redline | a5ee1f7fb3358883a72e2f3f86039f6b325ed9e18b8eeca095ae073faccb96f6

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-780313508-644878201-565826771-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-780313508-644878201-565826771-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe
Key created	\REGISTRY\MACHINE\software\WOW6432Node\microsoft\Active Setup\Installed Components	INSTALLER.exe
Key created	\REGISTRY\MACHINE\software\WOW6432Node\microsoft\Active Setup\Installed Components	INSTALLER.exe

Downloads MZ/PE file 4 IoCs

flow	pid	Process
474	5376	firefox.exe
218	5376	firefox.exe
433	5376	firefox.exe
779	5376	firefox.exe

Event Triggered Execution: AppInit DLLs 1 TTPs
Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by AppInit DLLs loaded into processes.
persistence privilege_escalation

AppInit DLLs
T1546.010

Possible privilege escalation attempt 64 IoCs

exploit

pid	Process
4480	Process not Found
6000	Process not Found
4744	Process not Found
4664	icacls.exe
2008	Process not Found
6844	Process not Found
2932	takeown.exe
3356	icacls.exe
4740	Process not Found
6464	Process not Found
5968	Process not Found
4556	Process not Found
4116	Process not Found
6740	Process not Found
6284	icacls.exe
5012	icacls.exe
116	takeown.exe
2564	Process not Found
5756	Process not Found
6444	Process not Found
6724	Process not Found
3756	Process not Found
1068	Process not Found
5984	Process not Found
2696	Process not Found
1232	Process not Found
2108	Process not Found
3860	Process not Found
4116	Process not Found
5724	Process not Found
6960	Process not Found
5680	icacls.exe
6860	Process not Found
3616	Process not Found
1924	Process not Found
4684	icacls.exe
4412	Process not Found
2880	Process not Found
5444	Process not Found
6336	Process not Found
2580	Process not Found
3784	Process not Found
2248	Process not Found
484	Process not Found
6300	Process not Found
1436	Process not Found
4632	Process not Found
6164	Process not Found
4040	Process not Found
2580	Process not Found
5096	Process not Found
3040	Process not Found
3748	Process not Found
5780	icacls.exe
6308	icacls.exe
4596	Process not Found
4536	Process not Found
6464	Process not Found
4440	Process not Found
2460	Process not Found
6080	Process not Found
6488	takeown.exe
1704	Process not Found
2540	Process not Found

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-780313508-644878201-565826771-1000\Control Panel\International\Geo\Nation	esign-app.tmp
Key value queried	\REGISTRY\USER\S-1-5-21-780313508-644878201-565826771-1000\Control Panel\International\Geo\Nation	esign-app.tmp
Key value queried	\REGISTRY\USER\S-1-5-21-780313508-644878201-565826771-1000\Control Panel\International\Geo\Nation	esign-app.tmp

Executes dropped EXE 25 IoCs

pid	Process
4776	esign-app.exe
4584	esign-app.tmp
1540	esign-app.exe
3136	esign-app.tmp
1448	needmoney.exe
5056	svchost015.exe
4844	crypted.exe
4856	needmoney.exe
1972	esign-app.exe
3504	esign-app.tmp
1704	esign-app.exe
4320	esign-app.tmp
664	svchost015.exe
2292	esign-app.exe
2028	esign-app.tmp
5152	esign-app.exe
3376	esign-app.tmp
6252	needmoney.exe
6396	svchost015.exe
6448	crypted.exe
6192	Bonzify.exe
7108	INSTALLER.exe
6292	AgentSvr.exe
5868	INSTALLER.exe
5912	AgentSvr.exe

Loads dropped DLL 41 IoCs

pid	Process
4584	esign-app.tmp
4584	esign-app.tmp
3136	esign-app.tmp
3136	esign-app.tmp
1480	regsvr32.exe
3216	regsvr32.exe
3092	regsvr32.EXE
1080	regsvr32.EXE
3504	esign-app.tmp
3504	esign-app.tmp
4320	esign-app.tmp
4320	esign-app.tmp
1972	regsvr32.exe
480	regsvr32.exe
2028	esign-app.tmp
2028	esign-app.tmp
3376	esign-app.tmp
3376	esign-app.tmp
2292	regsvr32.exe
456	regsvr32.exe
6692	regsvr32.EXE
456	regsvr32.EXE
3344	regsvr32.EXE
6576	regsvr32.EXE
7108	INSTALLER.exe
5072	regsvr32.exe
6188	regsvr32.exe
1928	regsvr32.exe
6432	regsvr32.exe
5444	regsvr32.exe
6224	regsvr32.exe
1184	regsvr32.exe
5868	INSTALLER.exe
2068	regsvr32.exe
2068	regsvr32.exe
6772	regsvr32.exe
6192	Bonzify.exe
5912	AgentSvr.exe
5912	AgentSvr.exe
5912	AgentSvr.exe
6624	regsvr32.EXE

Modifies file permissions 1 TTPs 64 IoCs

discovery

File and Directory Permissions Modification

T1222

pid	Process
5560	icacls.exe
6464	icacls.exe
1396	icacls.exe
852	Process not Found
6740	Process not Found
2288	Process not Found
1212	Process not Found
4316	takeown.exe
6848	Process not Found
4012	Process not Found
6640	Process not Found
756	icacls.exe
4684	Process not Found
6348	Process not Found
60	Process not Found
6296	Process not Found
3740	Process not Found
6112	Process not Found
5712	Process not Found
6928	Process not Found
5152	Process not Found
1120	Process not Found
4708	Process not Found
4296	Process not Found
6904	Process not Found
6116	Process not Found
5096	Process not Found
6284	takeown.exe
6844	Process not Found
6828	Process not Found
4780	Process not Found
5204	Process not Found
5552	Process not Found
1348	icacls.exe
6484	icacls.exe
6452	takeown.exe
6392	takeown.exe
6032	Process not Found
2008	Process not Found
6484	Process not Found
948	Process not Found
3136	Process not Found
2540	Process not Found
4960	Process not Found
1620	Process not Found
756	icacls.exe
5132	Process not Found
5576	icacls.exe
4820	icacls.exe
3468	Process not Found
7024	Process not Found
4404	Process not Found
1664	Process not Found
6592	icacls.exe
7056	Process not Found
6172	Process not Found
2452	Process not Found
2348	Process not Found
5348	Process not Found
1464	Process not Found
6060	Process not Found
2068	icacls.exe
4620	icacls.exe
2312	Process not Found

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\tv_enua = "RunDll32 advpack.dll,LaunchINFSection C:\\Windows\\INF\\tv_enua.inf, RemoveCabinet"	INSTALLER.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Command and Scripting Interpreter: PowerShell 1 TTPs 14 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
5072	powershell.exe
5072	powershell.exe
1348	powershell.exe
5448	powershell.exe
2292	powershell.exe
1240	powershell.exe
6552	powershell.exe
5560	powershell.exe
2516	Process not Found
3268	powershell.exe
5776	powershell.exe
5208	powershell.exe
6708	powershell.exe
6696	Process not Found

Enumerates connected drives 3 TTPs 4 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

Peripheral Device Discovery

T1120

System Information Discovery

defense_evasion privilege_escalation

description	ioc	Process
File opened (read-only)	\??\F:	explorer.exe
File opened (read-only)	\??\E:	explorer.exe
File opened (read-only)	\??\F:	explorer.exe
File opened (read-only)	\??\E:	explorer.exe

File and Directory Permissions Modification: Windows File and Directory Permissions Modification 1 TTPs
defense_evasion

Windows File and Directory Permissions Modification
T1222.001

Legitimate hosting services abused for malware hosting/C2 1 TTPs 16 IoCs

Web Service

T1102

flow	ioc
446	pastebin.com
447	pastebin.com
778	raw.githubusercontent.com
971	camo.githubusercontent.com
973	camo.githubusercontent.com
780	raw.githubusercontent.com
781	raw.githubusercontent.com
972	camo.githubusercontent.com
991	drive.google.com
1076	raw.githubusercontent.com
779	raw.githubusercontent.com
987	drive.google.com
988	drive.google.com
974	camo.githubusercontent.com
989	drive.google.com
990	drive.google.com

Power Settings 1 TTPs 6 IoCs

powercfg controls all configurable power system settings on a Windows system and can be abused to prevent an infected host from locking or shutting down.

persistence

Power Settings

T1653

pid	Process
4664	cmd.exe
4316	takeown.exe
3496	icacls.exe
3996	Process not Found
4992	Process not Found
5012	Process not Found

Drops file in System32 directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\SETC68C.tmp	INSTALLER.exe
File created	C:\Windows\SysWOW64\SETC68C.tmp	INSTALLER.exe
File opened for modification	C:\Windows\SysWOW64\msvcp50.dll	INSTALLER.exe

Suspicious use of SetThreadContext 5 IoCs

description	pid	Process	procid_target
PID 1448 set thread context of 5056	1448	needmoney.exe	154
PID 4844 set thread context of 5960	4844	crypted.exe	169
PID 4856 set thread context of 664	4856	needmoney.exe	176
PID 6252 set thread context of 6396	6252	needmoney.exe	186
PID 6448 set thread context of 6504	6448	crypted.exe	189

Drops file in Windows directory 56 IoCs

description	ioc	Process
File opened for modification	C:\Windows\msagent\mslwvtts.dll	INSTALLER.exe
File created	C:\Windows\lhsp\tv\SETC687.tmp	INSTALLER.exe
File created	C:\Windows\lhsp\tv\SETC688.tmp	INSTALLER.exe
File created	C:\Windows\fonts\SETC68A.tmp	INSTALLER.exe
File opened for modification	C:\Windows\msagent\AgentSvr.exe	INSTALLER.exe
File opened for modification	C:\Windows\msagent\AgentMPx.dll	INSTALLER.exe
File opened for modification	C:\Windows\msagent\SETC3CC.tmp	INSTALLER.exe
File opened for modification	C:\Windows\help\SETC3D1.tmp	INSTALLER.exe
File opened for modification	C:\Windows\lhsp\tv\tv_enua.dll	INSTALLER.exe
File opened for modification	C:\Windows\fonts\andmoipa.ttf	INSTALLER.exe
File opened for modification	C:\Windows\INF\SETC68B.tmp	INSTALLER.exe
File opened for modification	C:\Windows\msagent\AgentCtl.dll	INSTALLER.exe
File opened for modification	C:\Windows\msagent\SETC3C8.tmp	INSTALLER.exe
File opened for modification	C:\Windows\msagent\AgentDPv.dll	INSTALLER.exe
File opened for modification	C:\Windows\msagent\SETC3C9.tmp	INSTALLER.exe
File created	C:\Windows\msagent\SETC3C9.tmp	INSTALLER.exe
File created	C:\Windows\msagent\SETC3CC.tmp	INSTALLER.exe
File created	C:\Windows\msagent\SETC3CD.tmp	INSTALLER.exe
File created	C:\Windows\msagent\SETC3D0.tmp	INSTALLER.exe
File created	C:\Windows\msagent\SETC3B8.tmp	INSTALLER.exe
File created	C:\Windows\msagent\SETC3CA.tmp	INSTALLER.exe
File opened for modification	C:\Windows\msagent\AgentSR.dll	INSTALLER.exe
File created	C:\Windows\INF\SETC3CF.tmp	INSTALLER.exe
File opened for modification	C:\Windows\INF\agtinst.inf	INSTALLER.exe
File created	C:\Windows\help\SETC3D1.tmp	INSTALLER.exe
File opened for modification	C:\Windows\msagent\intl\SETC3E2.tmp	INSTALLER.exe
File created	C:\Windows\msagent\intl\SETC3E2.tmp	INSTALLER.exe
File created	C:\Windows\msagent\SETC3CB.tmp	INSTALLER.exe
File created	C:\Windows\msagent\SETC3CE.tmp	INSTALLER.exe
File opened for modification	C:\Windows\INF\SETC3CF.tmp	INSTALLER.exe
File opened for modification	C:\Windows\help\Agt0409.hlp	INSTALLER.exe
File opened for modification	C:\Windows\lhsp\help\SETC689.tmp	INSTALLER.exe
File opened for modification	C:\Windows\lhsp\help\tv_enua.hlp	INSTALLER.exe
File opened for modification	C:\Windows\msagent\SETC3B8.tmp	INSTALLER.exe
File opened for modification	C:\Windows\msagent\AgentDp2.dll	INSTALLER.exe
File opened for modification	C:\Windows\msagent\SETC3CE.tmp	INSTALLER.exe
File opened for modification	C:\Windows\msagent\intl\Agt0409.dll	INSTALLER.exe
File opened for modification	C:\Windows\msagent\SETC3E3.tmp	INSTALLER.exe
File created	C:\Windows\msagent\SETC3E3.tmp	INSTALLER.exe
File opened for modification	C:\Windows\msagent\AgtCtl15.tlb	INSTALLER.exe
File opened for modification	C:\Windows\lhsp\tv\SETC688.tmp	INSTALLER.exe
File created	C:\Windows\executables.bin	Bonzify.exe
File opened for modification	C:\Windows\msagent\AgentAnm.dll	INSTALLER.exe
File opened for modification	C:\Windows\msagent\SETC3D0.tmp	INSTALLER.exe
File opened for modification	C:\Windows\lhsp\tv\tvenuax.dll	INSTALLER.exe
File opened for modification	C:\Windows\fonts\SETC68A.tmp	INSTALLER.exe
File created	C:\Windows\INF\SETC68B.tmp	INSTALLER.exe
File opened for modification	C:\Windows\msagent\SETC3CD.tmp	INSTALLER.exe
File opened for modification	C:\Windows\lhsp\tv\SETC687.tmp	INSTALLER.exe
File created	C:\Windows\lhsp\help\SETC689.tmp	INSTALLER.exe
File opened for modification	C:\Windows\INF\tv_enua.inf	INSTALLER.exe
File created	C:\Windows\msagent\chars\Bonzi.acs	Bonzify.exe
File created	C:\Windows\msagent\SETC3C8.tmp	INSTALLER.exe
File opened for modification	C:\Windows\msagent\SETC3CA.tmp	INSTALLER.exe
File opened for modification	C:\Windows\msagent\SETC3CB.tmp	INSTALLER.exe
File opened for modification	C:\Windows\msagent\AgentPsh.dll	INSTALLER.exe

Subvert Trust Controls: Mark-of-the-Web Bypass 1 TTPs 4 IoCs

When files are downloaded from the Internet, they are tagged with a hidden NTFS Alternate Data Stream (ADS) named Zone.Identifier with a specific value known as the MOTW.

defense_evasion

SIP and Trust Provider Hijacking

T1553.003

description	ioc	Process
File created	C:\Users\Admin\Downloads\esign-app.exe:Zone.Identifier	firefox.exe
File created	C:\Users\Admin\Downloads\needmoney.exe:Zone.Identifier	firefox.exe
File created	C:\Users\Admin\Downloads\crypted.exe:Zone.Identifier	firefox.exe
File created	C:\Users\Admin\Downloads\Bonzify.exe:Zone.Identifier	firefox.exe

Access Token Manipulation: Create Process with Token 1 TTPs 2 IoCs

Create Process with Token

T1134.002

pid	Process
4720	cmd.exe
6592	Process not Found

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Event Triggered Execution: Accessibility Features 1 TTPs
Windows contains accessibility features that may be used by adversaries to establish persistence and/or elevate privileges.
persistence privilege_escalation

Accessibility Features
T1546.008

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	icacls.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	icacls.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	takeown.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	takeown.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	takeown.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	takeown.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	takeown.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	icacls.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	takeown.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	icacls.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	takeown.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	takeown.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	icacls.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	takeown.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	takeown.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	takeown.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	icacls.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	icacls.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	takeown.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	takeown.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	takeown.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	icacls.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	takeown.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	esign-app.tmp
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DllHost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	takeown.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	icacls.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	takeown.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	takeown.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	icacls.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	takeown.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	icacls.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	takeown.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	takeown.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	takeown.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	crypted.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	takeown.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	icacls.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	icacls.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 9 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
400	cmd.exe
3160	Process not Found
6428	Process not Found
6472	cmd.exe
6492	Process not Found
3640	Process not Found
3804	Process not Found
2820	Process not Found
4820	cmd.exe

Checks SCSI registry key(s) 3 TTPs 39 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

Peripheral Device Discovery

T1120

System Information Discovery

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	explorer.exe

Checks processor information in registry 2 TTPs 64 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe

Kills process with taskkill 1 IoCs

defense_evasion

pid	Process
6252	taskkill.exe

Modifies Internet Explorer settings 1 TTPs 2 IoCs

adware spyware

Modify Registry

defense_evasion spyware trojan

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-780313508-644878201-565826771-1000\Software\Microsoft\Internet Explorer\Toolbar	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-780313508-644878201-565826771-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\Locked = "1"	explorer.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{DE8EF600-2F82-11D1-ACAC-00C04FD97575}\TypeLib\ = "{F5BE8BC2-7DE6-11D0-91FE-00C04FD701A5}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.lwv	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{F5BE8BC2-7DE6-11D0-91FE-00C04FD701A5}\1.5\ = "Microsoft Agent Control 1.5"	AgentSvr.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{A7B93C85-7B81-11D0-AC5F-00C04FD97575}\TypeLib	AgentSvr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{A7B93C8B-7B81-11D0-AC5F-00C04FD97575}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	AgentSvr.exe
Key created	\REGISTRY\USER\S-1-5-21-780313508-644878201-565826771-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-780313508-644878201-565826771-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F5BE8BD2-7DE6-11D0-91FE-00C04FD701A5}\TypeLib\ = "{F5BE8BC2-7DE6-11D0-91FE-00C04FD701A5}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{A7B93C80-7B81-11D0-AC5F-00C04FD97575}\ProxyStubClsid32	AgentSvr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{08C75162-3C9C-11D1-91FE-00C04FD701A5}\TypeLib\ = "{A7B93C73-7B81-11D0-AC5F-00C04FD97575}"	AgentSvr.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-780313508-644878201-565826771-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\IconSize = "16"	firefox.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{8B77181C-D3EF-11D1-8500-00C04FA34A14}\TypeLib\ = "{F5BE8BC2-7DE6-11D0-91FE-00C04FD701A5}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{F5BE8BDF-7DE6-11D0-91FE-00C04FD701A5}\ProxyStubClsid32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D45FD31E-5C6E-11D1-9EC1-00C04FD7081F}\InprocServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{B0913412-3B44-11D1-ACBA-00C04FD97575}	AgentSvr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{A7B93C89-7B81-11D0-AC5F-00C04FD97575}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	AgentSvr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{A7B93CA0-7B81-11D0-AC5F-00C04FD97575}\TypeLib\ = "{A7B93C73-7B81-11D0-AC5F-00C04FD97575}"	AgentSvr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{A7B93C8B-7B81-11D0-AC5F-00C04FD97575}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	AgentSvr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-780313508-644878201-565826771-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\MRUListEx = 00000000ffffffff	firefox.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D45FD31B-5C6E-11D1-9EC1-00C04FD7081F}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{F5BE8BE8-7DE6-11D0-91FE-00C04FD701A5}\TypeLib\ = "{F5BE8BC2-7DE6-11D0-91FE-00C04FD701A5}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{F5BE8BDB-7DE6-11D0-91FE-00C04FD701A5}\ = "IAgentCtlAudioObject"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BB64DF2F-88E4-11D0-9E87-00C04FD7081F}\ = "Microsoft Agent DocFile Provider 1.5"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D45FD301-5C6E-11D1-9EC1-00C04FD7081F}\InprocServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{A7B93C87-7B81-11D0-AC5F-00C04FD97575}\TypeLib	AgentSvr.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{D7A6D440-8872-11D1-9EC6-00C04FD7081F}\TypeLib	AgentSvr.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{F5BE8BD9-7DE6-11D0-91FE-00C04FD701A5}\TypeLib	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{F5BE8BD4-7DE6-11D0-91FE-00C04FD701A5}\ = "_AgentEvents"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D45FD31E-5C6E-11D1-9EC1-00C04FD7081F}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D45FD2FC-5C6E-11D1-9EC1-00C04FD7081F}\LocalServer32	AgentSvr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{A7B93C91-7B81-11D0-AC5F-00C04FD97575}\TypeLib\Version = "2.0"	AgentSvr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{A7B93C83-7B81-11D0-AC5F-00C04FD97575}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	AgentSvr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{A7B93C89-7B81-11D0-AC5F-00C04FD97575}\TypeLib\Version = "2.0"	AgentSvr.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{A7B93CA0-7B81-11D0-AC5F-00C04FD97575}\ProxyStubClsid32	AgentSvr.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{F5BE8BE1-7DE6-11D0-91FE-00C04FD701A5}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{8563FF20-8ECC-11D1-B9B4-00C04FD97575}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Agent.Character2.2\shellex\PropertySheetHandlers\CharacterPage	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{A7B93C73-7B81-11D0-AC5F-00C04FD97575}\2.0\FLAGS\ = "0"	AgentSvr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{A7B93C91-7B81-11D0-AC5F-00C04FD97575}\TypeLib\ = "{A7B93C73-7B81-11D0-AC5F-00C04FD97575}"	AgentSvr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{B0913412-3B44-11D1-ACBA-00C04FD97575}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	AgentSvr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{A7B93C8D-7B81-11D0-AC5F-00C04FD97575}\TypeLib\ = "{A7B93C73-7B81-11D0-AC5F-00C04FD97575}"	AgentSvr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{48D12BA0-5B77-11D1-9EC1-00C04FD7081F}\ = "IAgentEx"	AgentSvr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{F5BE8BD9-7DE6-11D0-91FE-00C04FD701A5}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{95A893C3-543A-11D0-AC45-00C04FD97575}\TreatAs\ = "{D45FD31C-5C6E-11D1-9EC1-00C04FD7081F}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{A7B93C80-7B81-11D0-AC5F-00C04FD97575}\TypeLib	AgentSvr.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{A7B93C85-7B81-11D0-AC5F-00C04FD97575}\ProxyStubClsid32	AgentSvr.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{A7B93C87-7B81-11D0-AC5F-00C04FD97575}\ProxyStubClsid32	AgentSvr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{48D12BA0-5B77-11D1-9EC1-00C04FD7081F}\TypeLib\ = "{A7B93C73-7B81-11D0-AC5F-00C04FD97575}"	AgentSvr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{6D0ECB23-9968-11D0-AC6E-00C04FD97575}\ = "IAgentCommandWindow"	AgentSvr.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-780313508-644878201-565826771-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell\Microsoft.Windows.ControlPanel\WFlags = "0"	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-780313508-644878201-565826771-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-780313508-644878201-565826771-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Vid = "{65F125E5-7BE1-4810-BA9D-D271C8432CE3}"	explorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{B0913410-3B44-11D1-ACBA-00C04FD97575}\ProxyStubClsid32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{F5BE8BDD-7DE6-11D0-91FE-00C04FD701A5}\ = "IAgentCtlSpeechInput"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{F5BE8BD4-7DE6-11D0-91FE-00C04FD701A5}\ = "_AgentEvents"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4BAC124B-78C8-11D1-B9A8-00C04FD97575}\ = "Agent Custom Proxy Class"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{A7B93C8B-7B81-11D0-AC5F-00C04FD97575}\ = "IAgentPropertySheet"	AgentSvr.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-780313508-644878201-565826771-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell\Microsoft.Windows.ControlPanel\HotKey = "0"	explorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D45FD31B-5C6E-11D1-9EC1-00C04FD7081F}\MiscStatus\1	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{F5BE8BE1-7DE6-11D0-91FE-00C04FD701A5}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{98BBE491-2EED-11D1-ACAC-00C04FD97575}	AgentSvr.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{08C75162-3C9C-11D1-91FE-00C04FD701A5}\TypeLib	AgentSvr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{F5BE8BD3-7DE6-11D0-91FE-00C04FD701A5}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe

Modifies system certificate store 2 TTPs 2 IoCs

Install Root Certificate

T1553.004

Modify Registry

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F1A578C4CB5DE79A370893983FD4DA8B67B2B064	RegAsm.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F1A578C4CB5DE79A370893983FD4DA8B67B2B064\Blob = 0b000000010000004800000054006900740061006e00690075006d00200052006f006f007400200043006500720074006900660069006300610074006500200041007500740068006f00720069007400790000000200000001000000cc0000001c0000006c00000001000000000000000000000000000000010000007b00340031003700340034004200450034002d0031003100430035002d0034003900340043002d0041003200310033002d004200410030004300450039003400340039003300380045007d00000000004d006900630072006f0073006f0066007400200045006e00680061006e006300650064002000430072007900700074006f0067007200610070006800690063002000500072006f00760069006400650072002000760031002e00300000000000030000000100000014000000f1a578c4cb5de79a370893983fd4da8b67b2b06420000000010000000a03000030820306308201eea003020102020867f7beb96a4c2798300d06092a864886f70d01010b0500302e312c302a06035504030c23546974616e69756d20526f6f7420436572746966696361746520417574686f72697479301e170d3233303331343130333532305a170d3236303631373130333532305a302e312c302a06035504030c23546974616e69756d20526f6f7420436572746966696361746520417574686f7269747930820122300d06092a864886f70d01010105000382010f003082010a028201010086e4577a5861ce819177d005fa51d5515a936c610ccfcbde5332cd151da647ee881a245c9b02833b02af3d76fe20bd3bfaf7a20973e72ebd9440d09d8c3d2713bdf0d09feb9532acd7a42da2a952daa86a2a88ee427d30959d90bfba05276aa02998a6986fc01306629b79b8405d1f1fa6d9a42f827afc7566340dc2de27012b94bb4a27b3cb1c219a3cb2c14203f34451bd626520edd4dbcc414f593f2acbc48479f7143cbe139cfd129c913e5303dc20f94c44358901b69a848d7ea02e308a311560ac00ae009a29109aeed9713dd8919b97ed598058e17f0726c7a020f710abc06291dfaaf181c6be6a76c89cb68eb0b0ec1cd95f326c7e55588bfd76c5190203010001a328302630130603551d25040c300a06082b06010505070301300f0603551d130101ff040530030101ff300d06092a864886f70d01010b0500038201010070851293d757e982797dc5f7f27da894ef0cdb329f06a6096e0cf604b0e54711560ef40f5282082e210f55a3db41f312548b7611f5f0dacea3c78b13f6fc243c02b106665be69e184088415b273999b877bee353a248cec7eeb5a095c2174bc9526cafe3372c59dbfbe758134ed351e5147273fec68577ae4552a6f99ac80ca8d0ee422af528858c6be81cb0a8031ab0ae83c0eb5564f4e87a5c06295d3903eee2fdf92d62a7f4d4054deaa79bcaebda4e8b1a6efd42aef9d01c7075728cb13aa8557c85a72532b5e2d6c3e55041c9867ca8f562bbd2ab0c3710d83173ec3781d1dcaac5c6e07ee726624dfdc5814cffd336e17932f89beb9cf7fdbee9bebf61	RegAsm.exe

