e315aa0e80c75958edb5ff7ed8fb9d82688a49a927f037e4356cdb9244cfcff1

Analysis

max time kernel
270s
max time network
212s
platform
windows11-21h2_x64
resource
win11-20250313-en
resource tags

arch:x64arch:x86image:win11-20250313-enlocale:en-usos:windows11-21h2-x64system
submitted
02/04/2025, 06:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

philerbum.ps1
Size

242B
MD5

59d0f73a31a7ad0474f993d5523fb20a
SHA1

b345d42f0b8319c754c95a9f37425d9774ddfb35
SHA256

e315aa0e80c75958edb5ff7ed8fb9d82688a49a927f037e4356cdb9244cfcff1
SHA512

267166da5954e6da88a80e87a4f81f092b1561d27cf545f1ae6296501df2c5751a9ef07b5eedae9d167d0671ad0d8531dcec2a2c5c227ea907cf42c54cdf742e

Score

8^/10

defense_evasion discovery execution exploit persistence

Malware Config

Signatures

Drops file in Drivers directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\en-US\USBXHCI.SYS.mui	PowerShell.exe
File opened for modification	C:\Windows\System32\drivers\es-ES\refsv1.sys.mui	PowerShell.exe
File opened for modification	C:\Windows\System32\drivers\SerCx.sys	PowerShell.exe
File opened for modification	C:\Windows\System32\drivers\fr-FR\VerifierExt.sys.mui	PowerShell.exe
File opened for modification	C:\Windows\System32\drivers\it-IT\wdf01000.sys.mui	PowerShell.exe
File opened for modification	C:\Windows\System32\drivers\UMDF\fr-FR\Microsoft.Bluetooth.Profiles.HidOverGatt.dll.mui	PowerShell.exe
File opened for modification	C:\Windows\System32\drivers\IPMIDrv.sys	PowerShell.exe
File opened for modification	C:\Windows\System32\drivers\de-DE\srv2.sys.mui	PowerShell.exe
File opened for modification	C:\Windows\System32\drivers\it-IT\HvService.sys.mui	PowerShell.exe
File opened for modification	C:\Windows\System32\drivers\ja-JP\volsnap.sys.mui	PowerShell.exe
File opened for modification	C:\Windows\System32\drivers\UMDF\SMCCx.dll	PowerShell.exe
File opened for modification	C:\Windows\System32\drivers\es-ES\hidclass.sys.mui	PowerShell.exe
File opened for modification	C:\Windows\System32\drivers\es-ES\rdbss.sys.mui	PowerShell.exe
File opened for modification	C:\Windows\System32\drivers\es-ES\tsusbhub.sys.mui	PowerShell.exe
File opened for modification	C:\Windows\System32\drivers\UMDF\uiccspb.dll	PowerShell.exe
File opened for modification	C:\Windows\System32\drivers\dxgmms2.sys	PowerShell.exe
File opened for modification	C:\Windows\System32\drivers\PktMon.sys	PowerShell.exe
File opened for modification	C:\Windows\System32\drivers\en-US\mrxsmb.sys.mui	PowerShell.exe
File opened for modification	C:\Windows\System32\drivers\es-ES\scmbus.sys.mui	PowerShell.exe
File opened for modification	C:\Windows\System32\drivers\fr-FR\pmem.sys.mui	PowerShell.exe
File opened for modification	C:\Windows\System32\drivers\UMDF\fr-FR\idtsec.dll.mui	PowerShell.exe
File opened for modification	C:\Windows\System32\drivers\hidir.sys	PowerShell.exe
File opened for modification	C:\Windows\System32\drivers\en-US\luafv.sys.mui	PowerShell.exe
File opened for modification	C:\Windows\System32\drivers\fr-FR\hidclass.sys.mui	PowerShell.exe
File opened for modification	C:\Windows\System32\drivers\dumpsdport.sys	PowerShell.exe
File opened for modification	C:\Windows\System32\drivers\en-US\tsusbflt.sys.mui	PowerShell.exe
File opened for modification	C:\Windows\System32\drivers\it-IT\kbdclass.sys.mui	PowerShell.exe
File opened for modification	C:\Windows\System32\drivers\ja-JP\mouhid.sys.mui	PowerShell.exe
File opened for modification	C:\Windows\System32\drivers\MTConfig.sys	PowerShell.exe
File opened for modification	C:\Windows\System32\drivers\ntosext.sys	PowerShell.exe
File opened for modification	C:\Windows\System32\drivers\en-US\disk.sys.mui	PowerShell.exe
File opened for modification	C:\Windows\System32\drivers\en-US\PktMon.sys.mui	PowerShell.exe
File opened for modification	C:\Windows\System32\drivers\es-ES\vmstorfl.sys.mui	PowerShell.exe
File opened for modification	C:\Windows\System32\drivers\it-IT\CAD.sys.mui	PowerShell.exe
File opened for modification	C:\Windows\System32\drivers\ja-JP\nwifi.sys.mui	PowerShell.exe
File opened for modification	C:\Windows\System32\drivers\mausbip.sys	PowerShell.exe
File opened for modification	C:\Windows\System32\drivers\mvumis.sys	PowerShell.exe
File opened for modification	C:\Windows\System32\drivers\ramdisk.sys	PowerShell.exe
File opened for modification	C:\Windows\System32\drivers\de-DE\isapnp.sys.mui	PowerShell.exe
File opened for modification	C:\Windows\System32\drivers\de-DE\wof.sys.mui	PowerShell.exe
File opened for modification	C:\Windows\System32\drivers\ndistapi.sys	PowerShell.exe
File opened for modification	C:\Windows\System32\drivers\xboxgip.sys	PowerShell.exe
File opened for modification	C:\Windows\System32\drivers\es-ES\partmgr.sys.mui	PowerShell.exe
File opened for modification	C:\Windows\System32\drivers\UMDF\ja-JP\UsbccidDriver.dll.mui	PowerShell.exe
File opened for modification	C:\Windows\System32\drivers\bttflt.sys	PowerShell.exe
File opened for modification	C:\Windows\System32\drivers\de-DE\parport.sys.mui	PowerShell.exe
File opened for modification	C:\Windows\System32\drivers\ja-JP\nvmedisk.sys.mui	PowerShell.exe
File opened for modification	C:\Windows\System32\drivers\ja-JP\pacer.sys.mui	PowerShell.exe
File opened for modification	C:\Windows\System32\drivers\ja-JP\serial.sys.mui	PowerShell.exe
File opened for modification	C:\Windows\System32\drivers\mspqm.sys	PowerShell.exe
File opened for modification	C:\Windows\System32\drivers\es-ES\usbhub.sys.mui	PowerShell.exe
File opened for modification	C:\Windows\System32\drivers\en-US\tsusbhub.sys.mui	PowerShell.exe
File opened for modification	C:\Windows\System32\drivers\fr-FR\BTHUSB.SYS.mui	PowerShell.exe
File opened for modification	C:\Windows\System32\drivers\ja-JP\IPMIDRV.sys.mui	PowerShell.exe
File opened for modification	C:\Windows\System32\drivers\uk-UA	PowerShell.exe
File opened for modification	C:\Windows\System32\drivers\UMDF\de-DE	PowerShell.exe
File opened for modification	C:\Windows\System32\drivers\cht4vx64.sys	PowerShell.exe
File opened for modification	C:\Windows\System32\drivers\pmem.sys	PowerShell.exe
File opened for modification	C:\Windows\System32\drivers\tbs.sys	PowerShell.exe
File opened for modification	C:\Windows\System32\drivers\it-IT\nvmedisk.sys.mui	PowerShell.exe
File opened for modification	C:\Windows\System32\drivers\it-IT\vmstorfl.sys.mui	PowerShell.exe
File opened for modification	C:\Windows\System32\drivers\ja-JP\disk.sys.mui	PowerShell.exe
File opened for modification	C:\Windows\System32\drivers\ja-JP\isapnp.sys.mui	PowerShell.exe
File opened for modification	C:\Windows\System32\drivers\ja-JP\wdf01000.sys.mui	PowerShell.exe

Manipulates Digital Signatures 1 IoCs

Attackers can apply techniques such as modifying certain DLL exports to make their binary seem valid.

description	ioc	Process
File opened for modification	C:\Windows\System32\WindowsPowerShell\v1.0\pwrshsip.dll	PowerShell.exe

Possible privilege escalation attempt 64 IoCs

exploit

pid	Process
2964	Process not Found
4288	Process not Found
5628	Process not Found
5212	Process not Found
5496	Process not Found
972	Process not Found
4160	Process not Found
5708	Process not Found
4448	Process not Found
4024	Process not Found
1572	Process not Found
2416	Process not Found
5260	Process not Found
4892	Process not Found
4288	Process not Found
3472	Process not Found
3984	Process not Found
428	Process not Found
5192	Process not Found
3552	Process not Found
1856	Process not Found
1416	Process not Found
5876	takeown.exe
1696	takeown.exe
2404	takeown.exe
1864	Process not Found
3856	Process not Found
6032	Process not Found
4780	Process not Found
3580	Process not Found
5988	Process not Found
2352	Process not Found
3128	Process not Found
4264	Process not Found
2928	Process not Found
4492	Process not Found
5312	Process not Found
4580	Process not Found
4816	icacls.exe
4600	icacls.exe
1280	Process not Found
2932	Process not Found
1992	Process not Found
1836	Process not Found
1660	Process not Found
4772	Process not Found
5476	takeown.exe
6096	icacls.exe
5044	Process not Found
3660	Process not Found
5772	Process not Found
1072	Process not Found
1996	Process not Found
4644	Process not Found
3720	takeown.exe
1820	Process not Found
2856	Process not Found
1988	Process not Found
2268	Process not Found
3300	Process not Found
5916	Process not Found
3904	Process not Found
1324	takeown.exe
2092	Process not Found

Boot or Logon Autostart Execution: Print Processors 1 TTPs 1 IoCs

Adversaries may abuse print processors to run malicious DLLs during system boot for persistence and/or privilege escalation.

persistence

Print Processors

T1547.012

description	ioc	Process
File opened for modification	C:\Windows\System32\spool\prtprocs\x64\winprint.dll	PowerShell.exe

Indicator Removal: Clear Windows Event Logs 1 TTPs 64 IoCs

Clear Windows Event Logs to hide the activity of an intrusion.

defense_evasion

Clear Windows Event Logs

T1070.001

description	ioc	Process
File opened for modification	C:\Windows\System32\winevt\Logs\Microsoft-Windows-AppReadiness%4Admin.evtx	PowerShell.exe
File opened for modification	C:\Windows\System32\winevt\Logs\Microsoft-Windows-Audio%4Operational.evtx	PowerShell.exe
File opened for modification	C:\Windows\System32\winevt\Logs\Microsoft-Windows-CoreSystem-SmsRouter-Events%4Operational.evtx	PowerShell.exe
File opened for modification	C:\Windows\System32\winevt\Logs\Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider%4Autopilot.evtx	PowerShell.exe
File opened for modification	C:\Windows\System32\winevt\Logs\Microsoft-Windows-LiveId%4Operational.evtx	PowerShell.exe
File opened for modification	C:\Windows\System32\winevt\Logs\Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider%4Operational.evtx	PowerShell.exe
File opened for modification	C:\Windows\System32\winevt\Logs\Microsoft-Windows-UserPnp%4ActionCenter.evtx	PowerShell.exe
File opened for modification	C:\Windows\System32\winevt\Logs\Microsoft-Windows-VolumeSnapshot-Driver%4Operational.evtx	PowerShell.exe
File opened for modification	C:\Windows\System32\winevt\Logs\Microsoft-Windows-WinINet-Config%4ProxyConfigChanged.evtx	PowerShell.exe
File opened for modification	C:\Windows\System32\winevt\Logs\Microsoft-Windows-AppxPackaging%4Operational.evtx	PowerShell.exe
File opened for modification	C:\Windows\System32\winevt\Logs\Microsoft-Windows-Resource-Exhaustion-Detector%4Operational.evtx	PowerShell.exe
File opened for modification	C:\Windows\System32\winevt\Logs\Microsoft-Windows-SMBClient%4Operational.evtx	PowerShell.exe
File opened for modification	C:\Windows\System32\winevt\Logs\Microsoft-Windows-SMBServer%4Security.evtx	PowerShell.exe
File opened for modification	C:\Windows\System32\winevt\Logs\Microsoft-Windows-AppReadiness%4Operational.evtx	PowerShell.exe
File opened for modification	C:\Windows\System32\winevt\Logs\Microsoft-Windows-Dhcpv6-Client%4Admin.evtx	PowerShell.exe
File opened for modification	C:\Windows\System32\winevt\Logs\Microsoft-Windows-Diagnosis-Scheduled%4Operational.evtx	PowerShell.exe
File opened for modification	C:\Windows\System32\winevt\Logs\Microsoft-Windows-Diagnostics-Performance%4Operational.evtx	PowerShell.exe
File opened for modification	C:\Windows\System32\winevt\Logs\Microsoft-Windows-Provisioning-Diagnostics-Provider%4AutoPilot.evtx	PowerShell.exe
File opened for modification	C:\Windows\System32\winevt\Logs\Microsoft-Windows-Storage-Storport%4Health.evtx	PowerShell.exe
File opened for modification	C:\Windows\System32\winevt\Logs\OAlerts.evtx	PowerShell.exe
File opened for modification	C:\Windows\System32\winevt\Logs\Microsoft-Windows-AppXDeployment%4Operational.evtx	PowerShell.exe
File opened for modification	C:\Windows\System32\winevt\Logs\Microsoft-Windows-Diagnosis-DPS%4Operational.evtx	PowerShell.exe
File opened for modification	C:\Windows\System32\winevt\Logs\Microsoft-Windows-HotspotAuth%4Operational.evtx	PowerShell.exe
File opened for modification	C:\Windows\System32\winevt\Logs\Microsoft-Windows-PowerShell%4Operational.evtx	PowerShell.exe
File opened for modification	C:\Windows\System32\winevt\Logs\Microsoft-Windows-Application-Experience%4Program-Compatibility-Troubleshooter.evtx	PowerShell.exe
File opened for modification	C:\Windows\System32\winevt\Logs\Microsoft-Windows-CodeIntegrity%4Operational.evtx	PowerShell.exe
File opened for modification	C:\Windows\System32\winevt\Logs\Microsoft-Windows-FileHistory-Core%4WHC.evtx	PowerShell.exe
File opened for modification	C:\Windows\System32\winevt\Logs\Microsoft-Windows-StateRepository%4Restricted.evtx	PowerShell.exe
File opened for modification	C:\Windows\System32\winevt\Logs\Microsoft-Windows-Sysmon%4Operational.evtx	PowerShell.exe
File opened for modification	C:\Windows\System32\winevt\Logs\Microsoft-Windows-Containers-Wcifs%4Operational.evtx	PowerShell.exe
File opened for modification	C:\Windows\System32\winevt\Logs\Microsoft-Windows-Crypto-DPAPI%4Operational.evtx	PowerShell.exe
File opened for modification	C:\Windows\System32\winevt\Logs\Microsoft-Windows-Ntfs%4WHC.evtx	PowerShell.exe
File opened for modification	C:\Windows\System32\winevt\Logs\Microsoft-Windows-Windows Firewall With Advanced Security%4Firewall.evtx	PowerShell.exe
File opened for modification	C:\Windows\System32\winevt\Logs\Microsoft-Windows-AppModel-Runtime%4Admin.evtx	PowerShell.exe
File opened for modification	C:\Windows\System32\winevt\Logs\Microsoft-Windows-DeviceSetupManager%4Operational.evtx	PowerShell.exe
File opened for modification	C:\Windows\System32\winevt\Logs\Microsoft-Windows-PushNotification-Platform%4Admin.evtx	PowerShell.exe
File opened for modification	C:\Windows\System32\winevt\Logs\Microsoft-Windows-Security-Mitigations%4UserMode.evtx	PowerShell.exe
File opened for modification	C:\Windows\System32\winevt\Logs\Microsoft-Windows-Application-Experience%4Program-Compatibility-Assistant.evtx	PowerShell.exe
File opened for modification	C:\Windows\System32\winevt\Logs\Microsoft-Windows-Dhcp-Client%4Admin.evtx	PowerShell.exe
File opened for modification	C:\Windows\System32\winevt\Logs\Microsoft-Windows-StateRepository%4Operational.evtx	PowerShell.exe
File opened for modification	C:\Windows\System32\winevt\Logs\Microsoft-Windows-AAD%4Operational.evtx	PowerShell.exe
File opened for modification	C:\Windows\System32\winevt\Logs\Microsoft-Windows-MUI%4Admin.evtx	PowerShell.exe
File opened for modification	C:\Windows\System32\winevt\Logs\Microsoft-Windows-WindowsBackup%4ActionCenter.evtx	PowerShell.exe
File opened for modification	C:\Windows\System32\winevt\Logs\Microsoft-Windows-Application-Experience%4Program-Telemetry.evtx	PowerShell.exe
File opened for modification	C:\Windows\System32\winevt\Logs\Microsoft-Windows-UserPnp%4DeviceInstall.evtx	PowerShell.exe
File opened for modification	C:\Windows\System32\winevt\Logs\Microsoft-Windows-Store%4Operational.evtx	PowerShell.exe
File opened for modification	C:\Windows\System32\winevt\Logs\Internet Explorer.evtx	PowerShell.exe
File opened for modification	C:\Windows\System32\winevt\Logs\Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider%4Admin.evtx	PowerShell.exe
File opened for modification	C:\Windows\System32\winevt\Logs\Microsoft-Windows-StorageSpaces-Driver%4Diagnostic.evtx	PowerShell.exe
File opened for modification	C:\Windows\System32\winevt\Logs\Microsoft-Windows-Kernel-PnP%4Configuration.evtx	PowerShell.exe
File opened for modification	C:\Windows\System32\winevt\Logs\Microsoft-Windows-NetworkProfile%4Operational.evtx	PowerShell.exe
File opened for modification	C:\Windows\System32\winevt\Logs\Microsoft-Windows-UniversalTelemetryClient%4Operational.evtx	PowerShell.exe
File opened for modification	C:\Windows\System32\winevt\Logs\Microsoft-Windows-WebAuthN%4Operational.evtx	PowerShell.exe
File opened for modification	C:\Windows\System32\winevt\Logs\Microsoft-Windows-Application-Experience%4Steps-Recorder.evtx	PowerShell.exe
File opened for modification	C:\Windows\System32\winevt\Logs\Microsoft-Windows-BitLocker%4BitLocker Management.evtx	PowerShell.exe
File opened for modification	C:\Windows\System32\winevt\Logs\Microsoft-Windows-Containers-BindFlt%4Operational.evtx	PowerShell.exe
File opened for modification	C:\Windows\System32\winevt\Logs\Microsoft-Windows-MUI%4Operational.evtx	PowerShell.exe
File opened for modification	C:\Windows\System32\winevt\Logs\Microsoft-Windows-WindowsUpdateClient%4Operational.evtx	PowerShell.exe
File opened for modification	C:\Windows\System32\winevt\Logs\Microsoft-Windows-Audio%4PlaybackManager.evtx	PowerShell.exe
File opened for modification	C:\Windows\System32\winevt\Logs\Microsoft-Windows-Kernel-ShimEngine%4Operational.evtx	PowerShell.exe
File opened for modification	C:\Windows\System32\winevt\Logs\Microsoft-Windows-SMBServer%4Audit.evtx	PowerShell.exe
File opened for modification	C:\Windows\System32\winevt\Logs\Microsoft-Windows-SMBServer%4Connectivity.evtx	PowerShell.exe
File opened for modification	C:\Windows\System32\winevt\Logs\Microsoft-Windows-Storage-Storport%4Operational.evtx	PowerShell.exe
File opened for modification	C:\Windows\System32\winevt\Logs\Microsoft-Windows-Winlogon%4Operational.evtx	PowerShell.exe

Indirect Command Execution 1 TTPs 1 IoCs

Adversaries may abuse utilities that allow for command execution to bypass security restrictions that limit the use of command-line interpreters.

defense_evasion

Indirect Command Execution

T1202

pid	Process
1836	Process not Found

Modifies file permissions 1 TTPs 64 IoCs

discovery

File and Directory Permissions Modification

T1222

pid	Process
560	icacls.exe
5100	Process not Found
3884	Process not Found
1624	Process not Found
2904	Process not Found
4976	Process not Found
2456	Process not Found
1340	Process not Found
3388	Process not Found
3844	Process not Found
1212	Process not Found
5488	Process not Found
5768	Process not Found
2536	Process not Found
4496	Process not Found
2400	Process not Found
2328	Process not Found
5056	Process not Found
5828	Process not Found
1324	Process not Found
2052	Process not Found
3884	Process not Found
4656	Process not Found
4764	Process not Found
3568	Process not Found
5812	Process not Found
5772	Process not Found
2360	Process not Found
5656	Process not Found
3392	takeown.exe
5156	Process not Found
2396	Process not Found
2492	Process not Found
4908	Process not Found
4056	Process not Found
3124	Process not Found
4820	Process not Found
1324	icacls.exe
1368	Process not Found
2864	Process not Found
556	Process not Found
4496	Process not Found
1288	Process not Found
4236	Process not Found
1424	Process not Found
4852	Process not Found
4944	Process not Found
5560	Process not Found
3372	Process not Found
3432	Process not Found
4076	Process not Found
2572	Process not Found
5712	takeown.exe
552	takeown.exe
3464	takeown.exe
1420	takeown.exe
5968	Process not Found
552	Process not Found
2404	Process not Found
5296	Process not Found
5652	icacls.exe
2788	Process not Found
4756	Process not Found
4408	Process not Found

Power Settings 1 TTPs 4 IoCs

powercfg controls all configurable power system settings on a Windows system and can be abused to prevent an infected host from locking or shutting down.

persistence

Power Settings

T1653

pid	Process
1440	Process not Found
980	Process not Found
2296	Process not Found
2644	Process not Found

