wsqmcons.exe"
    3⤵
    PID:4312
  - - C:\Windows\SysWOW64\takeown.exe
      takeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-sqm-consolidator-base_31bf3856ad364e35_10.0.19041.4355_none_48f98bb316d15056\wsqmcons.exe"
      4⤵
      PID:3532
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\Windows\WinSxS\amd64_microsoft-windows-sqm-consolidator-base_31bf3856ad364e35_10.0.19041.4355_none_48f98bb316d15056\wsqmcons.exe" /grant "everyone":(f)
      4⤵
      PID:1924
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-srdelayed_31bf3856ad364e35_10.0.19041.1_none_0c4e6556fb852148\srdelayed.exe"
    3⤵
    PID:1764
  - - C:\Windows\SysWOW64\takeown.exe
      takeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-srdelayed_31bf3856ad364e35_10.0.19041.1_none_0c4e6556fb852148\srdelayed.exe"
      4⤵
      PID:4196
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\Windows\WinSxS\amd64_microsoft-windows-srdelayed_31bf3856ad364e35_10.0.19041.1_none_0c4e6556fb852148\srdelayed.exe" /grant "everyone":(f)
      4⤵
      PID:860
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-starttiledata_31bf3856ad364e35_10.0.19041.1202_none_05856bbd8f935e6b\DataStoreCacheDumpTool.exe"
    3⤵
    PID:60
  - - C:\Windows\SysWOW64\takeown.exe
      takeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-starttiledata_31bf3856ad364e35_10.0.19041.1202_none_05856bbd8f935e6b\DataStoreCacheDumpTool.exe"
      4⤵
      PID:4696
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\Windows\WinSxS\amd64_microsoft-windows-starttiledata_31bf3856ad364e35_10.0.19041.1202_none_05856bbd8f935e6b\DataStoreCacheDumpTool.exe" /grant "everyone":(f)
      4⤵
      PID:2380
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-starttiledata_31bf3856ad364e35_10.0.19041.1202_none_05856bbd8f935e6b\f\DataStoreCacheDumpTool.exe"
    3⤵
    PID:3528
  - - C:\Windows\SysWOW64\takeown.exe
      takeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-starttiledata_31bf3856ad364e35_10.0.19041.1202_none_05856bbd8f935e6b\f\DataStoreCacheDumpTool.exe"
      4⤵
      PID:3024
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\Windows\WinSxS\amd64_microsoft-windows-starttiledata_31bf3856ad364e35_10.0.19041.1202_none_05856bbd8f935e6b\f\DataStoreCacheDumpTool.exe" /grant "everyone":(f)
      4⤵
      PID:2892
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-starttiledata_31bf3856ad364e35_10.0.19041.1202_none_05856bbd8f935e6b\r\DataStoreCacheDumpTool.exe"
    3⤵
    PID:1960
  - - C:\Windows\SysWOW64\takeown.exe
      takeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-starttiledata_31bf3856ad364e35_10.0.19041.1202_none_05856bbd8f935e6b\r\DataStoreCacheDumpTool.exe"
      4⤵
      PID:3212
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\Windows\WinSxS\amd64_microsoft-windows-starttiledata_31bf3856ad364e35_10.0.19041.1202_none_05856bbd8f935e6b\r\DataStoreCacheDumpTool.exe" /grant "everyone":(f)
      4⤵
      System Location Discovery: System Language Discovery
      PID:1316
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-starttiledata_31bf3856ad364e35_10.0.19041.4474_none_0576a60d8f9d7265\DataStoreCacheDumpTool.exe"
    3⤵
    PID:3244
  - - C:\Windows\SysWOW64\takeown.exe
      takeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-starttiledata_31bf3856ad364e35_10.0.19041.4474_none_0576a60d8f9d7265\DataStoreCacheDumpTool.exe"
      4⤵
      PID:4172
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\Windows\WinSxS\amd64_microsoft-windows-starttiledata_31bf3856ad364e35_10.0.19041.4474_none_0576a60d8f9d7265\DataStoreCacheDumpTool.exe" /grant "everyone":(f)
      4⤵
      PID:2628
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-starttiledata_31bf3856ad364e35_10.0.19041.4474_none_0576a60d8f9d7265\f\DataStoreCacheDumpTool.exe"
    3⤵
    PID:2220
  - - C:\Windows\SysWOW64\takeown.exe
      takeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-starttiledata_31bf3856ad364e35_10.0.19041.4474_none_0576a60d8f9d7265\f\DataStoreCacheDumpTool.exe"
      4⤵
      PID:4092
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\Windows\WinSxS\amd64_microsoft-windows-starttiledata_31bf3856ad364e35_10.0.19041.4474_none_0576a60d8f9d7265\f\DataStoreCacheDumpTool.exe" /grant "everyone":(f)
      4⤵
      PID:4480
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-starttiledata_31bf3856ad364e35_10.0.19041.4474_none_0576a60d8f9d7265\r\DataStoreCacheDumpTool.exe"
    3⤵
    PID:4836
  - - C:\Windows\SysWOW64\takeown.exe
      takeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-starttiledata_31bf3856ad364e35_10.0.19041.4474_none_0576a60d8f9d7265\r\DataStoreCacheDumpTool.exe"
      4⤵
      PID:4472
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\Windows\WinSxS\amd64_microsoft-windows-starttiledata_31bf3856ad364e35_10.0.19041.4474_none_0576a60d8f9d7265\r\DataStoreCacheDumpTool.exe" /grant "everyone":(f)
      4⤵
      PID:4660
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-storage-diagnostics_31bf3856ad364e35_10.0.19041.1_none_2aa26221a7a3d549\stordiag.exe"
    3⤵
    PID:524
  - - C:\Windows\SysWOW64\takeown.exe
      takeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-storage-diagnostics_31bf3856ad364e35_10.0.19041.1_none_2aa26221a7a3d549\stordiag.exe"
      4⤵
      PID:1056
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\Windows\WinSxS\amd64_microsoft-windows-storage-diagnostics_31bf3856ad364e35_10.0.19041.1_none_2aa26221a7a3d549\stordiag.exe" /grant "everyone":(f)
      4⤵
      PID:956
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-sxs_31bf3856ad364e35_10.0.19041.4355_none_2306bbe60cddf1d1\f\sxstrace.exe"
    3⤵
    PID:4564
  - - C:\Windows\SysWOW64\takeown.exe
      takeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-sxs_31bf3856ad364e35_10.0.19041.4355_none_2306bbe60cddf1d1\f\sxstrace.exe"
      4⤵
      PID:4108
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\Windows\WinSxS\amd64_microsoft-windows-sxs_31bf3856ad364e35_10.0.19041.4355_none_2306bbe60cddf1d1\f\sxstrace.exe" /grant "everyone":(f)
      4⤵
      PID:2432
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-sxs_31bf3856ad364e35_10.0.19041.4355_none_2306bbe60cddf1d1\r\sxstrace.exe"
    3⤵
    PID:1492
  - - C:\Windows\SysWOW64\takeown.exe
      takeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-sxs_31bf3856ad364e35_10.0.19041.4355_none_2306bbe60cddf1d1\r\sxstrace.exe"
      4⤵
      PID:4552
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\Windows\WinSxS\amd64_microsoft-windows-sxs_31bf3856ad364e35_10.0.19041.4355_none_2306bbe60cddf1d1\r\sxstrace.exe" /grant "everyone":(f)
      4⤵
      Possible privilege escalation attempt
      PID:4284
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-sxs_31bf3856ad364e35_10.0.19041.4355_none_2306bbe60cddf1d1\sxstrace.exe"
    3⤵
    PID:2392
  - - C:\Windows\SysWOW64\takeown.exe
      takeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-sxs_31bf3856ad364e35_10.0.19041.4355_none_2306bbe60cddf1d1\sxstrace.exe"
      4⤵
      PID:4684
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\Windows\WinSxS\amd64_microsoft-windows-sxs_31bf3856ad364e35_10.0.19041.4355_none_2306bbe60cddf1d1\sxstrace.exe" /grant "everyone":(f)
      4⤵
      PID:3496
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-sxs_31bf3856ad364e35_10.0.19041.746_none_8c45e6e8b672ffff\f\sxstrace.exe"
    3⤵
    PID:4504
  - - C:\Windows\SysWOW64\takeown.exe
      takeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-sxs_31bf3856ad364e35_10.0.19041.746_none_8c45e6e8b672ffff\f\sxstrace.exe"
      4⤵
      PID:1804
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\Windows\WinSxS\amd64_microsoft-windows-sxs_31bf3856ad364e35_10.0.19041.746_none_8c45e6e8b672ffff\f\sxstrace.exe" /grant "everyone":(f)
      4⤵
      PID:3164
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-sxs_31bf3856ad364e35_10.0.19041.746_none_8c45e6e8b672ffff\r\sxstrace.exe"
    3⤵
    PID:2488
  - - C:\Windows\SysWOW64\takeown.exe
      takeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-sxs_31bf3856ad364e35_10.0.19041.746_none_8c45e6e8b672ffff\r\sxstrace.exe"
      4⤵
      PID:1920
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\Windows\WinSxS\amd64_microsoft-windows-sxs_31bf3856ad364e35_10.0.19041.746_none_8c45e6e8b672ffff\r\sxstrace.exe" /grant "everyone":(f)
      4⤵
      PID:2864
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-sxs_31bf3856ad364e35_10.0.19041.746_none_8c45e6e8b672ffff\sxstrace.exe"
    3⤵
    PID:5008
  - - C:\Windows\SysWOW64\takeown.exe
      takeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-sxs_31bf3856ad364e35_10.0.19041.746_none_8c45e6e8b672ffff\sxstrace.exe"
      4⤵
      PID:3984
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\Windows\WinSxS\amd64_microsoft-windows-sxs_31bf3856ad364e35_10.0.19041.746_none_8c45e6e8b672ffff\sxstrace.exe" /grant "everyone":(f)
      4⤵
      PID:4528
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-synchost_31bf3856ad364e35_10.0.19041.3636_none_de18a3dcb1e6db19\f\SyncHost.exe"
    3⤵
    PID:3980
  - - C:\Windows\SysWOW64\takeown.exe
      takeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-synchost_31bf3856ad364e35_10.0.19041.3636_none_de18a3dcb1e6db19\f\SyncHost.exe"
      4⤵
      PID:4312
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\Windows\WinSxS\amd64_microsoft-windows-synchost_31bf3856ad364e35_10.0.19041.3636_none_de18a3dcb1e6db19\f\SyncHost.exe" /grant "everyone":(f)
      4⤵
      PID:2472
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-synchost_31bf3856ad364e35_10.0.19041.3636_none_de18a3dcb1e6db19\r\SyncHost.exe"
    3⤵
    PID:2868
  - - C:\Windows\SysWOW64\takeown.exe
      takeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-synchost_31bf3856ad364e35_10.0.19041.3636_none_de18a3dcb1e6db19\r\SyncHost.exe"
      4⤵
      PID:1764
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\Windows\WinSxS\amd64_microsoft-windows-synchost_31bf3856ad364e35_10.0.19041.3636_none_de18a3dcb1e6db19\r\SyncHost.exe" /grant "everyone":(f)
      4⤵
      PID:4740
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-synchost_31bf3856ad364e35_10.0.19041.3636_none_de18a3dcb1e6db19\SyncHost.exe"
    3⤵
    PID:4320
  - - C:\Windows\SysWOW64\takeown.exe
      takeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-synchost_31bf3856ad364e35_10.0.19041.3636_none_de18a3dcb1e6db19\SyncHost.exe"
      4⤵
      PID:1196
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\Windows\WinSxS\amd64_microsoft-windows-synchost_31bf3856ad364e35_10.0.19041.3636_none_de18a3dcb1e6db19\SyncHost.exe" /grant "everyone":(f)
      4⤵
      PID:756
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-synchost_31bf3856ad364e35_10.0.19041.746_none_477a57e55b61aba8\f\SyncHost.exe"
    3⤵
    PID:3024
  - - C:\Windows\SysWOW64\takeown.exe
      takeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-synchost_31bf3856ad364e35_10.0.19041.746_none_477a57e55b61aba8\f\SyncHost.exe"
      4⤵
      PID:1628
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\Windows\WinSxS\amd64_microsoft-windows-synchost_31bf3856ad364e35_10.0.19041.746_none_477a57e55b61aba8\f\SyncHost.exe" /grant "everyone":(f)
      4⤵
      PID:2616
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-synchost_31bf3856ad364e35_10.0.19041.746_none_477a57e55b61aba8\r\SyncHost.exe"
    3⤵
    PID:4776
  - - C:\Windows\SysWOW64\takeown.exe
      takeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-synchost_31bf3856ad364e35_10.0.19041.746_none_477a57e55b61aba8\r\SyncHost.exe"
      4⤵
      Possible privilege escalation attempt
      PID:1172
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\Windows\WinSxS\amd64_microsoft-windows-synchost_31bf3856ad364e35_10.0.19041.746_none_477a57e55b61aba8\r\SyncHost.exe" /grant "everyone":(f)
      4⤵
      PID:2364
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-synchost_31bf3856ad364e35_10.0.19041.746_none_477a57e55b61aba8\SyncHost.exe"
    3⤵
    PID:2516
  - - C:\Windows\SysWOW64\takeown.exe
      takeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-synchost_31bf3856ad364e35_10.0.19041.746_none_477a57e55b61aba8\SyncHost.exe"
      4⤵
      PID:420
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\Windows\WinSxS\amd64_microsoft-windows-synchost_31bf3856ad364e35_10.0.19041.746_none_477a57e55b61aba8\SyncHost.exe" /grant "everyone":(f)
      4⤵
      PID:3536
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-sysinfo_31bf3856ad364e35_10.0.19041.1_none_a545be9e97ec5400\systeminfo.exe"
    3⤵
    PID:3840
  - - C:\Windows\SysWOW64\takeown.exe
      takeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-sysinfo_31bf3856ad364e35_10.0.19041.1_none_a545be9e97ec5400\systeminfo.exe"
      4⤵
      PID:4584
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\Windows\WinSxS\amd64_microsoft-windows-sysinfo_31bf3856ad364e35_10.0.19041.1_none_a545be9e97ec5400\systeminfo.exe" /grant "everyone":(f)
      4⤵
      PID:4720
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-sysprep_31bf3856ad364e35_10.0.19041.3636_none_64163788adcf5594\f\sysprep.exe"
    3⤵
    PID:2476
  - - C:\Windows\SysWOW64\takeown.exe
      takeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-sysprep_31bf3856ad364e35_10.0.19041.3636_none_64163788adcf5594\f\sysprep.exe"
      4⤵
      PID:2924
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\Windows\WinSxS\amd64_microsoft-windows-sysprep_31bf3856ad364e35_10.0.19041.3636_none_64163788adcf5594\f\sysprep.exe" /grant "everyone":(f)
      4⤵
      PID:2080
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-sysprep_31bf3856ad364e35_10.0.19041.3636_none_64163788adcf5594\r\sysprep.exe"
    3⤵
    PID:956
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:404
  - - C:\Windows\SysWOW64\takeown.exe
      takeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-sysprep_31bf3856ad364e35_10.0.19041.3636_none_64163788adcf5594\r\sysprep.exe"
      4⤵
      PID:4424
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\Windows\WinSxS\amd64_microsoft-windows-sysprep_31bf3856ad364e35_10.0.19041.3636_none_64163788adcf5594\r\sysprep.exe" /grant "everyone":(f)
      4⤵
      PID:2052
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-sysprep_31bf3856ad364e35_10.0.19041.3636_none_64163788adcf5594\sysprep.exe"
    3⤵
    PID:3572
  - - C:\Windows\SysWOW64\takeown.exe
      takeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-sysprep_31bf3856ad364e35_10.0.19041.3636_none_64163788adcf5594\sysprep.exe"
      4⤵
      PID:1644
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\Windows\WinSxS\amd64_microsoft-windows-sysprep_31bf3856ad364e35_10.0.19041.3636_none_64163788adcf5594\sysprep.exe" /grant "everyone":(f)
      4⤵
      PID:2460
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-sysprep_31bf3856ad364e35_10.0.19041.746_none_cd77eb91574a2623\f\sysprep.exe"
    3⤵
    PID:1132
  - - C:\Windows\SysWOW64\takeown.exe
      takeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-sysprep_31bf3856ad364e35_10.0.19041.746_none_cd77eb91574a2623\f\sysprep.exe"
      4⤵
      PID:3432
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\Windows\WinSxS\amd64_microsoft-windows-sysprep_31bf3856ad364e35_10.0.19041.746_none_cd77eb91574a2623\f\sysprep.exe" /grant "everyone":(f)
      4⤵
      PID:1992
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-sysprep_31bf3856ad364e35_10.0.19041.746_none_cd77eb91574a2623\r\sysprep.exe"
    3⤵
    PID:412
  - - C:\Windows\SysWOW64\takeown.exe
      takeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-sysprep_31bf3856ad364e35_10.0.19041.746_none_cd77eb91574a2623\r\sysprep.exe"
      4⤵
      PID:4100
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\Windows\WinSxS\amd64_microsoft-windows-sysprep_31bf3856ad364e35_10.0.19041.746_none_cd77eb91574a2623\r\sysprep.exe" /grant "everyone":(f)
      4⤵
      PID:1304
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-sysprep_31bf3856ad364e35_10.0.19041.746_none_cd77eb91574a2623\sysprep.exe"
    3⤵
    PID:620
  - - C:\Windows\SysWOW64\takeown.exe
      takeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-sysprep_31bf3856ad364e35_10.0.19041.746_none_cd77eb91574a2623\sysprep.exe"
      4⤵
      PID:2576
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\Windows\WinSxS\amd64_microsoft-windows-sysprep_31bf3856ad364e35_10.0.19041.746_none_cd77eb91574a2623\sysprep.exe" /grant "everyone":(f)
      4⤵
      PID:2976
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-systempropertiesremote_31bf3856ad364e35_10.0.19041.1_none_4ac6500cab2b2113\SystemPropertiesRemote.exe"
    3⤵
    PID:2044
  - - C:\Windows\SysWOW64\takeown.exe
      takeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-systempropertiesremote_31bf3856ad364e35_10.0.19041.1_none_4ac6500cab2b2113\SystemPropertiesRemote.exe"
      4⤵
      PID:1292
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\Windows\WinSxS\amd64_microsoft-windows-systempropertiesremote_31bf3856ad364e35_10.0.19041.1_none_4ac6500cab2b2113\SystemPropertiesRemote.exe" /grant "everyone":(f)
      4⤵
      PID:4508
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-systemreset_31bf3856ad364e35_10.0.19041.1266_none_5fd6523a3130632d\f\ResetEngine.exe"
    3⤵
    PID:2116
  - - C:\Windows\SysWOW64\takeown.exe
      takeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-systemreset_31bf3856ad364e35_10.0.19041.1266_none_5fd6523a3130632d\f\ResetEngine.exe"
      4⤵
      PID:5008
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\Windows\WinSxS\amd64_microsoft-windows-systemreset_31bf3856ad364e35_10.0.19041.1266_none_5fd6523a3130632d\f\ResetEngine.exe" /grant "everyone":(f)
      4⤵
      PID:8
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-systemreset_31bf3856ad364e35_10.0.19041.1266_none_5fd6523a3130632d\f\SysResetErr.exe"
    3⤵
    PID:3052
  - - C:\Windows\SysWOW64\takeown.exe
      takeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-systemreset_31bf3856ad364e35_10.0.19041.1266_none_5fd6523a3130632d\f\SysResetErr.exe"
      4⤵
      PID:3980
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\Windows\WinSxS\amd64_microsoft-windows-systemreset_31bf3856ad364e35_10.0.19041.1266_none_5fd6523a3130632d\f\SysResetErr.exe" /grant "everyone":(f)
      4⤵
      PID:3084
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-systemreset_31bf3856ad364e35_10.0.19041.1266_none_5fd6523a3130632d\f\systemreset.exe"
    3⤵
    PID:3832
  - - C:\Windows\SysWOW64\takeown.exe
      takeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-systemreset_31bf3856ad364e35_10.0.19041.1266_none_5fd6523a3130632d\f\systemreset.exe"
      4⤵
      PID:272
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\Windows\WinSxS\amd64_microsoft-windows-systemreset_31bf3856ad364e35_10.0.19041.1266_none_5fd6523a3130632d\f\systemreset.exe" /grant "everyone":(f)
      4⤵
      PID:3936
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-systemreset_31bf3856ad364e35_10.0.19041.1266_none_5fd6523a3130632d\r\ResetEngine.exe"
    3⤵
    PID:5104
  - - C:\Windows\SysWOW64\takeown.exe
      takeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-systemreset_31bf3856ad364e35_10.0.19041.1266_none_5fd6523a3130632d\r\ResetEngine.exe"
      4⤵
      PID:4328
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\Windows\WinSxS\amd64_microsoft-windows-systemreset_31bf3856ad364e35_10.0.19041.1266_none_5fd6523a3130632d\r\ResetEngine.exe" /grant "everyone":(f)
      4⤵
      PID:4532
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-systemreset_31bf3856ad364e35_10.0.19041.1266_none_5fd6523a3130632d\r\SysResetErr.exe"
    3⤵
    PID:2464
  - - C:\Windows\SysWOW64\takeown.exe
      takeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-systemreset_31bf3856ad364e35_10.0.19041.1266_none_5fd6523a3130632d\r\SysResetErr.exe"
      4⤵
      PID:4644
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\Windows\WinSxS\amd64_microsoft-windows-systemreset_31bf3856ad364e35_10.0.19041.1266_none_5fd6523a3130632d\r\SysResetErr.exe" /grant "everyone":(f)
      4⤵
      PID:2828
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-systemreset_31bf3856ad364e35_10.0.19041.1266_none_5fd6523a3130632d\r\systemreset.exe"
    3⤵
    PID:824
  - - C:\Windows\SysWOW64\takeown.exe
      takeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-systemreset_31bf3856ad364e35_10.0.19041.1266_none_5fd6523a3130632d\r\systemreset.exe"
      4⤵
      PID:2372
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\Windows\WinSxS\amd64_microsoft-windows-systemreset_31bf3856ad364e35_10.0.19041.1266_none_5fd6523a3130632d\r\systemreset.exe" /grant "everyone":(f)
      4⤵
      PID:4132
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-systemreset_31bf3856ad364e35_10.0.19041.1266_none_5fd6523a3130632d\ResetEngine.exe"
    3⤵
    PID:4636
  - - C:\Windows\SysWOW64\takeown.exe
      takeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-systemreset_31bf3856ad364e35_10.0.19041.1266_none_5fd6523a3130632d\ResetEngine.exe"
      4⤵
      PID:2276
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\Windows\WinSxS\amd64_microsoft-windows-systemreset_31bf3856ad364e35_10.0.19041.1266_none_5fd6523a3130632d\ResetEngine.exe" /grant "everyone":(f)
      4⤵
      PID:3436
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-systemreset_31bf3856ad364e35_10.0.19041.1266_none_5fd6523a3130632d\SysResetErr.exe"
    3⤵
    PID:4480
  - - C:\Windows\SysWOW64\takeown.exe
      takeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-systemreset_31bf3856ad364e35_10.0.19041.1266_none_5fd6523a3130632d\SysResetErr.exe"
      4⤵
      PID:1980
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\Windows\WinSxS\amd64_microsoft-windows-systemreset_31bf3856ad364e35_10.0.19041.1266_none_5fd6523a3130632d\SysResetErr.exe" /grant "everyone":(f)
      4⤵
      PID:764
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-systemreset_31bf3856ad364e35_10.0.19041.1266_none_5fd6523a3130632d\systemreset.exe"
    3⤵
    PID:3892
  - - C:\Windows\SysWOW64\takeown.exe
      takeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-systemreset_31bf3856ad364e35_10.0.19041.1266_none_5fd6523a3130632d\systemreset.exe"
      4⤵
      PID:4468
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\Windows\WinSxS\amd64_microsoft-windows-systemreset_31bf3856ad364e35_10.0.19041.1266_none_5fd6523a3130632d\systemreset.exe" /grant "everyone":(f)
      4⤵
      PID:2052
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-systemreset_31bf3856ad364e35_10.0.19041.4355_none_5fca9e7e3139439b\f\ResetEngine.exe"
    3⤵
    PID:4752
  - - C:\Windows\SysWOW64\takeown.exe
      takeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-systemreset_31bf3856ad364e35_10.0.19041.4355_none_5fca9e7e3139439b\f\ResetEngine.exe"
      4⤵
      PID:1612
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\Windows\WinSxS\amd64_microsoft-windows-systemreset_31bf3856ad364e35_10.0.19041.4355_none_5fca9e7e3139439b\f\ResetEngine.exe" /grant "everyone":(f)
      4⤵
      PID:1684
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-systemreset_31bf3856ad364e35_10.0.19041.4355_none_5fca9e7e3139439b\f\SysResetErr.exe"
    3⤵
    PID:3132
  - - C:\Windows\SysWOW64\takeown.exe
      takeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-systemreset_31bf3856ad364e35_10.0.19041.4355_none_5fca9e7e3139439b\f\SysResetErr.exe"
      4⤵
      PID:652
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\Windows\WinSxS\amd64_microsoft-windows-systemreset_31bf3856ad364e35_10.0.19041.4355_none_5fca9e7e3139439b\f\SysResetErr.exe" /grant "everyone":(f)
      4⤵
      PID:4684