NTFS ADS 5 IoCs

description	ioc	Process
File created	C:\Users\Admin\Downloads\esign-app.exe:Zone.Identifier	firefox.exe
File created	C:\Users\Admin\Downloads\needmoney.exe:Zone.Identifier	firefox.exe
File created	C:\Users\Admin\Downloads\crypted.exe:Zone.Identifier	firefox.exe
File created	C:\Users\Admin\Downloads\Bonzify.exe:Zone.Identifier	firefox.exe
File created	C:\Users\Admin\Downloads\whisper.x64:Zone.Identifier	firefox.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
6548	explorer.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
5272	mspaint.exe
5272	mspaint.exe
3136	esign-app.tmp
3136	esign-app.tmp
3216	regsvr32.exe
3216	regsvr32.exe
3268	powershell.exe
3268	powershell.exe
3268	powershell.exe
5072	powershell.exe
5072	powershell.exe
5072	powershell.exe
3216	regsvr32.exe
3216	regsvr32.exe
1884	taskmgr.exe
1884	taskmgr.exe
1884	taskmgr.exe
1884	taskmgr.exe
1884	taskmgr.exe
1884	taskmgr.exe
1884	taskmgr.exe
1884	taskmgr.exe
1884	taskmgr.exe
1884	taskmgr.exe
1884	taskmgr.exe
1884	taskmgr.exe
1884	taskmgr.exe
1884	taskmgr.exe
1884	taskmgr.exe
1884	taskmgr.exe
1884	taskmgr.exe
1884	taskmgr.exe
1884	taskmgr.exe
1884	taskmgr.exe
1884	taskmgr.exe
1884	taskmgr.exe
1884	taskmgr.exe
1884	taskmgr.exe
1884	taskmgr.exe
1884	taskmgr.exe
1884	taskmgr.exe
1884	taskmgr.exe
1884	taskmgr.exe
1884	taskmgr.exe
1884	taskmgr.exe
1884	taskmgr.exe
1884	taskmgr.exe
1884	taskmgr.exe
1884	taskmgr.exe
1884	taskmgr.exe
1884	taskmgr.exe
1884	taskmgr.exe
1884	taskmgr.exe
1884	taskmgr.exe
1884	taskmgr.exe
1884	taskmgr.exe
1884	taskmgr.exe
1884	taskmgr.exe
1884	taskmgr.exe
1884	taskmgr.exe
1884	taskmgr.exe
1884	taskmgr.exe
1884	taskmgr.exe
3092	regsvr32.EXE

Suspicious behavior: GetForegroundWindowSpam 3 IoCs

pid	Process
1884	taskmgr.exe
3216	regsvr32.exe
5152	explorer.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	5376	firefox.exe
Token: SeDebugPrivilege	5376	firefox.exe
Token: SeDebugPrivilege	5376	firefox.exe
Token: SeDebugPrivilege	5376	firefox.exe
Token: SeDebugPrivilege	5376	firefox.exe
Token: SeDebugPrivilege	5376	firefox.exe
Token: SeDebugPrivilege	5376	firefox.exe
Token: SeDebugPrivilege	3268	powershell.exe
Token: SeIncreaseQuotaPrivilege	3268	powershell.exe
Token: SeSecurityPrivilege	3268	powershell.exe
Token: SeTakeOwnershipPrivilege	3268	powershell.exe
Token: SeLoadDriverPrivilege	3268	powershell.exe
Token: SeSystemProfilePrivilege	3268	powershell.exe
Token: SeSystemtimePrivilege	3268	powershell.exe
Token: SeProfSingleProcessPrivilege	3268	powershell.exe
Token: SeIncBasePriorityPrivilege	3268	powershell.exe
Token: SeCreatePagefilePrivilege	3268	powershell.exe
Token: SeBackupPrivilege	3268	powershell.exe
Token: SeRestorePrivilege	3268	powershell.exe
Token: SeShutdownPrivilege	3268	powershell.exe
Token: SeDebugPrivilege	3268	powershell.exe
Token: SeSystemEnvironmentPrivilege	3268	powershell.exe
Token: SeRemoteShutdownPrivilege	3268	powershell.exe
Token: SeUndockPrivilege	3268	powershell.exe
Token: SeManageVolumePrivilege	3268	powershell.exe
Token: SeImpersonatePrivilege	3268	powershell.exe
Token: 33	3268	powershell.exe
Token: 34	3268	powershell.exe
Token: 35	3268	powershell.exe
Token: 36	3268	powershell.exe
Token: SeDebugPrivilege	5072	powershell.exe
Token: SeIncreaseQuotaPrivilege	5072	powershell.exe
Token: SeSecurityPrivilege	5072	powershell.exe
Token: SeTakeOwnershipPrivilege	5072	powershell.exe
Token: SeLoadDriverPrivilege	5072	powershell.exe
Token: SeSystemProfilePrivilege	5072	powershell.exe
Token: SeSystemtimePrivilege	5072	powershell.exe
Token: SeProfSingleProcessPrivilege	5072	powershell.exe
Token: SeIncBasePriorityPrivilege	5072	powershell.exe
Token: SeCreatePagefilePrivilege	5072	powershell.exe
Token: SeBackupPrivilege	5072	powershell.exe
Token: SeRestorePrivilege	5072	powershell.exe
Token: SeShutdownPrivilege	5072	powershell.exe
Token: SeDebugPrivilege	5072	powershell.exe
Token: SeSystemEnvironmentPrivilege	5072	powershell.exe
Token: SeRemoteShutdownPrivilege	5072	powershell.exe
Token: SeUndockPrivilege	5072	powershell.exe
Token: SeManageVolumePrivilege	5072	powershell.exe
Token: SeImpersonatePrivilege	5072	powershell.exe
Token: 33	5072	powershell.exe
Token: 34	5072	powershell.exe
Token: 35	5072	powershell.exe
Token: 36	5072	powershell.exe
Token: SeIncreaseQuotaPrivilege	5072	powershell.exe
Token: SeSecurityPrivilege	5072	powershell.exe
Token: SeTakeOwnershipPrivilege	5072	powershell.exe
Token: SeLoadDriverPrivilege	5072	powershell.exe
Token: SeSystemProfilePrivilege	5072	powershell.exe
Token: SeSystemtimePrivilege	5072	powershell.exe
Token: SeProfSingleProcessPrivilege	5072	powershell.exe
Token: SeIncBasePriorityPrivilege	5072	powershell.exe
Token: SeCreatePagefilePrivilege	5072	powershell.exe
Token: SeBackupPrivilege	5072	powershell.exe
Token: SeRestorePrivilege	5072	powershell.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
5376	firefox.exe
5376	firefox.exe
5376	firefox.exe
5376	firefox.exe
5376	firefox.exe
5376	firefox.exe
5376	firefox.exe
5376	firefox.exe
5376	firefox.exe
5376	firefox.exe
5376	firefox.exe
5376	firefox.exe
5376	firefox.exe
5376	firefox.exe
5376	firefox.exe
5376	firefox.exe
5376	firefox.exe
5376	firefox.exe
5376	firefox.exe
5376	firefox.exe
5376	firefox.exe
5376	firefox.exe
5376	firefox.exe
5376	firefox.exe
5376	firefox.exe
3136	esign-app.tmp
1884	taskmgr.exe
1884	taskmgr.exe
1884	taskmgr.exe
1884	taskmgr.exe
1884	taskmgr.exe
1884	taskmgr.exe
1884	taskmgr.exe
1884	taskmgr.exe
1884	taskmgr.exe
1884	taskmgr.exe
1884	taskmgr.exe
1884	taskmgr.exe
1884	taskmgr.exe
1884	taskmgr.exe
1884	taskmgr.exe
1884	taskmgr.exe
1884	taskmgr.exe
1884	taskmgr.exe
1884	taskmgr.exe
1884	taskmgr.exe
1884	taskmgr.exe
1884	taskmgr.exe
1884	taskmgr.exe
1884	taskmgr.exe
1884	taskmgr.exe
1884	taskmgr.exe
1884	taskmgr.exe
1884	taskmgr.exe
1884	taskmgr.exe
1884	taskmgr.exe
1884	taskmgr.exe
1884	taskmgr.exe
1884	taskmgr.exe
1884	taskmgr.exe
1884	taskmgr.exe
1884	taskmgr.exe
1884	taskmgr.exe
1884	taskmgr.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
5376	firefox.exe
5376	firefox.exe
5376	firefox.exe
5376	firefox.exe
5376	firefox.exe
5376	firefox.exe
5376	firefox.exe
5376	firefox.exe
5376	firefox.exe
5376	firefox.exe
5376	firefox.exe
5376	firefox.exe
1884	taskmgr.exe
1884	taskmgr.exe
1884	taskmgr.exe
1884	taskmgr.exe
1884	taskmgr.exe
1884	taskmgr.exe
1884	taskmgr.exe
1884	taskmgr.exe
1884	taskmgr.exe
1884	taskmgr.exe
1884	taskmgr.exe
1884	taskmgr.exe
1884	taskmgr.exe
1884	taskmgr.exe
1884	taskmgr.exe
1884	taskmgr.exe
1884	taskmgr.exe
1884	taskmgr.exe
1884	taskmgr.exe
1884	taskmgr.exe
1884	taskmgr.exe
1884	taskmgr.exe
1884	taskmgr.exe
1884	taskmgr.exe
1884	taskmgr.exe
1884	taskmgr.exe
1884	taskmgr.exe
1884	taskmgr.exe
1884	taskmgr.exe
1884	taskmgr.exe
1884	taskmgr.exe
1884	taskmgr.exe
1884	taskmgr.exe
1884	taskmgr.exe
1884	taskmgr.exe
1884	taskmgr.exe
1884	taskmgr.exe
1884	taskmgr.exe
1884	taskmgr.exe
1884	taskmgr.exe
1884	taskmgr.exe
1884	taskmgr.exe
1884	taskmgr.exe
1884	taskmgr.exe
1884	taskmgr.exe
1884	taskmgr.exe
1884	taskmgr.exe
1884	taskmgr.exe
1884	taskmgr.exe
1884	taskmgr.exe
1884	taskmgr.exe
1884	taskmgr.exe

Suspicious use of SetWindowsHookEx 64 IoCs

pid	Process
5272	mspaint.exe
5272	mspaint.exe
5272	mspaint.exe
5272	mspaint.exe
5376	firefox.exe
5376	firefox.exe
5376	firefox.exe
5376	firefox.exe
5376	firefox.exe
5376	firefox.exe
5376	firefox.exe
5376	firefox.exe
5376	firefox.exe
5376	firefox.exe
5376	firefox.exe
5376	firefox.exe
5376	firefox.exe
5376	firefox.exe
5376	firefox.exe
5376	firefox.exe
5376	firefox.exe
5376	firefox.exe
5376	firefox.exe
5376	firefox.exe
5376	firefox.exe
5376	firefox.exe
5376	firefox.exe
5376	firefox.exe
5376	firefox.exe
5376	firefox.exe
5376	firefox.exe
5376	firefox.exe
5376	firefox.exe
5376	firefox.exe
5376	firefox.exe
5376	firefox.exe
5376	firefox.exe
5376	firefox.exe
5376	firefox.exe
5376	firefox.exe
5376	firefox.exe
5376	firefox.exe
5376	firefox.exe
5376	firefox.exe
5376	firefox.exe
5376	firefox.exe
5376	firefox.exe
5376	firefox.exe
5376	firefox.exe
5376	firefox.exe
5376	firefox.exe
5376	firefox.exe
5376	firefox.exe
5376	firefox.exe
5376	firefox.exe
5376	firefox.exe
5376	firefox.exe
5376	firefox.exe
5376	firefox.exe
3060	firefox.exe
3216	regsvr32.exe
5376	firefox.exe
5376	firefox.exe
5376	firefox.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2456 wrote to memory of 5376	2456	firefox.exe	95
PID 2456 wrote to memory of 5376	2456	firefox.exe	95
PID 2456 wrote to memory of 5376	2456	firefox.exe	95
PID 2456 wrote to memory of 5376	2456	firefox.exe	95
PID 2456 wrote to memory of 5376	2456	firefox.exe	95
PID 2456 wrote to memory of 5376	2456	firefox.exe	95
PID 2456 wrote to memory of 5376	2456	firefox.exe	95
PID 2456 wrote to memory of 5376	2456	firefox.exe	95
PID 2456 wrote to memory of 5376	2456	firefox.exe	95
PID 2456 wrote to memory of 5376	2456	firefox.exe	95
PID 2456 wrote to memory of 5376	2456	firefox.exe	95
PID 5376 wrote to memory of 2644	5376	firefox.exe	96
PID 5376 wrote to memory of 2644	5376	firefox.exe	96
PID 5376 wrote to memory of 2644	5376	firefox.exe	96
PID 5376 wrote to memory of 2644	5376	firefox.exe	96
PID 5376 wrote to memory of 2644	5376	firefox.exe	96
PID 5376 wrote to memory of 2644	5376	firefox.exe	96
PID 5376 wrote to memory of 2644	5376	firefox.exe	96
PID 5376 wrote to memory of 2644	5376	firefox.exe	96
PID 5376 wrote to memory of 2644	5376	firefox.exe	96
PID 5376 wrote to memory of 2644	5376	firefox.exe	96
PID 5376 wrote to memory of 2644	5376	firefox.exe	96
PID 5376 wrote to memory of 2644	5376	firefox.exe	96
PID 5376 wrote to memory of 2644	5376	firefox.exe	96
PID 5376 wrote to memory of 2644	5376	firefox.exe	96
PID 5376 wrote to memory of 2644	5376	firefox.exe	96
PID 5376 wrote to memory of 2644	5376	firefox.exe	96
PID 5376 wrote to memory of 2644	5376	firefox.exe	96
PID 5376 wrote to memory of 2644	5376	firefox.exe	96
PID 5376 wrote to memory of 2644	5376	firefox.exe	96
PID 5376 wrote to memory of 2644	5376	firefox.exe	96
PID 5376 wrote to memory of 2644	5376	firefox.exe	96
PID 5376 wrote to memory of 2644	5376	firefox.exe	96
PID 5376 wrote to memory of 2644	5376	firefox.exe	96
PID 5376 wrote to memory of 2644	5376	firefox.exe	96
PID 5376 wrote to memory of 2644	5376	firefox.exe	96
PID 5376 wrote to memory of 2644	5376	firefox.exe	96
PID 5376 wrote to memory of 2644	5376	firefox.exe	96
PID 5376 wrote to memory of 2644	5376	firefox.exe	96
PID 5376 wrote to memory of 2644	5376	firefox.exe	96
PID 5376 wrote to memory of 2644	5376	firefox.exe	96
PID 5376 wrote to memory of 2644	5376	firefox.exe	96
PID 5376 wrote to memory of 2644	5376	firefox.exe	96
PID 5376 wrote to memory of 2644	5376	firefox.exe	96
PID 5376 wrote to memory of 2644	5376	firefox.exe	96
PID 5376 wrote to memory of 2644	5376	firefox.exe	96
PID 5376 wrote to memory of 2644	5376	firefox.exe	96
PID 5376 wrote to memory of 2644	5376	firefox.exe	96
PID 5376 wrote to memory of 2644	5376	firefox.exe	96
PID 5376 wrote to memory of 2644	5376	firefox.exe	96
PID 5376 wrote to memory of 2644	5376	firefox.exe	96
PID 5376 wrote to memory of 2644	5376	firefox.exe	96
PID 5376 wrote to memory of 2644	5376	firefox.exe	96
PID 5376 wrote to memory of 2644	5376	firefox.exe	96
PID 5376 wrote to memory of 2644	5376	firefox.exe	96
PID 5376 wrote to memory of 2644	5376	firefox.exe	96
PID 5376 wrote to memory of 5652	5376	firefox.exe	97
PID 5376 wrote to memory of 5652	5376	firefox.exe	97
PID 5376 wrote to memory of 5652	5376	firefox.exe	97
PID 5376 wrote to memory of 5652	5376	firefox.exe	97
PID 5376 wrote to memory of 5652	5376	firefox.exe	97
PID 5376 wrote to memory of 5652	5376	firefox.exe	97
PID 5376 wrote to memory of 5652	5376	firefox.exe	97
PID 5376 wrote to memory of 5652	5376	firefox.exe	97

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\mspaint.exe
"C:\Windows\system32\mspaint.exe" "C:\Users\Admin\AppData\Local\Temp\twarzbartolski.png"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:5272

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s DeviceAssociationService
1⤵
PID:2920

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2456
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe"
  2⤵
  - Downloads MZ/PE file
  - Subvert Trust Controls: Mark-of-the-Web Bypass
  - Checks processor information in registry
  - NTFS ADS
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:5376
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -parentBuildID 20250130195129 -prefsHandle 1996 -prefsLen 27100 -prefMapHandle 2000 -prefMapSize 270279 -ipcHandle 2088 -initialChannelId {9219cf7e-61e2-4c24-bad2-5c11b9f74a98} -parentPid 5376 -crashReporter "\\.\pipe\gecko-crash-server-pipe.5376" -appDir "C:\Program Files\Mozilla Firefox\browser" - 1 gpu
    3⤵
    PID:2644
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -parentBuildID 20250130195129 -prefsHandle 2456 -prefsLen 27136 -prefMapHandle 2460 -prefMapSize 270279 -ipcHandle 2476 -initialChannelId {52b1e9e2-0720-4c92-82d4-feba2fe72f91} -parentPid 5376 -crashReporter "\\.\pipe\gecko-crash-server-pipe.5376" -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - 2 socket
    3⤵
    PID:5652
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -isForBrowser -prefsHandle 3832 -prefsLen 27277 -prefMapHandle 3836 -prefMapSize 270279 -jsInitHandle 3840 -jsInitLen 253512 -parentBuildID 20250130195129 -ipcHandle 3848 -initialChannelId {4f281d7a-5d88-4ca4-bcc5-006abb7cb7ef} -parentPid 5376 -crashReporter "\\.\pipe\gecko-crash-server-pipe.5376" -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - 3 tab
    3⤵
    - Checks processor information in registry
    PID:1916
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -parentBuildID 20250130195129 -prefsHandle 4052 -prefsLen 27277 -prefMapHandle 4056 -prefMapSize 270279 -ipcHandle 4132 -initialChannelId {0ee48c28-4f30-47a6-8d09-7c11325619a1} -parentPid 5376 -crashReporter "\\.\pipe\gecko-crash-server-pipe.5376" -appDir "C:\Program Files\Mozilla Firefox\browser" - 4 rdd
    3⤵
    PID:3660
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -isForBrowser -prefsHandle 2852 -prefsLen 34776 -prefMapHandle 2856 -prefMapSize 270279 -jsInitHandle 2864 -jsInitLen 253512 -parentBuildID 20250130195129 -ipcHandle 2892 -initialChannelId {f93a456d-d631-403b-b9e1-fc113b828e28} -parentPid 5376 -crashReporter "\\.\pipe\gecko-crash-server-pipe.5376" -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - 5 tab
    3⤵
    - Checks processor information in registry
    PID:4460
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -parentBuildID 20250130195129 -sandboxingKind 0 -prefsHandle 5208 -prefsLen 35013 -prefMapHandle 5204 -prefMapSize 270279 -ipcHandle 5224 -initialChannelId {d273e34e-797a-49bc-9200-2af50d533c78} -parentPid 5376 -crashReporter "\\.\pipe\gecko-crash-server-pipe.5376" -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - 6 utility
    3⤵
    - Checks processor information in registry
    PID:4888
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -isForBrowser -prefsHandle 5352 -prefsLen 32900 -prefMapHandle 5356 -prefMapSize 270279 -jsInitHandle 5360 -jsInitLen 253512 -parentBuildID 20250130195129 -ipcHandle 2952 -initialChannelId {a0a3e104-9e83-4d19-bead-ab3ba50d1a79} -parentPid 5376 -crashReporter "\\.\pipe\gecko-crash-server-pipe.5376" -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - 7 tab
    3⤵
    - Checks processor information in registry
    PID:4528
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -isForBrowser -prefsHandle 5568 -prefsLen 32952 -prefMapHandle 5572 -prefMapSize 270279 -jsInitHandle 5576 -jsInitLen 253512 -parentBuildID 20250130195129 -ipcHandle 5584 -initialChannelId {456a8af3-b303-4f83-9e72-179f75df0d6d} -parentPid 5376 -crashReporter "\\.\pipe\gecko-crash-server-pipe.5376" -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - 8 tab
    3⤵
    - Checks processor information in registry
    PID:3212
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -isForBrowser -prefsHandle 5888 -prefsLen 33031 -prefMapHandle 5892 -prefMapSize 270279 -jsInitHandle 5896 -jsInitLen 253512 -parentBuildID 20250130195129 -ipcHandle 5904 -initialChannelId {d6021d26-4a2c-4649-a2ec-44d6c7145184} -parentPid 5376 -crashReporter "\\.\pipe\gecko-crash-server-pipe.5376" -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - 9 tab
    3⤵
    - Checks processor information in registry
    PID:5124
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -isForBrowser -prefsHandle 4956 -prefsLen 36503 -prefMapHandle 4960 -prefMapSize 270279 -jsInitHandle 4952 -jsInitLen 253512 -parentBuildID 20250130195129 -ipcHandle 6616 -initialChannelId {4b67ecee-1b49-44cc-985e-404fc4d22d20} -parentPid 5376 -crashReporter "\\.\pipe\gecko-crash-server-pipe.5376" -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - 10 tab
    3⤵
    - Checks processor information in registry
    PID:3116
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -isForBrowser -prefsHandle 2952 -prefsLen 36553 -prefMapHandle 1488 -prefMapSize 270279 -jsInitHandle 1496 -jsInitLen 253512 -parentBuildID 20250130195129 -ipcHandle 6156 -initialChannelId {0fd42e98-402a-4ff0-b17e-e01132eb52ba} -parentPid 5376 -crashReporter "\\.\pipe\gecko-crash-server-pipe.5376" -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - 11 tab
    3⤵
    - Checks processor information in registry
    PID:2608
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -isForBrowser -prefsHandle 6224 -prefsLen 36553 -prefMapHandle 6096 -prefMapSize 270279 -jsInitHandle 6852 -jsInitLen 253512 -parentBuildID 20250130195129 -ipcHandle 6736 -initialChannelId {42141097-c021-4f43-81bc-e36602efa935} -parentPid 5376 -crashReporter "\\.\pipe\gecko-crash-server-pipe.5376" -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - 12 tab
    3⤵
    - Checks processor information in registry
    PID:5316
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -isForBrowser -prefsHandle 6900 -prefsLen 36553 -prefMapHandle 6904 -prefMapSize 270279 -jsInitHandle 6908 -jsInitLen 253512 -parentBuildID 20250130195129 -ipcHandle 6876 -initialChannelId {1282ae34-863f-4bc0-a5af-8b202068886d} -parentPid 5376 -crashReporter "\\.\pipe\gecko-crash-server-pipe.5376" -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - 13 tab
    3⤵
    - Checks processor information in registry
    PID:3204
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -isForBrowser -prefsHandle 6080 -prefsLen 36553 -prefMapHandle 3108 -prefMapSize 270279 -jsInitHandle 5084 -jsInitLen 253512 -parentBuildID 20250130195129 -ipcHandle 7068 -initialChannelId {f0794e9a-2fff-4632-bc05-b222a614589e} -parentPid 5376 -crashReporter "\\.\pipe\gecko-crash-server-pipe.5376" -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - 14 tab
    3⤵
    - Checks processor information in registry
    PID:2824
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -isForBrowser -prefsHandle 5160 -prefsLen 36553 -prefMapHandle 6160 -prefMapSize 270279 -jsInitHandle 6712 -jsInitLen 253512 -parentBuildID 20250130195129 -ipcHandle 1628 -initialChannelId {c25a25b1-5b57-403a-b6f5-2ed3d388a191} -parentPid 5376 -crashReporter "\\.\pipe\gecko-crash-server-pipe.5376" -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - 15 tab
    3⤵
    - Checks processor information in registry
    PID:532
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -isForBrowser -prefsHandle 6464 -prefsLen 36553 -prefMapHandle 2832 -prefMapSize 270279 -jsInitHandle 3280 -jsInitLen 253512 -parentBuildID 20250130195129 -ipcHandle 6216 -initialChannelId {627d5fe2-2e56-44d7-a110-b71bf064d863} -parentPid 5376 -crashReporter "\\.\pipe\gecko-crash-server-pipe.5376" -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - 16 tab
    3⤵
    - Checks processor information in registry
    PID:4056
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -isForBrowser -prefsHandle 6092 -prefsLen 36593 -prefMapHandle 7048 -prefMapSize 270279 -jsInitHandle 6652 -jsInitLen 253512 -parentBuildID 20250130195129 -ipcHandle 7372 -initialChannelId {fd5bf23d-a905-4f0e-988b-aa650734cf1c} -parentPid 5376 -crashReporter "\\.\pipe\gecko-crash-server-pipe.5376" -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - 17 tab
    3⤵
    - Checks processor information in registry
    PID:5760
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -isForBrowser -prefsHandle 5876 -prefsLen 36593 -prefMapHandle 5556 -prefMapSize 270279 -jsInitHandle 6740 -jsInitLen 253512 -parentBuildID 20250130195129 -ipcHandle 6316 -initialChannelId {c3320b60-dc2e-40af-932a-07867fb557a8} -parentPid 5376 -crashReporter "\\.\pipe\gecko-crash-server-pipe.5376" -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - 18 tab
    3⤵
    - Checks processor information in registry
    PID:1492
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -isForBrowser -prefsHandle 5960 -prefsLen 36593 -prefMapHandle 5920 -prefMapSize 270279 -jsInitHandle 6188 -jsInitLen 253512 -parentBuildID 20250130195129 -ipcHandle 1388 -initialChannelId {b48fa396-1e17-4c8f-a20f-9cf0d116eb8c} -parentPid 5376 -crashReporter "\\.\pipe\gecko-crash-server-pipe.5376" -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - 19 tab
    3⤵
    - Checks processor information in registry
    PID:4720
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -isForBrowser -prefsHandle 6268 -prefsLen 36593 -prefMapHandle 6284 -prefMapSize 270279 -jsInitHandle 5428 -jsInitLen 253512 -parentBuildID 20250130195129 -ipcHandle 7160 -initialChannelId {b7924738-70d9-4760-81d6-4c4e345d6aca} -parentPid 5376 -crashReporter "\\.\pipe\gecko-crash-server-pipe.5376" -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - 20 tab
    3⤵
    - Checks processor information in registry
    PID:5508
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -isForBrowser -prefsHandle 7864 -prefsLen 36593 -prefMapHandle 7848 -prefMapSize 270279 -jsInitHandle 7868 -jsInitLen 253512 -parentBuildID 20250130195129 -ipcHandle 7560 -initialChannelId {5e16765b-d610-4354-83f8-12fe88c241db} -parentPid 5376 -crashReporter "\\.\pipe\gecko-crash-server-pipe.5376" -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - 21 tab
    3⤵
    - Checks processor information in registry
    PID:848
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -isForBrowser -prefsHandle 7388 -prefsLen 36593 -prefMapHandle 7036 -prefMapSize 270279 -jsInitHandle 7448 -jsInitLen 253512 -parentBuildID 20250130195129 -ipcHandle 7660 -initialChannelId {77554cdb-4414-4ab7-ab85-47a98a519b72} -parentPid 5376 -crashReporter "\\.\pipe\gecko-crash-server-pipe.5376" -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - 22 tab
    3⤵
    PID:5336
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -isForBrowser -prefsHandle 6172 -prefsLen 36593 -prefMapHandle 5928 -prefMapSize 270279 -jsInitHandle 4864 -jsInitLen 253512 -parentBuildID 20250130195129 -ipcHandle 7648 -initialChannelId {37d29f5e-582b-461a-a533-fa812a8a34e9} -parentPid 5376 -crashReporter "\\.\pipe\gecko-crash-server-pipe.5376" -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - 23 tab
    3⤵
    - Checks processor information in registry
    PID:2652
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -isForBrowser -prefsHandle 4836 -prefsLen 36593 -prefMapHandle 6180 -prefMapSize 270279 -jsInitHandle 3284 -jsInitLen 253512 -parentBuildID 20250130195129 -ipcHandle 7692 -initialChannelId {db60ca39-380d-4d2e-aa8e-bdef4b0aace9} -parentPid 5376 -crashReporter "\\.\pipe\gecko-crash-server-pipe.5376" -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - 24 tab
    3⤵
    - Checks processor information in registry
    PID:3048
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -isForBrowser -prefsHandle 7140 -prefsLen 36593 -prefMapHandle 7580 -prefMapSize 270279 -jsInitHandle 7592 -jsInitLen 253512 -parentBuildID 20250130195129 -ipcHandle 8020 -initialChannelId {2931173c-cbf9-4d95-9f13-3139ab47fe0e} -parentPid 5376 -crashReporter "\\.\pipe\gecko-crash-server-pipe.5376" -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - 25 tab
    3⤵
    - Checks processor information in registry
    PID:5880
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -isForBrowser -prefsHandle 8276 -prefsLen 36593 -prefMapHandle 8224 -prefMapSize 270279 -jsInitHandle 8220 -jsInitLen 253512 -parentBuildID 20250130195129 -ipcHandle 6704 -initialChannelId {95054c4b-29ed-4077-9984-9d77f2239fa1} -parentPid 5376 -crashReporter "\\.\pipe\gecko-crash-server-pipe.5376" -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - 26 tab
    3⤵
    - Checks processor information in registry
    PID:2268
- - C:\Users\Admin\Downloads\esign-app.exe
    "C:\Users\Admin\Downloads\esign-app.exe"
    3⤵
    - Executes dropped EXE
    PID:4776
  - - C:\Users\Admin\AppData\Local\Temp\is-5F1HI.tmp\esign-app.tmp
      "C:\Users\Admin\AppData\Local\Temp\is-5F1HI.tmp\esign-app.tmp" /SL5="$901D2,1592193,247808,C:\Users\Admin\Downloads\esign-app.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      PID:4584
    - - C:\Users\Admin\Downloads\esign-app.exe
        