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\DriverStore\en-US\PerceptionSimulationSixDofModels.inf_loc	PowerShell.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\acpidev.inf_amd64_62eee5ffb4fab318\acpidev.inf	PowerShell.exe
File opened for modification	C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Containers-DisposableClientVM-merged-Package~31bf3856ad364e35~amd64~de-DE~10.0.22000.1.cat	PowerShell.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\msports.inf_amd64_2501111c1a47968b\msports.inf	PowerShell.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\prnms003.inf_x86_4540e16c07f9c1ad	PowerShell.exe
File opened for modification	C:\Windows\System32\DriverStore\it-IT\c_fsquotamgmt.inf_loc	PowerShell.exe
File opened for modification	C:\Windows\System32\es-ES\tapiui.dll.mui	PowerShell.exe
File opened for modification	C:\Windows\System32\uk-UA\MultiDigiMon.exe.mui	PowerShell.exe
File opened for modification	C:\Windows\System32\dwmapi.dll	PowerShell.exe
File opened for modification	C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\HyperV-VmBus-Host-Package~31bf3856ad364e35~amd64~uk-UA~10.0.22000.1.cat	PowerShell.exe
File opened for modification	C:\Windows\System32\uk-UA\SensorsApi.dll.mui	PowerShell.exe
File opened for modification	C:\Windows\System32\en-US\sti.dll.mui	PowerShell.exe
File opened for modification	C:\Windows\System32\InputMethod\CHS\ChsEM.dll	PowerShell.exe
File opened for modification	C:\Windows\System32\de-DE\authui.dll.mui	PowerShell.exe
File opened for modification	C:\Windows\System32\lt-LT	PowerShell.exe
File opened for modification	C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Wired-Network-Drivers-Package~31bf3856ad364e35~amd64~fr-FR~10.0.22000.1.cat	PowerShell.exe
File opened for modification	C:\Windows\System32\DriverStore\en-US\c_monitor.inf_loc	PowerShell.exe
File opened for modification	C:\Windows\System32\C_20127.NLS	PowerShell.exe
File opened for modification	C:\Windows\System32\downlevel\api-ms-win-core-fibers-l1-1-1.dll	PowerShell.exe
File opened for modification	C:\Windows\System32\migwiz\dlmanifests\Microsoft-Windows-IE-Feeds-Platform-DL.man	PowerShell.exe
File opened for modification	C:\Windows\System32\de-DE\vdsdyn.dll.mui	PowerShell.exe
File opened for modification	C:\Windows\System32\fr-FR\PushToInstall.dll.mui	PowerShell.exe
File opened for modification	C:\Windows\System32\SortWindows63.dll	PowerShell.exe
File opened for modification	C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-OneCore-Storufs-Package~31bf3856ad364e35~amd64~en-US~10.0.22000.1.cat	PowerShell.exe
File opened for modification	C:\Windows\System32\de-DE\msconfig.exe.mui	PowerShell.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\net8192se64.inf_amd64_167684f9283b4eca	PowerShell.exe
File opened for modification	C:\Windows\System32\ja-jp\polstore.dll.mui	PowerShell.exe
File opened for modification	C:\Windows\System32\ntkrla57.exe	PowerShell.exe
File opened for modification	C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-TS-merged-Package~31bf3856ad364e35~amd64~~10.0.22000.469.cat	PowerShell.exe
File opened for modification	C:\Windows\System32\DriverStore\en-US\winusb.inf_loc	PowerShell.exe
File opened for modification	C:\Windows\System32\en-US\dinput.dll.mui	PowerShell.exe
File opened for modification	C:\Windows\System32\es-ES\ubpm.dll.mui	PowerShell.exe
File opened for modification	C:\Windows\System32\WindowsPowerShell\v1.0\Modules\Storage\FileIntegrity.cdxml	PowerShell.exe
File opened for modification	C:\Windows\System32\DriverStore\it-IT\c_fsinfrastructure.inf_loc	PowerShell.exe
File opened for modification	C:\Windows\System32\de-DE\gpupdate.exe.mui	PowerShell.exe
File opened for modification	C:\Windows\System32\DriverStore\en-US\ykinx64.inf_loc	PowerShell.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\61883.inf_amd64_eb7cb6e4bc1e4d57\61883.sys	PowerShell.exe
File opened for modification	C:\Windows\System32\it-IT\objsel.dll.mui	PowerShell.exe
File opened for modification	C:\Windows\System32\C_G18030.DLL	PowerShell.exe
File opened for modification	C:\Windows\System32\energy.dll	PowerShell.exe
File opened for modification	C:\Windows\System32\KBDINKAN.DLL	PowerShell.exe
File opened for modification	C:\Windows\System32\KBDKNI.DLL	PowerShell.exe
File opened for modification	C:\Windows\System32\de-DE\dwmredir.dll.mui	PowerShell.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\rdpbus.inf_amd64_486ea8f0fb148f5e\rdpbus.sys	PowerShell.exe
File opened for modification	C:\Windows\System32\DriverStore\ja-JP\netevbda.inf_loc	PowerShell.exe
File opened for modification	C:\Windows\System32\ScanPlugin.dll	PowerShell.exe
File opened for modification	C:\Windows\System32\config\systemprofile\AppData\Local\D3DSCache\90ccb9cba3f45768\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.lock	PowerShell.exe
File opened for modification	C:\Windows\System32\DriverStore\fr-FR\wmbclass_wmc_union.inf_loc	PowerShell.exe
File opened for modification	C:\Windows\System32\DriverStore\it-IT\kscaptur.inf_loc	PowerShell.exe
File opened for modification	C:\Windows\System32\fr-FR\wsock32.dll.mui	PowerShell.exe
File opened for modification	C:\Windows\System32\IconCodecService.dll	PowerShell.exe
File opened for modification	C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\HyperV-Vpci-VirtualDevice-DDA-merged-Package~31bf3856ad364e35~amd64~fr-FR~10.0.22000.1.cat	PowerShell.exe
File opened for modification	C:\Windows\System32\icsvcext.dll	PowerShell.exe
File opened for modification	C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-OneCore-Sensors-Algorithms-Package~31bf3856ad364e35~amd64~~10.0.22000.1.cat	PowerShell.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\intelpmax.inf_amd64_900fa880e0a898a1\intelpmax.inf	PowerShell.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\mdmpsion.inf_amd64_cb2e9e56f2c51012\mdmpsion.inf	PowerShell.exe
File opened for modification	C:\Windows\System32\fr-FR\packager.dll.mui	PowerShell.exe
File opened for modification	C:\Windows\System32\spp\tokens\skus\CloudEdition	PowerShell.exe
File opened for modification	C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppServerClient-OptGroup-WOW64-Package~31bf3856ad364e35~amd64~~10.0.22000.1.cat	PowerShell.exe
File opened for modification	C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-InternetExplorer-Optional-Payload-Package~31bf3856ad364e35~amd64~~10.0.22000.120.cat	PowerShell.exe
File opened for modification	C:\Windows\System32\Com\comadmin.dll	PowerShell.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\qcwlan64.inf_amd64_71c84e1405061462\bdwlan_qca6390_2p0_NFA524.elf	PowerShell.exe
File opened for modification	C:\Windows\System32\DriverStore\it-IT\c_sensor.inf_loc	PowerShell.exe
File opened for modification	C:\Windows\System32\es-ES\rasmm.dll.mui	PowerShell.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
6080	PowerShell.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
6080	PowerShell.exe
6080	PowerShell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	6080	PowerShell.exe
Token: SeTakeOwnershipPrivilege	4488	takeown.exe
Token: SeTakeOwnershipPrivilege	5520	takeown.exe
Token: SeTakeOwnershipPrivilege	4036	takeown.exe
Token: SeTakeOwnershipPrivilege	4140	takeown.exe
Token: SeTakeOwnershipPrivilege	4300	takeown.exe
Token: SeTakeOwnershipPrivilege	4788	takeown.exe
Token: SeTakeOwnershipPrivilege	4868	takeown.exe
Token: SeTakeOwnershipPrivilege	4940	takeown.exe
Token: SeTakeOwnershipPrivilege	4976	takeown.exe
Token: SeTakeOwnershipPrivilege	5040	takeown.exe
Token: SeTakeOwnershipPrivilege	8	takeown.exe
Token: SeTakeOwnershipPrivilege	428	takeown.exe
Token: SeTakeOwnershipPrivilege	3952	takeown.exe
Token: SeTakeOwnershipPrivilege	3068	takeown.exe
Token: SeTakeOwnershipPrivilege	5112	takeown.exe
Token: SeTakeOwnershipPrivilege	4396	takeown.exe
Token: SeTakeOwnershipPrivilege	2328	takeown.exe
Token: SeTakeOwnershipPrivilege	1416	takeown.exe
Token: SeTakeOwnershipPrivilege	2248	takeown.exe
Token: SeTakeOwnershipPrivilege	2148	takeown.exe
Token: SeTakeOwnershipPrivilege	2440	takeown.exe
Token: SeTakeOwnershipPrivilege	1148	takeown.exe
Token: SeTakeOwnershipPrivilege	5316	takeown.exe
Token: SeTakeOwnershipPrivilege	1836	takeown.exe
Token: SeTakeOwnershipPrivilege	2824	takeown.exe
Token: SeTakeOwnershipPrivilege	4264	takeown.exe
Token: SeTakeOwnershipPrivilege	1424	takeown.exe
Token: SeTakeOwnershipPrivilege	1008	takeown.exe
Token: SeTakeOwnershipPrivilege	4636	takeown.exe
Token: SeTakeOwnershipPrivilege	1964	takeown.exe
Token: SeTakeOwnershipPrivilege	3476	takeown.exe
Token: SeTakeOwnershipPrivilege	2864	takeown.exe
Token: SeTakeOwnershipPrivilege	5840	takeown.exe
Token: SeTakeOwnershipPrivilege	3560	takeown.exe
Token: SeTakeOwnershipPrivilege	4552	takeown.exe
Token: SeTakeOwnershipPrivilege	2476	takeown.exe
Token: SeTakeOwnershipPrivilege	4576	takeown.exe
Token: SeTakeOwnershipPrivilege	4668	takeown.exe
Token: SeTakeOwnershipPrivilege	3916	takeown.exe
Token: SeTakeOwnershipPrivilege	5124	takeown.exe
Token: SeTakeOwnershipPrivilege	5376	takeown.exe
Token: SeTakeOwnershipPrivilege	5176	takeown.exe
Token: SeTakeOwnershipPrivilege	1948	takeown.exe
Token: SeTakeOwnershipPrivilege	1564	takeown.exe
Token: SeTakeOwnershipPrivilege	2096	takeown.exe
Token: SeTakeOwnershipPrivilege	4604	takeown.exe
Token: SeTakeOwnershipPrivilege	1072	takeown.exe
Token: SeTakeOwnershipPrivilege	3064	takeown.exe
Token: SeTakeOwnershipPrivilege	5016	takeown.exe
Token: SeTakeOwnershipPrivilege	2896	takeown.exe
Token: SeTakeOwnershipPrivilege	6004	takeown.exe
Token: SeTakeOwnershipPrivilege	1468	takeown.exe
Token: SeTakeOwnershipPrivilege	2528	takeown.exe
Token: SeTakeOwnershipPrivilege	2400	takeown.exe
Token: SeTakeOwnershipPrivilege	5648	takeown.exe
Token: SeTakeOwnershipPrivilege	5604	takeown.exe
Token: SeTakeOwnershipPrivilege	5572	takeown.exe
Token: SeTakeOwnershipPrivilege	3112	takeown.exe
Token: SeTakeOwnershipPrivilege	5688	takeown.exe
Token: SeTakeOwnershipPrivilege	4664	takeown.exe
Token: SeTakeOwnershipPrivilege	2344	takeown.exe
Token: SeTakeOwnershipPrivilege	2592	takeown.exe
Token: SeTakeOwnershipPrivilege	4624	takeown.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 6080 wrote to memory of 4488	6080	PowerShell.exe	79
PID 6080 wrote to memory of 4488	6080	PowerShell.exe	79
PID 6080 wrote to memory of 5448	6080	PowerShell.exe	80
PID 6080 wrote to memory of 5448	6080	PowerShell.exe	80
PID 6080 wrote to memory of 5520	6080	PowerShell.exe	81
PID 6080 wrote to memory of 5520	6080	PowerShell.exe	81
PID 6080 wrote to memory of 4380	6080	PowerShell.exe	82
PID 6080 wrote to memory of 4380	6080	PowerShell.exe	82
PID 6080 wrote to memory of 1520	6080	PowerShell.exe	83
PID 6080 wrote to memory of 1520	6080	PowerShell.exe	83
PID 6080 wrote to memory of 4032	6080	PowerShell.exe	84
PID 6080 wrote to memory of 4032	6080	PowerShell.exe	84
PID 6080 wrote to memory of 4036	6080	PowerShell.exe	85
PID 6080 wrote to memory of 4036	6080	PowerShell.exe	85
PID 6080 wrote to memory of 1600	6080	PowerShell.exe	86
PID 6080 wrote to memory of 1600	6080	PowerShell.exe	86
PID 6080 wrote to memory of 4140	6080	PowerShell.exe	87
PID 6080 wrote to memory of 4140	6080	PowerShell.exe	87
PID 6080 wrote to memory of 5804	6080	PowerShell.exe	88
PID 6080 wrote to memory of 5804	6080	PowerShell.exe	88
PID 6080 wrote to memory of 4300	6080	PowerShell.exe	89
PID 6080 wrote to memory of 4300	6080	PowerShell.exe	89
PID 6080 wrote to memory of 4816	6080	PowerShell.exe	90
PID 6080 wrote to memory of 4816	6080	PowerShell.exe	90
PID 6080 wrote to memory of 4788	6080	PowerShell.exe	91
PID 6080 wrote to memory of 4788	6080	PowerShell.exe	91
PID 6080 wrote to memory of 4780	6080	PowerShell.exe	92
PID 6080 wrote to memory of 4780	6080	PowerShell.exe	92
PID 6080 wrote to memory of 4868	6080	PowerShell.exe	93
PID 6080 wrote to memory of 4868	6080	PowerShell.exe	93
PID 6080 wrote to memory of 4912	6080	PowerShell.exe	94
PID 6080 wrote to memory of 4912	6080	PowerShell.exe	94
PID 6080 wrote to memory of 4940	6080	PowerShell.exe	95
PID 6080 wrote to memory of 4940	6080	PowerShell.exe	95
PID 6080 wrote to memory of 4856	6080	PowerShell.exe	96
PID 6080 wrote to memory of 4856	6080	PowerShell.exe	96
PID 6080 wrote to memory of 4976	6080	PowerShell.exe	97
PID 6080 wrote to memory of 4976	6080	PowerShell.exe	97
PID 6080 wrote to memory of 5028	6080	PowerShell.exe	98
PID 6080 wrote to memory of 5028	6080	PowerShell.exe	98
PID 6080 wrote to memory of 5040	6080	PowerShell.exe	99
PID 6080 wrote to memory of 5040	6080	PowerShell.exe	99
PID 6080 wrote to memory of 5232	6080	PowerShell.exe	100
PID 6080 wrote to memory of 5232	6080	PowerShell.exe	100
PID 6080 wrote to memory of 2296	6080	PowerShell.exe	101
PID 6080 wrote to memory of 2296	6080	PowerShell.exe	101
PID 6080 wrote to memory of 4560	6080	PowerShell.exe	102
PID 6080 wrote to memory of 4560	6080	PowerShell.exe	102
PID 6080 wrote to memory of 8	6080	PowerShell.exe	103
PID 6080 wrote to memory of 8	6080	PowerShell.exe	103
PID 6080 wrote to memory of 980	6080	PowerShell.exe	104
PID 6080 wrote to memory of 980	6080	PowerShell.exe	104
PID 6080 wrote to memory of 428	6080	PowerShell.exe	105
PID 6080 wrote to memory of 428	6080	PowerShell.exe	105
PID 6080 wrote to memory of 472	6080	PowerShell.exe	106
PID 6080 wrote to memory of 472	6080	PowerShell.exe	106
PID 6080 wrote to memory of 1908	6080	PowerShell.exe	107
PID 6080 wrote to memory of 1908	6080	PowerShell.exe	107
PID 6080 wrote to memory of 460	6080	PowerShell.exe	108
PID 6080 wrote to memory of 460	6080	PowerShell.exe	108
PID 6080 wrote to memory of 3952	6080	PowerShell.exe	109
PID 6080 wrote to memory of 3952	6080	PowerShell.exe	109
PID 6080 wrote to memory of 2408	6080	PowerShell.exe	110
PID 6080 wrote to memory of 2408	6080	PowerShell.exe	110

