6f84b7ce7b930120199800d0ff1feecfd33ab0c94e974528745ef90a3e96db2c

Analysis

max time kernel
570s
max time network
447s
platform
windows11-21h2_x64
resource
win11-20250313-en
resource tags

arch:x64arch:x86image:win11-20250313-enlocale:en-usos:windows11-21h2-x64system
submitted
02/04/2025, 06:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

philerbum.ps1
Size

236B
MD5

4872578532f7050afd655766822ee818
SHA1

feff9ef8492c31905b03407a451de67ee5d6b6db
SHA256

6f84b7ce7b930120199800d0ff1feecfd33ab0c94e974528745ef90a3e96db2c
SHA512

770f1fd5e5bebb5ff94e9bac493b1a2900e95f4becce65b66ed7ba507aa145d88e780bc5927822a8e787aa917727e1e68f103400ca6cb67f67bcbda14b1bcee0

Score

8^/10

defense_evasion discovery execution exploit persistence

Malware Config

Signatures

Drops file in Drivers directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\UMDF\en-US\Microsoft.Bluetooth.Profiles.HidOverGatt.dll.mui	PowerShell.exe
File opened for modification	C:\Windows\System32\drivers\amdi2c.sys	PowerShell.exe
File opened for modification	C:\Windows\System32\drivers\de-DE\usbhub.sys.mui	PowerShell.exe
File opened for modification	C:\Windows\System32\drivers\en-US\ndisuio.sys.mui	PowerShell.exe
File opened for modification	C:\Windows\System32\drivers\fr-FR\pnpmem.sys.mui	PowerShell.exe
File opened for modification	C:\Windows\System32\drivers\ja-JP\mountmgr.sys.mui	PowerShell.exe
File opened for modification	C:\Windows\System32\drivers\ja-JP\ndisuio.sys.mui	PowerShell.exe
File opened for modification	C:\Windows\System32\drivers\gpuenergydrv.sys	PowerShell.exe
File opened for modification	C:\Windows\System32\drivers\fr-FR\ws2ifsl.sys.mui	PowerShell.exe
File opened for modification	C:\Windows\System32\drivers\ja-JP\tsusbflt.sys.mui	PowerShell.exe
File opened for modification	C:\Windows\System32\drivers\UMDF\fr-FR\WUDFUsbccidDriver.dll.mui	PowerShell.exe
File opened for modification	C:\Windows\System32\drivers\de-DE\BTHUSB.SYS.mui	PowerShell.exe
File opened for modification	C:\Windows\System32\drivers\dxgkrnl.sys	PowerShell.exe
File opened for modification	C:\Windows\System32\drivers\rhproxy.sys	PowerShell.exe
File opened for modification	C:\Windows\System32\drivers\sdbus.sys	PowerShell.exe
File opened for modification	C:\Windows\System32\drivers\en-US\usbstor.sys.mui	PowerShell.exe
File opened for modification	C:\Windows\System32\drivers\mcd.sys	PowerShell.exe
File opened for modification	C:\Windows\System32\drivers\Microsoft.Bluetooth.Legacy.LEEnumerator.sys	PowerShell.exe
File opened for modification	C:\Windows\System32\drivers\UcmUcsiAcpiClient.sys	PowerShell.exe
File opened for modification	C:\Windows\System32\drivers\vwififlt.sys	PowerShell.exe
File opened for modification	C:\Windows\System32\drivers\fr-FR\dumpsd.sys.mui	PowerShell.exe
File opened for modification	C:\Windows\System32\drivers\it-IT\qwavedrv.sys.mui	PowerShell.exe
File opened for modification	C:\Windows\System32\drivers\UMDF\en-US\idtsec.dll.mui	PowerShell.exe
File opened for modification	C:\Windows\System32\drivers\HdAudio.sys	PowerShell.exe
File opened for modification	C:\Windows\System32\drivers\serenum.sys	PowerShell.exe
File opened for modification	C:\Windows\System32\drivers\de-DE\cdrom.sys.mui	PowerShell.exe
File opened for modification	C:\Windows\System32\drivers\de-DE\USBHUB3.SYS.mui	PowerShell.exe
File opened for modification	C:\Windows\System32\drivers\fr-FR\cxwmbclass.sys.mui	PowerShell.exe
File opened for modification	C:\Windows\System32\drivers\rootmdm.sys	PowerShell.exe
File opened for modification	C:\Windows\System32\drivers\de-DE\volmgrx.sys.mui	PowerShell.exe
File opened for modification	C:\Windows\System32\drivers\es-ES\MTConfig.sys.mui	PowerShell.exe
File opened for modification	C:\Windows\System32\drivers\UMDF\de-DE\wpdmtpdr.dll.mui	PowerShell.exe
File opened for modification	C:\Windows\System32\drivers\rmcast.sys	PowerShell.exe
File opened for modification	C:\Windows\System32\drivers\sisraid2.sys	PowerShell.exe
File opened for modification	C:\Windows\System32\drivers\fr-FR\mrxsmb.sys.mui	PowerShell.exe
File opened for modification	C:\Windows\System32\drivers\en-US\refs.sys.mui	PowerShell.exe
File opened for modification	C:\Windows\System32\drivers\it-IT\smbdirect.sys.mui	PowerShell.exe
File opened for modification	C:\Windows\System32\drivers\UMDF\fr-FR\wpdmtpdr.dll.mui	PowerShell.exe
File opened for modification	C:\Windows\System32\drivers\flpydisk.sys	PowerShell.exe
File opened for modification	C:\Windows\System32\drivers\WdiWiFi.sys	PowerShell.exe
File opened for modification	C:\Windows\System32\drivers\winhvr.sys	PowerShell.exe
File opened for modification	C:\Windows\System32\drivers\ja-JP\http.sys.mui	PowerShell.exe
File opened for modification	C:\Windows\System32\drivers\uk-UA\bthenum.sys.mui	PowerShell.exe
File opened for modification	C:\Windows\System32\drivers\fs_rec.sys	PowerShell.exe
File opened for modification	C:\Windows\System32\drivers\IndirectKmd.sys	PowerShell.exe
File opened for modification	C:\Windows\System32\drivers\es-ES\processr.sys.mui	PowerShell.exe
File opened for modification	C:\Windows\System32\drivers\fr-FR\bthenum.sys.mui	PowerShell.exe
File opened for modification	C:\Windows\System32\drivers\it-IT\wof.sys.mui	PowerShell.exe
File opened for modification	C:\Windows\System32\drivers\ndistapi.sys	PowerShell.exe
File opened for modification	C:\Windows\System32\drivers\watchdog.sys	PowerShell.exe
File opened for modification	C:\Windows\System32\drivers\en-US\ataport.sys.mui	PowerShell.exe
File opened for modification	C:\Windows\System32\drivers\UMDF\fr-FR\SensorsCx.dll.mui	PowerShell.exe
File opened for modification	C:\Windows\System32\drivers\UMDF\it-IT\idtsec.dll.mui	PowerShell.exe
File opened for modification	C:\Windows\System32\drivers\scmbus.sys	PowerShell.exe
File opened for modification	C:\Windows\System32\drivers\de-DE\scfilter.sys.mui	PowerShell.exe
File opened for modification	C:\Windows\System32\drivers\netvsc.sys	PowerShell.exe
File opened for modification	C:\Windows\System32\drivers\en-US\tsusbhub.sys.mui	PowerShell.exe
File opened for modification	C:\Windows\System32\drivers\es-ES\winnat.sys.mui	PowerShell.exe
File opened for modification	C:\Windows\System32\drivers\ja-JP\vmstorfl.sys.mui	PowerShell.exe
File opened for modification	C:\Windows\System32\drivers\USBCAMD2.sys	PowerShell.exe
File opened for modification	C:\Windows\System32\drivers\battc.sys	PowerShell.exe
File opened for modification	C:\Windows\System32\drivers\ntfs.sys	PowerShell.exe
File opened for modification	C:\Windows\System32\drivers\en-US\volsnap.sys.mui	PowerShell.exe
File opened for modification	C:\Windows\System32\drivers\ja-JP\disk.sys.mui	PowerShell.exe

Manipulates Digital Signatures 2 IoCs

Attackers can apply techniques such as modifying certain DLL exports to make their binary seem valid.

description	ioc	Process
File opened for modification	C:\Windows\System32\WindowsPowerShell\v1.0\pwrshsip.dll	PowerShell.exe
File opened for modification	C:\Windows\System32\wintrust.dll	PowerShell.exe

Possible privilege escalation attempt 64 IoCs

exploit

pid	Process
3296	Process not Found
2368	Process not Found
4232	Process not Found
488	Process not Found
4928	Process not Found
2968	Process not Found
5932	Process not Found
1092	Process not Found
5388	Process not Found
5084	Process not Found
1168	Process not Found
5964	Process not Found
928	Process not Found
5180	Process not Found
4820	Process not Found
4668	Process not Found
2204	Process not Found
4140	icacls.exe
3264	icacls.exe
2060	Process not Found
1532	Process not Found
1628	Process not Found
5000	Process not Found
3004	Process not Found
1044	Process not Found
5124	takeown.exe
5392	icacls.exe
5896	Process not Found
5680	Process not Found
5936	Process not Found
2088	Process not Found
776	Process not Found
2824	Process not Found
4212	Process not Found
3788	Process not Found
2100	Process not Found
3604	Process not Found
756	Process not Found
6032	Process not Found
5756	Process not Found
2892	Process not Found
5132	Process not Found
6032	Process not Found
928	Process not Found
1456	Process not Found
4924	Process not Found
3312	Process not Found
1692	Process not Found
4512	Process not Found
5736	Process not Found
2996	Process not Found
5268	Process not Found
1396	Process not Found
752	Process not Found
5324	Process not Found
3448	Process not Found
932	Process not Found
1084	Process not Found
5912	Process not Found
4012	Process not Found
3084	Process not Found
952	Process not Found
5276	Process not Found
2744	Process not Found

Boot or Logon Autostart Execution: Print Processors 1 TTPs 1 IoCs

Adversaries may abuse print processors to run malicious DLLs during system boot for persistence and/or privilege escalation.

persistence

Print Processors

T1547.012

description	ioc	Process
File opened for modification	C:\Windows\System32\spool\prtprocs\x64\winprint.dll	PowerShell.exe

Indicator Removal: Clear Windows Event Logs 1 TTPs 64 IoCs

Clear Windows Event Logs to hide the activity of an intrusion.

defense_evasion

Clear Windows Event Logs

T1070.001

description	ioc	Process
File opened for modification	C:\Windows\System32\winevt\Logs\Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider%4Operational.evtx	PowerShell.exe
File opened for modification	C:\Windows\System32\winevt\Logs\Microsoft-Windows-Shell-Core%4LogonTasksChannel.evtx	PowerShell.exe
File opened for modification	C:\Windows\System32\winevt\Logs\Microsoft-Windows-Windows Firewall With Advanced Security%4Firewall.evtx	PowerShell.exe
File opened for modification	C:\Windows\System32\winevt\Logs\Microsoft-Windows-WindowsBackup%4ActionCenter.evtx	PowerShell.exe
File opened for modification	C:\Windows\System32\winevt\Logs\Security.evtx	PowerShell.exe
File opened for modification	C:\Windows\System32\winevt\Logs\Microsoft-Windows-Application-Experience%4Program-Compatibility-Troubleshooter.evtx	PowerShell.exe
File opened for modification	C:\Windows\System32\winevt\Logs\Microsoft-Windows-Bits-Client%4Operational.evtx	PowerShell.exe
File opened for modification	C:\Windows\System32\winevt\Logs\Microsoft-Windows-MUI%4Admin.evtx	PowerShell.exe
File opened for modification	C:\Windows\System32\winevt\Logs\Microsoft-Windows-MUI%4Operational.evtx	PowerShell.exe
File opened for modification	C:\Windows\System32\winevt\Logs\Microsoft-Windows-NetworkProfile%4Operational.evtx	PowerShell.exe
File opened for modification	C:\Windows\System32\winevt\Logs\Microsoft-Windows-TenantRestrictions%4Operational.evtx	PowerShell.exe
File opened for modification	C:\Windows\System32\winevt\Logs\Microsoft-Windows-User Device Registration%4Admin.evtx	PowerShell.exe
File opened for modification	C:\Windows\System32\winevt\Logs\Microsoft-Windows-Windows Firewall With Advanced Security%4ConnectionSecurity.evtx	PowerShell.exe
File opened for modification	C:\Windows\System32\winevt\Logs\Microsoft-Windows-NCSI%4Operational.evtx	PowerShell.exe
File opened for modification	C:\Windows\System32\winevt\Logs\Microsoft-Windows-AppReadiness%4Operational.evtx	PowerShell.exe
File opened for modification	C:\Windows\System32\winevt\Logs\Microsoft-Windows-Kernel-Power%4Thermal-Operational.evtx	PowerShell.exe
File opened for modification	C:\Windows\System32\winevt\Logs\Microsoft-Windows-Security-Mitigations%4UserMode.evtx	PowerShell.exe
File opened for modification	C:\Windows\System32\winevt\Logs\Microsoft-Windows-Shell-Core%4Operational.evtx	PowerShell.exe
File opened for modification	C:\Windows\System32\winevt\Logs\Microsoft-Windows-CodeIntegrity%4Operational.evtx	PowerShell.exe
File opened for modification	C:\Windows\System32\winevt\Logs\Application.evtx	PowerShell.exe
File opened for modification	C:\Windows\System32\winevt\Logs\Microsoft-Windows-AppModel-Runtime%4Admin.evtx	PowerShell.exe
File opened for modification	C:\Windows\System32\winevt\Logs\Microsoft-Windows-Ntfs%4WHC.evtx	PowerShell.exe
File opened for modification	C:\Windows\System32\winevt\Logs\Microsoft-Windows-Program-Compatibility-Assistant%4CompatAfterUpgrade.evtx	PowerShell.exe
File opened for modification	C:\Windows\System32\winevt\Logs\Microsoft-Windows-Provisioning-Diagnostics-Provider%4Admin.evtx	PowerShell.exe
File opened for modification	C:\Windows\System32\winevt\Logs\Microsoft-Windows-SmbClient%4Security.evtx	PowerShell.exe
File opened for modification	C:\Windows\System32\winevt\Logs\HardwareEvents.evtx	PowerShell.exe
File opened for modification	C:\Windows\System32\winevt\Logs\Microsoft-Windows-Containers-Wcifs%4Operational.evtx	PowerShell.exe
File opened for modification	C:\Windows\System32\winevt\Logs\Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider%4Admin.evtx	PowerShell.exe
File opened for modification	C:\Windows\System32\winevt\Logs\Microsoft-Windows-Kernel-PnP%4Driver Watchdog.evtx	PowerShell.exe
File opened for modification	C:\Windows\System32\winevt\Logs\Microsoft-Windows-Known Folders API Service.evtx	PowerShell.exe
File opened for modification	C:\Windows\System32\winevt\Logs\Microsoft-Windows-SMBClient%4Operational.evtx	PowerShell.exe
File opened for modification	C:\Windows\System32\winevt\Logs\Microsoft-Windows-User Profile Service%4Operational.evtx	PowerShell.exe
File opened for modification	C:\Windows\System32\winevt\Logs\Microsoft-Windows-Dhcp-Client%4Admin.evtx	PowerShell.exe
File opened for modification	C:\Windows\System32\winevt\Logs\Microsoft-Windows-Diagnosis-DPS%4Operational.evtx	PowerShell.exe
File opened for modification	C:\Windows\System32\winevt\Logs\Microsoft-Windows-LiveId%4Operational.evtx	PowerShell.exe
File opened for modification	C:\Windows\System32\winevt\Logs\Key Management Service.evtx	PowerShell.exe
File opened for modification	C:\Windows\System32\winevt\Logs\Microsoft-Windows-Application-Experience%4Program-Inventory.evtx	PowerShell.exe
File opened for modification	C:\Windows\System32\winevt\Logs\Microsoft-Windows-Crypto-NCrypt%4Operational.evtx	PowerShell.exe
File opened for modification	C:\Windows\System32\winevt\Logs\Microsoft-Windows-Kernel-Boot%4Operational.evtx	PowerShell.exe
File opened for modification	C:\Windows\System32\winevt\Logs\Microsoft-Windows-Security-Mitigations%4KernelMode.evtx	PowerShell.exe
File opened for modification	C:\Windows\System32\winevt\Logs\Microsoft-Windows-CoreSystem-SmsRouter-Events%4Operational.evtx	PowerShell.exe
File opened for modification	C:\Windows\System32\winevt\Logs\Microsoft-Windows-StorageManagement%4Operational.evtx	PowerShell.exe
File opened for modification	C:\Windows\System32\winevt\Logs\Microsoft-Windows-WinRM%4Operational.evtx	PowerShell.exe
File opened for modification	C:\Windows\System32\winevt\Logs\Microsoft-Windows-Biometrics%4Operational.evtx	PowerShell.exe
File opened for modification	C:\Windows\System32\winevt\Logs\Microsoft-Windows-PowerShell%4Operational.evtx	PowerShell.exe
File opened for modification	C:\Windows\System32\winevt\Logs\Microsoft-Windows-ShellCommon-StartLayoutPopulation%4Operational.evtx	PowerShell.exe
File opened for modification	C:\Windows\System32\winevt\Logs\Microsoft-Windows-Store%4Operational.evtx	PowerShell.exe
File opened for modification	C:\Windows\System32\winevt\Logs\Microsoft-Windows-VDRVROOT%4Operational.evtx	PowerShell.exe
File opened for modification	C:\Windows\System32\winevt\Logs\Microsoft-Windows-Resource-Exhaustion-Detector%4Operational.evtx	PowerShell.exe
File opened for modification	C:\Windows\System32\winevt\Logs\Microsoft-Windows-Shell-ConnectedAccountState%4ActionCenter.evtx	PowerShell.exe
File opened for modification	C:\Windows\System32\winevt\Logs\Microsoft-Windows-SMBServer%4Connectivity.evtx	PowerShell.exe
File opened for modification	C:\Windows\System32\winevt\Logs\Microsoft-Windows-AppXDeploymentServer%4Operational.evtx	PowerShell.exe
File opened for modification	C:\Windows\System32\winevt\Logs\Microsoft-Windows-SMBServer%4Audit.evtx	PowerShell.exe
File opened for modification	C:\Windows\System32\winevt\Logs\Microsoft-Windows-AppxPackaging%4Operational.evtx	PowerShell.exe
File opened for modification	C:\Windows\System32\winevt\Logs\Microsoft-Windows-Kernel-Cache%4Operational.evtx	PowerShell.exe
File opened for modification	C:\Windows\System32\winevt\Logs\Microsoft-Windows-ReadyBoost%4Operational.evtx	PowerShell.exe
File opened for modification	C:\Windows\System32\winevt\Logs\Microsoft-Windows-Windows Firewall With Advanced Security%4FirewallDiagnostics.evtx	PowerShell.exe
File opened for modification	C:\Windows\System32\winevt\Logs\OAlerts.evtx	PowerShell.exe
File opened for modification	C:\Windows\System32\winevt\Logs\Internet Explorer.evtx	PowerShell.exe
File opened for modification	C:\Windows\System32\winevt\Logs\Microsoft-Windows-Shell-Core%4ActionCenter.evtx	PowerShell.exe
File opened for modification	C:\Windows\System32\winevt\Logs\Microsoft-Windows-StorageSpaces-Driver%4Diagnostic.evtx	PowerShell.exe
File opened for modification	C:\Windows\System32\winevt\Logs\Microsoft-Client-Licensing-Platform%4Admin.evtx	PowerShell.exe
File opened for modification	C:\Windows\System32\winevt\Logs\Microsoft-Windows-Audio%4Operational.evtx	PowerShell.exe
File opened for modification	C:\Windows\System32\winevt\Logs\Microsoft-Windows-Diagnosis-Scheduled%4Operational.evtx	PowerShell.exe

Indirect Command Execution 1 TTPs 1 IoCs

Adversaries may abuse utilities that allow for command execution to bypass security restrictions that limit the use of command-line interpreters.

defense_evasion

Indirect Command Execution

T1202

pid	Process
2372	Process not Found

Modifies file permissions 1 TTPs 64 IoCs

discovery

File and Directory Permissions Modification

T1222

pid	Process
5896	Process not Found
1108	Process not Found
3528	Process not Found
1472	icacls.exe
4828	Process not Found
5760	Process not Found
4548	Process not Found
1092	Process not Found
5152	Process not Found
540	Process not Found
6072	Process not Found
3024	Process not Found
3700	Process not Found
4232	Process not Found
2684	Process not Found
5300	Process not Found
4916	Process not Found
4060	Process not Found
3676	Process not Found
1048	Process not Found
1788	Process not Found
2824	Process not Found
1920	Process not Found
2696	Process not Found
1320	Process not Found
4164	Process not Found
1524	Process not Found
4888	Process not Found
3016	Process not Found
4860	Process not Found
3716	Process not Found
2676	Process not Found
6124	Process not Found
5440	Process not Found
5436	icacls.exe
3564	Process not Found
3444	Process not Found
3564	Process not Found
3444	Process not Found
2936	Process not Found
2064	Process not Found
1660	Process not Found
4812	Process not Found
2760	Process not Found
5796	Process not Found
5880	icacls.exe
6052	Process not Found
1104	Process not Found
800	icacls.exe
5244	Process not Found
2992	Process not Found
1044	Process not Found
2068	takeown.exe
3244	Process not Found
4120	Process not Found
5068	Process not Found
2564	Process not Found
3800	Process not Found
3856	Process not Found
5872	Process not Found
2404	Process not Found
3064	Process not Found
4476	Process not Found
5272	Process not Found

Power Settings 1 TTPs 4 IoCs

powercfg controls all configurable power system settings on a Windows system and can be abused to prevent an infected host from locking or shutting down.

persistence

Power Settings

T1653

pid	Process
1048	Process not Found
1000	Process not Found
2728	Process not Found
1260	Process not Found