        "C:\Users\Admin\Downloads\esign-app.exe" /VERYSILENT
        5⤵
        Executes dropped EXE
        
        PID:1540
      - C:\Users\Admin\AppData\Local\Temp\is-UQ213.tmp\esign-app.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-UQ213.tmp\esign-app.tmp" /SL5="$A01D2,1592193,247808,C:\Users\Admin\Downloads\esign-app.exe" /VERYSILENT
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of FindShellTrayWindow
        
        PID:3136
        
        C:\Windows\SysWOW64\regsvr32.exe
        
        "regsvr32.exe" /s /i:SYNC "C:\Users\Admin\AppData\Roaming\\6fwpuclnt_9.drv"
        7⤵
        Loads dropped DLL
        
        PID:1480
        
        C:\Windows\system32\regsvr32.exe
        
        /s /i:SYNC "C:\Users\Admin\AppData\Roaming\\6fwpuclnt_9.drv"
        8⤵
        Loads dropped DLL
        Suspicious behavior: EnumeratesProcesses
        Suspicious behavior: GetForegroundWindowSpam
        Suspicious use of SetWindowsHookEx
        
        PID:3216
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command "if (Get-ScheduledTask | Where-Object { $_.Actions.Execute -eq 'regsvr32' -and $_.Actions.Arguments -eq '/S /i:SYNC C:\Users\Admin\AppData\Roaming\6fwpuclnt_9.drv' }) { exit 0 } else { exit 1 }"
        9⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3268
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" "Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute \"regsvr32\" -Argument \"/S /i:SYNC C:\Users\Admin\AppData\Roaming\6fwpuclnt_9.drv\") -Trigger (New-ScheduledTaskTrigger -Once -At (Get-Date).AddMinutes(1) -RepetitionInterval (New-TimeSpan -Minutes 1)) -TaskName 'MicrosoftEdgeUpdateTaskMachineUA{71809B2C-483E-4444-8F8A-0DF4EBA0B6C8}' -Description 'MicrosoftEdgeUpdateTaskMachineUA' -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DontStopIfGoingOnBatteries -ExecutionTimeLimit 0) -RunLevel Highest"
        9⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:5072
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -isForBrowser -prefsHandle 6316 -prefsLen 36593 -prefMapHandle 6020 -prefMapSize 270279 -jsInitHandle 7516 -jsInitLen 253512 -parentBuildID 20250130195129 -ipcHandle 6248 -initialChannelId {b927b2b1-c389-4ced-85e9-74ca93690dc5} -parentPid 5376 -crashReporter "\\.\pipe\gecko-crash-server-pipe.5376" -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - 27 tab
    3⤵
    - Checks processor information in registry
    PID:984
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -isForBrowser -prefsHandle 6240 -prefsLen 36593 -prefMapHandle 7080 -prefMapSize 270279 -jsInitHandle 7076 -jsInitLen 253512 -parentBuildID 20250130195129 -ipcHandle 7000 -initialChannelId {198b9f40-7bc3-48a7-a134-e1377ac7ce40} -parentPid 5376 -crashReporter "\\.\pipe\gecko-crash-server-pipe.5376" -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - 28 tab
    3⤵
    - Checks processor information in registry
    PID:2572
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -parentBuildID 20250130195129 -sandboxingKind 4 -prefsHandle 7992 -prefsLen 39683 -prefMapHandle 7412 -prefMapSize 270279 -ipcHandle 8080 -initialChannelId {8a8d9edd-d12c-4bb9-8403-734949825e19} -parentPid 5376 -crashReporter "\\.\pipe\gecko-crash-server-pipe.5376" -appDir "C:\Program Files\Mozilla Firefox\browser" - 29 utility
    3⤵
    - Checks processor information in registry
    - Modifies registry class
    - Suspicious use of SetWindowsHookEx
    PID:3060
- - C:\Users\Admin\Downloads\needmoney.exe
    "C:\Users\Admin\Downloads\needmoney.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    PID:1448
  - - C:\Users\Admin\AppData\Local\Temp\svchost015.exe
      C:\Users\Admin\AppData\Local\Temp\svchost015.exe
      4⤵
      Executes dropped EXE
      PID:5056
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -isForBrowser -prefsHandle 7988 -prefsLen 36593 -prefMapHandle 7028 -prefMapSize 270279 -jsInitHandle 6240 -jsInitLen 253512 -parentBuildID 20250130195129 -ipcHandle 7848 -initialChannelId {12307908-3bed-425d-805f-c2543abe128d} -parentPid 5376 -crashReporter "\\.\pipe\gecko-crash-server-pipe.5376" -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - 30 tab
    3⤵
    - Checks processor information in registry
    PID:2004
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -isForBrowser -prefsHandle 9004 -prefsLen 36593 -prefMapHandle 9036 -prefMapSize 270279 -jsInitHandle 9040 -jsInitLen 253512 -parentBuildID 20250130195129 -ipcHandle 9000 -initialChannelId {6f38cd54-c1aa-4976-88e8-2b08e857549a} -parentPid 5376 -crashReporter "\\.\pipe\gecko-crash-server-pipe.5376" -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - 31 tab
    3⤵
    - Checks processor information in registry
    PID:2416
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -isForBrowser -prefsHandle 9196 -prefsLen 36593 -prefMapHandle 9200 -prefMapSize 270279 -jsInitHandle 9204 -jsInitLen 253512 -parentBuildID 20250130195129 -ipcHandle 9184 -initialChannelId {3210f672-ef0e-4d5d-bf95-ca0bd195e643} -parentPid 5376 -crashReporter "\\.\pipe\gecko-crash-server-pipe.5376" -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - 32 tab
    3⤵
    - Checks processor information in registry
    PID:5524
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -isForBrowser -prefsHandle 7472 -prefsLen 36593 -prefMapHandle 9176 -prefMapSize 270279 -jsInitHandle 5456 -jsInitLen 253512 -parentBuildID 20250130195129 -ipcHandle 1628 -initialChannelId {9764dba8-3e6c-4eba-a0c4-0a29372e29f6} -parentPid 5376 -crashReporter "\\.\pipe\gecko-crash-server-pipe.5376" -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - 33 tab
    3⤵
    - Checks processor information in registry
    PID:2280
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -isForBrowser -prefsHandle 6528 -prefsLen 36593 -prefMapHandle 6172 -prefMapSize 270279 -jsInitHandle 8208 -jsInitLen 253512 -parentBuildID 20250130195129 -ipcHandle 8044 -initialChannelId {1273c408-9323-45aa-a404-a5df5b38b798} -parentPid 5376 -crashReporter "\\.\pipe\gecko-crash-server-pipe.5376" -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - 34 tab
    3⤵
    - Checks processor information in registry
    PID:5280
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -isForBrowser -prefsHandle 5516 -prefsLen 36593 -prefMapHandle 9336 -prefMapSize 270279 -jsInitHandle 7472 -jsInitLen 253512 -parentBuildID 20250130195129 -ipcHandle 6808 -initialChannelId {5d61435a-f6fd-4a3f-8d31-44eead8fc52a} -parentPid 5376 -crashReporter "\\.\pipe\gecko-crash-server-pipe.5376" -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - 35 tab
    3⤵
    - Checks processor information in registry
    PID:4880
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -isForBrowser -prefsHandle 9148 -prefsLen 36593 -prefMapHandle 8252 -prefMapSize 270279 -jsInitHandle 7628 -jsInitLen 253512 -parentBuildID 20250130195129 -ipcHandle 9316 -initialChannelId {2c041759-f3d9-4841-8b34-341dcf2a5b85} -parentPid 5376 -crashReporter "\\.\pipe\gecko-crash-server-pipe.5376" -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - 36 tab
    3⤵
    - Checks processor information in registry
    PID:2016
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -isForBrowser -prefsHandle 9348 -prefsLen 36593 -prefMapHandle 8208 -prefMapSize 270279 -jsInitHandle 8748 -jsInitLen 253512 -parentBuildID 20250130195129 -ipcHandle 1624 -initialChannelId {d010124a-4d8b-4220-9deb-a1d2949fd879} -parentPid 5376 -crashReporter "\\.\pipe\gecko-crash-server-pipe.5376" -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - 37 tab
    3⤵
    - Checks processor information in registry
    PID:4836
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -isForBrowser -prefsHandle 8156 -prefsLen 36633 -prefMapHandle 8140 -prefMapSize 270279 -jsInitHandle 8260 -jsInitLen 253512 -parentBuildID 20250130195129 -ipcHandle 8184 -initialChannelId {840241b0-8742-4b23-9faf-ad67db9cb804} -parentPid 5376 -crashReporter "\\.\pipe\gecko-crash-server-pipe.5376" -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - 38 tab
    3⤵
    - Checks processor information in registry
    PID:4700
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -isForBrowser -prefsHandle 7004 -prefsLen 36633 -prefMapHandle 9448 -prefMapSize 270279 -jsInitHandle 9440 -jsInitLen 253512 -parentBuildID 20250130195129 -ipcHandle 9048 -initialChannelId {81b8bcc8-4f5f-4a8a-978f-676ce430c204} -parentPid 5376 -crashReporter "\\.\pipe\gecko-crash-server-pipe.5376" -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - 39 tab
    3⤵
    - Checks processor information in registry
    PID:4012
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -isForBrowser -prefsHandle 9320 -prefsLen 36633 -prefMapHandle 9324 -prefMapSize 270279 -jsInitHandle 9208 -jsInitLen 253512 -parentBuildID 20250130195129 -ipcHandle 7352 -initialChannelId {0b5d8e99-3b88-4976-bf2c-c0297bbc62d8} -parentPid 5376 -crashReporter "\\.\pipe\gecko-crash-server-pipe.5376" -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - 40 tab
    3⤵
    - Checks processor information in registry
    PID:6920
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -isForBrowser -prefsHandle 9344 -prefsLen 36633 -prefMapHandle 9092 -prefMapSize 270279 -jsInitHandle 8016 -jsInitLen 253512 -parentBuildID 20250130195129 -ipcHandle 5424 -initialChannelId {4c2b2524-e1a8-4b4a-b606-731fac471a06} -parentPid 5376 -crashReporter "\\.\pipe\gecko-crash-server-pipe.5376" -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - 41 tab
    3⤵
    - Checks processor information in registry
    PID:3104
- - C:\Users\Admin\Downloads\Bonzify.exe
    "C:\Users\Admin\Downloads\Bonzify.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in Windows directory
    PID:6192
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\KillAgent.bat"
      4⤵
      PID:5208
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im AgentSvr.exe
        5⤵
        Kills process with taskkill
        
        PID:6252
    - - C:\Windows\SysWOW64\takeown.exe
        
        takeown /r /d y /f C:\Windows\MsAgent
        5⤵
        
        PID:4892
    - - C:\Windows\SysWOW64\icacls.exe
        
        icacls C:\Windows\MsAgent /c /t /grant "everyone":(f)
        5⤵
        
        PID:5944
  - - C:\Users\Admin\AppData\Local\Temp\INSTALLER.exe
      INSTALLER.exe /q
      4⤵
      Boot or Logon Autostart Execution: Active Setup
      Executes dropped EXE
      Loads dropped DLL
      Drops file in Windows directory
      PID:7108
    - - C:\Windows\SysWOW64\regsvr32.exe
        
        regsvr32 /s "C:\Windows\msagent\AgentCtl.dll"
        5⤵
        Loads dropped DLL
        Modifies registry class
        
        PID:5072
    - - C:\Windows\SysWOW64\regsvr32.exe
        
        regsvr32 /s "C:\Windows\msagent\AgentDPv.dll"
        5⤵
        Loads dropped DLL
        Modifies registry class
        
        PID:6188
    - - C:\Windows\SysWOW64\regsvr32.exe
        
        regsvr32 /s "C:\Windows\msagent\mslwvtts.dll"
        5⤵
        Loads dropped DLL
        Modifies registry class
        
        PID:1928
    - - C:\Windows\SysWOW64\regsvr32.exe
        
        regsvr32 /s "C:\Windows\msagent\AgentDP2.dll"
        5⤵
        Loads dropped DLL
        Modifies registry class
        
        PID:6432
    - - C:\Windows\SysWOW64\regsvr32.exe
        
        regsvr32 /s "C:\Windows\msagent\AgentMPx.dll"
        5⤵
        Loads dropped DLL
        Modifies registry class
        
        PID:5444
    - - C:\Windows\SysWOW64\regsvr32.exe
        
        regsvr32 /s "C:\Windows\msagent\AgentSR.dll"
        5⤵
        Loads dropped DLL
        
        PID:6224
    - - C:\Windows\SysWOW64\regsvr32.exe
        
        regsvr32 /s "C:\Windows\msagent\AgentPsh.dll"
        5⤵
        Loads dropped DLL
        Modifies registry class
        
        PID:1184
    - - C:\Windows\msagent\AgentSvr.exe
        
        "C:\Windows\msagent\AgentSvr.exe" /regserver
        5⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:6292
    - - C:\Windows\SysWOW64\grpconv.exe
        
        grpconv.exe -o
        5⤵
        
        PID:6656
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\servicing\TrustedInstaller.exe"
      4⤵
      PID:5912
    - - C:\Windows\SysWOW64\takeown.exe
        
        takeown /f "C:\Windows\servicing\TrustedInstaller.exe"
        5⤵
        
        PID:6904
    - - C:\Windows\SysWOW64\icacls.exe
        
        icacls "C:\Windows\servicing\TrustedInstaller.exe" /grant "everyone":(f)
        5⤵
        
        PID:6124
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\Speech\Common\sapisvr.exe"
      4⤵
      PID:7124
    - - C:\Windows\SysWOW64\takeown.exe
        
        takeown /f "C:\Windows\Speech\Common\sapisvr.exe"
        5⤵
        
        PID:468
    - - C:\Windows\SysWOW64\icacls.exe
        
        icacls "C:\Windows\Speech\Common\sapisvr.exe" /grant "everyone":(f)
        5⤵
        
        PID:5828
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\splwow64.exe"
      4⤵
      PID:4632
    - - C:\Windows\SysWOW64\takeown.exe
        
        takeown /f "C:\Windows\splwow64.exe"
        5⤵
        
        PID:6636
    - - C:\Windows\SysWOW64\icacls.exe
        
        icacls "C:\Windows\splwow64.exe" /grant "everyone":(f)
        5⤵
        
        PID:4364
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\sysmon.exe"
      4⤵
      PID:3620
    - - C:\Windows\SysWOW64\takeown.exe
        
        takeown /f "C:\Windows\sysmon.exe"
        5⤵
        
        PID:6612
    - - C:\Windows\SysWOW64\icacls.exe
        
        icacls "C:\Windows\sysmon.exe" /grant "everyone":(f)
        5⤵
        
        PID:6172
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\System32\agentactivationruntimestarter.exe"
      4⤵
      PID:6152
    - - C:\Windows\SysWOW64\takeown.exe
        
        takeown /f "C:\Windows\System32\agentactivationruntimestarter.exe"
        5⤵
        
        PID:7000
    - - C:\Windows\SysWOW64\icacls.exe
        
        icacls "C:\Windows\System32\agentactivationruntimestarter.exe" /grant "everyone":(f)
        5⤵
        
        PID:6212
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\System32\appidtel.exe"
      4⤵
      PID:5324
    - - C:\Windows\SysWOW64\takeown.exe
        
        takeown /f "C:\Windows\System32\appidtel.exe"
        5⤵
        
        PID:5152
    - - C:\Windows\SysWOW64\icacls.exe
        
        icacls "C:\Windows\System32\appidtel.exe" /grant "everyone":(f)
        5⤵
        
        PID:408
  - - C:\Users\Admin\AppData\Local\Temp\INSTALLER.exe
      INSTALLER.exe /q
      4⤵
      Boot or Logon Autostart Execution: Active Setup
      Executes dropped EXE
      Loads dropped DLL
      Adds Run key to start application
      Drops file in System32 directory
      Drops file in Windows directory
      PID:5868
    - - C:\Windows\SysWOW64\regsvr32.exe
        
        regsvr32 /s C:\Windows\lhsp\tv\tv_enua.dll
        5⤵
        Loads dropped DLL
        
        PID:2068
    - - C:\Windows\SysWOW64\regsvr32.exe
        
        regsvr32 /s C:\Windows\lhsp\tv\tvenuax.dll
        5⤵
        Loads dropped DLL
        
        PID:6772
    - - C:\Windows\SysWOW64\grpconv.exe
        
        grpconv.exe -o
        5⤵
        
        PID:4224
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\System32\ARP.EXE"
      4⤵
      PID:6584
    - - C:\Windows\SysWOW64\takeown.exe
        
        takeown /f "C:\Windows\System32\ARP.EXE"
        5⤵
        
        PID:7052
    - - C:\Windows\SysWOW64\icacls.exe
        
        icacls "C:\Windows\System32\ARP.EXE" /grant "everyone":(f)
        5⤵
        
        PID:6120
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\System32\at.exe"
      4⤵
      PID:2456
    - - C:\Windows\SysWOW64\takeown.exe
        
        takeown /f "C:\Windows\System32\at.exe"
        5⤵
        
        PID:3696
    - - C:\Windows\SysWOW64\icacls.exe
        
        icacls "C:\Windows\System32\at.exe" /grant "everyone":(f)
        5⤵
        
        PID:1820
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\System32\AtBroker.exe"
      4⤵
      PID:6124
    - - C:\Windows\SysWOW64\takeown.exe
        
        takeown /f "C:\Windows\System32\AtBroker.exe"
        5⤵
        
        PID:5524
    - - C:\Windows\SysWOW64\icacls.exe
        
        icacls "C:\Windows\System32\AtBroker.exe" /grant "everyone":(f)
        5⤵
        
        PID:3020
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\System32\attrib.exe"
      4⤵
      PID:3884
    - - C:\Windows\SysWOW64\takeown.exe
        
        takeown /f "C:\Windows\System32\attrib.exe"
        5⤵
        
        PID:5772
    - - C:\Windows\SysWOW64\icacls.exe
        
        icacls "C:\Windows\System32\attrib.exe" /grant "everyone":(f)
        5⤵
        
        PID:4632
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\System32\auditpol.exe"
      4⤵
      PID:4716
    - - C:\Windows\SysWOW64\takeown.exe
        
        takeown /f "C:\Windows\System32\auditpol.exe"
        5⤵
        
        PID:6924
    - - C:\Windows\SysWOW64\icacls.exe
        
        icacls "C:\Windows\System32\auditpol.exe" /grant "everyone":(f)
        5⤵
        
        PID:6420
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\System32\autochk.exe"
      4⤵
      PID:532
    - - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        5⤵
        
        PID:6224
    - - C:\Windows\SysWOW64\takeown.exe
        
        takeown /f "C:\Windows\System32\autochk.exe"
        5⤵
        
        PID:3064
    - - C:\Windows\SysWOW64\icacls.exe
        
        icacls "C:\Windows\System32\autochk.exe" /grant "everyone":(f)
        5⤵
        
        PID:3992
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\System32\autoconv.exe"
      4⤵
      PID:7008
    - - C:\Windows\SysWOW64\takeown.exe
        
        takeown /f "C:\Windows\System32\autoconv.exe"
        5⤵
        
        PID:6152
    - - C:\Windows\SysWOW64\icacls.exe
        
        icacls "C:\Windows\System32\autoconv.exe" /grant "everyone":(f)
        5⤵
        
        PID:4856
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\System32\autofmt.exe"
      4⤵
      PID:4172
    - - C:\Windows\SysWOW64\takeown.exe
        
        takeown /f "C:\Windows\System32\autofmt.exe"
        5⤵
        
        PID:408
    - - C:\Windows\SysWOW64\icacls.exe
        
        icacls "C:\Windows\System32\autofmt.exe" /grant "everyone":(f)
        5⤵
        
        PID:6732
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\System32\backgroundTaskHost.exe"
      4⤵
      PID:6540
    - - C:\Windows\SysWOW64\takeown.exe
        
        takeown /f "C:\Windows\System32\backgroundTaskHost.exe"
        5⤵
        
        PID:3704
    - - C:\Windows\SysWOW64\icacls.exe
        
        icacls "C:\Windows\System32\backgroundTaskHost.exe" /grant "everyone":(f)
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:4796
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\System32\BackgroundTransferHost.exe"
      4⤵
      PID:4964
    - - C:\Windows\SysWOW64\takeown.exe
        
        takeown /f "C:\Windows\System32\BackgroundTransferHost.exe"
        5⤵
        
        PID:6176
    - - C:\Windows\SysWOW64\icacls.exe
        
        icacls "C:\Windows\System32\BackgroundTransferHost.exe" /grant "everyone":(f)
        5⤵
        