C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell.exe
powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\philerbum.ps1
1⤵
- Drops file in Drivers directory
- Manipulates Digital Signatures
- Boot or Logon Autostart Execution: Print Processors
- Indicator Removal: Clear Windows Event Logs
- Drops file in System32 directory
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:6080
- C:\Windows\system32\takeown.exe
  "C:\Windows\system32\takeown.exe" /F C:\Windows\System32\0409 /A /R /D Y
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:4488
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" C:\Windows\System32\0409 /grant /T /C
  2⤵
  PID:5448
- C:\Windows\system32\takeown.exe
  "C:\Windows\system32\takeown.exe" /F C:\Windows\System32\AdvancedInstallers /A /R /D Y
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:5520
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" C:\Windows\System32\AdvancedInstallers /grant /T /C
  2⤵
  PID:4380
- C:\Windows\system32\takeown.exe
  "C:\Windows\system32\takeown.exe" /F C:\Windows\System32\AppLocker /A /R /D Y
  2⤵
  PID:1520
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" C:\Windows\System32\AppLocker /grant /T /C
  2⤵
  PID:4032
- C:\Windows\system32\takeown.exe
  "C:\Windows\system32\takeown.exe" /F C:\Windows\System32\appraiser /A /R /D Y
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:4036
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" C:\Windows\System32\appraiser /grant /T /C
  2⤵
  PID:1600
- C:\Windows\system32\takeown.exe
  "C:\Windows\system32\takeown.exe" /F C:\Windows\System32\AppV /A /R /D Y
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:4140
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" C:\Windows\System32\AppV /grant /T /C
  2⤵
  PID:5804
- C:\Windows\system32\takeown.exe
  "C:\Windows\system32\takeown.exe" /F C:\Windows\System32\ar-SA /A /R /D Y
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:4300
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" C:\Windows\System32\ar-SA /grant /T /C
  2⤵
  - Possible privilege escalation attempt
  PID:4816
- C:\Windows\system32\takeown.exe
  "C:\Windows\system32\takeown.exe" /F C:\Windows\System32\bg-BG /A /R /D Y
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:4788
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" C:\Windows\System32\bg-BG /grant /T /C
  2⤵
  PID:4780
- C:\Windows\system32\takeown.exe
  "C:\Windows\system32\takeown.exe" /F C:\Windows\System32\Boot /A /R /D Y
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:4868
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" C:\Windows\System32\Boot /grant /T /C
  2⤵
  PID:4912
- C:\Windows\system32\takeown.exe
  "C:\Windows\system32\takeown.exe" /F C:\Windows\System32\Bthprops /A /R /D Y
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:4940
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" C:\Windows\System32\Bthprops /grant /T /C
  2⤵
  PID:4856
- C:\Windows\system32\takeown.exe
  "C:\Windows\system32\takeown.exe" /F C:\Windows\System32\ca-ES /A /R /D Y
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:4976
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" C:\Windows\System32\ca-ES /grant /T /C
  2⤵
  PID:5028
- C:\Windows\system32\takeown.exe
  "C:\Windows\system32\takeown.exe" /F C:\Windows\System32\CatRoot /A /R /D Y
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:5040
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" C:\Windows\System32\CatRoot /grant /T /C
  2⤵
  PID:5232
- C:\Windows\system32\takeown.exe
  "C:\Windows\system32\takeown.exe" /F C:\Windows\System32\catroot2 /A /R /D Y
  2⤵
  PID:2296
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" C:\Windows\System32\catroot2 /grant /T /C
  2⤵
  PID:4560
- C:\Windows\system32\takeown.exe
  "C:\Windows\system32\takeown.exe" /F C:\Windows\System32\CodeIntegrity /A /R /D Y
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:8
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" C:\Windows\System32\CodeIntegrity /grant /T /C
  2⤵
  PID:980
- C:\Windows\system32\takeown.exe
  "C:\Windows\system32\takeown.exe" /F C:\Windows\System32\Com /A /R /D Y
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:428
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" C:\Windows\System32\Com /grant /T /C
  2⤵
  PID:472
- C:\Windows\system32\takeown.exe
  "C:\Windows\system32\takeown.exe" /F C:\Windows\System32\config /A /R /D Y
  2⤵
  PID:1908
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" C:\Windows\System32\config /grant /T /C
  2⤵
  PID:460
- C:\Windows\system32\takeown.exe
  "C:\Windows\system32\takeown.exe" /F C:\Windows\System32\Configuration /A /R /D Y
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:3952
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" C:\Windows\System32\Configuration /grant /T /C
  2⤵
  PID:2408
- C:\Windows\system32\takeown.exe
  "C:\Windows\system32\takeown.exe" /F C:\Windows\System32\cs-CZ /A /R /D Y
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:3068
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" C:\Windows\System32\cs-CZ /grant /T /C
  2⤵
  PID:3756
- C:\Windows\system32\takeown.exe
  "C:\Windows\system32\takeown.exe" /F C:\Windows\System32\da-DK /A /R /D Y
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:5112
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" C:\Windows\System32\da-DK /grant /T /C
  2⤵
  PID:6044
- C:\Windows\system32\takeown.exe
  "C:\Windows\system32\takeown.exe" /F C:\Windows\System32\DDFs /A /R /D Y
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:4396
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" C:\Windows\System32\DDFs /grant /T /C
  2⤵
  PID:2432
- C:\Windows\system32\takeown.exe
  "C:\Windows\system32\takeown.exe" /F C:\Windows\System32\de /A /R /D Y
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2328
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" C:\Windows\System32\de /grant /T /C
  2⤵
  PID:2728
- C:\Windows\system32\takeown.exe
  "C:\Windows\system32\takeown.exe" /F C:\Windows\System32\de-DE /A /R /D Y
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:1416
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" C:\Windows\System32\de-DE /grant /T /C
  2⤵
  - Modifies file permissions
  PID:560
- C:\Windows\system32\takeown.exe
  "C:\Windows\system32\takeown.exe" /F C:\Windows\System32\DiagSvcs /A /R /D Y
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2248
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" C:\Windows\System32\DiagSvcs /grant /T /C
  2⤵
  PID:2180
- C:\Windows\system32\takeown.exe
  "C:\Windows\system32\takeown.exe" /F C:\Windows\System32\Dism /A /R /D Y
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2148
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" C:\Windows\System32\Dism /grant /T /C
  2⤵
  PID:5096
- C:\Windows\system32\takeown.exe
  "C:\Windows\system32\takeown.exe" /F C:\Windows\System32\downlevel /A /R /D Y
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2440
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" C:\Windows\System32\downlevel /grant /T /C
  2⤵
  PID:3432
- C:\Windows\system32\takeown.exe
  "C:\Windows\system32\takeown.exe" /F C:\Windows\System32\drivers /A /R /D Y
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:1148
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" C:\Windows\System32\drivers /grant /T /C
  2⤵
  PID:5400
- C:\Windows\system32\takeown.exe
  "C:\Windows\system32\takeown.exe" /F C:\Windows\System32\DriverState /A /R /D Y
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:5316
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" C:\Windows\System32\DriverState /grant /T /C
  2⤵
  PID:5296
- C:\Windows\system32\takeown.exe
  "C:\Windows\system32\takeown.exe" /F C:\Windows\System32\DriverStore /A /R /D Y
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:1836
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" C:\Windows\System32\DriverStore /grant /T /C
  2⤵
  PID:1132
- C:\Windows\system32\takeown.exe
  "C:\Windows\system32\takeown.exe" /F C:\Windows\System32\dsc /A /R /D Y
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2824
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" C:\Windows\System32\dsc /grant /T /C
  2⤵
  PID:3540
- C:\Windows\system32\takeown.exe
  "C:\Windows\system32\takeown.exe" /F C:\Windows\System32\el-GR /A /R /D Y
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:4264
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" C:\Windows\System32\el-GR /grant /T /C
  2⤵
  PID:2764
- C:\Windows\system32\takeown.exe
  "C:\Windows\system32\takeown.exe" /F C:\Windows\System32\en /A /R /D Y
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:1424
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" C:\Windows\System32\en /grant /T /C
  2⤵
  PID:1656
- C:\Windows\system32\takeown.exe
  "C:\Windows\system32\takeown.exe" /F C:\Windows\System32\en-GB /A /R /D Y
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:1008
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" C:\Windows\System32\en-GB /grant /T /C
  2⤵
  PID:4052
- C:\Windows\system32\takeown.exe
  "C:\Windows\system32\takeown.exe" /F C:\Windows\System32\en-US /A /R /D Y
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:4636
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" C:\Windows\System32\en-US /grant /T /C
  2⤵
  PID:6052
- C:\Windows\system32\takeown.exe
  "C:\Windows\system32\takeown.exe" /F C:\Windows\System32\es /A /R /D Y
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:1964
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" C:\Windows\System32\es /grant /T /C
  2⤵
  PID:3156
- C:\Windows\system32\takeown.exe
  "C:\Windows\system32\takeown.exe" /F C:\Windows\System32\es-ES /A /R /D Y
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:3476
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" C:\Windows\System32\es-ES /grant /T /C
  2⤵
  PID:1232
- C:\Windows\system32\takeown.exe
  "C:\Windows\system32\takeown.exe" /F C:\Windows\System32\es-MX /A /R /D Y
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2864
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" C:\Windows\System32\es-MX /grant /T /C
  2⤵
  PID:4336
- C:\Windows\system32\takeown.exe
  "C:\Windows\system32\takeown.exe" /F C:\Windows\System32\et-EE /A /R /D Y
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:5840
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" C:\Windows\System32\et-EE /grant /T /C
  2⤵
  PID:480
- C:\Windows\system32\takeown.exe
  "C:\Windows\system32\takeown.exe" /F C:\Windows\System32\eu-ES /A /R /D Y
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:3560
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" C:\Windows\System32\eu-ES /grant /T /C
  2⤵
  PID:1848
- C:\Windows\system32\takeown.exe
  "C:\Windows\system32\takeown.exe" /F C:\Windows\System32\F12 /A /R /D Y
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:4552
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" C:\Windows\System32\F12 /grant /T /C
  2⤵
  PID:1376
- C:\Windows\system32\takeown.exe
  "C:\Windows\system32\takeown.exe" /F C:\Windows\System32\fi-FI /A /R /D Y
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2476
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" C:\Windows\System32\fi-FI /grant /T /C
  2⤵
  PID:6012
- C:\Windows\system32\takeown.exe
  "C:\Windows\system32\takeown.exe" /F C:\Windows\System32\fr /A /R /D Y
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:4576
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" C:\Windows\System32\fr /grant /T /C
  2⤵
  PID:1176
- C:\Windows\system32\takeown.exe
  "C:\Windows\system32\takeown.exe" /F C:\Windows\System32\fr-CA /A /R /D Y
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:4668
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" C:\Windows\System32\fr-CA /grant /T /C
  2⤵
  PID:748
- C:\Windows\system32\takeown.exe
  "C:\Windows\system32\takeown.exe" /F C:\Windows\System32\fr-FR /A /R /D Y
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:3916
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" C:\Windows\System32\fr-FR /grant /T /C
  2⤵
  PID:3436
- C:\Windows\system32\takeown.exe
  "C:\Windows\system32\takeown.exe" /F C:\Windows\System32\FxsTmp /A /R /D Y
  2⤵
  PID:1936
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" C:\Windows\System32\FxsTmp /grant /T /C
  2⤵
  PID:792
- C:\Windows\system32\takeown.exe
  "C:\Windows\system32\takeown.exe" /F C:\Windows\System32\gl-ES /A /R /D Y
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:5124
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" C:\Windows\System32\gl-ES /grant /T /C
  2⤵
  PID:3040
- C:\Windows\system32\takeown.exe
  "C:\Windows\system32\takeown.exe" /F C:\Windows\System32\GroupPolicy /A /R /D Y
  2⤵
  PID:4672
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" C:\Windows\System32\GroupPolicy /grant /T /C
  2⤵
  PID:4228
- C:\Windows\system32\takeown.exe
  "C:\Windows\system32\takeown.exe" /F C:\Windows\System32\GroupPolicyUsers /A /R /D Y
  2⤵
  - Possible privilege escalation attempt
  PID:3720
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" C:\Windows\System32\GroupPolicyUsers /grant /T /C
  2⤵
  PID:6096
- C:\Windows\system32\takeown.exe
  "C:\Windows\system32\takeown.exe" /F C:\Windows\System32\he-IL /A /R /D Y
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:5376
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" C:\Windows\System32\he-IL /grant /T /C
  2⤵
  PID:5444
- C:\Windows\system32\takeown.exe
  "C:\Windows\system32\takeown.exe" /F C:\Windows\System32\HealthAttestationClient /A /R /D Y
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:5176
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" C:\Windows\System32\HealthAttestationClient /grant /T /C
  2⤵
  PID:5072
- C:\Windows\system32\takeown.exe
  "C:\Windows\system32\takeown.exe" /F C:\Windows\System32\hr-HR /A /R /D Y
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:1948
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" C:\Windows\System32\hr-HR /grant /T /C
  2⤵
  PID:5796
- C:\Windows\system32\takeown.exe
  "C:\Windows\system32\takeown.exe" /F C:\Windows\System32\hu-HU /A /R /D Y
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:1564
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" C:\Windows\System32\hu-HU /grant /T /C
  2⤵
  PID:2876
- C:\Windows\system32\takeown.exe
  "C:\Windows\system32\takeown.exe" /F C:\Windows\System32\Hydrogen /A /R /D Y
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2096
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" C:\Windows\System32\Hydrogen /grant /T /C
  2⤵
  PID:476
- C:\Windows\system32\takeown.exe
  "C:\Windows\system32\takeown.exe" /F C:\Windows\System32\ias /A /R /D Y
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:4604
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" C:\Windows\System32\ias /grant /T /C
  2⤵
  PID:2192
- C:\Windows\system32\takeown.exe
  "C:\Windows\system32\takeown.exe" /F C:\Windows\System32\icsxml /A /R /D Y
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:1072
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" C:\Windows\System32\icsxml /grant /T /C
  2⤵
  PID:1808
- C:\Windows\system32\takeown.exe
  "C:\Windows\system32\takeown.exe" /F C:\Windows\System32\id-ID /A /R /D Y
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:3064
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" C:\Windows\System32\id-ID /grant /T /C
  2⤵
  PID:828
- C:\Windows\system32\takeown.exe
  "C:\Windows\system32\takeown.exe" /F C:\Windows\System32\IME /A /R /D Y
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:5016
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" C:\Windows\System32\IME /grant /T /C
  2⤵
  PID:2704
- C:\Windows\system32\takeown.exe
  "C:\Windows\system32\takeown.exe" /F C:\Windows\System32\inetsrv /A /R /D Y
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2896
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" C:\Windows\System32\inetsrv /grant /T /C
  2⤵
  PID:1352
- C:\Windows\system32\takeown.exe
  "C:\Windows\system32\takeown.exe" /F C:\Windows\System32\InputMethod /A /R /D Y
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:6004
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" C:\Windows\System32\InputMethod /grant /T /C
  2⤵
  PID:2772
- C:\Windows\system32\takeown.exe
  "C:\Windows\system32\takeown.exe" /F C:\Windows\System32\Ipmi /A /R /D Y
  2⤵
  PID:2268
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" C:\Windows\System32\Ipmi /grant /T /C
  2⤵
  PID:3056
- C:\Windows\system32\takeown.exe
  "C:\Windows\system32\takeown.exe" /F C:\Windows\System32\it /A /R /D Y
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:1468
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" C:\Windows\System32\it /grant /T /C
  2⤵
  PID:1444
- C:\Windows\system32\takeown.exe
  "C:\Windows\system32\takeown.exe" /F C:\Windows\System32\it-IT /A /R /D Y
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2528
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" C:\Windows\System32\it-IT /grant /T /C
  2⤵
  PID:412
- C:\Windows\system32\takeown.exe
  "C:\Windows\system32\takeown.exe" /F C:\Windows\System32\ja /A /R /D Y
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2400
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" C:\Windows\System32\ja /grant /T /C
  2⤵
  PID:5728
- C:\Windows\system32\takeown.exe
  "C:\Windows\system32\takeown.exe" /F C:\Windows\System32\ja-jp /A /R /D Y
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:5648
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" C:\Windows\System32\ja-jp /grant /T /C
  2⤵
  PID:568
- C:\Windows\system32\takeown.exe
  "C:\Windows\system32\takeown.exe" /F C:\Windows\System32\Keywords /A /R /D Y
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:5604
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" C:\Windows\System32\Keywords /grant /T /C
  2⤵
  PID:5536
- C:\Windows\system32\takeown.exe
  "C:\Windows\system32\takeown.exe" /F C:\Windows\System32\ko-KR /A /R /D Y
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:5572
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" C:\Windows\System32\ko-KR /grant /T /C
  2⤵
  PID:2580
- C:\Windows\system32\takeown.exe
  "C:\Windows\system32\takeown.exe" /F C:\Windows\System32\Licenses /A /R /D Y
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:3112
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" C:\Windows\System32\Licenses /grant /T /C
  2⤵
  PID:2544
- C:\Windows\system32\takeown.exe
  "C:\Windows\system32\takeown.exe" /F C:\Windows\System32\LogFiles /A /R /D Y
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:5688
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" C:\Windows\System32\LogFiles /grant /T /C
  2⤵
  PID:4344
- C:\Windows\system32\takeown.exe
  "C:\Windows\system32\takeown.exe" /F C:\Windows\System32\lt-LT /A /R /D Y
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:4664
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" C:\Windows\System32\lt-LT /grant /T /C
  2⤵
  PID:5560
- C:\Windows\system32\takeown.exe
  "C:\Windows\system32\takeown.exe" /F C:\Windows\System32\lv-LV /A /R /D Y
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2344
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" C:\Windows\System32\lv-LV /grant /T /C
  2⤵
  PID:1536
- C:\Windows\system32\takeown.exe
  "C:\Windows\system32\takeown.exe" /F C:\Windows\System32\lxss /A /R /D Y
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2592
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" C:\Windows\System32\lxss /grant /T /C
  2⤵
  PID:4188
- C:\Windows\system32\takeown.exe
  "C:\Windows\system32\takeown.exe" /F C:\Windows\System32\MailContactsCalendarSync /A /R /D Y
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:4624
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" C:\Windows\System32\MailContactsCalendarSync /grant /T /C
  2⤵
  PID:4652
- C:\Windows\system32\takeown.exe
  "C:\Windows\system32\takeown.exe" /F C:\Windows\System32\Microsoft /A /R /D Y
  2⤵
  PID:1740
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" C:\Windows\System32\Microsoft /grant /T /C
  2⤵
  PID:1780
- C:\Windows\system32\takeown.exe
  "C:\Windows\system32\takeown.exe" /F C:\Windows\System32\migration /A /R /D Y
  2⤵
  PID:4700
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" C:\Windows\System32\migration /grant /T /C
  2⤵
  PID:3124
- C:\Windows\system32\takeown.exe
  "C:\Windows\system32\takeown.exe" /F C:\Windows\System32\migwiz /A /R /D Y
  2⤵
  PID:3532
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" C:\Windows\System32\migwiz /grant /T /C
  2⤵
  PID:3088
- C:\Windows\system32\takeown.exe
  "C:\Windows\system32\takeown.exe" /F C:\Windows\System32\MSDRM /A /R /D Y
  2⤵
  PID:224
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" C:\Windows\System32\MSDRM /grant /T /C
  2⤵
  PID:5872
- C:\Windows\system32\takeown.exe
  "C:\Windows\system32\takeown.exe" /F C:\Windows\System32\MsDtc /A /R /D Y
  2⤵
  - Modifies file permissions
  PID:3392
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" C:\Windows\System32\MsDtc /grant /T /C
  2⤵
  PID:4564
- C:\Windows\system32\takeown.exe
  "C:\Windows\system32\takeown.exe" /F C:\Windows\System32\MUI /A /R /D Y
  2⤵
  PID:5044
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" C:\Windows\System32\MUI /grant /T /C
  2⤵
  PID:1624
- C:\Windows\system32\takeown.exe
  "C:\Windows\system32\takeown.exe" /F C:\Windows\System32\nb-NO /A /R /D Y
  2⤵
  PID:4696
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" C:\Windows\System32\nb-NO /grant /T /C
  2⤵
  PID:4812
- C:\Windows\system32\takeown.exe
  "C:\Windows\system32\takeown.exe" /F C:\Windows\System32\NDF /A /R /D Y
  2⤵
  PID:4804
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" C:\Windows\System32\NDF /grant /T /C
  2⤵
  PID:4772
- C:\Windows\system32\takeown.exe
  "C:\Windows\system32\takeown.exe" /F C:\Windows\System32\networklist /A /R /D Y
  2⤵
  PID:4836
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" C:\Windows\System32\networklist /grant /T /C
  2⤵
  PID:4748
- C:\Windows\system32\takeown.exe
  "C:\Windows\system32\takeown.exe" /F C:\Windows\System32\nl-NL /A /R /D Y
  2⤵
  PID:4844
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" C:\Windows\System32\nl-NL /grant /T /C
  2⤵
  PID:4948
- C:\Windows\system32\takeown.exe
  "C:\Windows\system32\takeown.exe" /F C:\Windows\System32\Nui /A /R /D Y
  2⤵
  PID:4968
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" C:\Windows\System32\Nui /grant /T /C
  2⤵
  PID:4860
- C:\Windows\system32\takeown.exe
  "C:\Windows\system32\takeown.exe" /F C:\Windows\System32\oobe /A /R /D Y
  2⤵
  PID:5032
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" C:\Windows\System32\oobe /grant /T /C
  2⤵
  PID:5388
- C:\Windows\system32\takeown.exe
  "C:\Windows\system32\takeown.exe" /F C:\Windows\System32\OpenSSH /A /R /D Y
  2⤵
  PID:2548
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" C:\Windows\System32\OpenSSH /grant /T /C
  2⤵
  PID:5060
- C:\Windows\system32\takeown.exe
  "C:\Windows\system32\takeown.exe" /F C:\Windows\System32\Pbr /A /R /D Y
  2⤵
  PID:5232
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" C:\Windows\System32\Pbr /grant /T /C
  2⤵
  PID:3272
- C:\Windows\system32\takeown.exe
  "C:\Windows\system32\takeown.exe" /F C:\Windows\System32\PerceptionSimulation /A /R /D Y
  2⤵
  PID:5912
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" C:\Windows\System32\PerceptionSimulation /grant /T /C
  2⤵
  PID:5332
- C:\Windows\system32\takeown.exe
  "C:\Windows\system32\takeown.exe" /F C:\Windows\System32\pl-PL /A /R /D Y
  2⤵
  PID:1108
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" C:\Windows\System32\pl-PL /grant /T /C
  2⤵
  PID:4240
- C:\Windows\system32\takeown.exe
  "C:\Windows\system32\takeown.exe" /F C:\Windows\System32\PointOfService /A /R /D Y
  2⤵
  PID:3448
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" C:\Windows\System32\PointOfService /grant /T /C
  2⤵
  PID:2856
- C:\Windows\system32\takeown.exe
  "C:\Windows\system32\takeown.exe" /F C:\Windows\System32\Printing_Admin_Scripts /A /R /D Y
  2⤵
  PID:1464
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" C:\Windows\System32\Printing_Admin_Scripts /grant /T /C
  2⤵
  PID:4620
- C:\Windows\system32\takeown.exe
  "C:\Windows\system32\takeown.exe" /F C:\Windows\System32\ProximityToast /A /R /D Y
  2⤵
  PID:5200
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" C:\Windows\System32\ProximityToast /grant /T /C
  2⤵
  PID:5960
- C:\Windows\system32\takeown.exe
  "C:\Windows\system32\takeown.exe" /F C:\Windows\System32\pt-BR /A /R /D Y
  2⤵
  PID:1224
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" C:\Windows\System32\pt-BR /grant /T /C
  2⤵
  PID:3568
- C:\Windows\system32\takeown.exe
  "C:\Windows\system32\takeown.exe" /F C:\Windows\System32\pt-PT /A /R /D Y
  2⤵
  PID:3136
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" C:\Windows\System32\pt-PT /grant /T /C
  2⤵
  PID:5564
- C:\Windows\system32\takeown.exe
  "C:\Windows\system32\takeown.exe" /F C:\Windows\System32\ras /A /R /D Y
  2⤵
  PID:5880
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" C:\Windows\System32\ras /grant /T /C
  2⤵
  - Possible privilege escalation attempt
  PID:4600
- C:\Windows\system32\takeown.exe
  "C:\Windows\system32\takeown.exe" /F C:\Windows\System32\RasToast /A /R /D Y
  2⤵
  PID:2320
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" C:\Windows\System32\RasToast /grant /T /C
  2⤵
  PID:2312
- C:\Windows\system32\takeown.exe
  "C:\Windows\system32\takeown.exe" /F C:\Windows\System32\Recovery /A /R /D Y
  2⤵
  PID:4560
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" C:\Windows\System32\Recovery /grant /T /C
  2⤵
  PID:8
- C:\Windows\system32\takeown.exe
  "C:\Windows\system32\takeown.exe" /F C:\Windows\System32\restore /A /R /D Y
  2⤵
  PID:756
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" C:\Windows\System32\restore /grant /T /C
  2⤵
  PID:5680
- C:\Windows\system32\takeown.exe
  "C:\Windows\system32\takeown.exe" /F C:\Windows\System32\ro-RO /A /R /D Y
  2⤵
  PID:744
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" C:\Windows\System32\ro-RO /grant /T /C
  2⤵
  PID:5100
- C:\Windows\system32\takeown.exe
  "C:\Windows\system32\takeown.exe" /F C:\Windows\System32\ru-RU /A /R /D Y
  2⤵
  PID:4588
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" C:\Windows\System32\ru-RU /grant /T /C
  2⤵
  PID:3952
- C:\Windows\system32\takeown.exe
  "C:\Windows\system32\takeown.exe" /F C:\Windows\System32\SecureBootUpdates /A /R /D Y
  2⤵
  PID:1932
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" C:\Windows\System32\SecureBootUpdates /grant /T /C
  2⤵
  PID:4476
- C:\Windows\system32\takeown.exe