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-UEV-Package~31bf3856ad364e35~amd64~uk-UA~10.0.22000.1.cat	PowerShell.exe
File opened for modification	C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppServerClient-OptGroup-Package~31bf3856ad364e35~amd64~~10.0.22000.1.cat	PowerShell.exe
File opened for modification	C:\Windows\System32\de-DE\netprofmsvc.dll.mui	PowerShell.exe
File opened for modification	C:\Windows\System32\de-DE\systeminfo.exe.mui	PowerShell.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\prnms002.inf_amd64_ea045b1d07719f70\Amd64	PowerShell.exe
File opened for modification	C:\Windows\System32\ja-jp\wshelper.dll.mui	PowerShell.exe
File opened for modification	C:\Windows\System32\spp\tokens\skus\Education\Education-OEM-DM-1-pl-rtm.xrm-ms	PowerShell.exe
File opened for modification	C:\Windows\System32\uk-UA\usbui.dll.mui	PowerShell.exe
File opened for modification	C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\HyperV-Guest-Storage-Filter-merged-Package~31bf3856ad364e35~amd64~~10.0.22000.1.cat	PowerShell.exe
File opened for modification	C:\Windows\System32\de-DE\QuietHours.dll.mui	PowerShell.exe
File opened for modification	C:\Windows\System32\DriverStore\de-DE\bthmtpenum.inf_loc	PowerShell.exe
File opened for modification	C:\Windows\System32\userenv.dll	PowerShell.exe
File opened for modification	C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Containers-Server-SDN-Package~31bf3856ad364e35~amd64~it-IT~10.0.22000.1.cat	PowerShell.exe
File opened for modification	C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-UtilityVM-Containers-Setup-Shared-Package~31bf3856ad364e35~amd64~it-IT~10.0.22000.1.cat	PowerShell.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\iagpio.inf_amd64_07b64df61e783bfe\iagpio.sys	PowerShell.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\monitor.inf_amd64_5653ba7de4b18c6f	PowerShell.exe
File opened for modification	C:\Windows\System32\ja-jp\PimIndexMaintenance.dll.mui	PowerShell.exe
File opened for modification	C:\Windows\System32\d3d10_1core.dll	PowerShell.exe
File opened for modification	C:\Windows\System32\appraiser\appraiser.sdb	PowerShell.exe
File opened for modification	C:\Windows\System32\ja-jp\fltMC.exe.mui	PowerShell.exe
File opened for modification	C:\Windows\System32\wbem\lltdsvc.mof	PowerShell.exe
File opened for modification	C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}	PowerShell.exe
File opened for modification	C:\Windows\System32\Microsoft\Protect\S-1-5-18\User	PowerShell.exe
File opened for modification	C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\HyperV-Networking-Containers-Package~31bf3856ad364e35~amd64~it-IT~10.0.22000.1.cat	PowerShell.exe
File opened for modification	C:\Windows\System32\en-US\crypt32.dll.mui	PowerShell.exe
File opened for modification	C:\Windows\System32\ja-jp\rshx32.dll.mui	PowerShell.exe
File opened for modification	C:\Windows\System32\wbem\it-IT\RacWmiProv.mfl	PowerShell.exe
File opened for modification	C:\Windows\System32\aadcloudap.dll	PowerShell.exe
File opened for modification	C:\Windows\System32\lltdapi.dll	PowerShell.exe
File opened for modification	C:\Windows\System32\wdmaud.drv	PowerShell.exe
File opened for modification	C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\HyperV-Compute-Storage-merged-Package~31bf3856ad364e35~amd64~en-US~10.0.22000.1.cat	PowerShell.exe
File opened for modification	C:\Windows\System32\fr-FR\chgusr.exe.mui	PowerShell.exe
File opened for modification	C:\Windows\System32\fr-FR\srcore.dll.mui	PowerShell.exe
File opened for modification	C:\Windows\System32\migwiz\replacementmanifests\IdentityServer-Migration-Replacement.man	PowerShell.exe
File opened for modification	C:\Windows\System32\AudioHandlers.dll	PowerShell.exe
File opened for modification	C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Networking-MPSSVC-Rules-EnterpriseEdition-Package~31bf3856ad364e35~amd64~es-ES~10.0.22000.1.cat	PowerShell.exe
File opened for modification	C:\Windows\System32\it-IT\mstsc.exe.mui	PowerShell.exe
File opened for modification	C:\Windows\System32\KBDLAO.DLL	PowerShell.exe
File opened for modification	C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\HyperV-IsolatedVm-Package~31bf3856ad364e35~amd64~fr-FR~10.0.22000.1.cat	PowerShell.exe
File opened for modification	C:\Windows\System32\DriverStore\es-ES\rtux64w10.inf_loc	PowerShell.exe
File opened for modification	C:\Windows\System32\en-US\SCardSvr.dll.mui	PowerShell.exe
File opened for modification	C:\Windows\System32\ja-jp\msdt.exe.mui	PowerShell.exe
File opened for modification	C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-CoreSystem-DebugTransports-Package~31bf3856ad364e35~amd64~~10.0.22000.1.cat	PowerShell.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\sdbus.inf_amd64_da23a49bbcab6181\sdbus.inf	PowerShell.exe
File opened for modification	C:\Windows\System32\wbem\de-DE\mofd.dll.mui	PowerShell.exe
File opened for modification	C:\Windows\System32\WindowsPowerShell\v1.0\PowerShellCore.format.ps1xml	PowerShell.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\c_computeaccelerator.inf_amd64_f025e6ed5ac098fd\c_computeaccelerator.inf	PowerShell.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\prnms006.inf_amd64_c3bdcb6fc975b614\SendToOneNoteNames.gpd	PowerShell.exe
File opened for modification	C:\Windows\System32\DriverStore\fr-FR\EhStorTcgDrv.inf_loc	PowerShell.exe
File opened for modification	C:\Windows\System32\ja-jp\msxml6r.dll.mui	PowerShell.exe
File opened for modification	C:\Windows\System32\ja-jp\rasmm.dll.mui	PowerShell.exe
File opened for modification	C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AssignedAccess\it-IT\AssignedAccessMsg.psd1	PowerShell.exe
File opened for modification	C:\Windows\System32\AuthHost.exe	PowerShell.exe
File opened for modification	C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-DataCenterBridging-Opt-WOW64-Package~31bf3856ad364e35~amd64~en-US~10.0.22000.1.cat	PowerShell.exe
File opened for modification	C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-MediaPlayback-OC-Package~31bf3856ad364e35~amd64~ja-JP~10.0.22000.1.cat	PowerShell.exe
File opened for modification	C:\Windows\System32\DriverStore\fr-FR\ufxsynopsys.inf_loc	PowerShell.exe
File opened for modification	C:\Windows\System32\es-ES\forfiles.exe.mui	PowerShell.exe
File opened for modification	C:\Windows\System32\es-ES\Windows.Graphics.Printing.dll.mui	PowerShell.exe
File opened for modification	C:\Windows\System32\ja-jp\autotimesvc.dll.mui	PowerShell.exe
File opened for modification	C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-DataCenterBridging-WOW64-Package~31bf3856ad364e35~amd64~it-IT~10.0.22000.1.cat	PowerShell.exe
File opened for modification	C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-ICS-Package~31bf3856ad364e35~amd64~~10.0.22000.41.cat	PowerShell.exe
File opened for modification	C:\Windows\System32\en-US\provdiagnostics.dll.mui	PowerShell.exe
File opened for modification	C:\Windows\System32\AppVIntegration.dll	PowerShell.exe
File opened for modification	C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-NetFx3-OC-Package~31bf3856ad364e35~amd64~ja-JP~10.0.22000.1.cat	PowerShell.exe

Modifies termsrv.dll 1 TTPs 1 IoCs

Commonly used to allow simultaneous RDP sessions.

Remote Desktop Protocol

T1021.001

description	ioc	Process
File opened for modification	C:\Windows\System32\termsrv.dll	PowerShell.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
4080	PowerShell.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4080	PowerShell.exe
4080	PowerShell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	4080	PowerShell.exe
Token: SeTakeOwnershipPrivilege	5820	takeown.exe
Token: SeTakeOwnershipPrivilege	5104	takeown.exe
Token: SeTakeOwnershipPrivilege	3960	takeown.exe
Token: SeTakeOwnershipPrivilege	3424	takeown.exe
Token: SeTakeOwnershipPrivilege	2808	takeown.exe
Token: SeTakeOwnershipPrivilege	5264	takeown.exe
Token: SeTakeOwnershipPrivilege	3288	takeown.exe
Token: SeTakeOwnershipPrivilege	5084	takeown.exe
Token: SeTakeOwnershipPrivilege	2384	takeown.exe
Token: SeTakeOwnershipPrivilege	684	takeown.exe
Token: SeTakeOwnershipPrivilege	2580	takeown.exe
Token: SeTakeOwnershipPrivilege	5604	takeown.exe
Token: SeTakeOwnershipPrivilege	5368	takeown.exe
Token: SeTakeOwnershipPrivilege	5088	takeown.exe
Token: SeTakeOwnershipPrivilege	4500	takeown.exe
Token: SeTakeOwnershipPrivilege	2296	takeown.exe
Token: SeTakeOwnershipPrivilege	2180	takeown.exe
Token: SeTakeOwnershipPrivilege	3860	takeown.exe
Token: SeTakeOwnershipPrivilege	5288	takeown.exe
Token: SeTakeOwnershipPrivilege	2460	takeown.exe
Token: SeTakeOwnershipPrivilege	2556	takeown.exe
Token: SeTakeOwnershipPrivilege	5640	takeown.exe
Token: SeTakeOwnershipPrivilege	4960	takeown.exe
Token: SeTakeOwnershipPrivilege	1960	takeown.exe
Token: SeTakeOwnershipPrivilege	3880	takeown.exe
Token: SeTakeOwnershipPrivilege	5524	takeown.exe
Token: SeTakeOwnershipPrivilege	4040	takeown.exe
Token: SeTakeOwnershipPrivilege	5348	takeown.exe
Token: SeTakeOwnershipPrivilege	5044	takeown.exe
Token: SeTakeOwnershipPrivilege	1532	takeown.exe
Token: SeTakeOwnershipPrivilege	5100	takeown.exe
Token: SeTakeOwnershipPrivilege	3640	takeown.exe
Token: SeTakeOwnershipPrivilege	2932	takeown.exe
Token: SeTakeOwnershipPrivilege	6024	takeown.exe
Token: SeTakeOwnershipPrivilege	3716	takeown.exe
Token: SeTakeOwnershipPrivilege	1456	takeown.exe
Token: SeTakeOwnershipPrivilege	2060	takeown.exe
Token: SeTakeOwnershipPrivilege	3272	takeown.exe
Token: SeTakeOwnershipPrivilege	3240	takeown.exe
Token: SeTakeOwnershipPrivilege	5908	takeown.exe
Token: SeTakeOwnershipPrivilege	3920	takeown.exe
Token: SeTakeOwnershipPrivilege	5624	takeown.exe
Token: SeTakeOwnershipPrivilege	3980	takeown.exe
Token: SeTakeOwnershipPrivilege	2980	takeown.exe
Token: SeTakeOwnershipPrivilege	5936	takeown.exe
Token: SeTakeOwnershipPrivilege	5532	takeown.exe
Token: SeTakeOwnershipPrivilege	1352	takeown.exe
Token: SeTakeOwnershipPrivilege	1584	takeown.exe
Token: SeTakeOwnershipPrivilege	6096	takeown.exe
Token: SeTakeOwnershipPrivilege	5160	takeown.exe
Token: SeTakeOwnershipPrivilege	6136	takeown.exe
Token: SeTakeOwnershipPrivilege	792	takeown.exe
Token: SeTakeOwnershipPrivilege	5452	takeown.exe
Token: SeTakeOwnershipPrivilege	4536	takeown.exe
Token: SeTakeOwnershipPrivilege	4512	takeown.exe
Token: SeTakeOwnershipPrivilege	4640	takeown.exe
Token: SeTakeOwnershipPrivilege	2176	takeown.exe
Token: SeTakeOwnershipPrivilege	648	takeown.exe
Token: SeTakeOwnershipPrivilege	5820	takeown.exe
Token: SeTakeOwnershipPrivilege	5104	takeown.exe
Token: SeTakeOwnershipPrivilege	5016	takeown.exe
Token: SeTakeOwnershipPrivilege	4732	takeown.exe
Token: SeTakeOwnershipPrivilege	4428	takeown.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4080 wrote to memory of 5820	4080	PowerShell.exe	80
PID 4080 wrote to memory of 5820	4080	PowerShell.exe	80
PID 4080 wrote to memory of 5220	4080	PowerShell.exe	81
PID 4080 wrote to memory of 5220	4080	PowerShell.exe	81
PID 4080 wrote to memory of 5104	4080	PowerShell.exe	82
PID 4080 wrote to memory of 5104	4080	PowerShell.exe	82
PID 4080 wrote to memory of 820	4080	PowerShell.exe	83
PID 4080 wrote to memory of 820	4080	PowerShell.exe	83
PID 4080 wrote to memory of 2424	4080	PowerShell.exe	84
PID 4080 wrote to memory of 2424	4080	PowerShell.exe	84
PID 4080 wrote to memory of 4732	4080	PowerShell.exe	85
PID 4080 wrote to memory of 4732	4080	PowerShell.exe	85
PID 4080 wrote to memory of 3960	4080	PowerShell.exe	86
PID 4080 wrote to memory of 3960	4080	PowerShell.exe	86
PID 4080 wrote to memory of 4428	4080	PowerShell.exe	87
PID 4080 wrote to memory of 4428	4080	PowerShell.exe	87
PID 4080 wrote to memory of 3424	4080	PowerShell.exe	88
PID 4080 wrote to memory of 3424	4080	PowerShell.exe	88
PID 4080 wrote to memory of 3360	4080	PowerShell.exe	89
PID 4080 wrote to memory of 3360	4080	PowerShell.exe	89
PID 4080 wrote to memory of 2808	4080	PowerShell.exe	90
PID 4080 wrote to memory of 2808	4080	PowerShell.exe	90
PID 4080 wrote to memory of 1628	4080	PowerShell.exe	91
PID 4080 wrote to memory of 1628	4080	PowerShell.exe	91
PID 4080 wrote to memory of 5264	4080	PowerShell.exe	92
PID 4080 wrote to memory of 5264	4080	PowerShell.exe	92
PID 4080 wrote to memory of 5952	4080	PowerShell.exe	93
PID 4080 wrote to memory of 5952	4080	PowerShell.exe	93
PID 4080 wrote to memory of 3288	4080	PowerShell.exe	94
PID 4080 wrote to memory of 3288	4080	PowerShell.exe	94
PID 4080 wrote to memory of 5092	4080	PowerShell.exe	95
PID 4080 wrote to memory of 5092	4080	PowerShell.exe	95
PID 4080 wrote to memory of 5084	4080	PowerShell.exe	96
PID 4080 wrote to memory of 5084	4080	PowerShell.exe	96
PID 4080 wrote to memory of 2340	4080	PowerShell.exe	97
PID 4080 wrote to memory of 2340	4080	PowerShell.exe	97
PID 4080 wrote to memory of 2384	4080	PowerShell.exe	98
PID 4080 wrote to memory of 2384	4080	PowerShell.exe	98
PID 4080 wrote to memory of 2356	4080	PowerShell.exe	99
PID 4080 wrote to memory of 2356	4080	PowerShell.exe	99
PID 4080 wrote to memory of 684	4080	PowerShell.exe	100
PID 4080 wrote to memory of 684	4080	PowerShell.exe	100
PID 4080 wrote to memory of 4652	4080	PowerShell.exe	101
PID 4080 wrote to memory of 4652	4080	PowerShell.exe	101
PID 4080 wrote to memory of 3016	4080	PowerShell.exe	102
PID 4080 wrote to memory of 3016	4080	PowerShell.exe	102
PID 4080 wrote to memory of 5128	4080	PowerShell.exe	103
PID 4080 wrote to memory of 5128	4080	PowerShell.exe	103
PID 4080 wrote to memory of 2580	4080	PowerShell.exe	104
PID 4080 wrote to memory of 2580	4080	PowerShell.exe	104
PID 4080 wrote to memory of 5852	4080	PowerShell.exe	105
PID 4080 wrote to memory of 5852	4080	PowerShell.exe	105
PID 4080 wrote to memory of 5604	4080	PowerShell.exe	106
PID 4080 wrote to memory of 5604	4080	PowerShell.exe	106
PID 4080 wrote to memory of 2380	4080	PowerShell.exe	107
PID 4080 wrote to memory of 2380	4080	PowerShell.exe	107
PID 4080 wrote to memory of 2992	4080	PowerShell.exe	108
PID 4080 wrote to memory of 2992	4080	PowerShell.exe	108
PID 4080 wrote to memory of 5968	4080	PowerShell.exe	109
PID 4080 wrote to memory of 5968	4080	PowerShell.exe	109
PID 4080 wrote to memory of 5368	4080	PowerShell.exe	110
PID 4080 wrote to memory of 5368	4080	PowerShell.exe	110
PID 4080 wrote to memory of 3324	4080	PowerShell.exe	111
PID 4080 wrote to memory of 3324	4080	PowerShell.exe	111