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-systemreset_31bf3856ad364e35_10.0.19041.4355_none_5fca9e7e3139439b\f\systemreset.exe"
    3⤵
    PID:4524
  - - C:\Windows\SysWOW64\takeown.exe
      takeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-systemreset_31bf3856ad364e35_10.0.19041.4355_none_5fca9e7e3139439b\f\systemreset.exe"
      4⤵
      PID:1784
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\Windows\WinSxS\amd64_microsoft-windows-systemreset_31bf3856ad364e35_10.0.19041.4355_none_5fca9e7e3139439b\f\systemreset.exe" /grant "everyone":(f)
      4⤵
      PID:5072
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-systemreset_31bf3856ad364e35_10.0.19041.4355_none_5fca9e7e3139439b\r\ResetEngine.exe"
    3⤵
    PID:3560
  - - C:\Windows\SysWOW64\takeown.exe
      takeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-systemreset_31bf3856ad364e35_10.0.19041.4355_none_5fca9e7e3139439b\r\ResetEngine.exe"
      4⤵
      PID:1552
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\Windows\WinSxS\amd64_microsoft-windows-systemreset_31bf3856ad364e35_10.0.19041.4355_none_5fca9e7e3139439b\r\ResetEngine.exe" /grant "everyone":(f)
      4⤵
      PID:3756
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-systemreset_31bf3856ad364e35_10.0.19041.4355_none_5fca9e7e3139439b\r\SysResetErr.exe"
    3⤵
    PID:1804
  - - C:\Windows\SysWOW64\takeown.exe
      takeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-systemreset_31bf3856ad364e35_10.0.19041.4355_none_5fca9e7e3139439b\r\SysResetErr.exe"
      4⤵
      PID:1756
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\Windows\WinSxS\amd64_microsoft-windows-systemreset_31bf3856ad364e35_10.0.19041.4355_none_5fca9e7e3139439b\r\SysResetErr.exe" /grant "everyone":(f)
      4⤵
      PID:4692
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-systemreset_31bf3856ad364e35_10.0.19041.4355_none_5fca9e7e3139439b\r\systemreset.exe"
    3⤵
    PID:2864
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:2044
  - - C:\Windows\SysWOW64\takeown.exe
      takeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-systemreset_31bf3856ad364e35_10.0.19041.4355_none_5fca9e7e3139439b\r\systemreset.exe"
      4⤵
      PID:3008
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\Windows\WinSxS\amd64_microsoft-windows-systemreset_31bf3856ad364e35_10.0.19041.4355_none_5fca9e7e3139439b\r\systemreset.exe" /grant "everyone":(f)
      4⤵
      PID:4848
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-systemreset_31bf3856ad364e35_10.0.19041.4355_none_5fca9e7e3139439b\ResetEngine.exe"
    3⤵
    PID:4528
  - - C:\Windows\SysWOW64\takeown.exe
      takeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-systemreset_31bf3856ad364e35_10.0.19041.4355_none_5fca9e7e3139439b\ResetEngine.exe"
      4⤵
      PID:4312
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\Windows\WinSxS\amd64_microsoft-windows-systemreset_31bf3856ad364e35_10.0.19041.4355_none_5fca9e7e3139439b\ResetEngine.exe" /grant "everyone":(f)
      4⤵
      PID:4144
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-systemreset_31bf3856ad364e35_10.0.19041.4355_none_5fca9e7e3139439b\SysResetErr.exe"
    3⤵
    PID:2472
  - - C:\Windows\SysWOW64\takeown.exe
      takeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-systemreset_31bf3856ad364e35_10.0.19041.4355_none_5fca9e7e3139439b\SysResetErr.exe"
      4⤵
      PID:3032
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\Windows\WinSxS\amd64_microsoft-windows-systemreset_31bf3856ad364e35_10.0.19041.4355_none_5fca9e7e3139439b\SysResetErr.exe" /grant "everyone":(f)
      4⤵
      PID:3936
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-systemreset_31bf3856ad364e35_10.0.19041.4355_none_5fca9e7e3139439b\systemreset.exe"
    3⤵
    PID:1988
  - - C:\Windows\SysWOW64\takeown.exe
      takeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-systemreset_31bf3856ad364e35_10.0.19041.4355_none_5fca9e7e3139439b\systemreset.exe"
      4⤵
      PID:4696
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\Windows\WinSxS\amd64_microsoft-windows-systemreset_31bf3856ad364e35_10.0.19041.4355_none_5fca9e7e3139439b\systemreset.exe" /grant "everyone":(f)
      4⤵
      PID:3212
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-systemrestore-main_31bf3856ad364e35_10.0.19041.4529_none_bb80f3db688c8721\f\rstrui.exe"
    3⤵
    PID:3596
  - - C:\Windows\SysWOW64\takeown.exe
      takeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-systemrestore-main_31bf3856ad364e35_10.0.19041.4529_none_bb80f3db688c8721\f\rstrui.exe"
      4⤵
      PID:3088
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\Windows\WinSxS\amd64_microsoft-windows-systemrestore-main_31bf3856ad364e35_10.0.19041.4529_none_bb80f3db688c8721\f\rstrui.exe" /grant "everyone":(f)
      4⤵
      PID:1172
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-systemrestore-main_31bf3856ad364e35_10.0.19041.4529_none_bb80f3db688c8721\r\rstrui.exe"
    3⤵
    PID:3256
  - - C:\Windows\SysWOW64\takeown.exe
      takeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-systemrestore-main_31bf3856ad364e35_10.0.19041.4529_none_bb80f3db688c8721\r\rstrui.exe"
      4⤵
      PID:4248
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\Windows\WinSxS\amd64_microsoft-windows-systemrestore-main_31bf3856ad364e35_10.0.19041.4529_none_bb80f3db688c8721\r\rstrui.exe" /grant "everyone":(f)
      4⤵
      PID:1720
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-systemrestore-main_31bf3856ad364e35_10.0.19041.4529_none_bb80f3db688c8721\rstrui.exe"
    3⤵
    PID:4132
  - - C:\Windows\SysWOW64\takeown.exe
      takeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-systemrestore-main_31bf3856ad364e35_10.0.19041.4529_none_bb80f3db688c8721\rstrui.exe"
      4⤵
      PID:3708
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\Windows\WinSxS\amd64_microsoft-windows-systemrestore-main_31bf3856ad364e35_10.0.19041.4529_none_bb80f3db688c8721\rstrui.exe" /grant "everyone":(f)
      4⤵
      PID:4472
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-systemrestore-main_31bf3856ad364e35_10.0.19041.746_none_24d91ab4120e42ee\f\rstrui.exe"
    3⤵
    PID:3436
  - - C:\Windows\SysWOW64\takeown.exe
      takeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-systemrestore-main_31bf3856ad364e35_10.0.19041.746_none_24d91ab4120e42ee\f\rstrui.exe"
      4⤵
      PID:2220
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\Windows\WinSxS\amd64_microsoft-windows-systemrestore-main_31bf3856ad364e35_10.0.19041.746_none_24d91ab4120e42ee\f\rstrui.exe" /grant "everyone":(f)
      4⤵
      PID:2080
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-systemrestore-main_31bf3856ad364e35_10.0.19041.746_none_24d91ab4120e42ee\r\rstrui.exe"
    3⤵
    PID:2924
  - - C:\Windows\SysWOW64\takeown.exe
      takeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-systemrestore-main_31bf3856ad364e35_10.0.19041.746_none_24d91ab4120e42ee\r\rstrui.exe"
      4⤵
      PID:2476
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\Windows\WinSxS\amd64_microsoft-windows-systemrestore-main_31bf3856ad364e35_10.0.19041.746_none_24d91ab4120e42ee\r\rstrui.exe" /grant "everyone":(f)
      4⤵
      PID:172
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-systemrestore-main_31bf3856ad364e35_10.0.19041.746_none_24d91ab4120e42ee\rstrui.exe"
    3⤵
    PID:3580
  - - C:\Windows\SysWOW64\takeown.exe
      takeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-systemrestore-main_31bf3856ad364e35_10.0.19041.746_none_24d91ab4120e42ee\rstrui.exe"
      4⤵
      PID:956
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\Windows\WinSxS\amd64_microsoft-windows-systemrestore-main_31bf3856ad364e35_10.0.19041.746_none_24d91ab4120e42ee\rstrui.exe" /grant "everyone":(f)
      4⤵
      PID:1612
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-systray_31bf3856ad364e35_10.0.19041.1_none_a9428a56956799d8\systray.exe"
    3⤵
    PID:1684
  - - C:\Windows\SysWOW64\takeown.exe
      takeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-systray_31bf3856ad364e35_10.0.19041.1_none_a9428a56956799d8\systray.exe"
      4⤵
      PID:4424
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\Windows\WinSxS\amd64_microsoft-windows-systray_31bf3856ad364e35_10.0.19041.1_none_a9428a56956799d8\systray.exe" /grant "everyone":(f)
      4⤵
      PID:652
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-t..-deployment-package_31bf3856ad364e35_10.0.19041.1_none_14bead3522ecffb2\TFTP.EXE"
    3⤵
    PID:4684
  - - C:\Windows\SysWOW64\takeown.exe
      takeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-t..-deployment-package_31bf3856ad364e35_10.0.19041.1_none_14bead3522ecffb2\TFTP.EXE"
      4⤵
      PID:3432
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\Windows\WinSxS\amd64_microsoft-windows-t..-deployment-package_31bf3856ad364e35_10.0.19041.1_none_14bead3522ecffb2\TFTP.EXE" /grant "everyone":(f)
      4⤵
      PID:2644
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-t..alservices-webproxy_31bf3856ad364e35_10.0.19041.3636_none_a60f419d0da3f3e9\f\TSWbPrxy.exe"
    3⤵
    PID:5012
  - - C:\Windows\SysWOW64\takeown.exe
      takeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-t..alservices-webproxy_31bf3856ad364e35_10.0.19041.3636_none_a60f419d0da3f3e9\f\TSWbPrxy.exe"
      4⤵
      PID:1332
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\Windows\WinSxS\amd64_microsoft-windows-t..alservices-webproxy_31bf3856ad364e35_10.0.19041.3636_none_a60f419d0da3f3e9\f\TSWbPrxy.exe" /grant "everyone":(f)
      4⤵
      PID:348
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-t..alservices-webproxy_31bf3856ad364e35_10.0.19041.3636_none_a60f419d0da3f3e9\r\TSWbPrxy.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3756
  - - C:\Windows\SysWOW64\takeown.exe
      takeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-t..alservices-webproxy_31bf3856ad364e35_10.0.19041.3636_none_a60f419d0da3f3e9\r\TSWbPrxy.exe"
      4⤵
      PID:412
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\Windows\WinSxS\amd64_microsoft-windows-t..alservices-webproxy_31bf3856ad364e35_10.0.19041.3636_none_a60f419d0da3f3e9\r\TSWbPrxy.exe" /grant "everyone":(f)
      4⤵
      PID:1224
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-t..alservices-webproxy_31bf3856ad364e35_10.0.19041.3636_none_a60f419d0da3f3e9\TSWbPrxy.exe"
    3⤵
    PID:4692
  - - C:\Windows\SysWOW64\takeown.exe
      takeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-t..alservices-webproxy_31bf3856ad364e35_10.0.19041.3636_none_a60f419d0da3f3e9\TSWbPrxy.exe"
      4⤵
      PID:3800
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\Windows\WinSxS\amd64_microsoft-windows-t..alservices-webproxy_31bf3856ad364e35_10.0.19041.3636_none_a60f419d0da3f3e9\TSWbPrxy.exe" /grant "everyone":(f)
      4⤵
      PID:4848
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-t..alservices-webproxy_31bf3856ad364e35_10.0.19041.746_none_0f70f5a5b71ec478\f\TSWbPrxy.exe"
    3⤵
    PID:4828
  - - C:\Windows\SysWOW64\takeown.exe
      takeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-t..alservices-webproxy_31bf3856ad364e35_10.0.19041.746_none_0f70f5a5b71ec478\f\TSWbPrxy.exe"
      4⤵
      PID:2728
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\Windows\WinSxS\amd64_microsoft-windows-t..alservices-webproxy_31bf3856ad364e35_10.0.19041.746_none_0f70f5a5b71ec478\f\TSWbPrxy.exe" /grant "everyone":(f)
      4⤵
      PID:4136
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-t..alservices-webproxy_31bf3856ad364e35_10.0.19041.746_none_0f70f5a5b71ec478\r\TSWbPrxy.exe"
    3⤵
    PID:5008
  - - C:\Windows\SysWOW64\takeown.exe
      takeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-t..alservices-webproxy_31bf3856ad364e35_10.0.19041.746_none_0f70f5a5b71ec478\r\TSWbPrxy.exe"
      4⤵
      PID:3032
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\Windows\WinSxS\amd64_microsoft-windows-t..alservices-webproxy_31bf3856ad364e35_10.0.19041.746_none_0f70f5a5b71ec478\r\TSWbPrxy.exe" /grant "everyone":(f)
      4⤵
      PID:4196
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-t..alservices-webproxy_31bf3856ad364e35_10.0.19041.746_none_0f70f5a5b71ec478\TSWbPrxy.exe"
    3⤵
    PID:3980
  - - C:\Windows\SysWOW64\takeown.exe
      takeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-t..alservices-webproxy_31bf3856ad364e35_10.0.19041.746_none_0f70f5a5b71ec478\TSWbPrxy.exe"
      4⤵
      PID:1628
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\Windows\WinSxS\amd64_microsoft-windows-t..alservices-webproxy_31bf3856ad364e35_10.0.19041.746_none_0f70f5a5b71ec478\TSWbPrxy.exe" /grant "everyone":(f)
      4⤵
      PID:4328
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-t..ces-workspacebroker_31bf3856ad364e35_10.0.19041.1151_none_0412565dd5f26733\f\wkspbroker.exe"
    3⤵
    PID:2868
  - - C:\Windows\SysWOW64\takeown.exe
      takeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-t..ces-workspacebroker_31bf3856ad364e35_10.0.19041.1151_none_0412565dd5f26733\f\wkspbroker.exe"
      4⤵
      PID:4172
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\Windows\WinSxS\amd64_microsoft-windows-t..ces-workspacebroker_31bf3856ad364e35_10.0.19041.1151_none_0412565dd5f26733\f\wkspbroker.exe" /grant "everyone":(f)
      4⤵
      PID:4296
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-t..ces-workspacebroker_31bf3856ad364e35_10.0.19041.1151_none_0412565dd5f26733\r\wkspbroker.exe"
    3⤵
    PID:3632
  - - C:\Windows\SysWOW64\takeown.exe
      takeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-t..ces-workspacebroker_31bf3856ad364e35_10.0.19041.1151_none_0412565dd5f26733\r\wkspbroker.exe"
      4⤵
      PID:420
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\Windows\WinSxS\amd64_microsoft-windows-t..ces-workspacebroker_31bf3856ad364e35_10.0.19041.1151_none_0412565dd5f26733\r\wkspbroker.exe" /grant "everyone":(f)
      4⤵
      PID:3024
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-t..ces-workspacebroker_31bf3856ad364e35_10.0.19041.1151_none_0412565dd5f26733\wkspbroker.exe"
    3⤵
    PID:3528
  - - C:\Windows\SysWOW64\takeown.exe
      takeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-t..ces-workspacebroker_31bf3856ad364e35_10.0.19041.1151_none_0412565dd5f26733\wkspbroker.exe"
      4⤵
      PID:4720
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\Windows\WinSxS\amd64_microsoft-windows-t..ces-workspacebroker_31bf3856ad364e35_10.0.19041.1151_none_0412565dd5f26733\wkspbroker.exe" /grant "everyone":(f)
      4⤵
      PID:4472
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-t..ces-workspacebroker_31bf3856ad364e35_10.0.19041.4355_none_03fc6117d602fd0e\f\wkspbroker.exe"
    3⤵
    PID:1816
  - - C:\Windows\SysWOW64\takeown.exe
      takeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-t..ces-workspacebroker_31bf3856ad364e35_10.0.19041.4355_none_03fc6117d602fd0e\f\wkspbroker.exe"
      4⤵
      PID:1940
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\Windows\WinSxS\amd64_microsoft-windows-t..ces-workspacebroker_31bf3856ad364e35_10.0.19041.4355_none_03fc6117d602fd0e\f\wkspbroker.exe" /grant "everyone":(f)
      4⤵
      PID:4396
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-t..ces-workspacebroker_31bf3856ad364e35_10.0.19041.4355_none_03fc6117d602fd0e\r\wkspbroker.exe"
    3⤵
    PID:3436
  - - C:\Windows\SysWOW64\takeown.exe
      takeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-t..ces-workspacebroker_31bf3856ad364e35_10.0.19041.4355_none_03fc6117d602fd0e\r\wkspbroker.exe"
      4⤵
      PID:1800
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\Windows\WinSxS\amd64_microsoft-windows-t..ces-workspacebroker_31bf3856ad364e35_10.0.19041.4355_none_03fc6117d602fd0e\r\wkspbroker.exe" /grant "everyone":(f)
      4⤵
      PID:172
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-t..ces-workspacebroker_31bf3856ad364e35_10.0.19041.4355_none_03fc6117d602fd0e\wkspbroker.exe"
    3⤵
    PID:4480
  - - C:\Windows\SysWOW64\takeown.exe
      takeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-t..ces-workspacebroker_31bf3856ad364e35_10.0.19041.4355_none_03fc6117d602fd0e\wkspbroker.exe"
      4⤵
      PID:1192
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\Windows\WinSxS\amd64_microsoft-windows-t..ces-workspacebroker_31bf3856ad364e35_10.0.19041.4355_none_03fc6117d602fd0e\wkspbroker.exe" /grant "everyone":(f)
      4⤵
      Modifies file permissions
      PID:5016
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-t..cesframework-ctfmon_31bf3856ad364e35_10.0.19041.1_none_53219a572fef10a2\ctfmon.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:956
  - - C:\Windows\SysWOW64\takeown.exe
      takeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-t..cesframework-ctfmon_31bf3856ad364e35_10.0.19041.1_none_53219a572fef10a2\ctfmon.exe"
      4⤵
      PID:1284
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\Windows\WinSxS\amd64_microsoft-windows-t..cesframework-ctfmon_31bf3856ad364e35_10.0.19041.1_none_53219a572fef10a2\ctfmon.exe" /grant "everyone":(f)
      4⤵
      PID:524
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-t..commandlinetoolsmqq_31bf3856ad364e35_10.0.19041.1_none_df1a7ee54b62a4fd\msg.exe"
    3⤵
    PID:4424
  - - C:\Windows\SysWOW64\takeown.exe
      takeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-t..commandlinetoolsmqq_31bf3856ad364e35_10.0.19041.1_none_df1a7ee54b62a4fd\msg.exe"
      4⤵
      PID:540
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\Windows\WinSxS\amd64_microsoft-windows-t..commandlinetoolsmqq_31bf3856ad364e35_10.0.19041.1_none_df1a7ee54b62a4fd\msg.exe" /grant "everyone":(f)
      4⤵
      PID:4564
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-t..commandlinetoolsmqq_31bf3856ad364e35_10.0.19041.1_none_df1a7ee54b62a4fd\quser.exe"
    3⤵
    PID:4816
  - - C:\Windows\SysWOW64\takeown.exe
      takeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-t..commandlinetoolsmqq_31bf3856ad364e35_10.0.19041.1_none_df1a7ee54b62a4fd\quser.exe"
      4⤵
      System Location Discovery: System Language Discovery
      PID:4372
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\Windows\WinSxS\amd64_microsoft-windows-t..commandlinetoolsmqq_31bf3856ad364e35_10.0.19041.1_none_df1a7ee54b62a4fd\quser.exe" /grant "everyone":(f)
      4⤵
      PID:2028
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-t..commandlinetoolsmqq_31bf3856ad364e35_10.0.19041.1_none_df1a7ee54b62a4fd\qwinsta.exe"
    3⤵
    PID:1332
  - - C:\Windows\SysWOW64\takeown.exe
      takeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-t..commandlinetoolsmqq_31bf3856ad364e35_10.0.19041.1_none_df1a7ee54b62a4fd\qwinsta.exe"
      4⤵
      PID:4028
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\Windows\WinSxS\amd64_microsoft-windows-t..commandlinetoolsmqq_31bf3856ad364e35_10.0.19041.1_none_df1a7ee54b62a4fd\qwinsta.exe" /grant "everyone":(f)
      4⤵
      PID:4536
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-t..eldebugger-recorder_31bf3856ad364e35_10.0.19041.4355_none_d91e29d5c32ce5b4\f\ttdinject.exe"
    3⤵
    PID:2648
  - - C:\Windows\SysWOW64\takeown.exe
      takeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-t..eldebugger-recorder_31bf3856ad364e35_10.0.19041.4355_none_d91e29d5c32ce5b4\f\ttdinject.exe"
      4⤵
      PID:3080
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\Windows\WinSxS\amd64_microsoft-windows-t..eldebugger-recorder_31bf3856ad364e35_10.0.19041.4355_none_d91e29d5c32ce5b4\f\ttdinject.exe" /grant "everyone":(f)
      4⤵
      PID:3984
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-t..eldebugger-recorder_31bf3856ad364e35_10.0.19041.4355_none_d91e29d5c32ce5b4\f\tttracer.exe"
    3⤵
    PID:3588
  - - C:\Windows\SysWOW64\takeown.exe
      takeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-t..eldebugger-recorder_31bf3856ad364e35_10.0.19041.4355_none_d91e29d5c32ce5b4\f\tttracer.exe"
      4⤵
      PID:3532
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\Windows\WinSxS\amd64_microsoft-windows-t..eldebugger-recorder_31bf3856ad364e35_10.0.19041.4355_none_d91e29d5c32ce5b4\f\tttracer.exe" /grant "everyone":(f)
      4⤵
      PID:4136
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-t..eldebugger-recorder_31bf3856ad364e35_10.0.19041.4355_none_d91e29d5c32ce5b4\r\ttdinject.exe"
    3⤵
    PID:1764
  - - C:\Windows\SysWOW64\takeown.exe
      takeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-t..eldebugger-recorder_31bf3856ad364e35_10.0.19041.4355_none_d91e29d5c32ce5b4\r\ttdinject.exe"
      4⤵
      PID:3936
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\Windows\WinSxS\amd64_microsoft-windows-t..eldebugger-recorder_31bf3856ad364e35_10.0.19041.4355_none_d91e29d5c32ce5b4\r\ttdinject.exe" /grant "everyone":(f)
      4⤵
      PID:60
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-t..eldebugger-recorder_31bf3856ad364e35_10.0.19041.4355_none_d91e29d5c32ce5b4\r\tttracer.exe"
    3⤵
    PID:2176
  - - C:\Windows\SysWOW64\takeown.exe
      takeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-t..eldebugger-recorder_31bf3856ad364e35_10.0.19041.4355_none_d91e29d5c32ce5b4\r\tttracer.exe"
      4⤵
      PID:3248
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\Windows\WinSxS\amd64_microsoft-windows-t..eldebugger-recorder_31bf3856ad364e35_10.0.19041.4355_none_d91e29d5c32ce5b4\r\tttracer.exe" /grant "everyone":(f)
      4⤵
      PID:1524
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-t..eldebugger-recorder_31bf3856ad364e35_10.0.19041.4355_none_d91e29d5c32ce5b4\ttdinject.exe"
    3⤵
    PID:3052
  - - C:\Windows\SysWOW64\takeown.exe
      takeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-t..eldebugger-recorder_31bf3856ad364e35_10.0.19041.4355_none_d91e29d5c32ce5b4\ttdinject.exe"
      4⤵
      PID:1280
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\Windows\WinSxS\amd64_microsoft-windows-t..eldebugger-recorder_31bf3856ad364e35_10.0.19041.4355_none_d91e29d5c32ce5b4\ttdinject.exe" /grant "everyone":(f)
      4⤵
      PID:3968
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-t..eldebugger-recorder_31bf3856ad364e35_10.0.19041.4355_none_d91e29d5c32ce5b4\tttracer.exe"
    3⤵
    PID:4364
  - - C:\Windows\SysWOW64\takeown.exe
      takeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-t..eldebugger-recorder_31bf3856ad364e35_10.0.19041.4355_none_d91e29d5c32ce5b4\tttracer.exe"
      4⤵
      PID:1720
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\Windows\WinSxS\amd64_microsoft-windows-t..eldebugger-recorder_31bf3856ad364e35_10.0.19041.4355_none_d91e29d5c32ce5b4\tttracer.exe" /grant "everyone":(f)
      4⤵
      PID:3024
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-t..eldebugger-recorder_31bf3856ad364e35_10.0.19041.746_none_425d54d86cc1f3e2\f\tttracer.exe"
    3⤵
    PID:3596
  - - C:\Windows\SysWOW64\takeown.exe
      takeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-t..eldebugger-recorder_31bf3856ad364e35_10.0.19041.746_none_425d54d86cc1f3e2\f\tttracer.exe"
      4⤵
      PID:3708
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\Windows\WinSxS\amd64_microsoft-windows-t..eldebugger-recorder_31bf3856ad364e35_10.0.19041.746_none_425d54d86cc1f3e2\f\tttracer.exe" /grant "everyone":(f)
      4⤵
      PID:3244
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-t..eldebugger-recorder_31bf3856ad364e35_10.0.19041.746_none_425d54d86cc1f3e2\r\tttracer.exe"
    3⤵
    PID:2464
  - - C:\Windows\SysWOW64\takeown.exe
      takeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-t..eldebugger-recorder_31bf3856ad364e35_10.0.19041.746_none_425d54d86cc1f3e2\r\tttracer.exe"