  "C:\Windows\system32\takeown.exe" /F C:\Windows\System32\setup /A /R /D Y
  2⤵
  PID:5888
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" C:\Windows\System32\setup /grant /T /C
  2⤵
  PID:3592
- C:\Windows\system32\takeown.exe
  "C:\Windows\system32\takeown.exe" /F C:\Windows\System32\Sgrm /A /R /D Y
  2⤵
  PID:1860
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" C:\Windows\System32\Sgrm /grant /T /C
  2⤵
  PID:3140
- C:\Windows\system32\takeown.exe
  "C:\Windows\system32\takeown.exe" /F C:\Windows\System32\ShellExperiences /A /R /D Y
  2⤵
  PID:3052
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" C:\Windows\System32\ShellExperiences /grant /T /C
  2⤵
  PID:236
- C:\Windows\system32\takeown.exe
  "C:\Windows\system32\takeown.exe" /F C:\Windows\System32\sk-SK /A /R /D Y
  2⤵
  PID:2356
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" C:\Windows\System32\sk-SK /grant /T /C
  2⤵
  PID:3080
- C:\Windows\system32\takeown.exe
  "C:\Windows\system32\takeown.exe" /F C:\Windows\System32\sl-SI /A /R /D Y
  2⤵
  PID:952
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" C:\Windows\System32\sl-SI /grant /T /C
  2⤵
  PID:1416
- C:\Windows\system32\takeown.exe
  "C:\Windows\system32\takeown.exe" /F C:\Windows\System32\SleepStudy /A /R /D Y
  2⤵
  PID:4492
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" C:\Windows\System32\SleepStudy /grant /T /C
  2⤵
  PID:5476
- C:\Windows\system32\takeown.exe
  "C:\Windows\system32\takeown.exe" /F C:\Windows\System32\slmgr /A /R /D Y
  2⤵
  PID:2160
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" C:\Windows\System32\slmgr /grant /T /C
  2⤵
  PID:2176
- C:\Windows\system32\takeown.exe
  "C:\Windows\system32\takeown.exe" /F C:\Windows\System32\SMI /A /R /D Y
  2⤵
  PID:2264
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" C:\Windows\System32\SMI /grant /T /C
  2⤵
  PID:2776
- C:\Windows\system32\takeown.exe
  "C:\Windows\system32\takeown.exe" /F C:\Windows\System32\Speech /A /R /D Y
  2⤵
  PID:6064
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" C:\Windows\System32\Speech /grant /T /C
  2⤵
  PID:5724
- C:\Windows\system32\takeown.exe
  "C:\Windows\system32\takeown.exe" /F C:\Windows\System32\Speech_OneCore /A /R /D Y
  2⤵
  PID:2440
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" C:\Windows\System32\Speech_OneCore /grant /T /C
  2⤵
  PID:1148
- C:\Windows\system32\takeown.exe
  "C:\Windows\system32\takeown.exe" /F C:\Windows\System32\spool /A /R /D Y
  2⤵
  PID:5400
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" C:\Windows\System32\spool /grant /T /C
  2⤵
  PID:5316
- C:\Windows\system32\takeown.exe
  "C:\Windows\system32\takeown.exe" /F C:\Windows\System32\spp /A /R /D Y
  2⤵
  PID:5296
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" C:\Windows\System32\spp /grant /T /C
  2⤵
  PID:2804
- C:\Windows\system32\takeown.exe
  "C:\Windows\system32\takeown.exe" /F C:\Windows\System32\sppui /A /R /D Y
  2⤵
  PID:3716
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" C:\Windows\System32\sppui /grant /T /C
  2⤵
  PID:5272
- C:\Windows\system32\takeown.exe
  "C:\Windows\system32\takeown.exe" /F C:\Windows\System32\sr-Latn-RS /A /R /D Y
  2⤵
  PID:2708
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" C:\Windows\System32\sr-Latn-RS /grant /T /C
  2⤵
  PID:5108
- C:\Windows\system32\takeown.exe
  "C:\Windows\system32\takeown.exe" /F C:\Windows\System32\sru /A /R /D Y
  2⤵
  PID:852
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" C:\Windows\System32\sru /grant /T /C
  2⤵
  PID:1420
- C:\Windows\system32\takeown.exe
  "C:\Windows\system32\takeown.exe" /F C:\Windows\System32\sv-SE /A /R /D Y
  2⤵
  PID:824
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" C:\Windows\System32\sv-SE /grant /T /C
  2⤵
  PID:6056
- C:\Windows\system32\takeown.exe
  "C:\Windows\system32\takeown.exe" /F C:\Windows\System32\Sysprep /A /R /D Y
  2⤵
  PID:4412
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" C:\Windows\System32\Sysprep /grant /T /C
  2⤵
  PID:3904
- C:\Windows\system32\takeown.exe
  "C:\Windows\system32\takeown.exe" /F C:\Windows\System32\SystemResetPlatform /A /R /D Y
  2⤵
  PID:892
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" C:\Windows\System32\SystemResetPlatform /grant /T /C
  2⤵
  PID:3540
- C:\Windows\system32\takeown.exe
  "C:\Windows\system32\takeown.exe" /F C:\Windows\System32\Tasks /A /R /D Y
  2⤵
  PID:4568
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" C:\Windows\System32\Tasks /grant /T /C
  2⤵
  PID:4264
- C:\Windows\system32\takeown.exe
  "C:\Windows\system32\takeown.exe" /F C:\Windows\System32\th-TH /A /R /D Y
  2⤵
  PID:2892
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" C:\Windows\System32\th-TH /grant /T /C
  2⤵
  PID:1424
- C:\Windows\system32\takeown.exe
  "C:\Windows\system32\takeown.exe" /F C:\Windows\System32\tr-TR /A /R /D Y
  2⤵
  PID:1092
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" C:\Windows\System32\tr-TR /grant /T /C
  2⤵
  PID:1008
- C:\Windows\system32\takeown.exe
  "C:\Windows\system32\takeown.exe" /F C:\Windows\System32\uk /A /R /D Y
  2⤵
  PID:5696
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" C:\Windows\System32\uk /grant /T /C
  2⤵
  PID:4636
- C:\Windows\system32\takeown.exe
  "C:\Windows\system32\takeown.exe" /F C:\Windows\System32\uk-UA /A /R /D Y
  2⤵
  PID:5196
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" C:\Windows\System32\uk-UA /grant /T /C
  2⤵
  - Modifies file permissions
  PID:5652
- C:\Windows\system32\takeown.exe
  "C:\Windows\system32\takeown.exe" /F C:\Windows\System32\UNP /A /R /D Y
  2⤵
  PID:1232
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" C:\Windows\System32\UNP /grant /T /C
  2⤵
  PID:2932
- C:\Windows\system32\takeown.exe
  "C:\Windows\system32\takeown.exe" /F C:\Windows\System32\vi-VN /A /R /D Y
  2⤵
  PID:4480
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" C:\Windows\System32\vi-VN /grant /T /C
  2⤵
  PID:5820
- C:\Windows\system32\takeown.exe
  "C:\Windows\system32\takeown.exe" /F C:\Windows\System32\wbem /A /R /D Y
  2⤵
  PID:480
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" C:\Windows\System32\wbem /grant /T /C
  2⤵
  PID:1572
- C:\Windows\system32\takeown.exe
  "C:\Windows\system32\takeown.exe" /F C:\Windows\System32\WCN /A /R /D Y
  2⤵
  PID:3560
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" C:\Windows\System32\WCN /grant /T /C
  2⤵
  PID:5700
- C:\Windows\system32\takeown.exe
  "C:\Windows\system32\takeown.exe" /F C:\Windows\System32\WDI /A /R /D Y
  2⤵
  PID:4552
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" C:\Windows\System32\WDI /grant /T /C
  2⤵
  PID:4892
- C:\Windows\system32\takeown.exe
  "C:\Windows\system32\takeown.exe" /F C:\Windows\System32\WinBioDatabase /A /R /D Y
  2⤵
  PID:2476
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" C:\Windows\System32\WinBioDatabase /grant /T /C
  2⤵
  PID:6140
- C:\Windows\system32\takeown.exe
  "C:\Windows\system32\takeown.exe" /F C:\Windows\System32\WinBioPlugIns /A /R /D Y
  2⤵
  PID:4576
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" C:\Windows\System32\WinBioPlugIns /grant /T /C
  2⤵
  PID:5088
- C:\Windows\system32\takeown.exe
  "C:\Windows\system32\takeown.exe" /F C:\Windows\System32\WindowsPowerShell /A /R /D Y
  2⤵
  PID:4668
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" C:\Windows\System32\WindowsPowerShell /grant /T /C
  2⤵
  PID:3128
- C:\Windows\system32\takeown.exe
  "C:\Windows\system32\takeown.exe" /F C:\Windows\System32\winevt /A /R /D Y
  2⤵
  PID:2324
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" C:\Windows\System32\winevt /grant /T /C
  2⤵
  PID:2288
- C:\Windows\system32\takeown.exe
  "C:\Windows\system32\takeown.exe" /F C:\Windows\System32\WinMetadata /A /R /D Y
  2⤵
  PID:908
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" C:\Windows\System32\WinMetadata /grant /T /C
  2⤵
  PID:3040
- C:\Windows\system32\takeown.exe
  "C:\Windows\system32\takeown.exe" /F C:\Windows\System32\winrm /A /R /D Y
  2⤵
  PID:4672
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" C:\Windows\System32\winrm /grant /T /C
  2⤵
  PID:4228
- C:\Windows\system32\takeown.exe
  "C:\Windows\system32\takeown.exe" /F C:\Windows\System32\zh-CN /A /R /D Y
  2⤵
  PID:3720
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" C:\Windows\System32\zh-CN /grant /T /C
  2⤵
  PID:6096
- C:\Windows\system32\takeown.exe
  "C:\Windows\system32\takeown.exe" /F C:\Windows\System32\zh-TW /A /R /D Y
  2⤵
  PID:5428
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" C:\Windows\System32\zh-TW /grant /T /C
  2⤵
  PID:5444
- C:\Windows\system32\takeown.exe
  "C:\Windows\system32\takeown.exe" /F C:\Windows\System32\0ae3b998-9a38-4b72-a4c4-06849441518d_Servicing-Stack.dll /A /R /D Y
  2⤵
  PID:3912
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" C:\Windows\System32\0ae3b998-9a38-4b72-a4c4-06849441518d_Servicing-Stack.dll /grant /T /C
  2⤵
  PID:5072
- C:\Windows\system32\takeown.exe
  "C:\Windows\system32\takeown.exe" /F C:\Windows\System32\2zrh3mdese6zs.exe /A /R /D Y
  2⤵
  PID:3452
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" C:\Windows\System32\2zrh3mdese6zs.exe /grant /T /C
  2⤵
  PID:5796
- C:\Windows\system32\takeown.exe
  "C:\Windows\system32\takeown.exe" /F C:\Windows\System32\3qmmfpod5yao6.exe /A /R /D Y
  2⤵
  PID:1212
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" C:\Windows\System32\3qmmfpod5yao6.exe /grant /T /C
  2⤵
  PID:2876
- C:\Windows\system32\takeown.exe
  "C:\Windows\system32\takeown.exe" /F C:\Windows\System32\69fe178f-26e7-43a9-aa7d-2b616b672dde_eventlogservice.dll /A /R /D Y
  2⤵
  PID:3572
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" C:\Windows\System32\69fe178f-26e7-43a9-aa7d-2b616b672dde_eventlogservice.dll /grant /T /C
  2⤵
  PID:476
- C:\Windows\system32\takeown.exe
  "C:\Windows\system32\takeown.exe" /F C:\Windows\System32\6bea57fb-8dfb-4177-9ae8-42e8b3529933_RuntimeDeviceInstall.dll /A /R /D Y
  2⤵
  PID:4724
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" C:\Windows\System32\6bea57fb-8dfb-4177-9ae8-42e8b3529933_RuntimeDeviceInstall.dll /grant /T /C
  2⤵
  PID:2192
- C:\Windows\system32\takeown.exe
  "C:\Windows\system32\takeown.exe" /F C:\Windows\System32\@AdvancedKeySettingsNotification.png /A /R /D Y
  2⤵
  PID:5456
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" C:\Windows\System32\@AdvancedKeySettingsNotification.png /grant /T /C
  2⤵
  PID:1808
- C:\Windows\system32\takeown.exe
  "C:\Windows\system32\takeown.exe" /F C:\Windows\System32\@AppHelpToast.png /A /R /D Y
  2⤵
  PID:5932
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" C:\Windows\System32\@AppHelpToast.png /grant /T /C
  2⤵
  PID:828
- C:\Windows\system32\takeown.exe
  "C:\Windows\system32\takeown.exe" /F C:\Windows\System32\@AudioToastIcon.png /A /R /D Y
  2⤵
  PID:4184
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" C:\Windows\System32\@AudioToastIcon.png /grant /T /C
  2⤵
  PID:5128
- C:\Windows\system32\takeown.exe
  "C:\Windows\system32\takeown.exe" /F C:\Windows\System32\@BackgroundAccessToastIcon.png /A /R /D Y
  2⤵
  PID:3588
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" C:\Windows\System32\@BackgroundAccessToastIcon.png /grant /T /C
  2⤵
  PID:2220
- C:\Windows\system32\takeown.exe
  "C:\Windows\system32\takeown.exe" /F C:\Windows\System32\@bitlockertoastimage.png /A /R /D Y
  2⤵
  PID:2380
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" C:\Windows\System32\@bitlockertoastimage.png /grant /T /C
  2⤵
  PID:4076
- C:\Windows\system32\takeown.exe
  "C:\Windows\system32\takeown.exe" /F C:\Windows\System32\@edptoastimage.png /A /R /D Y
  2⤵
  PID:3152
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" C:\Windows\System32\@edptoastimage.png /grant /T /C
  2⤵
  PID:1892
- C:\Windows\system32\takeown.exe
  "C:\Windows\system32\takeown.exe" /F C:\Windows\System32\@EnrollmentToastIcon.png /A /R /D Y
  2⤵
  PID:588
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" C:\Windows\System32\@EnrollmentToastIcon.png /grant /T /C
  2⤵
  PID:5720
- C:\Windows\system32\takeown.exe
  "C:\Windows\system32\takeown.exe" /F C:\Windows\System32\@language_notification_icon.png /A /R /D Y
  2⤵
  PID:1244
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" C:\Windows\System32\@language_notification_icon.png /grant /T /C
  2⤵
  PID:2424
- C:\Windows\system32\takeown.exe
  "C:\Windows\system32\takeown.exe" /F C:\Windows\System32\@optionalfeatures.png /A /R /D Y
  2⤵
  PID:3884
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" C:\Windows\System32\@optionalfeatures.png /grant /T /C
  2⤵
  PID:5068
- C:\Windows\system32\takeown.exe
  "C:\Windows\system32\takeown.exe" /F C:\Windows\System32\@StorageSenseToastIcon.png /A /R /D Y
  2⤵
  PID:1204
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" C:\Windows\System32\@StorageSenseToastIcon.png /grant /T /C
  2⤵
  PID:5940
- C:\Windows\system32\takeown.exe
  "C:\Windows\system32\takeown.exe" /F C:\Windows\System32\@VpnToastIcon.png /A /R /D Y
  2⤵
  PID:1864
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" C:\Windows\System32\@VpnToastIcon.png /grant /T /C
  2⤵
  PID:3536
- C:\Windows\system32\takeown.exe
  "C:\Windows\system32\takeown.exe" /F C:\Windows\System32\@windows-hello-V4.1.gif /A /R /D Y
  2⤵
  PID:3736
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" C:\Windows\System32\@windows-hello-V4.1.gif /grant /T /C
  2⤵
  PID:200
- C:\Windows\system32\takeown.exe
  "C:\Windows\system32\takeown.exe" /F C:\Windows\System32\@WindowsHelloFaceToastIcon.png /A /R /D Y
  2⤵
  PID:3016
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" C:\Windows\System32\@WindowsHelloFaceToastIcon.png /grant /T /C
  2⤵
  PID:1476
- C:\Windows\system32\takeown.exe
  "C:\Windows\system32\takeown.exe" /F C:\Windows\System32\@WindowsUpdateToastIcon.contrast-black.png /A /R /D Y
  2⤵
  PID:5000
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" C:\Windows\System32\@WindowsUpdateToastIcon.contrast-black.png /grant /T /C
  2⤵
  PID:5576
- C:\Windows\system32\takeown.exe
  "C:\Windows\system32\takeown.exe" /F C:\Windows\System32\@WindowsUpdateToastIcon.contrast-white.png /A /R /D Y
  2⤵
  PID:2808
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" C:\Windows\System32\@WindowsUpdateToastIcon.contrast-white.png /grant /T /C
  2⤵
  PID:2796
- C:\Windows\system32\takeown.exe
  "C:\Windows\system32\takeown.exe" /F C:\Windows\System32\@WindowsUpdateToastIcon.png /A /R /D Y
  2⤵
  PID:1596
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" C:\Windows\System32\@WindowsUpdateToastIcon.png /grant /T /C
  2⤵
  PID:2904
- C:\Windows\system32\takeown.exe
  "C:\Windows\system32\takeown.exe" /F C:\Windows\System32\@WirelessDisplayToast.png /A /R /D Y
  2⤵
  PID:4640
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" C:\Windows\System32\@WirelessDisplayToast.png /grant /T /C
  2⤵
  PID:3112
- C:\Windows\system32\takeown.exe
  "C:\Windows\system32\takeown.exe" /F C:\Windows\System32\@WLOGO_48x48.png /A /R /D Y
  2⤵
  PID:960
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" C:\Windows\System32\@WLOGO_48x48.png /grant /T /C
  2⤵
  PID:2456
- C:\Windows\system32\takeown.exe
  "C:\Windows\system32\takeown.exe" /F C:\Windows\System32\aadauthhelper.dll /A /R /D Y
  2⤵
  PID:5636
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" C:\Windows\System32\aadauthhelper.dll /grant /T /C
  2⤵
  PID:3660
- C:\Windows\system32\takeown.exe
  "C:\Windows\system32\takeown.exe" /F C:\Windows\System32\aadcloudap.dll /A /R /D Y
  2⤵
  PID:2840
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" C:\Windows\System32\aadcloudap.dll /grant /T /C
  2⤵
  PID:4900
- C:\Windows\system32\takeown.exe
  "C:\Windows\system32\takeown.exe" /F C:\Windows\System32\aadjcsp.dll /A /R /D Y
  2⤵
  PID:1680
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" C:\Windows\System32\aadjcsp.dll /grant /T /C
  2⤵
  PID:4644
- C:\Windows\system32\takeown.exe
  "C:\Windows\system32\takeown.exe" /F C:\Windows\System32\aadtb.dll /A /R /D Y
  2⤵
  PID:4656
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" C:\Windows\System32\aadtb.dll /grant /T /C
  2⤵
  PID:4648
- C:\Windows\system32\takeown.exe
  "C:\Windows\system32\takeown.exe" /F C:\Windows\System32\aadWamExtension.dll /A /R /D Y
  2⤵
  PID:1972
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" C:\Windows\System32\aadWamExtension.dll /grant /T /C
  2⤵
  PID:992
- C:\Windows\system32\takeown.exe
  "C:\Windows\system32\takeown.exe" /F C:\Windows\System32\AarSvc.dll /A /R /D Y
  2⤵
  PID:228
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" C:\Windows\System32\AarSvc.dll /grant /T /C
  2⤵
  PID:5084
- C:\Windows\system32\takeown.exe
  "C:\Windows\system32\takeown.exe" /F C:\Windows\System32\AboutSettingsHandlers.dll /A /R /D Y
  2⤵
  PID:3956
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" C:\Windows\System32\AboutSettingsHandlers.dll /grant /T /C
  2⤵
  PID:3460
- C:\Windows\system32\takeown.exe
  "C:\Windows\system32\takeown.exe" /F C:\Windows\System32\AboveLockAppHost.dll /A /R /D Y
  2⤵
  PID:3532
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" C:\Windows\System32\AboveLockAppHost.dll /grant /T /C
  2⤵
  PID:2964
- C:\Windows\system32\takeown.exe
  "C:\Windows\system32\takeown.exe" /F C:\Windows\System32\accessibilitycpl.dll /A /R /D Y
  2⤵
  PID:5784
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" C:\Windows\System32\accessibilitycpl.dll /grant /T /C
  2⤵
  PID:5756
- C:\Windows\system32\takeown.exe
  "C:\Windows\system32\takeown.exe" /F C:\Windows\System32\accountaccessor.dll /A /R /D Y
  2⤵
  PID:5380
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" C:\Windows\System32\accountaccessor.dll /grant /T /C
  2⤵
  PID:2916
- C:\Windows\system32\takeown.exe
  "C:\Windows\system32\takeown.exe" /F C:\Windows\System32\AccountsRt.dll /A /R /D Y
  2⤵
  PID:3328
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" C:\Windows\System32\AccountsRt.dll /grant /T /C
  2⤵
  PID:6020
- C:\Windows\system32\takeown.exe
  "C:\Windows\system32\takeown.exe" /F C:\Windows\System32\AcGenral.dll /A /R /D Y
  2⤵
  PID:4808
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" C:\Windows\System32\AcGenral.dll /grant /T /C
  2⤵
  PID:4824
- C:\Windows\system32\takeown.exe
  "C:\Windows\system32\takeown.exe" /F C:\Windows\System32\AcLayers.dll /A /R /D Y
  2⤵
  PID:4828
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" C:\Windows\System32\AcLayers.dll /grant /T /C
  2⤵
  PID:4832
- C:\Windows\system32\takeown.exe
  "C:\Windows\system32\takeown.exe" /F C:\Windows\System32\acledit.dll /A /R /D Y
  2⤵
  PID:4840
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" C:\Windows\System32\acledit.dll /grant /T /C
  2⤵
  PID:4912
- C:\Windows\system32\takeown.exe
  "C:\Windows\system32\takeown.exe" /F C:\Windows\System32\aclui.dll /A /R /D Y
  2⤵
  PID:4960
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" C:\Windows\System32\aclui.dll /grant /T /C
  2⤵
  PID:4940
- C:\Windows\system32\takeown.exe
  "C:\Windows\system32\takeown.exe" /F C:\Windows\System32\acmigration.dll /A /R /D Y
  2⤵
  PID:5036
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" C:\Windows\System32\acmigration.dll /grant /T /C
  2⤵
  PID:5028
- C:\Windows\system32\takeown.exe
  "C:\Windows\system32\takeown.exe" /F C:\Windows\System32\ACPBackgroundManagerPolicy.dll /A /R /D Y
  2⤵
  PID:4996
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" C:\Windows\System32\ACPBackgroundManagerPolicy.dll /grant /T /C
  2⤵
  PID:5048
- C:\Windows\system32\takeown.exe
  "C:\Windows\system32\takeown.exe" /F C:\Windows\System32\acppage.dll /A /R /D Y
  2⤵
  PID:5140
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" C:\Windows\System32\acppage.dll /grant /T /C
  2⤵
  PID:3044
- C:\Windows\system32\takeown.exe
  "C:\Windows\system32\takeown.exe" /F C:\Windows\System32\acproxy.dll /A /R /D Y
  2⤵
  PID:3464
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" C:\Windows\System32\acproxy.dll /grant /T /C
  2⤵
  PID:3036
- C:\Windows\system32\takeown.exe
  "C:\Windows\system32\takeown.exe" /F C:\Windows\System32\AcSpecfc.dll /A /R /D Y
  2⤵
  PID:3792
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" C:\Windows\System32\AcSpecfc.dll /grant /T /C
  2⤵
  PID:776
- C:\Windows\system32\takeown.exe
  "C:\Windows\system32\takeown.exe" /F C:\Windows\System32\ActionCenter.dll_BUP /A /R /D Y
  2⤵
  PID:2084
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" C:\Windows\System32\ActionCenter.dll_BUP /grant /T /C
  2⤵
  PID:1648
- C:\Windows\system32\takeown.exe
  "C:\Windows\system32\takeown.exe" /F C:\Windows\System32\ActionCenterCPL.dll_BUP /A /R /D Y
  2⤵
  PID:3164
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" C:\Windows\System32\ActionCenterCPL.dll_BUP /grant /T /C
  2⤵
  PID:972
- C:\Windows\system32\takeown.exe
  "C:\Windows\system32\takeown.exe" /F C:\Windows\System32\ActionQueue.dll /A /R /D Y
  2⤵
  PID:2232
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" C:\Windows\System32\ActionQueue.dll /grant /T /C
  2⤵
  PID:2820
- C:\Windows\system32\takeown.exe
  "C:\Windows\system32\takeown.exe" /F C:\Windows\System32\ActivationClient.dll /A /R /D Y
  2⤵
  PID:3456
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" C:\Windows\System32\ActivationClient.dll /grant /T /C
  2⤵
  PID:4236
- C:\Windows\system32\takeown.exe
  "C:\Windows\system32\takeown.exe" /F C:\Windows\System32\ActivationManager.dll /A /R /D Y
  2⤵
  PID:1560
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" C:\Windows\System32\ActivationManager.dll /grant /T /C
  2⤵
  PID:1988
- C:\Windows\system32\takeown.exe
  "C:\Windows\system32\takeown.exe" /F C:\Windows\System32\activeds.dll /A /R /D Y
  2⤵
  PID:4584
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" C:\Windows\System32\activeds.dll /grant /T /C
  2⤵
  PID:5160
- C:\Windows\system32\takeown.exe
  "C:\Windows\system32\takeown.exe" /F C:\Windows\System32\activeds.tlb /A /R /D Y
  2⤵
  PID:5964
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" C:\Windows\System32\activeds.tlb /grant /T /C
  2⤵
  PID:2816
- C:\Windows\system32\takeown.exe
  "C:\Windows\system32\takeown.exe" /F C:\Windows\System32\ActiveHours.png /A /R /D Y
  2⤵
  PID:2360
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" C:\Windows\System32\ActiveHours.png /grant /T /C
  2⤵
  PID:2416
- C:\Windows\system32\takeown.exe
  "C:\Windows\system32\takeown.exe" /F C:\Windows\System32\ActiveSyncCsp.dll /A /R /D Y
  2⤵
  PID:2396
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" C:\Windows\System32\ActiveSyncCsp.dll /grant /T /C
  2⤵
  PID:2420
- C:\Windows\system32\takeown.exe
  "C:\Windows\system32\takeown.exe" /F C:\Windows\System32\ActiveSyncProvider.dll /A /R /D Y
  2⤵
  PID:472
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" C:\Windows\System32\ActiveSyncProvider.dll /grant /T /C
  2⤵
  PID:3508
- C:\Windows\system32\takeown.exe
  "C:\Windows\system32\takeown.exe" /F C:\Windows\System32\actxprxy.dll /A /R /D Y
  2⤵
  PID:4756
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" C:\Windows\System32\actxprxy.dll /grant /T /C
  2⤵
  PID:1432
- C:\Windows\system32\takeown.exe
  "C:\Windows\system32\takeown.exe" /F C:\Windows\System32\AcWinRT.dll /A /R /D Y
  2⤵
  PID:608
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" C:\Windows\System32\AcWinRT.dll /grant /T /C
  2⤵
  PID:5884
- C:\Windows\system32\takeown.exe
  "C:\Windows\system32\takeown.exe" /F C:\Windows\System32\AcXtrnal.dll /A /R /D Y
  2⤵
  - Possible privilege escalation attempt
  PID:5876
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" C:\Windows\System32\AcXtrnal.dll /grant /T /C
  2⤵
  PID:2744
- C:\Windows\system32\takeown.exe
  "C:\Windows\system32\takeown.exe" /F C:\Windows\System32\AdaptiveCards.dll /A /R /D Y
  2⤵
  PID:4332
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" C:\Windows\System32\AdaptiveCards.dll /grant /T /C
  2⤵
  PID:2252
- C:\Windows\system32\takeown.exe
  "C:\Windows\system32\takeown.exe" /F C:\Windows\System32\AddressParser.dll /A /R /D Y
  2⤵
  PID:1852
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" C:\Windows\System32\AddressParser.dll /grant /T /C
  2⤵
  PID:5888
- C:\Windows\system32\takeown.exe
  "C:\Windows\system32\takeown.exe" /F C:\Windows\System32\adhapi.dll /A /R /D Y
  2⤵
  PID:3984
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" C:\Windows\System32\adhapi.dll /grant /T /C
  2⤵
  PID:3052
- C:\Windows\system32\takeown.exe
  "C:\Windows\system32\takeown.exe" /F C:\Windows\System32\adhsvc.dll /A /R /D Y
  2⤵
  PID:4356
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" C:\Windows\System32\adhsvc.dll /grant /T /C
  2⤵
  PID:2356
- C:\Windows\system32\takeown.exe
  "C:\Windows\system32\takeown.exe" /F C:\Windows\System32\AdmTmpl.dll /A /R /D Y
  2⤵
  PID:4024
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" C:\Windows\System32\AdmTmpl.dll /grant /T /C
  2⤵
  PID:952
- C:\Windows\system32\takeown.exe
  "C:\Windows\system32\takeown.exe" /F C:\Windows\System32\adprovider.dll /A /R /D Y
  2⤵
  PID:4116
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" C:\Windows\System32\adprovider.dll /grant /T /C
  2⤵
  PID:4492
- C:\Windows\system32\takeown.exe
  "C:\Windows\system32\takeown.exe" /F C:\Windows\System32\adrclient.dll /A /R /D Y
  2⤵
  PID:2180
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" C:\Windows\System32\adrclient.dll /grant /T /C
  2⤵
  PID:2160
- C:\Windows\system32\takeown.exe
  "C:\Windows\system32\takeown.exe" /F C:\Windows\System32\adsldp.dll /A /R /D Y
  2⤵
  PID:2444
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" C:\Windows\System32\adsldp.dll /grant /T /C
  2⤵
  PID:2264
- C:\Windows\system32\takeown.exe
  "C:\Windows\system32\takeown.exe" /F C:\Windows\System32\adsldpc.dll /A /R /D Y
  2⤵
  - Modifies file permissions
  PID:5712
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" C:\Windows\System32\adsldpc.dll /grant /T /C
  2⤵
  PID:6064
- C:\Windows\system32\takeown.exe
  "C:\Windows\system32\takeown.exe" /F C:\Windows\System32\adsmsext.dll /A /R /D Y
  2⤵
  PID:5076
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" C:\Windows\System32\adsmsext.dll /grant /T /C
  2⤵
  PID:2440
- C:\Windows\system32\takeown.exe
  "C:\Windows\system32\takeown.exe" /F C:\Windows\System32\adsnt.dll /A /R /D Y
  2⤵
  PID:5400
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" C:\Windows\System32\adsnt.dll /grant /T /C
  2⤵
  PID:5316
- C:\Windows\system32\takeown.exe
  "C:\Windows\system32\takeown.exe" /F C:\Windows\System32\adtschema.dll /A /R /D Y
  2⤵
  PID:1300
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" C:\Windows\System32\adtschema.dll /grant /T /C
  2⤵
  PID:6128
- C:\Windows\system32\takeown.exe