C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell.exe
powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\philerbum.ps1
1⤵
- Drops file in Drivers directory
- Manipulates Digital Signatures
- Boot or Logon Autostart Execution: Print Processors
- Indicator Removal: Clear Windows Event Logs
- Drops file in System32 directory
- Modifies termsrv.dll
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4080
- C:\Windows\system32\takeown.exe
  "C:\Windows\system32\takeown.exe" /F C:\Windows\System32\0409 /A /R /D Y
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:5820
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" C:\Windows\System32\0409 /grant /T /C
  2⤵
  PID:5220
- C:\Windows\system32\takeown.exe
  "C:\Windows\system32\takeown.exe" /F C:\Windows\System32\AdvancedInstallers /A /R /D Y
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:5104
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" C:\Windows\System32\AdvancedInstallers /grant /T /C
  2⤵
  PID:820
- C:\Windows\system32\takeown.exe
  "C:\Windows\system32\takeown.exe" /F C:\Windows\System32\AppLocker /A /R /D Y
  2⤵
  PID:2424
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" C:\Windows\System32\AppLocker /grant /T /C
  2⤵
  PID:4732
- C:\Windows\system32\takeown.exe
  "C:\Windows\system32\takeown.exe" /F C:\Windows\System32\appraiser /A /R /D Y
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:3960
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" C:\Windows\System32\appraiser /grant /T /C
  2⤵
  PID:4428
- C:\Windows\system32\takeown.exe
  "C:\Windows\system32\takeown.exe" /F C:\Windows\System32\AppV /A /R /D Y
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:3424
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" C:\Windows\System32\AppV /grant /T /C
  2⤵
  PID:3360
- C:\Windows\system32\takeown.exe
  "C:\Windows\system32\takeown.exe" /F C:\Windows\System32\ar-SA /A /R /D Y
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2808
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" C:\Windows\System32\ar-SA /grant /T /C
  2⤵
  PID:1628
- C:\Windows\system32\takeown.exe
  "C:\Windows\system32\takeown.exe" /F C:\Windows\System32\bg-BG /A /R /D Y
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:5264
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" C:\Windows\System32\bg-BG /grant /T /C
  2⤵
  PID:5952
- C:\Windows\system32\takeown.exe
  "C:\Windows\system32\takeown.exe" /F C:\Windows\System32\Boot /A /R /D Y
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:3288
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" C:\Windows\System32\Boot /grant /T /C
  2⤵
  PID:5092
- C:\Windows\system32\takeown.exe
  "C:\Windows\system32\takeown.exe" /F C:\Windows\System32\Bthprops /A /R /D Y
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:5084
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" C:\Windows\System32\Bthprops /grant /T /C
  2⤵
  PID:2340
- C:\Windows\system32\takeown.exe
  "C:\Windows\system32\takeown.exe" /F C:\Windows\System32\ca-ES /A /R /D Y
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2384
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" C:\Windows\System32\ca-ES /grant /T /C
  2⤵
  PID:2356
- C:\Windows\system32\takeown.exe
  "C:\Windows\system32\takeown.exe" /F C:\Windows\System32\CatRoot /A /R /D Y
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:684
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" C:\Windows\System32\CatRoot /grant /T /C
  2⤵
  PID:4652
- C:\Windows\system32\takeown.exe
  "C:\Windows\system32\takeown.exe" /F C:\Windows\System32\catroot2 /A /R /D Y
  2⤵
  PID:3016
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" C:\Windows\System32\catroot2 /grant /T /C
  2⤵
  PID:5128
- C:\Windows\system32\takeown.exe
  "C:\Windows\system32\takeown.exe" /F C:\Windows\System32\CodeIntegrity /A /R /D Y
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2580
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" C:\Windows\System32\CodeIntegrity /grant /T /C
  2⤵
  PID:5852
- C:\Windows\system32\takeown.exe
  "C:\Windows\system32\takeown.exe" /F C:\Windows\System32\Com /A /R /D Y
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:5604
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" C:\Windows\System32\Com /grant /T /C
  2⤵
  PID:2380
- C:\Windows\system32\takeown.exe
  "C:\Windows\system32\takeown.exe" /F C:\Windows\System32\config /A /R /D Y
  2⤵
  PID:2992
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" C:\Windows\System32\config /grant /T /C
  2⤵
  PID:5968
- C:\Windows\system32\takeown.exe
  "C:\Windows\system32\takeown.exe" /F C:\Windows\System32\Configuration /A /R /D Y
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:5368
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" C:\Windows\System32\Configuration /grant /T /C
  2⤵
  PID:3324
- C:\Windows\system32\takeown.exe
  "C:\Windows\system32\takeown.exe" /F C:\Windows\System32\cs-CZ /A /R /D Y
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:5088
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" C:\Windows\System32\cs-CZ /grant /T /C
  2⤵
  PID:2476
- C:\Windows\system32\takeown.exe
  "C:\Windows\system32\takeown.exe" /F C:\Windows\System32\da-DK /A /R /D Y
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:4500
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" C:\Windows\System32\da-DK /grant /T /C
  2⤵
  PID:2936
- C:\Windows\system32\takeown.exe
  "C:\Windows\system32\takeown.exe" /F C:\Windows\System32\DDFs /A /R /D Y
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2296
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" C:\Windows\System32\DDFs /grant /T /C
  2⤵
  PID:2148
- C:\Windows\system32\takeown.exe
  "C:\Windows\system32\takeown.exe" /F C:\Windows\System32\de /A /R /D Y
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2180
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" C:\Windows\System32\de /grant /T /C
  2⤵
  PID:4140
- C:\Windows\system32\takeown.exe
  "C:\Windows\system32\takeown.exe" /F C:\Windows\System32\de-DE /A /R /D Y
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:3860
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" C:\Windows\System32\de-DE /grant /T /C
  2⤵
  PID:5324
- C:\Windows\system32\takeown.exe
  "C:\Windows\system32\takeown.exe" /F C:\Windows\System32\DiagSvcs /A /R /D Y
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:5288
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" C:\Windows\System32\DiagSvcs /grant /T /C
  2⤵
  - Modifies file permissions
  PID:800
- C:\Windows\system32\takeown.exe
  "C:\Windows\system32\takeown.exe" /F C:\Windows\System32\Dism /A /R /D Y
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2460
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" C:\Windows\System32\Dism /grant /T /C
  2⤵
  PID:4116
- C:\Windows\system32\takeown.exe
  "C:\Windows\system32\takeown.exe" /F C:\Windows\System32\downlevel /A /R /D Y
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2556
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" C:\Windows\System32\downlevel /grant /T /C
  2⤵
  PID:2796
- C:\Windows\system32\takeown.exe
  "C:\Windows\system32\takeown.exe" /F C:\Windows\System32\drivers /A /R /D Y
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:5640
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" C:\Windows\System32\drivers /grant /T /C
  2⤵
  PID:6020
- C:\Windows\system32\takeown.exe
  "C:\Windows\system32\takeown.exe" /F C:\Windows\System32\DriverState /A /R /D Y
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:4960
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" C:\Windows\System32\DriverState /grant /T /C
  2⤵
  PID:3600
- C:\Windows\system32\takeown.exe
  "C:\Windows\system32\takeown.exe" /F C:\Windows\System32\DriverStore /A /R /D Y
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:1960
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" C:\Windows\System32\DriverStore /grant /T /C
  2⤵
  PID:2816
- C:\Windows\system32\takeown.exe
  "C:\Windows\system32\takeown.exe" /F C:\Windows\System32\dsc /A /R /D Y
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:3880
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" C:\Windows\System32\dsc /grant /T /C
  2⤵
  PID:1648
- C:\Windows\system32\takeown.exe
  "C:\Windows\system32\takeown.exe" /F C:\Windows\System32\el-GR /A /R /D Y
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:5524
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" C:\Windows\System32\el-GR /grant /T /C
  2⤵
  PID:3740
- C:\Windows\system32\takeown.exe
  "C:\Windows\system32\takeown.exe" /F C:\Windows\System32\en /A /R /D Y
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:4040
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" C:\Windows\System32\en /grant /T /C
  2⤵
  PID:4992
- C:\Windows\system32\takeown.exe
  "C:\Windows\system32\takeown.exe" /F C:\Windows\System32\en-GB /A /R /D Y
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:5348
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" C:\Windows\System32\en-GB /grant /T /C
  2⤵
  PID:3444
- C:\Windows\system32\takeown.exe
  "C:\Windows\system32\takeown.exe" /F C:\Windows\System32\en-US /A /R /D Y
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:5044
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" C:\Windows\System32\en-US /grant /T /C
  2⤵
  PID:1508
- C:\Windows\system32\takeown.exe
  "C:\Windows\system32\takeown.exe" /F C:\Windows\System32\es /A /R /D Y
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:1532
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" C:\Windows\System32\es /grant /T /C
  2⤵
  PID:472
- C:\Windows\system32\takeown.exe
  "C:\Windows\system32\takeown.exe" /F C:\Windows\System32\es-ES /A /R /D Y
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:5100
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" C:\Windows\System32\es-ES /grant /T /C
  2⤵
  PID:980
- C:\Windows\system32\takeown.exe
  "C:\Windows\system32\takeown.exe" /F C:\Windows\System32\es-MX /A /R /D Y
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:3640
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" C:\Windows\System32\es-MX /grant /T /C
  2⤵
  PID:4048
- C:\Windows\system32\takeown.exe
  "C:\Windows\system32\takeown.exe" /F C:\Windows\System32\et-EE /A /R /D Y
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2932
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" C:\Windows\System32\et-EE /grant /T /C
  2⤵
  PID:1540
- C:\Windows\system32\takeown.exe
  "C:\Windows\system32\takeown.exe" /F C:\Windows\System32\eu-ES /A /R /D Y
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:6024
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" C:\Windows\System32\eu-ES /grant /T /C
  2⤵
  PID:5328
- C:\Windows\system32\takeown.exe
  "C:\Windows\system32\takeown.exe" /F C:\Windows\System32\F12 /A /R /D Y
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:3716
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" C:\Windows\System32\F12 /grant /T /C
  2⤵
  PID:1320
- C:\Windows\system32\takeown.exe
  "C:\Windows\system32\takeown.exe" /F C:\Windows\System32\fi-FI /A /R /D Y
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:1456
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" C:\Windows\System32\fi-FI /grant /T /C
  2⤵
  PID:3412
- C:\Windows\system32\takeown.exe
  "C:\Windows\system32\takeown.exe" /F C:\Windows\System32\fr /A /R /D Y
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2060
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" C:\Windows\System32\fr /grant /T /C
  2⤵
  PID:1092
- C:\Windows\system32\takeown.exe
  "C:\Windows\system32\takeown.exe" /F C:\Windows\System32\fr-CA /A /R /D Y
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:3272
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" C:\Windows\System32\fr-CA /grant /T /C
  2⤵
  PID:5788
- C:\Windows\system32\takeown.exe
  "C:\Windows\system32\takeown.exe" /F C:\Windows\System32\fr-FR /A /R /D Y
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:3240
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" C:\Windows\System32\fr-FR /grant /T /C
  2⤵
  PID:2772
- C:\Windows\system32\takeown.exe
  "C:\Windows\system32\takeown.exe" /F C:\Windows\System32\FxsTmp /A /R /D Y
  2⤵
  PID:2696
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" C:\Windows\System32\FxsTmp /grant /T /C
  2⤵
  PID:468
- C:\Windows\system32\takeown.exe
  "C:\Windows\system32\takeown.exe" /F C:\Windows\System32\gl-ES /A /R /D Y
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:5908
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" C:\Windows\System32\gl-ES /grant /T /C
  2⤵
  PID:5752
- C:\Windows\system32\takeown.exe
  "C:\Windows\system32\takeown.exe" /F C:\Windows\System32\GroupPolicy /A /R /D Y
  2⤵
  PID:2572
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" C:\Windows\System32\GroupPolicy /grant /T /C
  2⤵
  PID:4468
- C:\Windows\system32\takeown.exe
  "C:\Windows\system32\takeown.exe" /F C:\Windows\System32\GroupPolicyUsers /A /R /D Y
  2⤵
  PID:5004
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" C:\Windows\System32\GroupPolicyUsers /grant /T /C
  2⤵
  PID:3828
- C:\Windows\system32\takeown.exe
  "C:\Windows\system32\takeown.exe" /F C:\Windows\System32\he-IL /A /R /D Y
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:3920
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" C:\Windows\System32\he-IL /grant /T /C
  2⤵
  PID:696
- C:\Windows\system32\takeown.exe
  "C:\Windows\system32\takeown.exe" /F C:\Windows\System32\HealthAttestationClient /A /R /D Y
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:5624
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" C:\Windows\System32\HealthAttestationClient /grant /T /C
  2⤵
  PID:5464
- C:\Windows\system32\takeown.exe
  "C:\Windows\system32\takeown.exe" /F C:\Windows\System32\hr-HR /A /R /D Y
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:3980
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" C:\Windows\System32\hr-HR /grant /T /C
  2⤵
  PID:1560
- C:\Windows\system32\takeown.exe
  "C:\Windows\system32\takeown.exe" /F C:\Windows\System32\hu-HU /A /R /D Y
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2980
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" C:\Windows\System32\hu-HU /grant /T /C
  2⤵
  PID:1688
- C:\Windows\system32\takeown.exe
  "C:\Windows\system32\takeown.exe" /F C:\Windows\System32\Hydrogen /A /R /D Y
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:5936
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" C:\Windows\System32\Hydrogen /grant /T /C
  2⤵
  PID:1368
- C:\Windows\system32\takeown.exe
  "C:\Windows\system32\takeown.exe" /F C:\Windows\System32\ias /A /R /D Y
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:5532
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" C:\Windows\System32\ias /grant /T /C
  2⤵
  PID:1920
- C:\Windows\system32\takeown.exe
  "C:\Windows\system32\takeown.exe" /F C:\Windows\System32\icsxml /A /R /D Y
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:1352
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" C:\Windows\System32\icsxml /grant /T /C
  2⤵
  PID:1184
- C:\Windows\system32\takeown.exe
  "C:\Windows\system32\takeown.exe" /F C:\Windows\System32\id-ID /A /R /D Y
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:1584
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" C:\Windows\System32\id-ID /grant /T /C
  2⤵
  PID:3644
- C:\Windows\system32\takeown.exe
  "C:\Windows\system32\takeown.exe" /F C:\Windows\System32\IME /A /R /D Y
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:6096
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" C:\Windows\System32\IME /grant /T /C
  2⤵
  PID:1736
- C:\Windows\system32\takeown.exe
  "C:\Windows\system32\takeown.exe" /F C:\Windows\System32\inetsrv /A /R /D Y
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:5160
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" C:\Windows\System32\inetsrv /grant /T /C
  2⤵
  PID:6116
- C:\Windows\system32\takeown.exe
  "C:\Windows\system32\takeown.exe" /F C:\Windows\System32\InputMethod /A /R /D Y
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:6136
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" C:\Windows\System32\InputMethod /grant /T /C
  2⤵
  PID:3032
- C:\Windows\system32\takeown.exe
  "C:\Windows\system32\takeown.exe" /F C:\Windows\System32\Ipmi /A /R /D Y
  2⤵
  PID:1388
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" C:\Windows\System32\Ipmi /grant /T /C
  2⤵
  PID:1916
- C:\Windows\system32\takeown.exe
  "C:\Windows\system32\takeown.exe" /F C:\Windows\System32\it /A /R /D Y
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:792
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" C:\Windows\System32\it /grant /T /C
  2⤵
  PID:908
- C:\Windows\system32\takeown.exe
  "C:\Windows\system32\takeown.exe" /F C:\Windows\System32\it-IT /A /R /D Y
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:5452
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" C:\Windows\System32\it-IT /grant /T /C
  2⤵
  PID:1728
- C:\Windows\system32\takeown.exe
  "C:\Windows\system32\takeown.exe" /F C:\Windows\System32\ja /A /R /D Y
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:4536
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" C:\Windows\System32\ja /grant /T /C
  2⤵
  PID:5192
- C:\Windows\system32\takeown.exe
  "C:\Windows\system32\takeown.exe" /F C:\Windows\System32\ja-jp /A /R /D Y
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:4512
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" C:\Windows\System32\ja-jp /grant /T /C
  2⤵
  PID:2452
- C:\Windows\system32\takeown.exe
  "C:\Windows\system32\takeown.exe" /F C:\Windows\System32\Keywords /A /R /D Y
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:4640
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" C:\Windows\System32\Keywords /grant /T /C
  2⤵
  PID:2456
- C:\Windows\system32\takeown.exe
  "C:\Windows\system32\takeown.exe" /F C:\Windows\System32\ko-KR /A /R /D Y
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2176
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" C:\Windows\System32\ko-KR /grant /T /C
  2⤵
  PID:1564
- C:\Windows\system32\takeown.exe
  "C:\Windows\system32\takeown.exe" /F C:\Windows\System32\Licenses /A /R /D Y
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:648
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" C:\Windows\System32\Licenses /grant /T /C
  2⤵
  PID:3440
- C:\Windows\system32\takeown.exe
  "C:\Windows\system32\takeown.exe" /F C:\Windows\System32\LogFiles /A /R /D Y
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:5820
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" C:\Windows\System32\LogFiles /grant /T /C
  2⤵
  PID:5220
- C:\Windows\system32\takeown.exe
  "C:\Windows\system32\takeown.exe" /F C:\Windows\System32\lt-LT /A /R /D Y
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:5104
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" C:\Windows\System32\lt-LT /grant /T /C
  2⤵
  PID:820
- C:\Windows\system32\takeown.exe
  "C:\Windows\system32\takeown.exe" /F C:\Windows\System32\lv-LV /A /R /D Y
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:5016
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" C:\Windows\System32\lv-LV /grant /T /C
  2⤵
  PID:4456
- C:\Windows\system32\takeown.exe
  "C:\Windows\system32\takeown.exe" /F C:\Windows\System32\lxss /A /R /D Y
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:4732
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" C:\Windows\System32\lxss /grant /T /C
  2⤵
  PID:3480
- C:\Windows\system32\takeown.exe
  "C:\Windows\system32\takeown.exe" /F C:\Windows\System32\MailContactsCalendarSync /A /R /D Y
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:4428
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" C:\Windows\System32\MailContactsCalendarSync /grant /T /C
  2⤵
  PID:4144
- C:\Windows\system32\takeown.exe
  "C:\Windows\system32\takeown.exe" /F C:\Windows\System32\Microsoft /A /R /D Y
  2⤵
  PID:3360
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" C:\Windows\System32\Microsoft /grant /T /C
  2⤵
  PID:2400
- C:\Windows\system32\takeown.exe
  "C:\Windows\system32\takeown.exe" /F C:\Windows\System32\migration /A /R /D Y
  2⤵
  PID:1628
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" C:\Windows\System32\migration /grant /T /C
  2⤵
  PID:3432
- C:\Windows\system32\takeown.exe
  "C:\Windows\system32\takeown.exe" /F C:\Windows\System32\migwiz /A /R /D Y
  2⤵
  PID:5952
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" C:\Windows\System32\migwiz /grant /T /C
  2⤵
  PID:3904
- C:\Windows\system32\takeown.exe
  "C:\Windows\system32\takeown.exe" /F C:\Windows\System32\MSDRM /A /R /D Y
  2⤵
  PID:4356
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" C:\Windows\System32\MSDRM /grant /T /C
  2⤵
  PID:5028
- C:\Windows\system32\takeown.exe
  "C:\Windows\system32\takeown.exe" /F C:\Windows\System32\MsDtc /A /R /D Y
  2⤵
  PID:2260
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" C:\Windows\System32\MsDtc /grant /T /C
  2⤵
  PID:2352
- C:\Windows\system32\takeown.exe
  "C:\Windows\system32\takeown.exe" /F C:\Windows\System32\MUI /A /R /D Y
  2⤵
  PID:1880
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" C:\Windows\System32\MUI /grant /T /C
  2⤵
  PID:1936
- C:\Windows\system32\takeown.exe
  "C:\Windows\system32\takeown.exe" /F C:\Windows\System32\nb-NO /A /R /D Y
  2⤵
  PID:4372
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" C:\Windows\System32\nb-NO /grant /T /C
  2⤵
  PID:4656
- C:\Windows\system32\takeown.exe
  "C:\Windows\system32\takeown.exe" /F C:\Windows\System32\NDF /A /R /D Y
  2⤵
  PID:3220
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" C:\Windows\System32\NDF /grant /T /C
  2⤵
  PID:5708
- C:\Windows\system32\takeown.exe
  "C:\Windows\system32\takeown.exe" /F C:\Windows\System32\networklist /A /R /D Y
  2⤵
  PID:1428
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" C:\Windows\System32\networklist /grant /T /C
  2⤵
  PID:1088
- C:\Windows\system32\takeown.exe
  "C:\Windows\system32\takeown.exe" /F C:\Windows\System32\nl-NL /A /R /D Y
  2⤵
  PID:3468
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" C:\Windows\System32\nl-NL /grant /T /C
  2⤵
  PID:3764
- C:\Windows\system32\takeown.exe
  "C:\Windows\system32\takeown.exe" /F C:\Windows\System32\Nui /A /R /D Y
  2⤵
  PID:1048
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" C:\Windows\System32\Nui /grant /T /C
  2⤵
  PID:5364
- C:\Windows\system32\takeown.exe
  "C:\Windows\system32\takeown.exe" /F C:\Windows\System32\oobe /A /R /D Y
  2⤵
  PID:1020
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" C:\Windows\System32\oobe /grant /T /C
  2⤵
  PID:1776
- C:\Windows\system32\takeown.exe
  "C:\Windows\system32\takeown.exe" /F C:\Windows\System32\OpenSSH /A /R /D Y
  2⤵
  PID:2756
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" C:\Windows\System32\OpenSSH /grant /T /C
  2⤵
  PID:5692
- C:\Windows\system32\takeown.exe
  "C:\Windows\system32\takeown.exe" /F C:\Windows\System32\Pbr /A /R /D Y
  2⤵
  PID:3052
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" C:\Windows\System32\Pbr /grant /T /C
  2⤵
  PID:4804
- C:\Windows\system32\takeown.exe
  "C:\Windows\system32\takeown.exe" /F C:\Windows\System32\PerceptionSimulation /A /R /D Y
  2⤵
  PID:5048
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" C:\Windows\System32\PerceptionSimulation /grant /T /C
  2⤵
  PID:4564
- C:\Windows\system32\takeown.exe
  "C:\Windows\system32\takeown.exe" /F C:\Windows\System32\pl-PL /A /R /D Y
  2⤵
  PID:1884
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" C:\Windows\System32\pl-PL /grant /T /C
  2⤵
  PID:4780
- C:\Windows\system32\takeown.exe
  "C:\Windows\system32\takeown.exe" /F C:\Windows\System32\PointOfService /A /R /D Y
  2⤵
  PID:2896
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" C:\Windows\System32\PointOfService /grant /T /C
  2⤵
  PID:4808
- C:\Windows\system32\takeown.exe
  "C:\Windows\system32\takeown.exe" /F C:\Windows\System32\Printing_Admin_Scripts /A /R /D Y
  2⤵
  PID:3292
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" C:\Windows\System32\Printing_Admin_Scripts /grant /T /C
  2⤵
  PID:1544
- C:\Windows\system32\takeown.exe
  "C:\Windows\system32\takeown.exe" /F C:\Windows\System32\ProximityToast /A /R /D Y
  2⤵
  PID:4844
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" C:\Windows\System32\ProximityToast /grant /T /C
  2⤵
  PID:3656
- C:\Windows\system32\takeown.exe
  "C:\Windows\system32\takeown.exe" /F C:\Windows\System32\pt-BR /A /R /D Y
  2⤵
  PID:72
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" C:\Windows\System32\pt-BR /grant /T /C
  2⤵
  PID:3508
- C:\Windows\system32\takeown.exe
  "C:\Windows\system32\takeown.exe" /F C:\Windows\System32\pt-PT /A /R /D Y
  2⤵
  PID:2224
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" C:\Windows\System32\pt-PT /grant /T /C
  2⤵
  PID:1188
- C:\Windows\system32\takeown.exe
  "C:\Windows\system32\takeown.exe" /F C:\Windows\System32\ras /A /R /D Y
  2⤵
  PID:2160
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" C:\Windows\System32\ras /grant /T /C
  2⤵
  PID:692
- C:\Windows\system32\takeown.exe
  "C:\Windows\system32\takeown.exe" /F C:\Windows\System32\RasToast /A /R /D Y
  2⤵
  PID:5572
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" C:\Windows\System32\RasToast /grant /T /C
  2⤵
  PID:5148
- C:\Windows\system32\takeown.exe
  "C:\Windows\system32\takeown.exe" /F C:\Windows\System32\Recovery /A /R /D Y
  2⤵
  PID:3676
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" C:\Windows\System32\Recovery /grant /T /C
  2⤵
  PID:2884
- C:\Windows\system32\takeown.exe
  "C:\Windows\system32\takeown.exe" /F C:\Windows\System32\restore /A /R /D Y
  2⤵
  PID:5188
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" C:\Windows\System32\restore /grant /T /C
  2⤵
  PID:4748
- C:\Windows\system32\takeown.exe
  "C:\Windows\system32\takeown.exe" /F C:\Windows\System32\ro-RO /A /R /D Y
  2⤵
  PID:1488
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" C:\Windows\System32\ro-RO /grant /T /C
  2⤵
  PID:808
- C:\Windows\system32\takeown.exe
  "C:\Windows\system32\takeown.exe" /F C:\Windows\System32\ru-RU /A /R /D Y
  2⤵
  PID:6068
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" C:\Windows\System32\ru-RU /grant /T /C
  2⤵
  PID:4524
- C:\Windows\system32\takeown.exe
  "C:\Windows\system32\takeown.exe" /F C:\Windows\System32\SecureBootUpdates /A /R /D Y
  2⤵
  PID:3064
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" C:\Windows\System32\SecureBootUpdates /grant /T /C
  2⤵
  PID:3564
- C:\Windows\system32\takeown.exe
  "C:\Windows\system32\takeown.exe" /F C:\Windows\System32\setup /A /R /D Y
