1364cbf8358f78f83cd39bcbfd21ea8dbff81c4e9d7e28729b816db95b04eefd

Analysis

max time kernel
150s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
27/10/2024, 18:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7804e09b2ba224bae06bf23ca2a8b8d668d58b828a8d5aadbbb21c3b7e2acfc4.exe
Size

7.7MB
MD5

91de74e4426f8c9118495c56d5fa6b2d
SHA1

4797f529e20ff69179cab3dc21b81fbd3a62d6bd
SHA256

7804e09b2ba224bae06bf23ca2a8b8d668d58b828a8d5aadbbb21c3b7e2acfc4
SHA512

eb955bc67efa46a26d37a382dcb931841151f5c55dfa77d2edc6361927a82953e3a86e77042bd6cb02c0a08a5f566e0335d3f09fca3e09927e1a3ead291520ee
SSDEEP

98304:BTrszeuqmeuxWJEO7OdL3vu6+er0NGBJMV1ZAU6tSOsd:1juqmeuxhAiW6yAJMVd6M/d

Score

9^/10

discovery ransomware spyware stealer

Malware Config

Signatures

Renames multiple (1529) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Modifies file permissions 1 TTPs 64 IoCs

discovery

File and Directory Permissions Modification

T1222

pid	Process
752	takeown.exe
3696	takeown.exe
2540	takeown.exe
3420	Process not Found
748	takeown.exe
2176	takeown.exe
3440	takeown.exe
3692	takeown.exe
5016	takeown.exe
3164	takeown.exe
2348	Process not Found
1828	takeown.exe
5112	takeown.exe
4576	takeown.exe
4600	takeown.exe
3868	Process not Found
4552	Process not Found
2724	Process not Found
4900	takeown.exe
4376	takeown.exe
4760	takeown.exe
4888	takeown.exe
5112	takeown.exe
1100	takeown.exe
1752	Process not Found
4740	Process not Found
3224	Process not Found
1408	takeown.exe
3536	Process not Found
5112	takeown.exe
2736	takeown.exe
4896	takeown.exe
3316	takeown.exe
4888	Process not Found
2348	Process not Found
1992	Process not Found
4740	takeown.exe
212	takeown.exe
1664	takeown.exe
4092	takeown.exe
1624	takeown.exe
3880	takeown.exe
3284	Process not Found
2692	Process not Found
1392	Process not Found
1100	Process not Found
4704	Process not Found
2216	Process not Found
2176	takeown.exe
3048	takeown.exe
1064	Process not Found
2916	Process not Found
4600	takeown.exe
2804	takeown.exe
5064	takeown.exe
1360	takeown.exe
4516	takeown.exe
3540	Process not Found
3036	Process not Found
232	takeown.exe
2324	takeown.exe
744	takeown.exe
2804	takeown.exe
1592	takeown.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\System.Core.dll.ghost	7804e09b2ba224bae06bf23ca2a8b8d668d58b828a8d5aadbbb21c3b7e2acfc4.exe
File created	C:\Program Files\WindowsApps\Microsoft.SkypeApp_14.53.77.0_x64__kzf8qxf38zg5c\SkypeApp.dll.ghost	7804e09b2ba224bae06bf23ca2a8b8d668d58b828a8d5aadbbb21c3b7e2acfc4.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.ScriptDom.dll.ghost	7804e09b2ba224bae06bf23ca2a8b8d668d58b828a8d5aadbbb21c3b7e2acfc4.exe
File created	C:\Program Files\Microsoft Office\root\Office16\OsfTaskengine.dll.ghost	7804e09b2ba224bae06bf23ca2a8b8d668d58b828a8d5aadbbb21c3b7e2acfc4.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\Interceptor.dll.ghost	7804e09b2ba224bae06bf23ca2a8b8d668d58b828a8d5aadbbb21c3b7e2acfc4.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Reflection.Metadata.dll.ghost	7804e09b2ba224bae06bf23ca2a8b8d668d58b828a8d5aadbbb21c3b7e2acfc4.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\codec\libsdl_image_plugin.dll.ghost	7804e09b2ba224bae06bf23ca2a8b8d668d58b828a8d5aadbbb21c3b7e2acfc4.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\VBA\VBA7.1\1033\FM20.CHM.ghost	7804e09b2ba224bae06bf23ca2a8b8d668d58b828a8d5aadbbb21c3b7e2acfc4.exe
File created	C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_x64__8wekyb3d8bbwe\Video.UI.exe.ghost	7804e09b2ba224bae06bf23ca2a8b8d668d58b828a8d5aadbbb21c3b7e2acfc4.exe
File created	C:\Program Files\Microsoft Office\root\Office16\CHAKRACORE.DLL.ghost	7804e09b2ba224bae06bf23ca2a8b8d668d58b828a8d5aadbbb21c3b7e2acfc4.exe
File created	C:\Program Files\Microsoft Office\root\Office16\PROOF\msth8EN.LEX.ghost	7804e09b2ba224bae06bf23ca2a8b8d668d58b828a8d5aadbbb21c3b7e2acfc4.exe
File created	C:\Program Files\Microsoft Office\root\rsod\office.x-none.msi.16.x-none.tree.dat.ghost	7804e09b2ba224bae06bf23ca2a8b8d668d58b828a8d5aadbbb21c3b7e2acfc4.exe