        PID:7108
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\System32\bitsadmin.exe"
      4⤵
      PID:3124
    - - C:\Windows\SysWOW64\takeown.exe
        
        takeown /f "C:\Windows\System32\bitsadmin.exe"
        5⤵
        
        PID:116
    - - C:\Windows\SysWOW64\icacls.exe
        
        icacls "C:\Windows\System32\bitsadmin.exe" /grant "everyone":(f)
        5⤵
        
        PID:1924
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\System32\bootcfg.exe"
      4⤵
      PID:1704
    - - C:\Windows\SysWOW64\takeown.exe
        
        takeown /f "C:\Windows\System32\bootcfg.exe"
        5⤵
        
        PID:1396
    - - C:\Windows\SysWOW64\icacls.exe
        
        icacls "C:\Windows\System32\bootcfg.exe" /grant "everyone":(f)
        5⤵
        Modifies file permissions
        
        PID:6464
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\System32\bthudtask.exe"
      4⤵
      System Location Discovery: System Language Discovery
      PID:6548
    - - C:\Windows\SysWOW64\takeown.exe
        
        takeown /f "C:\Windows\System32\bthudtask.exe"
        5⤵
        
        PID:2064
    - - C:\Windows\SysWOW64\icacls.exe
        
        icacls "C:\Windows\System32\bthudtask.exe" /grant "everyone":(f)
        5⤵
        
        PID:4416
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\System32\ByteCodeGenerator.exe"
      4⤵
      PID:4476
    - - C:\Windows\SysWOW64\takeown.exe
        
        takeown /f "C:\Windows\System32\ByteCodeGenerator.exe"
        5⤵
        
        PID:5136
    - - C:\Windows\SysWOW64\icacls.exe
        
        icacls "C:\Windows\System32\ByteCodeGenerator.exe" /grant "everyone":(f)
        5⤵
        
        PID:2740
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\System32\cacls.exe"
      4⤵
      PID:6904
    - - C:\Windows\SysWOW64\takeown.exe
        
        takeown /f "C:\Windows\System32\cacls.exe"
        5⤵
        
        PID:1932
    - - C:\Windows\SysWOW64\icacls.exe
        
        icacls "C:\Windows\System32\cacls.exe" /grant "everyone":(f)
        5⤵
        
        PID:3784
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\System32\calc.exe"
      4⤵
      PID:1708
    - - C:\Windows\SysWOW64\takeown.exe
        
        takeown /f "C:\Windows\System32\calc.exe"
        5⤵
        
        PID:1820
    - - C:\Windows\SysWOW64\icacls.exe
        
        icacls "C:\Windows\System32\calc.exe" /grant "everyone":(f)
        5⤵
        
        PID:3428
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\System32\CameraSettingsUIHost.exe"
      4⤵
      PID:4188
    - - C:\Windows\SysWOW64\takeown.exe
        
        takeown /f "C:\Windows\System32\CameraSettingsUIHost.exe"
        5⤵
        
        PID:4224
    - - C:\Windows\SysWOW64\icacls.exe
        
        icacls "C:\Windows\System32\CameraSettingsUIHost.exe" /grant "everyone":(f)
        5⤵
        
        PID:5496
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\System32\CertEnrollCtrl.exe"
      4⤵
      PID:5456
    - - C:\Windows\SysWOW64\takeown.exe
        
        takeown /f "C:\Windows\System32\CertEnrollCtrl.exe"
        5⤵
        
        PID:4676
    - - C:\Windows\SysWOW64\icacls.exe
        
        icacls "C:\Windows\System32\CertEnrollCtrl.exe" /grant "everyone":(f)
        5⤵
        
        PID:5780
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\System32\certreq.exe"
      4⤵
      System Location Discovery: System Language Discovery
      PID:4756
    - - C:\Windows\SysWOW64\takeown.exe
        
        takeown /f "C:\Windows\System32\certreq.exe"
        5⤵
        
        PID:1628
    - - C:\Windows\SysWOW64\icacls.exe
        
        icacls "C:\Windows\System32\certreq.exe" /grant "everyone":(f)
        5⤵
        
        PID:3884
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\System32\certutil.exe"
      4⤵
      PID:5988
    - - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        5⤵
        
        PID:1928
    - - C:\Windows\SysWOW64\takeown.exe
        
        takeown /f "C:\Windows\System32\certutil.exe"
        5⤵
        
        PID:232
    - - C:\Windows\SysWOW64\icacls.exe
        
        icacls "C:\Windows\System32\certutil.exe" /grant "everyone":(f)
        5⤵
        
        PID:6608
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\System32\charmap.exe"
      4⤵
      PID:4716
    - - C:\Windows\SysWOW64\takeown.exe
        
        takeown /f "C:\Windows\System32\charmap.exe"
        5⤵
        
        PID:4720
    - - C:\Windows\SysWOW64\icacls.exe
        
        icacls "C:\Windows\System32\charmap.exe" /grant "everyone":(f)
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:3064
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\System32\CheckNetIsolation.exe"
      4⤵
      System Location Discovery: System Language Discovery
      PID:4548
    - - C:\Windows\SysWOW64\takeown.exe
        
        takeown /f "C:\Windows\System32\CheckNetIsolation.exe"
        5⤵
        
        PID:6212
    - - C:\Windows\SysWOW64\icacls.exe
        
        icacls "C:\Windows\System32\CheckNetIsolation.exe" /grant "everyone":(f)
        5⤵
        
        PID:7008
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\System32\chkdsk.exe"
      4⤵
      System Location Discovery: System Language Discovery
      PID:5580
    - - C:\Windows\SysWOW64\takeown.exe
        
        takeown /f "C:\Windows\System32\chkdsk.exe"
        5⤵
        
        PID:5372
    - - C:\Windows\SysWOW64\icacls.exe
        
        icacls "C:\Windows\System32\chkdsk.exe" /grant "everyone":(f)
        5⤵
        
        PID:6520
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\System32\chkntfs.exe"
      4⤵
      System Location Discovery: System Language Discovery
      PID:6656
    - - C:\Windows\SysWOW64\takeown.exe
        
        takeown /f "C:\Windows\System32\chkntfs.exe"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:352
    - - C:\Windows\SysWOW64\icacls.exe
        
        icacls "C:\Windows\System32\chkntfs.exe" /grant "everyone":(f)
        5⤵
        
        PID:6384
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\System32\choice.exe"
      4⤵
      PID:1028
    - - C:\Windows\SysWOW64\takeown.exe
        
        takeown /f "C:\Windows\System32\choice.exe"
        5⤵
        
        PID:6228
    - - C:\Windows\SysWOW64\icacls.exe
        
        icacls "C:\Windows\System32\choice.exe" /grant "everyone":(f)
        5⤵
        
        PID:6484
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\System32\cipher.exe"
      4⤵
      PID:6176
    - - C:\Windows\SysWOW64\takeown.exe
        
        takeown /f "C:\Windows\System32\cipher.exe"
        5⤵
        
        PID:3124
    - - C:\Windows\SysWOW64\icacls.exe
        
        icacls "C:\Windows\System32\cipher.exe" /grant "everyone":(f)
        5⤵
        
        PID:2652
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\System32\cleanmgr.exe"
      4⤵
      PID:3496
    - - C:\Windows\SysWOW64\takeown.exe
        
        takeown /f "C:\Windows\System32\cleanmgr.exe"
        5⤵
        
        PID:6592
    - - C:\Windows\SysWOW64\icacls.exe
        
        icacls "C:\Windows\System32\cleanmgr.exe" /grant "everyone":(f)
        5⤵
        
        PID:6492
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\System32\cliconfg.exe"
      4⤵
      PID:3512
    - - C:\Windows\SysWOW64\takeown.exe
        
        takeown /f "C:\Windows\System32\cliconfg.exe"
        5⤵
        
        PID:4680
    - - C:\Windows\SysWOW64\icacls.exe
        
        icacls "C:\Windows\System32\cliconfg.exe" /grant "everyone":(f)
        5⤵
        
        PID:4444
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\System32\clip.exe"
      4⤵
      PID:6112
    - - C:\Windows\SysWOW64\takeown.exe
        
        takeown /f "C:\Windows\System32\clip.exe"
        5⤵
        
        PID:2612
    - - C:\Windows\SysWOW64\icacls.exe
        
        icacls "C:\Windows\System32\clip.exe" /grant "everyone":(f)
        5⤵
        
        PID:5600
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\System32\CloudNotifications.exe"
      4⤵
      PID:948
    - - C:\Windows\SysWOW64\takeown.exe
        
        takeown /f "C:\Windows\System32\CloudNotifications.exe"
        5⤵
        
        PID:4744
    - - C:\Windows\SysWOW64\icacls.exe
        
        icacls "C:\Windows\System32\CloudNotifications.exe" /grant "everyone":(f)
        5⤵
        
        PID:1932
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\System32\cmd.exe"
      4⤵
      System Location Discovery: System Language Discovery
      PID:4296
    - - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        5⤵
        
        PID:2456
    - - C:\Windows\SysWOW64\takeown.exe
        
        takeown /f "C:\Windows\System32\cmd.exe"
        5⤵
        
        PID:3696
    - - C:\Windows\SysWOW64\icacls.exe
        
        icacls "C:\Windows\System32\cmd.exe" /grant "everyone":(f)
        5⤵
        
        PID:5792
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\System32\cmdkey.exe"
      4⤵
      PID:3088
    - - C:\Windows\SysWOW64\takeown.exe
        
        takeown /f "C:\Windows\System32\cmdkey.exe"
        5⤵
        
        PID:4344
    - - C:\Windows\SysWOW64\icacls.exe
        
        icacls "C:\Windows\System32\cmdkey.exe" /grant "everyone":(f)
        5⤵
        
        PID:5180
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\System32\cmdl32.exe"
      4⤵
      PID:924
    - - C:\Windows\SysWOW64\takeown.exe
        
        takeown /f "C:\Windows\System32\cmdl32.exe"
        5⤵
        
        PID:6372
    - - C:\Windows\SysWOW64\icacls.exe
        
        icacls "C:\Windows\System32\cmdl32.exe" /grant "everyone":(f)
        5⤵
        
        PID:3616
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\System32\cmmon32.exe"
      4⤵
      PID:6472
    - - C:\Windows\SysWOW64\takeown.exe
        
        takeown /f "C:\Windows\System32\cmmon32.exe"
        5⤵
        
        PID:4148
    - - C:\Windows\SysWOW64\icacls.exe
        
        icacls "C:\Windows\System32\cmmon32.exe" /grant "everyone":(f)
        5⤵
        Possible privilege escalation attempt
        
        PID:5680
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\System32\cmstp.exe"
      4⤵
      PID:6924
    - - C:\Windows\SysWOW64\takeown.exe
        
        takeown /f "C:\Windows\System32\cmstp.exe"
        5⤵
        
        PID:6816
    - - C:\Windows\SysWOW64\icacls.exe
        
        icacls "C:\Windows\System32\cmstp.exe" /grant "everyone":(f)
        5⤵
        
        PID:3620
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\System32\colorcpl.exe"
      4⤵
      PID:532
    - - C:\Windows\SysWOW64\takeown.exe
        
        takeown /f "C:\Windows\System32\colorcpl.exe"
        5⤵
        
        PID:3992
    - - C:\Windows\SysWOW64\icacls.exe
        
        icacls "C:\Windows\System32\colorcpl.exe" /grant "everyone":(f)
        5⤵
        
        PID:7000
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\System32\Com\comrepl.exe"
      4⤵
      PID:6916
    - - C:\Windows\SysWOW64\takeown.exe
        
        takeown /f "C:\Windows\System32\Com\comrepl.exe"
        5⤵
        
        PID:5184
    - - C:\Windows\SysWOW64\icacls.exe
        
        icacls "C:\Windows\System32\Com\comrepl.exe" /grant "everyone":(f)
        5⤵
        
        PID:4172
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\System32\Com\MigRegDB.exe"
      4⤵
      PID:2252
    - - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        5⤵
        
        PID:6152
    - - C:\Windows\SysWOW64\takeown.exe
        
        takeown /f "C:\Windows\System32\Com\MigRegDB.exe"
        5⤵
        
        PID:5516
    - - C:\Windows\SysWOW64\icacls.exe
        
        icacls "C:\Windows\System32\Com\MigRegDB.exe" /grant "everyone":(f)
        5⤵
        
        PID:3704
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\System32\comp.exe"
      4⤵
      PID:2312
    - - C:\Windows\SysWOW64\takeown.exe
        
        takeown /f "C:\Windows\System32\comp.exe"
        5⤵
        
        PID:6488
    - - C:\Windows\SysWOW64\icacls.exe
        
        icacls "C:\Windows\System32\comp.exe" /grant "everyone":(f)
        5⤵
        
        PID:6228
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\System32\compact.exe"
      4⤵
      PID:708
    - - C:\Windows\SysWOW64\takeown.exe
        
        takeown /f "C:\Windows\System32\compact.exe"
        5⤵
        
        PID:6796
    - - C:\Windows\SysWOW64\icacls.exe
        
        icacls "C:\Windows\System32\compact.exe" /grant "everyone":(f)
        5⤵
        
        PID:6708
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\System32\ComputerDefaults.exe"
      4⤵
      PID:1384
    - - C:\Windows\SysWOW64\takeown.exe
        
        takeown /f "C:\Windows\System32\ComputerDefaults.exe"
        5⤵
        
        PID:5984
    - - C:\Windows\SysWOW64\icacls.exe
        
        icacls "C:\Windows\System32\ComputerDefaults.exe" /grant "everyone":(f)
        5⤵
        
        PID:5340
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\System32\control.exe"
      4⤵
      PID:2280
    - - C:\Windows\SysWOW64\takeown.exe
        
        takeown /f "C:\Windows\System32\control.exe"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:5636
    - - C:\Windows\SysWOW64\icacls.exe
        
        icacls "C:\Windows\System32\control.exe" /grant "everyone":(f)
        5⤵
        
        PID:4416
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\System32\convert.exe"
      4⤵
      PID:4840
    - - C:\Windows\SysWOW64\takeown.exe
        
        takeown /f "C:\Windows\System32\convert.exe"
        5⤵
        
        PID:5168
    - - C:\Windows\SysWOW64\icacls.exe
        
        icacls "C:\Windows\System32\convert.exe" /grant "everyone":(f)
        5⤵
        
        PID:4316
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\System32\CredentialUIBroker.exe"
      4⤵
      PID:4336
    - - C:\Windows\SysWOW64\takeown.exe
        
        takeown /f "C:\Windows\System32\CredentialUIBroker.exe"
        5⤵
        
        PID:4476
    - - C:\Windows\SysWOW64\icacls.exe
        
        icacls "C:\Windows\System32\CredentialUIBroker.exe" /grant "everyone":(f)
        5⤵
        
        PID:5548
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\System32\credwiz.exe"
      4⤵
      PID:6800
    - - C:\Windows\SysWOW64\takeown.exe
        
        takeown /f "C:\Windows\System32\credwiz.exe"
        5⤵
        
        PID:6904
    - - C:\Windows\SysWOW64\icacls.exe
        
        icacls "C:\Windows\System32\credwiz.exe" /grant "everyone":(f)
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:6284
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\System32\cscript.exe"
      4⤵
      PID:6772
    - - C:\Windows\SysWOW64\takeown.exe
        
        takeown /f "C:\Windows\System32\cscript.exe"
        5⤵
        
        PID:2156
    - - C:\Windows\SysWOW64\icacls.exe
        
        icacls "C:\Windows\System32\cscript.exe" /grant "everyone":(f)
        5⤵
        
        PID:6632
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\System32\ctfmon.exe"
      4⤵
      PID:5252
    - - C:\Windows\SysWOW64\takeown.exe
        
        takeown /f "C:\Windows\System32\ctfmon.exe"
        5⤵
        
        PID:4820
    - - C:\Windows\SysWOW64\icacls.exe
        
        icacls "C:\Windows\System32\ctfmon.exe" /grant "everyone":(f)
        5⤵
        
        PID:5072
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\System32\cttune.exe"
      4⤵
      PID:5124
    - - C:\Windows\SysWOW64\takeown.exe
        
        takeown /f "C:\Windows\System32\cttune.exe"
        5⤵
        
        PID:3884
    - - C:\Windows\SysWOW64\icacls.exe
        
        icacls "C:\Windows\System32\cttune.exe" /grant "everyone":(f)
        5⤵
        
        PID:6188
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\System32\cttunesvr.exe"
      4⤵
      PID:6612
    - - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        5⤵
        
        PID:4148
    - - C:\Windows\SysWOW64\takeown.exe
        
        takeown /f "C:\Windows\System32\cttunesvr.exe"
        5⤵
        
        PID:6608
    - - C:\Windows\SysWOW64\icacls.exe
        
        icacls "C:\Windows\System32\cttunesvr.exe" /grant "everyone":(f)
        5⤵
        
        PID:5988
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\System32\curl.exe"
      4⤵
      PID:6816
    - - C:\Windows\SysWOW64\takeown.exe
        
        takeown /f "C:\Windows\System32\curl.exe"
        5⤵
        
        PID:532
    - - C:\Windows\SysWOW64\icacls.exe
        
        icacls "C:\Windows\System32\curl.exe" /grant "everyone":(f)
        5⤵
        Modifies file permissions
        System Location Discovery: System Language Discovery
        
        PID:1348
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\System32\dccw.exe"
      4⤵
      PID:3992
    - - C:\Windows\SysWOW64\takeown.exe
        
        takeown /f "C:\Windows\System32\dccw.exe"
        5⤵
        
        PID:3928
    - - C:\Windows\SysWOW64\icacls.exe
        
        icacls "C:\Windows\System32\dccw.exe" /grant "everyone":(f)
        5⤵
        
        PID:6436
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\System32\dcomcnfg.exe"
      4⤵
      PID:6520
    - - C:\Windows\SysWOW64\takeown.exe
        
        takeown /f "C:\Windows\System32\dcomcnfg.exe"
        5⤵
        
        PID:5516
    - - C:\Windows\SysWOW64\icacls.exe
        
        icacls "C:\Windows\System32\dcomcnfg.exe" /grant "everyone":(f)
        5⤵
        
        PID:3956
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\System32\ddodiag.exe"
      4⤵
      PID:2252
    - - C:\Windows\SysWOW64\takeown.exe
        
        takeown /f "C:\Windows\System32\ddodiag.exe"
        5⤵
        
        PID:4784
    - - C:\Windows\SysWOW64\icacls.exe
        
        icacls "C:\Windows\System32\ddodiag.exe" /grant "everyone":(f)
        5⤵
        
        PID:4796
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\System32\DevicePairingWizard.exe"
      4⤵
      System Location Discovery: System Language Discovery
      PID:352
    - - C:\Windows\SysWOW64\takeown.exe
        
        takeown /f "C:\Windows\System32\DevicePairingWizard.exe"
        5⤵
        
        PID:4492
    - - C:\Windows\SysWOW64\icacls.exe
        
        icacls "C:\Windows\System32\DevicePairingWizard.exe" /grant "everyone":(f)
        5⤵
        Modifies file permissions
        
        PID:6484
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\System32\dfrgui.exe"
      4⤵
      PID:708
    - - C:\Windows\SysWOW64\takeown.exe
        
        takeown /f "C:\Windows\System32\dfrgui.exe"
        5⤵
        
        PID:4220
    - - C:\Windows\SysWOW64\icacls.exe
        
        icacls "C:\Windows\System32\dfrgui.exe" /grant "everyone":(f)
        5⤵
        
        PID:6596
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\System32\dialer.exe"
      4⤵
      System Location Discovery: System Language Discovery
      PID:5984
    - - C:\Windows\SysWOW64\takeown.exe
        
        takeown /f "C:\Windows\System32\dialer.exe"
        5⤵
        
        PID:5132
    - - C:\Windows\SysWOW64\icacls.exe
        
        icacls "C:\Windows\System32\dialer.exe" /grant "everyone":(f)
        5⤵
        
        PID:6688
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\System32\diskpart.exe"
      4⤵
      PID:3764
    - - C:\Windows\SysWOW64\takeown.exe
        
        takeown /f "C:\Windows\System32\diskpart.exe"
        5⤵
        
        PID:4652
    - - C:\Windows\SysWOW64\icacls.exe
        
        icacls "C:\Windows\System32\diskpart.exe" /grant "everyone":(f)
        5⤵
        
        PID:4444
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\System32\diskperf.exe"
      4⤵
      PID:6548
    - - C:\Windows\SysWOW64\takeown.exe
        
        takeown /f "C:\Windows\System32\diskperf.exe"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:1796
    - - C:\Windows\SysWOW64\icacls.exe
        
        icacls "C:\Windows\System32\diskperf.exe" /grant "everyone":(f)
        5⤵
        
        PID:5600
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\System32\Dism\DismHost.exe"
      4⤵
      PID:6112
    - - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        5⤵
        
        PID:5136
    - - C:\Windows\SysWOW64\takeown.exe
        
        takeown /f "C:\Windows\System32\Dism\DismHost.exe"
        5⤵
        
        PID:3428
    - - C:\Windows\SysWOW64\icacls.exe
        
        icacls "C:\Windows\System32\Dism\DismHost.exe" /grant "everyone":(f)
        5⤵
        
        PID:2840
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\System32\Dism.exe"
      4⤵
      PID:948
    - - C:\Windows\SysWOW64\takeown.exe
        
        takeown /f "C:\Windows\System32\Dism.exe"
        5⤵
        
        PID:5916
    - - C:\Windows\SysWOW64\icacls.exe
        
        icacls "C:\Windows\System32\Dism.exe" /grant "everyone":(f)
        5⤵
        Modifies file permissions
        
        PID:5576
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\System32\dllhost.exe"
      4⤵
      PID:4188
    - - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        5⤵
        
        PID:3696
    - - C:\Windows\SysWOW64\takeown.exe
        
        takeown /f "C:\Windows\System32\dllhost.exe"
        5⤵
        
        PID:5780
    - - C:\Windows\SysWOW64\icacls.exe
        
        icacls "C:\Windows\System32\dllhost.exe" /grant "everyone":(f)
        5⤵
        
        PID:6372
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\System32\dllhst3g.exe"
      4⤵
      PID:2028
    - - C:\Windows\SysWOW64\takeown.exe
        
        takeown /f "C:\Windows\System32\dllhst3g.exe"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:5816
    - - C:\Windows\SysWOW64\icacls.exe
        
        icacls "C:\Windows\System32\dllhst3g.exe" /grant "everyone":(f)
        5⤵
        
        PID:6352
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\System32\doskey.exe"
      4⤵
      PID:5840
    - - C:\Windows\SysWOW64\takeown.exe
        
        takeown /f "C:\Windows\System32\doskey.exe"
        5⤵
        
        PID:6432
    - - C:\Windows\SysWOW64\icacls.exe
        
        icacls "C:\Windows\System32\doskey.exe" /grant "everyone":(f)
        5⤵
        
        PID:6924
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\System32\dpapimig.exe"
      4⤵
      PID:7036
    - - C:\Windows\SysWOW64\takeown.exe
        
        takeown /f "C:\Windows\System32\dpapimig.exe"
        5⤵
        
        PID:2528
    - - C:\Windows\SysWOW64\icacls.exe
        
        icacls "C:\Windows\System32\dpapimig.exe" /grant "everyone":(f)
        5⤵
        
        PID:2144
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\System32\DpiScaling.exe"
      4⤵
      PID:1964
    - - C:\Windows\SysWOW64\takeown.exe
        
        takeown /f "C:\Windows\System32\DpiScaling.exe"
        5⤵
        
        PID:4240
    - - C:\Windows\SysWOW64\icacls.exe
        
        icacls "C:\Windows\System32\DpiScaling.exe" /grant "everyone":(f)
        5⤵
        
        PID:7128
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\System32\dplaysvr.exe"
      4⤵
      System Location Discovery: System Language Discovery
      PID:408
    - - C:\Windows\SysWOW64\takeown.exe
        
        takeown /f "C:\Windows\System32\dplaysvr.exe"
        5⤵
        
        PID:2472
    - - C:\Windows\SysWOW64\icacls.exe
        
        icacls "C:\Windows\System32\dplaysvr.exe" /grant "everyone":(f)
        5⤵
        
        PID:4892
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\System32\dpnsvr.exe"
      4⤵
      PID:5580
    - - C:\Windows\SysWOW64\takeown.exe
        
        takeown /f "C:\Windows\System32\dpnsvr.exe"
        5⤵
        
        PID:6736
    - - C:\Windows\SysWOW64\icacls.exe
        
        icacls "C:\Windows\System32\dpnsvr.exe" /grant "everyone":(f)
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:6552
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\System32\driverquery.exe"
      4⤵
      PID:6184
    - - C:\Windows\SysWOW64\takeown.exe
        
        takeown /f "C:\Windows\System32\driverquery.exe"
        5⤵
        
        PID:1028
    - - C:\Windows\SysWOW64\icacls.exe
        
        icacls "C:\Windows\System32\driverquery.exe" /grant "everyone":(f)
        5⤵
        
        PID:5380
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\System32\dtdump.exe"
      4⤵
      PID:392
    - - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        5⤵
        