  2⤵
  PID:1128
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" C:\Windows\System32\setup /grant /T /C
  2⤵
  PID:4704
- C:\Windows\system32\takeown.exe
  "C:\Windows\system32\takeown.exe" /F C:\Windows\System32\Sgrm /A /R /D Y
  2⤵
  PID:2368
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" C:\Windows\System32\Sgrm /grant /T /C
  2⤵
  PID:5204
- C:\Windows\system32\takeown.exe
  "C:\Windows\system32\takeown.exe" /F C:\Windows\System32\ShellExperiences /A /R /D Y
  2⤵
  PID:4500
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" C:\Windows\System32\ShellExperiences /grant /T /C
  2⤵
  PID:2936
- C:\Windows\system32\takeown.exe
  "C:\Windows\system32\takeown.exe" /F C:\Windows\System32\sk-SK /A /R /D Y
  2⤵
  PID:2296
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" C:\Windows\System32\sk-SK /grant /T /C
  2⤵
  PID:2148
- C:\Windows\system32\takeown.exe
  "C:\Windows\system32\takeown.exe" /F C:\Windows\System32\sl-SI /A /R /D Y
  2⤵
  PID:2180
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" C:\Windows\System32\sl-SI /grant /T /C
  2⤵
  PID:4140
- C:\Windows\system32\takeown.exe
  "C:\Windows\system32\takeown.exe" /F C:\Windows\System32\SleepStudy /A /R /D Y
  2⤵
  PID:3860
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" C:\Windows\System32\SleepStudy /grant /T /C
  2⤵
  PID:5324
- C:\Windows\system32\takeown.exe
  "C:\Windows\system32\takeown.exe" /F C:\Windows\System32\slmgr /A /R /D Y
  2⤵
  PID:3228
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" C:\Windows\System32\slmgr /grant /T /C
  2⤵
  PID:1992
- C:\Windows\system32\takeown.exe
  "C:\Windows\system32\takeown.exe" /F C:\Windows\System32\SMI /A /R /D Y
  2⤵
  PID:3524
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" C:\Windows\System32\SMI /grant /T /C
  2⤵
  PID:804
- C:\Windows\system32\takeown.exe
  "C:\Windows\system32\takeown.exe" /F C:\Windows\System32\Speech /A /R /D Y
  2⤵
  PID:800
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" C:\Windows\System32\Speech /grant /T /C
  2⤵
  PID:5736
- C:\Windows\system32\takeown.exe
  "C:\Windows\system32\takeown.exe" /F C:\Windows\System32\Speech_OneCore /A /R /D Y
  2⤵
  PID:4116
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" C:\Windows\System32\Speech_OneCore /grant /T /C
  2⤵
  PID:3000
- C:\Windows\system32\takeown.exe
  "C:\Windows\system32\takeown.exe" /F C:\Windows\System32\spool /A /R /D Y
  2⤵
  PID:2796
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" C:\Windows\System32\spool /grant /T /C
  2⤵
  PID:5548
- C:\Windows\system32\takeown.exe
  "C:\Windows\system32\takeown.exe" /F C:\Windows\System32\spp /A /R /D Y
  2⤵
  PID:5836
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" C:\Windows\System32\spp /grant /T /C
  2⤵
  PID:5036
- C:\Windows\system32\takeown.exe
  "C:\Windows\system32\takeown.exe" /F C:\Windows\System32\sppui /A /R /D Y
  2⤵
  PID:1668
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" C:\Windows\System32\sppui /grant /T /C
  2⤵
  PID:916
- C:\Windows\system32\takeown.exe
  "C:\Windows\system32\takeown.exe" /F C:\Windows\System32\sr-Latn-RS /A /R /D Y
  2⤵
  PID:2944
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" C:\Windows\System32\sr-Latn-RS /grant /T /C
  2⤵
  PID:1080
- C:\Windows\system32\takeown.exe
  "C:\Windows\system32\takeown.exe" /F C:\Windows\System32\sru /A /R /D Y
  2⤵
  PID:2872
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" C:\Windows\System32\sru /grant /T /C
  2⤵
  PID:2304
- C:\Windows\system32\takeown.exe
  "C:\Windows\system32\takeown.exe" /F C:\Windows\System32\sv-SE /A /R /D Y
  2⤵
  PID:1960
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" C:\Windows\System32\sv-SE /grant /T /C
  2⤵
  PID:444
- C:\Windows\system32\takeown.exe
  "C:\Windows\system32\takeown.exe" /F C:\Windows\System32\Sysprep /A /R /D Y
  2⤵
  PID:112
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" C:\Windows\System32\Sysprep /grant /T /C
  2⤵
  PID:1648
- C:\Windows\system32\takeown.exe
  "C:\Windows\system32\takeown.exe" /F C:\Windows\System32\SystemResetPlatform /A /R /D Y
  2⤵
  PID:4244
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" C:\Windows\System32\SystemResetPlatform /grant /T /C
  2⤵
  PID:5524
- C:\Windows\system32\takeown.exe
  "C:\Windows\system32\takeown.exe" /F C:\Windows\System32\Tasks /A /R /D Y
  2⤵
  PID:3132
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" C:\Windows\System32\Tasks /grant /T /C
  2⤵
  PID:4040
- C:\Windows\system32\takeown.exe
  "C:\Windows\system32\takeown.exe" /F C:\Windows\System32\th-TH /A /R /D Y
  2⤵
  PID:1684
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" C:\Windows\System32\th-TH /grant /T /C
  2⤵
  PID:5348
- C:\Windows\system32\takeown.exe
  "C:\Windows\system32\takeown.exe" /F C:\Windows\System32\tr-TR /A /R /D Y
  2⤵
  PID:5020
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" C:\Windows\System32\tr-TR /grant /T /C
  2⤵
  PID:3056
- C:\Windows\system32\takeown.exe
  "C:\Windows\system32\takeown.exe" /F C:\Windows\System32\uk /A /R /D Y
  2⤵
  PID:4724
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" C:\Windows\System32\uk /grant /T /C
  2⤵
  PID:2088
- C:\Windows\system32\takeown.exe
  "C:\Windows\system32\takeown.exe" /F C:\Windows\System32\uk-UA /A /R /D Y
  2⤵
  PID:4920
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" C:\Windows\System32\uk-UA /grant /T /C
  2⤵
  PID:5596
- C:\Windows\system32\takeown.exe
  "C:\Windows\system32\takeown.exe" /F C:\Windows\System32\UNP /A /R /D Y
  2⤵
  PID:4120
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" C:\Windows\System32\UNP /grant /T /C
  2⤵
  PID:1112
- C:\Windows\system32\takeown.exe
  "C:\Windows\system32\takeown.exe" /F C:\Windows\System32\vi-VN /A /R /D Y
  2⤵
  PID:6080
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" C:\Windows\System32\vi-VN /grant /T /C
  2⤵
  PID:5832
- C:\Windows\system32\takeown.exe
  "C:\Windows\system32\takeown.exe" /F C:\Windows\System32\wbem /A /R /D Y
  2⤵
  PID:1660
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" C:\Windows\System32\wbem /grant /T /C
  2⤵
  PID:4008
- C:\Windows\system32\takeown.exe
  "C:\Windows\system32\takeown.exe" /F C:\Windows\System32\WCN /A /R /D Y
  2⤵
  PID:5700
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" C:\Windows\System32\WCN /grant /T /C
  2⤵
  PID:4416
- C:\Windows\system32\takeown.exe
  "C:\Windows\system32\takeown.exe" /F C:\Windows\System32\WDI /A /R /D Y
  2⤵
  PID:4908
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" C:\Windows\System32\WDI /grant /T /C
  2⤵
  PID:1972
- C:\Windows\system32\takeown.exe
  "C:\Windows\system32\takeown.exe" /F C:\Windows\System32\WinBioDatabase /A /R /D Y
  2⤵
  PID:5776
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" C:\Windows\System32\WinBioDatabase /grant /T /C
  2⤵
  PID:5336
- C:\Windows\system32\takeown.exe
  "C:\Windows\system32\takeown.exe" /F C:\Windows\System32\WinBioPlugIns /A /R /D Y
  2⤵
  PID:1644
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" C:\Windows\System32\WinBioPlugIns /grant /T /C
  2⤵
  PID:5096
- C:\Windows\system32\takeown.exe
  "C:\Windows\system32\takeown.exe" /F C:\Windows\System32\WindowsPowerShell /A /R /D Y
  2⤵
  PID:1400
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" C:\Windows\System32\WindowsPowerShell /grant /T /C
  2⤵
  PID:5588
- C:\Windows\system32\takeown.exe
  "C:\Windows\system32\takeown.exe" /F C:\Windows\System32\winevt /A /R /D Y
  2⤵
  PID:5276
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" C:\Windows\System32\winevt /grant /T /C
  2⤵
  PID:2660
- C:\Windows\system32\takeown.exe
  "C:\Windows\system32\takeown.exe" /F C:\Windows\System32\WinMetadata /A /R /D Y
  2⤵
  PID:3008
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" C:\Windows\System32\WinMetadata /grant /T /C
  2⤵
  PID:3652
- C:\Windows\system32\takeown.exe
  "C:\Windows\system32\takeown.exe" /F C:\Windows\System32\winrm /A /R /D Y
  2⤵
  PID:2824
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" C:\Windows\System32\winrm /grant /T /C
  2⤵
  PID:6000
- C:\Windows\system32\takeown.exe
  "C:\Windows\system32\takeown.exe" /F C:\Windows\System32\zh-CN /A /R /D Y
  2⤵
  PID:3248
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" C:\Windows\System32\zh-CN /grant /T /C
  2⤵
  PID:1900
- C:\Windows\system32\takeown.exe
  "C:\Windows\system32\takeown.exe" /F C:\Windows\System32\zh-TW /A /R /D Y
  2⤵
  PID:492
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" C:\Windows\System32\zh-TW /grant /T /C
  2⤵
  PID:3528
- C:\Windows\system32\takeown.exe
  "C:\Windows\system32\takeown.exe" /F C:\Windows\System32\0ae3b998-9a38-4b72-a4c4-06849441518d_Servicing-Stack.dll /A /R /D Y
  2⤵
  PID:4624
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" C:\Windows\System32\0ae3b998-9a38-4b72-a4c4-06849441518d_Servicing-Stack.dll /grant /T /C
  2⤵
  PID:616
- C:\Windows\system32\takeown.exe
  "C:\Windows\system32\takeown.exe" /F C:\Windows\System32\69fe178f-26e7-43a9-aa7d-2b616b672dde_eventlogservice.dll /A /R /D Y
  2⤵
  PID:3884
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" C:\Windows\System32\69fe178f-26e7-43a9-aa7d-2b616b672dde_eventlogservice.dll /grant /T /C
  2⤵
  PID:1204
- C:\Windows\system32\takeown.exe
  "C:\Windows\system32\takeown.exe" /F C:\Windows\System32\6bea57fb-8dfb-4177-9ae8-42e8b3529933_RuntimeDeviceInstall.dll /A /R /D Y
  2⤵
  PID:1524
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" C:\Windows\System32\6bea57fb-8dfb-4177-9ae8-42e8b3529933_RuntimeDeviceInstall.dll /grant /T /C
  2⤵
  PID:880
- C:\Windows\system32\takeown.exe
  "C:\Windows\system32\takeown.exe" /F C:\Windows\System32\@AdvancedKeySettingsNotification.png /A /R /D Y
  2⤵
  PID:3952
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" C:\Windows\System32\@AdvancedKeySettingsNotification.png /grant /T /C
  2⤵
  PID:1552
- C:\Windows\system32\takeown.exe
  "C:\Windows\system32\takeown.exe" /F C:\Windows\System32\@AppHelpToast.png /A /R /D Y
  2⤵
  PID:1172
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" C:\Windows\System32\@AppHelpToast.png /grant /T /C
  2⤵
  PID:1848
- C:\Windows\system32\takeown.exe
  "C:\Windows\system32\takeown.exe" /F C:\Windows\System32\@AudioToastIcon.png /A /R /D Y
  2⤵
  PID:1852
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" C:\Windows\System32\@AudioToastIcon.png /grant /T /C
  2⤵
  PID:956
- C:\Windows\system32\takeown.exe
  "C:\Windows\system32\takeown.exe" /F C:\Windows\System32\@BackgroundAccessToastIcon.png /A /R /D Y
  2⤵
  PID:3792
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" C:\Windows\System32\@BackgroundAccessToastIcon.png /grant /T /C
  2⤵
  PID:4996
- C:\Windows\system32\takeown.exe
  "C:\Windows\system32\takeown.exe" /F C:\Windows\System32\@bitlockertoastimage.png /A /R /D Y
  2⤵
  PID:4928
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" C:\Windows\System32\@bitlockertoastimage.png /grant /T /C
  2⤵
  PID:4532
- C:\Windows\system32\takeown.exe
  "C:\Windows\system32\takeown.exe" /F C:\Windows\System32\@edptoastimage.png /A /R /D Y
  2⤵
  PID:5176
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" C:\Windows\System32\@edptoastimage.png /grant /T /C
  2⤵
  PID:2584
- C:\Windows\system32\takeown.exe
  "C:\Windows\system32\takeown.exe" /F C:\Windows\System32\@EnrollmentToastIcon.png /A /R /D Y
  2⤵
  PID:6016
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" C:\Windows\System32\@EnrollmentToastIcon.png /grant /T /C
  2⤵
  PID:4216
- C:\Windows\system32\takeown.exe
  "C:\Windows\system32\takeown.exe" /F C:\Windows\System32\@language_notification_icon.png /A /R /D Y
  2⤵
  PID:5108
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" C:\Windows\System32\@language_notification_icon.png /grant /T /C
  2⤵
  PID:3300
- C:\Windows\system32\takeown.exe
  "C:\Windows\system32\takeown.exe" /F C:\Windows\System32\@optionalfeatures.png /A /R /D Y
  2⤵
  PID:2464
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" C:\Windows\System32\@optionalfeatures.png /grant /T /C
  2⤵
  PID:5932
- C:\Windows\system32\takeown.exe
  "C:\Windows\system32\takeown.exe" /F C:\Windows\System32\@StorageSenseToastIcon.png /A /R /D Y
  2⤵
  PID:1672
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" C:\Windows\System32\@StorageSenseToastIcon.png /grant /T /C
  2⤵
  PID:5800
- C:\Windows\system32\takeown.exe
  "C:\Windows\system32\takeown.exe" /F C:\Windows\System32\@VpnToastIcon.png /A /R /D Y
  2⤵
  PID:5468
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" C:\Windows\System32\@VpnToastIcon.png /grant /T /C
  2⤵
  PID:4536
- C:\Windows\system32\takeown.exe
  "C:\Windows\system32\takeown.exe" /F C:\Windows\System32\@windows-hello-V4.1.gif /A /R /D Y
  2⤵
  PID:1984
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" C:\Windows\System32\@windows-hello-V4.1.gif /grant /T /C
  2⤵
  PID:5384
- C:\Windows\system32\takeown.exe
  "C:\Windows\system32\takeown.exe" /F C:\Windows\System32\@WindowsHelloFaceToastIcon.png /A /R /D Y
  2⤵
  PID:4692
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" C:\Windows\System32\@WindowsHelloFaceToastIcon.png /grant /T /C
  2⤵
  PID:4612
- C:\Windows\system32\takeown.exe
  "C:\Windows\system32\takeown.exe" /F C:\Windows\System32\@WindowsUpdateToastIcon.contrast-black.png /A /R /D Y
  2⤵
  PID:2456
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" C:\Windows\System32\@WindowsUpdateToastIcon.contrast-black.png /grant /T /C
  2⤵
  PID:2156
- C:\Windows\system32\takeown.exe
  "C:\Windows\system32\takeown.exe" /F C:\Windows\System32\@WindowsUpdateToastIcon.contrast-white.png /A /R /D Y
  2⤵
  PID:2176
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" C:\Windows\System32\@WindowsUpdateToastIcon.contrast-white.png /grant /T /C
  2⤵
  PID:4488
- C:\Windows\system32\takeown.exe
  "C:\Windows\system32\takeown.exe" /F C:\Windows\System32\@WindowsUpdateToastIcon.png /A /R /D Y
  2⤵
  PID:648
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" C:\Windows\System32\@WindowsUpdateToastIcon.png /grant /T /C
  2⤵
  PID:664
- C:\Windows\system32\takeown.exe
  "C:\Windows\system32\takeown.exe" /F C:\Windows\System32\@WirelessDisplayToast.png /A /R /D Y
  2⤵
  PID:5820
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" C:\Windows\System32\@WirelessDisplayToast.png /grant /T /C
  2⤵
  PID:5296
- C:\Windows\system32\takeown.exe
  "C:\Windows\system32\takeown.exe" /F C:\Windows\System32\@WLOGO_48x48.png /A /R /D Y
  2⤵
  PID:5104
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" C:\Windows\System32\@WLOGO_48x48.png /grant /T /C
  2⤵
  PID:4556
- C:\Windows\system32\takeown.exe
  "C:\Windows\system32\takeown.exe" /F C:\Windows\System32\aadauthhelper.dll /A /R /D Y
  2⤵
  PID:5016
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" C:\Windows\System32\aadauthhelper.dll /grant /T /C
  2⤵
  PID:4528
- C:\Windows\system32\takeown.exe
  "C:\Windows\system32\takeown.exe" /F C:\Windows\System32\aadcloudap.dll /A /R /D Y
  2⤵
  PID:4732
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" C:\Windows\System32\aadcloudap.dll /grant /T /C
  2⤵
  PID:5256
- C:\Windows\system32\takeown.exe
  "C:\Windows\system32\takeown.exe" /F C:\Windows\System32\aadjcsp.dll /A /R /D Y
  2⤵
  PID:4428
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" C:\Windows\System32\aadjcsp.dll /grant /T /C
  2⤵
  PID:3360
- C:\Windows\system32\takeown.exe
  "C:\Windows\system32\takeown.exe" /F C:\Windows\System32\aadtb.dll /A /R /D Y
  2⤵
  PID:2400
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" C:\Windows\System32\aadtb.dll /grant /T /C
  2⤵
  PID:3504
- C:\Windows\system32\takeown.exe
  "C:\Windows\system32\takeown.exe" /F C:\Windows\System32\aadWamExtension.dll /A /R /D Y
  2⤵
  PID:2752
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" C:\Windows\System32\aadWamExtension.dll /grant /T /C
  2⤵
  PID:1628
- C:\Windows\system32\takeown.exe
  "C:\Windows\system32\takeown.exe" /F C:\Windows\System32\AarSvc.dll /A /R /D Y
  2⤵
  PID:3928
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" C:\Windows\System32\AarSvc.dll /grant /T /C
  2⤵
  PID:4036
- C:\Windows\system32\takeown.exe
  "C:\Windows\system32\takeown.exe" /F C:\Windows\System32\AboutSettingsHandlers.dll /A /R /D Y
  2⤵
  PID:4540
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" C:\Windows\System32\AboutSettingsHandlers.dll /grant /T /C
  2⤵
  PID:3388
- C:\Windows\system32\takeown.exe
  "C:\Windows\system32\takeown.exe" /F C:\Windows\System32\AboveLockAppHost.dll /A /R /D Y
  2⤵
  PID:5264
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" C:\Windows\System32\AboveLockAppHost.dll /grant /T /C
  2⤵
  PID:5068
- C:\Windows\system32\takeown.exe
  "C:\Windows\system32\takeown.exe" /F C:\Windows\System32\accessibilitycpl.dll /A /R /D Y
  2⤵
  PID:1680
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" C:\Windows\System32\accessibilitycpl.dll /grant /T /C
  2⤵
  PID:5628
- C:\Windows\system32\takeown.exe
  "C:\Windows\system32\takeown.exe" /F C:\Windows\System32\accountaccessor.dll /A /R /D Y
  2⤵
  PID:4520
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" C:\Windows\System32\accountaccessor.dll /grant /T /C
  2⤵
  PID:2216
- C:\Windows\system32\takeown.exe
  "C:\Windows\system32\takeown.exe" /F C:\Windows\System32\AccountsRt.dll /A /R /D Y
  2⤵
  PID:5084
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" C:\Windows\System32\AccountsRt.dll /grant /T /C
  2⤵
  PID:4368
- C:\Windows\system32\takeown.exe
  "C:\Windows\system32\takeown.exe" /F C:\Windows\System32\AcGenral.dll /A /R /D Y
  2⤵
  PID:2384
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" C:\Windows\System32\AcGenral.dll /grant /T /C
  2⤵
  PID:2376
- C:\Windows\system32\takeown.exe
  "C:\Windows\system32\takeown.exe" /F C:\Windows\System32\AcLayers.dll /A /R /D Y
  2⤵
  PID:540
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" C:\Windows\System32\AcLayers.dll /grant /T /C
  2⤵
  PID:4708
- C:\Windows\system32\takeown.exe
  "C:\Windows\system32\takeown.exe" /F C:\Windows\System32\acledit.dll /A /R /D Y
  2⤵
  PID:2760
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" C:\Windows\System32\acledit.dll /grant /T /C
  2⤵
  PID:4936
- C:\Windows\system32\takeown.exe
  "C:\Windows\system32\takeown.exe" /F C:\Windows\System32\aclui.dll /A /R /D Y
  2⤵
  PID:1420
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" C:\Windows\System32\aclui.dll /grant /T /C
  2⤵
  PID:244
- C:\Windows\system32\takeown.exe
  "C:\Windows\system32\takeown.exe" /F C:\Windows\System32\acmigration.dll /A /R /D Y
  2⤵
  PID:1084
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" C:\Windows\System32\acmigration.dll /grant /T /C
  2⤵
  PID:1428
- C:\Windows\system32\takeown.exe
  "C:\Windows\system32\takeown.exe" /F C:\Windows\System32\ACPBackgroundManagerPolicy.dll /A /R /D Y
  2⤵
  PID:5272
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" C:\Windows\System32\ACPBackgroundManagerPolicy.dll /grant /T /C
  2⤵
  PID:3264
- C:\Windows\system32\takeown.exe
  "C:\Windows\system32\takeown.exe" /F C:\Windows\System32\acppage.dll /A /R /D Y
  2⤵
  PID:5916
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" C:\Windows\System32\acppage.dll /grant /T /C
  2⤵
  PID:3468
- C:\Windows\system32\takeown.exe
  "C:\Windows\system32\takeown.exe" /F C:\Windows\System32\acproxy.dll /A /R /D Y
  2⤵
  PID:1832
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" C:\Windows\System32\acproxy.dll /grant /T /C
  2⤵
  PID:4496
- C:\Windows\system32\takeown.exe
  "C:\Windows\system32\takeown.exe" /F C:\Windows\System32\AcSpecfc.dll /A /R /D Y
  2⤵
  PID:1020
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" C:\Windows\System32\AcSpecfc.dll /grant /T /C
  2⤵
  PID:5040
- C:\Windows\system32\takeown.exe
  "C:\Windows\system32\takeown.exe" /F C:\Windows\System32\ActionCenter.dll_BUP /A /R /D Y
  2⤵
  PID:2756
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" C:\Windows\System32\ActionCenter.dll_BUP /grant /T /C
  2⤵
  PID:856
- C:\Windows\system32\takeown.exe
  "C:\Windows\system32\takeown.exe" /F C:\Windows\System32\ActionCenterCPL.dll_BUP /A /R /D Y
  2⤵
  PID:3052
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" C:\Windows\System32\ActionCenterCPL.dll_BUP /grant /T /C
  2⤵
  PID:5172
- C:\Windows\system32\takeown.exe
  "C:\Windows\system32\takeown.exe" /F C:\Windows\System32\ActionQueue.dll /A /R /D Y
  2⤵
  PID:2032
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" C:\Windows\System32\ActionQueue.dll /grant /T /C
  2⤵
  PID:1824
- C:\Windows\system32\takeown.exe
  "C:\Windows\system32\takeown.exe" /F C:\Windows\System32\ActivationClient.dll /A /R /D Y
  2⤵
  PID:4780
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" C:\Windows\System32\ActivationClient.dll /grant /T /C
  2⤵
  PID:5732
- C:\Windows\system32\takeown.exe
  "C:\Windows\system32\takeown.exe" /F C:\Windows\System32\ActivationManager.dll /A /R /D Y
  2⤵
  PID:1868
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" C:\Windows\System32\ActivationManager.dll /grant /T /C
  2⤵
  PID:4032
- C:\Windows\system32\takeown.exe
  "C:\Windows\system32\takeown.exe" /F C:\Windows\System32\activeds.dll /A /R /D Y
  2⤵
  PID:5424
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" C:\Windows\System32\activeds.dll /grant /T /C
  2⤵
  PID:4856
- C:\Windows\system32\takeown.exe
  "C:\Windows\system32\takeown.exe" /F C:\Windows\System32\activeds.tlb /A /R /D Y
  2⤵
  PID:1496
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" C:\Windows\System32\activeds.tlb /grant /T /C
  2⤵
  PID:3308
- C:\Windows\system32\takeown.exe
  "C:\Windows\system32\takeown.exe" /F C:\Windows\System32\ActiveHours.png /A /R /D Y
  2⤵
  PID:2868
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" C:\Windows\System32\ActiveHours.png /grant /T /C
  2⤵
  PID:2348
- C:\Windows\system32\takeown.exe
  "C:\Windows\system32\takeown.exe" /F C:\Windows\System32\ActiveSyncCsp.dll /A /R /D Y
  2⤵
  PID:5928
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" C:\Windows\System32\ActiveSyncCsp.dll /grant /T /C
  2⤵
  PID:3260
- C:\Windows\system32\takeown.exe
  "C:\Windows\system32\takeown.exe" /F C:\Windows\System32\ActiveSyncProvider.dll /A /R /D Y
  2⤵
  PID:408
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" C:\Windows\System32\ActiveSyncProvider.dll /grant /T /C
  2⤵
  PID:5992
- C:\Windows\system32\takeown.exe
  "C:\Windows\system32\takeown.exe" /F C:\Windows\System32\actxprxy.dll /A /R /D Y
  2⤵
  PID:5144
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" C:\Windows\System32\actxprxy.dll /grant /T /C
  2⤵
  PID:5244
- C:\Windows\system32\takeown.exe
  "C:\Windows\system32\takeown.exe" /F C:\Windows\System32\AcWinRT.dll /A /R /D Y
  2⤵
  PID:5248
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" C:\Windows\System32\AcWinRT.dll /grant /T /C
  2⤵
  PID:4740
- C:\Windows\system32\takeown.exe
  "C:\Windows\system32\takeown.exe" /F C:\Windows\System32\AcXtrnal.dll /A /R /D Y
  2⤵
  PID:2256
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" C:\Windows\System32\AcXtrnal.dll /grant /T /C
  2⤵
  PID:3108
- C:\Windows\system32\takeown.exe
  "C:\Windows\system32\takeown.exe" /F C:\Windows\System32\AdaptiveCards.dll /A /R /D Y
  2⤵
  PID:3752
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" C:\Windows\System32\AdaptiveCards.dll /grant /T /C
  2⤵
  PID:4304
- C:\Windows\system32\takeown.exe
  "C:\Windows\system32\takeown.exe" /F C:\Windows\System32\AddressParser.dll /A /R /D Y
  2⤵
  PID:2820
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" C:\Windows\System32\AddressParser.dll /grant /T /C
  2⤵
  PID:2992
- C:\Windows\system32\takeown.exe
  "C:\Windows\system32\takeown.exe" /F C:\Windows\System32\adhapi.dll /A /R /D Y
  2⤵
  PID:2676
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" C:\Windows\System32\adhapi.dll /grant /T /C
  2⤵
  PID:2680
- C:\Windows\system32\takeown.exe
  "C:\Windows\system32\takeown.exe" /F C:\Windows\System32\adhsvc.dll /A /R /D Y
  2⤵
  PID:3588
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" C:\Windows\System32\adhsvc.dll /grant /T /C
  2⤵
  PID:5196
- C:\Windows\system32\takeown.exe
  "C:\Windows\system32\takeown.exe" /F C:\Windows\System32\AdmTmpl.dll /A /R /D Y
  2⤵
  PID:3296
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" C:\Windows\System32\AdmTmpl.dll /grant /T /C
  2⤵
  PID:1128
- C:\Windows\system32\takeown.exe
  "C:\Windows\system32\takeown.exe" /F C:\Windows\System32\adprovider.dll /A /R /D Y
  2⤵
  PID:3372
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" C:\Windows\System32\adprovider.dll /grant /T /C
  2⤵
  PID:2936
- C:\Windows\system32\takeown.exe
  "C:\Windows\system32\takeown.exe" /F C:\Windows\System32\adrclient.dll /A /R /D Y
  2⤵
  PID:3520
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" C:\Windows\System32\adrclient.dll /grant /T /C
  2⤵
  PID:2148
- C:\Windows\system32\takeown.exe
  "C:\Windows\system32\takeown.exe" /F C:\Windows\System32\adsldp.dll /A /R /D Y
  2⤵
  PID:3384
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" C:\Windows\System32\adsldp.dll /grant /T /C
  2⤵
  - Possible privilege escalation attempt
  PID:4140
- C:\Windows\system32\takeown.exe
  "C:\Windows\system32\takeown.exe" /F C:\Windows\System32\adsldpc.dll /A /R /D Y
  2⤵
  PID:3120
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" C:\Windows\System32\adsldpc.dll /grant /T /C
  2⤵
  PID:5324
- C:\Windows\system32\takeown.exe
  "C:\Windows\system32\takeown.exe" /F C:\Windows\System32\adsmsext.dll /A /R /D Y
  2⤵
  PID:4812
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" C:\Windows\System32\adsmsext.dll /grant /T /C
  2⤵
  PID:1992
- C:\Windows\system32\takeown.exe
  "C:\Windows\system32\takeown.exe" /F C:\Windows\System32\adsnt.dll /A /R /D Y
  2⤵
  PID:2736
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" C:\Windows\System32\adsnt.dll /grant /T /C
  2⤵
  PID:804
- C:\Windows\system32\takeown.exe
  "C:\Windows\system32\takeown.exe" /F C:\Windows\System32\adtschema.dll /A /R /D Y
  2⤵
  PID:4064
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" C:\Windows\System32\adtschema.dll /grant /T /C
  2⤵
  PID:5736
- C:\Windows\system32\takeown.exe
  "C:\Windows\system32\takeown.exe" /F C:\Windows\System32\AdvancedEmojiDS.dll /A /R /D Y
  2⤵
  PID:3060
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" C:\Windows\System32\AdvancedEmojiDS.dll /grant /T /C
  2⤵
  PID:3000
- C:\Windows\system32\takeown.exe
  "C:\Windows\system32\takeown.exe" /F C:\Windows\System32\advapi32.dll /A /R /D Y
  2⤵
  PID:200
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" C:\Windows\System32\advapi32.dll /grant /T /C
  2⤵
  PID:5548
- C:\Windows\system32\takeown.exe
  "C:\Windows\system32\takeown.exe" /F C:\Windows\System32\advapi32res.dll /A /R /D Y
  2⤵
  PID:5216