File created	C:\Program Files\GetPop.ppsx.ghost	7804e09b2ba224bae06bf23ca2a8b8d668d58b828a8d5aadbbb21c3b7e2acfc4.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Threading.Tasks.Dataflow.dll.ghost	7804e09b2ba224bae06bf23ca2a8b8d668d58b828a8d5aadbbb21c3b7e2acfc4.exe
File created	C:\Program Files\WindowsApps\Microsoft.SkypeApp_14.53.77.0_x64__kzf8qxf38zg5c\resources\strings\LocalizedStrings_uk.json.ghost	7804e09b2ba224bae06bf23ca2a8b8d668d58b828a8d5aadbbb21c3b7e2acfc4.exe
File opened for modification	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\de\System.Data.Entity.Resources.dll.ghost	7804e09b2ba224bae06bf23ca2a8b8d668d58b828a8d5aadbbb21c3b7e2acfc4.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\codec\libavcodec_plugin.dll.ghost	7804e09b2ba224bae06bf23ca2a8b8d668d58b828a8d5aadbbb21c3b7e2acfc4.exe
File created	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\onenoteim.exe.ghost	7804e09b2ba224bae06bf23ca2a8b8d668d58b828a8d5aadbbb21c3b7e2acfc4.exe
File opened for modification	C:\Program Files\Windows Photo Viewer\ImagingEngine.dll.ghost	7804e09b2ba224bae06bf23ca2a8b8d668d58b828a8d5aadbbb21c3b7e2acfc4.exe
File created	C:\Program Files\Windows Photo Viewer\PhotoAcq.dll.ghost	7804e09b2ba224bae06bf23ca2a8b8d668d58b828a8d5aadbbb21c3b7e2acfc4.exe
File created	C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_x64__8wekyb3d8bbwe\Microsoft.Msn.Weather.dll.ghost	7804e09b2ba224bae06bf23ca2a8b8d668d58b828a8d5aadbbb21c3b7e2acfc4.exe
File created	C:\Program Files\Microsoft Office\root\Office16\csi.dll.ghost	7804e09b2ba224bae06bf23ca2a8b8d668d58b828a8d5aadbbb21c3b7e2acfc4.exe
File created	C:\Program Files\Microsoft Office\root\Office16\PROOF\MSGR8ES.LEX.ghost	7804e09b2ba224bae06bf23ca2a8b8d668d58b828a8d5aadbbb21c3b7e2acfc4.exe
File created	C:\Program Files\Microsoft Office\root\vfs\Fonts\private\MSYH.TTC.ghost	7804e09b2ba224bae06bf23ca2a8b8d668d58b828a8d5aadbbb21c3b7e2acfc4.exe
File created	C:\Program Files\Java\jre-1.8\lib\charsets.jar.ghost	7804e09b2ba224bae06bf23ca2a8b8d668d58b828a8d5aadbbb21c3b7e2acfc4.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\TRANSLAT\ENFR\MSB1ENFR.ITS.ghost	7804e09b2ba224bae06bf23ca2a8b8d668d58b828a8d5aadbbb21c3b7e2acfc4.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\coreclr.dll.ghost	7804e09b2ba224bae06bf23ca2a8b8d668d58b828a8d5aadbbb21c3b7e2acfc4.exe
File created	C:\Program Files\Microsoft Office\root\Office16\PROOF\msth8ES.LEX.ghost	7804e09b2ba224bae06bf23ca2a8b8d668d58b828a8d5aadbbb21c3b7e2acfc4.exe
File created	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\Office.UI.Xaml.Word.dll.ghost	7804e09b2ba224bae06bf23ca2a8b8d668d58b828a8d5aadbbb21c3b7e2acfc4.exe
File created	C:\Program Files\Microsoft Office\root\Office16\Interceptor.dll.ghost	7804e09b2ba224bae06bf23ca2a8b8d668d58b828a8d5aadbbb21c3b7e2acfc4.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Threading.Tasks.Dataflow.dll.ghost	7804e09b2ba224bae06bf23ca2a8b8d668d58b828a8d5aadbbb21c3b7e2acfc4.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Net.Mail.dll.ghost	7804e09b2ba224bae06bf23ca2a8b8d668d58b828a8d5aadbbb21c3b7e2acfc4.exe
File created	C:\Program Files\WindowsApps\Microsoft.MicrosoftOfficeHub_18.1903.1152.0_x64__8wekyb3d8bbwe\System.Xml.XmlSerializer.dll.ghost	7804e09b2ba224bae06bf23ca2a8b8d668d58b828a8d5aadbbb21c3b7e2acfc4.exe
File created	C:\Program Files\WindowsApps\Microsoft.Windows.Photos_2019.19071.12548.0_x64__8wekyb3d8bbwe\Microsoft.Graphics.Canvas.dll.ghost	7804e09b2ba224bae06bf23ca2a8b8d668d58b828a8d5aadbbb21c3b7e2acfc4.exe
File created	C:\Program Files\WindowsApps\Microsoft.XboxApp_48.49.31001.0_x64__8wekyb3d8bbwe\PartyChat.dll.ghost	7804e09b2ba224bae06bf23ca2a8b8d668d58b828a8d5aadbbb21c3b7e2acfc4.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\MSOICONS.EXE.ghost	7804e09b2ba224bae06bf23ca2a8b8d668d58b828a8d5aadbbb21c3b7e2acfc4.exe
File opened for modification	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\System.Workflow.Runtime.dll.ghost	7804e09b2ba224bae06bf23ca2a8b8d668d58b828a8d5aadbbb21c3b7e2acfc4.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\RepoMan.dll.ghost	7804e09b2ba224bae06bf23ca2a8b8d668d58b828a8d5aadbbb21c3b7e2acfc4.exe