        PID:352
    - - C:\Windows\SysWOW64\takeown.exe
        
        takeown /f "C:\Windows\System32\dtdump.exe"
        5⤵
        
        PID:6892
    - - C:\Windows\SysWOW64\icacls.exe
        
        icacls "C:\Windows\System32\dtdump.exe" /grant "everyone":(f)
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:6000
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\System32\dvdplay.exe"
      4⤵
      PID:2652
    - - C:\Windows\SysWOW64\takeown.exe
        
        takeown /f "C:\Windows\System32\dvdplay.exe"
        5⤵
        
        PID:3732
    - - C:\Windows\SysWOW64\icacls.exe
        
        icacls "C:\Windows\System32\dvdplay.exe" /grant "everyone":(f)
        5⤵
        
        PID:1704
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\System32\DWWIN.EXE"
      4⤵
      PID:3160
    - - C:\Windows\SysWOW64\takeown.exe
        
        takeown /f "C:\Windows\System32\DWWIN.EXE"
        5⤵
        
        PID:2216
    - - C:\Windows\SysWOW64\icacls.exe
        
        icacls "C:\Windows\System32\DWWIN.EXE" /grant "everyone":(f)
        5⤵
        
        PID:1840
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\System32\dxdiag.exe"
      4⤵
      PID:4416
    - - C:\Windows\SysWOW64\takeown.exe
        
        takeown /f "C:\Windows\System32\dxdiag.exe"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2068
    - - C:\Windows\SysWOW64\icacls.exe
        
        icacls "C:\Windows\System32\dxdiag.exe" /grant "everyone":(f)
        5⤵
        
        PID:2876
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\System32\EaseOfAccessDialog.exe"
      4⤵
      PID:4684
    - - C:\Windows\SysWOW64\takeown.exe
        
        takeown /f "C:\Windows\System32\EaseOfAccessDialog.exe"
        5⤵
        
        PID:4476
    - - C:\Windows\SysWOW64\icacls.exe
        
        icacls "C:\Windows\System32\EaseOfAccessDialog.exe" /grant "everyone":(f)
        5⤵
        
        PID:1852
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\System32\edpnotify.exe"
      4⤵
      PID:6912
    - - C:\Windows\SysWOW64\takeown.exe
        
        takeown /f "C:\Windows\System32\edpnotify.exe"
        5⤵
        
        PID:5308
    - - C:\Windows\SysWOW64\icacls.exe
        
        icacls "C:\Windows\System32\edpnotify.exe" /grant "everyone":(f)
        5⤵
        Possible privilege escalation attempt
        
        PID:6284
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\System32\efsui.exe"
      4⤵
      PID:2156
    - - C:\Windows\SysWOW64\takeown.exe
        
        takeown /f "C:\Windows\System32\efsui.exe"
        5⤵
        
        PID:4120
    - - C:\Windows\SysWOW64\icacls.exe
        
        icacls "C:\Windows\System32\efsui.exe" /grant "everyone":(f)
        5⤵
        
        PID:4620
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\System32\EhStorAuthn.exe"
      4⤵
      System Location Discovery: System Language Discovery
      PID:4820
    - - C:\Windows\SysWOW64\takeown.exe
        
        takeown /f "C:\Windows\System32\EhStorAuthn.exe"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:5252
    - - C:\Windows\SysWOW64\icacls.exe
        
        icacls "C:\Windows\System32\EhStorAuthn.exe" /grant "everyone":(f)
        5⤵
        
        PID:5444
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\System32\esentutl.exe"
      4⤵
      PID:2452
    - - C:\Windows\SysWOW64\takeown.exe
        
        takeown /f "C:\Windows\System32\esentutl.exe"
        5⤵
        
        PID:468
    - - C:\Windows\SysWOW64\icacls.exe
        
        icacls "C:\Windows\System32\esentutl.exe" /grant "everyone":(f)
        5⤵
        
        PID:5872
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\System32\eudcedit.exe"
      4⤵
      PID:3744
    - - C:\Windows\SysWOW64\takeown.exe
        
        takeown /f "C:\Windows\System32\eudcedit.exe"
        5⤵
        
        PID:5840
    - - C:\Windows\SysWOW64\icacls.exe
        
        icacls "C:\Windows\System32\eudcedit.exe" /grant "everyone":(f)
        5⤵
        Modifies file permissions
        
        PID:756
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\System32\eventcreate.exe"
      4⤵
      PID:6224
    - - C:\Windows\SysWOW64\takeown.exe
        
        takeown /f "C:\Windows\System32\eventcreate.exe"
        5⤵
        
        PID:6608
    - - C:\Windows\SysWOW64\icacls.exe
        
        icacls "C:\Windows\System32\eventcreate.exe" /grant "everyone":(f)
        5⤵
        
        PID:2848
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\System32\eventvwr.exe"
      4⤵
      PID:4240
    - - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        5⤵
        
        PID:6212
    - - C:\Windows\SysWOW64\takeown.exe
        
        takeown /f "C:\Windows\System32\eventvwr.exe"
        5⤵
        
        PID:6816
    - - C:\Windows\SysWOW64\icacls.exe
        
        icacls "C:\Windows\System32\eventvwr.exe" /grant "everyone":(f)
        5⤵
        
        PID:7128
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\System32\expand.exe"
      4⤵
      PID:920
    - - C:\Windows\SysWOW64\takeown.exe
        
        takeown /f "C:\Windows\System32\expand.exe"
        5⤵
        
        PID:3928
    - - C:\Windows\SysWOW64\icacls.exe
        
        icacls "C:\Windows\System32\expand.exe" /grant "everyone":(f)
        5⤵
        
        PID:4892
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\System32\explorer.exe"
      4⤵
      PID:224
    - - C:\Windows\SysWOW64\takeown.exe
        
        takeown /f "C:\Windows\System32\explorer.exe"
        5⤵
        
        PID:6160
    - - C:\Windows\SysWOW64\icacls.exe
        
        icacls "C:\Windows\System32\explorer.exe" /grant "everyone":(f)
        5⤵
        
        PID:6736
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\System32\extrac32.exe"
      4⤵
      PID:6708
    - - C:\Windows\SysWOW64\takeown.exe
        
        takeown /f "C:\Windows\System32\extrac32.exe"
        5⤵
        
        PID:5152
    - - C:\Windows\SysWOW64\icacls.exe
        
        icacls "C:\Windows\System32\extrac32.exe" /grant "everyone":(f)
        5⤵
        
        PID:2184
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\System32\F12\IEChooser.exe"
      4⤵
      PID:5340
    - - C:\Windows\SysWOW64\takeown.exe
        
        takeown /f "C:\Windows\System32\F12\IEChooser.exe"
        5⤵
        
        PID:4492
    - - C:\Windows\SysWOW64\icacls.exe
        
        icacls "C:\Windows\System32\F12\IEChooser.exe" /grant "everyone":(f)
        5⤵
        
        PID:7076
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\System32\fc.exe"
      4⤵
      PID:4664
    - - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        5⤵
        
        PID:3496
    - - C:\Windows\SysWOW64\takeown.exe
        
        takeown /f "C:\Windows\System32\fc.exe"
        5⤵
        
        PID:708
    - - C:\Windows\SysWOW64\icacls.exe
        
        icacls "C:\Windows\System32\fc.exe" /grant "everyone":(f)
        5⤵
        
        PID:3732
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\System32\find.exe"
      4⤵
      PID:472
    - - C:\Windows\SysWOW64\takeown.exe
        
        takeown /f "C:\Windows\System32\find.exe"
        5⤵
        
        PID:2064
    - - C:\Windows\SysWOW64\icacls.exe
        
        icacls "C:\Windows\System32\find.exe" /grant "everyone":(f)
        5⤵
        
        PID:1840
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\System32\findstr.exe"
      4⤵
      System Location Discovery: System Language Discovery
      PID:6908
    - - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        5⤵
        
        PID:5548
    - - C:\Windows\SysWOW64\takeown.exe
        
        takeown /f "C:\Windows\System32\findstr.exe"
        5⤵
        
        PID:6548
    - - C:\Windows\SysWOW64\icacls.exe
        
        icacls "C:\Windows\System32\findstr.exe" /grant "everyone":(f)
        5⤵
        
        PID:2876
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\System32\finger.exe"
      4⤵
      PID:3056
    - - C:\Windows\SysWOW64\takeown.exe
        
        takeown /f "C:\Windows\System32\finger.exe"
        5⤵
        
        PID:2916
    - - C:\Windows\SysWOW64\icacls.exe
        
        icacls "C:\Windows\System32\finger.exe" /grant "everyone":(f)
        5⤵
        
        PID:1852
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\System32\fixmapi.exe"
      4⤵
      PID:3088
    - - C:\Windows\SysWOW64\takeown.exe
        
        takeown /f "C:\Windows\System32\fixmapi.exe"
        5⤵
        
        PID:6864
    - - C:\Windows\SysWOW64\icacls.exe
        
        icacls "C:\Windows\System32\fixmapi.exe" /grant "everyone":(f)
        5⤵
        
        PID:5308
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\System32\fltMC.exe"
      4⤵
      PID:1512
    - - C:\Windows\SysWOW64\takeown.exe
        
        takeown /f "C:\Windows\System32\fltMC.exe"
        5⤵
        
        PID:6772
    - - C:\Windows\SysWOW64\icacls.exe
        
        icacls "C:\Windows\System32\fltMC.exe" /grant "everyone":(f)
        5⤵
        
        PID:4620
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\System32\Fondue.exe"
      4⤵
      PID:1628
    - - C:\Windows\SysWOW64\takeown.exe
        
        takeown /f "C:\Windows\System32\Fondue.exe"
        5⤵
        
        PID:5316
    - - C:\Windows\SysWOW64\icacls.exe
        
        icacls "C:\Windows\System32\Fondue.exe" /grant "everyone":(f)
        5⤵
        
        PID:5444
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\System32\fontdrvhost.exe"
      4⤵
      PID:6168
    - - C:\Windows\SysWOW64\takeown.exe
        
        takeown /f "C:\Windows\System32\fontdrvhost.exe"
        5⤵
        
        PID:5816
    - - C:\Windows\SysWOW64\icacls.exe
        
        icacls "C:\Windows\System32\fontdrvhost.exe" /grant "everyone":(f)
        5⤵
        
        PID:6420
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\System32\fontview.exe"
      4⤵
      PID:3864
    - - C:\Windows\SysWOW64\takeown.exe
        
        takeown /f "C:\Windows\System32\fontview.exe"
        5⤵
        
        PID:3964
    - - C:\Windows\SysWOW64\icacls.exe
        
        icacls "C:\Windows\System32\fontview.exe" /grant "everyone":(f)
        5⤵
        
        PID:6156
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\System32\forfiles.exe"
      4⤵
      PID:6900
    - - C:\Windows\SysWOW64\takeown.exe
        
        takeown /f "C:\Windows\System32\forfiles.exe"
        5⤵
        
        PID:5184
    - - C:\Windows\SysWOW64\icacls.exe
        
        icacls "C:\Windows\System32\forfiles.exe" /grant "everyone":(f)
        5⤵
        
        PID:3992
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\System32\fsquirt.exe"
      4⤵
      PID:6392
    - - C:\Windows\SysWOW64\takeown.exe
        
        takeown /f "C:\Windows\System32\fsquirt.exe"
        5⤵
        
        PID:4172
    - - C:\Windows\SysWOW64\icacls.exe
        
        icacls "C:\Windows\System32\fsquirt.exe" /grant "everyone":(f)
        5⤵
        
        PID:6320
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\System32\fsutil.exe"
      4⤵
      System Location Discovery: System Language Discovery
      PID:6228
    - - C:\Windows\SysWOW64\takeown.exe
        
        takeown /f "C:\Windows\System32\fsutil.exe"
        5⤵
        
        PID:3956
    - - C:\Windows\SysWOW64\icacls.exe
        
        icacls "C:\Windows\System32\fsutil.exe" /grant "everyone":(f)
        5⤵
        
        PID:2252
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\System32\ftp.exe"
      4⤵
      PID:6252
    - - C:\Windows\SysWOW64\takeown.exe
        
        takeown /f "C:\Windows\System32\ftp.exe"
        5⤵
        
        PID:4784
    - - C:\Windows\SysWOW64\icacls.exe
        
        icacls "C:\Windows\System32\ftp.exe" /grant "everyone":(f)
        5⤵
        
        PID:5380
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\System32\GameBarPresenceWriter.exe"
      4⤵
      PID:6176
    - - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        5⤵
        
        PID:4856
    - - C:\Windows\SysWOW64\takeown.exe
        
        takeown /f "C:\Windows\System32\GameBarPresenceWriter.exe"
        5⤵
        
        PID:1696
    - - C:\Windows\SysWOW64\icacls.exe
        
        icacls "C:\Windows\System32\GameBarPresenceWriter.exe" /grant "everyone":(f)
        5⤵
        
        PID:6464
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\System32\GamePanel.exe"
      4⤵
      PID:6892
    - - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        5⤵
        
        PID:116
    - - C:\Windows\SysWOW64\takeown.exe
        
        takeown /f "C:\Windows\System32\GamePanel.exe"
        5⤵
        
        PID:4492
    - - C:\Windows\SysWOW64\icacls.exe
        
        icacls "C:\Windows\System32\GamePanel.exe" /grant "everyone":(f)
        5⤵
        
        PID:3048
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\System32\getmac.exe"
      4⤵
      PID:6576
    - - C:\Windows\SysWOW64\takeown.exe
        
        takeown /f "C:\Windows\System32\getmac.exe"
        5⤵
        
        PID:708
    - - C:\Windows\SysWOW64\icacls.exe
        
        icacls "C:\Windows\System32\getmac.exe" /grant "everyone":(f)
        5⤵
        
        PID:3764
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\System32\gpresult.exe"
      4⤵
      PID:1384
    - - C:\Windows\SysWOW64\takeown.exe
        
        takeown /f "C:\Windows\System32\gpresult.exe"
        5⤵
        
        PID:3004
    - - C:\Windows\SysWOW64\icacls.exe
        
        icacls "C:\Windows\System32\gpresult.exe" /grant "everyone":(f)
        5⤵
        
        PID:5200
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\System32\gpscript.exe"
      4⤵
      PID:2280
    - - C:\Windows\SysWOW64\takeown.exe
        
        takeown /f "C:\Windows\System32\gpscript.exe"
        5⤵
        
        PID:6548
    - - C:\Windows\SysWOW64\icacls.exe
        
        icacls "C:\Windows\System32\gpscript.exe" /grant "everyone":(f)
        5⤵
        
        PID:5112
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\System32\gpupdate.exe"
      4⤵
      PID:4568
    - - C:\Windows\SysWOW64\takeown.exe
        
        takeown /f "C:\Windows\System32\gpupdate.exe"
        5⤵
        
        PID:2916
    - - C:\Windows\SysWOW64\icacls.exe
        
        icacls "C:\Windows\System32\gpupdate.exe" /grant "everyone":(f)
        5⤵
        
        PID:4572
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\System32\grpconv.exe"
      4⤵
      PID:2612
    - - C:\Windows\SysWOW64\takeown.exe
        
        takeown /f "C:\Windows\System32\grpconv.exe"
        5⤵
        
        PID:2456
    - - C:\Windows\SysWOW64\icacls.exe
        
        icacls "C:\Windows\System32\grpconv.exe" /grant "everyone":(f)
        5⤵
        
        PID:6632
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\System32\hdwwiz.exe"
      4⤵
      PID:7124
    - - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        5⤵
        
        PID:1820
    - - C:\Windows\SysWOW64\takeown.exe
        
        takeown /f "C:\Windows\System32\hdwwiz.exe"
        5⤵
        
        PID:4188
    - - C:\Windows\SysWOW64\icacls.exe
        
        icacls "C:\Windows\System32\hdwwiz.exe" /grant "everyone":(f)
        5⤵
        
        PID:6580
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\System32\help.exe"
      4⤵
      System Location Discovery: System Language Discovery
      PID:6004
    - - C:\Windows\SysWOW64\takeown.exe
        
        takeown /f "C:\Windows\System32\help.exe"
        5⤵
        
        PID:5872
    - - C:\Windows\SysWOW64\icacls.exe
        
        icacls "C:\Windows\System32\help.exe" /grant "everyone":(f)
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:5444
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\System32\hh.exe"
      4⤵
      PID:6420
    - - C:\Windows\SysWOW64\takeown.exe
        
        takeown /f "C:\Windows\System32\hh.exe"
        5⤵
        
        PID:6432
    - - C:\Windows\SysWOW64\icacls.exe
        
        icacls "C:\Windows\System32\hh.exe" /grant "everyone":(f)
        5⤵
        
        PID:2932
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\System32\HOSTNAME.EXE"
      4⤵
      PID:4436
    - - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        5⤵
        
        PID:3064
    - - C:\Windows\SysWOW64\takeown.exe
        
        takeown /f "C:\Windows\System32\HOSTNAME.EXE"
        5⤵
        
        PID:3964
    - - C:\Windows\SysWOW64\icacls.exe
        
        icacls "C:\Windows\System32\HOSTNAME.EXE" /grant "everyone":(f)
        5⤵
        
        PID:6860
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\System32\icacls.exe"
      4⤵
      System Location Discovery: System Language Discovery
      PID:6224
    - - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        5⤵
        
        PID:4548
    - - C:\Windows\SysWOW64\takeown.exe
        
        takeown /f "C:\Windows\System32\icacls.exe"
        5⤵
        
        PID:3992
    - - C:\Windows\SysWOW64\icacls.exe
        
        icacls "C:\Windows\System32\icacls.exe" /grant "everyone":(f)
        5⤵
        
        PID:2312
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\System32\icsunattend.exe"
      4⤵
      PID:4240
    - - C:\Windows\SysWOW64\takeown.exe
        
        takeown /f "C:\Windows\System32\icsunattend.exe"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:6320
    - - C:\Windows\SysWOW64\icacls.exe
        
        icacls "C:\Windows\System32\icsunattend.exe" /grant "everyone":(f)
        5⤵
        
        PID:5704
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\System32\ieUnatt.exe"
      4⤵
      System Location Discovery: System Language Discovery
      PID:6048
    - - C:\Windows\SysWOW64\takeown.exe
        
        takeown /f "C:\Windows\System32\ieUnatt.exe"
        5⤵
        
        PID:3956
    - - C:\Windows\SysWOW64\icacls.exe
        
        icacls "C:\Windows\System32\ieUnatt.exe" /grant "everyone":(f)
        5⤵
        
        PID:3124
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\System32\iexpress.exe"
      4⤵
      PID:6732
    - - C:\Windows\SysWOW64\takeown.exe
        
        takeown /f "C:\Windows\System32\iexpress.exe"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:5380
    - - C:\Windows\SysWOW64\icacls.exe
        
        icacls "C:\Windows\System32\iexpress.exe" /grant "everyone":(f)
        5⤵
        
        PID:6832
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\System32\IME\IMEJP\IMJPDCT.EXE"
      4⤵
      PID:6796
    - - C:\Windows\SysWOW64\takeown.exe
        
        takeown /f "C:\Windows\System32\IME\IMEJP\IMJPDCT.EXE"
        5⤵
        
        PID:1696
    - - C:\Windows\SysWOW64\icacls.exe
        
        icacls "C:\Windows\System32\IME\IMEJP\IMJPDCT.EXE" /grant "everyone":(f)
        5⤵
        
        PID:7092
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\System32\IME\IMEJP\IMJPSET.EXE"
      4⤵
      PID:4220
    - - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        5⤵
        
        PID:6384
    - - C:\Windows\SysWOW64\takeown.exe
        
        takeown /f "C:\Windows\System32\IME\IMEJP\IMJPSET.EXE"
        5⤵
        
        PID:4664
    - - C:\Windows\SysWOW64\icacls.exe
        
        icacls "C:\Windows\System32\IME\IMEJP\IMJPSET.EXE" /grant "everyone":(f)
        5⤵
        
        PID:2216
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\System32\IME\IMEJP\IMJPUEX.EXE"
      4⤵
      PID:3764
    - - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        5⤵
        
        PID:6688
    - - C:\Windows\SysWOW64\takeown.exe
        
        takeown /f "C:\Windows\System32\IME\IMEJP\IMJPUEX.EXE"
        5⤵
        
        PID:2064
    - - C:\Windows\SysWOW64\icacls.exe
        
        icacls "C:\Windows\System32\IME\IMEJP\IMJPUEX.EXE" /grant "everyone":(f)
        5⤵
        Modifies file permissions
        
        PID:2068
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\System32\IME\IMEJP\imjpuexc.exe"
      4⤵
      PID:4652
    - - C:\Windows\SysWOW64\takeown.exe
        
        takeown /f "C:\Windows\System32\IME\IMEJP\imjpuexc.exe"
        5⤵
        
        PID:4296
    - - C:\Windows\SysWOW64\icacls.exe
        
        icacls "C:\Windows\System32\IME\IMEJP\imjpuexc.exe" /grant "everyone":(f)
        5⤵
        
        PID:6232
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\System32\IME\IMETC\IMTCLNWZ.EXE"
      4⤵
      PID:4336
    - - C:\Windows\SysWOW64\takeown.exe
        
        takeown /f "C:\Windows\System32\IME\IMETC\IMTCLNWZ.EXE"
        5⤵
        
        PID:3428
    - - C:\Windows\SysWOW64\icacls.exe
        
        icacls "C:\Windows\System32\IME\IMETC\IMTCLNWZ.EXE" /grant "everyone":(f)
        5⤵
        
        PID:6440
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\System32\IME\IMETC\IMTCPROP.exe"
      4⤵
      PID:6284
    - - C:\Windows\SysWOW64\takeown.exe
        
        takeown /f "C:\Windows\System32\IME\IMETC\IMTCPROP.exe"
        5⤵
        
        PID:6100
    - - C:\Windows\SysWOW64\icacls.exe
        
        icacls "C:\Windows\System32\IME\IMETC\IMTCPROP.exe" /grant "everyone":(f)
        5⤵
        
        PID:5308
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\System32\IME\SHARED\IMCCPHR.exe"
      4⤵
      PID:6772
    - - C:\Windows\SysWOW64\takeown.exe
        
        takeown /f "C:\Windows\System32\IME\SHARED\IMCCPHR.exe"
        5⤵
        
        PID:5792
    - - C:\Windows\SysWOW64\icacls.exe
        
        icacls "C:\Windows\System32\IME\SHARED\IMCCPHR.exe" /grant "everyone":(f)
        5⤵
        
        PID:4224
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\System32\IME\SHARED\imecfmui.exe"
      4⤵
      PID:6124
    - - C:\Windows\SysWOW64\takeown.exe
        
        takeown /f "C:\Windows\System32\IME\SHARED\imecfmui.exe"
        5⤵
        
        PID:1628
    - - C:\Windows\SysWOW64\icacls.exe
        
        icacls "C:\Windows\System32\IME\SHARED\imecfmui.exe" /grant "everyone":(f)
        5⤵
        
        PID:3884
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\System32\IME\SHARED\IMEPADSV.EXE"
      4⤵
      PID:232
    - - C:\Windows\SysWOW64\takeown.exe
        
        takeown /f "C:\Windows\System32\IME\SHARED\IMEPADSV.EXE"
        5⤵
        
        PID:5816
    - - C:\Windows\SysWOW64\icacls.exe
        
        icacls "C:\Windows\System32\IME\SHARED\IMEPADSV.EXE" /grant "everyone":(f)
        5⤵
        Modifies file permissions
        
        PID:756
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\System32\IME\SHARED\IMESEARCH.EXE"
      4⤵
      PID:6220
    - - C:\Windows\SysWOW64\takeown.exe
        
        takeown /f "C:\Windows\System32\IME\SHARED\IMESEARCH.EXE"
        5⤵
        
        PID:2028
    - - C:\Windows\SysWOW64\icacls.exe
        
        icacls "C:\Windows\System32\IME\SHARED\IMESEARCH.EXE" /grant "everyone":(f)
        5⤵
        
        PID:6608
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\System32\IME\SHARED\IMEWDBLD.EXE"
      4⤵
      PID:3848
    - - C:\Windows\SysWOW64\takeown.exe
        
        takeown /f "C:\Windows\System32\IME\SHARED\IMEWDBLD.EXE"
        5⤵
        
        PID:6900
    - - C:\Windows\SysWOW64\icacls.exe
        
        icacls "C:\Windows\System32\IME\SHARED\IMEWDBLD.EXE" /grant "everyone":(f)
        5⤵
        
        PID:6816
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\System32\InfDefaultInstall.exe"
      4⤵
      System Location Discovery: System Language Discovery
      PID:5372
    - - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        5⤵
        
        PID:2312
    - - C:\Windows\SysWOW64\takeown.exe
        
        takeown /f "C:\Windows\System32\InfDefaultInstall.exe"
        5⤵
        
        PID:532
    - - C:\Windows\SysWOW64\icacls.exe
        
        icacls "C:\Windows\System32\InfDefaultInstall.exe" /grant "everyone":(f)
        5⤵
        
        PID:3928
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\System32\InputSwitchToastHandler.exe"
      4⤵
      System Location Discovery: System Language Discovery
      PID:5512
    - - C:\Windows\SysWOW64\takeown.exe
        
        takeown /f "C:\Windows\System32\InputSwitchToastHandler.exe"
        5⤵
        
        PID:2472
    - - C:\Windows\SysWOW64\icacls.exe
        
        icacls "C:\Windows\System32\InputSwitchToastHandler.exe" /grant "everyone":(f)
        5⤵
        