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" C:\Windows\System32\advapi32res.dll /grant /T /C
  2⤵
  PID:5036
- C:\Windows\system32\takeown.exe
  "C:\Windows\system32\takeown.exe" /F C:\Windows\System32\advpack.dll /A /R /D Y
  2⤵
  PID:344
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" C:\Windows\System32\advpack.dll /grant /T /C
  2⤵
  PID:916
- C:\Windows\system32\takeown.exe
  "C:\Windows\system32\takeown.exe" /F C:\Windows\System32\aeevts.dll /A /R /D Y
  2⤵
  PID:1924
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" C:\Windows\System32\aeevts.dll /grant /T /C
  2⤵
  PID:1080
- C:\Windows\system32\takeown.exe
  "C:\Windows\system32\takeown.exe" /F C:\Windows\System32\aeinv.dll /A /R /D Y
  2⤵
  PID:3020
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" C:\Windows\System32\aeinv.dll /grant /T /C
  2⤵
  PID:2304
- C:\Windows\system32\takeown.exe
  "C:\Windows\system32\takeown.exe" /F C:\Windows\System32\aepic.dll /A /R /D Y
  2⤵
  PID:4072
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" C:\Windows\System32\aepic.dll /grant /T /C
  2⤵
  PID:444
- C:\Windows\system32\takeown.exe
  "C:\Windows\system32\takeown.exe" /F C:\Windows\System32\agentactivationruntime.dll /A /R /D Y
  2⤵
  PID:5896
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" C:\Windows\System32\agentactivationruntime.dll /grant /T /C
  2⤵
  PID:1648
- C:\Windows\system32\takeown.exe
  "C:\Windows\system32\takeown.exe" /F C:\Windows\System32\agentactivationruntimestarter.exe /A /R /D Y
  2⤵
  PID:3068
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" C:\Windows\System32\agentactivationruntimestarter.exe /grant /T /C
  2⤵
  PID:5524
- C:\Windows\system32\takeown.exe
  "C:\Windows\system32\takeown.exe" /F C:\Windows\System32\agentactivationruntimewindows.dll /A /R /D Y
  2⤵
  PID:4992
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" C:\Windows\System32\agentactivationruntimewindows.dll /grant /T /C
  2⤵
  PID:3840
- C:\Windows\system32\takeown.exe
  "C:\Windows\system32\takeown.exe" /F C:\Windows\System32\AgentService.exe /A /R /D Y
  2⤵
  PID:3984
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" C:\Windows\System32\AgentService.exe /grant /T /C
  2⤵
  PID:4360
- C:\Windows\system32\takeown.exe
  "C:\Windows\system32\takeown.exe" /F C:\Windows\System32\AggregatorHost.exe /A /R /D Y
  2⤵
  PID:464
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" C:\Windows\System32\AggregatorHost.exe /grant /T /C
  2⤵
  PID:1508
- C:\Windows\system32\takeown.exe
  "C:\Windows\system32\takeown.exe" /F C:\Windows\System32\aitstatic.exe /A /R /D Y
  2⤵
  PID:3084
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" C:\Windows\System32\aitstatic.exe /grant /T /C
  2⤵
  PID:472
- C:\Windows\system32\takeown.exe
  "C:\Windows\system32\takeown.exe" /F C:\Windows\System32\AJRouter.dll /A /R /D Y
  2⤵
  PID:4336
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" C:\Windows\System32\AJRouter.dll /grant /T /C
  2⤵
  PID:980
- C:\Windows\system32\takeown.exe
  "C:\Windows\system32\takeown.exe" /F C:\Windows\System32\alg.exe /A /R /D Y
  2⤵
  PID:3748
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" C:\Windows\System32\alg.exe /grant /T /C
  2⤵
  PID:1100
- C:\Windows\system32\takeown.exe
  "C:\Windows\system32\takeown.exe" /F C:\Windows\System32\altspace.dll /A /R /D Y
  2⤵
  PID:4120
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" C:\Windows\System32\altspace.dll /grant /T /C
  2⤵
  PID:1308
- C:\Windows\system32\takeown.exe
  "C:\Windows\system32\takeown.exe" /F C:\Windows\System32\amcompat.tlb /A /R /D Y
  2⤵
  PID:6080
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" C:\Windows\System32\amcompat.tlb /grant /T /C
  2⤵
  PID:5328
- C:\Windows\system32\takeown.exe
  "C:\Windows\system32\takeown.exe" /F C:\Windows\System32\amsi.dll /A /R /D Y
  2⤵
  PID:1660
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" C:\Windows\System32\amsi.dll /grant /T /C
  2⤵
  PID:1384
- C:\Windows\system32\takeown.exe
  "C:\Windows\system32\takeown.exe" /F C:\Windows\System32\amsiproxy.dll /A /R /D Y
  2⤵
  PID:5320
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" C:\Windows\System32\amsiproxy.dll /grant /T /C
  2⤵
  PID:1732
- C:\Windows\system32\takeown.exe
  "C:\Windows\system32\takeown.exe" /F C:\Windows\System32\amstream.dll /A /R /D Y
  2⤵
  PID:3412
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" C:\Windows\System32\amstream.dll /grant /T /C
  2⤵
  PID:4924
- C:\Windows\system32\takeown.exe
  "C:\Windows\system32\takeown.exe" /F C:\Windows\System32\Analog.Shell.Broker.dll /A /R /D Y
  2⤵
  PID:1092
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" C:\Windows\System32\Analog.Shell.Broker.dll /grant /T /C
  2⤵
  PID:1168
- C:\Windows\system32\takeown.exe
  "C:\Windows\system32\takeown.exe" /F C:\Windows\System32\AnalogCommonProxyStub.dll /A /R /D Y
  2⤵
  PID:2904
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" C:\Windows\System32\AnalogCommonProxyStub.dll /grant /T /C
  2⤵
  - Modifies file permissions
  PID:5436
- C:\Windows\system32\takeown.exe
  "C:\Windows\system32\takeown.exe" /F C:\Windows\System32\apds.dll /A /R /D Y
  2⤵
  PID:5780
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" C:\Windows\System32\apds.dll /grant /T /C
  2⤵
  PID:5280
- C:\Windows\system32\takeown.exe
  "C:\Windows\system32\takeown.exe" /F C:\Windows\System32\APHostClient.dll /A /R /D Y
  2⤵
  PID:5824
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" C:\Windows\System32\APHostClient.dll /grant /T /C
  2⤵
  PID:4308
- C:\Windows\system32\takeown.exe
  "C:\Windows\system32\takeown.exe" /F C:\Windows\System32\APHostRes.dll /A /R /D Y
  2⤵
  PID:3044
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" C:\Windows\System32\APHostRes.dll /grant /T /C
  2⤵
  PID:4976
- C:\Windows\system32\takeown.exe
  "C:\Windows\system32\takeown.exe" /F C:\Windows\System32\APHostService.dll /A /R /D Y
  2⤵
  PID:776
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" C:\Windows\System32\APHostService.dll /grant /T /C
  2⤵
  PID:2076
- C:\Windows\system32\takeown.exe
  "C:\Windows\system32\takeown.exe" /F C:\Windows\System32\apisampling.dll /A /R /D Y
  2⤵
  PID:3548
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" C:\Windows\System32\apisampling.dll /grant /T /C
  2⤵
  PID:3416
- C:\Windows\system32\takeown.exe
  "C:\Windows\system32\takeown.exe" /F C:\Windows\System32\ApiSetHost.AppExecutionAlias.dll /A /R /D Y
  2⤵
  PID:3100
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" C:\Windows\System32\ApiSetHost.AppExecutionAlias.dll /grant /T /C
  2⤵
  PID:920
- C:\Windows\system32\takeown.exe
  "C:\Windows\system32\takeown.exe" /F C:\Windows\System32\apisetschema.dll /A /R /D Y
  2⤵
  PID:2940
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" C:\Windows\System32\apisetschema.dll /grant /T /C
  2⤵
  PID:4948
- C:\Windows\system32\takeown.exe
  "C:\Windows\system32\takeown.exe" /F C:\Windows\System32\APMon.dll /A /R /D Y
  2⤵
  PID:1364
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" C:\Windows\System32\APMon.dll /grant /T /C
  2⤵
  PID:1524
- C:\Windows\system32\takeown.exe
  "C:\Windows\system32\takeown.exe" /F C:\Windows\System32\APMonUI.dll /A /R /D Y
  2⤵
  PID:3884
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" C:\Windows\System32\APMonUI.dll /grant /T /C
  2⤵
  PID:3780
- C:\Windows\system32\takeown.exe
  "C:\Windows\system32\takeown.exe" /F C:\Windows\System32\AppContracts.dll /A /R /D Y
  2⤵
  PID:4932
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" C:\Windows\System32\AppContracts.dll /grant /T /C
  2⤵
  PID:1356
- C:\Windows\system32\takeown.exe
  "C:\Windows\system32\takeown.exe" /F C:\Windows\System32\AppExtension.dll /A /R /D Y
  2⤵
  PID:3712
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" C:\Windows\System32\AppExtension.dll /grant /T /C
  2⤵
  PID:1556
- C:\Windows\system32\takeown.exe
  "C:\Windows\system32\takeown.exe" /F C:\Windows\System32\apphelp.dll /A /R /D Y
  2⤵
  PID:5304
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" C:\Windows\System32\apphelp.dll /grant /T /C
  2⤵
  PID:6100
- C:\Windows\system32\takeown.exe
  "C:\Windows\system32\takeown.exe" /F C:\Windows\System32\Apphlpdm.dll /A /R /D Y
  2⤵
  PID:4772
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" C:\Windows\System32\Apphlpdm.dll /grant /T /C
  2⤵
  PID:5160
- C:\Windows\system32\takeown.exe
  "C:\Windows\system32\takeown.exe" /F C:\Windows\System32\AppHostRegistrationVerifier.exe /A /R /D Y
  2⤵
  PID:3952
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" C:\Windows\System32\AppHostRegistrationVerifier.exe /grant /T /C
  2⤵
  PID:3680
- C:\Windows\system32\takeown.exe
  "C:\Windows\system32\takeown.exe" /F C:\Windows\System32\appidapi.dll /A /R /D Y
  2⤵
  PID:5176
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" C:\Windows\System32\appidapi.dll /grant /T /C
  2⤵
  PID:5760
- C:\Windows\system32\takeown.exe
  "C:\Windows\system32\takeown.exe" /F C:\Windows\System32\appidcertstorecheck.exe /A /R /D Y
  2⤵
  PID:1388
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" C:\Windows\System32\appidcertstorecheck.exe /grant /T /C
  2⤵
  PID:1492
- C:\Windows\system32\takeown.exe
  "C:\Windows\system32\takeown.exe" /F C:\Windows\System32\appidpolicyconverter.exe /A /R /D Y
  2⤵
  PID:5652
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" C:\Windows\System32\appidpolicyconverter.exe /grant /T /C
  2⤵
  PID:5816
- C:\Windows\system32\takeown.exe
  "C:\Windows\system32\takeown.exe" /F C:\Windows\System32\AppIdPolicyEngineApi.dll /A /R /D Y
  2⤵
  PID:6016
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" C:\Windows\System32\AppIdPolicyEngineApi.dll /grant /T /C
  2⤵
  PID:5924
- C:\Windows\system32\takeown.exe
  "C:\Windows\system32\takeown.exe" /F C:\Windows\System32\appidsvc.dll /A /R /D Y
  2⤵
  PID:1672
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" C:\Windows\System32\appidsvc.dll /grant /T /C
  2⤵
  PID:3664
- C:\Windows\system32\takeown.exe
  "C:\Windows\system32\takeown.exe" /F C:\Windows\System32\appidtel.exe /A /R /D Y
  2⤵
  PID:5468
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" C:\Windows\System32\appidtel.exe /grant /T /C
  2⤵
  PID:5136
- C:\Windows\system32\takeown.exe
  "C:\Windows\system32\takeown.exe" /F C:\Windows\System32\appinfo.dll /A /R /D Y
  2⤵
  PID:4640
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" C:\Windows\System32\appinfo.dll /grant /T /C
  2⤵
  PID:3604
- C:\Windows\system32\takeown.exe
  "C:\Windows\system32\takeown.exe" /F C:\Windows\System32\appinfoext.dll /A /R /D Y
  2⤵
  PID:2136
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" C:\Windows\System32\appinfoext.dll /grant /T /C
  2⤵
  PID:580
- C:\Windows\system32\takeown.exe
  "C:\Windows\system32\takeown.exe" /F C:\Windows\System32\AppInstallerPrompt.Desktop.dll /A /R /D Y
  2⤵
  PID:2012
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" C:\Windows\System32\AppInstallerPrompt.Desktop.dll /grant /T /C
  2⤵
  PID:3440
- C:\Windows\system32\takeown.exe
  "C:\Windows\system32\takeown.exe" /F C:\Windows\System32\ApplicationControlCSP.dll /A /R /D Y
  2⤵
  PID:5868
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" C:\Windows\System32\ApplicationControlCSP.dll /grant /T /C
  2⤵
  PID:5220
- C:\Windows\system32\takeown.exe
  "C:\Windows\system32\takeown.exe" /F C:\Windows\System32\ApplicationFrame.dll /A /R /D Y
  2⤵
  PID:4476
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" C:\Windows\System32\ApplicationFrame.dll /grant /T /C
  2⤵
  PID:820
- C:\Windows\system32\takeown.exe
  "C:\Windows\system32\takeown.exe" /F C:\Windows\System32\ApplicationFrameHost.exe /A /R /D Y
  2⤵
  PID:2668
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" C:\Windows\System32\ApplicationFrameHost.exe /grant /T /C
  2⤵
  PID:4456
- C:\Windows\system32\takeown.exe
  "C:\Windows\system32\takeown.exe" /F C:\Windows\System32\AppListBackupLauncher.dll /A /R /D Y
  2⤵
  PID:1044
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" C:\Windows\System32\AppListBackupLauncher.dll /grant /T /C
  2⤵
  PID:3480
- C:\Windows\system32\takeown.exe
  "C:\Windows\system32\takeown.exe" /F C:\Windows\System32\AppLockerCSP.dll /A /R /D Y
  2⤵
  PID:4296
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" C:\Windows\System32\AppLockerCSP.dll /grant /T /C
  2⤵
  PID:4144
- C:\Windows\system32\takeown.exe
  "C:\Windows\system32\takeown.exe" /F C:\Windows\System32\ApplySettingsTemplateCatalog.exe /A /R /D Y
  2⤵
  PID:5876
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" C:\Windows\System32\ApplySettingsTemplateCatalog.exe /grant /T /C
  2⤵
  PID:2692
- C:\Windows\system32\takeown.exe
  "C:\Windows\system32\takeown.exe" /F C:\Windows\System32\ApplyTrustOffline.exe /A /R /D Y
  2⤵
  PID:900
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" C:\Windows\System32\ApplyTrustOffline.exe /grant /T /C
  2⤵
  PID:3432
- C:\Windows\system32\takeown.exe
  "C:\Windows\system32\takeown.exe" /F C:\Windows\System32\AppManagementConfiguration.dll /A /R /D Y
  2⤵
  PID:5648
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" C:\Windows\System32\AppManagementConfiguration.dll /grant /T /C
  2⤵
  PID:4940
- C:\Windows\system32\takeown.exe
  "C:\Windows\system32\takeown.exe" /F C:\Windows\System32\appmgmts.dll /A /R /D Y
  2⤵
  PID:3540
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" C:\Windows\System32\appmgmts.dll /grant /T /C
  2⤵
  PID:5448
- C:\Windows\system32\takeown.exe
  "C:\Windows\system32\takeown.exe" /F C:\Windows\System32\appmgr.dll /A /R /D Y
  2⤵
  PID:3216
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" C:\Windows\System32\appmgr.dll /grant /T /C
  2⤵
  PID:3340
- C:\Windows\system32\takeown.exe
  "C:\Windows\system32\takeown.exe" /F C:\Windows\System32\AppMon.dll /A /R /D Y
  2⤵
  PID:5072
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" C:\Windows\System32\AppMon.dll /grant /T /C
  2⤵
  PID:3968
- C:\Windows\system32\takeown.exe
  "C:\Windows\system32\takeown.exe" /F C:\Windows\System32\AppointmentActivation.dll /A /R /D Y
  2⤵
  PID:4632
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" C:\Windows\System32\AppointmentActivation.dll /grant /T /C
  2⤵
  PID:5228
- C:\Windows\system32\takeown.exe
  "C:\Windows\system32\takeown.exe" /F C:\Windows\System32\AppointmentApis.dll /A /R /D Y
  2⤵
  PID:5768
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" C:\Windows\System32\AppointmentApis.dll /grant /T /C
  2⤵
  PID:2240
- C:\Windows\system32\takeown.exe
  "C:\Windows\system32\takeown.exe" /F C:\Windows\System32\appraiser.dll /A /R /D Y
  2⤵
  PID:2340
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" C:\Windows\System32\appraiser.dll /grant /T /C
  2⤵
  PID:2212
- C:\Windows\system32\takeown.exe
  "C:\Windows\system32\takeown.exe" /F C:\Windows\System32\AppReadiness.dll /A /R /D Y
  2⤵
  PID:2260
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" C:\Windows\System32\AppReadiness.dll /grant /T /C
  2⤵
  PID:420
- C:\Windows\system32\takeown.exe
  "C:\Windows\system32\takeown.exe" /F C:\Windows\System32\apprepapi.dll /A /R /D Y
  2⤵
  PID:4544
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" C:\Windows\System32\apprepapi.dll /grant /T /C
  2⤵
  PID:4648
- C:\Windows\system32\takeown.exe
  "C:\Windows\system32\takeown.exe" /F C:\Windows\System32\AppResolver.dll /A /R /D Y
  2⤵
  PID:684
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" C:\Windows\System32\AppResolver.dll /grant /T /C
  2⤵
  PID:556
- C:\Windows\system32\takeown.exe
  "C:\Windows\system32\takeown.exe" /F C:\Windows\System32\ApproveChildRequest.exe /A /R /D Y
  2⤵
  PID:5708
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" C:\Windows\System32\ApproveChildRequest.exe /grant /T /C
  2⤵
  PID:2372
- C:\Windows\system32\takeown.exe
  "C:\Windows\system32\takeown.exe" /F C:\Windows\System32\appsruprov.dll /A /R /D Y
  2⤵
  PID:5864
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" C:\Windows\System32\appsruprov.dll /grant /T /C
  2⤵
  PID:724
- C:\Windows\system32\takeown.exe
  "C:\Windows\system32\takeown.exe" /F C:\Windows\System32\AppVCatalog.dll /A /R /D Y
  2⤵
  PID:4608
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" C:\Windows\System32\AppVCatalog.dll /grant /T /C
  2⤵
  - Modifies file permissions
  PID:5880
- C:\Windows\system32\takeown.exe
  "C:\Windows\system32\takeown.exe" /F C:\Windows\System32\AppVClient.exe /A /R /D Y
  2⤵
  PID:4024
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" C:\Windows\System32\AppVClient.exe /grant /T /C
  2⤵
  PID:2728
- C:\Windows\system32\takeown.exe
  "C:\Windows\system32\takeown.exe" /F C:\Windows\System32\AppvClientEventLog.dll /A /R /D Y
  2⤵
  PID:2672
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" C:\Windows\System32\AppvClientEventLog.dll /grant /T /C
  2⤵
  PID:236
- C:\Windows\system32\takeown.exe
  "C:\Windows\system32\takeown.exe" /F C:\Windows\System32\AppVClientPS.dll /A /R /D Y
  2⤵
  PID:1432
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" C:\Windows\System32\AppVClientPS.dll /grant /T /C
  2⤵
  PID:4696
- C:\Windows\system32\takeown.exe
  "C:\Windows\system32\takeown.exe" /F C:\Windows\System32\AppVDllSurrogate.exe /A /R /D Y
  2⤵
  PID:5008
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" C:\Windows\System32\AppVDllSurrogate.exe /grant /T /C
  2⤵
  PID:3852
- C:\Windows\system32\takeown.exe
  "C:\Windows\system32\takeown.exe" /F C:\Windows\System32\AppVEntStreamingManager.dll /A /R /D Y
  2⤵
  PID:5132
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" C:\Windows\System32\AppVEntStreamingManager.dll /grant /T /C
  2⤵
  PID:1196
- C:\Windows\system32\takeown.exe
  "C:\Windows\system32\takeown.exe" /F C:\Windows\System32\AppVEntSubsystemController.dll /A /R /D Y
  2⤵
  PID:1460
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" C:\Windows\System32\AppVEntSubsystemController.dll /grant /T /C
  2⤵
  PID:3004
- C:\Windows\system32\takeown.exe
  "C:\Windows\system32\takeown.exe" /F C:\Windows\System32\AppVEntSubsystems64.dll /A /R /D Y
  2⤵
  PID:240
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" C:\Windows\System32\AppVEntSubsystems64.dll /grant /T /C
  2⤵
  PID:1068
- C:\Windows\system32\takeown.exe
  "C:\Windows\system32\takeown.exe" /F C:\Windows\System32\AppVEntVirtualization.dll /A /R /D Y
  2⤵
  PID:4808
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" C:\Windows\System32\AppVEntVirtualization.dll /grant /T /C
  2⤵
  PID:5472
- C:\Windows\system32\takeown.exe
  "C:\Windows\system32\takeown.exe" /F C:\Windows\System32\appvetwclientres.dll /A /R /D Y
  2⤵
  PID:5440
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" C:\Windows\System32\appvetwclientres.dll /grant /T /C
  2⤵
  PID:4844
- C:\Windows\system32\takeown.exe
  "C:\Windows\system32\takeown.exe" /F C:\Windows\System32\appvetwsharedperformance.dll /A /R /D Y
  2⤵
  PID:5184
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" C:\Windows\System32\appvetwsharedperformance.dll /grant /T /C
  2⤵
  PID:1200
- C:\Windows\system32\takeown.exe
  "C:\Windows\system32\takeown.exe" /F C:\Windows\System32\appvetwstreamingux.dll /A /R /D Y
  2⤵
  PID:72
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" C:\Windows\System32\appvetwstreamingux.dll /grant /T /C
  2⤵
  PID:2684
- C:\Windows\system32\takeown.exe
  "C:\Windows\system32\takeown.exe" /F C:\Windows\System32\AppVFileSystemMetadata.dll /A /R /D Y
  2⤵
  PID:2224
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" C:\Windows\System32\AppVFileSystemMetadata.dll /grant /T /C
  2⤵
  PID:5308
- C:\Windows\system32\takeown.exe
  "C:\Windows\system32\takeown.exe" /F C:\Windows\System32\AppVIntegration.dll /A /R /D Y
  2⤵
  PID:5164
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" C:\Windows\System32\AppVIntegration.dll /grant /T /C
  2⤵
  PID:3244
- C:\Windows\system32\takeown.exe
  "C:\Windows\system32\takeown.exe" /F C:\Windows\System32\AppVManifest.dll /A /R /D Y
  2⤵
  PID:5148
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" C:\Windows\System32\AppVManifest.dll /grant /T /C
  2⤵
  PID:5200
- C:\Windows\system32\takeown.exe
  "C:\Windows\system32\takeown.exe" /F C:\Windows\System32\AppVNice.exe /A /R /D Y
  2⤵
  PID:3676
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" C:\Windows\System32\AppVNice.exe /grant /T /C
  2⤵
  PID:5128
- C:\Windows\system32\takeown.exe
  "C:\Windows\system32\takeown.exe" /F C:\Windows\System32\AppVOrchestration.dll /A /R /D Y
  2⤵
  PID:5188
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" C:\Windows\System32\AppVOrchestration.dll /grant /T /C
  2⤵
  PID:2416
- C:\Windows\system32\takeown.exe
  "C:\Windows\system32\takeown.exe" /F C:\Windows\System32\AppVPolicy.dll /A /R /D Y
  2⤵
  PID:1488
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" C:\Windows\System32\AppVPolicy.dll /grant /T /C
  2⤵
  PID:4560
- C:\Windows\system32\takeown.exe
  "C:\Windows\system32\takeown.exe" /F C:\Windows\System32\AppVPublishing.dll /A /R /D Y
  2⤵
  PID:6068
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" C:\Windows\System32\AppVPublishing.dll /grant /T /C
  2⤵
  PID:4880
- C:\Windows\system32\takeown.exe
  "C:\Windows\system32\takeown.exe" /F C:\Windows\System32\AppVReporting.dll /A /R /D Y
  2⤵
  PID:3976
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" C:\Windows\System32\AppVReporting.dll /grant /T /C
  2⤵
  PID:3324
- C:\Windows\system32\takeown.exe
  "C:\Windows\system32\takeown.exe" /F C:\Windows\System32\AppVScripting.dll /A /R /D Y
  2⤵
  PID:4704
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" C:\Windows\System32\AppVScripting.dll /grant /T /C
  2⤵
  PID:2368
- C:\Windows\system32\takeown.exe
  "C:\Windows\system32\takeown.exe" /F C:\Windows\System32\AppVSentinel.dll /A /R /D Y
  2⤵
  PID:2768
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" C:\Windows\System32\AppVSentinel.dll /grant /T /C
  2⤵
  PID:5180
- C:\Windows\system32\takeown.exe
  "C:\Windows\system32\takeown.exe" /F C:\Windows\System32\AppVShNotify.exe /A /R /D Y
  2⤵
  PID:2096
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" C:\Windows\System32\AppVShNotify.exe /grant /T /C
  2⤵
  PID:2804
- C:\Windows\system32\takeown.exe
  "C:\Windows\system32\takeown.exe" /F C:\Windows\System32\AppVStreamingUX.dll /A /R /D Y
  2⤵
  PID:3768
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" C:\Windows\System32\AppVStreamingUX.dll /grant /T /C
  2⤵
  PID:2172
- C:\Windows\system32\takeown.exe
  "C:\Windows\system32\takeown.exe" /F C:\Windows\System32\AppVStreamMap.dll /A /R /D Y
  2⤵
  PID:5792
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" C:\Windows\System32\AppVStreamMap.dll /grant /T /C
  2⤵
  PID:4952
- C:\Windows\system32\takeown.exe
  "C:\Windows\system32\takeown.exe" /F C:\Windows\System32\AppVTerminator.dll /A /R /D Y
  2⤵
  - Possible privilege escalation attempt
  PID:5124
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" C:\Windows\System32\AppVTerminator.dll /grant /T /C
  2⤵
  PID:5728
- C:\Windows\system32\takeown.exe
  "C:\Windows\system32\takeown.exe" /F C:\Windows\System32\appwiz.cpl /A /R /D Y
  2⤵
  PID:4432
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" C:\Windows\System32\appwiz.cpl /grant /T /C
  2⤵
  PID:3688
- C:\Windows\system32\takeown.exe
  "C:\Windows\system32\takeown.exe" /F C:\Windows\System32\AppxAllUserStore.dll /A /R /D Y
  2⤵
  PID:1520
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" C:\Windows\System32\AppxAllUserStore.dll /grant /T /C
  2⤵
  PID:5288
- C:\Windows\system32\takeown.exe
  "C:\Windows\system32\takeown.exe" /F C:\Windows\System32\AppXApplicabilityBlob.dll /A /R /D Y
  2⤵
  PID:3364
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" C:\Windows\System32\AppXApplicabilityBlob.dll /grant /T /C
  2⤵
  PID:4076
- C:\Windows\system32\takeown.exe
  "C:\Windows\system32\takeown.exe" /F C:\Windows\System32\AppxApplicabilityEngine.dll /A /R /D Y
  2⤵
  PID:5396
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" C:\Windows\System32\AppxApplicabilityEngine.dll /grant /T /C
  2⤵
  PID:3924
- C:\Windows\system32\takeown.exe
  "C:\Windows\system32\takeown.exe" /F C:\Windows\System32\AppXDeploymentClient.dll /A /R /D Y
  2⤵
  PID:6020
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" C:\Windows\System32\AppXDeploymentClient.dll /grant /T /C
  2⤵
  PID:5640
- C:\Windows\system32\takeown.exe
  "C:\Windows\system32\takeown.exe" /F C:\Windows\System32\AppXDeploymentExtensions.desktop.dll /A /R /D Y
  2⤵
  PID:4300
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" C:\Windows\System32\AppXDeploymentExtensions.desktop.dll /grant /T /C
  2⤵
  PID:4956
- C:\Windows\system32\takeown.exe
  "C:\Windows\system32\takeown.exe" /F C:\Windows\System32\AppXDeploymentExtensions.onecore.dll /A /R /D Y
  2⤵
  PID:2700
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" C:\Windows\System32\AppXDeploymentExtensions.onecore.dll /grant /T /C
  2⤵
  PID:1756
- C:\Windows\system32\takeown.exe
  "C:\Windows\system32\takeown.exe" /F C:\Windows\System32\AppXDeploymentServer.dll /A /R /D Y
  2⤵
  PID:1076
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" C:\Windows\System32\AppXDeploymentServer.dll /grant /T /C
  2⤵
  PID:5568
- C:\Windows\system32\takeown.exe
  "C:\Windows\system32\takeown.exe" /F C:\Windows\System32\AppxPackaging.dll /A /R /D Y
  2⤵
  PID:3116
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" C:\Windows\System32\AppxPackaging.dll /grant /T /C
  2⤵
  PID:3956
- C:\Windows\system32\takeown.exe
  "C:\Windows\system32\takeown.exe" /F C:\Windows\System32\AppxProvisioning.xml /A /R /D Y
  2⤵
  PID:5804
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" C:\Windows\System32\AppxProvisioning.xml /grant /T /C
  2⤵
  PID:5900
- C:\Windows\system32\takeown.exe
  "C:\Windows\system32\takeown.exe" /F C:\Windows\System32\AppxSip.dll /A /R /D Y
  2⤵
  PID:1144
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" C:\Windows\System32\AppxSip.dll /grant /T /C
  2⤵
  PID:748
- C:\Windows\system32\takeown.exe
  "C:\Windows\system32\takeown.exe" /F C:\Windows\System32\AppxStreamingDataSourcePS.dll /A /R /D Y
  2⤵
  PID:1472
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" C:\Windows\System32\AppxStreamingDataSourcePS.dll /grant /T /C
  2⤵
  PID:4244
- C:\Windows\system32\takeown.exe
  "C:\Windows\system32\takeown.exe" /F C:\Windows\System32\AppxSysprep.dll /A /R /D Y
  2⤵
  PID:5392
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" C:\Windows\System32\AppxSysprep.dll /grant /T /C
  2⤵
  PID:3112
- C:\Windows\system32\takeown.exe
  "C:\Windows\system32\takeown.exe" /F C:\Windows\System32\archiveint.dll /A /R /D Y
  2⤵
  PID:3840
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" C:\Windows\System32\archiveint.dll /grant /T /C