File created	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe.ghost	7804e09b2ba224bae06bf23ca2a8b8d668d58b828a8d5aadbbb21c3b7e2acfc4.exe
File created	C:\Program Files\7-Zip\7zFM.exe.ghost	7804e09b2ba224bae06bf23ca2a8b8d668d58b828a8d5aadbbb21c3b7e2acfc4.exe
File created	C:\Program Files\Common Files\System\wab32.dll.ghost	7804e09b2ba224bae06bf23ca2a8b8d668d58b828a8d5aadbbb21c3b7e2acfc4.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\DataModel\Microsoft.Data.ConnectionUI.Dialog.dll.ghost	7804e09b2ba224bae06bf23ca2a8b8d668d58b828a8d5aadbbb21c3b7e2acfc4.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\fr\System.Windows.Forms.resources.dll.ghost	7804e09b2ba224bae06bf23ca2a8b8d668d58b828a8d5aadbbb21c3b7e2acfc4.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32Res.dll.ghost	7804e09b2ba224bae06bf23ca2a8b8d668d58b828a8d5aadbbb21c3b7e2acfc4.exe
File created	C:\Program Files\Microsoft Office\PackageManifests\AppXManifest.common.16.xml.ghost	7804e09b2ba224bae06bf23ca2a8b8d668d58b828a8d5aadbbb21c3b7e2acfc4.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\clrjit.dll.ghost	7804e09b2ba224bae06bf23ca2a8b8d668d58b828a8d5aadbbb21c3b7e2acfc4.exe
File created	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_73343\javaws.exe.ghost	7804e09b2ba224bae06bf23ca2a8b8d668d58b828a8d5aadbbb21c3b7e2acfc4.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX64\Microsoft Analysis Services\AS OLEDB\140\msolap.dll.ghost	7804e09b2ba224bae06bf23ca2a8b8d668d58b828a8d5aadbbb21c3b7e2acfc4.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Checkers.api.ghost	7804e09b2ba224bae06bf23ca2a8b8d668d58b828a8d5aadbbb21c3b7e2acfc4.exe
File created	C:\Program Files\Microsoft Office\root\Office16\mscss7en.dll.ghost	7804e09b2ba224bae06bf23ca2a8b8d668d58b828a8d5aadbbb21c3b7e2acfc4.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\System.Drawing.Common.dll.ghost	7804e09b2ba224bae06bf23ca2a8b8d668d58b828a8d5aadbbb21c3b7e2acfc4.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\pdf-ownership-rdr-de_de_2x.gif.ghost	7804e09b2ba224bae06bf23ca2a8b8d668d58b828a8d5aadbbb21c3b7e2acfc4.exe
File created	C:\Program Files\Microsoft Office\root\Office16\OCSCLIENTWIN32.DLL.ghost	7804e09b2ba224bae06bf23ca2a8b8d668d58b828a8d5aadbbb21c3b7e2acfc4.exe
File created	C:\Program Files\WindowsApps\Microsoft.MSPaint_6.1907.29027.0_x64__8wekyb3d8bbwe\TelemetryUWP.dll.ghost	7804e09b2ba224bae06bf23ca2a8b8d668d58b828a8d5aadbbb21c3b7e2acfc4.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ChakraCore.Debugger.dll.ghost	7804e09b2ba224bae06bf23ca2a8b8d668d58b828a8d5aadbbb21c3b7e2acfc4.exe
File created	C:\Program Files (x86)\Internet Explorer\ieinstal.exe.ghost	7804e09b2ba224bae06bf23ca2a8b8d668d58b828a8d5aadbbb21c3b7e2acfc4.exe
File created	C:\Program Files\Microsoft Office\root\Office16\IGX.DLL.ghost	7804e09b2ba224bae06bf23ca2a8b8d668d58b828a8d5aadbbb21c3b7e2acfc4.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Private.Xml.dll.ghost	7804e09b2ba224bae06bf23ca2a8b8d668d58b828a8d5aadbbb21c3b7e2acfc4.exe
File opened for modification	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\System.ServiceModel.dll.ghost	7804e09b2ba224bae06bf23ca2a8b8d668d58b828a8d5aadbbb21c3b7e2acfc4.exe
File created	C:\Program Files\WindowsApps\Microsoft.WindowsCamera_2018.826.98.0_x64__8wekyb3d8bbwe\CameraApp.Native.dll.ghost	7804e09b2ba224bae06bf23ca2a8b8d668d58b828a8d5aadbbb21c3b7e2acfc4.exe
File created	C:\Program Files\WindowsApps\Microsoft.MicrosoftOfficeHub_18.1903.1152.0_x64__8wekyb3d8bbwe\WinMetadata\Windows.winmd.ghost	7804e09b2ba224bae06bf23ca2a8b8d668d58b828a8d5aadbbb21c3b7e2acfc4.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\coreclr.dll.ghost	7804e09b2ba224bae06bf23ca2a8b8d668d58b828a8d5aadbbb21c3b7e2acfc4.exe
File created	C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\TrackingDLL.dll.ghost	7804e09b2ba224bae06bf23ca2a8b8d668d58b828a8d5aadbbb21c3b7e2acfc4.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\pdf-ownership-rdr-es_es_2x.gif.ghost	7804e09b2ba224bae06bf23ca2a8b8d668d58b828a8d5aadbbb21c3b7e2acfc4.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	4200	takeown.exe