      4⤵
      PID:2372
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\Windows\WinSxS\amd64_microsoft-windows-t..eldebugger-recorder_31bf3856ad364e35_10.0.19041.746_none_425d54d86cc1f3e2\r\tttracer.exe" /grant "everyone":(f)
      4⤵
      PID:1400
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-t..eldebugger-recorder_31bf3856ad364e35_10.0.19041.746_none_425d54d86cc1f3e2\ttdinject.exe"
    3⤵
    PID:2120
  - - C:\Windows\SysWOW64\takeown.exe
      takeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-t..eldebugger-recorder_31bf3856ad364e35_10.0.19041.746_none_425d54d86cc1f3e2\ttdinject.exe"
      4⤵
      PID:1388
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\Windows\WinSxS\amd64_microsoft-windows-t..eldebugger-recorder_31bf3856ad364e35_10.0.19041.746_none_425d54d86cc1f3e2\ttdinject.exe" /grant "everyone":(f)
      4⤵
      PID:1800
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-t..eldebugger-recorder_31bf3856ad364e35_10.0.19041.746_none_425d54d86cc1f3e2\tttracer.exe"
    3⤵
    PID:172
  - - C:\Windows\SysWOW64\takeown.exe
      takeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-t..eldebugger-recorder_31bf3856ad364e35_10.0.19041.746_none_425d54d86cc1f3e2\tttracer.exe"
      4⤵
      PID:2276
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\Windows\WinSxS\amd64_microsoft-windows-t..eldebugger-recorder_31bf3856ad364e35_10.0.19041.746_none_425d54d86cc1f3e2\tttracer.exe" /grant "everyone":(f)
      4⤵
      PID:3892
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-t..es-commandlinetools_31bf3856ad364e35_10.0.19041.1_none_9aa166e99861c2bc\change.exe"
    3⤵
    PID:3664
  - - C:\Windows\SysWOW64\takeown.exe
      takeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-t..es-commandlinetools_31bf3856ad364e35_10.0.19041.1_none_9aa166e99861c2bc\change.exe"
      4⤵
      PID:2924
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\Windows\WinSxS\amd64_microsoft-windows-t..es-commandlinetools_31bf3856ad364e35_10.0.19041.1_none_9aa166e99861c2bc\change.exe" /grant "everyone":(f)
      4⤵
      PID:652
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-t..es-commandlinetools_31bf3856ad364e35_10.0.19041.1_none_9aa166e99861c2bc\chglogon.exe"
    3⤵
    PID:3036
  - - C:\Windows\SysWOW64\takeown.exe
      takeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-t..es-commandlinetools_31bf3856ad364e35_10.0.19041.1_none_9aa166e99861c2bc\chglogon.exe"
      4⤵
      PID:4468
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\Windows\WinSxS\amd64_microsoft-windows-t..es-commandlinetools_31bf3856ad364e35_10.0.19041.1_none_9aa166e99861c2bc\chglogon.exe" /grant "everyone":(f)
      4⤵
      PID:2644
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-t..es-commandlinetools_31bf3856ad364e35_10.0.19041.1_none_9aa166e99861c2bc\chgport.exe"
    3⤵
    PID:2432
  - - C:\Windows\SysWOW64\takeown.exe
      takeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-t..es-commandlinetools_31bf3856ad364e35_10.0.19041.1_none_9aa166e99861c2bc\chgport.exe"
      4⤵
      PID:1840
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\Windows\WinSxS\amd64_microsoft-windows-t..es-commandlinetools_31bf3856ad364e35_10.0.19041.1_none_9aa166e99861c2bc\chgport.exe" /grant "everyone":(f)
      4⤵
      PID:348
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-t..es-commandlinetools_31bf3856ad364e35_10.0.19041.1_none_9aa166e99861c2bc\chgusr.exe"
    3⤵
    PID:2028
  - - C:\Windows\SysWOW64\takeown.exe
      takeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-t..es-commandlinetools_31bf3856ad364e35_10.0.19041.1_none_9aa166e99861c2bc\chgusr.exe"
      4⤵
      PID:4684
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\Windows\WinSxS\amd64_microsoft-windows-t..es-commandlinetools_31bf3856ad364e35_10.0.19041.1_none_9aa166e99861c2bc\chgusr.exe" /grant "everyone":(f)
      4⤵
      PID:412
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-t..es-commandlinetools_31bf3856ad364e35_10.0.19041.1_none_9aa166e99861c2bc\logoff.exe"
    3⤵
    PID:4536
  - - C:\Windows\SysWOW64\takeown.exe
      takeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-t..es-commandlinetools_31bf3856ad364e35_10.0.19041.1_none_9aa166e99861c2bc\logoff.exe"
      4⤵
      PID:1784
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\Windows\WinSxS\amd64_microsoft-windows-t..es-commandlinetools_31bf3856ad364e35_10.0.19041.1_none_9aa166e99861c2bc\logoff.exe" /grant "everyone":(f)
      4⤵
      PID:4900
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-t..es-commandlinetools_31bf3856ad364e35_10.0.19041.1_none_9aa166e99861c2bc\qappsrv.exe"
    3⤵
    PID:2528
  - - C:\Windows\SysWOW64\takeown.exe
      takeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-t..es-commandlinetools_31bf3856ad364e35_10.0.19041.1_none_9aa166e99861c2bc\qappsrv.exe"
      4⤵
      PID:4224
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\Windows\WinSxS\amd64_microsoft-windows-t..es-commandlinetools_31bf3856ad364e35_10.0.19041.1_none_9aa166e99861c2bc\qappsrv.exe" /grant "everyone":(f)
      4⤵
      PID:3116
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-t..es-commandlinetools_31bf3856ad364e35_10.0.19041.1_none_9aa166e99861c2bc\qprocess.exe"
    3⤵
    PID:3440
  - - C:\Windows\SysWOW64\takeown.exe
      takeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-t..es-commandlinetools_31bf3856ad364e35_10.0.19041.1_none_9aa166e99861c2bc\qprocess.exe"
      4⤵
      PID:3996
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\Windows\WinSxS\amd64_microsoft-windows-t..es-commandlinetools_31bf3856ad364e35_10.0.19041.1_none_9aa166e99861c2bc\qprocess.exe" /grant "everyone":(f)
      4⤵
      PID:2532
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-t..es-commandlinetools_31bf3856ad364e35_10.0.19041.1_none_9aa166e99861c2bc\query.exe"
    3⤵
    PID:900
  - - C:\Windows\SysWOW64\takeown.exe
      takeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-t..es-commandlinetools_31bf3856ad364e35_10.0.19041.1_none_9aa166e99861c2bc\query.exe"
      4⤵
      PID:4388
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\Windows\WinSxS\amd64_microsoft-windows-t..es-commandlinetools_31bf3856ad364e35_10.0.19041.1_none_9aa166e99861c2bc\query.exe" /grant "everyone":(f)
      4⤵
      PID:3212
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-t..es-commandlinetools_31bf3856ad364e35_10.0.19041.1_none_9aa166e99861c2bc\reset.exe"
    3⤵
    PID:4328
  - - C:\Windows\SysWOW64\takeown.exe
      takeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-t..es-commandlinetools_31bf3856ad364e35_10.0.19041.1_none_9aa166e99861c2bc\reset.exe"
      4⤵
      PID:3492
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\Windows\WinSxS\amd64_microsoft-windows-t..es-commandlinetools_31bf3856ad364e35_10.0.19041.1_none_9aa166e99861c2bc\reset.exe" /grant "everyone":(f)
      4⤵
      PID:724
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-t..es-commandlinetools_31bf3856ad364e35_10.0.19041.1_none_9aa166e99861c2bc\rwinsta.exe"
    3⤵
    PID:4320
  - - C:\Windows\SysWOW64\takeown.exe
      takeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-t..es-commandlinetools_31bf3856ad364e35_10.0.19041.1_none_9aa166e99861c2bc\rwinsta.exe"
      4⤵
      PID:3696
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\Windows\WinSxS\amd64_microsoft-windows-t..es-commandlinetools_31bf3856ad364e35_10.0.19041.1_none_9aa166e99861c2bc\rwinsta.exe" /grant "everyone":(f)
      4⤵
      PID:2616
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-t..es-commandlinetools_31bf3856ad364e35_10.0.19041.1_none_9aa166e99861c2bc\tscon.exe"
    3⤵
    PID:1720
  - - C:\Windows\SysWOW64\takeown.exe
      takeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-t..es-commandlinetools_31bf3856ad364e35_10.0.19041.1_none_9aa166e99861c2bc\tscon.exe"
      4⤵
      System Location Discovery: System Language Discovery
      PID:2492
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\Windows\WinSxS\amd64_microsoft-windows-t..es-commandlinetools_31bf3856ad364e35_10.0.19041.1_none_9aa166e99861c2bc\tscon.exe" /grant "everyone":(f)
      4⤵
      PID:4348
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-t..es-commandlinetools_31bf3856ad364e35_10.0.19041.1_none_9aa166e99861c2bc\tsdiscon.exe"
    3⤵
    PID:3708
  - - C:\Windows\SysWOW64\takeown.exe
      takeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-t..es-commandlinetools_31bf3856ad364e35_10.0.19041.1_none_9aa166e99861c2bc\tsdiscon.exe"
      4⤵
      PID:4784
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\Windows\WinSxS\amd64_microsoft-windows-t..es-commandlinetools_31bf3856ad364e35_10.0.19041.1_none_9aa166e99861c2bc\tsdiscon.exe" /grant "everyone":(f)
      4⤵
      PID:2080
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-t..es-commandlinetools_31bf3856ad364e35_10.0.19041.1_none_9aa166e99861c2bc\tskill.exe"
    3⤵
    PID:2372
  - - C:\Windows\SysWOW64\takeown.exe
      takeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-t..es-commandlinetools_31bf3856ad364e35_10.0.19041.1_none_9aa166e99861c2bc\tskill.exe"
      4⤵
      PID:1144
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\Windows\WinSxS\amd64_microsoft-windows-t..es-commandlinetools_31bf3856ad364e35_10.0.19041.1_none_9aa166e99861c2bc\tskill.exe" /grant "everyone":(f)
      4⤵
      PID:2628
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-t..es-inputredirection_31bf3856ad364e35_10.0.19041.1_none_ba15c535035058c0\rdpinput.exe"
    3⤵
    PID:4092
  - - C:\Windows\SysWOW64\takeown.exe
      takeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-t..es-inputredirection_31bf3856ad364e35_10.0.19041.1_none_ba15c535035058c0\rdpinput.exe"
      4⤵
      PID:1388
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\Windows\WinSxS\amd64_microsoft-windows-t..es-inputredirection_31bf3856ad364e35_10.0.19041.1_none_ba15c535035058c0\rdpinput.exe" /grant "everyone":(f)
      4⤵
      PID:2664
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-t..es-workspaceruntime_31bf3856ad364e35_10.0.19041.3636_none_9afcd1809296ada6\f\wksprt.exe"
    3⤵
    PID:3372
  - - C:\Windows\SysWOW64\takeown.exe
      takeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-t..es-workspaceruntime_31bf3856ad364e35_10.0.19041.3636_none_9afcd1809296ada6\f\wksprt.exe"
      4⤵
      PID:4584
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\Windows\WinSxS\amd64_microsoft-windows-t..es-workspaceruntime_31bf3856ad364e35_10.0.19041.3636_none_9afcd1809296ada6\f\wksprt.exe" /grant "everyone":(f)
      4⤵
      PID:4660
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-t..es-workspaceruntime_31bf3856ad364e35_10.0.19041.3636_none_9afcd1809296ada6\r\wksprt.exe"
    3⤵
    PID:2720
  - - C:\Windows\SysWOW64\takeown.exe
      takeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-t..es-workspaceruntime_31bf3856ad364e35_10.0.19041.3636_none_9afcd1809296ada6\r\wksprt.exe"
      4⤵
      PID:3960
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\Windows\WinSxS\amd64_microsoft-windows-t..es-workspaceruntime_31bf3856ad364e35_10.0.19041.3636_none_9afcd1809296ada6\r\wksprt.exe" /grant "everyone":(f)
      4⤵
      PID:708
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-t..es-workspaceruntime_31bf3856ad364e35_10.0.19041.3636_none_9afcd1809296ada6\wksprt.exe"
    3⤵
    PID:2644
  - - C:\Windows\SysWOW64\takeown.exe
      takeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-t..es-workspaceruntime_31bf3856ad364e35_10.0.19041.3636_none_9afcd1809296ada6\wksprt.exe"
      4⤵
      PID:3160
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\Windows\WinSxS\amd64_microsoft-windows-t..es-workspaceruntime_31bf3856ad364e35_10.0.19041.3636_none_9afcd1809296ada6\wksprt.exe" /grant "everyone":(f)
      4⤵
      PID:4524
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-t..es-workspaceruntime_31bf3856ad364e35_10.0.19041.746_none_045e85893c117e35\f\wksprt.exe"
    3⤵
    PID:348
  - - C:\Windows\SysWOW64\takeown.exe
      takeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-t..es-workspaceruntime_31bf3856ad364e35_10.0.19041.746_none_045e85893c117e35\f\wksprt.exe"
      4⤵
      PID:4100
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\Windows\WinSxS\amd64_microsoft-windows-t..es-workspaceruntime_31bf3856ad364e35_10.0.19041.746_none_045e85893c117e35\f\wksprt.exe" /grant "everyone":(f)
      4⤵
      PID:3716
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-t..es-workspaceruntime_31bf3856ad364e35_10.0.19041.746_none_045e85893c117e35\r\wksprt.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:412
  - - C:\Windows\SysWOW64\takeown.exe
      takeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-t..es-workspaceruntime_31bf3856ad364e35_10.0.19041.746_none_045e85893c117e35\r\wksprt.exe"
      4⤵
      PID:3432
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\Windows\WinSxS\amd64_microsoft-windows-t..es-workspaceruntime_31bf3856ad364e35_10.0.19041.746_none_045e85893c117e35\r\wksprt.exe" /grant "everyone":(f)
      4⤵
      PID:4504
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-t..es-workspaceruntime_31bf3856ad364e35_10.0.19041.746_none_045e85893c117e35\wksprt.exe"
    3⤵
    PID:4028
  - - C:\Windows\SysWOW64\takeown.exe
      takeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-t..es-workspaceruntime_31bf3856ad364e35_10.0.19041.746_none_045e85893c117e35\wksprt.exe"
      4⤵
      PID:1932
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\Windows\WinSxS\amd64_microsoft-windows-t..es-workspaceruntime_31bf3856ad364e35_10.0.19041.746_none_045e85893c117e35\wksprt.exe" /grant "everyone":(f)
      4⤵
      PID:4144
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-t..etpc-mathinputpanel_31bf3856ad364e35_10.0.19041.4355_none_3f5ba2e20625a807\f\mip.exe"
    3⤵
    PID:1552
  - - C:\Windows\SysWOW64\takeown.exe
      takeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-t..etpc-mathinputpanel_31bf3856ad364e35_10.0.19041.4355_none_3f5ba2e20625a807\f\mip.exe"
      4⤵
      PID:3032
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\Windows\WinSxS\amd64_microsoft-windows-t..etpc-mathinputpanel_31bf3856ad364e35_10.0.19041.4355_none_3f5ba2e20625a807\f\mip.exe" /grant "everyone":(f)
      4⤵
      PID:2532
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-t..etpc-mathinputpanel_31bf3856ad364e35_10.0.19041.4355_none_3f5ba2e20625a807\mip.exe"
    3⤵
    PID:620
  - - C:\Windows\SysWOW64\takeown.exe
      takeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-t..etpc-mathinputpanel_31bf3856ad364e35_10.0.19041.4355_none_3f5ba2e20625a807\mip.exe"
      4⤵
      PID:1628
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\Windows\WinSxS\amd64_microsoft-windows-t..etpc-mathinputpanel_31bf3856ad364e35_10.0.19041.4355_none_3f5ba2e20625a807\mip.exe" /grant "everyone":(f)
      4⤵
      PID:1116
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-t..etpc-mathinputpanel_31bf3856ad364e35_10.0.19041.4355_none_3f5ba2e20625a807\r\mip.exe"
    3⤵
    PID:1292
  - - C:\Windows\SysWOW64\takeown.exe
      takeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-t..etpc-mathinputpanel_31bf3856ad364e35_10.0.19041.4355_none_3f5ba2e20625a807\r\mip.exe"
      4⤵
      System Location Discovery: System Language Discovery
      PID:4172
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\Windows\WinSxS\amd64_microsoft-windows-t..etpc-mathinputpanel_31bf3856ad364e35_10.0.19041.4355_none_3f5ba2e20625a807\r\mip.exe" /grant "everyone":(f)
      4⤵
      PID:1172
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-t..etpc-mathinputpanel_31bf3856ad364e35_10.0.19041.746_none_a89acde4afbab635\f\mip.exe"
    3⤵
    PID:2992
  - - C:\Windows\SysWOW64\takeown.exe
      takeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-t..etpc-mathinputpanel_31bf3856ad364e35_10.0.19041.746_none_a89acde4afbab635\f\mip.exe"
      4⤵
      PID:2488
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\Windows\WinSxS\amd64_microsoft-windows-t..etpc-mathinputpanel_31bf3856ad364e35_10.0.19041.746_none_a89acde4afbab635\f\mip.exe" /grant "everyone":(f)
      4⤵
      PID:3676
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-t..etpc-mathinputpanel_31bf3856ad364e35_10.0.19041.746_none_a89acde4afbab635\mip.exe"
    3⤵
    PID:1996
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:4320
  - - C:\Windows\SysWOW64\takeown.exe
      takeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-t..etpc-mathinputpanel_31bf3856ad364e35_10.0.19041.746_none_a89acde4afbab635\mip.exe"
      4⤵
      System Location Discovery: System Language Discovery
      PID:5104
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\Windows\WinSxS\amd64_microsoft-windows-t..etpc-mathinputpanel_31bf3856ad364e35_10.0.19041.746_none_a89acde4afbab635\mip.exe" /grant "everyone":(f)
      4⤵
      PID:860
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-t..etpc-mathinputpanel_31bf3856ad364e35_10.0.19041.746_none_a89acde4afbab635\r\mip.exe"
    3⤵
    PID:1928
  - - C:\Windows\SysWOW64\takeown.exe
      takeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-t..etpc-mathinputpanel_31bf3856ad364e35_10.0.19041.746_none_a89acde4afbab635\r\mip.exe"
      4⤵
      PID:756
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\Windows\WinSxS\amd64_microsoft-windows-t..etpc-mathinputpanel_31bf3856ad364e35_10.0.19041.746_none_a89acde4afbab635\r\mip.exe" /grant "everyone":(f)
      4⤵
      PID:1196
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-t..lications-clientsku_31bf3856ad364e35_10.0.19041.1266_none_93a0f3defb54e912\f\rdpinit.exe"
    3⤵
    PID:824
  - - C:\Windows\SysWOW64\takeown.exe
      takeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-t..lications-clientsku_31bf3856ad364e35_10.0.19041.1266_none_93a0f3defb54e912\f\rdpinit.exe"
      4⤵
      PID:1056
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\Windows\WinSxS\amd64_microsoft-windows-t..lications-clientsku_31bf3856ad364e35_10.0.19041.1266_none_93a0f3defb54e912\f\rdpinit.exe" /grant "everyone":(f)
      4⤵
      PID:3840
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-t..lications-clientsku_31bf3856ad364e35_10.0.19041.1266_none_93a0f3defb54e912\f\rdpshell.exe"
    3⤵
    PID:3256
  - - C:\Windows\SysWOW64\takeown.exe
      takeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-t..lications-clientsku_31bf3856ad364e35_10.0.19041.1266_none_93a0f3defb54e912\f\rdpshell.exe"
      4⤵
      PID:1940
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\Windows\WinSxS\amd64_microsoft-windows-t..lications-clientsku_31bf3856ad364e35_10.0.19041.1266_none_93a0f3defb54e912\f\rdpshell.exe" /grant "everyone":(f)
      4⤵
      PID:2276
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-t..lications-clientsku_31bf3856ad364e35_10.0.19041.1266_none_93a0f3defb54e912\r\rdpinit.exe"
    3⤵
    PID:4412
  - - C:\Windows\SysWOW64\takeown.exe
      takeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-t..lications-clientsku_31bf3856ad364e35_10.0.19041.1266_none_93a0f3defb54e912\r\rdpinit.exe"
      4⤵
      PID:1992
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\Windows\WinSxS\amd64_microsoft-windows-t..lications-clientsku_31bf3856ad364e35_10.0.19041.1266_none_93a0f3defb54e912\r\rdpinit.exe" /grant "everyone":(f)
      4⤵
      PID:1284
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-t..lications-clientsku_31bf3856ad364e35_10.0.19041.1266_none_93a0f3defb54e912\r\rdpshell.exe"
    3⤵
    PID:2476
  - - C:\Windows\SysWOW64\takeown.exe
      takeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-t..lications-clientsku_31bf3856ad364e35_10.0.19041.1266_none_93a0f3defb54e912\r\rdpshell.exe"
      4⤵
      PID:1304
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\Windows\WinSxS\amd64_microsoft-windows-t..lications-clientsku_31bf3856ad364e35_10.0.19041.1266_none_93a0f3defb54e912\r\rdpshell.exe" /grant "everyone":(f)
      4⤵
      PID:4108
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-t..lications-clientsku_31bf3856ad364e35_10.0.19041.1266_none_93a0f3defb54e912\rdpinit.exe"
    3⤵
    PID:4480
  - - C:\Windows\SysWOW64\takeown.exe
      takeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-t..lications-clientsku_31bf3856ad364e35_10.0.19041.1266_none_93a0f3defb54e912\rdpinit.exe"
      4⤵
      PID:1564
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\Windows\WinSxS\amd64_microsoft-windows-t..lications-clientsku_31bf3856ad364e35_10.0.19041.1266_none_93a0f3defb54e912\rdpinit.exe" /grant "everyone":(f)
      4⤵
      PID:1132
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-t..lications-clientsku_31bf3856ad364e35_10.0.19041.1266_none_93a0f3defb54e912\rdpshell.exe"
    3⤵
    PID:3036
  - - C:\Windows\SysWOW64\takeown.exe
      takeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-t..lications-clientsku_31bf3856ad364e35_10.0.19041.1266_none_93a0f3defb54e912\rdpshell.exe"
      4⤵
      PID:4408
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\Windows\WinSxS\amd64_microsoft-windows-t..lications-clientsku_31bf3856ad364e35_10.0.19041.1266_none_93a0f3defb54e912\rdpshell.exe" /grant "everyone":(f)
      4⤵
      PID:4684
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-t..lications-clientsku_31bf3856ad364e35_10.0.19041.4355_none_93954022fb5dc980\f\rdpinit.exe"
    3⤵
    PID:3572
  - - C:\Windows\SysWOW64\takeown.exe
      takeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-t..lications-clientsku_31bf3856ad364e35_10.0.19041.4355_none_93954022fb5dc980\f\rdpinit.exe"
      4⤵
      PID:2096
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\Windows\WinSxS\amd64_microsoft-windows-t..lications-clientsku_31bf3856ad364e35_10.0.19041.4355_none_93954022fb5dc980\f\rdpinit.exe" /grant "everyone":(f)
      4⤵
      PID:4848
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-t..lications-clientsku_31bf3856ad364e35_10.0.19041.4355_none_93954022fb5dc980\f\rdpshell.exe"
    3⤵
    PID:2028
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:644
  - - C:\Windows\SysWOW64\takeown.exe
      takeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-t..lications-clientsku_31bf3856ad364e35_10.0.19041.4355_none_93954022fb5dc980\f\rdpshell.exe"
      4⤵
      PID:188
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\Windows\WinSxS\amd64_microsoft-windows-t..lications-clientsku_31bf3856ad364e35_10.0.19041.4355_none_93954022fb5dc980\f\rdpshell.exe" /grant "everyone":(f)
      4⤵
      PID:4500
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-t..lications-clientsku_31bf3856ad364e35_10.0.19041.4355_none_93954022fb5dc980\r\rdpinit.exe"
    3⤵
    PID:4536
  - - C:\Windows\SysWOW64\takeown.exe
      takeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-t..lications-clientsku_31bf3856ad364e35_10.0.19041.4355_none_93954022fb5dc980\r\rdpinit.exe"
      4⤵
      PID:4224
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\Windows\WinSxS\amd64_microsoft-windows-t..lications-clientsku_31bf3856ad364e35_10.0.19041.4355_none_93954022fb5dc980\r\rdpinit.exe" /grant "everyone":(f)
      4⤵
      PID:3800
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-t..lications-clientsku_31bf3856ad364e35_10.0.19041.4355_none_93954022fb5dc980\r\rdpshell.exe"
    3⤵
    PID:2728
  - - C:\Windows\SysWOW64\takeown.exe
      takeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-t..lications-clientsku_31bf3856ad364e35_10.0.19041.4355_none_93954022fb5dc980\r\rdpshell.exe"
      4⤵
      PID:4780
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\Windows\WinSxS\amd64_microsoft-windows-t..lications-clientsku_31bf3856ad364e35_10.0.19041.4355_none_93954022fb5dc980\r\rdpshell.exe" /grant "everyone":(f)