  2⤵
  PID:3984
- C:\Windows\system32\takeown.exe
  "C:\Windows\system32\takeown.exe" /F C:\Windows\System32\ARP.EXE /A /R /D Y
  2⤵
  PID:4360
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" C:\Windows\System32\ARP.EXE /grant /T /C
  2⤵
  PID:464
- C:\Windows\system32\takeown.exe
  "C:\Windows\system32\takeown.exe" /F C:\Windows\System32\asferror.dll /A /R /D Y
  2⤵
  PID:1508
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" C:\Windows\System32\asferror.dll /grant /T /C
  2⤵
  PID:2088
- C:\Windows\system32\takeown.exe
  "C:\Windows\system32\takeown.exe" /F C:\Windows\System32\aspnet_counters.dll /A /R /D Y
  2⤵
  PID:5100
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" C:\Windows\System32\aspnet_counters.dll /grant /T /C
  2⤵
  PID:5596
- C:\Windows\system32\takeown.exe
  "C:\Windows\system32\takeown.exe" /F C:\Windows\System32\AssignedAccessCsp.dll /A /R /D Y
  2⤵
  PID:4896
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" C:\Windows\System32\AssignedAccessCsp.dll /grant /T /C
  2⤵
  PID:3640
- C:\Windows\system32\takeown.exe
  "C:\Windows\system32\takeown.exe" /F C:\Windows\System32\AssignedAccessGuard.exe /A /R /D Y
  2⤵
  PID:3084
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" C:\Windows\System32\AssignedAccessGuard.exe /grant /T /C
  2⤵
  PID:2932
- C:\Windows\system32\takeown.exe
  "C:\Windows\system32\takeown.exe" /F C:\Windows\System32\AssignedAccessManager.dll /A /R /D Y
  2⤵
  PID:4120
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" C:\Windows\System32\AssignedAccessManager.dll /grant /T /C
  2⤵
  PID:4008
- C:\Windows\system32\takeown.exe
  "C:\Windows\system32\takeown.exe" /F C:\Windows\System32\assignedaccessmanagersvc.dll /A /R /D Y
  2⤵
  PID:4464
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" C:\Windows\System32\assignedaccessmanagersvc.dll /grant /T /C
  2⤵
  PID:4872
- C:\Windows\system32\takeown.exe
  "C:\Windows\system32\takeown.exe" /F C:\Windows\System32\assignedaccessproviderevents.dll /A /R /D Y
  2⤵
  PID:5700
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" C:\Windows\System32\assignedaccessproviderevents.dll /grant /T /C
  2⤵
  PID:460
- C:\Windows\system32\takeown.exe
  "C:\Windows\system32\takeown.exe" /F C:\Windows\System32\AssignedAccessRuntime.dll /A /R /D Y
  2⤵
  PID:1972
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" C:\Windows\System32\AssignedAccessRuntime.dll /grant /T /C
  2⤵
  PID:1840
- C:\Windows\system32\takeown.exe
  "C:\Windows\system32\takeown.exe" /F C:\Windows\System32\AssignedAccessShellProxy.dll /A /R /D Y
  2⤵
  PID:6080
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" C:\Windows\System32\AssignedAccessShellProxy.dll /grant /T /C
  2⤵
  PID:2996
- C:\Windows\system32\takeown.exe
  "C:\Windows\system32\takeown.exe" /F C:\Windows\System32\asycfilt.dll /A /R /D Y
  2⤵
  PID:1092
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" C:\Windows\System32\asycfilt.dll /grant /T /C
  2⤵
  PID:2772
- C:\Windows\system32\takeown.exe
  "C:\Windows\system32\takeown.exe" /F C:\Windows\System32\at.exe /A /R /D Y
  2⤵
  PID:2904
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" C:\Windows\System32\at.exe /grant /T /C
  2⤵
  PID:3136
- C:\Windows\system32\takeown.exe
  "C:\Windows\system32\takeown.exe" /F C:\Windows\System32\AtBroker.exe /A /R /D Y
  2⤵
  PID:2660
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" C:\Windows\System32\AtBroker.exe /grant /T /C
  2⤵
  PID:5752
- C:\Windows\system32\takeown.exe
  "C:\Windows\system32\takeown.exe" /F C:\Windows\System32\atl.dll /A /R /D Y
  2⤵
  PID:3008
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" C:\Windows\System32\atl.dll /grant /T /C
  2⤵
  PID:4468
- C:\Windows\system32\takeown.exe
  "C:\Windows\system32\takeown.exe" /F C:\Windows\System32\atl100.dll /A /R /D Y
  2⤵
  PID:2824
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" C:\Windows\System32\atl100.dll /grant /T /C
  2⤵
  PID:3828
- C:\Windows\system32\takeown.exe
  "C:\Windows\system32\takeown.exe" /F C:\Windows\System32\atl110.dll /A /R /D Y
  2⤵
  PID:3332
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" C:\Windows\System32\atl110.dll /grant /T /C
  2⤵
  PID:696
- C:\Windows\system32\takeown.exe
  "C:\Windows\system32\takeown.exe" /F C:\Windows\System32\atlthunk.dll /A /R /D Y
  2⤵
  PID:5780
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" C:\Windows\System32\atlthunk.dll /grant /T /C
  2⤵
  PID:3100
- C:\Windows\system32\takeown.exe
  "C:\Windows\system32\takeown.exe" /F C:\Windows\System32\atmlib.dll /A /R /D Y
  2⤵
  PID:920
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" C:\Windows\System32\atmlib.dll /grant /T /C
  2⤵
  PID:1560
- C:\Windows\system32\takeown.exe
  "C:\Windows\system32\takeown.exe" /F C:\Windows\System32\attrib.exe /A /R /D Y
  2⤵
  PID:2980
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" C:\Windows\System32\attrib.exe /grant /T /C
  2⤵
  PID:2940
- C:\Windows\system32\takeown.exe
  "C:\Windows\system32\takeown.exe" /F C:\Windows\System32\audiodg.exe /A /R /D Y
  2⤵
  PID:4600
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" C:\Windows\System32\audiodg.exe /grant /T /C
  2⤵
  PID:1524
- C:\Windows\system32\takeown.exe
  "C:\Windows\system32\takeown.exe" /F C:\Windows\System32\AudioEndpointBuilder.dll /A /R /D Y
  2⤵
  PID:3884
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" C:\Windows\System32\AudioEndpointBuilder.dll /grant /T /C
  2⤵
  PID:3780
- C:\Windows\system32\takeown.exe
  "C:\Windows\system32\takeown.exe" /F C:\Windows\System32\AudioEng.dll /A /R /D Y
  2⤵
  PID:4932
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" C:\Windows\System32\AudioEng.dll /grant /T /C
  2⤵
  PID:1356
- C:\Windows\system32\takeown.exe
  "C:\Windows\system32\takeown.exe" /F C:\Windows\System32\AudioHandlers.dll /A /R /D Y
  2⤵
  PID:3712
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" C:\Windows\System32\AudioHandlers.dll /grant /T /C
  2⤵
  PID:1556
- C:\Windows\system32\takeown.exe
  "C:\Windows\system32\takeown.exe" /F C:\Windows\System32\AUDIOKSE.dll /A /R /D Y
  2⤵
  PID:5304
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" C:\Windows\System32\AUDIOKSE.dll /grant /T /C
  2⤵
  PID:6100
- C:\Windows\system32\takeown.exe
  "C:\Windows\system32\takeown.exe" /F C:\Windows\System32\audioresourceregistrar.dll /A /R /D Y
  2⤵
  PID:4928
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" C:\Windows\System32\audioresourceregistrar.dll /grant /T /C
  2⤵
  PID:5160
- C:\Windows\system32\takeown.exe
  "C:\Windows\system32\takeown.exe" /F C:\Windows\System32\AudioSes.dll /A /R /D Y
  2⤵
  PID:6116
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" C:\Windows\System32\AudioSes.dll /grant /T /C
  2⤵
  PID:3680
- C:\Windows\system32\takeown.exe
  "C:\Windows\system32\takeown.exe" /F C:\Windows\System32\audiosrv.dll /A /R /D Y
  2⤵
  PID:5176
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" C:\Windows\System32\audiosrv.dll /grant /T /C
  2⤵
  PID:5760
- C:\Windows\system32\takeown.exe
  "C:\Windows\system32\takeown.exe" /F C:\Windows\System32\AudioSrvPolicyManager.dll /A /R /D Y
  2⤵
  PID:1656
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" C:\Windows\System32\AudioSrvPolicyManager.dll /grant /T /C
  2⤵
  PID:1492
- C:\Windows\system32\takeown.exe
  "C:\Windows\system32\takeown.exe" /F C:\Windows\System32\auditcse.dll /A /R /D Y
  2⤵
  PID:5652
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" C:\Windows\System32\auditcse.dll /grant /T /C
  2⤵
  PID:5816
- C:\Windows\system32\takeown.exe
  "C:\Windows\system32\takeown.exe" /F C:\Windows\System32\AuditNativeSnapIn.dll /A /R /D Y
  2⤵
  PID:1728
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" C:\Windows\System32\AuditNativeSnapIn.dll /grant /T /C
  2⤵
  PID:5924
- C:\Windows\system32\takeown.exe
  "C:\Windows\system32\takeown.exe" /F C:\Windows\System32\auditpol.exe /A /R /D Y
  2⤵
  PID:1672
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" C:\Windows\System32\auditpol.exe /grant /T /C
  2⤵
  PID:3664
- C:\Windows\system32\takeown.exe
  "C:\Windows\system32\takeown.exe" /F C:\Windows\System32\auditpolcore.dll /A /R /D Y
  2⤵
  PID:5468
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" C:\Windows\System32\auditpolcore.dll /grant /T /C
  2⤵
  PID:5136
- C:\Windows\system32\takeown.exe
  "C:\Windows\system32\takeown.exe" /F C:\Windows\System32\AuditPolicyGPInterop.dll /A /R /D Y
  2⤵
  PID:1360
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" C:\Windows\System32\AuditPolicyGPInterop.dll /grant /T /C
  2⤵
  PID:4612
- C:\Windows\system32\takeown.exe
  "C:\Windows\system32\takeown.exe" /F C:\Windows\System32\auditpolmsg.dll /A /R /D Y
  2⤵
  PID:2412
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" C:\Windows\System32\auditpolmsg.dll /grant /T /C
  2⤵
  PID:6040
- C:\Windows\system32\takeown.exe
  "C:\Windows\system32\takeown.exe" /F C:\Windows\System32\AuthBroker.dll /A /R /D Y
  2⤵
  PID:952
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" C:\Windows\System32\AuthBroker.dll /grant /T /C
  2⤵
  PID:752
- C:\Windows\system32\takeown.exe
  "C:\Windows\system32\takeown.exe" /F C:\Windows\System32\AuthBrokerUI.dll /A /R /D Y
  2⤵
  PID:3368
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" C:\Windows\System32\AuthBrokerUI.dll /grant /T /C
  2⤵
  PID:3636
- C:\Windows\system32\takeown.exe
  "C:\Windows\system32\takeown.exe" /F C:\Windows\System32\authentication.dll /A /R /D Y
  2⤵
  PID:5964
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" C:\Windows\System32\authentication.dll /grant /T /C
  2⤵
  PID:5296
- C:\Windows\system32\takeown.exe
  "C:\Windows\system32\takeown.exe" /F C:\Windows\System32\AuthExt.dll /A /R /D Y
  2⤵
  PID:5104
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" C:\Windows\System32\AuthExt.dll /grant /T /C
  2⤵
  PID:4556
- C:\Windows\system32\takeown.exe
  "C:\Windows\system32\takeown.exe" /F C:\Windows\System32\authfwcfg.dll /A /R /D Y
  2⤵
  PID:5016
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" C:\Windows\System32\authfwcfg.dll /grant /T /C
  2⤵
  PID:4528
- C:\Windows\system32\takeown.exe
  "C:\Windows\system32\takeown.exe" /F C:\Windows\System32\AuthFWGP.dll /A /R /D Y
  2⤵
  PID:3960
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" C:\Windows\System32\AuthFWGP.dll /grant /T /C
  2⤵
  PID:4548
- C:\Windows\system32\takeown.exe
  "C:\Windows\system32\takeown.exe" /F C:\Windows\System32\AuthFWSnapin.dll /A /R /D Y
  2⤵
  PID:3424
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" C:\Windows\System32\AuthFWSnapin.dll /grant /T /C
  2⤵
  PID:3360
- C:\Windows\system32\takeown.exe
  "C:\Windows\system32\takeown.exe" /F C:\Windows\System32\AuthFWWizFwk.dll /A /R /D Y
  2⤵
  PID:2400
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" C:\Windows\System32\AuthFWWizFwk.dll /grant /T /C
  2⤵
  PID:3284
- C:\Windows\system32\takeown.exe
  "C:\Windows\system32\takeown.exe" /F C:\Windows\System32\AuthHost.exe /A /R /D Y
  2⤵
  PID:5740
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" C:\Windows\System32\AuthHost.exe /grant /T /C
  2⤵
  PID:1628
- C:\Windows\system32\takeown.exe
  "C:\Windows\system32\takeown.exe" /F C:\Windows\System32\AuthHostProxy.dll /A /R /D Y
  2⤵
  PID:3928
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" C:\Windows\System32\AuthHostProxy.dll /grant /T /C
  2⤵
  PID:4036
- C:\Windows\system32\takeown.exe
  "C:\Windows\system32\takeown.exe" /F C:\Windows\System32\authui.dll /A /R /D Y
  2⤵
  PID:3700
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" C:\Windows\System32\authui.dll /grant /T /C
  2⤵
  PID:3388
- C:\Windows\system32\takeown.exe
  "C:\Windows\system32\takeown.exe" /F C:\Windows\System32\authz.dll /A /R /D Y
  2⤵
  PID:3904
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" C:\Windows\System32\authz.dll /grant /T /C
  2⤵
  PID:1512
- C:\Windows\system32\takeown.exe
  "C:\Windows\system32\takeown.exe" /F C:\Windows\System32\autochk.exe /A /R /D Y
  2⤵
  PID:2404
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" C:\Windows\System32\autochk.exe /grant /T /C
  2⤵
  PID:5628
- C:\Windows\system32\takeown.exe
  "C:\Windows\system32\takeown.exe" /F C:\Windows\System32\autopilot.dll /A /R /D Y
  2⤵
  PID:4520
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" C:\Windows\System32\autopilot.dll /grant /T /C
  2⤵
  PID:2216
- C:\Windows\system32\takeown.exe
  "C:\Windows\system32\takeown.exe" /F C:\Windows\System32\autopilotdiag.dll /A /R /D Y
  2⤵
  PID:5084
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" C:\Windows\System32\autopilotdiag.dll /grant /T /C
  2⤵
  PID:2168
- C:\Windows\system32\takeown.exe
  "C:\Windows\system32\takeown.exe" /F C:\Windows\System32\autoplay.dll /A /R /D Y
  2⤵
  PID:2352
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" C:\Windows\System32\autoplay.dll /grant /T /C
  2⤵
  PID:2376
- C:\Windows\system32\takeown.exe
  "C:\Windows\system32\takeown.exe" /F C:\Windows\System32\autotimesvc.dll /A /R /D Y
  2⤵
  PID:1936
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" C:\Windows\System32\autotimesvc.dll /grant /T /C
  2⤵
  PID:2384
- C:\Windows\system32\takeown.exe
  "C:\Windows\system32\takeown.exe" /F C:\Windows\System32\AverageRoom.bin /A /R /D Y
  2⤵
  PID:3212
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" C:\Windows\System32\AverageRoom.bin /grant /T /C
  2⤵
  PID:3220
- C:\Windows\system32\takeown.exe
  "C:\Windows\system32\takeown.exe" /F C:\Windows\System32\avicap32.dll /A /R /D Y
  2⤵
  PID:2100
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" C:\Windows\System32\avicap32.dll /grant /T /C
  2⤵
  PID:1088
- C:\Windows\system32\takeown.exe
  "C:\Windows\system32\takeown.exe" /F C:\Windows\System32\avifil32.dll /A /R /D Y
  2⤵
  PID:1084
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" C:\Windows\System32\avifil32.dll /grant /T /C
  2⤵
  PID:3764
- C:\Windows\system32\takeown.exe
  "C:\Windows\system32\takeown.exe" /F C:\Windows\System32\avrt.dll /A /R /D Y
  2⤵
  PID:5272
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" C:\Windows\System32\avrt.dll /grant /T /C
  2⤵
  PID:3264
- C:\Windows\system32\takeown.exe
  "C:\Windows\system32\takeown.exe" /F C:\Windows\System32\AxInstSv.dll /A /R /D Y
  2⤵
  PID:1980
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" C:\Windows\System32\AxInstSv.dll /grant /T /C
  2⤵
  PID:5916
- C:\Windows\system32\takeown.exe
  "C:\Windows\system32\takeown.exe" /F C:\Windows\System32\AxInstUI.exe /A /R /D Y
  2⤵
  PID:1632
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" C:\Windows\System32\AxInstUI.exe /grant /T /C
  2⤵
  PID:572
- C:\Windows\system32\takeown.exe
  "C:\Windows\system32\takeown.exe" /F C:\Windows\System32\azman.msc /A /R /D Y
  2⤵
  PID:2900
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" C:\Windows\System32\azman.msc /grant /T /C
  2⤵
  PID:1832
- C:\Windows\system32\takeown.exe
  "C:\Windows\system32\takeown.exe" /F C:\Windows\System32\azroles.dll /A /R /D Y
  2⤵
  PID:3500
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" C:\Windows\System32\azroles.dll /grant /T /C
  2⤵
  PID:2756
- C:\Windows\system32\takeown.exe
  "C:\Windows\system32\takeown.exe" /F C:\Windows\System32\azroleui.dll /A /R /D Y
  2⤵
  PID:4276
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" C:\Windows\System32\azroleui.dll /grant /T /C
  2⤵
  PID:5048
- C:\Windows\system32\takeown.exe
  "C:\Windows\system32\takeown.exe" /F C:\Windows\System32\AzSqlExt.dll /A /R /D Y
  2⤵
  PID:2032
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" C:\Windows\System32\AzSqlExt.dll /grant /T /C
  2⤵
  PID:5616
- C:\Windows\system32\takeown.exe
  "C:\Windows\system32\takeown.exe" /F C:\Windows\System32\AzureAttest.dll /A /R /D Y
  2⤵
  PID:4780
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" C:\Windows\System32\AzureAttest.dll /grant /T /C
  2⤵
  PID:2896
- C:\Windows\system32\takeown.exe
  "C:\Windows\system32\takeown.exe" /F C:\Windows\System32\AzureAttestManager.dll /A /R /D Y
  2⤵
  PID:360
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" C:\Windows\System32\AzureAttestManager.dll /grant /T /C
  2⤵
  PID:3292
- C:\Windows\system32\takeown.exe
  "C:\Windows\system32\takeown.exe" /F C:\Windows\System32\AzureAttestNormal.dll /A /R /D Y
  2⤵
  PID:1544
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" C:\Windows\System32\AzureAttestNormal.dll /grant /T /C
  2⤵
  PID:3656
- C:\Windows\system32\takeown.exe
  "C:\Windows\system32\takeown.exe" /F C:\Windows\System32\baaupdate.exe /A /R /D Y
  2⤵
  PID:5456
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" C:\Windows\System32\baaupdate.exe /grant /T /C
  2⤵
  PID:3308
- C:\Windows\system32\takeown.exe
  "C:\Windows\system32\takeown.exe" /F C:\Windows\System32\BackgroundMediaPolicy.dll /A /R /D Y
  2⤵
  PID:2392
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" C:\Windows\System32\BackgroundMediaPolicy.dll /grant /T /C
  2⤵
  PID:2868
- C:\Windows\system32\takeown.exe
  "C:\Windows\system32\takeown.exe" /F C:\Windows\System32\backgroundTaskHost.exe /A /R /D Y
  2⤵
  PID:5996
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" C:\Windows\System32\backgroundTaskHost.exe /grant /T /C
  2⤵
  PID:3260
- C:\Windows\system32\takeown.exe
  "C:\Windows\system32\takeown.exe" /F C:\Windows\System32\BackgroundTransferHost.exe /A /R /D Y
  2⤵
  PID:488
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" C:\Windows\System32\BackgroundTransferHost.exe /grant /T /C
  2⤵
  PID:3864
- C:\Windows\system32\takeown.exe
  "C:\Windows\system32\takeown.exe" /F C:\Windows\System32\BamSettingsClient.dll /A /R /D Y
  2⤵
  PID:5144
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" C:\Windows\System32\BamSettingsClient.dll /grant /T /C
  2⤵
  PID:5244
- C:\Windows\system32\takeown.exe
  "C:\Windows\system32\takeown.exe" /F C:\Windows\System32\BarcodeProvisioningPlugin.dll /A /R /D Y
  2⤵
  PID:5208
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" C:\Windows\System32\BarcodeProvisioningPlugin.dll /grant /T /C
  2⤵
  PID:5248
- C:\Windows\system32\takeown.exe
  "C:\Windows\system32\takeown.exe" /F C:\Windows\System32\basecsp.dll /A /R /D Y
  2⤵
  PID:4748
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" C:\Windows\System32\basecsp.dll /grant /T /C
  2⤵
  PID:2256
- C:\Windows\system32\takeown.exe
  "C:\Windows\system32\takeown.exe" /F C:\Windows\System32\basesrv.dll /A /R /D Y
  2⤵
  PID:808
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" C:\Windows\System32\basesrv.dll /grant /T /C
  2⤵
  PID:5604
- C:\Windows\system32\takeown.exe
  "C:\Windows\system32\takeown.exe" /F C:\Windows\System32\batmeter.dll /A /R /D Y
  2⤵
  PID:3512
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" C:\Windows\System32\batmeter.dll /grant /T /C
  2⤵
  PID:2992
- C:\Windows\system32\takeown.exe
  "C:\Windows\system32\takeown.exe" /F C:\Windows\System32\bcastdvr.proxy.dll /A /R /D Y
  2⤵
  PID:2676
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" C:\Windows\System32\bcastdvr.proxy.dll /grant /T /C
  2⤵
  PID:2680
- C:\Windows\system32\takeown.exe
  "C:\Windows\system32\takeown.exe" /F C:\Windows\System32\BcastDVRBroker.dll /A /R /D Y
  2⤵
  PID:5088
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" C:\Windows\System32\BcastDVRBroker.dll /grant /T /C
  2⤵
  PID:2428
- C:\Windows\system32\takeown.exe
  "C:\Windows\system32\takeown.exe" /F C:\Windows\System32\BcastDVRClient.dll /A /R /D Y
  2⤵
  PID:3296
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" C:\Windows\System32\BcastDVRClient.dll /grant /T /C
  2⤵
  PID:1128
- C:\Windows\system32\takeown.exe
  "C:\Windows\system32\takeown.exe" /F C:\Windows\System32\BcastDVRCommon.dll /A /R /D Y
  2⤵
  PID:2112
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" C:\Windows\System32\BcastDVRCommon.dll /grant /T /C
  2⤵
  PID:2936
- C:\Windows\system32\takeown.exe
  "C:\Windows\system32\takeown.exe" /F C:\Windows\System32\bcastdvruserservice.dll /A /R /D Y
  2⤵
  - Modifies file permissions
  PID:2068
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" C:\Windows\System32\bcastdvruserservice.dll /grant /T /C
  2⤵
  PID:2148
- C:\Windows\system32\takeown.exe
  "C:\Windows\system32\takeown.exe" /F C:\Windows\System32\bcd.dll /A /R /D Y
  2⤵
  PID:3384
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" C:\Windows\System32\bcd.dll /grant /T /C
  2⤵
  PID:5600
- C:\Windows\system32\takeown.exe
  "C:\Windows\system32\takeown.exe" /F C:\Windows\System32\bcdboot.exe /A /R /D Y
  2⤵
  PID:3120
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" C:\Windows\System32\bcdboot.exe /grant /T /C
  2⤵
  PID:5324
- C:\Windows\system32\takeown.exe
  "C:\Windows\system32\takeown.exe" /F C:\Windows\System32\bcdedit.exe /A /R /D Y
  2⤵
  PID:4272
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" C:\Windows\System32\bcdedit.exe /grant /T /C
  2⤵
  PID:2104
- C:\Windows\system32\takeown.exe
  "C:\Windows\system32\takeown.exe" /F C:\Windows\System32\bcdprov.dll /A /R /D Y
  2⤵
  PID:2736
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" C:\Windows\System32\bcdprov.dll /grant /T /C
  2⤵
  PID:804
- C:\Windows\system32\takeown.exe
  "C:\Windows\system32\takeown.exe" /F C:\Windows\System32\bcdsrv.dll /A /R /D Y
  2⤵
  PID:4064
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" C:\Windows\System32\bcdsrv.dll /grant /T /C
  2⤵
  PID:5736
- C:\Windows\system32\takeown.exe
  "C:\Windows\system32\takeown.exe" /F C:\Windows\System32\BCP47Langs.dll /A /R /D Y
  2⤵
  PID:2780
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" C:\Windows\System32\BCP47Langs.dll /grant /T /C
  2⤵
  PID:3000
- C:\Windows\system32\takeown.exe
  "C:\Windows\system32\takeown.exe" /F C:\Windows\System32\BCP47mrm.dll /A /R /D Y
  2⤵
  PID:200
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" C:\Windows\System32\BCP47mrm.dll /grant /T /C
  2⤵
  PID:5548
- C:\Windows\system32\takeown.exe
  "C:\Windows\system32\takeown.exe" /F C:\Windows\System32\bcrypt.dll /A /R /D Y
  2⤵
  PID:5216
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" C:\Windows\System32\bcrypt.dll /grant /T /C
  2⤵
  PID:5036
- C:\Windows\system32\takeown.exe
  "C:\Windows\system32\takeown.exe" /F C:\Windows\System32\bcryptprimitives.dll /A /R /D Y
  2⤵
  PID:1224
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" C:\Windows\System32\bcryptprimitives.dll /grant /T /C
  2⤵
  PID:1756
- C:\Windows\system32\takeown.exe
  "C:\Windows\system32\takeown.exe" /F C:\Windows\System32\bdaplgin.ax /A /R /D Y
  2⤵
  PID:1924
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" C:\Windows\System32\bdaplgin.ax /grant /T /C
  2⤵
  PID:2944
- C:\Windows\system32\takeown.exe
  "C:\Windows\system32\takeown.exe" /F C:\Windows\System32\bdechangepin.exe /A /R /D Y
  2⤵
  PID:3020
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" C:\Windows\System32\bdechangepin.exe /grant /T /C
  2⤵
  PID:2304
- C:\Windows\system32\takeown.exe
  "C:\Windows\system32\takeown.exe" /F C:\Windows\System32\BdeHdCfg.exe /A /R /D Y
  2⤵
  PID:132
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" C:\Windows\System32\BdeHdCfg.exe /grant /T /C
  2⤵
  PID:444
- C:\Windows\system32\takeown.exe
  "C:\Windows\system32\takeown.exe" /F C:\Windows\System32\BdeHdCfgLib.dll /A /R /D Y
  2⤵
  PID:436
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" C:\Windows\System32\BdeHdCfgLib.dll /grant /T /C
  2⤵
  PID:1648
- C:\Windows\system32\takeown.exe
  "C:\Windows\system32\takeown.exe" /F C:\Windows\System32\bderepair.dll /A /R /D Y
  2⤵
  PID:1760
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" C:\Windows\System32\bderepair.dll /grant /T /C
  2⤵
  PID:4720
- C:\Windows\system32\takeown.exe
  "C:\Windows\system32\takeown.exe" /F C:\Windows\System32\bdesvc.dll /A /R /D Y
  2⤵
  PID:5812
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" C:\Windows\System32\bdesvc.dll /grant /T /C
  2⤵
  PID:4040
- C:\Windows\system32\takeown.exe
  "C:\Windows\system32\takeown.exe" /F C:\Windows\System32\BdeSysprep.dll /A /R /D Y
  2⤵
  PID:3444
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" C:\Windows\System32\BdeSysprep.dll /grant /T /C
  2⤵
  PID:6032
- C:\Windows\system32\takeown.exe
  "C:\Windows\system32\takeown.exe" /F C:\Windows\System32\bdeui.dll /A /R /D Y
  2⤵
  PID:5044
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" C:\Windows\System32\bdeui.dll /grant /T /C
  2⤵
  PID:5064
- C:\Windows\system32\takeown.exe
  "C:\Windows\system32\takeown.exe" /F C:\Windows\System32\BdeUISrv.exe /A /R /D Y
  2⤵
  PID:1532
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" C:\Windows\System32\BdeUISrv.exe /grant /T /C
  2⤵
  PID:780
- C:\Windows\system32\takeown.exe
  "C:\Windows\system32\takeown.exe" /F C:\Windows\System32\bdeunlock.exe /A /R /D Y
  2⤵
  PID:2888
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" C:\Windows\System32\bdeunlock.exe /grant /T /C
  2⤵
  PID:4920
- C:\Windows\system32\takeown.exe
  "C:\Windows\system32\takeown.exe" /F C:\Windows\System32\BFE.DLL /A /R /D Y
  2⤵
  PID:3748
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" C:\Windows\System32\BFE.DLL /grant /T /C
  2⤵
  PID:1100
- C:\Windows\system32\takeown.exe
  "C:\Windows\system32\takeown.exe" /F C:\Windows\System32\bi.dll /A /R /D Y
  2⤵
  PID:6092
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" C:\Windows\System32\bi.dll /grant /T /C
  2⤵
  PID:1308
- C:\Windows\system32\takeown.exe
  "C:\Windows\system32\takeown.exe" /F C:\Windows\System32\bidispl.dll /A /R /D Y
  2⤵
  PID:396
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" C:\Windows\System32\bidispl.dll /grant /T /C
  2⤵
  PID:5328
- C:\Windows\system32\takeown.exe
  "C:\Windows\system32\takeown.exe" /F C:\Windows\System32\bindfltapi.dll /A /R /D Y
  2⤵
  PID:2276
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" C:\Windows\System32\bindfltapi.dll /grant /T /C
  2⤵
  PID:1384
- C:\Windows\system32\takeown.exe
  "C:\Windows\system32\takeown.exe" /F C:\Windows\System32\BingASDS.dll /A /R /D Y
  2⤵
  PID:3716
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" C:\Windows\System32\BingASDS.dll /grant /T /C
  2⤵
  PID:5408
- C:\Windows\system32\takeown.exe
  "C:\Windows\system32\takeown.exe" /F C:\Windows\System32\BingFilterDS.dll /A /R /D Y
  2⤵
  PID:3412
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" C:\Windows\System32\BingFilterDS.dll /grant /T /C
  2⤵
  PID:4924
- C:\Windows\system32\takeown.exe
  "C:\Windows\system32\takeown.exe" /F C:\Windows\System32\BingMaps.dll /A /R /D Y
  2⤵
  PID:3856
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" C:\Windows\System32\BingMaps.dll /grant /T /C
  2⤵
  PID:1168
- C:\Windows\system32\takeown.exe
  "C:\Windows\system32\takeown.exe" /F C:\Windows\System32\BingOnlineServices.dll /A /R /D Y