Token: SeTakeOwnershipPrivilege	764	takeown.exe
Token: SeTakeOwnershipPrivilege	2652	takeown.exe
Token: SeTakeOwnershipPrivilege	748	takeown.exe
Token: SeTakeOwnershipPrivilege	752	takeown.exe
Token: SeTakeOwnershipPrivilege	3896	takeown.exe
Token: SeTakeOwnershipPrivilege	4888	takeown.exe
Token: SeTakeOwnershipPrivilege	4828	takeown.exe
Token: SeTakeOwnershipPrivilege	1168	takeown.exe
Token: SeTakeOwnershipPrivilege	4976	takeown.exe
Token: SeTakeOwnershipPrivilege	3424	takeown.exe
Token: SeTakeOwnershipPrivilege	4892	takeown.exe
Token: SeTakeOwnershipPrivilege	5032	takeown.exe
Token: SeTakeOwnershipPrivilege	2344	takeown.exe
Token: SeTakeOwnershipPrivilege	488	takeown.exe
Token: SeTakeOwnershipPrivilege	3280	takeown.exe
Token: SeTakeOwnershipPrivilege	2348	takeown.exe
Token: SeTakeOwnershipPrivilege	4800	takeown.exe
Token: SeTakeOwnershipPrivilege	2964	takeown.exe
Token: SeTakeOwnershipPrivilege	4336	takeown.exe
Token: SeTakeOwnershipPrivilege	748	takeown.exe
Token: SeTakeOwnershipPrivilege	1476	takeown.exe
Token: SeTakeOwnershipPrivilege	2004	takeown.exe
Token: SeTakeOwnershipPrivilege	4836	takeown.exe
Token: SeTakeOwnershipPrivilege	4912	takeown.exe
Token: SeTakeOwnershipPrivilege	3296	takeown.exe
Token: SeTakeOwnershipPrivilege	1284	takeown.exe
Token: SeTakeOwnershipPrivilege	368	takeown.exe
Token: SeTakeOwnershipPrivilege	2780	takeown.exe
Token: SeTakeOwnershipPrivilege	2348	takeown.exe
Token: SeTakeOwnershipPrivilege	4800	takeown.exe
Token: SeTakeOwnershipPrivilege	1752	takeown.exe
Token: SeTakeOwnershipPrivilege	4612	takeown.exe
Token: SeTakeOwnershipPrivilege	2428	takeown.exe
Token: SeTakeOwnershipPrivilege	2004	takeown.exe
Token: SeTakeOwnershipPrivilege	660	takeown.exe
Token: SeTakeOwnershipPrivilege	4160	takeown.exe
Token: SeTakeOwnershipPrivilege	1168	takeown.exe
Token: SeTakeOwnershipPrivilege	1940	takeown.exe
Token: SeTakeOwnershipPrivilege	3048	takeown.exe
Token: SeTakeOwnershipPrivilege	348	takeown.exe
Token: SeTakeOwnershipPrivilege	1104	takeown.exe
Token: SeTakeOwnershipPrivilege	3316	takeown.exe
Token: SeTakeOwnershipPrivilege	3360	takeown.exe
Token: SeTakeOwnershipPrivilege	2360	takeown.exe
Token: SeTakeOwnershipPrivilege	1100	takeown.exe
Token: SeTakeOwnershipPrivilege	4880	takeown.exe
Token: SeTakeOwnershipPrivilege	1988	takeown.exe
Token: SeTakeOwnershipPrivilege	464	takeown.exe
Token: SeTakeOwnershipPrivilege	436	takeown.exe
Token: SeTakeOwnershipPrivilege	1516	takeown.exe
Token: SeTakeOwnershipPrivilege	5112	takeown.exe
Token: SeTakeOwnershipPrivilege	1836	takeown.exe
Token: SeTakeOwnershipPrivilege	3304	takeown.exe
Token: SeTakeOwnershipPrivilege	5108	takeown.exe
Token: SeTakeOwnershipPrivilege	212	takeown.exe
Token: SeTakeOwnershipPrivilege	2340	takeown.exe
Token: SeTakeOwnershipPrivilege	1404	takeown.exe
Token: SeTakeOwnershipPrivilege	5072	takeown.exe
Token: SeTakeOwnershipPrivilege	1252	takeown.exe
Token: SeTakeOwnershipPrivilege	1616	takeown.exe
Token: SeTakeOwnershipPrivilege	4824	takeown.exe
Token: SeTakeOwnershipPrivilege	3684	takeown.exe
Token: SeTakeOwnershipPrivilege	8	takeown.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 952 wrote to memory of 868	952	7804e09b2ba224bae06bf23ca2a8b8d668d58b828a8d5aadbbb21c3b7e2acfc4.exe	101
PID 952 wrote to memory of 868	952	7804e09b2ba224bae06bf23ca2a8b8d668d58b828a8d5aadbbb21c3b7e2acfc4.exe	101
PID 868 wrote to memory of 4200	868	cmd.exe	103
PID 868 wrote to memory of 4200	868	cmd.exe	103
PID 952 wrote to memory of 4044	952	7804e09b2ba224bae06bf23ca2a8b8d668d58b828a8d5aadbbb21c3b7e2acfc4.exe	105
PID 952 wrote to memory of 4044	952	7804e09b2ba224bae06bf23ca2a8b8d668d58b828a8d5aadbbb21c3b7e2acfc4.exe	105
PID 4044 wrote to memory of 764	4044	cmd.exe	107
PID 4044 wrote to memory of 764	4044	cmd.exe	107
PID 952 wrote to memory of 2428	952	7804e09b2ba224bae06bf23ca2a8b8d668d58b828a8d5aadbbb21c3b7e2acfc4.exe	108
PID 952 wrote to memory of 2428	952	7804e09b2ba224bae06bf23ca2a8b8d668d58b828a8d5aadbbb21c3b7e2acfc4.exe	108
PID 2428 wrote to memory of 2652	2428	cmd.exe	110
PID 2428 wrote to memory of 2652	2428	cmd.exe	110