  "C:\Windows\system32\takeown.exe" /F C:\Windows\System32\AdvancedEmojiDS.dll /A /R /D Y
  2⤵
  PID:1820
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" C:\Windows\System32\AdvancedEmojiDS.dll /grant /T /C
  2⤵
  PID:4908
- C:\Windows\system32\takeown.exe
  "C:\Windows\system32\takeown.exe" /F C:\Windows\System32\advapi32.dll /A /R /D Y
  2⤵
  PID:2276
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" C:\Windows\System32\advapi32.dll /grant /T /C
  2⤵
  PID:1268
- C:\Windows\system32\takeown.exe
  "C:\Windows\system32\takeown.exe" /F C:\Windows\System32\advapi32res.dll /A /R /D Y
  2⤵
  PID:4980
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" C:\Windows\System32\advapi32res.dll /grant /T /C
  2⤵
  PID:3148
- C:\Windows\system32\takeown.exe
  "C:\Windows\system32\takeown.exe" /F C:\Windows\System32\advpack.dll /A /R /D Y
  2⤵
  PID:5228
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" C:\Windows\System32\advpack.dll /grant /T /C
  2⤵
  PID:676
- C:\Windows\system32\takeown.exe
  "C:\Windows\system32\takeown.exe" /F C:\Windows\System32\aeevts.dll /A /R /D Y
  2⤵
  PID:5436
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" C:\Windows\System32\aeevts.dll /grant /T /C
  2⤵
  PID:2012
- C:\Windows\system32\takeown.exe
  "C:\Windows\system32\takeown.exe" /F C:\Windows\System32\aeinv.dll /A /R /D Y
  2⤵
  PID:3820
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" C:\Windows\System32\aeinv.dll /grant /T /C
  2⤵
  PID:1288
- C:\Windows\system32\takeown.exe
  "C:\Windows\system32\takeown.exe" /F C:\Windows\System32\aepic.dll /A /R /D Y
  2⤵
  PID:1488
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" C:\Windows\System32\aepic.dll /grant /T /C
  2⤵
  PID:1656
- C:\Windows\system32\takeown.exe
  "C:\Windows\system32\takeown.exe" /F C:\Windows\System32\agentactivationruntime.dll /A /R /D Y
  2⤵
  PID:2052
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" C:\Windows\System32\agentactivationruntime.dll /grant /T /C
  2⤵
  PID:4052
- C:\Windows\system32\takeown.exe
  "C:\Windows\system32\takeown.exe" /F C:\Windows\System32\agentactivationruntimestarter.exe /A /R /D Y
  2⤵
  PID:4496
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" C:\Windows\System32\agentactivationruntimestarter.exe /grant /T /C
  2⤵
  PID:6052
- C:\Windows\system32\takeown.exe
  "C:\Windows\system32\takeown.exe" /F C:\Windows\System32\agentactivationruntimewindows.dll /A /R /D Y
  2⤵
  PID:936
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" C:\Windows\System32\agentactivationruntimewindows.dll /grant /T /C
  2⤵
  PID:1120
- C:\Windows\system32\takeown.exe
  "C:\Windows\system32\takeown.exe" /F C:\Windows\System32\AgentService.exe /A /R /D Y
  2⤵
  PID:3484
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" C:\Windows\System32\AgentService.exe /grant /T /C
  2⤵
  PID:5196
- C:\Windows\system32\takeown.exe
  "C:\Windows\system32\takeown.exe" /F C:\Windows\System32\AggregatorHost.exe /A /R /D Y
  2⤵
  PID:2900
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" C:\Windows\System32\AggregatorHost.exe /grant /T /C
  2⤵
  PID:1232
- C:\Windows\system32\takeown.exe
  "C:\Windows\system32\takeown.exe" /F C:\Windows\System32\aitstatic.exe /A /R /D Y
  2⤵
  PID:5708
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" C:\Windows\System32\aitstatic.exe /grant /T /C
  2⤵
  PID:4480
- C:\Windows\system32\takeown.exe
  "C:\Windows\system32\takeown.exe" /F C:\Windows\System32\AJRouter.dll /A /R /D Y
  2⤵
  PID:4000
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" C:\Windows\System32\AJRouter.dll /grant /T /C
  2⤵
  PID:1572
- C:\Windows\system32\takeown.exe
  "C:\Windows\system32\takeown.exe" /F C:\Windows\System32\alg.exe /A /R /D Y
  2⤵
  - Possible privilege escalation attempt
  PID:1696
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" C:\Windows\System32\alg.exe /grant /T /C
  2⤵
  PID:5988
- C:\Windows\system32\takeown.exe
  "C:\Windows\system32\takeown.exe" /F C:\Windows\System32\altspace.dll /A /R /D Y
  2⤵
  PID:6024
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" C:\Windows\System32\altspace.dll /grant /T /C
  2⤵
  PID:6012
- C:\Windows\system32\takeown.exe
  "C:\Windows\system32\takeown.exe" /F C:\Windows\System32\amcompat.tlb /A /R /D Y
  2⤵
  PID:4072
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" C:\Windows\System32\amcompat.tlb /grant /T /C
  2⤵
  PID:1176
- C:\Windows\system32\takeown.exe
  "C:\Windows\system32\takeown.exe" /F C:\Windows\System32\amsi.dll /A /R /D Y
  2⤵
  PID:396
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" C:\Windows\System32\amsi.dll /grant /T /C
  2⤵
  PID:2240
- C:\Windows\system32\takeown.exe
  "C:\Windows\system32\takeown.exe" /F C:\Windows\System32\amsiproxy.dll /A /R /D Y
  2⤵
  PID:1824
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" C:\Windows\System32\amsiproxy.dll /grant /T /C
  2⤵
  PID:3428
- C:\Windows\system32\takeown.exe
  "C:\Windows\system32\takeown.exe" /F C:\Windows\System32\amstream.dll /A /R /D Y
  2⤵
  PID:5132
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" C:\Windows\System32\amstream.dll /grant /T /C
  2⤵
  PID:792
- C:\Windows\system32\takeown.exe
  "C:\Windows\system32\takeown.exe" /F C:\Windows\System32\Analog.Shell.Broker.dll /A /R /D Y
  2⤵
  PID:2080
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" C:\Windows\System32\Analog.Shell.Broker.dll /grant /T /C
  2⤵
  PID:1744
- C:\Windows\system32\takeown.exe
  "C:\Windows\system32\takeown.exe" /F C:\Windows\System32\AnalogCommonProxyStub.dll /A /R /D Y
  2⤵
  PID:1660
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" C:\Windows\System32\AnalogCommonProxyStub.dll /grant /T /C
  2⤵
  PID:6008
- C:\Windows\system32\takeown.exe
  "C:\Windows\system32\takeown.exe" /F C:\Windows\System32\apds.dll /A /R /D Y
  2⤵
  PID:4044
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" C:\Windows\System32\apds.dll /grant /T /C
  2⤵
  PID:5284
- C:\Windows\system32\takeown.exe
  "C:\Windows\system32\takeown.exe" /F C:\Windows\System32\APHostClient.dll /A /R /D Y
  2⤵
  PID:5192
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" C:\Windows\System32\APHostClient.dll /grant /T /C
  2⤵
  PID:1544
- C:\Windows\system32\takeown.exe
  "C:\Windows\system32\takeown.exe" /F C:\Windows\System32\APHostRes.dll /A /R /D Y
  2⤵
  PID:4384
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" C:\Windows\System32\APHostRes.dll /grant /T /C
  2⤵
  PID:3188
- C:\Windows\system32\takeown.exe
  "C:\Windows\system32\takeown.exe" /F C:\Windows\System32\APHostService.dll /A /R /D Y
  2⤵
  PID:2392
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" C:\Windows\System32\APHostService.dll /grant /T /C
  2⤵
  PID:3620
- C:\Windows\system32\takeown.exe
  "C:\Windows\system32\takeown.exe" /F C:\Windows\System32\apisampling.dll /A /R /D Y
  2⤵
  PID:2412
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" C:\Windows\System32\apisampling.dll /grant /T /C
  2⤵
  PID:6000
- C:\Windows\system32\takeown.exe
  "C:\Windows\system32\takeown.exe" /F C:\Windows\System32\ApiSetHost.AppExecutionAlias.dll /A /R /D Y
  2⤵
  PID:376
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" C:\Windows\System32\ApiSetHost.AppExecutionAlias.dll /grant /T /C
  2⤵
  PID:848
- C:\Windows\system32\takeown.exe
  "C:\Windows\system32\takeown.exe" /F C:\Windows\System32\apisetschema.dll /A /R /D Y
  2⤵
  PID:4688
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" C:\Windows\System32\apisetschema.dll /grant /T /C
  2⤵
  PID:5204
- C:\Windows\system32\takeown.exe
  "C:\Windows\system32\takeown.exe" /F C:\Windows\System32\APMon.dll /A /R /D Y
  2⤵
  PID:3876
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" C:\Windows\System32\APMon.dll /grant /T /C
  2⤵
  PID:5928
- C:\Windows\system32\takeown.exe
  "C:\Windows\system32\takeown.exe" /F C:\Windows\System32\APMonUI.dll /A /R /D Y
  2⤵
  PID:3192
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" C:\Windows\System32\APMonUI.dll /grant /T /C
  2⤵
  PID:5500
- C:\Windows\system32\takeown.exe
  "C:\Windows\system32\takeown.exe" /F C:\Windows\System32\AppContracts.dll /A /R /D Y
  2⤵
  PID:4056
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" C:\Windows\System32\AppContracts.dll /grant /T /C
  2⤵
  PID:3324
- C:\Windows\system32\takeown.exe
  "C:\Windows\system32\takeown.exe" /F C:\Windows\System32\AppExtension.dll /A /R /D Y
  2⤵
  PID:2896
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" C:\Windows\System32\AppExtension.dll /grant /T /C
  2⤵
  PID:6116
- C:\Windows\system32\takeown.exe
  "C:\Windows\system32\takeown.exe" /F C:\Windows\System32\apphelp.dll /A /R /D Y
  2⤵
  PID:3576
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" C:\Windows\System32\apphelp.dll /grant /T /C
  2⤵
  PID:3300
- C:\Windows\system32\takeown.exe
  "C:\Windows\system32\takeown.exe" /F C:\Windows\System32\Apphlpdm.dll /A /R /D Y
  2⤵
  PID:700
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" C:\Windows\System32\Apphlpdm.dll /grant /T /C
  2⤵
  PID:1612
- C:\Windows\system32\takeown.exe
  "C:\Windows\system32\takeown.exe" /F C:\Windows\System32\AppHostRegistrationVerifier.exe /A /R /D Y
  2⤵
  PID:1784
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" C:\Windows\System32\AppHostRegistrationVerifier.exe /grant /T /C
  2⤵
  PID:5488
- C:\Windows\system32\takeown.exe
  "C:\Windows\system32\takeown.exe" /F C:\Windows\System32\appidapi.dll /A /R /D Y
  2⤵
  PID:1248
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" C:\Windows\System32\appidapi.dll /grant /T /C
  2⤵
  PID:3076
- C:\Windows\system32\takeown.exe
  "C:\Windows\system32\takeown.exe" /F C:\Windows\System32\appidcertstorecheck.exe /A /R /D Y
  2⤵
  PID:384
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" C:\Windows\System32\appidcertstorecheck.exe /grant /T /C
  2⤵
  PID:4392
- C:\Windows\system32\takeown.exe
  "C:\Windows\system32\takeown.exe" /F C:\Windows\System32\appidpolicyconverter.exe /A /R /D Y
  2⤵
  PID:3296
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" C:\Windows\System32\appidpolicyconverter.exe /grant /T /C
  2⤵
  PID:3500
- C:\Windows\system32\takeown.exe
  "C:\Windows\system32\takeown.exe" /F C:\Windows\System32\AppIdPolicyEngineApi.dll /A /R /D Y
  2⤵
  PID:2400
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" C:\Windows\System32\AppIdPolicyEngineApi.dll /grant /T /C
  2⤵
  PID:1076
- C:\Windows\system32\takeown.exe
  "C:\Windows\system32\takeown.exe" /F C:\Windows\System32\appidsvc.dll /A /R /D Y
  2⤵
  PID:5648
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" C:\Windows\System32\appidsvc.dll /grant /T /C
  2⤵
  PID:2684
- C:\Windows\system32\takeown.exe
  "C:\Windows\system32\takeown.exe" /F C:\Windows\System32\appidtel.exe /A /R /D Y
  2⤵
  PID:2008
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" C:\Windows\System32\appidtel.exe /grant /T /C
  2⤵
  PID:456
- C:\Windows\system32\takeown.exe
  "C:\Windows\system32\takeown.exe" /F C:\Windows\System32\appinfo.dll /A /R /D Y
  2⤵
  PID:2656
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" C:\Windows\System32\appinfo.dll /grant /T /C
  2⤵
  PID:5580
- C:\Windows\system32\takeown.exe
  "C:\Windows\system32\takeown.exe" /F C:\Windows\System32\appinfoext.dll /A /R /D Y
  2⤵
  PID:3868
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" C:\Windows\System32\appinfoext.dll /grant /T /C
  2⤵
  PID:2584
- C:\Windows\system32\takeown.exe
  "C:\Windows\system32\takeown.exe" /F C:\Windows\System32\AppInstallerPrompt.Desktop.dll /A /R /D Y
  2⤵
  PID:4888
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" C:\Windows\System32\AppInstallerPrompt.Desktop.dll /grant /T /C
  2⤵
  PID:328
- C:\Windows\system32\takeown.exe
  "C:\Windows\system32\takeown.exe" /F C:\Windows\System32\ApplicationControlCSP.dll /A /R /D Y
  2⤵
  PID:4408
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" C:\Windows\System32\ApplicationControlCSP.dll /grant /T /C
  2⤵
  PID:1344
- C:\Windows\system32\takeown.exe
  "C:\Windows\system32\takeown.exe" /F C:\Windows\System32\ApplicationFrame.dll /A /R /D Y
  2⤵
  PID:4344
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" C:\Windows\System32\ApplicationFrame.dll /grant /T /C
  2⤵
  PID:3836
- C:\Windows\system32\takeown.exe
  "C:\Windows\system32\takeown.exe" /F C:\Windows\System32\ApplicationFrameHost.exe /A /R /D Y
  2⤵
  PID:4428
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" C:\Windows\System32\ApplicationFrameHost.exe /grant /T /C
  2⤵
  PID:4664
- C:\Windows\system32\takeown.exe
  "C:\Windows\system32\takeown.exe" /F C:\Windows\System32\AppListBackupLauncher.dll /A /R /D Y
  2⤵
  PID:5092
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" C:\Windows\System32\AppListBackupLauncher.dll /grant /T /C
  2⤵
  PID:4500
- C:\Windows\system32\takeown.exe
  "C:\Windows\system32\takeown.exe" /F C:\Windows\System32\AppLockerCSP.dll /A /R /D Y
  2⤵
  PID:3828
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" C:\Windows\System32\AppLockerCSP.dll /grant /T /C
  2⤵
  PID:4188
- C:\Windows\system32\takeown.exe
  "C:\Windows\system32\takeown.exe" /F C:\Windows\System32\ApplySettingsTemplateCatalog.exe /A /R /D Y
  2⤵
  PID:5752
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" C:\Windows\System32\ApplySettingsTemplateCatalog.exe /grant /T /C
  2⤵
  PID:4624
- C:\Windows\system32\takeown.exe
  "C:\Windows\system32\takeown.exe" /F C:\Windows\System32\ApplyTrustOffline.exe /A /R /D Y
  2⤵
  PID:3512
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" C:\Windows\System32\ApplyTrustOffline.exe /grant /T /C
  2⤵
  PID:1780
- C:\Windows\system32\takeown.exe
  "C:\Windows\system32\takeown.exe" /F C:\Windows\System32\AppManagementConfiguration.dll /A /R /D Y
  2⤵
  PID:3292
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" C:\Windows\System32\AppManagementConfiguration.dll /grant /T /C
  2⤵
  PID:4700
- C:\Windows\system32\takeown.exe
  "C:\Windows\system32\takeown.exe" /F C:\Windows\System32\appmgmts.dll /A /R /D Y
  2⤵
  PID:3728
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" C:\Windows\System32\appmgmts.dll /grant /T /C
  2⤵
  PID:3460
- C:\Windows\system32\takeown.exe
  "C:\Windows\system32\takeown.exe" /F C:\Windows\System32\appmgr.dll /A /R /D Y
  2⤵
  PID:3956
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" C:\Windows\System32\appmgr.dll /grant /T /C
  2⤵
  PID:5856
- C:\Windows\system32\takeown.exe
  "C:\Windows\system32\takeown.exe" /F C:\Windows\System32\AppMon.dll /A /R /D Y
  2⤵
  PID:5872
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" C:\Windows\System32\AppMon.dll /grant /T /C
  2⤵
  PID:4608
- C:\Windows\system32\takeown.exe
  "C:\Windows\system32\takeown.exe" /F C:\Windows\System32\AppointmentActivation.dll /A /R /D Y
  2⤵
  PID:3392
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" C:\Windows\System32\AppointmentActivation.dll /grant /T /C
  2⤵
  PID:1856
- C:\Windows\system32\takeown.exe
  "C:\Windows\system32\takeown.exe" /F C:\Windows\System32\AppointmentApis.dll /A /R /D Y
  2⤵
  PID:5044
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" C:\Windows\System32\AppointmentApis.dll /grant /T /C
  2⤵
  PID:5152
- C:\Windows\system32\takeown.exe
  "C:\Windows\system32\takeown.exe" /F C:\Windows\System32\appraiser.dll /A /R /D Y
  2⤵
  PID:4812
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" C:\Windows\System32\appraiser.dll /grant /T /C
  2⤵
  PID:4764
- C:\Windows\system32\takeown.exe
  "C:\Windows\system32\takeown.exe" /F C:\Windows\System32\AppReadiness.dll /A /R /D Y
  2⤵
  PID:4804
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" C:\Windows\System32\AppReadiness.dll /grant /T /C
  2⤵
  PID:4876
- C:\Windows\system32\takeown.exe
  "C:\Windows\system32\takeown.exe" /F C:\Windows\System32\apprepapi.dll /A /R /D Y
  2⤵
  PID:4748
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" C:\Windows\System32\apprepapi.dll /grant /T /C
  2⤵
  PID:4868
- C:\Windows\system32\takeown.exe
  "C:\Windows\system32\takeown.exe" /F C:\Windows\System32\AppResolver.dll /A /R /D Y
  2⤵
  PID:4948
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" C:\Windows\System32\AppResolver.dll /grant /T /C
  2⤵
  PID:4856
- C:\Windows\system32\takeown.exe
  "C:\Windows\system32\takeown.exe" /F C:\Windows\System32\ApproveChildRequest.exe /A /R /D Y
  2⤵
  PID:4860
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" C:\Windows\System32\ApproveChildRequest.exe /grant /T /C
  2⤵
  PID:4976
- C:\Windows\system32\takeown.exe
  "C:\Windows\system32\takeown.exe" /F C:\Windows\System32\appsruprov.dll /A /R /D Y
  2⤵
  PID:4436
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" C:\Windows\System32\appsruprov.dll /grant /T /C
  2⤵
  PID:2956
- C:\Windows\system32\takeown.exe
  "C:\Windows\system32\takeown.exe" /F C:\Windows\System32\AppVCatalog.dll /A /R /D Y
  2⤵
  PID:5060
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" C:\Windows\System32\AppVCatalog.dll /grant /T /C
  2⤵
  PID:5040
- C:\Windows\system32\takeown.exe
  "C:\Windows\system32\takeown.exe" /F C:\Windows\System32\AppVClient.exe /A /R /D Y
  2⤵
  PID:3872
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" C:\Windows\System32\AppVClient.exe /grant /T /C
  2⤵
  PID:1200
- C:\Windows\system32\takeown.exe
  "C:\Windows\system32\takeown.exe" /F C:\Windows\System32\AppvClientEventLog.dll /A /R /D Y
  2⤵
  PID:5968
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" C:\Windows\System32\AppvClientEventLog.dll /grant /T /C
  2⤵
  PID:3976
- C:\Windows\system32\takeown.exe
  "C:\Windows\system32\takeown.exe" /F C:\Windows\System32\AppVClientPS.dll /A /R /D Y
  2⤵
  PID:1952
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" C:\Windows\System32\AppVClientPS.dll /grant /T /C
  2⤵
  PID:1684
- C:\Windows\system32\takeown.exe
  "C:\Windows\system32\takeown.exe" /F C:\Windows\System32\AppVDllSurrogate.exe /A /R /D Y
  2⤵
  PID:2856
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" C:\Windows\System32\AppVDllSurrogate.exe /grant /T /C
  2⤵
  PID:5812
- C:\Windows\system32\takeown.exe
  "C:\Windows\system32\takeown.exe" /F C:\Windows\System32\AppVEntStreamingManager.dll /A /R /D Y
  2⤵
  PID:2972
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" C:\Windows\System32\AppVEntStreamingManager.dll /grant /T /C
  2⤵
  PID:1152
- C:\Windows\system32\takeown.exe
  "C:\Windows\system32\takeown.exe" /F C:\Windows\System32\AppVEntSubsystemController.dll /A /R /D Y
  2⤵
  PID:5960
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" C:\Windows\System32\AppVEntSubsystemController.dll /grant /T /C
  2⤵
  PID:3696
- C:\Windows\system32\takeown.exe
  "C:\Windows\system32\takeown.exe" /F C:\Windows\System32\AppVEntSubsystems64.dll /A /R /D Y
  2⤵
  PID:1224
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" C:\Windows\System32\AppVEntSubsystems64.dll /grant /T /C
  2⤵
  PID:5848
- C:\Windows\system32\takeown.exe
  "C:\Windows\system32\takeown.exe" /F C:\Windows\System32\AppVEntVirtualization.dll /A /R /D Y
  2⤵
  PID:3136
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" C:\Windows\System32\AppVEntVirtualization.dll /grant /T /C
  2⤵
  PID:3348
- C:\Windows\system32\takeown.exe
  "C:\Windows\system32\takeown.exe" /F C:\Windows\System32\appvetwclientres.dll /A /R /D Y
  2⤵
  PID:4600
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" C:\Windows\System32\appvetwclientres.dll /grant /T /C
  2⤵
  PID:2504
- C:\Windows\system32\takeown.exe
  "C:\Windows\system32\takeown.exe" /F C:\Windows\System32\appvetwsharedperformance.dll /A /R /D Y
  2⤵
  PID:4404
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" C:\Windows\System32\appvetwsharedperformance.dll /grant /T /C
  2⤵
  PID:980
- C:\Windows\system32\takeown.exe
  "C:\Windows\system32\takeown.exe" /F C:\Windows\System32\appvetwstreamingux.dll /A /R /D Y
  2⤵
  PID:428
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" C:\Windows\System32\appvetwstreamingux.dll /grant /T /C
  2⤵
  PID:3648
- C:\Windows\system32\takeown.exe
  "C:\Windows\system32\takeown.exe" /F C:\Windows\System32\AppVFileSystemMetadata.dll /A /R /D Y
  2⤵
  PID:2404
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" C:\Windows\System32\AppVFileSystemMetadata.dll /grant /T /C
  2⤵
  PID:460
- C:\Windows\system32\takeown.exe
  "C:\Windows\system32\takeown.exe" /F C:\Windows\System32\AppVIntegration.dll /A /R /D Y
  2⤵
  PID:5100
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" C:\Windows\System32\AppVIntegration.dll /grant /T /C
  2⤵
  PID:2316
- C:\Windows\system32\takeown.exe
  "C:\Windows\system32\takeown.exe" /F C:\Windows\System32\AppVManifest.dll /A /R /D Y
  2⤵
  PID:3068
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" C:\Windows\System32\AppVManifest.dll /grant /T /C
  2⤵
  PID:1932
- C:\Windows\system32\takeown.exe
  "C:\Windows\system32\takeown.exe" /F C:\Windows\System32\AppVNice.exe /A /R /D Y
  2⤵
  PID:4476
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" C:\Windows\System32\AppVNice.exe /grant /T /C
  2⤵
  PID:5112
- C:\Windows\system32\takeown.exe
  "C:\Windows\system32\takeown.exe" /F C:\Windows\System32\AppVOrchestration.dll /A /R /D Y
  2⤵
  PID:3592
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" C:\Windows\System32\AppVOrchestration.dll /grant /T /C
  2⤵
  PID:1860
- C:\Windows\system32\takeown.exe
  "C:\Windows\system32\takeown.exe" /F C:\Windows\System32\AppVPolicy.dll /A /R /D Y
  2⤵
  PID:3140
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" C:\Windows\System32\AppVPolicy.dll /grant /T /C
  2⤵
  PID:232
- C:\Windows\system32\takeown.exe
  "C:\Windows\system32\takeown.exe" /F C:\Windows\System32\AppVPublishing.dll /A /R /D Y
  2⤵
  PID:2304
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" C:\Windows\System32\AppVPublishing.dll /grant /T /C
  2⤵
  PID:4388
- C:\Windows\system32\takeown.exe
  "C:\Windows\system32\takeown.exe" /F C:\Windows\System32\AppVReporting.dll /A /R /D Y
  2⤵
  PID:3080
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" C:\Windows\System32\AppVReporting.dll /grant /T /C
  2⤵
  PID:4784
- C:\Windows\system32\takeown.exe
  "C:\Windows\system32\takeown.exe" /F C:\Windows\System32\AppVScripting.dll /A /R /D Y
  2⤵
  PID:5640
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" C:\Windows\System32\AppVScripting.dll /grant /T /C
  2⤵
  PID:5240
- C:\Windows\system32\takeown.exe
  "C:\Windows\system32\takeown.exe" /F C:\Windows\System32\AppVSentinel.dll /A /R /D Y
  2⤵
  - Possible privilege escalation attempt
  PID:5476
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" C:\Windows\System32\AppVSentinel.dll /grant /T /C
  2⤵
  PID:3488
- C:\Windows\system32\takeown.exe
  "C:\Windows\system32\takeown.exe" /F C:\Windows\System32\AppVShNotify.exe /A /R /D Y
  2⤵
  PID:2176
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" C:\Windows\System32\AppVShNotify.exe /grant /T /C
  2⤵
  PID:4468
- C:\Windows\system32\takeown.exe
  "C:\Windows\system32\takeown.exe" /F C:\Windows\System32\AppVStreamingUX.dll /A /R /D Y
  2⤵
  PID:2148
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" C:\Windows\System32\AppVStreamingUX.dll /grant /T /C
  2⤵
  PID:2680
- C:\Windows\system32\takeown.exe
  "C:\Windows\system32\takeown.exe" /F C:\Windows\System32\AppVStreamMap.dll /A /R /D Y
  2⤵
  PID:3616
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" C:\Windows\System32\AppVStreamMap.dll /grant /T /C
  2⤵
  PID:3372
- C:\Windows\system32\takeown.exe
  "C:\Windows\system32\takeown.exe" /F C:\Windows\System32\AppVTerminator.dll /A /R /D Y
  2⤵
  PID:532
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" C:\Windows\System32\AppVTerminator.dll /grant /T /C
  2⤵
  PID:556
- C:\Windows\system32\takeown.exe
  "C:\Windows\system32\takeown.exe" /F C:\Windows\System32\appwiz.cpl /A /R /D Y
  2⤵
  PID:5244
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" C:\Windows\System32\appwiz.cpl /grant /T /C
  2⤵
  PID:5772
- C:\Windows\system32\takeown.exe
  "C:\Windows\system32\takeown.exe" /F C:\Windows\System32\AppxAllUserStore.dll /A /R /D Y
  2⤵
  PID:768
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" C:\Windows\System32\AppxAllUserStore.dll /grant /T /C
  2⤵
  PID:1300
- C:\Windows\system32\takeown.exe
  "C:\Windows\system32\takeown.exe" /F C:\Windows\System32\AppXApplicabilityBlob.dll /A /R /D Y
  2⤵
  PID:3716
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" C:\Windows\System32\AppXApplicabilityBlob.dll /grant /T /C
  2⤵
  PID:1992
- C:\Windows\system32\takeown.exe
  "C:\Windows\system32\takeown.exe" /F C:\Windows\System32\AppxApplicabilityEngine.dll /A /R /D Y
  2⤵
  PID:5836
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" C:\Windows\System32\AppxApplicabilityEngine.dll /grant /T /C
  2⤵
  PID:852
- C:\Windows\system32\takeown.exe
  "C:\Windows\system32\takeown.exe" /F C:\Windows\System32\AppXDeploymentClient.dll /A /R /D Y
  2⤵
  PID:4224
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" C:\Windows\System32\AppXDeploymentClient.dll /grant /T /C
  2⤵
  PID:1836
- C:\Windows\system32\takeown.exe
  "C:\Windows\system32\takeown.exe" /F C:\Windows\System32\AppXDeploymentExtensions.desktop.dll /A /R /D Y
  2⤵
  PID:6056
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" C:\Windows\System32\AppXDeploymentExtensions.desktop.dll /grant /T /C
  2⤵
  PID:5480
- C:\Windows\system32\takeown.exe
  "C:\Windows\system32\takeown.exe" /F C:\Windows\System32\AppXDeploymentExtensions.onecore.dll /A /R /D Y
  2⤵
  PID:3904
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" C:\Windows\System32\AppXDeploymentExtensions.onecore.dll /grant /T /C
  2⤵
  PID:892
- C:\Windows\system32\takeown.exe
  "C:\Windows\system32\takeown.exe" /F C:\Windows\System32\AppXDeploymentServer.dll /A /R /D Y
  2⤵
  PID:2824
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" C:\Windows\System32\AppXDeploymentServer.dll /grant /T /C
  2⤵
  PID:5336
- C:\Windows\system32\takeown.exe
  "C:\Windows\system32\takeown.exe" /F C:\Windows\System32\AppxPackaging.dll /A /R /D Y
  2⤵
  - Possible privilege escalation attempt
  PID:1324
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" C:\Windows\System32\AppxPackaging.dll /grant /T /C
  2⤵
  PID:3116
- C:\Windows\system32\takeown.exe
  "C:\Windows\system32\takeown.exe" /F C:\Windows\System32\AppxProvisioning.xml /A /R /D Y
  2⤵
  PID:2892
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" C:\Windows\System32\AppxProvisioning.xml /grant /T /C
  2⤵
  PID:1996
- C:\Windows\system32\takeown.exe
  "C:\Windows\system32\takeown.exe" /F C:\Windows\System32\AppxSip.dll /A /R /D Y
  2⤵
  PID:1092
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" C:\Windows\System32\AppxSip.dll /grant /T /C
  2⤵
  PID:880
- C:\Windows\system32\takeown.exe
  "C:\Windows\system32\takeown.exe" /F C:\Windows\System32\AppxStreamingDataSourcePS.dll /A /R /D Y
  2⤵
  PID:3548
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" C:\Windows\System32\AppxStreamingDataSourcePS.dll /grant /T /C