      4⤵
      PID:3212
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-t..lications-clientsku_31bf3856ad364e35_10.0.19041.4355_none_93954022fb5dc980\rdpinit.exe"
    3⤵
    PID:2116
  - - C:\Windows\SysWOW64\takeown.exe
      takeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-t..lications-clientsku_31bf3856ad364e35_10.0.19041.4355_none_93954022fb5dc980\rdpinit.exe"
      4⤵
      PID:4196
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\Windows\WinSxS\amd64_microsoft-windows-t..lications-clientsku_31bf3856ad364e35_10.0.19041.4355_none_93954022fb5dc980\rdpinit.exe" /grant "everyone":(f)
      4⤵
      PID:1280
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-t..lications-clientsku_31bf3856ad364e35_10.0.19041.4355_none_93954022fb5dc980\rdpshell.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2472
  - - C:\Windows\SysWOW64\takeown.exe
      takeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-t..lications-clientsku_31bf3856ad364e35_10.0.19041.4355_none_93954022fb5dc980\rdpshell.exe"
      4⤵
      PID:3624
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\Windows\WinSxS\amd64_microsoft-windows-t..lications-clientsku_31bf3856ad364e35_10.0.19041.4355_none_93954022fb5dc980\rdpshell.exe" /grant "everyone":(f)
      4⤵
      PID:2488
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-t..lipboardredirection_31bf3856ad364e35_10.0.19041.4355_none_7690306cc05c614c\f\rdpclip.exe"
    3⤵
    PID:1924
  - - C:\Windows\SysWOW64\takeown.exe
      takeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-t..lipboardredirection_31bf3856ad364e35_10.0.19041.4355_none_7690306cc05c614c\f\rdpclip.exe"
      4⤵
      PID:1524
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\Windows\WinSxS\amd64_microsoft-windows-t..lipboardredirection_31bf3856ad364e35_10.0.19041.4355_none_7690306cc05c614c\f\rdpclip.exe" /grant "everyone":(f)
      4⤵
      PID:4720
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-t..lipboardredirection_31bf3856ad364e35_10.0.19041.4355_none_7690306cc05c614c\r\rdpclip.exe"
    3⤵
    PID:860
  - - C:\Windows\SysWOW64\takeown.exe
      takeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-t..lipboardredirection_31bf3856ad364e35_10.0.19041.4355_none_7690306cc05c614c\r\rdpclip.exe"
      4⤵
      PID:3052
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\Windows\WinSxS\amd64_microsoft-windows-t..lipboardredirection_31bf3856ad364e35_10.0.19041.4355_none_7690306cc05c614c\r\rdpclip.exe" /grant "everyone":(f)
      4⤵
      PID:3488
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-t..lipboardredirection_31bf3856ad364e35_10.0.19041.4355_none_7690306cc05c614c\rdpclip.exe"
    3⤵
    PID:3596
  - - C:\Windows\SysWOW64\takeown.exe
      takeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-t..lipboardredirection_31bf3856ad364e35_10.0.19041.4355_none_7690306cc05c614c\rdpclip.exe"
      4⤵
      PID:3244
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\Windows\WinSxS\amd64_microsoft-windows-t..lipboardredirection_31bf3856ad364e35_10.0.19041.4355_none_7690306cc05c614c\rdpclip.exe" /grant "everyone":(f)
      4⤵
      PID:3528
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-t..lipboardredirection_31bf3856ad364e35_10.0.19041.746_none_dfcf5b6f69f16f7a\f\rdpclip.exe"
    3⤵
    PID:640
  - - C:\Windows\SysWOW64\takeown.exe
      takeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-t..lipboardredirection_31bf3856ad364e35_10.0.19041.746_none_dfcf5b6f69f16f7a\f\rdpclip.exe"
      4⤵
      PID:824
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\Windows\WinSxS\amd64_microsoft-windows-t..lipboardredirection_31bf3856ad364e35_10.0.19041.746_none_dfcf5b6f69f16f7a\f\rdpclip.exe" /grant "everyone":(f)
      4⤵
      PID:3704
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-t..lipboardredirection_31bf3856ad364e35_10.0.19041.746_none_dfcf5b6f69f16f7a\r\rdpclip.exe"
    3⤵
    PID:2664
  - - C:\Windows\SysWOW64\takeown.exe
      takeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-t..lipboardredirection_31bf3856ad364e35_10.0.19041.746_none_dfcf5b6f69f16f7a\r\rdpclip.exe"
      4⤵
      PID:2908
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\Windows\WinSxS\amd64_microsoft-windows-t..lipboardredirection_31bf3856ad364e35_10.0.19041.746_none_dfcf5b6f69f16f7a\r\rdpclip.exe" /grant "everyone":(f)
      4⤵
      PID:4584
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-t..lipboardredirection_31bf3856ad364e35_10.0.19041.746_none_dfcf5b6f69f16f7a\rdpclip.exe"
    3⤵
    PID:2516
  - - C:\Windows\SysWOW64\takeown.exe
      takeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-t..lipboardredirection_31bf3856ad364e35_10.0.19041.746_none_dfcf5b6f69f16f7a\rdpclip.exe"
      4⤵
      PID:1960
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\Windows\WinSxS\amd64_microsoft-windows-t..lipboardredirection_31bf3856ad364e35_10.0.19041.746_none_dfcf5b6f69f16f7a\rdpclip.exe" /grant "everyone":(f)
      4⤵
      PID:1192
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-t..lishing-wmiprovider_31bf3856ad364e35_10.0.19041.1151_none_aa086da848b2c07b\f\rdpsign.exe"
    3⤵
    PID:708
  - - C:\Windows\SysWOW64\takeown.exe
      takeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-t..lishing-wmiprovider_31bf3856ad364e35_10.0.19041.1151_none_aa086da848b2c07b\f\rdpsign.exe"
      4⤵
      PID:1648
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\Windows\WinSxS\amd64_microsoft-windows-t..lishing-wmiprovider_31bf3856ad364e35_10.0.19041.1151_none_aa086da848b2c07b\f\rdpsign.exe" /grant "everyone":(f)
      4⤵
      PID:2976
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-t..lishing-wmiprovider_31bf3856ad364e35_10.0.19041.1151_none_aa086da848b2c07b\r\rdpsign.exe"
    3⤵
    PID:1132
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:1980
  - - C:\Windows\SysWOW64\takeown.exe
      takeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-t..lishing-wmiprovider_31bf3856ad364e35_10.0.19041.1151_none_aa086da848b2c07b\r\rdpsign.exe"
      4⤵
      PID:2720
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\Windows\WinSxS\amd64_microsoft-windows-t..lishing-wmiprovider_31bf3856ad364e35_10.0.19041.1151_none_aa086da848b2c07b\r\rdpsign.exe" /grant "everyone":(f)
      4⤵
      PID:4508
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-t..lishing-wmiprovider_31bf3856ad364e35_10.0.19041.1151_none_aa086da848b2c07b\rdpsign.exe"
    3⤵
    PID:4684
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:2024
  - - C:\Windows\SysWOW64\takeown.exe
      takeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-t..lishing-wmiprovider_31bf3856ad364e35_10.0.19041.1151_none_aa086da848b2c07b\rdpsign.exe"
      4⤵
      PID:2644
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\Windows\WinSxS\amd64_microsoft-windows-t..lishing-wmiprovider_31bf3856ad364e35_10.0.19041.1151_none_aa086da848b2c07b\rdpsign.exe" /grant "everyone":(f)
      4⤵
      PID:1492
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-t..lishing-wmiprovider_31bf3856ad364e35_10.0.19041.3636_none_a9cfef5c48dd93f5\f\rdpsign.exe"
    3⤵
    PID:4848
  - - C:\Windows\SysWOW64\takeown.exe
      takeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-t..lishing-wmiprovider_31bf3856ad364e35_10.0.19041.3636_none_a9cfef5c48dd93f5\f\rdpsign.exe"
      4⤵
      PID:348
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\Windows\WinSxS\amd64_microsoft-windows-t..lishing-wmiprovider_31bf3856ad364e35_10.0.19041.3636_none_a9cfef5c48dd93f5\f\rdpsign.exe" /grant "everyone":(f)
      4⤵
      PID:3756
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-t..lishing-wmiprovider_31bf3856ad364e35_10.0.19041.3636_none_a9cfef5c48dd93f5\r\rdpsign.exe"
    3⤵
    PID:4500
  - - C:\Windows\SysWOW64\takeown.exe
      takeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-t..lishing-wmiprovider_31bf3856ad364e35_10.0.19041.3636_none_a9cfef5c48dd93f5\r\rdpsign.exe"
      4⤵
      PID:412
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\Windows\WinSxS\amd64_microsoft-windows-t..lishing-wmiprovider_31bf3856ad364e35_10.0.19041.3636_none_a9cfef5c48dd93f5\r\rdpsign.exe" /grant "everyone":(f)
      4⤵
      PID:3908
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-t..lishing-wmiprovider_31bf3856ad364e35_10.0.19041.3636_none_a9cfef5c48dd93f5\rdpsign.exe"
    3⤵
    PID:3080
  - - C:\Windows\SysWOW64\takeown.exe
      takeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-t..lishing-wmiprovider_31bf3856ad364e35_10.0.19041.3636_none_a9cfef5c48dd93f5\rdpsign.exe"
      4⤵
      PID:3496
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\Windows\WinSxS\amd64_microsoft-windows-t..lishing-wmiprovider_31bf3856ad364e35_10.0.19041.3636_none_a9cfef5c48dd93f5\rdpsign.exe" /grant "everyone":(f)
      4⤵
      PID:4388
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-t..minalservicesclient_31bf3856ad364e35_10.0.19041.1266_none_c2a2211ad648e627\f\mstsc.exe"
    3⤵
    PID:3440
  - - C:\Windows\SysWOW64\takeown.exe
      takeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-t..minalservicesclient_31bf3856ad364e35_10.0.19041.1266_none_c2a2211ad648e627\f\mstsc.exe"
      4⤵
      PID:3560
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\Windows\WinSxS\amd64_microsoft-windows-t..minalservicesclient_31bf3856ad364e35_10.0.19041.1266_none_c2a2211ad648e627\f\mstsc.exe" /grant "everyone":(f)
      4⤵
      PID:4196
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-t..minalservicesclient_31bf3856ad364e35_10.0.19041.1266_none_c2a2211ad648e627\mstsc.exe"
    3⤵
    PID:4528
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:4156
  - - C:\Windows\SysWOW64\takeown.exe
      takeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-t..minalservicesclient_31bf3856ad364e35_10.0.19041.1266_none_c2a2211ad648e627\mstsc.exe"
      4⤵
      PID:3980
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\Windows\WinSxS\amd64_microsoft-windows-t..minalservicesclient_31bf3856ad364e35_10.0.19041.1266_none_c2a2211ad648e627\mstsc.exe" /grant "everyone":(f)
      4⤵
      PID:2868
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-t..minalservicesclient_31bf3856ad364e35_10.0.19041.1266_none_c2a2211ad648e627\r\mstsc.exe"
    3⤵
    PID:4348
  - - C:\Windows\SysWOW64\takeown.exe
      takeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-t..minalservicesclient_31bf3856ad364e35_10.0.19041.1266_none_c2a2211ad648e627\r\mstsc.exe"
      4⤵
      PID:5008
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\Windows\WinSxS\amd64_microsoft-windows-t..minalservicesclient_31bf3856ad364e35_10.0.19041.1266_none_c2a2211ad648e627\r\mstsc.exe" /grant "everyone":(f)
      4⤵
      Possible privilege escalation attempt
      PID:3632
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-t..minalservicesclient_31bf3856ad364e35_10.0.19041.4355_none_c2966d5ed651c695\f\mstsc.exe"
    3⤵
    PID:3052
  - - C:\Windows\SysWOW64\takeown.exe
      takeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-t..minalservicesclient_31bf3856ad364e35_10.0.19041.4355_none_c2966d5ed651c695\f\mstsc.exe"
      4⤵
      PID:3968
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\Windows\WinSxS\amd64_microsoft-windows-t..minalservicesclient_31bf3856ad364e35_10.0.19041.4355_none_c2966d5ed651c695\f\mstsc.exe" /grant "everyone":(f)
      4⤵
      PID:4300
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-t..minalservicesclient_31bf3856ad364e35_10.0.19041.4355_none_c2966d5ed651c695\mstsc.exe"
    3⤵
    PID:1144
  - - C:\Windows\SysWOW64\takeown.exe
      takeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-t..minalservicesclient_31bf3856ad364e35_10.0.19041.4355_none_c2966d5ed651c695\mstsc.exe"
      4⤵
      Modifies file permissions
      PID:756
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\Windows\WinSxS\amd64_microsoft-windows-t..minalservicesclient_31bf3856ad364e35_10.0.19041.4355_none_c2966d5ed651c695\mstsc.exe" /grant "everyone":(f)
      4⤵
      PID:1388
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-t..minalservicesclient_31bf3856ad364e35_10.0.19041.4355_none_c2966d5ed651c695\r\mstsc.exe"
    3⤵
    PID:3608
  - - C:\Windows\SysWOW64\takeown.exe
      takeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-t..minalservicesclient_31bf3856ad364e35_10.0.19041.4355_none_c2966d5ed651c695\r\mstsc.exe"
      4⤵
      PID:420
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\Windows\WinSxS\amd64_microsoft-windows-t..minalservicesclient_31bf3856ad364e35_10.0.19041.4355_none_c2966d5ed651c695\r\mstsc.exe" /grant "everyone":(f)
      4⤵
      PID:3256
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-t..nputpersonalization_31bf3856ad364e35_10.0.19041.4412_none_b457a6037b99d591\f\InputPersonalization.exe"
    3⤵
    PID:4660
  - - C:\Windows\SysWOW64\takeown.exe
      takeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-t..nputpersonalization_31bf3856ad364e35_10.0.19041.4412_none_b457a6037b99d591\f\InputPersonalization.exe"
      4⤵
      PID:2276
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\Windows\WinSxS\amd64_microsoft-windows-t..nputpersonalization_31bf3856ad364e35_10.0.19041.4412_none_b457a6037b99d591\f\InputPersonalization.exe" /grant "everyone":(f)
      4⤵
      PID:1960
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-t..nputpersonalization_31bf3856ad364e35_10.0.19041.4412_none_b457a6037b99d591\f\ShapeCollector.exe"
    3⤵
    PID:1304
  - - C:\Windows\SysWOW64\takeown.exe
      takeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-t..nputpersonalization_31bf3856ad364e35_10.0.19041.4412_none_b457a6037b99d591\f\ShapeCollector.exe"
      4⤵
      PID:2220
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\Windows\WinSxS\amd64_microsoft-windows-t..nputpersonalization_31bf3856ad364e35_10.0.19041.4412_none_b457a6037b99d591\f\ShapeCollector.exe" /grant "everyone":(f)
      4⤵
      PID:3160
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-t..nputpersonalization_31bf3856ad364e35_10.0.19041.4412_none_b457a6037b99d591\InputPersonalization.exe"
    3⤵
    PID:4524
  - - C:\Windows\SysWOW64\takeown.exe
      takeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-t..nputpersonalization_31bf3856ad364e35_10.0.19041.4412_none_b457a6037b99d591\InputPersonalization.exe"
      4⤵
      PID:4836
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\Windows\WinSxS\amd64_microsoft-windows-t..nputpersonalization_31bf3856ad364e35_10.0.19041.4412_none_b457a6037b99d591\InputPersonalization.exe" /grant "everyone":(f)
      4⤵
      PID:2924
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-t..nputpersonalization_31bf3856ad364e35_10.0.19041.4412_none_b457a6037b99d591\r\InputPersonalization.exe"
    3⤵
    PID:2396
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:3716
  - - C:\Windows\SysWOW64\takeown.exe
      takeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-t..nputpersonalization_31bf3856ad364e35_10.0.19041.4412_none_b457a6037b99d591\r\InputPersonalization.exe"
      4⤵
      PID:4480
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\Windows\WinSxS\amd64_microsoft-windows-t..nputpersonalization_31bf3856ad364e35_10.0.19041.4412_none_b457a6037b99d591\r\InputPersonalization.exe" /grant "everyone":(f)
      4⤵
      PID:3580
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-t..nputpersonalization_31bf3856ad364e35_10.0.19041.4412_none_b457a6037b99d591\r\ShapeCollector.exe"
    3⤵
    PID:3432
  - - C:\Windows\SysWOW64\takeown.exe
      takeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-t..nputpersonalization_31bf3856ad364e35_10.0.19041.4412_none_b457a6037b99d591\r\ShapeCollector.exe"
      4⤵
      PID:3036
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\Windows\WinSxS\amd64_microsoft-windows-t..nputpersonalization_31bf3856ad364e35_10.0.19041.4412_none_b457a6037b99d591\r\ShapeCollector.exe" /grant "everyone":(f)
      4⤵
      PID:1840
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-t..nputpersonalization_31bf3856ad364e35_10.0.19041.4412_none_b457a6037b99d591\ShapeCollector.exe"
    3⤵
    PID:1932
  - - C:\Windows\SysWOW64\takeown.exe
      takeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-t..nputpersonalization_31bf3856ad364e35_10.0.19041.4412_none_b457a6037b99d591\ShapeCollector.exe"
      4⤵
      PID:2432
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\Windows\WinSxS\amd64_microsoft-windows-t..nputpersonalization_31bf3856ad364e35_10.0.19041.4412_none_b457a6037b99d591\ShapeCollector.exe" /grant "everyone":(f)
      4⤵
      PID:4816
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-t..nputpersonalization_31bf3856ad364e35_10.0.19041.746_none_1da55dc225237a0d\f\InputPersonalization.exe"
    3⤵
    PID:2864
  - - C:\Windows\SysWOW64\takeown.exe
      takeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-t..nputpersonalization_31bf3856ad364e35_10.0.19041.746_none_1da55dc225237a0d\f\InputPersonalization.exe"
      4⤵
      PID:2028
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\Windows\WinSxS\amd64_microsoft-windows-t..nputpersonalization_31bf3856ad364e35_10.0.19041.746_none_1da55dc225237a0d\f\InputPersonalization.exe" /grant "everyone":(f)
      4⤵
      PID:5116
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-t..nputpersonalization_31bf3856ad364e35_10.0.19041.746_none_1da55dc225237a0d\f\ShapeCollector.exe"
    3⤵
    PID:1628
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:3212
  - - C:\Windows\SysWOW64\takeown.exe
      takeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-t..nputpersonalization_31bf3856ad364e35_10.0.19041.746_none_1da55dc225237a0d\f\ShapeCollector.exe"
      4⤵
      PID:3800
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\Windows\WinSxS\amd64_microsoft-windows-t..nputpersonalization_31bf3856ad364e35_10.0.19041.746_none_1da55dc225237a0d\f\ShapeCollector.exe" /grant "everyone":(f)
      4⤵
      PID:1804
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-t..nputpersonalization_31bf3856ad364e35_10.0.19041.746_none_1da55dc225237a0d\InputPersonalization.exe"
    3⤵
    PID:3164
  - - C:\Windows\SysWOW64\takeown.exe
      takeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-t..nputpersonalization_31bf3856ad364e35_10.0.19041.746_none_1da55dc225237a0d\InputPersonalization.exe"
      4⤵
      PID:3440
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\Windows\WinSxS\amd64_microsoft-windows-t..nputpersonalization_31bf3856ad364e35_10.0.19041.746_none_1da55dc225237a0d\InputPersonalization.exe" /grant "everyone":(f)
      4⤵
      PID:4780
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-t..nputpersonalization_31bf3856ad364e35_10.0.19041.746_none_1da55dc225237a0d\r\InputPersonalization.exe"
    3⤵
    PID:4136
  - - C:\Windows\SysWOW64\takeown.exe
      takeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-t..nputpersonalization_31bf3856ad364e35_10.0.19041.746_none_1da55dc225237a0d\r\InputPersonalization.exe"
      4⤵
      PID:1916
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\Windows\WinSxS\amd64_microsoft-windows-t..nputpersonalization_31bf3856ad364e35_10.0.19041.746_none_1da55dc225237a0d\r\InputPersonalization.exe" /grant "everyone":(f)
      4⤵
      PID:4528
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-t..nputpersonalization_31bf3856ad364e35_10.0.19041.746_none_1da55dc225237a0d\r\ShapeCollector.exe"
    3⤵
    PID:620
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:4720
  - - C:\Windows\SysWOW64\takeown.exe
      takeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-t..nputpersonalization_31bf3856ad364e35_10.0.19041.746_none_1da55dc225237a0d\r\ShapeCollector.exe"
      4⤵
      PID:3676
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\Windows\WinSxS\amd64_microsoft-windows-t..nputpersonalization_31bf3856ad364e35_10.0.19041.746_none_1da55dc225237a0d\r\ShapeCollector.exe" /grant "everyone":(f)
      4⤵
      PID:4348
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-t..nputpersonalization_31bf3856ad364e35_10.0.19041.746_none_1da55dc225237a0d\ShapeCollector.exe"
    3⤵
    PID:3488
  - - C:\Windows\SysWOW64\takeown.exe
      takeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-t..nputpersonalization_31bf3856ad364e35_10.0.19041.746_none_1da55dc225237a0d\ShapeCollector.exe"
      4⤵
      PID:860
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\Windows\WinSxS\amd64_microsoft-windows-t..nputpersonalization_31bf3856ad364e35_10.0.19041.746_none_1da55dc225237a0d\ShapeCollector.exe" /grant "everyone":(f)
      4⤵
      PID:2828
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-t..onagent-proxyobject_31bf3856ad364e35_10.0.19041.1_none_19667e7e60cb0ccd\RdpSaProxy.exe"
    3⤵
    PID:4644
  - - C:\Windows\SysWOW64\takeown.exe
      takeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-t..onagent-proxyobject_31bf3856ad364e35_10.0.19041.1_none_19667e7e60cb0ccd\RdpSaProxy.exe"
      4⤵
      PID:3596
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\Windows\WinSxS\amd64_microsoft-windows-t..onagent-proxyobject_31bf3856ad364e35_10.0.19041.1_none_19667e7e60cb0ccd\RdpSaProxy.exe" /grant "everyone":(f)
      4⤵
      PID:756
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-t..onagent-proxyobject_31bf3856ad364e35_10.0.19041.3636_none_d80d07be76c1fa88\f\RdpSaProxy.exe"
    3⤵
    PID:3528
  - - C:\Windows\SysWOW64\takeown.exe
      takeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-t..onagent-proxyobject_31bf3856ad364e35_10.0.19041.3636_none_d80d07be76c1fa88\f\RdpSaProxy.exe"
      4⤵
      PID:824
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\Windows\WinSxS\amd64_microsoft-windows-t..onagent-proxyobject_31bf3856ad364e35_10.0.19041.3636_none_d80d07be76c1fa88\f\RdpSaProxy.exe" /grant "everyone":(f)
      4⤵
      PID:1940
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-t..onagent-proxyobject_31bf3856ad364e35_10.0.19041.3636_none_d80d07be76c1fa88\r\RdpSaProxy.exe"
    3⤵
    PID:3696
  - - C:\Windows\SysWOW64\takeown.exe
      takeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-t..onagent-proxyobject_31bf3856ad364e35_10.0.19041.3636_none_d80d07be76c1fa88\r\RdpSaProxy.exe"
      4⤵
      PID:3960
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\Windows\WinSxS\amd64_microsoft-windows-t..onagent-proxyobject_31bf3856ad364e35_10.0.19041.3636_none_d80d07be76c1fa88\r\RdpSaProxy.exe" /grant "everyone":(f)
      4⤵
      PID:4584
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-t..onagent-proxyobject_31bf3856ad364e35_10.0.19041.3636_none_d80d07be76c1fa88\RdpSaProxy.exe"
    3⤵
    PID:2664
  - - C:\Windows\SysWOW64\takeown.exe
      takeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-t..onagent-proxyobject_31bf3856ad364e35_10.0.19041.3636_none_d80d07be76c1fa88\RdpSaProxy.exe"
      4⤵
      PID:3160
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\Windows\WinSxS\amd64_microsoft-windows-t..onagent-proxyobject_31bf3856ad364e35_10.0.19041.3636_none_d80d07be76c1fa88\RdpSaProxy.exe" /grant "everyone":(f)
      4⤵
      PID:2220
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-t..ork-uimanagerbroker_31bf3856ad364e35_10.0.19041.388_none_57e235d809a12c5b\f\UIMgrBroker.exe"
    3⤵
    PID:2516
  - - C:\Windows\SysWOW64\takeown.exe
      takeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-t..ork-uimanagerbroker_31bf3856ad364e35_10.0.19041.388_none_57e235d809a12c5b\f\UIMgrBroker.exe"
      4⤵
      PID:4108
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\Windows\WinSxS\amd64_microsoft-windows-t..ork-uimanagerbroker_31bf3856ad364e35_10.0.19041.388_none_57e235d809a12c5b\f\UIMgrBroker.exe" /grant "everyone":(f)
      4⤵
      PID:8