PID 952 wrote to memory of 4288	952	7804e09b2ba224bae06bf23ca2a8b8d668d58b828a8d5aadbbb21c3b7e2acfc4.exe	111
PID 952 wrote to memory of 4288	952	7804e09b2ba224bae06bf23ca2a8b8d668d58b828a8d5aadbbb21c3b7e2acfc4.exe	111
PID 4288 wrote to memory of 748	4288	cmd.exe	113
PID 4288 wrote to memory of 748	4288	cmd.exe	113
PID 952 wrote to memory of 1040	952	7804e09b2ba224bae06bf23ca2a8b8d668d58b828a8d5aadbbb21c3b7e2acfc4.exe	114
PID 952 wrote to memory of 1040	952	7804e09b2ba224bae06bf23ca2a8b8d668d58b828a8d5aadbbb21c3b7e2acfc4.exe	114
PID 1040 wrote to memory of 752	1040	cmd.exe	116
PID 1040 wrote to memory of 752	1040	cmd.exe	116
PID 952 wrote to memory of 4900	952	7804e09b2ba224bae06bf23ca2a8b8d668d58b828a8d5aadbbb21c3b7e2acfc4.exe	117
PID 952 wrote to memory of 4900	952	7804e09b2ba224bae06bf23ca2a8b8d668d58b828a8d5aadbbb21c3b7e2acfc4.exe	117
PID 4900 wrote to memory of 3896	4900	cmd.exe	119
PID 4900 wrote to memory of 3896	4900	cmd.exe	119
PID 952 wrote to memory of 4260	952	7804e09b2ba224bae06bf23ca2a8b8d668d58b828a8d5aadbbb21c3b7e2acfc4.exe	120
PID 952 wrote to memory of 4260	952	7804e09b2ba224bae06bf23ca2a8b8d668d58b828a8d5aadbbb21c3b7e2acfc4.exe	120
PID 4260 wrote to memory of 4888	4260	cmd.exe	122
PID 4260 wrote to memory of 4888	4260	cmd.exe	122
PID 952 wrote to memory of 4788	952	7804e09b2ba224bae06bf23ca2a8b8d668d58b828a8d5aadbbb21c3b7e2acfc4.exe	123
PID 952 wrote to memory of 4788	952	7804e09b2ba224bae06bf23ca2a8b8d668d58b828a8d5aadbbb21c3b7e2acfc4.exe	123
PID 4788 wrote to memory of 4828	4788	cmd.exe	125
PID 4788 wrote to memory of 4828	4788	cmd.exe	125
PID 952 wrote to memory of 4412	952	7804e09b2ba224bae06bf23ca2a8b8d668d58b828a8d5aadbbb21c3b7e2acfc4.exe	126
PID 952 wrote to memory of 4412	952	7804e09b2ba224bae06bf23ca2a8b8d668d58b828a8d5aadbbb21c3b7e2acfc4.exe	126
PID 4412 wrote to memory of 1168	4412	cmd.exe	128
PID 4412 wrote to memory of 1168	4412	cmd.exe	128
PID 952 wrote to memory of 984	952	7804e09b2ba224bae06bf23ca2a8b8d668d58b828a8d5aadbbb21c3b7e2acfc4.exe	129
PID 952 wrote to memory of 984	952	7804e09b2ba224bae06bf23ca2a8b8d668d58b828a8d5aadbbb21c3b7e2acfc4.exe	129
PID 984 wrote to memory of 4540	984	cmd.exe	131
PID 984 wrote to memory of 4540	984	cmd.exe	131
PID 952 wrote to memory of 1512	952	7804e09b2ba224bae06bf23ca2a8b8d668d58b828a8d5aadbbb21c3b7e2acfc4.exe	132
PID 952 wrote to memory of 1512	952	7804e09b2ba224bae06bf23ca2a8b8d668d58b828a8d5aadbbb21c3b7e2acfc4.exe	132
PID 1512 wrote to memory of 2780	1512	cmd.exe	134
PID 1512 wrote to memory of 2780	1512	cmd.exe	134
PID 952 wrote to memory of 3852	952	7804e09b2ba224bae06bf23ca2a8b8d668d58b828a8d5aadbbb21c3b7e2acfc4.exe	135
PID 952 wrote to memory of 3852	952	7804e09b2ba224bae06bf23ca2a8b8d668d58b828a8d5aadbbb21c3b7e2acfc4.exe	135
PID 3852 wrote to memory of 744	3852	cmd.exe	137
PID 3852 wrote to memory of 744	3852	cmd.exe	137
PID 952 wrote to memory of 1596	952	7804e09b2ba224bae06bf23ca2a8b8d668d58b828a8d5aadbbb21c3b7e2acfc4.exe	138
PID 952 wrote to memory of 1596	952	7804e09b2ba224bae06bf23ca2a8b8d668d58b828a8d5aadbbb21c3b7e2acfc4.exe	138
PID 1596 wrote to memory of 4536	1596	cmd.exe	140
PID 1596 wrote to memory of 4536	1596	cmd.exe	140
PID 952 wrote to memory of 3600	952	7804e09b2ba224bae06bf23ca2a8b8d668d58b828a8d5aadbbb21c3b7e2acfc4.exe	141
PID 952 wrote to memory of 3600	952	7804e09b2ba224bae06bf23ca2a8b8d668d58b828a8d5aadbbb21c3b7e2acfc4.exe	141
PID 3600 wrote to memory of 4984	3600	cmd.exe	143
PID 3600 wrote to memory of 4984	3600	cmd.exe	143
PID 952 wrote to memory of 1084	952	7804e09b2ba224bae06bf23ca2a8b8d668d58b828a8d5aadbbb21c3b7e2acfc4.exe	144
PID 952 wrote to memory of 1084	952	7804e09b2ba224bae06bf23ca2a8b8d668d58b828a8d5aadbbb21c3b7e2acfc4.exe	144
PID 1084 wrote to memory of 2448	1084	cmd.exe	146
PID 1084 wrote to memory of 2448	1084	cmd.exe	146
PID 952 wrote to memory of 2652	952	7804e09b2ba224bae06bf23ca2a8b8d668d58b828a8d5aadbbb21c3b7e2acfc4.exe	147
PID 952 wrote to memory of 2652	952	7804e09b2ba224bae06bf23ca2a8b8d668d58b828a8d5aadbbb21c3b7e2acfc4.exe	147
PID 2652 wrote to memory of 748	2652	cmd.exe	149
PID 2652 wrote to memory of 748	2652	cmd.exe	149