  2⤵
  PID:5056
- C:\Windows\system32\takeown.exe
  "C:\Windows\system32\takeown.exe" /F C:\Windows\System32\AppxSysprep.dll /A /R /D Y
  2⤵
  PID:5692
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" C:\Windows\System32\AppxSysprep.dll /grant /T /C
  2⤵
  PID:3476
- C:\Windows\system32\takeown.exe
  "C:\Windows\system32\takeown.exe" /F C:\Windows\System32\archiveint.dll /A /R /D Y
  2⤵
  PID:1372
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" C:\Windows\System32\archiveint.dll /grant /T /C
  2⤵
  PID:2864
- C:\Windows\system32\takeown.exe
  "C:\Windows\system32\takeown.exe" /F C:\Windows\System32\ARP.EXE /A /R /D Y
  2⤵
  PID:1156
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" C:\Windows\System32\ARP.EXE /grant /T /C
  2⤵
  PID:1396
- C:\Windows\system32\takeown.exe
  "C:\Windows\system32\takeown.exe" /F C:\Windows\System32\asferror.dll /A /R /D Y
  2⤵
  PID:1580
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" C:\Windows\System32\asferror.dll /grant /T /C
  2⤵
  PID:2120
- C:\Windows\system32\takeown.exe
  "C:\Windows\system32\takeown.exe" /F C:\Windows\System32\aspnet_counters.dll /A /R /D Y
  2⤵
  PID:6108
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" C:\Windows\System32\aspnet_counters.dll /grant /T /C
  2⤵
  PID:3560
- C:\Windows\system32\takeown.exe
  "C:\Windows\system32\takeown.exe" /F C:\Windows\System32\AssignedAccessCsp.dll /A /R /D Y
  2⤵
  PID:1032
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" C:\Windows\System32\AssignedAccessCsp.dll /grant /T /C
  2⤵
  PID:4068
- C:\Windows\system32\takeown.exe
  "C:\Windows\system32\takeown.exe" /F C:\Windows\System32\AssignedAccessGuard.exe /A /R /D Y
  2⤵
  PID:2712
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" C:\Windows\System32\AssignedAccessGuard.exe /grant /T /C
  2⤵
  PID:6140
- C:\Windows\system32\takeown.exe
  "C:\Windows\system32\takeown.exe" /F C:\Windows\System32\AssignedAccessManager.dll /A /R /D Y
  2⤵
  PID:5496
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" C:\Windows\System32\AssignedAccessManager.dll /grant /T /C
  2⤵
  PID:4576
- C:\Windows\system32\takeown.exe
  "C:\Windows\system32\takeown.exe" /F C:\Windows\System32\assignedaccessmanagersvc.dll /A /R /D Y
  2⤵
  PID:3092
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" C:\Windows\System32\assignedaccessmanagersvc.dll /grant /T /C
  2⤵
  PID:3128
- C:\Windows\system32\takeown.exe
  "C:\Windows\system32\takeown.exe" /F C:\Windows\System32\assignedaccessproviderevents.dll /A /R /D Y
  2⤵
  PID:5432
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" C:\Windows\System32\assignedaccessproviderevents.dll /grant /T /C
  2⤵
  PID:2288
- C:\Windows\system32\takeown.exe
  "C:\Windows\system32\takeown.exe" /F C:\Windows\System32\AssignedAccessRuntime.dll /A /R /D Y
  2⤵
  PID:5956
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" C:\Windows\System32\AssignedAccessRuntime.dll /grant /T /C
  2⤵
  PID:908
- C:\Windows\system32\takeown.exe
  "C:\Windows\system32\takeown.exe" /F C:\Windows\System32\AssignedAccessShellProxy.dll /A /R /D Y
  2⤵
  PID:2828
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" C:\Windows\System32\AssignedAccessShellProxy.dll /grant /T /C
  2⤵
  PID:4672
- C:\Windows\system32\takeown.exe
  "C:\Windows\system32\takeown.exe" /F C:\Windows\System32\asycfilt.dll /A /R /D Y
  2⤵
  PID:640
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" C:\Windows\System32\asycfilt.dll /grant /T /C
  2⤵
  PID:3720
- C:\Windows\system32\takeown.exe
  "C:\Windows\system32\takeown.exe" /F C:\Windows\System32\at.exe /A /R /D Y
  2⤵
  PID:5768
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" C:\Windows\System32\at.exe /grant /T /C
  2⤵
  PID:5444
- C:\Windows\system32\takeown.exe
  "C:\Windows\system32\takeown.exe" /F C:\Windows\System32\AtBroker.exe /A /R /D Y
  2⤵
  PID:5944
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" C:\Windows\System32\AtBroker.exe /grant /T /C
  2⤵
  PID:3020
- C:\Windows\system32\takeown.exe
  "C:\Windows\system32\takeown.exe" /F C:\Windows\System32\atl.dll /A /R /D Y
  2⤵
  PID:3452
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" C:\Windows\System32\atl.dll /grant /T /C
  2⤵
  PID:4448
- C:\Windows\system32\takeown.exe
  "C:\Windows\system32\takeown.exe" /F C:\Windows\System32\atl100.dll /A /R /D Y
  2⤵
  PID:1564
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" C:\Windows\System32\atl100.dll /grant /T /C
  2⤵
  PID:1212
- C:\Windows\system32\takeown.exe
  "C:\Windows\system32\takeown.exe" /F C:\Windows\System32\atl110.dll /A /R /D Y
  2⤵
  PID:1492
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" C:\Windows\System32\atl110.dll /grant /T /C
  2⤵
  PID:4616
- C:\Windows\system32\takeown.exe
  "C:\Windows\system32\takeown.exe" /F C:\Windows\System32\atlthunk.dll /A /R /D Y
  2⤵
  PID:3408
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" C:\Windows\System32\atlthunk.dll /grant /T /C
  2⤵
  PID:3572
- C:\Windows\system32\takeown.exe
  "C:\Windows\system32\takeown.exe" /F C:\Windows\System32\atmlib.dll /A /R /D Y
  2⤵
  PID:2788
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" C:\Windows\System32\atmlib.dll /grant /T /C
  2⤵
  PID:1808
- C:\Windows\system32\takeown.exe
  "C:\Windows\system32\takeown.exe" /F C:\Windows\System32\attrib.exe /A /R /D Y
  2⤵
  PID:944
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" C:\Windows\System32\attrib.exe /grant /T /C
  2⤵
  PID:2752
- C:\Windows\system32\takeown.exe
  "C:\Windows\system32\takeown.exe" /F C:\Windows\System32\audiodg.exe /A /R /D Y
  2⤵
  PID:3724
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" C:\Windows\System32\audiodg.exe /grant /T /C
  2⤵
  PID:5596
- C:\Windows\system32\takeown.exe
  "C:\Windows\system32\takeown.exe" /F C:\Windows\System32\AudioEndpointBuilder.dll /A /R /D Y
  2⤵
  PID:3588
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" C:\Windows\System32\AudioEndpointBuilder.dll /grant /T /C
  2⤵
  PID:2104
- C:\Windows\system32\takeown.exe
  "C:\Windows\system32\takeown.exe" /F C:\Windows\System32\AudioEng.dll /A /R /D Y
  2⤵
  PID:2784
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" C:\Windows\System32\AudioEng.dll /grant /T /C
  2⤵
  PID:4076
- C:\Windows\system32\takeown.exe
  "C:\Windows\system32\takeown.exe" /F C:\Windows\System32\AudioHandlers.dll /A /R /D Y
  2⤵
  PID:3056
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" C:\Windows\System32\AudioHandlers.dll /grant /T /C
  2⤵
  PID:1892
- C:\Windows\system32\takeown.exe
  "C:\Windows\system32\takeown.exe" /F C:\Windows\System32\AUDIOKSE.dll /A /R /D Y
  2⤵
  PID:664
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" C:\Windows\System32\AUDIOKSE.dll /grant /T /C
  2⤵
  PID:3084
- C:\Windows\system32\takeown.exe
  "C:\Windows\system32\takeown.exe" /F C:\Windows\System32\audioresourceregistrar.dll /A /R /D Y
  2⤵
  PID:1244
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" C:\Windows\System32\audioresourceregistrar.dll /grant /T /C
  2⤵
  PID:2424
- C:\Windows\system32\takeown.exe
  "C:\Windows\system32\takeown.exe" /F C:\Windows\System32\AudioSes.dll /A /R /D Y
  2⤵
  PID:2092
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" C:\Windows\System32\AudioSes.dll /grant /T /C
  2⤵
  PID:5508
- C:\Windows\system32\takeown.exe
  "C:\Windows\system32\takeown.exe" /F C:\Windows\System32\audiosrv.dll /A /R /D Y
  2⤵
  PID:4984
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" C:\Windows\System32\audiosrv.dll /grant /T /C
  2⤵
  PID:5940
- C:\Windows\system32\takeown.exe
  "C:\Windows\system32\takeown.exe" /F C:\Windows\System32\AudioSrvPolicyManager.dll /A /R /D Y
  2⤵
  PID:1816
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" C:\Windows\System32\AudioSrvPolicyManager.dll /grant /T /C
  2⤵
  PID:1864
- C:\Windows\system32\takeown.exe
  "C:\Windows\system32\takeown.exe" /F C:\Windows\System32\auditcse.dll /A /R /D Y
  2⤵
  PID:920
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" C:\Windows\System32\auditcse.dll /grant /T /C
  2⤵
  PID:200
- C:\Windows\system32\takeown.exe
  "C:\Windows\system32\takeown.exe" /F C:\Windows\System32\AuditNativeSnapIn.dll /A /R /D Y
  2⤵
  PID:1220
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" C:\Windows\System32\AuditNativeSnapIn.dll /grant /T /C
  2⤵
  PID:1144
- C:\Windows\system32\takeown.exe
  "C:\Windows\system32\takeown.exe" /F C:\Windows\System32\auditpol.exe /A /R /D Y
  2⤵
  PID:5484
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" C:\Windows\System32\auditpol.exe /grant /T /C
  2⤵
  PID:5604
- C:\Windows\system32\takeown.exe
  "C:\Windows\system32\takeown.exe" /F C:\Windows\System32\auditpolcore.dll /A /R /D Y
  2⤵
  PID:5536
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" C:\Windows\System32\auditpolcore.dll /grant /T /C
  2⤵
  PID:2580
- C:\Windows\system32\takeown.exe
  "C:\Windows\system32\takeown.exe" /F C:\Windows\System32\AuditPolicyGPInterop.dll /A /R /D Y
  2⤵
  PID:5572
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" C:\Windows\System32\AuditPolicyGPInterop.dll /grant /T /C
  2⤵
  PID:2544
- C:\Windows\system32\takeown.exe
  "C:\Windows\system32\takeown.exe" /F C:\Windows\System32\auditpolmsg.dll /A /R /D Y
  2⤵
  PID:5716
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" C:\Windows\System32\auditpolmsg.dll /grant /T /C
  2⤵
  PID:3016
- C:\Windows\system32\takeown.exe
  "C:\Windows\system32\takeown.exe" /F C:\Windows\System32\AuthBroker.dll /A /R /D Y
  2⤵
  PID:2768
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" C:\Windows\System32\AuthBroker.dll /grant /T /C
  2⤵
  PID:3288
- C:\Windows\system32\takeown.exe
  "C:\Windows\system32\takeown.exe" /F C:\Windows\System32\AuthBrokerUI.dll /A /R /D Y
  2⤵
  PID:2340
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" C:\Windows\System32\AuthBrokerUI.dll /grant /T /C
  2⤵
  PID:2564
- C:\Windows\system32\takeown.exe
  "C:\Windows\system32\takeown.exe" /F C:\Windows\System32\authentication.dll /A /R /D Y
  2⤵
  PID:2840
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" C:\Windows\System32\authentication.dll /grant /T /C
  2⤵
  PID:960
- C:\Windows\system32\takeown.exe
  "C:\Windows\system32\takeown.exe" /F C:\Windows\System32\AuthExt.dll /A /R /D Y
  2⤵
  PID:5188
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" C:\Windows\System32\AuthExt.dll /grant /T /C
  2⤵
  PID:5212
- C:\Windows\system32\takeown.exe
  "C:\Windows\system32\takeown.exe" /F C:\Windows\System32\authfwcfg.dll /A /R /D Y
  2⤵
  PID:4656
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" C:\Windows\System32\authfwcfg.dll /grant /T /C
  2⤵
  PID:1680
- C:\Windows\system32\takeown.exe
  "C:\Windows\system32\takeown.exe" /F C:\Windows\System32\AuthFWGP.dll /A /R /D Y
  2⤵
  PID:4248
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" C:\Windows\System32\AuthFWGP.dll /grant /T /C
  2⤵
  PID:1340
- C:\Windows\system32\takeown.exe
  "C:\Windows\system32\takeown.exe" /F C:\Windows\System32\AuthFWSnapin.dll /A /R /D Y
  2⤵
  PID:3124
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" C:\Windows\System32\AuthFWSnapin.dll /grant /T /C
  2⤵
  PID:4380
- C:\Windows\system32\takeown.exe
  "C:\Windows\system32\takeown.exe" /F C:\Windows\System32\AuthFWWizFwk.dll /A /R /D Y
  2⤵
  PID:3088
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" C:\Windows\System32\AuthFWWizFwk.dll /grant /T /C
  2⤵
  PID:2576
- C:\Windows\system32\takeown.exe
  "C:\Windows\system32\takeown.exe" /F C:\Windows\System32\AuthHost.exe /A /R /D Y
  2⤵
  PID:5780
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" C:\Windows\System32\AuthHost.exe /grant /T /C
  2⤵
  PID:1972
- C:\Windows\system32\takeown.exe
  "C:\Windows\system32\takeown.exe" /F C:\Windows\System32\AuthHostProxy.dll /A /R /D Y
  2⤵
  PID:224
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" C:\Windows\System32\AuthHostProxy.dll /grant /T /C
  2⤵
  PID:4036
- C:\Windows\system32\takeown.exe
  "C:\Windows\system32\takeown.exe" /F C:\Windows\System32\authui.dll /A /R /D Y
  2⤵
  PID:5380
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" C:\Windows\System32\authui.dll /grant /T /C
  2⤵
  PID:4140
- C:\Windows\system32\takeown.exe
  "C:\Windows\system32\takeown.exe" /F C:\Windows\System32\authz.dll /A /R /D Y
  2⤵
  PID:3328
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" C:\Windows\System32\authz.dll /grant /T /C
  2⤵
  PID:4300
- C:\Windows\system32\takeown.exe
  "C:\Windows\system32\takeown.exe" /F C:\Windows\System32\autochk.exe /A /R /D Y
  2⤵
  PID:4696
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" C:\Windows\System32\autochk.exe /grant /T /C
  2⤵
  PID:4772
- C:\Windows\system32\takeown.exe
  "C:\Windows\system32\takeown.exe" /F C:\Windows\System32\autopilot.dll /A /R /D Y
  2⤵
  PID:4828
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" C:\Windows\System32\autopilot.dll /grant /T /C
  2⤵
  PID:4956
- C:\Windows\system32\takeown.exe
  "C:\Windows\system32\takeown.exe" /F C:\Windows\System32\autopilotdiag.dll /A /R /D Y
  2⤵
  PID:4844
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" C:\Windows\System32\autopilotdiag.dll /grant /T /C
  2⤵
  PID:4964
- C:\Windows\system32\takeown.exe
  "C:\Windows\system32\takeown.exe" /F C:\Windows\System32\autoplay.dll /A /R /D Y
  2⤵
  PID:4960
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" C:\Windows\System32\autoplay.dll /grant /T /C
  2⤵
  PID:5292
- C:\Windows\system32\takeown.exe
  "C:\Windows\system32\takeown.exe" /F C:\Windows\System32\autotimesvc.dll /A /R /D Y
  2⤵
  PID:4968
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" C:\Windows\System32\autotimesvc.dll /grant /T /C
  2⤵
  PID:5032
- C:\Windows\system32\takeown.exe
  "C:\Windows\system32\takeown.exe" /F C:\Windows\System32\AverageRoom.bin /A /R /D Y
  2⤵
  PID:4988
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" C:\Windows\System32\AverageRoom.bin /grant /T /C
  2⤵
  PID:4848
- C:\Windows\system32\takeown.exe
  "C:\Windows\system32\takeown.exe" /F C:\Windows\System32\avicap32.dll /A /R /D Y
  2⤵
  PID:5232
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" C:\Windows\System32\avicap32.dll /grant /T /C
  2⤵
  PID:2548
- C:\Windows\system32\takeown.exe
  "C:\Windows\system32\takeown.exe" /F C:\Windows\System32\avifil32.dll /A /R /D Y
  2⤵
  PID:3272
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" C:\Windows\System32\avifil32.dll /grant /T /C
  2⤵
  PID:5912
- C:\Windows\system32\takeown.exe
  "C:\Windows\system32\takeown.exe" /F C:\Windows\System32\avrt.dll /A /R /D Y
  2⤵
  PID:3792
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" C:\Windows\System32\avrt.dll /grant /T /C
  2⤵
  PID:1108
- C:\Windows\system32\takeown.exe
  "C:\Windows\system32\takeown.exe" /F C:\Windows\System32\AxInstSv.dll /A /R /D Y
  2⤵
  PID:572
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" C:\Windows\System32\AxInstSv.dll /grant /T /C
  2⤵
  PID:3448
- C:\Windows\system32\takeown.exe
  "C:\Windows\system32\takeown.exe" /F C:\Windows\System32\AxInstUI.exe /A /R /D Y
  2⤵
  PID:4852
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" C:\Windows\System32\AxInstUI.exe /grant /T /C
  2⤵
  PID:4620
- C:\Windows\system32\takeown.exe
  "C:\Windows\system32\takeown.exe" /F C:\Windows\System32\azman.msc /A /R /D Y
  2⤵
  PID:2232
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" C:\Windows\System32\azman.msc /grant /T /C
  2⤵
  PID:2468
- C:\Windows\system32\takeown.exe
  "C:\Windows\system32\takeown.exe" /F C:\Windows\System32\azroles.dll /A /R /D Y
  2⤵
  PID:4192
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" C:\Windows\System32\azroles.dll /grant /T /C
  2⤵
  PID:4048
- C:\Windows\system32\takeown.exe
  "C:\Windows\system32\takeown.exe" /F C:\Windows\System32\azroleui.dll /A /R /D Y
  2⤵
  PID:3844
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" C:\Windows\System32\azroleui.dll /grant /T /C
  2⤵
  PID:4108
- C:\Windows\system32\takeown.exe
  "C:\Windows\system32\takeown.exe" /F C:\Windows\System32\AzSqlExt.dll /A /R /D Y
  2⤵
  PID:5564
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" C:\Windows\System32\AzSqlExt.dll /grant /T /C
  2⤵
  PID:3968
- C:\Windows\system32\takeown.exe
  "C:\Windows\system32\takeown.exe" /F C:\Windows\System32\AzureAttest.dll /A /R /D Y
  2⤵
  PID:448
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" C:\Windows\System32\AzureAttest.dll /grant /T /C
  2⤵
  PID:2816
- C:\Windows\system32\takeown.exe
  "C:\Windows\system32\takeown.exe" /F C:\Windows\System32\AzureAttestManager.dll /A /R /D Y
  2⤵
  PID:2312
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" C:\Windows\System32\AzureAttestManager.dll /grant /T /C
  2⤵
  PID:2416
- C:\Windows\system32\takeown.exe
  "C:\Windows\system32\takeown.exe" /F C:\Windows\System32\AzureAttestNormal.dll /A /R /D Y
  2⤵
  PID:8
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" C:\Windows\System32\AzureAttestNormal.dll /grant /T /C
  2⤵
  PID:2396
- C:\Windows\system32\takeown.exe
  "C:\Windows\system32\takeown.exe" /F C:\Windows\System32\baaupdate.exe /A /R /D Y
  2⤵
  PID:5680
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" C:\Windows\System32\baaupdate.exe /grant /T /C
  2⤵
  PID:1380
- C:\Windows\system32\takeown.exe
  "C:\Windows\system32\takeown.exe" /F C:\Windows\System32\BackgroundMediaPolicy.dll /A /R /D Y
  2⤵
  PID:744
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" C:\Windows\System32\BackgroundMediaPolicy.dll /grant /T /C
  2⤵
  PID:472
- C:\Windows\system32\takeown.exe
  "C:\Windows\system32\takeown.exe" /F C:\Windows\System32\backgroundTaskHost.exe /A /R /D Y
  2⤵
  PID:4588
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" C:\Windows\System32\backgroundTaskHost.exe /grant /T /C
  2⤵
  PID:5884
- C:\Windows\system32\takeown.exe
  "C:\Windows\system32\takeown.exe" /F C:\Windows\System32\BackgroundTransferHost.exe /A /R /D Y
  2⤵
  PID:3756
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" C:\Windows\System32\BackgroundTransferHost.exe /grant /T /C
  2⤵
  PID:2744
- C:\Windows\system32\takeown.exe
  "C:\Windows\system32\takeown.exe" /F C:\Windows\System32\BamSettingsClient.dll /A /R /D Y
  2⤵
  PID:6044
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" C:\Windows\System32\BamSettingsClient.dll /grant /T /C
  2⤵
  PID:4332
- C:\Windows\system32\takeown.exe
  "C:\Windows\system32\takeown.exe" /F C:\Windows\System32\BarcodeProvisioningPlugin.dll /A /R /D Y
  2⤵
  PID:1516
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" C:\Windows\System32\BarcodeProvisioningPlugin.dll /grant /T /C
  2⤵
  PID:236
- C:\Windows\system32\takeown.exe
  "C:\Windows\system32\takeown.exe" /F C:\Windows\System32\basecsp.dll /A /R /D Y
  2⤵
  PID:2728
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" C:\Windows\System32\basecsp.dll /grant /T /C
  2⤵
  PID:3052
- C:\Windows\system32\takeown.exe
  "C:\Windows\system32\takeown.exe" /F C:\Windows\System32\basesrv.dll /A /R /D Y
  2⤵
  PID:3080
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" C:\Windows\System32\basesrv.dll /grant /T /C
  2⤵
  PID:2356
- C:\Windows\system32\takeown.exe
  "C:\Windows\system32\takeown.exe" /F C:\Windows\System32\batmeter.dll /A /R /D Y
  2⤵
  PID:5900
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" C:\Windows\System32\batmeter.dll /grant /T /C
  2⤵
  PID:2280
- C:\Windows\system32\takeown.exe
  "C:\Windows\system32\takeown.exe" /F C:\Windows\System32\bcastdvr.proxy.dll /A /R /D Y
  2⤵
  PID:5864
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" C:\Windows\System32\bcastdvr.proxy.dll /grant /T /C
  2⤵
  PID:3132
- C:\Windows\system32\takeown.exe
  "C:\Windows\system32\takeown.exe" /F C:\Windows\System32\BcastDVRBroker.dll /A /R /D Y
  2⤵
  PID:2248
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" C:\Windows\System32\BcastDVRBroker.dll /grant /T /C
  2⤵
  PID:2160
- C:\Windows\system32\takeown.exe
  "C:\Windows\system32\takeown.exe" /F C:\Windows\System32\BcastDVRClient.dll /A /R /D Y
  2⤵
  PID:5096
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" C:\Windows\System32\BcastDVRClient.dll /grant /T /C
  2⤵
  PID:5724
- C:\Windows\system32\takeown.exe
  "C:\Windows\system32\takeown.exe" /F C:\Windows\System32\BcastDVRCommon.dll /A /R /D Y
  2⤵
  PID:3432
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" C:\Windows\System32\BcastDVRCommon.dll /grant /T /C
  2⤵
  PID:2180
- C:\Windows\system32\takeown.exe
  "C:\Windows\system32\takeown.exe" /F C:\Windows\System32\bcastdvruserservice.dll /A /R /D Y
  2⤵
  PID:4260
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" C:\Windows\System32\bcastdvruserservice.dll /grant /T /C
  2⤵
  PID:5156
- C:\Windows\system32\takeown.exe
  "C:\Windows\system32\takeown.exe" /F C:\Windows\System32\bcd.dll /A /R /D Y
  2⤵
  PID:2088
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" C:\Windows\System32\bcd.dll /grant /T /C
  2⤵
  PID:5296
- C:\Windows\system32\takeown.exe
  "C:\Windows\system32\takeown.exe" /F C:\Windows\System32\bcdboot.exe /A /R /D Y
  2⤵
  PID:6040
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" C:\Windows\System32\bcdboot.exe /grant /T /C
  2⤵
  PID:5076
- C:\Windows\system32\takeown.exe
  "C:\Windows\system32\takeown.exe" /F C:\Windows\System32\bcdedit.exe /A /R /D Y
  2⤵
  PID:6032
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" C:\Windows\System32\bcdedit.exe /grant /T /C
  2⤵
  PID:2708
- C:\Windows\system32\takeown.exe
  "C:\Windows\system32\takeown.exe" /F C:\Windows\System32\bcdprov.dll /A /R /D Y
  2⤵
  PID:2376
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" C:\Windows\System32\bcdprov.dll /grant /T /C
  2⤵
  PID:3096
- C:\Windows\system32\takeown.exe
  "C:\Windows\system32\takeown.exe" /F C:\Windows\System32\bcdsrv.dll /A /R /D Y
  2⤵
  PID:5612
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" C:\Windows\System32\bcdsrv.dll /grant /T /C
  2⤵
  PID:5312
- C:\Windows\system32\takeown.exe
  "C:\Windows\system32\takeown.exe" /F C:\Windows\System32\BCP47Langs.dll /A /R /D Y
  2⤵
  PID:824
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" C:\Windows\System32\BCP47Langs.dll /grant /T /C
  2⤵
  PID:4412
- C:\Windows\system32\takeown.exe
  "C:\Windows\system32\takeown.exe" /F C:\Windows\System32\BCP47mrm.dll /A /R /D Y
  2⤵
  PID:4572
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" C:\Windows\System32\BCP47mrm.dll /grant /T /C
  2⤵
  PID:1708
- C:\Windows\system32\takeown.exe
  "C:\Windows\system32\takeown.exe" /F C:\Windows\System32\bcrypt.dll /A /R /D Y
  2⤵
  PID:4452
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" C:\Windows\System32\bcrypt.dll /grant /T /C
  2⤵
  PID:4124
- C:\Windows\system32\takeown.exe
  "C:\Windows\system32\takeown.exe" /F C:\Windows\System32\bcryptprimitives.dll /A /R /D Y
  2⤵
  PID:1288
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" C:\Windows\System32\bcryptprimitives.dll /grant /T /C
  2⤵
  PID:5832
- C:\Windows\system32\takeown.exe
  "C:\Windows\system32\takeown.exe" /F C:\Windows\System32\bdaplgin.ax /A /R /D Y
  2⤵
  PID:5244
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" C:\Windows\System32\bdaplgin.ax /grant /T /C
  2⤵
  PID:3896
- C:\Windows\system32\takeown.exe
  "C:\Windows\system32\takeown.exe" /F C:\Windows\System32\bdechangepin.exe /A /R /D Y
  2⤵
  PID:4992
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" C:\Windows\System32\bdechangepin.exe /grant /T /C
  2⤵
  PID:6052
- C:\Windows\system32\takeown.exe
  "C:\Windows\system32\takeown.exe" /F C:\Windows\System32\BdeHdCfg.exe /A /R /D Y
  2⤵
  PID:2892
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" C:\Windows\System32\BdeHdCfg.exe /grant /T /C
  2⤵
  PID:4944
- C:\Windows\system32\takeown.exe
  "C:\Windows\system32\takeown.exe" /F C:\Windows\System32\BdeHdCfgLib.dll /A /R /D Y
  2⤵
  PID:3548
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" C:\Windows\System32\BdeHdCfgLib.dll /grant /T /C
  2⤵
  PID:4312
- C:\Windows\system32\takeown.exe
  "C:\Windows\system32\takeown.exe" /F C:\Windows\System32\bderepair.dll /A /R /D Y
  2⤵
  PID:2800
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" C:\Windows\System32\bderepair.dll /grant /T /C
  2⤵
  PID:4336
- C:\Windows\system32\takeown.exe
  "C:\Windows\system32\takeown.exe" /F C:\Windows\System32\bdesvc.dll /A /R /D Y
  2⤵
  PID:5692
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" C:\Windows\System32\bdesvc.dll /grant /T /C
  2⤵
  PID:432
- C:\Windows\system32\takeown.exe
  "C:\Windows\system32\takeown.exe" /F C:\Windows\System32\BdeSysprep.dll /A /R /D Y
  2⤵
  PID:1156
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" C:\Windows\System32\BdeSysprep.dll /grant /T /C
  2⤵
  PID:1752
- C:\Windows\system32\takeown.exe
  "C:\Windows\system32\takeown.exe" /F C:\Windows\System32\bdeui.dll /A /R /D Y
  2⤵
  PID:3120
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" C:\Windows\System32\bdeui.dll /grant /T /C
  2⤵
  PID:5700
- C:\Windows\system32\takeown.exe
  "C:\Windows\system32\takeown.exe" /F C:\Windows\System32\BdeUISrv.exe /A /R /D Y
  2⤵
  PID:3144
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" C:\Windows\System32\BdeUISrv.exe /grant /T /C
  2⤵
  PID:4892
- C:\Windows\system32\takeown.exe
  "C:\Windows\system32\takeown.exe" /F C:\Windows\System32\bdeunlock.exe /A /R /D Y
  2⤵
  PID:1580
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" C:\Windows\System32\bdeunlock.exe /grant /T /C
  2⤵
  PID:748
- C:\Windows\system32\takeown.exe
  "C:\Windows\system32\takeown.exe" /F C:\Windows\System32\BFE.DLL /A /R /D Y
  2⤵
  PID:2836
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" C:\Windows\System32\BFE.DLL /grant /T /C
  2⤵
  PID:2240
- C:\Windows\system32\takeown.exe
  "C:\Windows\system32\takeown.exe" /F C:\Windows\System32\bi.dll /A /R /D Y
  2⤵
  PID:4668
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" C:\Windows\System32\bi.dll /grant /T /C
  2⤵
  PID:2324
- C:\Windows\system32\takeown.exe
  "C:\Windows\system32\takeown.exe" /F C:\Windows\System32\bidispl.dll /A /R /D Y
  2⤵
  PID:1636
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" C:\Windows\System32\bidispl.dll /grant /T /C
  2⤵
  PID:4072
- C:\Windows\system32\takeown.exe
  "C:\Windows\system32\takeown.exe" /F C:\Windows\System32\bindfltapi.dll /A /R /D Y
  2⤵
  PID:5412
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" C:\Windows\System32\bindfltapi.dll /grant /T /C
  2⤵
  PID:3040
- C:\Windows\system32\takeown.exe
  "C:\Windows\system32\takeown.exe" /F C:\Windows\System32\BingASDS.dll /A /R /D Y
  2⤵
  PID:6072
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" C:\Windows\System32\BingASDS.dll /grant /T /C
  2⤵
  PID:5124
- C:\Windows\system32\takeown.exe
  "C:\Windows\system32\takeown.exe" /F C:\Windows\System32\BingFilterDS.dll /A /R /D Y
  2⤵
  PID:2712