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-t..ork-uimanagerbroker_31bf3856ad364e35_10.0.19041.388_none_57e235d809a12c5b\r\UIMgrBroker.exe"
    3⤵
    PID:2476
  - - C:\Windows\SysWOW64\takeown.exe
      takeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-t..ork-uimanagerbroker_31bf3856ad364e35_10.0.19041.388_none_57e235d809a12c5b\r\UIMgrBroker.exe"
      4⤵
      PID:3036
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\Windows\WinSxS\amd64_microsoft-windows-t..ork-uimanagerbroker_31bf3856ad364e35_10.0.19041.388_none_57e235d809a12c5b\r\UIMgrBroker.exe" /grant "everyone":(f)
      4⤵
      PID:3572
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-t..ork-uimanagerbroker_31bf3856ad364e35_10.0.19041.388_none_57e235d809a12c5b\UIMgrBroker.exe"
    3⤵
    PID:4732
  - - C:\Windows\SysWOW64\takeown.exe
      takeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-t..ork-uimanagerbroker_31bf3856ad364e35_10.0.19041.388_none_57e235d809a12c5b\UIMgrBroker.exe"
      4⤵
      PID:4500
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\Windows\WinSxS\amd64_microsoft-windows-t..ork-uimanagerbroker_31bf3856ad364e35_10.0.19041.388_none_57e235d809a12c5b\UIMgrBroker.exe" /grant "everyone":(f)
      4⤵
      PID:4536
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-t..ork-uimanagerbroker_31bf3856ad364e35_10.0.19041.4355_none_eecc51895fed7057\f\UIMgrBroker.exe"
    3⤵
    PID:3120
  - - C:\Windows\SysWOW64\takeown.exe
      takeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-t..ork-uimanagerbroker_31bf3856ad364e35_10.0.19041.4355_none_eecc51895fed7057\f\UIMgrBroker.exe"
      4⤵
      PID:2576
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\Windows\WinSxS\amd64_microsoft-windows-t..ork-uimanagerbroker_31bf3856ad364e35_10.0.19041.4355_none_eecc51895fed7057\f\UIMgrBroker.exe" /grant "everyone":(f)
      4⤵
      PID:2392
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-t..ork-uimanagerbroker_31bf3856ad364e35_10.0.19041.4355_none_eecc51895fed7057\r\UIMgrBroker.exe"
    3⤵
    PID:1280
  - - C:\Windows\SysWOW64\takeown.exe
      takeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-t..ork-uimanagerbroker_31bf3856ad364e35_10.0.19041.4355_none_eecc51895fed7057\r\UIMgrBroker.exe"
      4⤵
      PID:2176
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\Windows\WinSxS\amd64_microsoft-windows-t..ork-uimanagerbroker_31bf3856ad364e35_10.0.19041.4355_none_eecc51895fed7057\r\UIMgrBroker.exe" /grant "everyone":(f)
      4⤵
      PID:2380
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-t..ork-uimanagerbroker_31bf3856ad364e35_10.0.19041.4355_none_eecc51895fed7057\UIMgrBroker.exe"
    3⤵
    PID:1988
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:3024
  - - C:\Windows\SysWOW64\takeown.exe
      takeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-t..ork-uimanagerbroker_31bf3856ad364e35_10.0.19041.4355_none_eecc51895fed7057\UIMgrBroker.exe"
      4⤵
      Modifies file permissions
      System Location Discovery: System Language Discovery
      PID:968
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\Windows\WinSxS\amd64_microsoft-windows-t..ork-uimanagerbroker_31bf3856ad364e35_10.0.19041.4355_none_eecc51895fed7057\UIMgrBroker.exe" /grant "everyone":(f)
      4⤵
      PID:4644
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-t..rvices-sessionagent_31bf3856ad364e35_10.0.19041.1_none_31431424ec14de3f\RdpSa.exe"
    3⤵
    PID:1828
  - - C:\Windows\SysWOW64\takeown.exe
      takeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-t..rvices-sessionagent_31bf3856ad364e35_10.0.19041.1_none_31431424ec14de3f\RdpSa.exe"
      4⤵
      PID:1100
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\Windows\WinSxS\amd64_microsoft-windows-t..rvices-sessionagent_31bf3856ad364e35_10.0.19041.1_none_31431424ec14de3f\RdpSa.exe" /grant "everyone":(f)
      4⤵
      PID:3528
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-t..rvices-sessionagent_31bf3856ad364e35_10.0.19041.3636_none_efe99d65020bcbfa\f\RdpSa.exe"
    3⤵
    PID:4132
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:3708
  - - C:\Windows\SysWOW64\takeown.exe
      takeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-t..rvices-sessionagent_31bf3856ad364e35_10.0.19041.3636_none_efe99d65020bcbfa\f\RdpSa.exe"
      4⤵
      PID:4584
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\Windows\WinSxS\amd64_microsoft-windows-t..rvices-sessionagent_31bf3856ad364e35_10.0.19041.3636_none_efe99d65020bcbfa\f\RdpSa.exe" /grant "everyone":(f)
      4⤵
      PID:3132
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-t..rvices-sessionagent_31bf3856ad364e35_10.0.19041.3636_none_efe99d65020bcbfa\r\RdpSa.exe"
    3⤵
    PID:640
  - - C:\Windows\SysWOW64\takeown.exe
      takeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-t..rvices-sessionagent_31bf3856ad364e35_10.0.19041.3636_none_efe99d65020bcbfa\r\RdpSa.exe"
      4⤵
      PID:576
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\Windows\WinSxS\amd64_microsoft-windows-t..rvices-sessionagent_31bf3856ad364e35_10.0.19041.3636_none_efe99d65020bcbfa\r\RdpSa.exe" /grant "everyone":(f)
      4⤵
      PID:764
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-t..rvices-sessionagent_31bf3856ad364e35_10.0.19041.3636_none_efe99d65020bcbfa\RdpSa.exe"
    3⤵
    PID:5016
  - - C:\Windows\SysWOW64\takeown.exe
      takeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-t..rvices-sessionagent_31bf3856ad364e35_10.0.19041.3636_none_efe99d65020bcbfa\RdpSa.exe"
      4⤵
      PID:8
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\Windows\WinSxS\amd64_microsoft-windows-t..rvices-sessionagent_31bf3856ad364e35_10.0.19041.3636_none_efe99d65020bcbfa\RdpSa.exe" /grant "everyone":(f)
      4⤵
      PID:1224
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-t..services-sessionmsg_31bf3856ad364e35_10.0.19041.3636_none_af6a305578807f3c\f\sessionmsg.exe"
    3⤵
    PID:2720
  - - C:\Windows\SysWOW64\takeown.exe
      takeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-t..services-sessionmsg_31bf3856ad364e35_10.0.19041.3636_none_af6a305578807f3c\f\sessionmsg.exe"
      4⤵
      PID:3652
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\Windows\WinSxS\amd64_microsoft-windows-t..services-sessionmsg_31bf3856ad364e35_10.0.19041.3636_none_af6a305578807f3c\f\sessionmsg.exe" /grant "everyone":(f)
      4⤵
      PID:4548
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-t..services-sessionmsg_31bf3856ad364e35_10.0.19041.3636_none_af6a305578807f3c\r\sessionmsg.exe"
    3⤵
    PID:3812
  - - C:\Windows\SysWOW64\takeown.exe
      takeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-t..services-sessionmsg_31bf3856ad364e35_10.0.19041.3636_none_af6a305578807f3c\r\sessionmsg.exe"
      4⤵
      PID:3880
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\Windows\WinSxS\amd64_microsoft-windows-t..services-sessionmsg_31bf3856ad364e35_10.0.19041.3636_none_af6a305578807f3c\r\sessionmsg.exe" /grant "everyone":(f)
      4⤵
      PID:4044
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-t..services-sessionmsg_31bf3856ad364e35_10.0.19041.3636_none_af6a305578807f3c\sessionmsg.exe"
    3⤵
    PID:3868
  - - C:\Windows\SysWOW64\takeown.exe
      takeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-t..services-sessionmsg_31bf3856ad364e35_10.0.19041.3636_none_af6a305578807f3c\sessionmsg.exe"
      4⤵
      Possible privilege escalation attempt
      PID:4628
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\Windows\WinSxS\amd64_microsoft-windows-t..services-sessionmsg_31bf3856ad364e35_10.0.19041.3636_none_af6a305578807f3c\sessionmsg.exe" /grant "everyone":(f)
      4⤵
      PID:3944
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-t..services-sessionmsg_31bf3856ad364e35_10.0.19041.746_none_18cbe45e21fb4fcb\f\sessionmsg.exe"
    3⤵
    PID:4776
  - - C:\Windows\SysWOW64\takeown.exe
      takeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-t..services-sessionmsg_31bf3856ad364e35_10.0.19041.746_none_18cbe45e21fb4fcb\f\sessionmsg.exe"
      4⤵
      PID:1696
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\Windows\WinSxS\amd64_microsoft-windows-t..services-sessionmsg_31bf3856ad364e35_10.0.19041.746_none_18cbe45e21fb4fcb\f\sessionmsg.exe" /grant "everyone":(f)
      4⤵
      PID:4468
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-t..services-sessionmsg_31bf3856ad364e35_10.0.19041.746_none_18cbe45e21fb4fcb\r\sessionmsg.exe"
    3⤵
    PID:1932
  - - C:\Windows\SysWOW64\takeown.exe
      takeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-t..services-sessionmsg_31bf3856ad364e35_10.0.19041.746_none_18cbe45e21fb4fcb\r\sessionmsg.exe"
      4⤵
      PID:1764
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\Windows\WinSxS\amd64_microsoft-windows-t..services-sessionmsg_31bf3856ad364e35_10.0.19041.746_none_18cbe45e21fb4fcb\r\sessionmsg.exe" /grant "everyone":(f)
      4⤵
      PID:4828
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-t..services-sessionmsg_31bf3856ad364e35_10.0.19041.746_none_18cbe45e21fb4fcb\sessionmsg.exe"
    3⤵
    PID:1400
  - - C:\Windows\SysWOW64\takeown.exe
      takeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-t..services-sessionmsg_31bf3856ad364e35_10.0.19041.746_none_18cbe45e21fb4fcb\sessionmsg.exe"
      4⤵
      PID:2604
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\Windows\WinSxS\amd64_microsoft-windows-t..services-sessionmsg_31bf3856ad364e35_10.0.19041.746_none_18cbe45e21fb4fcb\sessionmsg.exe" /grant "everyone":(f)
      4⤵
      PID:3256
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-t..sionagent-uachelper_31bf3856ad364e35_10.0.19041.1_none_70aae5f3051c8851\RdpSaUacHelper.exe"
    3⤵
    PID:2364
  - - C:\Windows\SysWOW64\takeown.exe
      takeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-t..sionagent-uachelper_31bf3856ad364e35_10.0.19041.1_none_70aae5f3051c8851\RdpSaUacHelper.exe"
      4⤵
      PID:3160
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\Windows\WinSxS\amd64_microsoft-windows-t..sionagent-uachelper_31bf3856ad364e35_10.0.19041.1_none_70aae5f3051c8851\RdpSaUacHelper.exe" /grant "everyone":(f)
      4⤵
      PID:892
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-t..sionagent-uachelper_31bf3856ad364e35_10.0.19041.3636_none_2f516f331b13760c\f\RdpSaUacHelper.exe"
    3⤵
    PID:1860
  - - C:\Windows\SysWOW64\takeown.exe
      takeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-t..sionagent-uachelper_31bf3856ad364e35_10.0.19041.3636_none_2f516f331b13760c\f\RdpSaUacHelper.exe"
      4⤵
      PID:2280
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\Windows\WinSxS\amd64_microsoft-windows-t..sionagent-uachelper_31bf3856ad364e35_10.0.19041.3636_none_2f516f331b13760c\f\RdpSaUacHelper.exe" /grant "everyone":(f)
      4⤵
      PID:4236
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-t..sionagent-uachelper_31bf3856ad364e35_10.0.19041.3636_none_2f516f331b13760c\r\RdpSaUacHelper.exe"
    3⤵
    PID:3816
  - - C:\Windows\SysWOW64\takeown.exe
      takeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-t..sionagent-uachelper_31bf3856ad364e35_10.0.19041.3636_none_2f516f331b13760c\r\RdpSaUacHelper.exe"
      4⤵
      PID:3196
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\Windows\WinSxS\amd64_microsoft-windows-t..sionagent-uachelper_31bf3856ad364e35_10.0.19041.3636_none_2f516f331b13760c\r\RdpSaUacHelper.exe" /grant "everyone":(f)
      4⤵
      PID:2968
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-t..sionagent-uachelper_31bf3856ad364e35_10.0.19041.3636_none_2f516f331b13760c\RdpSaUacHelper.exe"
    3⤵
    PID:3868
  - - C:\Windows\SysWOW64\takeown.exe
      takeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-t..sionagent-uachelper_31bf3856ad364e35_10.0.19041.3636_none_2f516f331b13760c\RdpSaUacHelper.exe"
      4⤵
      Possible privilege escalation attempt
      PID:4468
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\Windows\WinSxS\amd64_microsoft-windows-t..sionagent-uachelper_31bf3856ad364e35_10.0.19041.3636_none_2f516f331b13760c\RdpSaUacHelper.exe" /grant "everyone":(f)
      4⤵
      PID:4368
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-tabletpc-controlpanel_31bf3856ad364e35_10.0.19041.1_none_95647fabfa4ec9fe\MultiDigiMon.exe"
    3⤵
    PID:3916
  - - C:\Windows\SysWOW64\takeown.exe
      takeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-tabletpc-controlpanel_31bf3856ad364e35_10.0.19041.1_none_95647fabfa4ec9fe\MultiDigiMon.exe"
      4⤵
      PID:1604
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\Windows\WinSxS\amd64_microsoft-windows-tabletpc-controlpanel_31bf3856ad364e35_10.0.19041.1_none_95647fabfa4ec9fe\MultiDigiMon.exe" /grant "everyone":(f)
      4⤵
      PID:4736
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-tabletpc-controlpanel_31bf3856ad364e35_10.0.19041.1_none_95647fabfa4ec9fe\tabcal.exe"
    3⤵
    PID:1492
  - - C:\Windows\SysWOW64\takeown.exe
      takeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-tabletpc-controlpanel_31bf3856ad364e35_10.0.19041.1_none_95647fabfa4ec9fe\tabcal.exe"
      4⤵
      PID:1116
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\Windows\WinSxS\amd64_microsoft-windows-tabletpc-controlpanel_31bf3856ad364e35_10.0.19041.1_none_95647fabfa4ec9fe\tabcal.exe" /grant "everyone":(f)
      4⤵
      PID:1920
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-tabletpc-inputpanel_31bf3856ad364e35_10.0.19041.4355_none_864935902cbc83b5\f\TabTip.exe"
    3⤵
    PID:1964
  - - C:\Windows\SysWOW64\takeown.exe
      takeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-tabletpc-inputpanel_31bf3856ad364e35_10.0.19041.4355_none_864935902cbc83b5\f\TabTip.exe"
      4⤵
      PID:1400
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\Windows\WinSxS\amd64_microsoft-windows-tabletpc-inputpanel_31bf3856ad364e35_10.0.19041.4355_none_864935902cbc83b5\f\TabTip.exe" /grant "everyone":(f)
      4⤵
      PID:3632
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-tabletpc-inputpanel_31bf3856ad364e35_10.0.19041.4355_none_864935902cbc83b5\r\TabTip.exe"
    3⤵
    PID:1100
  - - C:\Windows\SysWOW64\takeown.exe
      takeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-tabletpc-inputpanel_31bf3856ad364e35_10.0.19041.4355_none_864935902cbc83b5\r\TabTip.exe"
      4⤵
      PID:2648
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\Windows\WinSxS\amd64_microsoft-windows-tabletpc-inputpanel_31bf3856ad364e35_10.0.19041.4355_none_864935902cbc83b5\r\TabTip.exe" /grant "everyone":(f)
      4⤵
      PID:4084
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-tabletpc-inputpanel_31bf3856ad364e35_10.0.19041.4355_none_864935902cbc83b5\TabTip.exe"
    3⤵
    PID:4064
  - - C:\Windows\SysWOW64\takeown.exe
      takeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-tabletpc-inputpanel_31bf3856ad364e35_10.0.19041.4355_none_864935902cbc83b5\TabTip.exe"
      4⤵
      PID:4384
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\Windows\WinSxS\amd64_microsoft-windows-tabletpc-inputpanel_31bf3856ad364e35_10.0.19041.4355_none_864935902cbc83b5\TabTip.exe" /grant "everyone":(f)
      4⤵
      PID:3252
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-tabletpc-inputpanel_31bf3856ad364e35_10.0.19041.844_none_ef8661e4d6535c5c\f\TabTip.exe"
    3⤵
    PID:1284
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:1192
  - - C:\Windows\SysWOW64\takeown.exe
      takeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-tabletpc-inputpanel_31bf3856ad364e35_10.0.19041.844_none_ef8661e4d6535c5c\f\TabTip.exe"
      4⤵
      PID:1960
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\Windows\WinSxS\amd64_microsoft-windows-tabletpc-inputpanel_31bf3856ad364e35_10.0.19041.844_none_ef8661e4d6535c5c\f\TabTip.exe" /grant "everyone":(f)
      4⤵
      PID:1828
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-tabletpc-inputpanel_31bf3856ad364e35_10.0.19041.844_none_ef8661e4d6535c5c\r\TabTip.exe"
    3⤵
    PID:5016
  - - C:\Windows\SysWOW64\takeown.exe
      takeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-tabletpc-inputpanel_31bf3856ad364e35_10.0.19041.844_none_ef8661e4d6535c5c\r\TabTip.exe"
      4⤵
      PID:3704
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\Windows\WinSxS\amd64_microsoft-windows-tabletpc-inputpanel_31bf3856ad364e35_10.0.19041.844_none_ef8661e4d6535c5c\r\TabTip.exe" /grant "everyone":(f)
      4⤵
      Modifies file permissions
      PID:1224
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-tabletpc-inputpanel_31bf3856ad364e35_10.0.19041.844_none_ef8661e4d6535c5c\TabTip.exe"
    3⤵
    PID:2516
  - - C:\Windows\SysWOW64\takeown.exe
      takeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-tabletpc-inputpanel_31bf3856ad364e35_10.0.19041.844_none_ef8661e4d6535c5c\TabTip.exe"
      4⤵
      PID:4208
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\Windows\WinSxS\amd64_microsoft-windows-tabletpc-inputpanel_31bf3856ad364e35_10.0.19041.844_none_ef8661e4d6535c5c\TabTip.exe" /grant "everyone":(f)
      4⤵
      PID:840
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-takeown_31bf3856ad364e35_10.0.19041.1_none_afdc734db4fba076\takeown.exe"
    3⤵
    PID:4672
  - - C:\Windows\SysWOW64\takeown.exe
      takeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-takeown_31bf3856ad364e35_10.0.19041.1_none_afdc734db4fba076\takeown.exe"
      4⤵
      PID:4284
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\Windows\WinSxS\amd64_microsoft-windows-takeown_31bf3856ad364e35_10.0.19041.1_none_afdc734db4fba076\takeown.exe" /grant "everyone":(f)
      4⤵
      PID:4740
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-tapicore_31bf3856ad364e35_10.0.19041.3636_none_58d16f4dfbeb0e8d\dialer.exe"
    3⤵
    PID:4196
  - - C:\Windows\SysWOW64\takeown.exe
      takeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-tapicore_31bf3856ad364e35_10.0.19041.3636_none_58d16f4dfbeb0e8d\dialer.exe"
      4⤵
      PID:3932
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\Windows\WinSxS\amd64_microsoft-windows-tapicore_31bf3856ad364e35_10.0.19041.3636_none_58d16f4dfbeb0e8d\dialer.exe" /grant "everyone":(f)
      4⤵
      PID:4180
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-tapicore_31bf3856ad364e35_10.0.19041.746_none_c2332356a565df1c\dialer.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1932
  - - C:\Windows\SysWOW64\takeown.exe
      takeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-tapicore_31bf3856ad364e35_10.0.19041.746_none_c2332356a565df1c\dialer.exe"
      4⤵
      PID:3036
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\Windows\WinSxS\amd64_microsoft-windows-tapicore_31bf3856ad364e35_10.0.19041.746_none_c2332356a565df1c\dialer.exe" /grant "everyone":(f)
      4⤵
      System Location Discovery: System Language Discovery
      PID:1784
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-tapisetup_31bf3856ad364e35_10.0.19041.3636_none_de8ac187507e7a17\TapiUnattend.exe"
    3⤵
    PID:2728
  - - C:\Windows\SysWOW64\takeown.exe
      takeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-tapisetup_31bf3856ad364e35_10.0.19041.3636_none_de8ac187507e7a17\TapiUnattend.exe"
      4⤵
      PID:620
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\Windows\WinSxS\amd64_microsoft-windows-tapisetup_31bf3856ad364e35_10.0.19041.3636_none_de8ac187507e7a17\TapiUnattend.exe" /grant "everyone":(f)
      4⤵
      PID:5008
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-tapisetup_31bf3856ad364e35_10.0.19041.746_none_47ec758ff9f94aa6\TapiUnattend.exe"
    3⤵
    PID:900
  - - C:\Windows\SysWOW64\takeown.exe
      takeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-tapisetup_31bf3856ad364e35_10.0.19041.746_none_47ec758ff9f94aa6\TapiUnattend.exe"
      4⤵
      PID:4296
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\Windows\WinSxS\amd64_microsoft-windows-tapisetup_31bf3856ad364e35_10.0.19041.746_none_47ec758ff9f94aa6\TapiUnattend.exe" /grant "everyone":(f)
      4⤵
      PID:1280
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-taskhost_31bf3856ad364e35_10.0.19041.4474_none_9cf00f930f96448e\f\taskhostw.exe"
    3⤵
    PID:4060
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:1612
  - - C:\Windows\SysWOW64\takeown.exe
      takeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-taskhost_31bf3856ad364e35_10.0.19041.4474_none_9cf00f930f96448e\f\taskhostw.exe"
      4⤵
      PID:2464
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\Windows\WinSxS\amd64_microsoft-windows-taskhost_31bf3856ad364e35_10.0.19041.4474_none_9cf00f930f96448e\f\taskhostw.exe" /grant "everyone":(f)
      4⤵
      PID:2116
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-taskhost_31bf3856ad364e35_10.0.19041.4474_none_9cf00f930f96448e\r\taskhostw.exe"
    3⤵
    PID:3704
  - - C:\Windows\SysWOW64\takeown.exe
      takeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-taskhost_31bf3856ad364e35_10.0.19041.4474_none_9cf00f930f96448e\r\taskhostw.exe"
      4⤵
      PID:3840
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\Windows\WinSxS\amd64_microsoft-windows-taskhost_31bf3856ad364e35_10.0.19041.4474_none_9cf00f930f96448e\r\taskhostw.exe" /grant "everyone":(f)
      4⤵
      PID:4032
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-taskhost_31bf3856ad364e35_10.0.19041.4474_none_9cf00f930f96448e\taskhostw.exe"
    3⤵
    PID:652
  - - C:\Windows\SysWOW64\takeown.exe
      takeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-taskhost_31bf3856ad364e35_10.0.19041.4474_none_9cf00f930f96448e\taskhostw.exe"
      4⤵
      PID:4108
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\Windows\WinSxS\amd64_microsoft-windows-taskhost_31bf3856ad364e35_10.0.19041.4474_none_9cf00f930f96448e\taskhostw.exe" /grant "everyone":(f)
      4⤵
      PID:3876
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-taskhost_31bf3856ad364e35_10.0.19041.906_none_066336a1b904a848\f\taskhostw.exe"
    3⤵
    PID:4312
  - - C:\Windows\SysWOW64\takeown.exe
      takeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-taskhost_31bf3856ad364e35_10.0.19041.906_none_066336a1b904a848\f\taskhostw.exe"
      4⤵
      PID:4072
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\Windows\WinSxS\amd64_microsoft-windows-taskhost_31bf3856ad364e35_10.0.19041.906_none_066336a1b904a848\f\taskhostw.exe" /grant "everyone":(f)
      4⤵
      PID:1988
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-taskhost_31bf3856ad364e35_10.0.19041.906_none_066336a1b904a848\r\taskhostw.exe"
    3⤵
    PID:3648
  - - C:\Windows\SysWOW64\takeown.exe
      takeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-taskhost_31bf3856ad364e35_10.0.19041.906_none_066336a1b904a848\r\taskhostw.exe"
      4⤵
      PID:3932
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\Windows\WinSxS\amd64_microsoft-windows-taskhost_31bf3856ad364e35_10.0.19041.906_none_066336a1b904a848\r\taskhostw.exe" /grant "everyone":(f)
      4⤵
      System Location Discovery: System Language Discovery
      PID:1264
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\WinSxS\amd64_microsoft-windows-taskhost_31bf3856ad364e35_10.0.19041.906_none_066336a1b904a848\taskhostw.exe"
    3⤵
    PID:1116
  - - C:\Windows\SysWOW64\takeown.exe
      takeown /f "C:\Windows\WinSxS\amd64_microsoft-windows-taskhost_31bf3856ad364e35_10.0.19041.906_none_066336a1b904a848\taskhostw.exe"
      4⤵
      PID:2096
- C:\Users\Admin\Downloads\trash_malware\trash malware\mbrsetup.exe
  "C:\Users\Admin\Downloads\trash_malware\trash malware\mbrsetup.exe"
  2⤵
  - UAC bypass
  - Executes dropped EXE
  - Checks whether UAC is enabled
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - System policy modification
  PID:1536