C:\Users\Admin\AppData\Local\Temp\7804e09b2ba224bae06bf23ca2a8b8d668d58b828a8d5aadbbb21c3b7e2acfc4.exe
"C:\Users\Admin\AppData\Local\Temp\7804e09b2ba224bae06bf23ca2a8b8d668d58b828a8d5aadbbb21c3b7e2acfc4.exe"
1⤵
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:952
- C:\Windows\system32\cmd.exe
  cmd /C TAKEOWN /F C:\Windows\servicing\TrustedInstaller.exe
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:868
- - C:\Windows\system32\takeown.exe
    TAKEOWN /F C:\Windows\servicing\TrustedInstaller.exe
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:4200
- C:\Windows\system32\cmd.exe
  cmd /C TAKEOWN /F "C:\Program Files (x86)\Common Files\Microsoft Shared\ink\mshwjpnr.dll"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4044
- - C:\Windows\system32\takeown.exe
    TAKEOWN /F "C:\Program Files (x86)\Common Files\Microsoft Shared\ink\mshwjpnr.dll"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:764
- C:\Windows\system32\cmd.exe
  cmd /C TAKEOWN /F "C:\Program Files\Common Files\microsoft shared\ink\mshwjpnr.dll"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2428
- - C:\Windows\system32\takeown.exe
    TAKEOWN /F "C:\Program Files\Common Files\microsoft shared\ink\mshwjpnr.dll"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2652
- C:\Windows\system32\cmd.exe
  cmd /C TAKEOWN /F "C:\Program Files\Common Files\microsoft shared\ink\mshwjpnr.dll"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4288
- - C:\Windows\system32\takeown.exe
    TAKEOWN /F "C:\Program Files\Common Files\microsoft shared\ink\mshwjpnr.dll"
    3⤵
    - Modifies file permissions
    - Suspicious use of AdjustPrivilegeToken
    PID:748
- C:\Windows\system32\cmd.exe
  cmd /C TAKEOWN /F "C:\Program Files\Common Files\microsoft shared\ink\mshwjpnr.dll"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1040
- - C:\Windows\system32\takeown.exe
    TAKEOWN /F "C:\Program Files\Common Files\microsoft shared\ink\mshwjpnr.dll"
    3⤵
    - Modifies file permissions
    - Suspicious use of AdjustPrivilegeToken
    PID:752
- C:\Windows\system32\cmd.exe
  cmd /C TAKEOWN /F "C:\Program Files (x86)\Common Files\Microsoft Shared\ink\mshwjpnr.dll"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4900
- - C:\Windows\system32\takeown.exe
    TAKEOWN /F "C:\Program Files (x86)\Common Files\Microsoft Shared\ink\mshwjpnr.dll"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:3896
- C:\Windows\system32\cmd.exe
  cmd /C TAKEOWN /F "C:\Program Files\Common Files\microsoft shared\ink\mshwjpnr.dll"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4260
- - C:\Windows\system32\takeown.exe
    TAKEOWN /F "C:\Program Files\Common Files\microsoft shared\ink\mshwjpnr.dll"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:4888
- C:\Windows\system32\cmd.exe
  cmd /C TAKEOWN /F "C:\Program Files (x86)\Common Files\Microsoft Shared\ink\mshwjpnr.dll"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4788
- - C:\Windows\system32\takeown.exe
    TAKEOWN /F "C:\Program Files (x86)\Common Files\Microsoft Shared\ink\mshwjpnr.dll"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:4828
- C:\Windows\system32\cmd.exe
  cmd /C TAKEOWN /F "C:\Program Files (x86)\Common Files\Microsoft Shared\ink\mshwjpnr.dll"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4412
- - C:\Windows\system32\takeown.exe
    TAKEOWN /F "C:\Program Files (x86)\Common Files\Microsoft Shared\ink\mshwjpnr.dll"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1168
- C:\Windows\system32\cmd.exe
  cmd /C TAKEOWN /F "C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:984
- - C:\Windows\system32\takeown.exe
    TAKEOWN /F "C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe"
    3⤵
    PID:4540
- C:\Windows\system32\cmd.exe
  cmd /C TAKEOWN /F "C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1512
- - C:\Windows\system32\takeown.exe
    TAKEOWN /F "C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe"
    3⤵
    PID:2780
- C:\Windows\system32\cmd.exe
  cmd /C TAKEOWN /F "C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3852
- - C:\Windows\system32\takeown.exe
    TAKEOWN /F "C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe"
    3⤵
    PID:744
- C:\Windows\system32\cmd.exe
  cmd /C TAKEOWN /F "C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1596
- - C:\Windows\system32\takeown.exe