  2⤵
  PID:1644
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" C:\Windows\System32\BingOnlineServices.dll /grant /T /C
  2⤵
  PID:1976
- C:\Windows\system32\takeown.exe
  "C:\Windows\system32\takeown.exe" /F C:\Windows\System32\BioCredProv.dll /A /R /D Y
  2⤵
  PID:3240
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" C:\Windows\System32\BioCredProv.dll /grant /T /C
  2⤵
  PID:468
- C:\Windows\system32\takeown.exe
  "C:\Windows\system32\takeown.exe" /F C:\Windows\System32\BioIso.exe /A /R /D Y
  2⤵
  PID:5796
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" C:\Windows\System32\BioIso.exe /grant /T /C
  2⤵
  PID:1208
- C:\Windows\system32\takeown.exe
  "C:\Windows\system32\takeown.exe" /F C:\Windows\System32\bisrv.dll /A /R /D Y
  2⤵
  PID:2572
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" C:\Windows\System32\bisrv.dll /grant /T /C
  2⤵
  PID:1968
- C:\Windows\system32\takeown.exe
  "C:\Windows\system32\takeown.exe" /F C:\Windows\System32\BitLockerCsp.dll /A /R /D Y
  2⤵
  PID:6000
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" C:\Windows\System32\BitLockerCsp.dll /grant /T /C
  2⤵
  PID:5908
- C:\Windows\system32\takeown.exe
  "C:\Windows\system32\takeown.exe" /F C:\Windows\System32\BitLockerDeviceEncryption.exe /A /R /D Y
  2⤵
  PID:2076
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" C:\Windows\System32\BitLockerDeviceEncryption.exe /grant /T /C
  2⤵
  PID:3920
- C:\Windows\system32\takeown.exe
  "C:\Windows\system32\takeown.exe" /F C:\Windows\System32\BitLockerWizard.exe /A /R /D Y
  2⤵
  PID:492
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" C:\Windows\System32\BitLockerWizard.exe /grant /T /C
  2⤵
  PID:5624
- C:\Windows\system32\takeown.exe
  "C:\Windows\system32\takeown.exe" /F C:\Windows\System32\BitLockerWizardElev.exe /A /R /D Y
  2⤵
  PID:4624
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" C:\Windows\System32\BitLockerWizardElev.exe /grant /T /C
  2⤵
  PID:5860
- C:\Windows\system32\takeown.exe
  "C:\Windows\system32\takeown.exe" /F C:\Windows\System32\bitsadmin.exe /A /R /D Y
  2⤵
  PID:1204
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" C:\Windows\System32\bitsadmin.exe /grant /T /C
  2⤵
  PID:388
- C:\Windows\system32\takeown.exe
  "C:\Windows\system32\takeown.exe" /F C:\Windows\System32\bitsigd.dll /A /R /D Y
  2⤵
  PID:4052
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" C:\Windows\System32\bitsigd.dll /grant /T /C
  2⤵
  PID:5936
- C:\Windows\system32\takeown.exe
  "C:\Windows\system32\takeown.exe" /F C:\Windows\System32\bitsperf.dll /A /R /D Y
  2⤵
  PID:932
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" C:\Windows\System32\bitsperf.dll /grant /T /C
  2⤵
  PID:1920
- C:\Windows\system32\takeown.exe
  "C:\Windows\system32\takeown.exe" /F C:\Windows\System32\BitsProxy.dll /A /R /D Y
  2⤵
  PID:1848
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" C:\Windows\System32\BitsProxy.dll /grant /T /C
  2⤵
  PID:1184
- C:\Windows\system32\takeown.exe
  "C:\Windows\system32\takeown.exe" /F C:\Windows\System32\biwinrt.dll /A /R /D Y
  2⤵
  PID:3696
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" C:\Windows\System32\biwinrt.dll /grant /T /C
  2⤵
  PID:956
- C:\Windows\system32\takeown.exe
  "C:\Windows\system32\takeown.exe" /F C:\Windows\System32\BlbEvents.dll /A /R /D Y
  2⤵
  PID:4996
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" C:\Windows\System32\BlbEvents.dll /grant /T /C
  2⤵
  PID:6112
- C:\Windows\system32\takeown.exe
  "C:\Windows\system32\takeown.exe" /F C:\Windows\System32\blbres.dll /A /R /D Y
  2⤵
  PID:4532
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" C:\Windows\System32\blbres.dll /grant /T /C
  2⤵
  PID:6096
- C:\Windows\system32\takeown.exe
  "C:\Windows\system32\takeown.exe" /F C:\Windows\System32\blb_ps.dll /A /R /D Y
  2⤵
  PID:4800
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" C:\Windows\System32\blb_ps.dll /grant /T /C
  2⤵
  PID:1096
- C:\Windows\system32\takeown.exe
  "C:\Windows\system32\takeown.exe" /F C:\Windows\System32\BluetoothApis.dll /A /R /D Y
  2⤵
  PID:5176
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" C:\Windows\System32\BluetoothApis.dll /grant /T /C
  2⤵
  PID:3952
- C:\Windows\system32\takeown.exe
  "C:\Windows\system32\takeown.exe" /F C:\Windows\System32\BluetoothDesktopHandlers.dll /A /R /D Y
  2⤵
  PID:3300
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" C:\Windows\System32\BluetoothDesktopHandlers.dll /grant /T /C
  2⤵
  PID:908
- C:\Windows\system32\takeown.exe
  "C:\Windows\system32\takeown.exe" /F C:\Windows\System32\BluetoothPairingSystemToastIcon.contrast-black.png /A /R /D Y
  2⤵
  PID:4280
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" C:\Windows\System32\BluetoothPairingSystemToastIcon.contrast-black.png /grant /T /C
  2⤵
  PID:5452
- C:\Windows\system32\takeown.exe
  "C:\Windows\system32\takeown.exe" /F C:\Windows\System32\BluetoothPairingSystemToastIcon.contrast-high.png /A /R /D Y
  2⤵
  PID:5152
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" C:\Windows\System32\BluetoothPairingSystemToastIcon.contrast-high.png /grant /T /C
  2⤵
  PID:5192
- C:\Windows\system32\takeown.exe
  "C:\Windows\system32\takeown.exe" /F C:\Windows\System32\BluetoothPairingSystemToastIcon.contrast-white.png /A /R /D Y
  2⤵
  PID:568
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" C:\Windows\System32\BluetoothPairingSystemToastIcon.contrast-white.png /grant /T /C
  2⤵
  PID:3436
- C:\Windows\system32\takeown.exe
  "C:\Windows\system32\takeown.exe" /F C:\Windows\System32\BluetoothPairingSystemToastIcon.png /A /R /D Y
  2⤵
  PID:2844
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" C:\Windows\System32\BluetoothPairingSystemToastIcon.png /grant /T /C
  2⤵
  PID:4692
- C:\Windows\system32\takeown.exe
  "C:\Windows\system32\takeown.exe" /F C:\Windows\System32\BluetoothSystemToastIcon.contrast-white.png /A /R /D Y
  2⤵
  PID:1984
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" C:\Windows\System32\BluetoothSystemToastIcon.contrast-white.png /grant /T /C
  2⤵
  PID:4612
- C:\Windows\system32\takeown.exe
  "C:\Windows\system32\takeown.exe" /F C:\Windows\System32\BluetoothSystemToastIcon.png /A /R /D Y
  2⤵
  PID:1564
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" C:\Windows\System32\BluetoothSystemToastIcon.png /grant /T /C
  2⤵
  PID:6040
- C:\Windows\system32\takeown.exe
  "C:\Windows\system32\takeown.exe" /F C:\Windows\System32\bnmanager.dll /A /R /D Y
  2⤵
  PID:952
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" C:\Windows\System32\bnmanager.dll /grant /T /C
  2⤵
  PID:752
- C:\Windows\system32\takeown.exe
  "C:\Windows\system32\takeown.exe" /F C:\Windows\System32\boot.sdi /A /R /D Y
  2⤵
  PID:3368
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" C:\Windows\System32\boot.sdi /grant /T /C
  2⤵
  PID:3636
- C:\Windows\system32\takeown.exe
  "C:\Windows\system32\takeown.exe" /F C:\Windows\System32\bootim.exe /A /R /D Y
  2⤵
  PID:2000
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" C:\Windows\System32\bootim.exe /grant /T /C
  2⤵
  PID:5296
- C:\Windows\system32\takeown.exe
  "C:\Windows\system32\takeown.exe" /F C:\Windows\System32\BootMenuUX.dll /A /R /D Y
  2⤵
  PID:5104
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" C:\Windows\System32\BootMenuUX.dll /grant /T /C
  2⤵
  PID:4556
- C:\Windows\system32\takeown.exe
  "C:\Windows\system32\takeown.exe" /F C:\Windows\System32\bootsect.exe /A /R /D Y
  2⤵
  PID:3692
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" C:\Windows\System32\bootsect.exe /grant /T /C
  2⤵
  PID:4528
- C:\Windows\system32\takeown.exe
  "C:\Windows\system32\takeown.exe" /F C:\Windows\System32\bootstr.dll /A /R /D Y
  2⤵
  PID:3960
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" C:\Windows\System32\bootstr.dll /grant /T /C
  2⤵
  PID:4548
- C:\Windows\system32\takeown.exe
  "C:\Windows\system32\takeown.exe" /F C:\Windows\System32\bootsvc.dll /A /R /D Y
  2⤵
  PID:5876
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" C:\Windows\System32\bootsvc.dll /grant /T /C
  2⤵
  PID:3360
- C:\Windows\system32\takeown.exe
  "C:\Windows\system32\takeown.exe" /F C:\Windows\System32\bootux.dll /A /R /D Y
  2⤵
  PID:2400
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" C:\Windows\System32\bootux.dll /grant /T /C
  2⤵
  PID:3284
- C:\Windows\system32\takeown.exe
  "C:\Windows\system32\takeown.exe" /F C:\Windows\System32\BOOTVID.DLL /A /R /D Y
  2⤵
  PID:5940
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" C:\Windows\System32\BOOTVID.DLL /grant /T /C
  2⤵
  PID:1628
- C:\Windows\system32\takeown.exe
  "C:\Windows\system32\takeown.exe" /F C:\Windows\System32\bopomofo.uce /A /R /D Y
  2⤵
  PID:5444
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" C:\Windows\System32\bopomofo.uce /grant /T /C
  2⤵
  PID:4036
- C:\Windows\system32\takeown.exe
  "C:\Windows\system32\takeown.exe" /F C:\Windows\System32\bridgeres.dll /A /R /D Y
  2⤵
  PID:3700
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" C:\Windows\System32\bridgeres.dll /grant /T /C
  2⤵
  PID:3388
- C:\Windows\system32\takeown.exe
  "C:\Windows\system32\takeown.exe" /F C:\Windows\System32\bridgeunattend.exe /A /R /D Y
  2⤵
  PID:3904
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" C:\Windows\System32\bridgeunattend.exe /grant /T /C
  2⤵
  PID:1512
- C:\Windows\system32\takeown.exe
  "C:\Windows\system32\takeown.exe" /F C:\Windows\System32\BrokerLib.dll /A /R /D Y
  2⤵
  PID:6056
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" C:\Windows\System32\BrokerLib.dll /grant /T /C
  2⤵
  PID:5628
- C:\Windows\system32\takeown.exe
  "C:\Windows\system32\takeown.exe" /F C:\Windows\System32\browcli.dll /A /R /D Y
  2⤵
  PID:4356
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" C:\Windows\System32\browcli.dll /grant /T /C
  2⤵
  PID:2240
- C:\Windows\system32\takeown.exe
  "C:\Windows\system32\takeown.exe" /F C:\Windows\System32\browserbroker.dll /A /R /D Y
  2⤵
  PID:1680
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" C:\Windows\System32\browserbroker.dll /grant /T /C
  2⤵
  PID:3476
- C:\Windows\system32\takeown.exe
  "C:\Windows\system32\takeown.exe" /F C:\Windows\System32\browserexport.exe /A /R /D Y
  2⤵
  PID:3672
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" C:\Windows\System32\browserexport.exe /grant /T /C
  2⤵
  PID:2376
- C:\Windows\system32\takeown.exe
  "C:\Windows\system32\takeown.exe" /F C:\Windows\System32\browser_broker.exe /A /R /D Y
  2⤵
  PID:1936
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" C:\Windows\System32\browser_broker.exe /grant /T /C
  2⤵
  PID:2352
- C:\Windows\system32\takeown.exe
  "C:\Windows\system32\takeown.exe" /F C:\Windows\System32\browseui.dll /A /R /D Y
  2⤵
  PID:684
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" C:\Windows\System32\browseui.dll /grant /T /C
  2⤵
  PID:4544
- C:\Windows\system32\takeown.exe
  "C:\Windows\system32\takeown.exe" /F C:\Windows\System32\BTAGService.dll /A /R /D Y
  2⤵
  PID:244
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" C:\Windows\System32\BTAGService.dll /grant /T /C
  2⤵
  PID:6052
- C:\Windows\system32\takeown.exe
  "C:\Windows\system32\takeown.exe" /F C:\Windows\System32\btbcf4pn72xqw.exe /A /R /D Y
  2⤵
  PID:1088
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" C:\Windows\System32\btbcf4pn72xqw.exe /grant /T /C
  2⤵
  PID:3764
- C:\Windows\system32\takeown.exe
  "C:\Windows\system32\takeown.exe" /F C:\Windows\System32\BthAvctpSvc.dll /A /R /D Y
  2⤵
  PID:5272
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" C:\Windows\System32\BthAvctpSvc.dll /grant /T /C
  2⤵
  - Possible privilege escalation attempt
  PID:3264
- C:\Windows\system32\takeown.exe
  "C:\Windows\system32\takeown.exe" /F C:\Windows\System32\BthAvrcp.dll /A /R /D Y
  2⤵
  PID:1980
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" C:\Windows\System32\BthAvrcp.dll /grant /T /C
  2⤵
  PID:2100
- C:\Windows\system32\takeown.exe
  "C:\Windows\system32\takeown.exe" /F C:\Windows\System32\BthAvrcpAppSvc.dll /A /R /D Y
  2⤵
  PID:5916
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" C:\Windows\System32\BthAvrcpAppSvc.dll /grant /T /C
  2⤵
  PID:572
- C:\Windows\system32\takeown.exe
  "C:\Windows\system32\takeown.exe" /F C:\Windows\System32\bthci.dll /A /R /D Y
  2⤵
  PID:2900
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" C:\Windows\System32\bthci.dll /grant /T /C
  2⤵
  PID:1832
- C:\Windows\system32\takeown.exe
  "C:\Windows\system32\takeown.exe" /F C:\Windows\System32\BthMtpContextHandler.dll /A /R /D Y
  2⤵
  PID:3500
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" C:\Windows\System32\BthMtpContextHandler.dll /grant /T /C
  2⤵
  PID:2756
- C:\Windows\system32\takeown.exe
  "C:\Windows\system32\takeown.exe" /F C:\Windows\System32\bthpanapi.dll /A /R /D Y
  2⤵
  PID:5132
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" C:\Windows\System32\bthpanapi.dll /grant /T /C
  2⤵
  PID:5048
- C:\Windows\system32\takeown.exe
  "C:\Windows\system32\takeown.exe" /F C:\Windows\System32\BthpanContextHandler.dll /A /R /D Y
  2⤵
  PID:1824
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" C:\Windows\System32\BthpanContextHandler.dll /grant /T /C
  2⤵
  PID:5616
- C:\Windows\system32\takeown.exe
  "C:\Windows\system32\takeown.exe" /F C:\Windows\System32\bthprops.cpl /A /R /D Y
  2⤵
  PID:4780
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" C:\Windows\System32\bthprops.cpl /grant /T /C
  2⤵
  PID:2896
- C:\Windows\system32\takeown.exe
  "C:\Windows\system32\takeown.exe" /F C:\Windows\System32\BthRadioMedia.dll /A /R /D Y
  2⤵
  PID:360
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" C:\Windows\System32\BthRadioMedia.dll /grant /T /C
  2⤵
  PID:3292
- C:\Windows\system32\takeown.exe
  "C:\Windows\system32\takeown.exe" /F C:\Windows\System32\bthserv.dll /A /R /D Y
  2⤵
  PID:5440
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" C:\Windows\System32\bthserv.dll /grant /T /C
  2⤵
  PID:3656
- C:\Windows\system32\takeown.exe
  "C:\Windows\system32\takeown.exe" /F C:\Windows\System32\BthTelemetry.dll /A /R /D Y
  2⤵
  PID:5456
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" C:\Windows\System32\BthTelemetry.dll /grant /T /C
  2⤵
  PID:4012
- C:\Windows\system32\takeown.exe
  "C:\Windows\system32\takeown.exe" /F C:\Windows\System32\bthudtask.exe /A /R /D Y
  2⤵
  PID:3308
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" C:\Windows\System32\bthudtask.exe /grant /T /C
  2⤵
  PID:2868
- C:\Windows\system32\takeown.exe
  "C:\Windows\system32\takeown.exe" /F C:\Windows\System32\btpanui.dll /A /R /D Y
  2⤵
  PID:2224
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" C:\Windows\System32\btpanui.dll /grant /T /C
  2⤵
  PID:3260
- C:\Windows\system32\takeown.exe
  "C:\Windows\system32\takeown.exe" /F C:\Windows\System32\Bubbles.scr /A /R /D Y
  2⤵
  PID:488
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" C:\Windows\System32\Bubbles.scr /grant /T /C
  2⤵
  PID:3864
- C:\Windows\system32\takeown.exe
  "C:\Windows\system32\takeown.exe" /F C:\Windows\System32\BWContextHandler.dll /A /R /D Y
  2⤵
  PID:5148
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" C:\Windows\System32\BWContextHandler.dll /grant /T /C
  2⤵
  PID:5244
- C:\Windows\system32\takeown.exe
  "C:\Windows\system32\takeown.exe" /F C:\Windows\System32\ByteCodeGenerator.exe /A /R /D Y
  2⤵
  PID:5208
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" C:\Windows\System32\ByteCodeGenerator.exe /grant /T /C
  2⤵
  PID:5248
- C:\Windows\system32\takeown.exe
  "C:\Windows\system32\takeown.exe" /F C:\Windows\System32\cabapi.dll /A /R /D Y
  2⤵
  PID:5188
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" C:\Windows\System32\cabapi.dll /grant /T /C
  2⤵
  PID:2256
- C:\Windows\system32\takeown.exe
  "C:\Windows\system32\takeown.exe" /F C:\Windows\System32\cabinet.dll /A /R /D Y
  2⤵
  PID:808
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" C:\Windows\System32\cabinet.dll /grant /T /C
  2⤵
  PID:5604
- C:\Windows\system32\takeown.exe
  "C:\Windows\system32\takeown.exe" /F C:\Windows\System32\cabview.dll /A /R /D Y
  2⤵
  PID:3512
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" C:\Windows\System32\cabview.dll /grant /T /C
  2⤵
  PID:2992
- C:\Windows\system32\takeown.exe
  "C:\Windows\system32\takeown.exe" /F C:\Windows\System32\cacls.exe /A /R /D Y
  2⤵
  PID:2536
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" C:\Windows\System32\cacls.exe /grant /T /C
  2⤵
  PID:2680
- C:\Windows\system32\takeown.exe
  "C:\Windows\system32\takeown.exe" /F C:\Windows\System32\calc.exe /A /R /D Y
  2⤵
  PID:5204
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" C:\Windows\System32\calc.exe /grant /T /C
  2⤵
  PID:2428
- C:\Windows\system32\takeown.exe
  "C:\Windows\system32\takeown.exe" /F C:\Windows\System32\CallButtons.dll /A /R /D Y
  2⤵
  PID:2244
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" C:\Windows\System32\CallButtons.dll /grant /T /C
  2⤵
  PID:1128
- C:\Windows\system32\takeown.exe
  "C:\Windows\system32\takeown.exe" /F C:\Windows\System32\CallButtons.ProxyStub.dll /A /R /D Y
  2⤵
  PID:4508
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" C:\Windows\System32\CallButtons.ProxyStub.dll /grant /T /C
  2⤵
  PID:2936
- C:\Windows\system32\takeown.exe
  "C:\Windows\system32\takeown.exe" /F C:\Windows\System32\CallHistoryClient.dll /A /R /D Y
  2⤵
  PID:2068
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" C:\Windows\System32\CallHistoryClient.dll /grant /T /C
  2⤵
  PID:2148
- C:\Windows\system32\takeown.exe
  "C:\Windows\system32\takeown.exe" /F C:\Windows\System32\CameraCaptureUI.dll /A /R /D Y
  2⤵
  PID:3384
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" C:\Windows\System32\CameraCaptureUI.dll /grant /T /C
  2⤵
  PID:5600
- C:\Windows\system32\takeown.exe
  "C:\Windows\system32\takeown.exe" /F C:\Windows\System32\CameraSettingsUIHost.exe /A /R /D Y
  2⤵
  PID:3120
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" C:\Windows\System32\CameraSettingsUIHost.exe /grant /T /C
  2⤵
  PID:5324
- C:\Windows\system32\takeown.exe
  "C:\Windows\system32\takeown.exe" /F C:\Windows\System32\CapabilityAccessHandlers.dll /A /R /D Y
  2⤵
  PID:4272
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" C:\Windows\System32\CapabilityAccessHandlers.dll /grant /T /C
  2⤵
  PID:2104
- C:\Windows\system32\takeown.exe
  "C:\Windows\system32\takeown.exe" /F C:\Windows\System32\CapabilityAccessManager.dll /A /R /D Y
  2⤵
  PID:2800
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" C:\Windows\System32\CapabilityAccessManager.dll /grant /T /C
  2⤵
  PID:4668
- C:\Windows\system32\takeown.exe
  "C:\Windows\system32\takeown.exe" /F C:\Windows\System32\CapabilityAccessManagerClient.dll /A /R /D Y
  2⤵
  PID:3364
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" C:\Windows\System32\CapabilityAccessManagerClient.dll /grant /T /C
  2⤵
  PID:5972
- C:\Windows\system32\takeown.exe
  "C:\Windows\system32\takeown.exe" /F C:\Windows\System32\capauthz.dll /A /R /D Y
  2⤵
  PID:4116
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" C:\Windows\System32\capauthz.dll /grant /T /C
  2⤵
  PID:2796
- C:\Windows\system32\takeown.exe
  "C:\Windows\system32\takeown.exe" /F C:\Windows\System32\capiprovider.dll /A /R /D Y
  2⤵
  PID:4212
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" C:\Windows\System32\capiprovider.dll /grant /T /C
  2⤵
  PID:4960
- C:\Windows\system32\takeown.exe
  "C:\Windows\system32\takeown.exe" /F C:\Windows\System32\capisp.dll /A /R /D Y
  2⤵
  PID:3600
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" C:\Windows\System32\capisp.dll /grant /T /C
  2⤵
  PID:4956
- C:\Windows\system32\takeown.exe
  "C:\Windows\system32\takeown.exe" /F C:\Windows\System32\CaptureService.dll /A /R /D Y
  2⤵
  PID:5756
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" C:\Windows\System32\CaptureService.dll /grant /T /C
  2⤵
  PID:2700
- C:\Windows\system32\takeown.exe
  "C:\Windows\system32\takeown.exe" /F C:\Windows\System32\CastingShellExt.dll /A /R /D Y
  2⤵
  PID:1076
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" C:\Windows\System32\CastingShellExt.dll /grant /T /C
  2⤵
  PID:4432
- C:\Windows\system32\takeown.exe
  "C:\Windows\system32\takeown.exe" /F C:\Windows\System32\CastLaunch.dll /A /R /D Y
  2⤵
  PID:2816
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" C:\Windows\System32\CastLaunch.dll /grant /T /C
  2⤵
  PID:3956
- C:\Windows\system32\takeown.exe
  "C:\Windows\system32\takeown.exe" /F C:\Windows\System32\CastSrv.exe /A /R /D Y
  2⤵
  PID:344
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" C:\Windows\System32\CastSrv.exe /grant /T /C
  2⤵
  PID:3880
- C:\Windows\system32\takeown.exe
  "C:\Windows\system32\takeown.exe" /F C:\Windows\System32\catsrv.dll /A /R /D Y
  2⤵
  PID:1144
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" C:\Windows\System32\catsrv.dll /grant /T /C
  2⤵
  PID:5804
- C:\Windows\system32\takeown.exe
  "C:\Windows\system32\takeown.exe" /F C:\Windows\System32\catsrvps.dll /A /R /D Y
  2⤵
  PID:1300
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" C:\Windows\System32\catsrvps.dll /grant /T /C
  2⤵
  - Modifies file permissions
  PID:1472
- C:\Windows\system32\takeown.exe
  "C:\Windows\system32\takeown.exe" /F C:\Windows\System32\catsrvut.dll /A /R /D Y
  2⤵
  PID:1676
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" C:\Windows\System32\catsrvut.dll /grant /T /C
  2⤵
  PID:5388
- C:\Windows\system32\takeown.exe
  "C:\Windows\system32\takeown.exe" /F C:\Windows\System32\CBDHSvc.dll /A /R /D Y
  2⤵
  PID:3840
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" C:\Windows\System32\CBDHSvc.dll /grant /T /C
  2⤵
  - Possible privilege escalation attempt
  PID:5392
- C:\Windows\system32\takeown.exe
  "C:\Windows\system32\takeown.exe" /F C:\Windows\System32\cca.dll /A /R /D Y
  2⤵
  PID:3056
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" C:\Windows\System32\cca.dll /grant /T /C
  2⤵
  PID:464
- C:\Windows\system32\takeown.exe
  "C:\Windows\system32\takeown.exe" /F C:\Windows\System32\cdd.dll /A /R /D Y
  2⤵
  PID:2792
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" C:\Windows\System32\cdd.dll /grant /T /C
  2⤵
  PID:2088
- C:\Windows\system32\takeown.exe
  "C:\Windows\system32\takeown.exe" /F C:\Windows\System32\cdosys.dll /A /R /D Y
  2⤵
  PID:5100
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" C:\Windows\System32\cdosys.dll /grant /T /C
  2⤵
  PID:1508
- C:\Windows\system32\takeown.exe
  "C:\Windows\system32\takeown.exe" /F C:\Windows\System32\cdp.dll /A /R /D Y
  2⤵
  PID:4896
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" C:\Windows\System32\cdp.dll /grant /T /C
  2⤵
  PID:4048
- C:\Windows\system32\takeown.exe
  "C:\Windows\system32\takeown.exe" /F C:\Windows\System32\cdprt.dll /A /R /D Y
  2⤵
  PID:1240
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" C:\Windows\System32\cdprt.dll /grant /T /C
  2⤵
  PID:2932
- C:\Windows\system32\takeown.exe
  "C:\Windows\system32\takeown.exe" /F C:\Windows\System32\cdpsvc.dll /A /R /D Y
  2⤵
  PID:5888
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" C:\Windows\System32\cdpsvc.dll /grant /T /C
  2⤵
  PID:4008
- C:\Windows\system32\takeown.exe
  "C:\Windows\system32\takeown.exe" /F C:\Windows\System32\cdpusersvc.dll /A /R /D Y
  2⤵
  PID:4464
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" C:\Windows\System32\cdpusersvc.dll /grant /T /C
  2⤵
  PID:4872
- C:\Windows\system32\takeown.exe
  "C:\Windows\system32\takeown.exe" /F C:\Windows\System32\cellulardatacapabilityhandler.dll /A /R /D Y
  2⤵
  PID:5700
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" C:\Windows\System32\cellulardatacapabilityhandler.dll /grant /T /C
  2⤵
  PID:4908
- C:\Windows\system32\takeown.exe
  "C:\Windows\system32\takeown.exe" /F C:\Windows\System32\cemapi.dll /A /R /D Y
  2⤵
  PID:5776
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" C:\Windows\System32\cemapi.dll /grant /T /C
  2⤵
  PID:1840
- C:\Windows\system32\takeown.exe
  "C:\Windows\system32\takeown.exe" /F C:\Windows\System32\cero.rs /A /R /D Y
  2⤵
  PID:6080
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" C:\Windows\System32\cero.rs /grant /T /C
  2⤵
  PID:2996
- C:\Windows\system32\takeown.exe
  "C:\Windows\system32\takeown.exe" /F C:\Windows\System32\certca.dll /A /R /D Y
  2⤵
  PID:3272
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" C:\Windows\System32\certca.dll /grant /T /C
  2⤵
  PID:1092
- C:\Windows\system32\takeown.exe
  "C:\Windows\system32\takeown.exe" /F C:\Windows\System32\certcli.dll /A /R /D Y
  2⤵
  PID:3240
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" C:\Windows\System32\certcli.dll /grant /T /C
  2⤵
  PID:2904
- C:\Windows\system32\takeown.exe
  "C:\Windows\system32\takeown.exe" /F C:\Windows\System32\certCredProvider.dll /A /R /D Y
  2⤵
  PID:5032
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" C:\Windows\System32\certCredProvider.dll /grant /T /C
  2⤵
  PID:3044
- C:\Windows\system32\takeown.exe
  "C:\Windows\system32\takeown.exe" /F C:\Windows\System32\certenc.dll /A /R /D Y
  2⤵
  PID:5004
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" C:\Windows\System32\certenc.dll /grant /T /C
  2⤵
  PID:2660
- C:\Windows\system32\takeown.exe
  "C:\Windows\system32\takeown.exe" /F C:\Windows\System32\CertEnroll.dll /A /R /D Y
  2⤵
  PID:1912
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" C:\Windows\System32\CertEnroll.dll /grant /T /C
  2⤵
  PID:2824
- C:\Windows\system32\takeown.exe
  "C:\Windows\system32\takeown.exe" /F C:\Windows\System32\CertEnrollCtrl.exe /A /R /D Y
  2⤵
  PID:3548
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" C:\Windows\System32\CertEnrollCtrl.exe /grant /T /C
  2⤵
  PID:3528
- C:\Windows\system32\takeown.exe
  "C:\Windows\system32\takeown.exe" /F C:\Windows\System32\CertEnrollUI.dll /A /R /D Y
  2⤵
  PID:3936
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" C:\Windows\System32\CertEnrollUI.dll /grant /T /C
  2⤵
  PID:3332
- C:\Windows\system32\takeown.exe
  "C:\Windows\system32\takeown.exe" /F C:\Windows\System32\certlm.msc /A /R /D Y
  2⤵
  PID:4948
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" C:\Windows\System32\certlm.msc /grant /T /C
  2⤵
  PID:1364
- C:\Windows\system32\takeown.exe
  "C:\Windows\system32\takeown.exe" /F C:\Windows\System32\certmgr.dll /A /R /D Y
  2⤵
  PID:2980
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" C:\Windows\System32\certmgr.dll /grant /T /C
  2⤵
  PID:2940
- C:\Windows\system32\takeown.exe
  "C:\Windows\system32\takeown.exe" /F C:\Windows\System32\certmgr.msc /A /R /D Y
  2⤵
  PID:1368