        PID:6160
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\System32\InstallShield\setup.exe"
      4⤵
      PID:484
    - - C:\Windows\SysWOW64\takeown.exe
        
        takeown /f "C:\Windows\System32\InstallShield\setup.exe"
        5⤵
        
        PID:3124
    - - C:\Windows\SysWOW64\icacls.exe
        
        icacls "C:\Windows\System32\InstallShield\setup.exe" /grant "everyone":(f)
        5⤵
        
        PID:6664
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\System32\InstallShield\_isdel.exe"
      4⤵
      PID:7052
    - - C:\Windows\SysWOW64\takeown.exe
        
        takeown /f "C:\Windows\System32\InstallShield\_isdel.exe"
        5⤵
        
        PID:4964
    - - C:\Windows\SysWOW64\icacls.exe
        
        icacls "C:\Windows\System32\InstallShield\_isdel.exe" /grant "everyone":(f)
        5⤵
        
        PID:5984
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\System32\instnm.exe"
      4⤵
      PID:1704
    - - C:\Windows\SysWOW64\takeown.exe
        
        takeown /f "C:\Windows\System32\instnm.exe"
        5⤵
        
        PID:6892
    - - C:\Windows\SysWOW64\icacls.exe
        
        icacls "C:\Windows\System32\instnm.exe" /grant "everyone":(f)
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:3732
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\System32\ipconfig.exe"
      4⤵
      PID:4912
    - - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        5⤵
        
        PID:2652
    - - C:\Windows\SysWOW64\takeown.exe
        
        takeown /f "C:\Windows\System32\ipconfig.exe"
        5⤵
        
        PID:7108
    - - C:\Windows\SysWOW64\icacls.exe
        
        icacls "C:\Windows\System32\ipconfig.exe" /grant "everyone":(f)
        5⤵
        
        PID:1840
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\System32\iscsicli.exe"
      4⤵
      PID:5600
    - - C:\Windows\SysWOW64\takeown.exe
        
        takeown /f "C:\Windows\System32\iscsicli.exe"
        5⤵
        
        PID:1384
    - - C:\Windows\SysWOW64\icacls.exe
        
        icacls "C:\Windows\System32\iscsicli.exe" /grant "everyone":(f)
        5⤵
        
        PID:2876
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\System32\iscsicpl.exe"
      4⤵
      PID:6800
    - - C:\Windows\SysWOW64\takeown.exe
        
        takeown /f "C:\Windows\System32\iscsicpl.exe"
        5⤵
        
        PID:2280
    - - C:\Windows\SysWOW64\icacls.exe
        
        icacls "C:\Windows\System32\iscsicpl.exe" /grant "everyone":(f)
        5⤵
        
        PID:4308
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\System32\isoburn.exe"
      4⤵
      System Location Discovery: System Language Discovery
      PID:5576
    - - C:\Windows\SysWOW64\takeown.exe
        
        takeown /f "C:\Windows\System32\isoburn.exe"
        5⤵
        
        PID:4680
    - - C:\Windows\SysWOW64\icacls.exe
        
        icacls "C:\Windows\System32\isoburn.exe" /grant "everyone":(f)
        5⤵
        
        PID:1948
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\System32\ktmutil.exe"
      4⤵
      PID:6372
    - - C:\Windows\SysWOW64\takeown.exe
        
        takeown /f "C:\Windows\System32\ktmutil.exe"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:4840
    - - C:\Windows\SysWOW64\icacls.exe
        
        icacls "C:\Windows\System32\ktmutil.exe" /grant "everyone":(f)
        5⤵
        
        PID:5072
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\System32\label.exe"
      4⤵
      PID:6596
    - - C:\Windows\SysWOW64\takeown.exe
        
        takeown /f "C:\Windows\System32\label.exe"
        5⤵
        
        PID:6112
    - - C:\Windows\SysWOW64\icacls.exe
        
        icacls "C:\Windows\System32\label.exe" /grant "everyone":(f)
        5⤵
        Modifies file permissions
        
        PID:4620
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\System32\LaunchTM.exe"
      4⤵
      PID:4188
    - - C:\Windows\SysWOW64\takeown.exe
        
        takeown /f "C:\Windows\System32\LaunchTM.exe"
        5⤵
        
        PID:3784
    - - C:\Windows\SysWOW64\icacls.exe
        
        icacls "C:\Windows\System32\LaunchTM.exe" /grant "everyone":(f)
        5⤵
        Modifies file permissions
        
        PID:4820
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\System32\LaunchWinApp.exe"
      4⤵
      PID:5560
    - - C:\Windows\SysWOW64\takeown.exe
        
        takeown /f "C:\Windows\System32\LaunchWinApp.exe"
        5⤵
        
        PID:5444
    - - C:\Windows\SysWOW64\icacls.exe
        
        icacls "C:\Windows\System32\LaunchWinApp.exe" /grant "everyone":(f)
        5⤵
        
        PID:5596
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\System32\lodctr.exe"
      4⤵
      PID:5124
    - - C:\Windows\SysWOW64\takeown.exe
        
        takeown /f "C:\Windows\System32\lodctr.exe"
        5⤵
        Possible privilege escalation attempt
        
        PID:2932
    - - C:\Windows\SysWOW64\icacls.exe
        
        icacls "C:\Windows\System32\lodctr.exe" /grant "everyone":(f)
        5⤵
        
        PID:2028
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\System32\logagent.exe"
      4⤵
      PID:7036
    - - C:\Windows\SysWOW64\takeown.exe
        
        takeown /f "C:\Windows\System32\logagent.exe"
        5⤵
        
        PID:4716
    - - C:\Windows\SysWOW64\icacls.exe
        
        icacls "C:\Windows\System32\logagent.exe" /grant "everyone":(f)
        5⤵
        
        PID:1928
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\System32\logman.exe"
      4⤵
      PID:6392
    - - C:\Windows\SysWOW64\takeown.exe
        
        takeown /f "C:\Windows\System32\logman.exe"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:6224
    - - C:\Windows\SysWOW64\icacls.exe
        
        icacls "C:\Windows\System32\logman.exe" /grant "everyone":(f)
        5⤵
        
        PID:1964
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\System32\Magnify.exe"
      4⤵
      PID:4240
    - - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        5⤵
        
        PID:2252
    - - C:\Windows\SysWOW64\takeown.exe
        
        takeown /f "C:\Windows\System32\Magnify.exe"
        5⤵
        
        PID:1152
    - - C:\Windows\SysWOW64\icacls.exe
        
        icacls "C:\Windows\System32\Magnify.exe" /grant "everyone":(f)
        5⤵
        
        PID:6520
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\System32\makecab.exe"
      4⤵
      PID:6696
    - - C:\Windows\SysWOW64\takeown.exe
        
        takeown /f "C:\Windows\System32\makecab.exe"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:408
    - - C:\Windows\SysWOW64\icacls.exe
        
        icacls "C:\Windows\System32\makecab.exe" /grant "everyone":(f)
        5⤵
        
        PID:3124
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\System32\mavinject.exe"
      4⤵
      PID:6176
    - - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        5⤵
        
        PID:2740
    - - C:\Windows\SysWOW64\takeown.exe
        
        takeown /f "C:\Windows\System32\mavinject.exe"
        5⤵
        
        PID:6488
    - - C:\Windows\SysWOW64\icacls.exe
        
        icacls "C:\Windows\System32\mavinject.exe" /grant "everyone":(f)
        5⤵
        
        PID:6708
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\System32\mcbuilder.exe"
      4⤵
      PID:1696
    - - C:\Windows\SysWOW64\takeown.exe
        
        takeown /f "C:\Windows\System32\mcbuilder.exe"
        5⤵
        
        PID:1184
    - - C:\Windows\SysWOW64\icacls.exe
        
        icacls "C:\Windows\System32\mcbuilder.exe" /grant "everyone":(f)
        5⤵
        
        PID:3048
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\System32\mfpmp.exe"
      4⤵
      PID:5996
    - - C:\Windows\SysWOW64\takeown.exe
        
        takeown /f "C:\Windows\System32\mfpmp.exe"
        5⤵
        
        PID:116
    - - C:\Windows\SysWOW64\icacls.exe
        
        icacls "C:\Windows\System32\mfpmp.exe" /grant "everyone":(f)
        5⤵
        
        PID:472
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\System32\mmc.exe"
      4⤵
      PID:6936
    - - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        5⤵
        
        PID:4476
    - - C:\Windows\SysWOW64\takeown.exe
        
        takeown /f "C:\Windows\System32\mmc.exe"
        5⤵
        Modifies file permissions
        
        PID:6452
    - - C:\Windows\SysWOW64\icacls.exe
        
        icacls "C:\Windows\System32\mmc.exe" /grant "everyone":(f)
        5⤵
        
        PID:5428
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\System32\mmgaserver.exe"
      4⤵
      PID:6548
    - - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        5⤵
        
        PID:1852
    - - C:\Windows\SysWOW64\takeown.exe
        
        takeown /f "C:\Windows\System32\mmgaserver.exe"
        5⤵
        
        PID:6908
    - - C:\Windows\SysWOW64\icacls.exe
        
        icacls "C:\Windows\System32\mmgaserver.exe" /grant "everyone":(f)
        5⤵
        
        PID:5168
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\System32\mobsync.exe"
      4⤵
      PID:7056
    - - C:\Windows\SysWOW64\takeown.exe
        
        takeown /f "C:\Windows\System32\mobsync.exe"
        5⤵
        
        PID:5916
    - - C:\Windows\SysWOW64\icacls.exe
        
        icacls "C:\Windows\System32\mobsync.exe" /grant "everyone":(f)
        5⤵
        Possible privilege escalation attempt
        
        PID:4684
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\System32\mountvol.exe"
      4⤵
      PID:2612
    - - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        5⤵
        
        PID:2456
    - - C:\Windows\SysWOW64\takeown.exe
        
        takeown /f "C:\Windows\System32\mountvol.exe"
        5⤵
        
        PID:6284
    - - C:\Windows\SysWOW64\icacls.exe
        
        icacls "C:\Windows\System32\mountvol.exe" /grant "everyone":(f)
        5⤵
        
        PID:5252
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\System32\MRINFO.EXE"
      4⤵
      PID:3020
    - - C:\Windows\SysWOW64\takeown.exe
        
        takeown /f "C:\Windows\System32\MRINFO.EXE"
        5⤵
        
        PID:6636
    - - C:\Windows\SysWOW64\icacls.exe
        
        icacls "C:\Windows\System32\MRINFO.EXE" /grant "everyone":(f)
        5⤵
        
        PID:4620
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\System32\msdt.exe"
      4⤵
      PID:5456
    - - C:\Windows\SysWOW64\takeown.exe
        
        takeown /f "C:\Windows\System32\msdt.exe"
        5⤵
        
        PID:6472
    - - C:\Windows\SysWOW64\icacls.exe
        
        icacls "C:\Windows\System32\msdt.exe" /grant "everyone":(f)
        5⤵
        
        PID:4820
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\System32\msfeedssync.exe"
      4⤵
      PID:1960
    - - C:\Windows\SysWOW64\takeown.exe
        
        takeown /f "C:\Windows\System32\msfeedssync.exe"
        5⤵
        
        PID:6924
    - - C:\Windows\SysWOW64\icacls.exe
        
        icacls "C:\Windows\System32\msfeedssync.exe" /grant "everyone":(f)
        5⤵
        
        PID:2848
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\System32\mshta.exe"
      4⤵
      PID:5184
    - - C:\Windows\SysWOW64\takeown.exe
        
        takeown /f "C:\Windows\System32\mshta.exe"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:5988
    - - C:\Windows\SysWOW64\icacls.exe
        
        icacls "C:\Windows\System32\mshta.exe" /grant "everyone":(f)
        5⤵
        
        PID:3704
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\System32\msiexec.exe"
      4⤵
      PID:3620
    - - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        5⤵
        
        PID:3992
    - - C:\Windows\SysWOW64\takeown.exe
        
        takeown /f "C:\Windows\System32\msiexec.exe"
        5⤵
        
        PID:4716
    - - C:\Windows\SysWOW64\icacls.exe
        
        icacls "C:\Windows\System32\msiexec.exe" /grant "everyone":(f)
        5⤵
        
        PID:4892
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\System32\msinfo32.exe"
      4⤵
      PID:6228
    - - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        5⤵
        
        PID:7000
    - - C:\Windows\SysWOW64\takeown.exe
        
        takeown /f "C:\Windows\System32\msinfo32.exe"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:6292
    - - C:\Windows\SysWOW64\icacls.exe
        
        icacls "C:\Windows\System32\msinfo32.exe" /grant "everyone":(f)
        5⤵
        
        PID:1964
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\System32\mspaint.exe"
      4⤵
      PID:5580
    - - C:\Windows\SysWOW64\takeown.exe
        
        takeown /f "C:\Windows\System32\mspaint.exe"
        5⤵
        
        PID:6320
    - - C:\Windows\SysWOW64\icacls.exe
        
        icacls "C:\Windows\System32\mspaint.exe" /grant "everyone":(f)
        5⤵
        
        PID:5152
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\System32\msra.exe"
      4⤵
      PID:5492
    - - C:\Windows\SysWOW64\takeown.exe
        
        takeown /f "C:\Windows\System32\msra.exe"
        5⤵
        
        PID:6848
    - - C:\Windows\SysWOW64\icacls.exe
        
        icacls "C:\Windows\System32\msra.exe" /grant "everyone":(f)
        5⤵
        
        PID:6464
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\System32\mstsc.exe"
      4⤵
      PID:5208
    - - C:\Windows\SysWOW64\takeown.exe
        
        takeown /f "C:\Windows\System32\mstsc.exe"
        5⤵
        
        PID:6732
    - - C:\Windows\SysWOW64\icacls.exe
        
        icacls "C:\Windows\System32\mstsc.exe" /grant "everyone":(f)
        5⤵
        
        PID:6796
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\System32\mtstocom.exe"
      4⤵
      PID:5324
    - - C:\Windows\SysWOW64\takeown.exe
        
        takeown /f "C:\Windows\System32\mtstocom.exe"
        5⤵
        
        PID:6824
    - - C:\Windows\SysWOW64\icacls.exe
        
        icacls "C:\Windows\System32\mtstocom.exe" /grant "everyone":(f)
        5⤵
        
        PID:4316
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\System32\MuiUnattend.exe"
      4⤵
      PID:5944
    - - C:\Windows\SysWOW64\takeown.exe
        
        takeown /f "C:\Windows\System32\MuiUnattend.exe"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:4912
    - - C:\Windows\SysWOW64\icacls.exe
        
        icacls "C:\Windows\System32\MuiUnattend.exe" /grant "everyone":(f)
        5⤵
        
        PID:2016
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\System32\ndadmin.exe"
      4⤵
      PID:3764
    - - C:\Windows\SysWOW64\takeown.exe
        
        takeown /f "C:\Windows\System32\ndadmin.exe"
        5⤵
        
        PID:1384
    - - C:\Windows\SysWOW64\icacls.exe
        
        icacls "C:\Windows\System32\ndadmin.exe" /grant "everyone":(f)
        5⤵
        
        PID:4444
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\System32\net.exe"
      4⤵
      PID:2280
    - - C:\Windows\SysWOW64\takeown.exe
        
        takeown /f "C:\Windows\System32\net.exe"
        5⤵
        
        PID:5012
    - - C:\Windows\SysWOW64\icacls.exe
        
        icacls "C:\Windows\System32\net.exe" /grant "everyone":(f)
        5⤵
        Possible privilege escalation attempt
        
        PID:5780
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\System32\net1.exe"
      4⤵
      PID:4680
    - - C:\Windows\SysWOW64\takeown.exe
        
        takeown /f "C:\Windows\System32\net1.exe"
        5⤵
        
        PID:924
    - - C:\Windows\SysWOW64\icacls.exe
        
        icacls "C:\Windows\System32\net1.exe" /grant "everyone":(f)
        5⤵
        
        PID:5072
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\System32\netbtugc.exe"
      4⤵
      System Location Discovery: System Language Discovery
      PID:6864
    - - C:\Windows\SysWOW64\takeown.exe
        
        takeown /f "C:\Windows\System32\netbtugc.exe"
        5⤵
        
        PID:6372
    - - C:\Windows\SysWOW64\icacls.exe
        
        icacls "C:\Windows\System32\netbtugc.exe" /grant "everyone":(f)
        5⤵
        
        PID:1400
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\System32\NetCfgNotifyObjectHost.exe"
      4⤵
      PID:5316
    - - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        5⤵
        
        PID:3696
    - - C:\Windows\SysWOW64\takeown.exe
        
        takeown /f "C:\Windows\System32\NetCfgNotifyObjectHost.exe"
        5⤵
        
        PID:6112
    - - C:\Windows\SysWOW64\icacls.exe
        
        icacls "C:\Windows\System32\NetCfgNotifyObjectHost.exe" /grant "everyone":(f)
        5⤵
        
        PID:2156
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\System32\netiougc.exe"
      4⤵
      PID:756
    - - C:\Windows\SysWOW64\takeown.exe
        
        takeown /f "C:\Windows\System32\netiougc.exe"
        5⤵
        
        PID:1628
    - - C:\Windows\SysWOW64\icacls.exe
        
        icacls "C:\Windows\System32\netiougc.exe" /grant "everyone":(f)
        5⤵
        
        PID:5872
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\System32\Netplwiz.exe"
      4⤵
      PID:5444
    - - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        5⤵
        
        PID:5680
    - - C:\Windows\SysWOW64\takeown.exe
        
        takeown /f "C:\Windows\System32\Netplwiz.exe"
        5⤵
        
        PID:6624
    - - C:\Windows\SysWOW64\icacls.exe
        
        icacls "C:\Windows\System32\Netplwiz.exe" /grant "everyone":(f)
        5⤵
        
        PID:2028
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\System32\netsh.exe"
      4⤵
      PID:6436
    - - C:\Windows\SysWOW64\takeown.exe
        
        takeown /f "C:\Windows\System32\netsh.exe"
        5⤵
        
        PID:5988
    - - C:\Windows\SysWOW64\icacls.exe
        
        icacls "C:\Windows\System32\netsh.exe" /grant "everyone":(f)
        5⤵
        
        PID:3848
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\System32\NETSTAT.EXE"
      4⤵
      PID:1928
    - - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        5⤵
        
        PID:532
    - - C:\Windows\SysWOW64\takeown.exe
        
        takeown /f "C:\Windows\System32\NETSTAT.EXE"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:7036
    - - C:\Windows\SysWOW64\icacls.exe
        
        icacls "C:\Windows\System32\NETSTAT.EXE" /grant "everyone":(f)
        5⤵
        
        PID:7008
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\System32\newdev.exe"
      4⤵
      PID:7060
    - - C:\Windows\SysWOW64\takeown.exe
        
        takeown /f "C:\Windows\System32\newdev.exe"
        5⤵
        Modifies file permissions
        
        PID:6392
    - - C:\Windows\SysWOW64\icacls.exe
        
        icacls "C:\Windows\System32\newdev.exe" /grant "everyone":(f)
        5⤵
        
        PID:4496
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\System32\notepad.exe"
      4⤵
      PID:1560
    - - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        5⤵
        
        PID:6520
    - - C:\Windows\SysWOW64\takeown.exe
        
        takeown /f "C:\Windows\System32\notepad.exe"
        5⤵
        
        PID:2472
    - - C:\Windows\SysWOW64\icacls.exe
        
        icacls "C:\Windows\System32\notepad.exe" /grant "everyone":(f)
        5⤵
        
        PID:6320
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\System32\nslookup.exe"
      4⤵
      PID:7076
    - - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        5⤵
        
        PID:3124
    - - C:\Windows\SysWOW64\takeown.exe
        
        takeown /f "C:\Windows\System32\nslookup.exe"
        5⤵
        
        PID:5380
    - - C:\Windows\SysWOW64\icacls.exe
        
        icacls "C:\Windows\System32\nslookup.exe" /grant "everyone":(f)
        5⤵
        
        PID:6848
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\System32\ntprint.exe"
      4⤵
      PID:2740
    - - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        5⤵
        
        PID:5636
    - - C:\Windows\SysWOW64\takeown.exe
        
        takeown /f "C:\Windows\System32\ntprint.exe"
        5⤵
        
        PID:7052
    - - C:\Windows\SysWOW64\icacls.exe
        
        icacls "C:\Windows\System32\ntprint.exe" /grant "everyone":(f)
        5⤵
        
        PID:6892
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\System32\odbcad32.exe"
      4⤵
      System Location Discovery: System Language Discovery
      PID:708
    - - C:\Windows\SysWOW64\takeown.exe
        
        takeown /f "C:\Windows\System32\odbcad32.exe"
        5⤵
        
        PID:7108
    - - C:\Windows\SysWOW64\icacls.exe
        
        icacls "C:\Windows\System32\odbcad32.exe" /grant "everyone":(f)
        5⤵
        
        PID:4316
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\System32\odbcconf.exe"
      4⤵
      PID:2068
    - - C:\Windows\SysWOW64\takeown.exe
        
        takeown /f "C:\Windows\System32\odbcconf.exe"
        5⤵
        
        PID:6232
    - - C:\Windows\SysWOW64\icacls.exe
        
        icacls "C:\Windows\System32\odbcconf.exe" /grant "everyone":(f)
        5⤵
        
        PID:3632
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\System32\openfiles.exe"
      4⤵
      System Location Discovery: System Language Discovery
      PID:3056
    - - C:\Windows\SysWOW64\takeown.exe
        
        takeown /f "C:\Windows\System32\openfiles.exe"
        5⤵
        
        PID:2404
    - - C:\Windows\SysWOW64\icacls.exe
        
        icacls "C:\Windows\System32\openfiles.exe" /grant "everyone":(f)
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:4444
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\System32\OpenWith.exe"
      4⤵
      PID:5168
    - - C:\Windows\SysWOW64\takeown.exe
        
        takeown /f "C:\Windows\System32\OpenWith.exe"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:4724
    - - C:\Windows\SysWOW64\icacls.exe
        
        icacls "C:\Windows\System32\OpenWith.exe" /grant "everyone":(f)
        5⤵
        
        PID:4684
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\System32\OposHost.exe"
      4⤵
      PID:4024
    - - C:\Windows\SysWOW64\takeown.exe
        
        takeown /f "C:\Windows\System32\OposHost.exe"
        5⤵
        
        PID:6996
    - - C:\Windows\SysWOW64\icacls.exe
        
        icacls "C:\Windows\System32\OposHost.exe" /grant "everyone":(f)
        5⤵
        
        PID:6284
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\System32\PackagedCWALauncher.exe"
      4⤵
      PID:5828
    - - C:\Windows\SysWOW64\takeown.exe
        
        takeown /f "C:\Windows\System32\PackagedCWALauncher.exe"
        5⤵
        
        PID:6372
    - - C:\Windows\SysWOW64\icacls.exe
        
        icacls "C:\Windows\System32\PackagedCWALauncher.exe" /grant "everyone":(f)
        5⤵
        
        PID:4620
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\System32\PasswordOnWakeSettingFlyout.exe"
      4⤵
      PID:6124
    - - C:\Windows\SysWOW64\takeown.exe
        
        takeown /f "C:\Windows\System32\PasswordOnWakeSettingFlyout.exe"
        5⤵
        
        PID:6004
    - - C:\Windows\SysWOW64\icacls.exe
        
        icacls "C:\Windows\System32\PasswordOnWakeSettingFlyout.exe" /grant "everyone":(f)
        5⤵
        
        PID:2328
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\System32\PATHPING.EXE"
      4⤵
      System Network Configuration Discovery: Internet Connection Discovery
      PID:4820
    - - C:\Windows\SysWOW64\takeown.exe
        
        takeown /f "C:\Windows\System32\PATHPING.EXE"
        5⤵
        
        PID:6168
    - - C:\Windows\SysWOW64\icacls.exe
        
        icacls "C:\Windows\System32\PATHPING.EXE" /grant "everyone":(f)
        5⤵
        
        PID:6432
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\System32\pcaui.exe"
      4⤵
      PID:6924
    - - C:\Windows\SysWOW64\takeown.exe
        
        takeown /f "C:\Windows\System32\pcaui.exe"
        5⤵
        
        PID:2028
    - - C:\Windows\SysWOW64\icacls.exe
        
        icacls "C:\Windows\System32\pcaui.exe" /grant "everyone":(f)
        5⤵
        
        PID:6860
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\System32\perfhost.exe"
      4⤵
      PID:4632
    - - C:\Windows\SysWOW64\takeown.exe
        
        takeown /f "C:\Windows\System32\perfhost.exe"
        5⤵
        
        PID:3848
    - - C:\Windows\SysWOW64\icacls.exe
        
        icacls "C:\Windows\System32\perfhost.exe" /grant "everyone":(f)
        5⤵
        
        PID:4720
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\System32\perfmon.exe"
      4⤵
      PID:2528
    - - C:\Windows\SysWOW64\takeown.exe
        
        takeown /f "C:\Windows\System32\perfmon.exe"
        5⤵
        
        PID:6324
    - - C:\Windows\SysWOW64\icacls.exe
        
        icacls "C:\Windows\System32\perfmon.exe" /grant "everyone":(f)
        5⤵
        
        PID:6756
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\System32\PickerHost.exe"
      4⤵
      PID:6308
    - - C:\Windows\SysWOW64\takeown.exe
        
        takeown /f "C:\Windows\System32\PickerHost.exe"
        5⤵
        
        PID:6832
    - - C:\Windows\SysWOW64\icacls.exe
        
        icacls "C:\Windows\System32\PickerHost.exe" /grant "everyone":(f)
        5⤵
        
        PID:5984
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\System32\PING.EXE"
      4⤵
      System Network Configuration Discovery: Internet Connection Discovery
      PID:400
    - - C:\Windows\SysWOW64\takeown.exe
        
        takeown /f "C:\Windows\System32\PING.EXE"
        5⤵
        
        PID:6708
    - - C:\Windows\SysWOW64\icacls.exe
        
        icacls "C:\Windows\System32\PING.EXE" /grant "everyone":(f)
        5⤵
        
        PID:352
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\System32\PkgMgr.exe"
      4⤵
      PID:6152
    - - C:\Windows\SysWOW64\takeown.exe
        
        takeown /f "C:\Windows\System32\PkgMgr.exe"
        5⤵
        
        PID:4856
    - - C:\Windows\SysWOW64\icacls.exe
        
        icacls "C:\Windows\System32\PkgMgr.exe" /grant "everyone":(f)
        5⤵
        
        PID:4896
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\System32\poqexec.exe"
      4⤵
      PID:7096
    - - C:\Windows\SysWOW64\takeown.exe
        
        takeown /f "C:\Windows\System32\poqexec.exe"
        5⤵
        
        PID:6892
    - - C:\Windows\SysWOW64\icacls.exe
        
        icacls "C:\Windows\System32\poqexec.exe" /grant "everyone":(f)
        5⤵
        
        PID:6384
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\System32\powercfg.exe"
      4⤵
      Power Settings
      PID:4664
    - - C:\Windows\SysWOW64\takeown.exe
        
        takeown /f "C:\Windows\System32\powercfg.exe"
        5⤵
        Modifies file permissions
        Power Settings
        