    TAKEOWN /F "C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe"
    3⤵
    PID:4536
- C:\Windows\system32\cmd.exe
  cmd /C TAKEOWN /F C:\Users\Admin\AppData\Local\Temp\7804e09b2ba224bae06bf23ca2a8b8d668d58b828a8d5aadbbb21c3b7e2acfc4.exe
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3600
- - C:\Windows\system32\takeown.exe
    TAKEOWN /F C:\Users\Admin\AppData\Local\Temp\7804e09b2ba224bae06bf23ca2a8b8d668d58b828a8d5aadbbb21c3b7e2acfc4.exe
    3⤵
    PID:4984
- C:\Windows\system32\cmd.exe
  cmd /C TAKEOWN /F C:\Users\Admin\AppData\Local\Temp\7804e09b2ba224bae06bf23ca2a8b8d668d58b828a8d5aadbbb21c3b7e2acfc4.exe
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1084
- - C:\Windows\system32\takeown.exe
    TAKEOWN /F C:\Users\Admin\AppData\Local\Temp\7804e09b2ba224bae06bf23ca2a8b8d668d58b828a8d5aadbbb21c3b7e2acfc4.exe
    3⤵
    PID:2448
- C:\Windows\system32\cmd.exe
  cmd /C TAKEOWN /F C:\Users\Admin\AppData\Local\Temp\7804e09b2ba224bae06bf23ca2a8b8d668d58b828a8d5aadbbb21c3b7e2acfc4.exe
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2652
- - C:\Windows\system32\takeown.exe
    TAKEOWN /F C:\Users\Admin\AppData\Local\Temp\7804e09b2ba224bae06bf23ca2a8b8d668d58b828a8d5aadbbb21c3b7e2acfc4.exe
    3⤵
    PID:748
- C:\Windows\system32\cmd.exe
  cmd /C TAKEOWN /F C:\Users\Admin\AppData\Local\Temp\7804e09b2ba224bae06bf23ca2a8b8d668d58b828a8d5aadbbb21c3b7e2acfc4.exe
  2⤵
  PID:4988
- - C:\Windows\system32\takeown.exe
    TAKEOWN /F C:\Users\Admin\AppData\Local\Temp\7804e09b2ba224bae06bf23ca2a8b8d668d58b828a8d5aadbbb21c3b7e2acfc4.exe
    3⤵
    PID:1576
- C:\Windows\system32\cmd.exe
  cmd /C TAKEOWN /F "C:\Program Files\Common Files\microsoft shared\ink\hwrespsh.dat"
  2⤵
  PID:1572
- - C:\Windows\system32\takeown.exe
    TAKEOWN /F "C:\Program Files\Common Files\microsoft shared\ink\hwrespsh.dat"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:4976
- C:\Windows\system32\cmd.exe
  cmd /C TAKEOWN /F "C:\Program Files\Common Files\microsoft shared\ink\hwrespsh.dat"
  2⤵
  PID:3284
- - C:\Windows\system32\takeown.exe
    TAKEOWN /F "C:\Program Files\Common Files\microsoft shared\ink\hwrespsh.dat"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:3424
- C:\Windows\system32\cmd.exe
  cmd /C TAKEOWN /F "C:\Program Files\Common Files\microsoft shared\ink\hwrespsh.dat"
  2⤵
  PID:5060
- - C:\Windows\system32\takeown.exe
    TAKEOWN /F "C:\Program Files\Common Files\microsoft shared\ink\hwrespsh.dat"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:4892
- C:\Windows\system32\cmd.exe
  cmd /C TAKEOWN /F "C:\Program Files\Common Files\microsoft shared\ink\hwrespsh.dat"
  2⤵
  PID:3880
- - C:\Windows\system32\takeown.exe
    TAKEOWN /F "C:\Program Files\Common Files\microsoft shared\ink\hwrespsh.dat"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:5032
- C:\Windows\system32\cmd.exe
  cmd /C TAKEOWN /F "C:\Program Files\Common Files\microsoft shared\ink\hwritash.dat"
  2⤵
  PID:2176
- - C:\Windows\system32\takeown.exe
    TAKEOWN /F "C:\Program Files\Common Files\microsoft shared\ink\hwritash.dat"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2344
- C:\Windows\system32\cmd.exe
  cmd /C TAKEOWN /F "C:\Program Files\Common Files\microsoft shared\ink\hwritash.dat"
  2⤵
  PID:4572
- - C:\Windows\system32\takeown.exe
    TAKEOWN /F "C:\Program Files\Common Files\microsoft shared\ink\hwritash.dat"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:488
- C:\Windows\system32\cmd.exe
  cmd /C TAKEOWN /F "C:\Program Files\Common Files\microsoft shared\ink\hwritash.dat"
  2⤵
  PID:2180
- - C:\Windows\system32\takeown.exe
    TAKEOWN /F "C:\Program Files\Common Files\microsoft shared\ink\hwritash.dat"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:3280
- C:\Windows\system32\cmd.exe
  cmd /C TAKEOWN /F "C:\Program Files\Common Files\microsoft shared\ink\hwritash.dat"
  2⤵
  PID:212
- - C:\Windows\system32\takeown.exe
    TAKEOWN /F "C:\Program Files\Common Files\microsoft shared\ink\hwritash.dat"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2348
- C:\Windows\system32\cmd.exe
  cmd /C TAKEOWN /F "C:\Program Files\Common Files\microsoft shared\ink\hwrdeush.dat"
  2⤵
  PID:5072
- - C:\Windows\system32\takeown.exe
    TAKEOWN /F "C:\Program Files\Common Files\microsoft shared\ink\hwrdeush.dat"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:4800