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" C:\Windows\System32\BingFilterDS.dll /grant /T /C
  2⤵
  - Possible privilege escalation attempt
  PID:6096
- C:\Windows\system32\takeown.exe
  "C:\Windows\system32\takeown.exe" /F C:\Windows\System32\BingMaps.dll /A /R /D Y
  2⤵
  PID:640
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" C:\Windows\System32\BingMaps.dll /grant /T /C
  2⤵
  PID:5176
- C:\Windows\system32\takeown.exe
  "C:\Windows\system32\takeown.exe" /F C:\Windows\System32\BingOnlineServices.dll /A /R /D Y
  2⤵
  PID:5768
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" C:\Windows\System32\BingOnlineServices.dll /grant /T /C
  2⤵
  PID:3400
- C:\Windows\system32\takeown.exe
  "C:\Windows\system32\takeown.exe" /F C:\Windows\System32\BioCredProv.dll /A /R /D Y
  2⤵
  PID:1948
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" C:\Windows\System32\BioCredProv.dll /grant /T /C
  2⤵
  PID:5796
- C:\Windows\system32\takeown.exe
  "C:\Windows\system32\takeown.exe" /F C:\Windows\System32\BioIso.exe /A /R /D Y
  2⤵
  PID:5944
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" C:\Windows\System32\BioIso.exe /grant /T /C
  2⤵
  PID:2876
- C:\Windows\system32\takeown.exe
  "C:\Windows\system32\takeown.exe" /F C:\Windows\System32\bisrv.dll /A /R /D Y
  2⤵
  PID:1564
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" C:\Windows\System32\bisrv.dll /grant /T /C
  2⤵
  PID:476
- C:\Windows\system32\takeown.exe
  "C:\Windows\system32\takeown.exe" /F C:\Windows\System32\BitLockerCsp.dll /A /R /D Y
  2⤵
  PID:1492
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" C:\Windows\System32\BitLockerCsp.dll /grant /T /C
  2⤵
  PID:1900
- C:\Windows\system32\takeown.exe
  "C:\Windows\system32\takeown.exe" /F C:\Windows\System32\BitLockerDeviceEncryption.exe /A /R /D Y
  2⤵
  PID:3408
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" C:\Windows\System32\BitLockerDeviceEncryption.exe /grant /T /C
  2⤵
  PID:1072
- C:\Windows\system32\takeown.exe
  "C:\Windows\system32\takeown.exe" /F C:\Windows\System32\BitLockerWizard.exe /A /R /D Y
  2⤵
  PID:3064
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" C:\Windows\System32\BitLockerWizard.exe /grant /T /C
  2⤵
  PID:828
- C:\Windows\system32\takeown.exe
  "C:\Windows\system32\takeown.exe" /F C:\Windows\System32\BitLockerWizardElev.exe /A /R /D Y
  2⤵
  PID:2704
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" C:\Windows\System32\BitLockerWizardElev.exe /grant /T /C
  2⤵
  PID:2572
- C:\Windows\system32\takeown.exe
  "C:\Windows\system32\takeown.exe" /F C:\Windows\System32\bitsadmin.exe /A /R /D Y
  2⤵
  PID:5016
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" C:\Windows\System32\bitsadmin.exe /grant /T /C
  2⤵
  PID:2220
- C:\Windows\system32\takeown.exe
  "C:\Windows\system32\takeown.exe" /F C:\Windows\System32\bitsigd.dll /A /R /D Y
  2⤵
  PID:2380
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" C:\Windows\System32\bitsigd.dll /grant /T /C
  2⤵
  PID:3576
- C:\Windows\system32\takeown.exe
  "C:\Windows\system32\takeown.exe" /F C:\Windows\System32\bitsperf.dll /A /R /D Y
  2⤵
  PID:2788
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" C:\Windows\System32\bitsperf.dll /grant /T /C
  2⤵
  PID:2268
- C:\Windows\system32\takeown.exe
  "C:\Windows\system32\takeown.exe" /F C:\Windows\System32\BitsProxy.dll /A /R /D Y
  2⤵
  PID:1468
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" C:\Windows\System32\BitsProxy.dll /grant /T /C
  2⤵
  PID:5720
- C:\Windows\system32\takeown.exe
  "C:\Windows\system32\takeown.exe" /F C:\Windows\System32\biwinrt.dll /A /R /D Y
  2⤵
  PID:3580
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" C:\Windows\System32\biwinrt.dll /grant /T /C
  2⤵
  PID:3076
- C:\Windows\system32\takeown.exe
  "C:\Windows\system32\takeown.exe" /F C:\Windows\System32\BlbEvents.dll /A /R /D Y
  2⤵
  PID:2224
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" C:\Windows\System32\BlbEvents.dll /grant /T /C
  2⤵
  PID:5068
- C:\Windows\system32\takeown.exe
  "C:\Windows\system32\takeown.exe" /F C:\Windows\System32\blbres.dll /A /R /D Y
  2⤵
  PID:588
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" C:\Windows\System32\blbres.dll /grant /T /C
  2⤵
  PID:384
- C:\Windows\system32\takeown.exe
  "C:\Windows\system32\takeown.exe" /F C:\Windows\System32\blb_ps.dll /A /R /D Y
  2⤵
  PID:5740
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" C:\Windows\System32\blb_ps.dll /grant /T /C
  2⤵
  PID:4984
- C:\Windows\system32\takeown.exe
  "C:\Windows\system32\takeown.exe" /F C:\Windows\System32\BluetoothApis.dll /A /R /D Y
  2⤵
  PID:3736
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" C:\Windows\System32\BluetoothApis.dll /grant /T /C
  2⤵
  PID:2684
- C:\Windows\system32\takeown.exe
  "C:\Windows\system32\takeown.exe" /F C:\Windows\System32\BluetoothDesktopHandlers.dll /A /R /D Y
  2⤵
  - Modifies file permissions
  PID:552
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" C:\Windows\System32\BluetoothDesktopHandlers.dll /grant /T /C
  2⤵
  PID:1476
- C:\Windows\system32\takeown.exe
  "C:\Windows\system32\takeown.exe" /F C:\Windows\System32\BluetoothPairingSystemToastIcon.contrast-black.png /A /R /D Y
  2⤵
  PID:5516
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" C:\Windows\System32\BluetoothPairingSystemToastIcon.contrast-black.png /grant /T /C
  2⤵
  PID:5576
- C:\Windows\system32\takeown.exe
  "C:\Windows\system32\takeown.exe" /F C:\Windows\System32\BluetoothPairingSystemToastIcon.contrast-high.png /A /R /D Y
  2⤵
  PID:5484
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" C:\Windows\System32\BluetoothPairingSystemToastIcon.contrast-high.png /grant /T /C
  2⤵
  PID:5736
- C:\Windows\system32\takeown.exe
  "C:\Windows\system32\takeown.exe" /F C:\Windows\System32\BluetoothPairingSystemToastIcon.contrast-white.png /A /R /D Y
  2⤵
  PID:5536
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" C:\Windows\System32\BluetoothPairingSystemToastIcon.contrast-white.png /grant /T /C
  2⤵
  PID:2904
- C:\Windows\system32\takeown.exe
  "C:\Windows\system32\takeown.exe" /F C:\Windows\System32\BluetoothPairingSystemToastIcon.png /A /R /D Y
  2⤵
  PID:5572
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" C:\Windows\System32\BluetoothPairingSystemToastIcon.png /grant /T /C
  2⤵
  PID:3112
- C:\Windows\system32\takeown.exe
  "C:\Windows\system32\takeown.exe" /F C:\Windows\System32\BluetoothSystemToastIcon.contrast-white.png /A /R /D Y
  2⤵
  PID:5688
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" C:\Windows\System32\BluetoothSystemToastIcon.contrast-white.png /grant /T /C
  2⤵
  PID:5532
- C:\Windows\system32\takeown.exe
  "C:\Windows\system32\takeown.exe" /F C:\Windows\System32\BluetoothSystemToastIcon.png /A /R /D Y
  2⤵
  PID:5560
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" C:\Windows\System32\BluetoothSystemToastIcon.png /grant /T /C
  2⤵
  PID:3660
- C:\Windows\system32\takeown.exe
  "C:\Windows\system32\takeown.exe" /F C:\Windows\System32\bnmanager.dll /A /R /D Y
  2⤵
  PID:5716
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" C:\Windows\System32\bnmanager.dll /grant /T /C
  2⤵
  PID:4900
- C:\Windows\system32\takeown.exe
  "C:\Windows\system32\takeown.exe" /F C:\Windows\System32\boot.sdi /A /R /D Y
  2⤵
  PID:4644
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" C:\Windows\System32\boot.sdi /grant /T /C
  2⤵
  PID:3388
- C:\Windows\system32\takeown.exe
  "C:\Windows\system32\takeown.exe" /F C:\Windows\System32\bootim.exe /A /R /D Y
  2⤵
  PID:2840
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" C:\Windows\System32\bootim.exe /grant /T /C
  2⤵
  PID:2532
- C:\Windows\system32\takeown.exe
  "C:\Windows\system32\takeown.exe" /F C:\Windows\System32\BootMenuUX.dll /A /R /D Y
  2⤵
  PID:992
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" C:\Windows\System32\BootMenuUX.dll /grant /T /C
  2⤵
  PID:4864
- C:\Windows\system32\takeown.exe
  "C:\Windows\system32\takeown.exe" /F C:\Windows\System32\bootsect.exe /A /R /D Y
  2⤵
  PID:4656
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" C:\Windows\System32\bootsect.exe /grant /T /C
  2⤵
  PID:5084
- C:\Windows\system32\takeown.exe
  "C:\Windows\system32\takeown.exe" /F C:\Windows\System32\bootstr.dll /A /R /D Y
  2⤵
  PID:2944
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" C:\Windows\System32\bootstr.dll /grant /T /C
  2⤵
  PID:3828
- C:\Windows\system32\takeown.exe
  "C:\Windows\system32\takeown.exe" /F C:\Windows\System32\bootsvc.dll /A /R /D Y
  2⤵
  PID:4032
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" C:\Windows\System32\bootsvc.dll /grant /T /C
  2⤵
  PID:5856
- C:\Windows\system32\takeown.exe
  "C:\Windows\system32\takeown.exe" /F C:\Windows\System32\bootux.dll /A /R /D Y
  2⤵
  PID:4564
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" C:\Windows\System32\bootux.dll /grant /T /C
  2⤵
  PID:5872
- C:\Windows\system32\takeown.exe
  "C:\Windows\system32\takeown.exe" /F C:\Windows\System32\BOOTVID.DLL /A /R /D Y
  2⤵
  PID:1600
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" C:\Windows\System32\BOOTVID.DLL /grant /T /C
  2⤵
  PID:5804
- C:\Windows\system32\takeown.exe
  "C:\Windows\system32\takeown.exe" /F C:\Windows\System32\bopomofo.uce /A /R /D Y
  2⤵
  PID:4820
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" C:\Windows\System32\bopomofo.uce /grant /T /C
  2⤵
  PID:4768
- C:\Windows\system32\takeown.exe
  "C:\Windows\system32\takeown.exe" /F C:\Windows\System32\bridgeres.dll /A /R /D Y
  2⤵
  PID:4816
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" C:\Windows\System32\bridgeres.dll /grant /T /C
  2⤵
  PID:4932
- C:\Windows\system32\takeown.exe
  "C:\Windows\system32\takeown.exe" /F C:\Windows\System32\bridgeunattend.exe /A /R /D Y
  2⤵
  PID:4780
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" C:\Windows\System32\bridgeunattend.exe /grant /T /C
  2⤵
  PID:3956
- C:\Windows\system32\takeown.exe
  "C:\Windows\system32\takeown.exe" /F C:\Windows\System32\BrokerLib.dll /A /R /D Y
  2⤵
  PID:4836
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" C:\Windows\System32\BrokerLib.dll /grant /T /C
  2⤵
  PID:4880
- C:\Windows\system32\takeown.exe
  "C:\Windows\system32\takeown.exe" /F C:\Windows\System32\browcli.dll /A /R /D Y
  2⤵
  PID:4940
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" C:\Windows\System32\browcli.dll /grant /T /C
  2⤵
  PID:4924
- C:\Windows\system32\takeown.exe
  "C:\Windows\system32\takeown.exe" /F C:\Windows\System32\browserbroker.dll /A /R /D Y
  2⤵
  PID:3252
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" C:\Windows\System32\browserbroker.dll /grant /T /C
  2⤵
  PID:4976
- C:\Windows\system32\takeown.exe
  "C:\Windows\system32\takeown.exe" /F C:\Windows\System32\browserexport.exe /A /R /D Y
  2⤵
  PID:4996
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" C:\Windows\System32\browserexport.exe /grant /T /C
  2⤵
  PID:4436
- C:\Windows\system32\takeown.exe
  "C:\Windows\system32\takeown.exe" /F C:\Windows\System32\browser_broker.exe /A /R /D Y
  2⤵
  PID:5048
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" C:\Windows\System32\browser_broker.exe /grant /T /C
  2⤵
  PID:5040
- C:\Windows\system32\takeown.exe
  "C:\Windows\system32\takeown.exe" /F C:\Windows\System32\browseui.dll /A /R /D Y
  2⤵
  - Modifies file permissions
  PID:3464
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" C:\Windows\System32\browseui.dll /grant /T /C
  2⤵
  PID:1200
- C:\Windows\system32\takeown.exe
  "C:\Windows\system32\takeown.exe" /F C:\Windows\System32\BTAGService.dll /A /R /D Y
  2⤵
  PID:5332
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" C:\Windows\System32\BTAGService.dll /grant /T /C
  2⤵
  PID:1108
- C:\Windows\system32\takeown.exe
  "C:\Windows\system32\takeown.exe" /F C:\Windows\System32\BthAvctpSvc.dll /A /R /D Y
  2⤵
  PID:4240
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" C:\Windows\System32\BthAvctpSvc.dll /grant /T /C
  2⤵
  PID:1684
- C:\Windows\system32\takeown.exe
  "C:\Windows\system32\takeown.exe" /F C:\Windows\System32\BthAvrcp.dll /A /R /D Y
  2⤵
  PID:1664
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" C:\Windows\System32\BthAvrcp.dll /grant /T /C
  2⤵
  PID:5812
- C:\Windows\system32\takeown.exe
  "C:\Windows\system32\takeown.exe" /F C:\Windows\System32\BthAvrcpAppSvc.dll /A /R /D Y
  2⤵
  PID:2972
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" C:\Windows\System32\BthAvrcpAppSvc.dll /grant /T /C
  2⤵
  PID:1152
- C:\Windows\system32\takeown.exe
  "C:\Windows\system32\takeown.exe" /F C:\Windows\System32\bthci.dll /A /R /D Y
  2⤵
  PID:3456
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" C:\Windows\System32\bthci.dll /grant /T /C
  2⤵
  PID:3696
- C:\Windows\system32\takeown.exe
  "C:\Windows\system32\takeown.exe" /F C:\Windows\System32\BthMtpContextHandler.dll /A /R /D Y
  2⤵
  PID:1560
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" C:\Windows\System32\BthMtpContextHandler.dll /grant /T /C
  2⤵
  PID:5848
- C:\Windows\system32\takeown.exe
  "C:\Windows\system32\takeown.exe" /F C:\Windows\System32\bthpanapi.dll /A /R /D Y
  2⤵
  PID:3136
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" C:\Windows\System32\bthpanapi.dll /grant /T /C
  2⤵
  PID:3348
- C:\Windows\system32\takeown.exe
  "C:\Windows\system32\takeown.exe" /F C:\Windows\System32\BthpanContextHandler.dll /A /R /D Y
  2⤵
  PID:4600
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" C:\Windows\System32\BthpanContextHandler.dll /grant /T /C
  2⤵
  PID:2504
- C:\Windows\system32\takeown.exe
  "C:\Windows\system32\takeown.exe" /F C:\Windows\System32\bthprops.cpl /A /R /D Y
  2⤵
  PID:4404
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" C:\Windows\System32\bthprops.cpl /grant /T /C
  2⤵
  PID:2500
- C:\Windows\system32\takeown.exe
  "C:\Windows\system32\takeown.exe" /F C:\Windows\System32\BthRadioMedia.dll /A /R /D Y
  2⤵
  PID:428
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" C:\Windows\System32\BthRadioMedia.dll /grant /T /C
  2⤵
  PID:2420
- C:\Windows\system32\takeown.exe
  "C:\Windows\system32\takeown.exe" /F C:\Windows\System32\bthserv.dll /A /R /D Y
  2⤵
  - Possible privilege escalation attempt
  PID:2404
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" C:\Windows\System32\bthserv.dll /grant /T /C
  2⤵
  PID:3508
- C:\Windows\system32\takeown.exe
  "C:\Windows\system32\takeown.exe" /F C:\Windows\System32\BthTelemetry.dll /A /R /D Y
  2⤵
  PID:4756
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" C:\Windows\System32\BthTelemetry.dll /grant /T /C
  2⤵
  PID:2316
- C:\Windows\system32\takeown.exe
  "C:\Windows\system32\takeown.exe" /F C:\Windows\System32\bthudtask.exe /A /R /D Y
  2⤵
  PID:3068
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" C:\Windows\System32\bthudtask.exe /grant /T /C
  2⤵
  PID:5876
- C:\Windows\system32\takeown.exe
  "C:\Windows\system32\takeown.exe" /F C:\Windows\System32\btpanui.dll /A /R /D Y
  2⤵
  PID:4476
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" C:\Windows\System32\btpanui.dll /grant /T /C
  2⤵
  PID:4396
- C:\Windows\system32\takeown.exe
  "C:\Windows\system32\takeown.exe" /F C:\Windows\System32\Bubbles.scr /A /R /D Y
  2⤵
  PID:3592
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" C:\Windows\System32\Bubbles.scr /grant /T /C
  2⤵
  PID:1860
- C:\Windows\system32\takeown.exe
  "C:\Windows\system32\takeown.exe" /F C:\Windows\System32\BWContextHandler.dll /A /R /D Y
  2⤵
  PID:2328
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" C:\Windows\System32\BWContextHandler.dll /grant /T /C
  2⤵
  PID:236
- C:\Windows\system32\takeown.exe
  "C:\Windows\system32\takeown.exe" /F C:\Windows\System32\ByteCodeGenerator.exe /A /R /D Y
  2⤵
  PID:2352
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" C:\Windows\System32\ByteCodeGenerator.exe /grant /T /C
  2⤵
  PID:560
- C:\Windows\system32\takeown.exe
  "C:\Windows\system32\takeown.exe" /F C:\Windows\System32\cabapi.dll /A /R /D Y
  2⤵
  PID:1416
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" C:\Windows\System32\cabapi.dll /grant /T /C
  2⤵
  PID:4352
- C:\Windows\system32\takeown.exe
  "C:\Windows\system32\takeown.exe" /F C:\Windows\System32\cabinet.dll /A /R /D Y
  2⤵
  PID:5900
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" C:\Windows\System32\cabinet.dll /grant /T /C
  2⤵
  PID:2156
- C:\Windows\system32\takeown.exe
  "C:\Windows\system32\takeown.exe" /F C:\Windows\System32\cabview.dll /A /R /D Y
  2⤵
  PID:5476
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" C:\Windows\System32\cabview.dll /grant /T /C
  2⤵
  PID:3488
- C:\Windows\system32\takeown.exe
  "C:\Windows\system32\takeown.exe" /F C:\Windows\System32\cacls.exe /A /R /D Y
  2⤵
  PID:2496
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" C:\Windows\System32\cacls.exe /grant /T /C
  2⤵
  PID:2248
- C:\Windows\system32\takeown.exe
  "C:\Windows\system32\takeown.exe" /F C:\Windows\System32\calc.exe /A /R /D Y
  2⤵
  PID:2444
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" C:\Windows\System32\calc.exe /grant /T /C
  2⤵
  PID:5096
- C:\Windows\system32\takeown.exe
  "C:\Windows\system32\takeown.exe" /F C:\Windows\System32\CallButtons.dll /A /R /D Y
  2⤵
  PID:1604
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" C:\Windows\System32\CallButtons.dll /grant /T /C
  2⤵
  PID:1720
- C:\Windows\system32\takeown.exe
  "C:\Windows\system32\takeown.exe" /F C:\Windows\System32\CallButtons.ProxyStub.dll /A /R /D Y
  2⤵
  PID:4260
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" C:\Windows\System32\CallButtons.ProxyStub.dll /grant /T /C
  2⤵
  PID:5156
- C:\Windows\system32\takeown.exe
  "C:\Windows\system32\takeown.exe" /F C:\Windows\System32\CallHistoryClient.dll /A /R /D Y
  2⤵
  PID:2088
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" C:\Windows\System32\CallHistoryClient.dll /grant /T /C
  2⤵
  PID:5296
- C:\Windows\system32\takeown.exe
  "C:\Windows\system32\takeown.exe" /F C:\Windows\System32\CameraCaptureUI.dll /A /R /D Y
  2⤵
  PID:1300
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" C:\Windows\System32\CameraCaptureUI.dll /grant /T /C
  2⤵
  PID:3716
- C:\Windows\system32\takeown.exe
  "C:\Windows\system32\takeown.exe" /F C:\Windows\System32\CameraSettingsUIHost.exe /A /R /D Y
  2⤵
  PID:1992
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" C:\Windows\System32\CameraSettingsUIHost.exe /grant /T /C
  2⤵
  PID:5836
- C:\Windows\system32\takeown.exe
  "C:\Windows\system32\takeown.exe" /F C:\Windows\System32\CapabilityAccessHandlers.dll /A /R /D Y
  2⤵
  - Modifies file permissions
  PID:1420
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" C:\Windows\System32\CapabilityAccessHandlers.dll /grant /T /C
  2⤵
  PID:4224
- C:\Windows\system32\takeown.exe
  "C:\Windows\system32\takeown.exe" /F C:\Windows\System32\CapabilityAccessManager.dll /A /R /D Y
  2⤵
  PID:1836
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" C:\Windows\System32\CapabilityAccessManager.dll /grant /T /C
  2⤵
  PID:6056
- C:\Windows\system32\takeown.exe
  "C:\Windows\system32\takeown.exe" /F C:\Windows\System32\CapabilityAccessManagerClient.dll /A /R /D Y
  2⤵
  PID:5480
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" C:\Windows\System32\CapabilityAccessManagerClient.dll /grant /T /C
  2⤵
  PID:3904
- C:\Windows\system32\takeown.exe
  "C:\Windows\system32\takeown.exe" /F C:\Windows\System32\capauthz.dll /A /R /D Y
  2⤵
  PID:892
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" C:\Windows\System32\capauthz.dll /grant /T /C
  2⤵
  PID:2824
- C:\Windows\system32\takeown.exe
  "C:\Windows\system32\takeown.exe" /F C:\Windows\System32\capiprovider.dll /A /R /D Y
  2⤵
  PID:4264
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" C:\Windows\System32\capiprovider.dll /grant /T /C
  2⤵
  - Modifies file permissions
  PID:1324
- C:\Windows\system32\takeown.exe
  "C:\Windows\system32\takeown.exe" /F C:\Windows\System32\capisp.dll /A /R /D Y
  2⤵
  PID:5228
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" C:\Windows\System32\capisp.dll /grant /T /C
  2⤵
  PID:5612
- C:\Windows\system32\takeown.exe
  "C:\Windows\system32\takeown.exe" /F C:\Windows\System32\CaptureService.dll /A /R /D Y
  2⤵
  PID:2052
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" C:\Windows\System32\CaptureService.dll /grant /T /C
  2⤵
  PID:3824
- C:\Windows\system32\takeown.exe
  "C:\Windows\system32\takeown.exe" /F C:\Windows\System32\CastingShellExt.dll /A /R /D Y
  2⤵
  PID:5696
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" C:\Windows\System32\CastingShellExt.dll /grant /T /C
  2⤵
  PID:4992
- C:\Windows\system32\takeown.exe
  "C:\Windows\system32\takeown.exe" /F C:\Windows\System32\CastLaunch.dll /A /R /D Y
  2⤵
  PID:5652
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" C:\Windows\System32\CastLaunch.dll /grant /T /C
  2⤵
  PID:2892
- C:\Windows\system32\takeown.exe
  "C:\Windows\system32\takeown.exe" /F C:\Windows\System32\CastSrv.exe /A /R /D Y
  2⤵
  PID:3476
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" C:\Windows\System32\CastSrv.exe /grant /T /C
  2⤵
  PID:1372
- C:\Windows\system32\takeown.exe
  "C:\Windows\system32\takeown.exe" /F C:\Windows\System32\catsrv.dll /A /R /D Y
  2⤵
  PID:4496
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" C:\Windows\System32\catsrv.dll /grant /T /C
  2⤵
  PID:5820
- C:\Windows\system32\takeown.exe
  "C:\Windows\system32\takeown.exe" /F C:\Windows\System32\catsrvps.dll /A /R /D Y
  2⤵
  PID:2100
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" C:\Windows\System32\catsrvps.dll /grant /T /C
  2⤵
  PID:3548
- C:\Windows\system32\takeown.exe
  "C:\Windows\system32\takeown.exe" /F C:\Windows\System32\catsrvut.dll /A /R /D Y
  2⤵
  PID:1376
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" C:\Windows\System32\catsrvut.dll /grant /T /C
  2⤵
  PID:6108
- C:\Windows\system32\takeown.exe
  "C:\Windows\system32\takeown.exe" /F C:\Windows\System32\CBDHSvc.dll /A /R /D Y
  2⤵
  PID:5708
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" C:\Windows\System32\CBDHSvc.dll /grant /T /C
  2⤵
  PID:1156
- C:\Windows\system32\takeown.exe
  "C:\Windows\system32\takeown.exe" /F C:\Windows\System32\cca.dll /A /R /D Y
  2⤵
  PID:6012
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" C:\Windows\System32\cca.dll /grant /T /C
  2⤵
  PID:3144
- C:\Windows\system32\takeown.exe
  "C:\Windows\system32\takeown.exe" /F C:\Windows\System32\cdd.dll /A /R /D Y
  2⤵
  PID:1176
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" C:\Windows\System32\cdd.dll /grant /T /C
  2⤵
  PID:5896
- C:\Windows\system32\takeown.exe
  "C:\Windows\system32\takeown.exe" /F C:\Windows\System32\cdosys.dll /A /R /D Y
  2⤵
  PID:5088
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" C:\Windows\System32\cdosys.dll /grant /T /C
  2⤵
  PID:3092
- C:\Windows\system32\takeown.exe
  "C:\Windows\system32\takeown.exe" /F C:\Windows\System32\cdp.dll /A /R /D Y
  2⤵
  PID:3128
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" C:\Windows\System32\cdp.dll /grant /T /C
  2⤵
  PID:1172
- C:\Windows\system32\takeown.exe
  "C:\Windows\system32\takeown.exe" /F C:\Windows\System32\cdprt.dll /A /R /D Y
  2⤵
  PID:1620
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" C:\Windows\System32\cdprt.dll /grant /T /C
  2⤵
  PID:5956
- C:\Windows\system32\takeown.exe
  "C:\Windows\system32\takeown.exe" /F C:\Windows\System32\cdpsvc.dll /A /R /D Y
  2⤵
  PID:908
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" C:\Windows\System32\cdpsvc.dll /grant /T /C
  2⤵
  PID:2828
- C:\Windows\system32\takeown.exe
  "C:\Windows\system32\takeown.exe" /F C:\Windows\System32\cdpusersvc.dll /A /R /D Y
  2⤵
  PID:1660
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" C:\Windows\System32\cdpusersvc.dll /grant /T /C
  2⤵
  PID:1636
- C:\Windows\system32\takeown.exe
  "C:\Windows\system32\takeown.exe" /F C:\Windows\System32\cellulardatacapabilityhandler.dll /A /R /D Y
  2⤵
  PID:5376
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" C:\Windows\System32\cellulardatacapabilityhandler.dll /grant /T /C
  2⤵
  PID:2712
- C:\Windows\system32\takeown.exe
  "C:\Windows\system32\takeown.exe" /F C:\Windows\System32\cemapi.dll /A /R /D Y
  2⤵
  PID:1544
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" C:\Windows\System32\cemapi.dll /grant /T /C
  2⤵
  PID:640
- C:\Windows\system32\takeown.exe
  "C:\Windows\system32\takeown.exe" /F C:\Windows\System32\cero.rs /A /R /D Y
  2⤵
  PID:3020
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" C:\Windows\System32\cero.rs /grant /T /C
  2⤵
  PID:2392
- C:\Windows\system32\takeown.exe
  "C:\Windows\system32\takeown.exe" /F C:\Windows\System32\certca.dll /A /R /D Y
  2⤵
  PID:1368
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" C:\Windows\System32\certca.dll /grant /T /C
  2⤵
  PID:2412
- C:\Windows\system32\takeown.exe
  "C:\Windows\system32\takeown.exe" /F C:\Windows\System32\certcli.dll /A /R /D Y
  2⤵
  PID:2016
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" C:\Windows\System32\certcli.dll /grant /T /C
  2⤵
  PID:376
- C:\Windows\system32\takeown.exe
  "C:\Windows\system32\takeown.exe" /F C:\Windows\System32\certCredProvider.dll /A /R /D Y
  2⤵
  PID:4616
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" C:\Windows\System32\certCredProvider.dll /grant /T /C
  2⤵
  PID:4724
- C:\Windows\system32\takeown.exe
  "C:\Windows\system32\takeown.exe" /F C:\Windows\System32\certenc.dll /A /R /D Y
  2⤵
  PID:5204
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" C:\Windows\System32\certenc.dll /grant /T /C
  2⤵
  PID:3876
- C:\Windows\system32\takeown.exe
  "C:\Windows\system32\takeown.exe" /F C:\Windows\System32\CertEnroll.dll /A /R /D Y
  2⤵
  PID:1808
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" C:\Windows\System32\CertEnroll.dll /grant /T /C
  2⤵
  PID:944
- C:\Windows\system32\takeown.exe
  "C:\Windows\system32\takeown.exe" /F C:\Windows\System32\CertEnrollCtrl.exe /A /R /D Y
  2⤵
  PID:3360
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" C:\Windows\System32\CertEnrollCtrl.exe /grant /T /C
  2⤵
  PID:2752
- C:\Windows\system32\takeown.exe
  "C:\Windows\system32\takeown.exe" /F C:\Windows\System32\CertEnrollUI.dll /A /R /D Y
  2⤵
  PID:4184
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" C:\Windows\System32\CertEnrollUI.dll /grant /T /C
  2⤵
  PID:3588
- C:\Windows\system32\takeown.exe
  "C:\Windows\system32\takeown.exe" /F C:\Windows\System32\certlm.msc /A /R /D Y
  2⤵
  PID:2772
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" C:\Windows\System32\certlm.msc /grant /T /C
  2⤵
  PID:2104
- C:\Windows\system32\takeown.exe
  "C:\Windows\system32\takeown.exe" /F C:\Windows\System32\certmgr.dll /A /R /D Y
  2⤵
  PID:4688