C:\Windows\msagent\AgentSvr.exe
C:\Windows\msagent\AgentSvr.exe -Embedding
1⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1020

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x4d4 0x500
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2076

C:\Windows\explorer.exe
explorer.exe
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Enumerates connected drives
- Checks SCSI registry key(s)
- Suspicious use of SendNotifyMessage
PID:3580

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
- Suspicious use of SetWindowsHookEx
PID:1800

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
- Suspicious use of SetWindowsHookEx
PID:4032

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TextInputHost.exe
"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TextInputHost.exe" -ServerName:InputApp.AppXk0k6mrh4r2q0ct33a9wgbez0x7v9cz5y.mca
1⤵
- Suspicious use of SetWindowsHookEx
PID:4508

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k WerSvcGroup
1⤵
PID:3048

C:\Windows\explorer.exe
explorer.exe
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Enumerates connected drives
- Checks SCSI registry key(s)
- Suspicious use of SendNotifyMessage
PID:4396

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
- Suspicious use of SetWindowsHookEx
PID:3572

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TextInputHost.exe
"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TextInputHost.exe" -ServerName:InputApp.AppXk0k6mrh4r2q0ct33a9wgbez0x7v9cz5y.mca
1⤵
- Suspicious use of SetWindowsHookEx
PID:2868

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
- Suspicious use of SetWindowsHookEx
PID:2164

C:\Windows\explorer.exe
explorer.exe
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Enumerates connected drives
- Checks SCSI registry key(s)
- Suspicious use of SendNotifyMessage
PID:1756

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
- Suspicious use of SetWindowsHookEx
PID:4120

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TextInputHost.exe
"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TextInputHost.exe" -ServerName:InputApp.AppXk0k6mrh4r2q0ct33a9wgbez0x7v9cz5y.mca
1⤵
- Suspicious use of SetWindowsHookEx
PID:3256

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
- Suspicious use of SetWindowsHookEx
PID:3816

C:\Windows\explorer.exe
explorer.exe
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Enumerates connected drives
- Checks SCSI registry key(s)
PID:4932

Network

DNS

temp.sh

firefox.exe

Remote address:

8.8.8.8:53

Request

temp.sh

IN A

Response

temp.sh

IN A

51.91.79.17
GET

http://temp.sh/ennfh/trash_malware.zip

firefox.exe

Remote address:

51.91.79.17:80

Request

GET /ennfh/trash_malware.zip HTTP/1.1
Host: temp.sh
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:124.0) Gecko/20100101 Firefox/124.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: keep-alive
Upgrade-Insecure-Requests: 1

Response

HTTP/1.1 301 Moved Permanently

Server: nginx/1.18.0 (Ubuntu)
Date: Thu, 06 Mar 2025 21:11:36 GMT
Content-Type: text/html
Content-Length: 178
Connection: keep-alive
Location: https://temp.sh/ennfh/trash_malware.zip
DNS

temp.sh

firefox.exe

Remote address:

8.8.8.8:53

Request

temp.sh

IN A

Response

temp.sh

IN A

51.91.79.17
DNS

spocs.getpocket.com

firefox.exe

Remote address:

8.8.8.8:53

Request

spocs.getpocket.com

IN A

Response

spocs.getpocket.com

IN CNAME

prod.ads.prod.webservices.mozgcp.net

prod.ads.prod.webservices.mozgcp.net

IN A

34.117.188.166
DNS

firefox-api-proxy.cdn.mozilla.net

firefox.exe

Remote address:

8.8.8.8:53

Request

firefox-api-proxy.cdn.mozilla.net

IN A

Response

firefox-api-proxy.cdn.mozilla.net

IN CNAME

firefox-api-proxy-prod.pocket.prod.cloudops.mozgcp.net

firefox-api-proxy-prod.pocket.prod.cloudops.mozgcp.net

IN A

34.149.97.1
DNS

temp.sh

firefox.exe

Remote address:

8.8.8.8:53

Request

temp.sh

IN AAAA

Response
GET

https://temp.sh/ennfh/trash_malware.zip

firefox.exe

Remote address:

51.91.79.17:443

Request

GET /ennfh/trash_malware.zip HTTP/1.1
Host: temp.sh
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:124.0) Gecko/20100101 Firefox/124.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Connection: keep-alive
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: none
Sec-Fetch-User: ?1

Response

HTTP/1.1 200 OK

Server: nginx/1.18.0 (Ubuntu)
Date: Thu, 06 Mar 2025 21:11:37 GMT
Content-Type: text/html; charset=utf-8
Transfer-Encoding: chunked
Connection: keep-alive
Content-Encoding: gzip
GET

https://temp.sh/favicon.ico

firefox.exe

Remote address:

51.91.79.17:443

Request

GET /favicon.ico HTTP/1.1
Host: temp.sh
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:124.0) Gecko/20100101 Firefox/124.0
Accept: image/avif,image/webp,*/*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Connection: keep-alive
Referer: https://temp.sh/ennfh/trash_malware.zip
Sec-Fetch-Dest: image
Sec-Fetch-Mode: no-cors
Sec-Fetch-Site: same-origin

Response

HTTP/1.1 404 NOT FOUND

Server: nginx/1.18.0 (Ubuntu)
Date: Thu, 06 Mar 2025 21:11:39 GMT
Content-Type: text/html; charset=utf-8
Transfer-Encoding: chunked
Connection: keep-alive
Content-Encoding: gzip
POST

https://temp.sh/ennfh/trash_malware.zip

firefox.exe

Remote address:

51.91.79.17:443

Request

POST /ennfh/trash_malware.zip HTTP/1.1
Host: temp.sh
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:124.0) Gecko/20100101 Firefox/124.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Content-Type: application/x-www-form-urlencoded
Content-Length: 0
Origin: https://temp.sh
Connection: keep-alive
Referer: https://temp.sh/ennfh/trash_malware.zip
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1

Response

HTTP/1.1 200 OK

Server: nginx/1.18.0 (Ubuntu)
Date: Thu, 06 Mar 2025 21:11:50 GMT
Content-Type: application/zip
Content-Length: 39820371
Connection: keep-alive
Content-Disposition: attachment; filename=trash_malware.zip
Last-Modified: Thu, 06 Mar 2025 21:10:26 GMT
Cache-Control: no-cache
DNS

prod.content-signature-chains.prod.webservices.mozgcp.net

firefox.exe

Remote address:

8.8.8.8:53

Request

prod.content-signature-chains.prod.webservices.mozgcp.net

IN A

Response

prod.content-signature-chains.prod.webservices.mozgcp.net

IN A

34.160.144.191
DNS

firefox-api-proxy-prod.pocket.prod.cloudops.mozgcp.net

firefox.exe

Remote address:

8.8.8.8:53

Request

firefox-api-proxy-prod.pocket.prod.cloudops.mozgcp.net

IN A

Response

firefox-api-proxy-prod.pocket.prod.cloudops.mozgcp.net

IN A

34.149.97.1
DNS

prod.ads.prod.webservices.mozgcp.net

firefox.exe

Remote address:

8.8.8.8:53

Request

prod.ads.prod.webservices.mozgcp.net

IN A

Response

prod.ads.prod.webservices.mozgcp.net

IN A

34.117.188.166
DNS

shavar.prod.mozaws.net

firefox.exe

Remote address:

8.8.8.8:53

Request

shavar.prod.mozaws.net

IN A

Response

shavar.prod.mozaws.net

IN A

44.229.113.109

shavar.prod.mozaws.net

IN A

52.27.153.171

shavar.prod.mozaws.net

IN A

44.231.118.238
DNS

firefox-api-proxy-prod.pocket.prod.cloudops.mozgcp.net

firefox.exe

Remote address:

8.8.8.8:53

Request

firefox-api-proxy-prod.pocket.prod.cloudops.mozgcp.net

IN AAAA

Response

firefox-api-proxy-prod.pocket.prod.cloudops.mozgcp.net

IN AAAA

2600:1901:0:74e4::
DNS

prod.content-signature-chains.prod.webservices.mozgcp.net

firefox.exe

Remote address:

8.8.8.8:53

Request

prod.content-signature-chains.prod.webservices.mozgcp.net

IN AAAA

Response

prod.content-signature-chains.prod.webservices.mozgcp.net

IN AAAA

2600:1901:0:92a9::
DNS

prod.remote-settings.prod.webservices.mozgcp.net

firefox.exe

Remote address:

8.8.8.8:53

Request

prod.remote-settings.prod.webservices.mozgcp.net

IN A

Response

prod.remote-settings.prod.webservices.mozgcp.net

IN A

34.149.100.209
DNS

prod.ads.prod.webservices.mozgcp.net

firefox.exe

Remote address:

8.8.8.8:53

Request

prod.ads.prod.webservices.mozgcp.net

IN AAAA

Response
DNS

shavar.prod.mozaws.net

firefox.exe

Remote address:

8.8.8.8:53

Request

shavar.prod.mozaws.net

IN AAAA

Response
DNS

prod.remote-settings.prod.webservices.mozgcp.net

firefox.exe

Remote address:

8.8.8.8:53

Request

prod.remote-settings.prod.webservices.mozgcp.net

IN AAAA

Response

prod.remote-settings.prod.webservices.mozgcp.net

IN AAAA

2600:1901:0:c47c::
DNS

tracking-protection.cdn.mozilla.net

firefox.exe

Remote address:

8.8.8.8:53

Request

tracking-protection.cdn.mozilla.net

IN A

Response

tracking-protection.cdn.mozilla.net

IN CNAME

tracking-protection.prod.mozaws.net

tracking-protection.prod.mozaws.net

IN A

34.120.158.37
GET

https://tracking-protection.cdn.mozilla.net/ads-track-digest256/124.0/1709232643

firefox.exe

Remote address:

34.120.158.37:443

Request

GET /ads-track-digest256/124.0/1709232643 HTTP/2.0
host: tracking-protection.cdn.mozilla.net
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:124.0) Gecko/20100101 Firefox/124.0
accept: */*
accept-language: en-US,en;q=0.5
accept-encoding: gzip, deflate, br
sec-fetch-dest: empty
sec-fetch-mode: no-cors
sec-fetch-site: none
pragma: no-cache
cache-control: no-cache
te: trailers
DNS

tracking-protection.prod.mozaws.net

firefox.exe

Remote address:

8.8.8.8:53

Request

tracking-protection.prod.mozaws.net

IN A

Response

tracking-protection.prod.mozaws.net

IN A

34.120.158.37
DNS

tracking-protection.prod.mozaws.net

firefox.exe

Remote address:

8.8.8.8:53

Request

tracking-protection.prod.mozaws.net

IN AAAA

Response
DNS

tracking-protection.cdn.mozilla.net

firefox.exe

Remote address:

8.8.8.8:53

Request

tracking-protection.cdn.mozilla.net

IN A

Response

tracking-protection.cdn.mozilla.net

IN CNAME

tracking-protection.prod.mozaws.net

tracking-protection.prod.mozaws.net

IN A

34.120.158.37
GET

https://tracking-protection.cdn.mozilla.net/social-track-digest256/124.0/1716839516

firefox.exe

Remote address:

34.120.158.37:443

Request

GET /social-track-digest256/124.0/1716839516 HTTP/2.0
host: tracking-protection.cdn.mozilla.net
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:124.0) Gecko/20100101 Firefox/124.0
accept: */*
accept-language: en-US,en;q=0.5
accept-encoding: gzip, deflate, br
sec-fetch-dest: empty
sec-fetch-mode: no-cors
sec-fetch-site: none
pragma: no-cache
cache-control: no-cache
te: trailers
GET

https://tracking-protection.cdn.mozilla.net/analytics-track-digest256/124.0/1709232643

firefox.exe

Remote address:

34.120.158.37:443

Request

GET /analytics-track-digest256/124.0/1709232643 HTTP/2.0
host: tracking-protection.cdn.mozilla.net
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:124.0) Gecko/20100101 Firefox/124.0
accept: */*
accept-language: en-US,en;q=0.5
accept-encoding: gzip, deflate, br
sec-fetch-dest: empty
sec-fetch-mode: no-cors
sec-fetch-site: none
pragma: no-cache
cache-control: no-cache
te: trailers
GET

https://tracking-protection.cdn.mozilla.net/content-track-digest256/124.0/1709232643

firefox.exe

Remote address:

34.120.158.37:443

Request

GET /content-track-digest256/124.0/1709232643 HTTP/2.0
host: tracking-protection.cdn.mozilla.net
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:124.0) Gecko/20100101 Firefox/124.0
accept: */*
accept-language: en-US,en;q=0.5
accept-encoding: gzip, deflate, br
sec-fetch-dest: empty
sec-fetch-mode: no-cors
sec-fetch-site: none
pragma: no-cache
cache-control: no-cache
te: trailers
GET

https://tracking-protection.cdn.mozilla.net/mozstd-trackwhite-digest256/124.0/1716839516

firefox.exe

Remote address:

34.120.158.37:443

Request

GET /mozstd-trackwhite-digest256/124.0/1716839516 HTTP/2.0
host: tracking-protection.cdn.mozilla.net
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:124.0) Gecko/20100101 Firefox/124.0
accept: */*
accept-language: en-US,en;q=0.5
accept-encoding: gzip, deflate, br
sec-fetch-dest: empty
sec-fetch-mode: no-cors
sec-fetch-site: none
pragma: no-cache
cache-control: no-cache
te: trailers
GET

https://tracking-protection.cdn.mozilla.net/google-trackwhite-digest256/124.0/1709232643

firefox.exe

Remote address:

34.120.158.37:443

Request

GET /google-trackwhite-digest256/124.0/1709232643 HTTP/2.0
host: tracking-protection.cdn.mozilla.net
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:124.0) Gecko/20100101 Firefox/124.0
accept: */*
accept-language: en-US,en;q=0.5
accept-encoding: gzip, deflate, br
sec-fetch-dest: empty
sec-fetch-mode: no-cors
sec-fetch-site: none
pragma: no-cache
cache-control: no-cache
te: trailers
GET

https://tracking-protection.cdn.mozilla.net/base-fingerprinting-track-digest256/124.0/1709232643

firefox.exe

Remote address:

34.120.158.37:443

Request

GET /base-fingerprinting-track-digest256/124.0/1709232643 HTTP/2.0
host: tracking-protection.cdn.mozilla.net
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:124.0) Gecko/20100101 Firefox/124.0
accept: */*
accept-language: en-US,en;q=0.5
accept-encoding: gzip, deflate, br
sec-fetch-dest: empty
sec-fetch-mode: no-cors
sec-fetch-site: none
pragma: no-cache
cache-control: no-cache
te: trailers
GET

https://tracking-protection.cdn.mozilla.net/base-cryptomining-track-digest256/124.0/1709232643

firefox.exe

Remote address:

34.120.158.37:443

Request

GET /base-cryptomining-track-digest256/124.0/1709232643 HTTP/2.0
host: tracking-protection.cdn.mozilla.net
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:124.0) Gecko/20100101 Firefox/124.0
accept: */*
accept-language: en-US,en;q=0.5
accept-encoding: gzip, deflate, br
sec-fetch-dest: empty
sec-fetch-mode: no-cors
sec-fetch-site: none
pragma: no-cache
cache-control: no-cache
te: trailers
GET

https://tracking-protection.cdn.mozilla.net/social-tracking-protection-facebook-digest256/124.0/1709232643

firefox.exe

Remote address:

34.120.158.37:443

Request

GET /social-tracking-protection-facebook-digest256/124.0/1709232643 HTTP/2.0
host: tracking-protection.cdn.mozilla.net
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:124.0) Gecko/20100101 Firefox/124.0
accept: */*
accept-language: en-US,en;q=0.5
accept-encoding: gzip, deflate, br
sec-fetch-dest: empty
sec-fetch-mode: no-cors
sec-fetch-site: none
pragma: no-cache
cache-control: no-cache
te: trailers
GET

https://tracking-protection.cdn.mozilla.net/social-tracking-protection-linkedin-digest256/124.0/1709232643

firefox.exe

Remote address:

34.120.158.37:443

Request

GET /social-tracking-protection-linkedin-digest256/124.0/1709232643 HTTP/2.0
host: tracking-protection.cdn.mozilla.net
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:124.0) Gecko/20100101 Firefox/124.0
accept: */*
accept-language: en-US,en;q=0.5
accept-encoding: gzip, deflate, br
sec-fetch-dest: empty
sec-fetch-mode: no-cors
sec-fetch-site: none
pragma: no-cache
cache-control: no-cache
te: trailers
GET

https://tracking-protection.cdn.mozilla.net/social-tracking-protection-twitter-digest256/124.0/1716839516

firefox.exe

Remote address:

34.120.158.37:443

Request

GET /social-tracking-protection-twitter-digest256/124.0/1716839516 HTTP/2.0
host: tracking-protection.cdn.mozilla.net
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:124.0) Gecko/20100101 Firefox/124.0
accept: */*
accept-language: en-US,en;q=0.5
accept-encoding: gzip, deflate, br
sec-fetch-dest: empty
sec-fetch-mode: no-cors
sec-fetch-site: none
pragma: no-cache
cache-control: no-cache
te: trailers
GET

https://tracking-protection.cdn.mozilla.net/base-email-track-digest256/124.0/1709232643

firefox.exe

Remote address:

34.120.158.37:443

Request

GET /base-email-track-digest256/124.0/1709232643 HTTP/2.0
host: tracking-protection.cdn.mozilla.net
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:124.0) Gecko/20100101 Firefox/124.0
accept: */*
accept-language: en-US,en;q=0.5
accept-encoding: gzip, deflate, br
sec-fetch-dest: empty
sec-fetch-mode: no-cors
sec-fetch-site: none
pragma: no-cache
cache-control: no-cache
te: trailers
GET

https://tracking-protection.cdn.mozilla.net/content-email-track-digest256/124.0/1709232643

firefox.exe

Remote address:

34.120.158.37:443

Request

GET /content-email-track-digest256/124.0/1709232643 HTTP/2.0
host: tracking-protection.cdn.mozilla.net
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:124.0) Gecko/20100101 Firefox/124.0
accept: */*
accept-language: en-US,en;q=0.5
accept-encoding: gzip, deflate, br
sec-fetch-dest: empty
sec-fetch-mode: no-cors
sec-fetch-site: none
pragma: no-cache
cache-control: no-cache
te: trailers
DNS

location.services.mozilla.com

firefox.exe

Remote address:

8.8.8.8:53

Request

location.services.mozilla.com

IN A

Response

location.services.mozilla.com

IN CNAME

prod.classify-client.prod.webservices.mozgcp.net

prod.classify-client.prod.webservices.mozgcp.net

IN A

35.190.72.216
DNS

prod.balrog.prod.cloudops.mozgcp.net

firefox.exe

Remote address:

8.8.8.8:53

Request

prod.balrog.prod.cloudops.mozgcp.net

IN A

Response

prod.balrog.prod.cloudops.mozgcp.net

IN A

35.244.181.201
DNS

prod.classify-client.prod.webservices.mozgcp.net

firefox.exe

Remote address:

8.8.8.8:53

Request

prod.classify-client.prod.webservices.mozgcp.net

IN A

Response

prod.classify-client.prod.webservices.mozgcp.net

IN A

35.190.72.216
DNS

prod.balrog.prod.cloudops.mozgcp.net

firefox.exe

Remote address:

8.8.8.8:53

Request

prod.balrog.prod.cloudops.mozgcp.net

IN AAAA

Response

prod.balrog.prod.cloudops.mozgcp.net

IN AAAA

2600:1901:0:5133::
DNS

prod.classify-client.prod.webservices.mozgcp.net

firefox.exe

Remote address:

8.8.8.8:53

Request

prod.classify-client.prod.webservices.mozgcp.net

IN AAAA

Response
DNS

ciscobinary.openh264.org

firefox.exe

Remote address:

8.8.8.8:53

Request

ciscobinary.openh264.org

IN A

Response

ciscobinary.openh264.org

IN CNAME

a21ed24aedde648804e7-228765c84088fef4ff5e70f2710398e9.r17.cf1.rackcdn.com

a21ed24aedde648804e7-228765c84088fef4ff5e70f2710398e9.r17.cf1.rackcdn.com

IN CNAME

a17.rackcdn.com

a17.rackcdn.com

IN CNAME

a17.rackcdn.com.mdc.edgesuite.net

a17.rackcdn.com.mdc.edgesuite.net

IN CNAME

a19.dscg10.akamai.net

a19.dscg10.akamai.net

IN A

23.55.161.185

a19.dscg10.akamai.net

IN A

23.55.161.211
DNS

redirector.gvt1.com

firefox.exe

Remote address:

8.8.8.8:53

Request

redirector.gvt1.com

IN A

Response

redirector.gvt1.com

IN A

172.217.16.238
GET

http://ciscobinary.openh264.org/openh264-win64-31c4d2e4a037526fd30d4e5c39f60885986cf865.zip

firefox.exe

Remote address:

23.55.161.185:80

Request

GET /openh264-win64-31c4d2e4a037526fd30d4e5c39f60885986cf865.zip HTTP/1.1
Host: ciscobinary.openh264.org
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:124.0) Gecko/20100101 Firefox/124.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: keep-alive

Response

HTTP/1.1 200 OK

Content-Length: 491284
Accept-Ranges: bytes
Last-Modified: Wed, 05 Mar 2025 03:56:03 GMT
ETag: 09372174e83dbbf696ee732fd2e875bb
X-Timestamp: 1741146962.66478
Content-Type: application/zip
X-Trans-Id: txab46db5f97164e98a0bd9-0067c7d396dfw1
Cache-Control: public, max-age=112695
Expires: Sat, 08 Mar 2025 04:30:22 GMT
Date: Thu, 06 Mar 2025 21:12:07 GMT
Connection: keep-alive
DNS

a19.dscg10.akamai.net

firefox.exe

Remote address:

8.8.8.8:53

Request

a19.dscg10.akamai.net

IN A

Response

a19.dscg10.akamai.net

IN A

23.55.161.211

a19.dscg10.akamai.net

IN A

23.55.161.185
GET

https://redirector.gvt1.com/edgedl/widevine-cdm/4.10.2710.0-win-x64.zip

firefox.exe

Remote address:

172.217.16.238:443

Request

GET /edgedl/widevine-cdm/4.10.2710.0-win-x64.zip HTTP/2.0
host: redirector.gvt1.com
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:124.0) Gecko/20100101 Firefox/124.0
accept: */*
accept-language: en-US,en;q=0.5
accept-encoding: gzip, deflate, br
te: trailers
DNS

redirector.gvt1.com

firefox.exe

Remote address:

8.8.8.8:53

Request

redirector.gvt1.com

IN A

Response

redirector.gvt1.com

IN A

172.217.16.238
DNS

a19.dscg10.akamai.net

firefox.exe

Remote address:

8.8.8.8:53

Request

a19.dscg10.akamai.net

IN AAAA

Response

a19.dscg10.akamai.net

IN AAAA

2a02:26f0:1700:f::1737:a1d3

a19.dscg10.akamai.net

IN AAAA

2a02:26f0:1700:f::1737:a1b9
DNS

redirector.gvt1.com

firefox.exe

Remote address:

8.8.8.8:53

Request

redirector.gvt1.com

IN AAAA

Response

redirector.gvt1.com

IN AAAA

2a00:1450:4009:821::200e
DNS

r3---sn-aigzrnsl.gvt1.com

firefox.exe

Remote address:

8.8.8.8:53

Request

r3---sn-aigzrnsl.gvt1.com

IN A

Response

r3---sn-aigzrnsl.gvt1.com

IN CNAME

r3.sn-aigzrnsl.gvt1.com

r3.sn-aigzrnsl.gvt1.com

IN A

74.125.168.232
GET

https://r3---sn-aigzrnsl.gvt1.com/edgedl/widevine-cdm/4.10.2710.0-win-x64.zip?cms_redirect=yes&met=1741295527,&mh=R8&mip=212.102.63.147&mm=28&mn=sn-aigzrnsl&ms=nvh&mt=1741295055&mv=m&mvi=3&pl=24&rmhost=r2---sn-aigzrnsl.gvt1.com&rms=nvh,nvh&shardbypass=sd&smhost=r2---sn-aigzrn7s.gvt1.com

firefox.exe

Remote address:

74.125.168.232:443

Request

GET /edgedl/widevine-cdm/4.10.2710.0-win-x64.zip?cms_redirect=yes&met=1741295527,&mh=R8&mip=212.102.63.147&mm=28&mn=sn-aigzrnsl&ms=nvh&mt=1741295055&mv=m&mvi=3&pl=24&rmhost=r2---sn-aigzrnsl.gvt1.com&rms=nvh,nvh&shardbypass=sd&smhost=r2---sn-aigzrn7s.gvt1.com HTTP/1.1
Host: r3---sn-aigzrnsl.gvt1.com
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:124.0) Gecko/20100101 Firefox/124.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Connection: keep-alive

Response

HTTP/1.1 200 OK

Accept-Ranges: bytes
Cache-Control: public,max-age=86400
Content-Disposition: attachment
Content-Length: 14485862
Content-Security-Policy: default-src 'none'
Content-Type: application/zip
Etag: "1d3918c"
Server: downloads
X-Content-Type-Options: nosniff
X-Frame-Options: SAMEORIGIN
X-Xss-Protection: 0
Date: Thu, 06 Mar 2025 20:54:17 GMT
Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
Last-Modified: Thu, 05 Oct 2023 00:56:47 GMT
Connection: keep-alive
Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000,h3-Q046=":443"; ma=2592000,quic=":443"; ma=2592000; v="46"
Vary: Origin
DNS

r3.sn-aigzrnsl.gvt1.com

firefox.exe

Remote address:

8.8.8.8:53

Request

r3.sn-aigzrnsl.gvt1.com

IN A

Response

r3.sn-aigzrnsl.gvt1.com

IN A

74.125.168.232
DNS

r3.sn-aigzrnsl.gvt1.com

firefox.exe

Remote address:

8.8.8.8:53

Request

r3.sn-aigzrnsl.gvt1.com

IN AAAA

Response

r3.sn-aigzrnsl.gvt1.com

IN AAAA

2a00:1450:4009:15::8
GET

https://redirector.gvt1.com/edgedl/widevine-cdm/4.10.2710.0-win-x64.zip

firefox.exe

Remote address:

172.217.16.238:443

Request

GET /edgedl/widevine-cdm/4.10.2710.0-win-x64.zip HTTP/2.0
host: redirector.gvt1.com
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:124.0) Gecko/20100101 Firefox/124.0
accept: */*
accept-language: en-US,en;q=0.5
accept-encoding: gzip, deflate, br
te: trailers
GET

https://r3---sn-aigzrnsl.gvt1.com/edgedl/widevine-cdm/4.10.2710.0-win-x64.zip?cms_redirect=yes&met=1741295531,&mh=R8&mip=212.102.63.147&mm=28&mn=sn-aigzrnsl&ms=nvh&mt=1741295055&mv=m&mvi=3&pl=24&rmhost=r2---sn-aigzrnsl.gvt1.com&rms=nvh,nvh&shardbypass=sd&smhost=r2---sn-aigzrn7s.gvt1.com

firefox.exe

Remote address:

74.125.168.232:443

Request

GET /edgedl/widevine-cdm/4.10.2710.0-win-x64.zip?cms_redirect=yes&met=1741295531,&mh=R8&mip=212.102.63.147&mm=28&mn=sn-aigzrnsl&ms=nvh&mt=1741295055&mv=m&mvi=3&pl=24&rmhost=r2---sn-aigzrnsl.gvt1.com&rms=nvh,nvh&shardbypass=sd&smhost=r2---sn-aigzrn7s.gvt1.com HTTP/1.1
Host: r3---sn-aigzrnsl.gvt1.com
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:124.0) Gecko/20100101 Firefox/124.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Connection: keep-alive

Response

HTTP/1.1 200 OK

Accept-Ranges: bytes
Cache-Control: public,max-age=86400
Content-Disposition: attachment
Content-Length: 14485862
Content-Security-Policy: default-src 'none'
Content-Type: application/zip
Etag: "1d3918c"
Server: downloads
X-Content-Type-Options: nosniff
X-Frame-Options: SAMEORIGIN
X-Xss-Protection: 0
Date: Thu, 06 Mar 2025 20:54:17 GMT
Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
Last-Modified: Thu, 05 Oct 2023 00:56:47 GMT
Connection: keep-alive
Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000,h3-Q046=":443"; ma=2592000,quic=":443"; ma=2592000; v="46"
Vary: Origin
DNS

checkappexec.microsoft.com

Remote address:

8.8.8.8:53

Request

checkappexec.microsoft.com

IN A

Response

checkappexec.microsoft.com

IN CNAME

prod-atm-wds-apprep.trafficmanager.net

prod-atm-wds-apprep.trafficmanager.net

IN CNAME

prod-agic-uw-1.ukwest.cloudapp.azure.com

prod-agic-uw-1.ukwest.cloudapp.azure.com

IN A

51.140.242.104
POST

https://checkappexec.microsoft.com/windows/shell/actions

Remote address:

51.140.242.104:443

Request

POST /windows/shell/actions HTTP/2.0
host: checkappexec.microsoft.com
accept-encoding: gzip, deflate
user-agent: SmartScreen/2814751014982010
authorization: SmartScreenHash eyJhdXRoSWQiOiJhZGZmZjVhZC1lZjllLTQzYTYtYjFhMy0yYWQ0MjY3YWVlZDUiLCJoYXNoIjoia3Jza0FMWUprMkU9Iiwia2V5IjoiaGhCZUdURlZ3RDFRMnZ2bitDODY2Zz09In0=
content-length: 1462
content-type: application/json; charset=utf-8
cache-control: no-cache

Response

HTTP/2.0 200

date: Thu, 06 Mar 2025 21:14:32 GMT
content-type: application/json; charset=utf-8
content-length: 183
server: Kestrel
cache-control: max-age=0, private
request-context: appId=cid-v1:365e21c6-df19-4b1c-a612-b572489ace31
DNS

twinkcam.net

AntivirusPro2017.exe

Remote address:

8.8.8.8:53

Request

twinkcam.net

IN A

Response
DNS

www.antivirusxp-2008.com

Remote address:

8.8.8.8:53

Request

www.antivirusxp-2008.com

IN A

Response
DNS

www.antivirusxp-2008.com

Remote address:

8.8.8.8:53

Request

www.antivirusxp-2008.com

IN A

Response
DNS

i.imgur.com

Remote address:

8.8.8.8:53

Request

i.imgur.com

IN A

Response

i.imgur.com

IN CNAME

ipv4.imgur.map.fastly.net

ipv4.imgur.map.fastly.net

IN A

199.232.192.193

ipv4.imgur.map.fastly.net

IN A

199.232.196.193
DNS

i.imgur.com

Remote address:

8.8.8.8:53

Request

i.imgur.com

IN A
GET

http://i.imgur.com/8ydfdsE.jpg

Remote address:

199.232.192.193:80

Request

GET /8ydfdsE.jpg HTTP/1.1
Accept: */*
Accept-Language: en-us
UA-CPU: AMD64
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; Win64; x64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
Host: i.imgur.com
Connection: Keep-Alive

Response

HTTP/1.1 301 Moved Permanently

Connection: close
Content-Length: 0
Retry-After: 0
Location: https://i.imgur.com/8ydfdsE.jpg
Accept-Ranges: bytes
Date: Thu, 06 Mar 2025 21:23:23 GMT
X-Served-By: cache-lon420112-LON
X-Cache: HIT
X-Cache-Hits: 0
X-Timer: S1741296203.012473,VS0,VE0
Strict-Transport-Security: max-age=300
Access-Control-Allow-Methods: GET, OPTIONS
Access-Control-Allow-Origin: *
Server: cat factory 1.0
DNS

pomfcat.000webhostapp.com

Remote address:

8.8.8.8:53

Request

pomfcat.000webhostapp.com

IN A

Response
DNS

pomfcat.000webhostapp.com

Remote address:

8.8.8.8:53

Request

pomfcat.000webhostapp.com

IN A

Response
DNS

pomfcat.000webhostapp.com

Remote address:

8.8.8.8:53

Request

pomfcat.000webhostapp.com

IN A

Response
DNS

pomfcat.000webhostapp.com

Remote address:

8.8.8.8:53

Request

pomfcat.000webhostapp.com

IN A
DNS

checkappexec.microsoft.com

Remote address:

8.8.8.8:53

Request

checkappexec.microsoft.com

IN A

Response

checkappexec.microsoft.com

IN CNAME

prod-atm-wds-apprep.trafficmanager.net

prod-atm-wds-apprep.trafficmanager.net

IN CNAME

prod-agic-us-2.uksouth.cloudapp.azure.com

prod-agic-us-2.uksouth.cloudapp.azure.com

IN A

172.165.69.228
DNS

pomfcat.000webhostapp.com

Remote address:

8.8.8.8:53

Request

pomfcat.000webhostapp.com

IN A

Response
DNS

pomfcat.000webhostapp.com

Remote address:

8.8.8.8:53

Request

pomfcat.000webhostapp.com

IN A

Response
DNS

pomfcat.000webhostapp.com

Remote address:

8.8.8.8:53

Request

pomfcat.000webhostapp.com

IN A
DNS

pomfcat.000webhostapp.com

Remote address:

8.8.8.8:53

Request

pomfcat.000webhostapp.com

IN A
DNS

nav.smartscreen.microsoft.com

Remote address:

8.8.8.8:53

Request

nav.smartscreen.microsoft.com

IN A

Response

nav.smartscreen.microsoft.com

IN CNAME

prod-atm-wds-nav.trafficmanager.net

prod-atm-wds-nav.trafficmanager.net

IN CNAME

prod-agic-uw-3.ukwest.cloudapp.azure.com

prod-agic-uw-3.ukwest.cloudapp.azure.com

IN A

51.11.108.188
DNS

youtube.com

Remote address:

8.8.8.8:53

Request

youtube.com

IN A

Response

youtube.com

IN A

142.250.187.206
GET

http://youtube.com/

Remote address:

142.250.187.206:80

Request

GET / HTTP/1.1
Host: youtube.com
Connection: keep-alive
DNT: 1
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.131 Safari/537.36 Edg/92.0.902.67
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9

Response

HTTP/1.1 301 Moved Permanently

Content-Type: application/binary
X-Content-Type-Options: nosniff
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
Pragma: no-cache
Expires: Mon, 01 Jan 1990 00:00:00 GMT
Date: Thu, 06 Mar 2025 21:23:57 GMT
Location: https://youtube.com/
Server: ESF
Content-Length: 0
X-XSS-Protection: 0
X-Frame-Options: SAMEORIGIN
DNS

www.youtube.com

Remote address:

8.8.8.8:53

Request

www.youtube.com

IN A

Response

www.youtube.com

IN CNAME

youtube-ui.l.google.com

youtube-ui.l.google.com

IN A

216.58.204.78

youtube-ui.l.google.com

IN A

142.250.180.14

youtube-ui.l.google.com

IN A

216.58.212.238

youtube-ui.l.google.com

IN A

172.217.169.14

youtube-ui.l.google.com

IN A

142.250.200.46

youtube-ui.l.google.com

IN A

142.250.200.14

youtube-ui.l.google.com

IN A

172.217.169.46

youtube-ui.l.google.com

IN A

142.250.187.206

youtube-ui.l.google.com

IN A

216.58.201.110

youtube-ui.l.google.com

IN A

172.217.16.238

youtube-ui.l.google.com

IN A

216.58.213.14

youtube-ui.l.google.com

IN A

216.58.212.206

youtube-ui.l.google.com

IN A

142.250.187.238

youtube-ui.l.google.com

IN A

142.250.178.14

youtube-ui.l.google.com

IN A

142.250.179.238
DNS

www.youtube.com

Remote address:

8.8.8.8:53

Request

www.youtube.com

IN A
DNS

data-edge.smartscreen.microsoft.com

Remote address:

8.8.8.8:53

Request

data-edge.smartscreen.microsoft.com

IN A

Response

data-edge.smartscreen.microsoft.com

IN CNAME

prod-atm-wds-edge.trafficmanager.net

prod-atm-wds-edge.trafficmanager.net

IN CNAME

prod-agic-uw-1.ukwest.cloudapp.azure.com

prod-agic-uw-1.ukwest.cloudapp.azure.com

IN A

51.140.242.104
DNS

data-edge.smartscreen.microsoft.com

Remote address:

8.8.8.8:53

Request

data-edge.smartscreen.microsoft.com

IN A
DNS

www.antivirusxp-2008.com

Remote address:

8.8.8.8:53

Request

www.antivirusxp-2008.com

IN A

Response

127.0.0.1:64675

firefox.exe
51.91.79.17:80

http://temp.sh/ennfh/trash_malware.zip

http

firefox.exe

778 B
729 B
9
7

HTTP Request

GET http://temp.sh/ennfh/trash_malware.zip

HTTP Response

301
51.91.79.17:80

temp.sh

firefox.exe

190 B
92 B
4
2
51.91.79.17:443

https://temp.sh/ennfh/trash_malware.zip

tls, http

firefox.exe

518.0kB
40.8MB
10860
29194

HTTP Request

GET https://temp.sh/ennfh/trash_malware.zip

HTTP Response

200

HTTP Request

GET https://temp.sh/favicon.ico

HTTP Response

404

HTTP Request

POST https://temp.sh/ennfh/trash_malware.zip

HTTP Response

200
34.149.97.1:443

firefox-api-proxy.cdn.mozilla.net

tls, http2

firefox.exe

1.5kB
4.3kB
12
12
34.120.158.37:443

https://tracking-protection.cdn.mozilla.net/ads-track-digest256/124.0/1709232643

tls, http2

firefox.exe

2.4kB
62.6kB
25
55

HTTP Request

GET https://tracking-protection.cdn.mozilla.net/ads-track-digest256/124.0/1709232643
34.120.158.37:443

https://tracking-protection.cdn.mozilla.net/social-track-digest256/124.0/1716839516

tls, http2

firefox.exe

2.4kB
3.9kB
13
11

HTTP Request

GET https://tracking-protection.cdn.mozilla.net/social-track-digest256/124.0/1716839516
34.120.158.37:443

https://tracking-protection.cdn.mozilla.net/analytics-track-digest256/124.0/1709232643

tls, http2

firefox.exe

2.8kB
15.2kB
21
22

HTTP Request

GET https://tracking-protection.cdn.mozilla.net/analytics-track-digest256/124.0/1709232643
34.120.158.37:443

https://tracking-protection.cdn.mozilla.net/content-track-digest256/124.0/1709232643

tls, http2

firefox.exe

2.6kB
10.4kB
16
16

HTTP Request

GET https://tracking-protection.cdn.mozilla.net/content-track-digest256/124.0/1709232643
34.120.158.37:443

https://tracking-protection.cdn.mozilla.net/mozstd-trackwhite-digest256/124.0/1716839516

tls, http2

firefox.exe

7.3kB
313.0kB
119
232

HTTP Request

GET https://tracking-protection.cdn.mozilla.net/mozstd-trackwhite-digest256/124.0/1716839516
127.0.0.1:64683

firefox.exe
34.120.158.37:443

https://tracking-protection.cdn.mozilla.net/google-trackwhite-digest256/124.0/1709232643

tls, http2

firefox.exe

16.5kB
1.5MB
318
1076

HTTP Request

GET https://tracking-protection.cdn.mozilla.net/google-trackwhite-digest256/124.0/1709232643
34.120.158.37:443

https://tracking-protection.cdn.mozilla.net/base-fingerprinting-track-digest256/124.0/1709232643

tls, http2

firefox.exe

2.4kB
5.8kB
13
14

HTTP Request

GET https://tracking-protection.cdn.mozilla.net/base-fingerprinting-track-digest256/124.0/1709232643
34.120.158.37:443

https://tracking-protection.cdn.mozilla.net/base-cryptomining-track-digest256/124.0/1709232643

tls, http2

firefox.exe

2.4kB
4.1kB
13
13

HTTP Request

GET https://tracking-protection.cdn.mozilla.net/base-cryptomining-track-digest256/124.0/1709232643
34.120.158.37:443

https://tracking-protection.cdn.mozilla.net/social-tracking-protection-facebook-digest256/124.0/1709232643

tls, http2

firefox.exe

2.5kB
2.2kB
13
10

HTTP Request

GET https://tracking-protection.cdn.mozilla.net/social-tracking-protection-facebook-digest256/124.0/1709232643
34.120.158.37:443

https://tracking-protection.cdn.mozilla.net/social-tracking-protection-linkedin-digest256/124.0/1709232643

tls, http2

firefox.exe

2.5kB
1.8kB
13
10

HTTP Request

GET https://tracking-protection.cdn.mozilla.net/social-tracking-protection-linkedin-digest256/124.0/1709232643
34.120.158.37:443

https://tracking-protection.cdn.mozilla.net/social-tracking-protection-twitter-digest256/124.0/1716839516

tls, http2

firefox.exe

2.5kB
2.0kB
13
12

HTTP Request

GET https://tracking-protection.cdn.mozilla.net/social-tracking-protection-twitter-digest256/124.0/1716839516
34.120.158.37:443

https://tracking-protection.cdn.mozilla.net/base-email-track-digest256/124.0/1709232643

tls, http2

firefox.exe

2.6kB
9.0kB
17
16

HTTP Request

GET https://tracking-protection.cdn.mozilla.net/base-email-track-digest256/124.0/1709232643
34.120.158.37:443

https://tracking-protection.cdn.mozilla.net/content-email-track-digest256/124.0/1709232643

tls, http2

firefox.exe

2.5kB
11.0kB
14
18

HTTP Request

GET https://tracking-protection.cdn.mozilla.net/content-email-track-digest256/124.0/1709232643
23.55.161.185:80

http://ciscobinary.openh264.org/openh264-win64-31c4d2e4a037526fd30d4e5c39f60885986cf865.zip

http

firefox.exe

7.6kB
506.3kB
158
366

HTTP Request

GET http://ciscobinary.openh264.org/openh264-win64-31c4d2e4a037526fd30d4e5c39f60885986cf865.zip

HTTP Response

200
172.217.16.238:443

https://redirector.gvt1.com/edgedl/widevine-cdm/4.10.2710.0-win-x64.zip

tls, http2

firefox.exe

1.6kB
8.9kB
17
21

HTTP Request

GET https://redirector.gvt1.com/edgedl/widevine-cdm/4.10.2710.0-win-x64.zip
74.125.168.232:443

https://r3---sn-aigzrnsl.gvt1.com/edgedl/widevine-cdm/4.10.2710.0-win-x64.zip?cms_redirect=yes&met=1741295527,&mh=R8&mip=212.102.63.147&mm=28&mn=sn-aigzrnsl&ms=nvh&mt=1741295055&mv=m&mvi=3&pl=24&rmhost=r2---sn-aigzrnsl.gvt1.com&rms=nvh,nvh&shardbypass=sd&smhost=r2---sn-aigzrn7s.gvt1.com

tls, http

firefox.exe

265.3kB
14.9MB
5208
10705

HTTP Request

GET https://r3---sn-aigzrnsl.gvt1.com/edgedl/widevine-cdm/4.10.2710.0-win-x64.zip?cms_redirect=yes&met=1741295527,&mh=R8&mip=212.102.63.147&mm=28&mn=sn-aigzrnsl&ms=nvh&mt=1741295055&mv=m&mvi=3&pl=24&rmhost=r2---sn-aigzrnsl.gvt1.com&rms=nvh,nvh&shardbypass=sd&smhost=r2---sn-aigzrn7s.gvt1.com

HTTP Response

200
172.217.16.238:443

https://redirector.gvt1.com/edgedl/widevine-cdm/4.10.2710.0-win-x64.zip

tls, http2

firefox.exe

1.8kB
9.0kB
21
21

HTTP Request

GET https://redirector.gvt1.com/edgedl/widevine-cdm/4.10.2710.0-win-x64.zip
74.125.168.232:443

https://r3---sn-aigzrnsl.gvt1.com/edgedl/widevine-cdm/4.10.2710.0-win-x64.zip?cms_redirect=yes&met=1741295531,&mh=R8&mip=212.102.63.147&mm=28&mn=sn-aigzrnsl&ms=nvh&mt=1741295055&mv=m&mvi=3&pl=24&rmhost=r2---sn-aigzrnsl.gvt1.com&rms=nvh,nvh&shardbypass=sd&smhost=r2---sn-aigzrn7s.gvt1.com

tls, http

firefox.exe

176.4kB
8.1MB
2932
5826

HTTP Request

GET https://r3---sn-aigzrnsl.gvt1.com/edgedl/widevine-cdm/4.10.2710.0-win-x64.zip?cms_redirect=yes&met=1741295531,&mh=R8&mip=212.102.63.147&mm=28&mn=sn-aigzrnsl&ms=nvh&mt=1741295055&mv=m&mvi=3&pl=24&rmhost=r2---sn-aigzrnsl.gvt1.com&rms=nvh,nvh&shardbypass=sd&smhost=r2---sn-aigzrn7s.gvt1.com

HTTP Response

200
51.140.242.104:443

https://checkappexec.microsoft.com/windows/shell/actions

tls, http2

3.3kB
7.9kB
25
19

HTTP Request

POST https://checkappexec.microsoft.com/windows/shell/actions

HTTP Response

200
199.232.192.193:80

http://i.imgur.com/8ydfdsE.jpg

http

968 B
645 B
7
5

HTTP Request

GET http://i.imgur.com/8ydfdsE.jpg

HTTP Response

301
199.232.192.193:443

i.imgur.com

tls

3.8kB
77.6kB
67
65
172.165.69.228:443

checkappexec.microsoft.com

tls

4.6kB
9.7kB
23
18
51.11.108.188:443

nav.smartscreen.microsoft.com

tls

11.8kB
9.1kB
29
15
2.18.66.72:443

www.bing.com

tls

2.0kB
931 B
15
8
2.18.66.72:443

www.bing.com

tls

1.1kB
5.1kB
11
10
2.18.66.72:443

www.bing.com

tls

3.5kB
11.9kB
25
24
2.18.66.72:443

www.bing.com

tls

1.5kB
1.8kB
16
9
2.18.66.72:443

www.bing.com

tls

1.6kB
5.1kB
11
10
2.18.66.72:443

www.bing.com

tls

4.5kB
5.1kB
18
11
142.250.187.206:80

youtube.com

340 B
184 B
7
4
142.250.187.206:80

youtube.com

340 B
184 B
7
4
142.250.187.206:80

http://youtube.com/

http

817 B
998 B
8
6

HTTP Request

GET http://youtube.com/

HTTP Response

301
142.250.187.206:443

youtube.com

tls

4.9kB
88.8kB
57
77
51.140.242.104:443

data-edge.smartscreen.microsoft.com

tls

1.7kB
10.9kB
12
12
51.140.242.104:443

data-edge.smartscreen.microsoft.com

tls

738 B
144 B
7
3
51.140.242.104:443

data-edge.smartscreen.microsoft.com

tls

13.0kB
486.3kB
248
353

8.8.8.8:53

temp.sh

dns

firefox.exe

53 B
69 B
1
1

DNS Request

temp.sh

DNS Response

51.91.79.17
8.8.8.8:53

temp.sh

dns

firefox.exe

53 B
69 B
1
1

DNS Request

temp.sh

DNS Response

51.91.79.17
8.8.8.8:53

spocs.getpocket.com

dns

firefox.exe

65 B
131 B
1
1

DNS Request

spocs.getpocket.com

DNS Response

34.117.188.166
8.8.8.8:53

firefox-api-proxy.cdn.mozilla.net

dns

firefox.exe

79 B
160 B
1
1

DNS Request

firefox-api-proxy.cdn.mozilla.net

DNS Response

34.149.97.1
8.8.8.8:53

temp.sh

dns

firefox.exe

53 B
108 B
1
1

DNS Request

temp.sh
34.149.97.1:443

firefox-api-proxy.cdn.mozilla.net

https

firefox.exe

2.1kB
12.5kB
7
13
8.8.8.8:53

prod.content-signature-chains.prod.webservices.mozgcp.net

dns

firefox.exe

103 B
119 B
1
1

DNS Request

prod.content-signature-chains.prod.webservices.mozgcp.net

DNS Response

34.160.144.191
8.8.8.8:53

firefox-api-proxy-prod.pocket.prod.cloudops.mozgcp.net

dns

firefox.exe

100 B
116 B
1
1

DNS Request

firefox-api-proxy-prod.pocket.prod.cloudops.mozgcp.net

DNS Response

34.149.97.1
8.8.8.8:53

prod.ads.prod.webservices.mozgcp.net

dns

firefox.exe

82 B
98 B
1
1

DNS Request

prod.ads.prod.webservices.mozgcp.net

DNS Response

34.117.188.166
8.8.8.8:53

shavar.prod.mozaws.net

dns

firefox.exe

68 B
116 B
1
1

DNS Request

shavar.prod.mozaws.net

DNS Response

44.229.113.109

52.27.153.171

44.231.118.238
8.8.8.8:53

firefox-api-proxy-prod.pocket.prod.cloudops.mozgcp.net

dns

firefox.exe

100 B
128 B
1
1

DNS Request

firefox-api-proxy-prod.pocket.prod.cloudops.mozgcp.net

DNS Response

2600:1901:0:74e4::
8.8.8.8:53

prod.content-signature-chains.prod.webservices.mozgcp.net

dns

firefox.exe

103 B
131 B
1
1

DNS Request

prod.content-signature-chains.prod.webservices.mozgcp.net

DNS Response

2600:1901:0:92a9::
8.8.8.8:53

prod.remote-settings.prod.webservices.mozgcp.net

dns

firefox.exe

94 B
110 B
1
1

DNS Request

prod.remote-settings.prod.webservices.mozgcp.net

DNS Response

34.149.100.209
8.8.8.8:53

prod.ads.prod.webservices.mozgcp.net

dns

firefox.exe

82 B
175 B
1
1

DNS Request

prod.ads.prod.webservices.mozgcp.net
8.8.8.8:53

shavar.prod.mozaws.net

dns

firefox.exe

68 B
153 B
1
1

DNS Request

shavar.prod.mozaws.net
8.8.8.8:53

prod.remote-settings.prod.webservices.mozgcp.net

dns

firefox.exe

94 B
122 B
1
1

DNS Request

prod.remote-settings.prod.webservices.mozgcp.net

DNS Response

2600:1901:0:c47c::
8.8.8.8:53

tracking-protection.cdn.mozilla.net

dns

firefox.exe

81 B
143 B
1
1

DNS Request

tracking-protection.cdn.mozilla.net

DNS Response

34.120.158.37
8.8.8.8:53

tracking-protection.prod.mozaws.net

dns

firefox.exe

81 B
97 B
1
1

DNS Request

tracking-protection.prod.mozaws.net

DNS Response

34.120.158.37
8.8.8.8:53

tracking-protection.prod.mozaws.net

dns

firefox.exe

81 B
166 B
1
1

DNS Request

tracking-protection.prod.mozaws.net
8.8.8.8:53

tracking-protection.cdn.mozilla.net

dns

firefox.exe

81 B
143 B
1
1

DNS Request

tracking-protection.cdn.mozilla.net

DNS Response

34.120.158.37
8.8.8.8:53

location.services.mozilla.com

dns

firefox.exe

75 B
153 B
1
1

DNS Request

location.services.mozilla.com

DNS Response

35.190.72.216
8.8.8.8:53

prod.balrog.prod.cloudops.mozgcp.net

dns

firefox.exe

82 B
98 B
1
1

DNS Request

prod.balrog.prod.cloudops.mozgcp.net

DNS Response

35.244.181.201
8.8.8.8:53

prod.classify-client.prod.webservices.mozgcp.net

dns

firefox.exe

94 B
110 B
1
1

DNS Request

prod.classify-client.prod.webservices.mozgcp.net

DNS Response

35.190.72.216
35.190.72.216:443

prod.classify-client.prod.webservices.mozgcp.net

https

firefox.exe

2.1kB
4.6kB
8
8
8.8.8.8:53

prod.balrog.prod.cloudops.mozgcp.net

dns

firefox.exe

82 B
110 B
1
1

DNS Request

prod.balrog.prod.cloudops.mozgcp.net

DNS Response

2600:1901:0:5133::
8.8.8.8:53

prod.classify-client.prod.webservices.mozgcp.net

dns

firefox.exe

94 B
187 B
1
1

DNS Request

prod.classify-client.prod.webservices.mozgcp.net
8.8.8.8:53

ciscobinary.openh264.org

dns

firefox.exe

70 B
286 B
1
1

DNS Request

ciscobinary.openh264.org

DNS Response

23.55.161.185

23.55.161.211
8.8.8.8:53

redirector.gvt1.com

dns

firefox.exe

65 B
81 B
1
1

DNS Request

redirector.gvt1.com

DNS Response

172.217.16.238
8.8.8.8:53

a19.dscg10.akamai.net

dns

firefox.exe

67 B
99 B
1
1

DNS Request

a19.dscg10.akamai.net

DNS Response

23.55.161.211

23.55.161.185
8.8.8.8:53

redirector.gvt1.com

dns

firefox.exe

65 B
81 B
1
1

DNS Request

redirector.gvt1.com

DNS Response

172.217.16.238
8.8.8.8:53

a19.dscg10.akamai.net

dns

firefox.exe

67 B
123 B
1
1

DNS Request

a19.dscg10.akamai.net

DNS Response

2a02:26f0:1700:f::1737:a1d3

2a02:26f0:1700:f::1737:a1b9
8.8.8.8:53

redirector.gvt1.com

dns

firefox.exe

65 B
93 B
1
1

DNS Request

redirector.gvt1.com

DNS Response

2a00:1450:4009:821::200e
172.217.16.238:443

redirector.gvt1.com

https

firefox.exe

2.1kB
9.3kB
10
10
8.8.8.8:53

r3---sn-aigzrnsl.gvt1.com

dns

firefox.exe

71 B
116 B
1
1

DNS Request

r3---sn-aigzrnsl.gvt1.com

DNS Response

74.125.168.232
8.8.8.8:53

r3.sn-aigzrnsl.gvt1.com

dns

firefox.exe

69 B
85 B
1
1

DNS Request

r3.sn-aigzrnsl.gvt1.com

DNS Response

74.125.168.232
8.8.8.8:53

r3.sn-aigzrnsl.gvt1.com

dns

firefox.exe

69 B
97 B
1
1

DNS Request

r3.sn-aigzrnsl.gvt1.com

DNS Response

2a00:1450:4009:15::8
74.125.168.232:443

r3.sn-aigzrnsl.gvt1.com

https

firefox.exe

1.8kB
5.9kB
6
7
8.8.8.8:53

checkappexec.microsoft.com

dns

72 B
191 B
1
1

DNS Request

checkappexec.microsoft.com

DNS Response

51.140.242.104
8.8.8.8:53

twinkcam.net

dns

AntivirusPro2017.exe

58 B
131 B
1
1

DNS Request

twinkcam.net
8.8.8.8:53

www.antivirusxp-2008.com

dns

140 B
286 B
2
2

DNS Request

www.antivirusxp-2008.com

DNS Request

www.antivirusxp-2008.com
8.8.8.8:53

i.imgur.com

dns

114 B
128 B
2
1

DNS Request

i.imgur.com

DNS Request

i.imgur.com

DNS Response

199.232.192.193

199.232.196.193
8.8.8.8:53

pomfcat.000webhostapp.com

dns

284 B
213 B
4
3

DNS Request

pomfcat.000webhostapp.com

DNS Request

pomfcat.000webhostapp.com

DNS Request

pomfcat.000webhostapp.com

DNS Request

pomfcat.000webhostapp.com
8.8.8.8:53

checkappexec.microsoft.com

dns

72 B
192 B
1
1

DNS Request

checkappexec.microsoft.com

DNS Response

172.165.69.228
8.8.8.8:53

pomfcat.000webhostapp.com

dns

284 B
142 B
4
2

DNS Request

pomfcat.000webhostapp.com

DNS Request

pomfcat.000webhostapp.com

DNS Request

pomfcat.000webhostapp.com

DNS Request

pomfcat.000webhostapp.com
8.8.8.8:53

nav.smartscreen.microsoft.com

dns

75 B
191 B
1
1

DNS Request

nav.smartscreen.microsoft.com

DNS Response

51.11.108.188
224.0.0.251:5353

574 B
9
8.8.8.8:53

youtube.com

dns

57 B
73 B
1
1

DNS Request

youtube.com

DNS Response

142.250.187.206
8.8.8.8:53

www.youtube.com

dns

122 B
335 B
2
1

DNS Request

www.youtube.com

DNS Request

www.youtube.com

DNS Response

216.58.204.78

142.250.180.14

216.58.212.238

172.217.169.14

142.250.200.46

142.250.200.14

172.217.169.46

142.250.187.206

216.58.201.110

172.217.16.238

216.58.213.14

216.58.212.206

142.250.187.238

142.250.178.14

142.250.179.238
8.8.8.8:53

data-edge.smartscreen.microsoft.com

dns

162 B
198 B
2
1

DNS Request

data-edge.smartscreen.microsoft.com

DNS Request

data-edge.smartscreen.microsoft.com

DNS Response

51.140.242.104
8.8.8.8:53

www.antivirusxp-2008.com

dns

70 B
143 B
1
1

DNS Request

www.antivirusxp-2008.com

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Event Triggered Execution

T1546

Accessibility Features

T1546.008

AppInit DLLs

T1546.010

Power Settings

T1653

Pre-OS Boot

T1542

Bootkit

T1542.003

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Access Token Manipulation

T1134

Create Process with Token

T1134.002

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Event Triggered Execution

T1546

Accessibility Features

T1546.008

AppInit DLLs

T1546.010

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Access Token Manipulation

T1134

Create Process with Token

T1134.002

File and Directory Permissions Modification

T1222

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Impair Defenses

T1562

Disable or Modify Tools

Modify Registry

Pre-OS Boot

T1542

Bootkit

T1542.003

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

System Information Discovery