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Boot or Logon Autostart Execution

T1547

Print Processors

T1547.012

Power Settings

T1653

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Print Processors

T1547.012

Defense Evasion

File and Directory Permissions Modification

T1222

Indicator Removal

T1070

Clear Windows Event Logs

T1070.001

Indirect Command Execution

T1202

Credential Access

Discovery

Lateral Movement

Remote Services

T1021

Remote Desktop Protocol

T1021.001

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_isibembv.5in.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
memory/4080-0-0x00007FFECB8F3000-0x00007FFECB8F5000-memory.dmp

Filesize
8KB

Download
memory/4080-9-0x0000023E310A0000-0x0000023E310C2000-memory.dmp

Filesize
136KB

Download
memory/4080-10-0x00007FFECB8F0000-0x00007FFECC3B2000-memory.dmp

Filesize
10.8MB

Download
memory/4080-11-0x00007FFECB8F0000-0x00007FFECC3B2000-memory.dmp

Filesize
10.8MB

Download
memory/4080-12-0x00007FFECB8F0000-0x00007FFECC3B2000-memory.dmp

Filesize
10.8MB

Download
memory/4080-13-0x00007FFECB8F3000-0x00007FFECB8F5000-memory.dmp

Filesize
8KB

Download
memory/4080-14-0x00007FFECB8F0000-0x00007FFECC3B2000-memory.dmp

Filesize
10.8MB

Download