        PID:4316
    - - C:\Windows\SysWOW64\icacls.exe
        
        icacls "C:\Windows\System32\powercfg.exe" /grant "everyone":(f)
        5⤵
        Power Settings
        
        PID:3496
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\System32\PresentationHost.exe"
      4⤵
      PID:6576
    - - C:\Windows\SysWOW64\takeown.exe
        
        takeown /f "C:\Windows\System32\PresentationHost.exe"
        5⤵
        
        PID:3632
    - - C:\Windows\SysWOW64\icacls.exe
        
        icacls "C:\Windows\System32\PresentationHost.exe" /grant "everyone":(f)
        5⤵
        
        PID:1948
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\System32\prevhost.exe"
      4⤵
      PID:4444
    - - C:\Windows\SysWOW64\takeown.exe
        
        takeown /f "C:\Windows\System32\prevhost.exe"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:4308
    - - C:\Windows\SysWOW64\icacls.exe
        
        icacls "C:\Windows\System32\prevhost.exe" /grant "everyone":(f)
        5⤵
        Possible privilege escalation attempt
        
        PID:5012
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\System32\print.exe"
      4⤵
      PID:3088
    - - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        5⤵
        
        PID:2280
    - - C:\Windows\SysWOW64\takeown.exe
        
        takeown /f "C:\Windows\System32\print.exe"
        5⤵
        
        PID:1492
    - - C:\Windows\SysWOW64\icacls.exe
        
        icacls "C:\Windows\System32\print.exe" /grant "everyone":(f)
        5⤵
        
        PID:5072
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\System32\printui.exe"
      4⤵
      PID:4212
    - - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        5⤵
        
        PID:4744
    - - C:\Windows\SysWOW64\takeown.exe
        
        takeown /f "C:\Windows\System32\printui.exe"
        5⤵
        
        PID:6280
    - - C:\Windows\SysWOW64\icacls.exe
        
        icacls "C:\Windows\System32\printui.exe" /grant "everyone":(f)
        5⤵
        
        PID:60
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\System32\proquota.exe"
      4⤵
      PID:4620
    - - C:\Windows\SysWOW64\takeown.exe
        
        takeown /f "C:\Windows\System32\proquota.exe"
        5⤵
        
        PID:5792
    - - C:\Windows\SysWOW64\icacls.exe
        
        icacls "C:\Windows\System32\proquota.exe" /grant "everyone":(f)
        5⤵
        Possible privilege escalation attempt
        
        PID:3356
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\System32\provlaunch.exe"
      4⤵
      PID:2328
    - - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        5⤵
        
        PID:6112
    - - C:\Windows\SysWOW64\takeown.exe
        
        takeown /f "C:\Windows\System32\provlaunch.exe"
        5⤵
        
        PID:1820
    - - C:\Windows\SysWOW64\icacls.exe
        
        icacls "C:\Windows\System32\provlaunch.exe" /grant "everyone":(f)
        5⤵
        
        PID:6612
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\System32\psr.exe"
      4⤵
      PID:4604
    - - C:\Windows\SysWOW64\takeown.exe
        
        takeown /f "C:\Windows\System32\psr.exe"
        5⤵
        
        PID:5560
    - - C:\Windows\SysWOW64\icacls.exe
        
        icacls "C:\Windows\System32\psr.exe" /grant "everyone":(f)
        5⤵
        
        PID:6420
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\System32\quickassist.exe"
      4⤵
      PID:6624
    - - C:\Windows\SysWOW64\takeown.exe
        
        takeown /f "C:\Windows\System32\quickassist.exe"
        5⤵
        
        PID:392
    - - C:\Windows\SysWOW64\icacls.exe
        
        icacls "C:\Windows\System32\quickassist.exe" /grant "everyone":(f)
        5⤵
        
        PID:6212
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\System32\rasautou.exe"
      4⤵
      PID:5184
    - - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        5⤵
        
        PID:3620
    - - C:\Windows\SysWOW64\takeown.exe
        
        takeown /f "C:\Windows\System32\rasautou.exe"
        5⤵
        
        PID:7008
    - - C:\Windows\SysWOW64\icacls.exe
        
        icacls "C:\Windows\System32\rasautou.exe" /grant "everyone":(f)
        5⤵
        
        PID:920
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\System32\rasdial.exe"
      4⤵
      PID:6324
    - - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        5⤵
        
        PID:6228
    - - C:\Windows\SysWOW64\takeown.exe
        
        takeown /f "C:\Windows\System32\rasdial.exe"
        5⤵
        
        PID:4172
    - - C:\Windows\SysWOW64\icacls.exe
        
        icacls "C:\Windows\System32\rasdial.exe" /grant "everyone":(f)
        5⤵
        
        PID:6308
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\System32\raserver.exe"
      4⤵
      PID:7060
    - - C:\Windows\SysWOW64\takeown.exe
        
        takeown /f "C:\Windows\System32\raserver.exe"
        5⤵
        
        PID:2472
    - - C:\Windows\SysWOW64\icacls.exe
        
        icacls "C:\Windows\System32\raserver.exe" /grant "everyone":(f)
        5⤵
        
        PID:408
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\System32\rasphone.exe"
      4⤵
      PID:352
    - - C:\Windows\SysWOW64\takeown.exe
        
        takeown /f "C:\Windows\System32\rasphone.exe"
        5⤵
        
        PID:5380
    - - C:\Windows\SysWOW64\icacls.exe
        
        icacls "C:\Windows\System32\rasphone.exe" /grant "everyone":(f)
        5⤵
        
        PID:4856
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\System32\RdpSa.exe"
      4⤵
      PID:3124
    - - C:\Windows\SysWOW64\takeown.exe
        
        takeown /f "C:\Windows\System32\RdpSa.exe"
        5⤵
        
        PID:3572
    - - C:\Windows\SysWOW64\icacls.exe
        
        icacls "C:\Windows\System32\RdpSa.exe" /grant "everyone":(f)
        5⤵
        
        PID:7096
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\System32\RdpSaProxy.exe"
      4⤵
      PID:6488
    - - C:\Windows\SysWOW64\takeown.exe
        
        takeown /f "C:\Windows\System32\RdpSaProxy.exe"
        5⤵
        
        PID:5288
    - - C:\Windows\SysWOW64\icacls.exe
        
        icacls "C:\Windows\System32\RdpSaProxy.exe" /grant "everyone":(f)
        5⤵
        
        PID:1184
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\System32\RdpSaUacHelper.exe"
      4⤵
      PID:2068
    - - C:\Windows\SysWOW64\takeown.exe
        
        takeown /f "C:\Windows\System32\RdpSaUacHelper.exe"
        5⤵
        Possible privilege escalation attempt
        
        PID:116
    - - C:\Windows\SysWOW64\icacls.exe
        
        icacls "C:\Windows\System32\RdpSaUacHelper.exe" /grant "everyone":(f)
        5⤵
        
        PID:5200
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\System32\rdrleakdiag.exe"
      4⤵
      PID:948
    - - C:\Windows\SysWOW64\takeown.exe
        
        takeown /f "C:\Windows\System32\rdrleakdiag.exe"
        5⤵
        
        PID:4296
    - - C:\Windows\SysWOW64\icacls.exe
        
        icacls "C:\Windows\System32\rdrleakdiag.exe" /grant "everyone":(f)
        5⤵
        
        PID:4444
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\System32\ReAgentc.exe"
      4⤵
      PID:2840
    - - C:\Windows\SysWOW64\takeown.exe
        
        takeown /f "C:\Windows\System32\ReAgentc.exe"
        5⤵
        
        PID:4512
    - - C:\Windows\SysWOW64\icacls.exe
        
        icacls "C:\Windows\System32\ReAgentc.exe" /grant "everyone":(f)
        5⤵
        
        PID:1492
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\System32\recover.exe"
      4⤵
      PID:5112
    - - C:\Windows\SysWOW64\takeown.exe
        
        takeown /f "C:\Windows\System32\recover.exe"
        5⤵
        
        PID:2612
    - - C:\Windows\SysWOW64\icacls.exe
        
        icacls "C:\Windows\System32\recover.exe" /grant "everyone":(f)
        5⤵
        
        PID:4212
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\System32\reg.exe"
      4⤵
      PID:6996
    - - C:\Windows\SysWOW64\takeown.exe
        
        takeown /f "C:\Windows\System32\reg.exe"
        5⤵
        
        PID:5624
    - - C:\Windows\SysWOW64\icacls.exe
        
        icacls "C:\Windows\System32\reg.exe" /grant "everyone":(f)
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:1512
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\System32\regedit.exe"
      4⤵
      PID:4840
    - - C:\Windows\SysWOW64\takeown.exe
        
        takeown /f "C:\Windows\System32\regedit.exe"
        5⤵
        
        PID:6612
    - - C:\Windows\SysWOW64\icacls.exe
        
        icacls "C:\Windows\System32\regedit.exe" /grant "everyone":(f)
        5⤵
        
        PID:3696
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\System32\regedt32.exe"
      4⤵
      PID:6188
    - - C:\Windows\SysWOW64\takeown.exe
        
        takeown /f "C:\Windows\System32\regedt32.exe"
        5⤵
        
        PID:5816
    - - C:\Windows\SysWOW64\icacls.exe
        
        icacls "C:\Windows\System32\regedt32.exe" /grant "everyone":(f)
        5⤵
        Modifies file permissions
        
        PID:5560
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\System32\regini.exe"
      4⤵
      PID:2144
    - - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        5⤵
        
        PID:6924
    - - C:\Windows\SysWOW64\takeown.exe
        
        takeown /f "C:\Windows\System32\regini.exe"
        5⤵
        
        PID:5880
    - - C:\Windows\SysWOW64\icacls.exe
        
        icacls "C:\Windows\System32\regini.exe" /grant "everyone":(f)
        5⤵
        
        PID:6436
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\System32\Register-CimProvider.exe"
      4⤵
      PID:4632
    - - C:\Windows\SysWOW64\takeown.exe
        
        takeown /f "C:\Windows\System32\Register-CimProvider.exe"
        5⤵
        
        PID:1172
    - - C:\Windows\SysWOW64\icacls.exe
        
        icacls "C:\Windows\System32\Register-CimProvider.exe" /grant "everyone":(f)
        5⤵
        
        PID:1348
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\System32\regsvr32.exe"
      4⤵
      PID:1928
    - - C:\Windows\SysWOW64\takeown.exe
        
        takeown /f "C:\Windows\System32\regsvr32.exe"
        5⤵
        
        PID:5704
    - - C:\Windows\SysWOW64\icacls.exe
        
        icacls "C:\Windows\System32\regsvr32.exe" /grant "everyone":(f)
        5⤵
        
        PID:920
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\System32\rekeywiz.exe"
      4⤵
      PID:6392
    - - C:\Windows\SysWOW64\takeown.exe
        
        takeown /f "C:\Windows\System32\rekeywiz.exe"
        5⤵
        
        PID:5580
    - - C:\Windows\SysWOW64\icacls.exe
        
        icacls "C:\Windows\System32\rekeywiz.exe" /grant "everyone":(f)
        5⤵
        
        PID:6308
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\System32\relog.exe"
      4⤵
      PID:1560
    - - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        5⤵
        
        PID:4796
    - - C:\Windows\SysWOW64\takeown.exe
        
        takeown /f "C:\Windows\System32\relog.exe"
        5⤵
        
        PID:1028
    - - C:\Windows\SysWOW64\icacls.exe
        
        icacls "C:\Windows\System32\relog.exe" /grant "everyone":(f)
        5⤵
        
        PID:2472
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\System32\replace.exe"
      4⤵
      PID:3732
    - - C:\Windows\SysWOW64\takeown.exe
        
        takeown /f "C:\Windows\System32\replace.exe"
        5⤵
        
        PID:5492
    - - C:\Windows\SysWOW64\icacls.exe
        
        icacls "C:\Windows\System32\replace.exe" /grant "everyone":(f)
        5⤵
        
        PID:5380
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\System32\resmon.exe"
      4⤵
      PID:6176
    - - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        5⤵
        
        PID:6892
    - - C:\Windows\SysWOW64\takeown.exe
        
        takeown /f "C:\Windows\System32\resmon.exe"
        5⤵
        
        PID:2740
    - - C:\Windows\SysWOW64\icacls.exe
        
        icacls "C:\Windows\System32\resmon.exe" /grant "everyone":(f)
        5⤵
        
        PID:3572
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\System32\RMActivate.exe"
      4⤵
      PID:4492
    - - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        5⤵
        
        PID:5996
    - - C:\Windows\SysWOW64\takeown.exe
        
        takeown /f "C:\Windows\System32\RMActivate.exe"
        5⤵
        
        PID:708
    - - C:\Windows\SysWOW64\icacls.exe
        
        icacls "C:\Windows\System32\RMActivate.exe" /grant "everyone":(f)
        5⤵
        
        PID:5288
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\System32\RMActivate_isv.exe"
      4⤵
      PID:2652
    - - C:\Windows\SysWOW64\takeown.exe
        
        takeown /f "C:\Windows\System32\RMActivate_isv.exe"
        5⤵
        
        PID:4652
    - - C:\Windows\SysWOW64\icacls.exe
        
        icacls "C:\Windows\System32\RMActivate_isv.exe" /grant "everyone":(f)
        5⤵
        
        PID:3632
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\System32\RMActivate_ssp.exe"
      4⤵
      PID:2404
    - - C:\Windows\SysWOW64\takeown.exe
        
        takeown /f "C:\Windows\System32\RMActivate_ssp.exe"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:4572
    - - C:\Windows\SysWOW64\icacls.exe
        
        icacls "C:\Windows\System32\RMActivate_ssp.exe" /grant "everyone":(f)
        5⤵
        
        PID:6908
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\System32\RMActivate_ssp_isv.exe"
      4⤵
      System Location Discovery: System Language Discovery
      PID:6440
    - - C:\Windows\SysWOW64\takeown.exe
        
        takeown /f "C:\Windows\System32\RMActivate_ssp_isv.exe"
        5⤵
        
        PID:4336
    - - C:\Windows\SysWOW64\icacls.exe
        
        icacls "C:\Windows\System32\RMActivate_ssp_isv.exe" /grant "everyone":(f)
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:4568
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\System32\RmClient.exe"
      4⤵
      PID:4416
    - - C:\Windows\SysWOW64\takeown.exe
        
        takeown /f "C:\Windows\System32\RmClient.exe"
        5⤵
        
        PID:5112
    - - C:\Windows\SysWOW64\icacls.exe
        
        icacls "C:\Windows\System32\RmClient.exe" /grant "everyone":(f)
        5⤵
        
        PID:5072
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\System32\Robocopy.exe"
      4⤵
      PID:1660
    - - C:\Windows\SysWOW64\takeown.exe
        
        takeown /f "C:\Windows\System32\Robocopy.exe"
        5⤵
        
        PID:5792
    - - C:\Windows\SysWOW64\icacls.exe
        
        icacls "C:\Windows\System32\Robocopy.exe" /grant "everyone":(f)
        5⤵
        
        PID:3356
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\System32\ROUTE.EXE"
      4⤵
      PID:6124
    - - C:\Windows\SysWOW64\takeown.exe
        
        takeown /f "C:\Windows\System32\ROUTE.EXE"
        5⤵
        
        PID:6156
    - - C:\Windows\SysWOW64\icacls.exe
        
        icacls "C:\Windows\System32\ROUTE.EXE" /grant "everyone":(f)
        5⤵
        
        PID:5596
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\System32\RpcPing.exe"
      4⤵
      System Network Configuration Discovery: Internet Connection Discovery
      PID:6472
    - - C:\Windows\SysWOW64\takeown.exe
        
        takeown /f "C:\Windows\System32\RpcPing.exe"
        5⤵
        
        PID:4436
    - - C:\Windows\SysWOW64\icacls.exe
        
        icacls "C:\Windows\System32\RpcPing.exe" /grant "everyone":(f)
        5⤵
        
        PID:5560
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\System32\rrinstaller.exe"
      4⤵
      PID:4716
    - - C:\Windows\SysWOW64\takeown.exe
        
        takeown /f "C:\Windows\System32\rrinstaller.exe"
        5⤵
        
        PID:6592
    - - C:\Windows\SysWOW64\icacls.exe
        
        icacls "C:\Windows\System32\rrinstaller.exe" /grant "everyone":(f)
        5⤵
        
        PID:6436
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\System32\runas.exe"
      4⤵
      Access Token Manipulation: Create Process with Token
      PID:4720
    - - C:\Windows\SysWOW64\takeown.exe
        
        takeown /f "C:\Windows\System32\runas.exe"
        5⤵
        
        PID:6624
    - - C:\Windows\SysWOW64\icacls.exe
        
        icacls "C:\Windows\System32\runas.exe" /grant "everyone":(f)
        5⤵
        
        PID:6292
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\System32\rundll32.exe"
      4⤵
      PID:7008
    - - C:\Windows\SysWOW64\takeown.exe
        
        takeown /f "C:\Windows\System32\rundll32.exe"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:5372
    - - C:\Windows\SysWOW64\icacls.exe
        
        icacls "C:\Windows\System32\rundll32.exe" /grant "everyone":(f)
        5⤵
        
        PID:6664
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\System32\RunLegacyCPLElevated.exe"
      4⤵
      PID:5516
    - - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        5⤵
        
        PID:4172
    - - C:\Windows\SysWOW64\takeown.exe
        
        takeown /f "C:\Windows\System32\RunLegacyCPLElevated.exe"
        5⤵
        
        PID:5464
    - - C:\Windows\SysWOW64\icacls.exe
        
        icacls "C:\Windows\System32\RunLegacyCPLElevated.exe" /grant "everyone":(f)
        5⤵
        
        PID:6308
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\System32\runonce.exe"
      4⤵
      PID:1028
    - - C:\Windows\SysWOW64\takeown.exe
        
        takeown /f "C:\Windows\System32\runonce.exe"
        5⤵
        
        PID:3956
    - - C:\Windows\SysWOW64\icacls.exe
        
        icacls "C:\Windows\System32\runonce.exe" /grant "everyone":(f)
        5⤵
        
        PID:4896
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\System32\sc.exe"
      4⤵
      PID:6824
    - - C:\Windows\SysWOW64\takeown.exe
        
        takeown /f "C:\Windows\System32\sc.exe"
        5⤵
        
        PID:6708
    - - C:\Windows\SysWOW64\icacls.exe
        
        icacls "C:\Windows\System32\sc.exe" /grant "everyone":(f)
        5⤵
        
        PID:6384
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\System32\schtasks.exe"
      4⤵
      PID:7108
    - - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        5⤵
        
        PID:5340
    - - C:\Windows\SysWOW64\takeown.exe
        
        takeown /f "C:\Windows\System32\schtasks.exe"
        5⤵
        
        PID:3776
    - - C:\Windows\SysWOW64\icacls.exe
        
        icacls "C:\Windows\System32\schtasks.exe" /grant "everyone":(f)
        5⤵
        
        PID:6452
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\System32\sdbinst.exe"
      4⤵
      PID:2916
    - - C:\Windows\SysWOW64\takeown.exe
        
        takeown /f "C:\Windows\System32\sdbinst.exe"
        5⤵
        
        PID:900
    - - C:\Windows\SysWOW64\icacls.exe
        
        icacls "C:\Windows\System32\sdbinst.exe" /grant "everyone":(f)
        5⤵
        
        PID:5944
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\System32\sdchange.exe"
      4⤵
      PID:6232
    - - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        5⤵
        
        PID:3764
    - - C:\Windows\SysWOW64\takeown.exe
        
        takeown /f "C:\Windows\System32\sdchange.exe"
        5⤵
        
        PID:6500
    - - C:\Windows\SysWOW64\icacls.exe
        
        icacls "C:\Windows\System32\sdchange.exe" /grant "everyone":(f)
        5⤵
        
        PID:1384
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\System32\sdiagnhost.exe"
      4⤵
      PID:4444
    - - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        5⤵
        
        PID:5168
    - - C:\Windows\SysWOW64\takeown.exe
        
        takeown /f "C:\Windows\System32\sdiagnhost.exe"
        5⤵
        
        PID:4572
    - - C:\Windows\SysWOW64\icacls.exe
        
        icacls "C:\Windows\System32\sdiagnhost.exe" /grant "everyone":(f)
        5⤵
        
        PID:4724
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\System32\SearchFilterHost.exe"
      4⤵
      PID:4512
    - - C:\Windows\SysWOW64\takeown.exe
        
        takeown /f "C:\Windows\System32\SearchFilterHost.exe"
        5⤵
        
        PID:5576
    - - C:\Windows\SysWOW64\icacls.exe
        
        icacls "C:\Windows\System32\SearchFilterHost.exe" /grant "everyone":(f)
        5⤵
        
        PID:4568
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\System32\SearchIndexer.exe"
      4⤵
      PID:5828
    - - C:\Windows\SysWOW64\takeown.exe
        
        takeown /f "C:\Windows\System32\SearchIndexer.exe"
        5⤵
        Modifies file permissions
        
        PID:6284
    - - C:\Windows\SysWOW64\icacls.exe
        
        icacls "C:\Windows\System32\SearchIndexer.exe" /grant "everyone":(f)
        5⤵
        
        PID:5112
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\System32\SearchProtocolHost.exe"
      4⤵
      PID:1512
    - - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        5⤵
        
        PID:6004
    - - C:\Windows\SysWOW64\takeown.exe
        
        takeown /f "C:\Windows\System32\SearchProtocolHost.exe"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:1660
    - - C:\Windows\SysWOW64\icacls.exe
        
        icacls "C:\Windows\System32\SearchProtocolHost.exe" /grant "everyone":(f)
        5⤵
        
        PID:3020
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\System32\SecEdit.exe"
      4⤵
      PID:3696
    - - C:\Windows\SysWOW64\takeown.exe
        
        takeown /f "C:\Windows\System32\SecEdit.exe"
        5⤵
        
        PID:2820
    - - C:\Windows\SysWOW64\icacls.exe
        
        icacls "C:\Windows\System32\SecEdit.exe" /grant "everyone":(f)
        5⤵
        
        PID:6156
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\System32\secinit.exe"
      4⤵
      PID:2848
    - - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        5⤵
        
        PID:1960
    - - C:\Windows\SysWOW64\takeown.exe
        
        takeown /f "C:\Windows\System32\secinit.exe"
        5⤵
        
        PID:4436
    - - C:\Windows\SysWOW64\icacls.exe
        
        icacls "C:\Windows\System32\secinit.exe" /grant "everyone":(f)
        5⤵
        
        PID:2932
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\System32\sethc.exe"
      4⤵
      PID:6916
    - - C:\Windows\SysWOW64\takeown.exe
        
        takeown /f "C:\Windows\System32\sethc.exe"
        5⤵
        
        PID:2528
    - - C:\Windows\SysWOW64\icacls.exe
        
        icacls "C:\Windows\System32\sethc.exe" /grant "everyone":(f)
        5⤵
        
        PID:6436
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\System32\SettingSyncHost.exe"
      4⤵
      PID:1348
    - - C:\Windows\SysWOW64\takeown.exe
        
        takeown /f "C:\Windows\System32\SettingSyncHost.exe"
        5⤵
        
        PID:6160
    - - C:\Windows\SysWOW64\icacls.exe
        
        icacls "C:\Windows\System32\SettingSyncHost.exe" /grant "everyone":(f)
        5⤵
        
        PID:6292
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\System32\setup16.exe"
      4⤵
      System Location Discovery: System Language Discovery
      PID:920
    - - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        5⤵
        
        PID:5984
    - - C:\Windows\SysWOW64\takeown.exe
        
        takeown /f "C:\Windows\System32\setup16.exe"
        5⤵
        
        PID:6520
    - - C:\Windows\SysWOW64\icacls.exe
        
        icacls "C:\Windows\System32\setup16.exe" /grant "everyone":(f)
        5⤵
        
        PID:6664
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\System32\setupugc.exe"
      4⤵
      PID:2216
    - - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        5⤵
        