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Boot or Logon Autostart Execution

T1547

Print Processors

T1547.012

Power Settings

T1653

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Print Processors

T1547.012

Defense Evasion

File and Directory Permissions Modification

T1222

Indicator Removal

T1070

Clear Windows Event Logs

T1070.001

Indirect Command Execution

T1202

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_bxc24grt.bah.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
memory/6080-0-0x00007FFE7D133000-0x00007FFE7D135000-memory.dmp

Filesize
8KB

Download
memory/6080-9-0x0000013AAFCF0000-0x0000013AAFD12000-memory.dmp

Filesize
136KB

Download
memory/6080-10-0x00007FFE7D130000-0x00007FFE7DBF2000-memory.dmp

Filesize
10.8MB

Download
memory/6080-11-0x00007FFE7D130000-0x00007FFE7DBF2000-memory.dmp

Filesize
10.8MB

Download
memory/6080-12-0x00007FFE7D130000-0x00007FFE7DBF2000-memory.dmp

Filesize
10.8MB

Download
memory/6080-13-0x00007FFE7D130000-0x00007FFE7DBF2000-memory.dmp

Filesize
10.8MB

Download
memory/6080-14-0x00007FFE7D133000-0x00007FFE7D135000-memory.dmp

Filesize
8KB

Download
memory/6080-15-0x00007FFE7D130000-0x00007FFE7DBF2000-memory.dmp

Filesize
10.8MB

Download