        PID:7076
    - - C:\Windows\SysWOW64\takeown.exe
        
        takeown /f "C:\Windows\System32\setupugc.exe"
        5⤵
        
        PID:6552
    - - C:\Windows\SysWOW64\icacls.exe
        
        icacls "C:\Windows\System32\setupugc.exe" /grant "everyone":(f)
        5⤵
        Possible privilege escalation attempt
        
        PID:6308
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\System32\setx.exe"
      4⤵
      PID:7052
    - - C:\Windows\SysWOW64\takeown.exe
        
        takeown /f "C:\Windows\System32\setx.exe"
        5⤵
        
        PID:4856
    - - C:\Windows\SysWOW64\icacls.exe
        
        icacls "C:\Windows\System32\setx.exe" /grant "everyone":(f)
        5⤵
        
        PID:4896
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\System32\sfc.exe"
      4⤵
      PID:4508
    - - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        5⤵
        
        PID:2876
    - - C:\Windows\SysWOW64\takeown.exe
        
        takeown /f "C:\Windows\System32\sfc.exe"
        5⤵
        
        PID:6708
    - - C:\Windows\SysWOW64\icacls.exe
        
        icacls "C:\Windows\System32\sfc.exe" /grant "everyone":(f)
        5⤵
        Possible privilege escalation attempt
        
        PID:4664
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\System32\shrpubw.exe"
      4⤵
      PID:5324
    - - C:\Windows\SysWOW64\takeown.exe
        
        takeown /f "C:\Windows\System32\shrpubw.exe"
        5⤵
        
        PID:1184
    - - C:\Windows\SysWOW64\icacls.exe
        
        icacls "C:\Windows\System32\shrpubw.exe" /grant "everyone":(f)
        5⤵
        
        PID:6904
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\System32\shutdown.exe"
      4⤵
      PID:6912
    - - C:\Windows\SysWOW64\takeown.exe
        
        takeown /f "C:\Windows\System32\shutdown.exe"
        5⤵
        
        PID:6492
    - - C:\Windows\SysWOW64\icacls.exe
        
        icacls "C:\Windows\System32\shutdown.exe" /grant "everyone":(f)
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:6936
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\System32\SndVol.exe"
      4⤵
      PID:6800
    - - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        5⤵
        
        PID:2652
    - - C:\Windows\SysWOW64\takeown.exe
        
        takeown /f "C:\Windows\System32\SndVol.exe"
        5⤵
        
        PID:948
    - - C:\Windows\SysWOW64\icacls.exe
        
        icacls "C:\Windows\System32\SndVol.exe" /grant "everyone":(f)
        5⤵
        Modifies file permissions
        
        PID:1396
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\System32\sort.exe"
      4⤵
      PID:6548
    - - C:\Windows\SysWOW64\takeown.exe
        
        takeown /f "C:\Windows\System32\sort.exe"
        5⤵
        
        PID:1492
    - - C:\Windows\SysWOW64\icacls.exe
        
        icacls "C:\Windows\System32\sort.exe" /grant "everyone":(f)
        5⤵
        
        PID:6632
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\System32\SpatialAudioLicenseSrv.exe"
      4⤵
      PID:5308
    - - C:\Windows\SysWOW64\takeown.exe
        
        takeown /f "C:\Windows\System32\SpatialAudioLicenseSrv.exe"
        5⤵
        
        PID:2280
    - - C:\Windows\SysWOW64\icacls.exe
        
        icacls "C:\Windows\System32\SpatialAudioLicenseSrv.exe" /grant "everyone":(f)
        5⤵
        
        PID:4620
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\System32\Speech_OneCore\Common\SpeechModelDownload.exe"
      4⤵
      PID:3616
    - - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        5⤵
        
        PID:7124
    - - C:\Windows\SysWOW64\takeown.exe
        
        takeown /f "C:\Windows\System32\Speech_OneCore\Common\SpeechModelDownload.exe"
        5⤵
        
        PID:2156
    - - C:\Windows\SysWOW64\icacls.exe
        
        icacls "C:\Windows\System32\Speech_OneCore\Common\SpeechModelDownload.exe" /grant "everyone":(f)
        5⤵
        
        PID:5792
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\System32\srdelayed.exe"
      4⤵
      PID:7132
    - - C:\Windows\SysWOW64\takeown.exe
        
        takeown /f "C:\Windows\System32\srdelayed.exe"
        5⤵
        
        PID:3020
    - - C:\Windows\SysWOW64\icacls.exe
        
        icacls "C:\Windows\System32\srdelayed.exe" /grant "everyone":(f)
        5⤵
        
        PID:4840
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\System32\stordiag.exe"
      4⤵
      PID:5872
    - - C:\Windows\SysWOW64\takeown.exe
        
        takeown /f "C:\Windows\System32\stordiag.exe"
        5⤵
        
        PID:4820
    - - C:\Windows\SysWOW64\icacls.exe
        
        icacls "C:\Windows\System32\stordiag.exe" /grant "everyone":(f)
        5⤵
        
        PID:3744
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\System32\subst.exe"
      4⤵
      System Location Discovery: System Language Discovery
      PID:3964
    - - C:\Windows\SysWOW64\takeown.exe
        
        takeown /f "C:\Windows\System32\subst.exe"
        5⤵
        
        PID:6432
    - - C:\Windows\SysWOW64\icacls.exe
        
        icacls "C:\Windows\System32\subst.exe" /grant "everyone":(f)
        5⤵
        Modifies file permissions
        
        PID:6592
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\System32\svchost.exe"
      4⤵
      PID:532
    - - C:\Windows\SysWOW64\takeown.exe
        
        takeown /f "C:\Windows\System32\svchost.exe"
        5⤵
        
        PID:4632
    - - C:\Windows\SysWOW64\icacls.exe
        
        icacls "C:\Windows\System32\svchost.exe" /grant "everyone":(f)
        5⤵
        
        PID:6436
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\System32\sxstrace.exe"
      4⤵
      PID:1348
    - - C:\Windows\SysWOW64\takeown.exe
        
        takeown /f "C:\Windows\System32\sxstrace.exe"
        5⤵
        
        PID:2184
    - - C:\Windows\SysWOW64\icacls.exe
        
        icacls "C:\Windows\System32\sxstrace.exe" /grant "everyone":(f)
        5⤵
        
        PID:6756
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\System32\SyncHost.exe"
      4⤵
      PID:7060
    - - C:\Windows\SysWOW64\takeown.exe
        
        takeown /f "C:\Windows\System32\SyncHost.exe"
        5⤵
        
        PID:484
    - - C:\Windows\SysWOW64\icacls.exe
        
        icacls "C:\Windows\System32\SyncHost.exe" /grant "everyone":(f)
        5⤵
        
        PID:6152
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\System32\systeminfo.exe"
      4⤵
      PID:4856
    - - C:\Windows\SysWOW64\takeown.exe
        
        takeown /f "C:\Windows\System32\systeminfo.exe"
        5⤵
        
        PID:6732
    - - C:\Windows\SysWOW64\icacls.exe
        
        icacls "C:\Windows\System32\systeminfo.exe" /grant "everyone":(f)
        5⤵
        
        PID:6824
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\System32\SystemPropertiesAdvanced.exe"
      4⤵
      PID:1796
    - - C:\Windows\SysWOW64\takeown.exe
        
        takeown /f "C:\Windows\System32\SystemPropertiesAdvanced.exe"
        5⤵
        
        PID:3632
    - - C:\Windows\SysWOW64\icacls.exe
        
        icacls "C:\Windows\System32\SystemPropertiesAdvanced.exe" /grant "everyone":(f)
        5⤵
        
        PID:3428
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\System32\SystemPropertiesComputerName.exe"
      4⤵
      PID:708
    - - C:\Windows\SysWOW64\takeown.exe
        
        takeown /f "C:\Windows\System32\SystemPropertiesComputerName.exe"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:4652
    - - C:\Windows\SysWOW64\icacls.exe
        
        icacls "C:\Windows\System32\SystemPropertiesComputerName.exe" /grant "everyone":(f)
        5⤵
        
        PID:2716
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\System32\SystemPropertiesDataExecutionPrevention.exe"
      4⤵
      PID:4308
    - - C:\Windows\SysWOW64\takeown.exe
        
        takeown /f "C:\Windows\System32\SystemPropertiesDataExecutionPrevention.exe"
        5⤵
        
        PID:6440
    - - C:\Windows\SysWOW64\icacls.exe
        
        icacls "C:\Windows\System32\SystemPropertiesDataExecutionPrevention.exe" /grant "everyone":(f)
        5⤵
        
        PID:6284
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\System32\SystemPropertiesHardware.exe"
      4⤵
      PID:5828
    - - C:\Windows\SysWOW64\takeown.exe
        
        takeown /f "C:\Windows\System32\SystemPropertiesHardware.exe"
        5⤵
        
        PID:1628
    - - C:\Windows\SysWOW64\icacls.exe
        
        icacls "C:\Windows\System32\SystemPropertiesHardware.exe" /grant "everyone":(f)
        5⤵
        
        PID:6352
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\System32\SystemPropertiesPerformance.exe"
      4⤵
      PID:7132
    - - C:\Windows\SysWOW64\takeown.exe
        
        takeown /f "C:\Windows\System32\SystemPropertiesPerformance.exe"
        5⤵
        
        PID:5136
    - - C:\Windows\SysWOW64\icacls.exe
        
        icacls "C:\Windows\System32\SystemPropertiesPerformance.exe" /grant "everyone":(f)
        5⤵
        
        PID:3696
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\System32\SystemPropertiesProtection.exe"
      4⤵
      PID:468
    - - C:\Windows\SysWOW64\takeown.exe
        
        takeown /f "C:\Windows\System32\SystemPropertiesProtection.exe"
        5⤵
        
        PID:7036
    - - C:\Windows\SysWOW64\icacls.exe
        
        icacls "C:\Windows\System32\SystemPropertiesProtection.exe" /grant "everyone":(f)
        5⤵
        
        PID:6924
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\System32\SystemPropertiesRemote.exe"
      4⤵
      PID:2848
    - - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        5⤵
        
        PID:6484
    - - C:\Windows\SysWOW64\takeown.exe
        
        takeown /f "C:\Windows\System32\SystemPropertiesRemote.exe"
        5⤵
        
        PID:3036
    - - C:\Windows\SysWOW64\icacls.exe
        
        icacls "C:\Windows\System32\SystemPropertiesRemote.exe" /grant "everyone":(f)
        5⤵
        
        PID:3840
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\System32\SystemUWPLauncher.exe"
      4⤵
      PID:4136
    - - C:\Windows\SysWOW64\takeown.exe
        
        takeown /f "C:\Windows\System32\SystemUWPLauncher.exe"
        5⤵
        
        PID:3068
    - - C:\Windows\SysWOW64\icacls.exe
        
        icacls "C:\Windows\System32\SystemUWPLauncher.exe" /grant "everyone":(f)
        5⤵
        
        PID:6376
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\System32\systray.exe"
      4⤵
      PID:3488
    - - C:\Windows\SysWOW64\takeown.exe
        
        takeown /f "C:\Windows\System32\systray.exe"
        5⤵
        
        PID:236
    - - C:\Windows\SysWOW64\icacls.exe
        
        icacls "C:\Windows\System32\systray.exe" /grant "everyone":(f)
        5⤵
        
        PID:6316
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\System32\takeown.exe"
      4⤵
      PID:6160
    - - C:\Windows\SysWOW64\takeown.exe
        
        takeown /f "C:\Windows\System32\takeown.exe"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2216
    - - C:\Windows\SysWOW64\icacls.exe
        
        icacls "C:\Windows\System32\takeown.exe" /grant "everyone":(f)
        5⤵
        
        PID:5404
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\System32\TapiUnattend.exe"
      4⤵
      System Location Discovery: System Language Discovery
      PID:2184
    - - C:\Windows\SysWOW64\takeown.exe
        
        takeown /f "C:\Windows\System32\TapiUnattend.exe"
        5⤵
        
        PID:6832
    - - C:\Windows\SysWOW64\icacls.exe
        
        icacls "C:\Windows\System32\TapiUnattend.exe" /grant "everyone":(f)
        5⤵
        
        PID:6856
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\System32\tar.exe"
      4⤵
      PID:6944
    - - C:\Windows\SysWOW64\takeown.exe
        
        takeown /f "C:\Windows\System32\tar.exe"
        5⤵
        Possible privilege escalation attempt
        
        PID:6488
    - - C:\Windows\SysWOW64\icacls.exe
        
        icacls "C:\Windows\System32\tar.exe" /grant "everyone":(f)
        5⤵
        
        PID:6908
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\System32\taskkill.exe"
      4⤵
      PID:1948
    - - C:\Windows\SysWOW64\takeown.exe
        
        takeown /f "C:\Windows\System32\taskkill.exe"
        5⤵
        
        PID:3468
    - - C:\Windows\SysWOW64\icacls.exe
        
        icacls "C:\Windows\System32\taskkill.exe" /grant "everyone":(f)
        5⤵
        
        PID:4400
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\System32\tasklist.exe"
      4⤵
      PID:3144
    - - C:\Windows\SysWOW64\takeown.exe
        
        takeown /f "C:\Windows\System32\tasklist.exe"
        5⤵
        
        PID:332
    - - C:\Windows\SysWOW64\icacls.exe
        
        icacls "C:\Windows\System32\tasklist.exe" /grant "everyone":(f)
        5⤵
        
        PID:6284
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\System32\Taskmgr.exe"
      4⤵
      PID:6864
    - - C:\Windows\SysWOW64\takeown.exe
        
        takeown /f "C:\Windows\System32\Taskmgr.exe"
        5⤵
        
        PID:4416
    - - C:\Windows\SysWOW64\icacls.exe
        
        icacls "C:\Windows\System32\Taskmgr.exe" /grant "everyone":(f)
        5⤵
        
        PID:2156
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\System32\tcmsetup.exe"
      4⤵
      PID:4820
    - - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        5⤵
        
        PID:5872
    - - C:\Windows\SysWOW64\takeown.exe
        
        takeown /f "C:\Windows\System32\tcmsetup.exe"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:5816
    - - C:\Windows\SysWOW64\icacls.exe
        
        icacls "C:\Windows\System32\tcmsetup.exe" /grant "everyone":(f)
        5⤵
        
        PID:6592
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\System32\TCPSVCS.EXE"
      4⤵
      PID:3964
    - - C:\Windows\SysWOW64\takeown.exe
        
        takeown /f "C:\Windows\System32\TCPSVCS.EXE"
        5⤵
        
        PID:4140
    - - C:\Windows\SysWOW64\icacls.exe
        
        icacls "C:\Windows\System32\TCPSVCS.EXE" /grant "everyone":(f)
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:3584
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TakeOwn.bat "C:\Windows\System32\ThumbnailExtractionHost.exe"
      4⤵
      PID:2028
    - - C:\Windows\SysWOW64\takeown.exe
        
        takeown /f "C:\Windows\System32\ThumbnailExtractionHost.exe"
        5⤵
        
        PID:3672
    - - C:\Windows\SysWOW64\icacls.exe
        
        icacls "C:\Windows\System32\ThumbnailExtractionHost.exe" /grant "everyone":(f)
        5⤵
        
        PID:1992

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /7
1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1884

C:\Windows\system32\regsvr32.EXE
"C:\Windows\system32\regsvr32.EXE" /S /i:SYNC C:\Users\Admin\AppData\Roaming\6fwpuclnt_9.drv
1⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
PID:3092
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command "if (Get-ScheduledTask | Where-Object { $_.Actions.Execute -eq 'regsvr32' -and $_.Actions.Arguments -eq '/S /i:SYNC C:\Users\Admin\AppData\Roaming\6fwpuclnt_9.drv' }) { exit 0 } else { exit 1 }"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  PID:5776

C:\Windows\system32\regsvr32.EXE
"C:\Windows\system32\regsvr32.EXE" /S /i:SYNC C:\Users\Admin\AppData\Roaming\6fwpuclnt_9.drv
1⤵
- Loads dropped DLL
PID:1080
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command "if (Get-ScheduledTask | Where-Object { $_.Actions.Execute -eq 'regsvr32' -and $_.Actions.Arguments -eq '/S /i:SYNC C:\Users\Admin\AppData\Roaming\6fwpuclnt_9.drv' }) { exit 0 } else { exit 1 }"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  PID:5208

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:4676

C:\Users\Admin\Downloads\crypted.exe
"C:\Users\Admin\Downloads\crypted.exe"
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:4844
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
  2⤵
  - Modifies system certificate store
  PID:5960

C:\Users\Admin\Downloads\needmoney.exe
"C:\Users\Admin\Downloads\needmoney.exe"
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:4856
- C:\Users\Admin\AppData\Local\Temp\svchost015.exe
  C:\Users\Admin\AppData\Local\Temp\svchost015.exe
  2⤵
  - Executes dropped EXE
  PID:664

C:\Users\Admin\Downloads\esign-app.exe
"C:\Users\Admin\Downloads\esign-app.exe"
1⤵
- Executes dropped EXE
PID:1972
- C:\Users\Admin\AppData\Local\Temp\is-6802K.tmp\esign-app.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-6802K.tmp\esign-app.tmp" /SL5="$2047A,1592193,247808,C:\Users\Admin\Downloads\esign-app.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Loads dropped DLL
  PID:3504
- - C:\Users\Admin\Downloads\esign-app.exe
    "C:\Users\Admin\Downloads\esign-app.exe" /VERYSILENT
    3⤵
    - Executes dropped EXE
    PID:1704
  - - C:\Users\Admin\AppData\Local\Temp\is-85F6R.tmp\esign-app.tmp
      "C:\Users\Admin\AppData\Local\Temp\is-85F6R.tmp\esign-app.tmp" /SL5="$304A8,1592193,247808,C:\Users\Admin\Downloads\esign-app.exe" /VERYSILENT
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:4320
    - - C:\Windows\SysWOW64\regsvr32.exe
        
        "regsvr32.exe" /s /i:SYNC "C:\Users\Admin\AppData\Roaming\\6fwpuclnt_9.drv"
        5⤵
        Loads dropped DLL
        
        PID:1972
      - C:\Windows\system32\regsvr32.exe
        
        /s /i:SYNC "C:\Users\Admin\AppData\Roaming\\6fwpuclnt_9.drv"
        6⤵
        Loads dropped DLL
        
        PID:480
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command "if (Get-ScheduledTask | Where-Object { $_.Actions.Execute -eq 'regsvr32' -and $_.Actions.Arguments -eq '/S /i:SYNC C:\Users\Admin\AppData\Roaming\6fwpuclnt_9.drv' }) { exit 0 } else { exit 1 }"
        7⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:1348

C:\Users\Admin\Downloads\esign-app.exe
"C:\Users\Admin\Downloads\esign-app.exe"
1⤵
- Executes dropped EXE
PID:2292
- C:\Users\Admin\AppData\Local\Temp\is-T5T2J.tmp\esign-app.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-T5T2J.tmp\esign-app.tmp" /SL5="$504EC,1592193,247808,C:\Users\Admin\Downloads\esign-app.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Loads dropped DLL
  PID:2028
- - C:\Users\Admin\Downloads\esign-app.exe
    "C:\Users\Admin\Downloads\esign-app.exe" /VERYSILENT
    3⤵
    - Executes dropped EXE
    PID:5152
  - - C:\Users\Admin\AppData\Local\Temp\is-Q1S4C.tmp\esign-app.tmp
      "C:\Users\Admin\AppData\Local\Temp\is-Q1S4C.tmp\esign-app.tmp" /SL5="$604EC,1592193,247808,C:\Users\Admin\Downloads\esign-app.exe" /VERYSILENT
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:3376
    - - C:\Windows\SysWOW64\regsvr32.exe
        
        "regsvr32.exe" /s /i:SYNC "C:\Users\Admin\AppData\Roaming\\6fwpuclnt_9.drv"
        5⤵
        Loads dropped DLL
        
        PID:2292
      - C:\Windows\system32\regsvr32.exe
        
        /s /i:SYNC "C:\Users\Admin\AppData\Roaming\\6fwpuclnt_9.drv"
        6⤵
        Loads dropped DLL
        
        PID:456
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command "if (Get-ScheduledTask | Where-Object { $_.Actions.Execute -eq 'regsvr32' -and $_.Actions.Arguments -eq '/S /i:SYNC C:\Users\Admin\AppData\Roaming\6fwpuclnt_9.drv' }) { exit 0 } else { exit 1 }"
        7⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:5448

C:\Users\Admin\Downloads\needmoney.exe
"C:\Users\Admin\Downloads\needmoney.exe"
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:6252
- C:\Users\Admin\AppData\Local\Temp\svchost015.exe
  C:\Users\Admin\AppData\Local\Temp\svchost015.exe
  2⤵
  - Executes dropped EXE
  PID:6396

C:\Users\Admin\Downloads\crypted.exe
"C:\Users\Admin\Downloads\crypted.exe"
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
PID:6448
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
  2⤵
  PID:6504

C:\Windows\system32\regsvr32.EXE
"C:\Windows\system32\regsvr32.EXE" /S /i:SYNC C:\Users\Admin\AppData\Roaming\6fwpuclnt_9.drv
1⤵
- Loads dropped DLL
PID:6692
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command "if (Get-ScheduledTask | Where-Object { $_.Actions.Execute -eq 'regsvr32' -and $_.Actions.Arguments -eq '/S /i:SYNC C:\Users\Admin\AppData\Roaming\6fwpuclnt_9.drv' }) { exit 0 } else { exit 1 }"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  PID:6708

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k UnistackSvcGroup
1⤵
PID:7084

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{06622D85-6856-4460-8DE1-A81921B41C4B}
1⤵
- System Location Discovery: System Language Discovery
PID:6500

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{5BD95610-9434-43C2-886C-57852CC8A120} -Embedding
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
PID:6548

C:\Windows\system32\regsvr32.EXE
"C:\Windows\system32\regsvr32.EXE" /S /i:SYNC C:\Users\Admin\AppData\Roaming\6fwpuclnt_9.drv
1⤵
- Loads dropped DLL
PID:456
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command "if (Get-ScheduledTask | Where-Object { $_.Actions.Execute -eq 'regsvr32' -and $_.Actions.Arguments -eq '/S /i:SYNC C:\Users\Admin\AppData\Roaming\6fwpuclnt_9.drv' }) { exit 0 } else { exit 1 }"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  PID:2292

C:\Windows\system32\regsvr32.EXE
"C:\Windows\system32\regsvr32.EXE" /S /i:SYNC C:\Users\Admin\AppData\Roaming\6fwpuclnt_9.drv
1⤵
- Loads dropped DLL
PID:3344
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command "if (Get-ScheduledTask | Where-Object { $_.Actions.Execute -eq 'regsvr32' -and $_.Actions.Arguments -eq '/S /i:SYNC C:\Users\Admin\AppData\Roaming\6fwpuclnt_9.drv' }) { exit 0 } else { exit 1 }"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  PID:1240

C:\Windows\system32\regsvr32.EXE
"C:\Windows\system32\regsvr32.EXE" /S /i:SYNC C:\Users\Admin\AppData\Roaming\6fwpuclnt_9.drv
1⤵
- Loads dropped DLL
PID:6576
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command "if (Get-ScheduledTask | Where-Object { $_.Actions.Execute -eq 'regsvr32' -and $_.Actions.Arguments -eq '/S /i:SYNC C:\Users\Admin\AppData\Roaming\6fwpuclnt_9.drv' }) { exit 0 } else { exit 1 }"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  PID:6552

C:\Windows\msagent\AgentSvr.exe
C:\Windows\msagent\AgentSvr.exe -Embedding
1⤵
- Executes dropped EXE
- Loads dropped DLL
PID:5912

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x310 0x4f8
1⤵
PID:1708

C:\Windows\explorer.exe
explorer.exe
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Enumerates connected drives
- Checks SCSI registry key(s)
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
PID:5152

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:4052

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TextInputHost.exe
"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TextInputHost.exe" -ServerName:InputApp.AppXk0k6mrh4r2q0ct33a9wgbez0x7v9cz5y.mca
1⤵
PID:7052

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 444 -p 5152 -ip 5152
1⤵
PID:5600

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:4180

C:\Windows\explorer.exe
explorer.exe
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Enumerates connected drives
- Modifies registry class
PID:4792

C:\Windows\system32\regsvr32.EXE
"C:\Windows\system32\regsvr32.EXE" /S /i:SYNC C:\Users\Admin\AppData\Roaming\6fwpuclnt_9.drv
1⤵
- Loads dropped DLL
PID:6624
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command "if (Get-ScheduledTask | Where-Object { $_.Actions.Execute -eq 'regsvr32' -and $_.Actions.Arguments -eq '/S /i:SYNC C:\Users\Admin\AppData\Roaming\6fwpuclnt_9.drv' }) { exit 0 } else { exit 1 }"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  PID:5560

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Event Triggered Execution

T1546

Accessibility Features

T1546.008

AppInit DLLs

T1546.010

Power Settings

T1653

Privilege Escalation

Access Token Manipulation

T1134

Create Process with Token

T1134.002

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Event Triggered Execution

T1546

Accessibility Features

T1546.008

AppInit DLLs

T1546.010

Defense Evasion

Access Token Manipulation

T1134

Create Process with Token

T1134.002

File and Directory Permissions Modification

T1222

Windows File and Directory Permissions Modification

T1222.001

Modify Registry

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

SIP and Trust Provider Hijacking

T1553.003

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Peripheral Device Discovery

T1120

Query Registry

System Information Discovery