- C:\Windows\system32\cmd.exe
  cmd /C TAKEOWN /F "C:\Program Files\Common Files\microsoft shared\ink\hwrdeush.dat"
  2⤵
  PID:3104
- - C:\Windows\system32\takeown.exe
    TAKEOWN /F "C:\Program Files\Common Files\microsoft shared\ink\hwrdeush.dat"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2964
- C:\Windows\system32\cmd.exe
  cmd /C TAKEOWN /F "C:\Program Files\Common Files\microsoft shared\ink\hwrdeush.dat"
  2⤵
  PID:3764
- - C:\Windows\system32\takeown.exe
    TAKEOWN /F "C:\Program Files\Common Files\microsoft shared\ink\hwrdeush.dat"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:4336
- C:\Windows\system32\cmd.exe
  cmd /C TAKEOWN /F "C:\Program Files\Common Files\microsoft shared\ink\hwrdeush.dat"
  2⤵
  PID:4044
- - C:\Windows\system32\takeown.exe
    TAKEOWN /F "C:\Program Files\Common Files\microsoft shared\ink\hwrdeush.dat"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:748
- C:\Windows\system32\cmd.exe
  cmd /C TAKEOWN /F "C:\Program Files\Common Files\microsoft shared\ink\mraut.dll"
  2⤵
  PID:4740
- - C:\Windows\system32\takeown.exe
    TAKEOWN /F "C:\Program Files\Common Files\microsoft shared\ink\mraut.dll"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1476
- C:\Windows\system32\cmd.exe
  cmd /C TAKEOWN /F "C:\Program Files\Common Files\microsoft shared\ink\mraut.dll"
  2⤵
  PID:1576
- - C:\Windows\system32\takeown.exe
    TAKEOWN /F "C:\Program Files\Common Files\microsoft shared\ink\mraut.dll"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2004
- C:\Windows\system32\cmd.exe
  cmd /C TAKEOWN /F "C:\Program Files\Common Files\microsoft shared\ink\mraut.dll"
  2⤵
  PID:696
- - C:\Windows\system32\takeown.exe
    TAKEOWN /F "C:\Program Files\Common Files\microsoft shared\ink\mraut.dll"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:4836
- C:\Windows\system32\cmd.exe
  cmd /C TAKEOWN /F "C:\Program Files\Common Files\microsoft shared\ink\mraut.dll"
  2⤵
  PID:3540
- - C:\Windows\system32\takeown.exe
    TAKEOWN /F "C:\Program Files\Common Files\microsoft shared\ink\mraut.dll"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:4912
- C:\Windows\system32\cmd.exe
  cmd /C TAKEOWN /F "C:\Program Files (x86)\Common Files\Microsoft Shared\ink\mraut.dll"
  2⤵
  PID:4828
- - C:\Windows\system32\takeown.exe
    TAKEOWN /F "C:\Program Files (x86)\Common Files\Microsoft Shared\ink\mraut.dll"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:3296
- C:\Windows\system32\cmd.exe
  cmd /C TAKEOWN /F "C:\Program Files (x86)\Common Files\Microsoft Shared\ink\mraut.dll"
  2⤵
  PID:4276
- - C:\Windows\system32\takeown.exe
    TAKEOWN /F "C:\Program Files (x86)\Common Files\Microsoft Shared\ink\mraut.dll"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1284
- C:\Windows\system32\cmd.exe
  cmd /C TAKEOWN /F "C:\Program Files (x86)\Common Files\Microsoft Shared\ink\mraut.dll"
  2⤵
  PID:3124
- - C:\Windows\system32\takeown.exe
    TAKEOWN /F "C:\Program Files (x86)\Common Files\Microsoft Shared\ink\mraut.dll"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:368
- C:\Windows\system32\cmd.exe
  cmd /C TAKEOWN /F "C:\Program Files (x86)\Common Files\Microsoft Shared\ink\mraut.dll"
  2⤵
  PID:3200
- - C:\Windows\system32\takeown.exe
    TAKEOWN /F "C:\Program Files (x86)\Common Files\Microsoft Shared\ink\mraut.dll"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2780
- C:\Windows\system32\cmd.exe
  cmd /C TAKEOWN /F "C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\System.ServiceModel.dll"
  2⤵
  PID:4516
- - C:\Windows\system32\takeown.exe
    TAKEOWN /F "C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\System.ServiceModel.dll"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2348
- C:\Windows\system32\cmd.exe
  cmd /C TAKEOWN /F "C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\System.ServiceModel.dll"
  2⤵
  PID:4420
- - C:\Windows\system32\takeown.exe
    TAKEOWN /F "C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\System.ServiceModel.dll"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:4800
- C:\Windows\system32\cmd.exe
  cmd /C TAKEOWN /F "C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\System.ServiceModel.dll"
  2⤵
  PID:5072
- - C:\Windows\system32\takeown.exe
    TAKEOWN /F "C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\System.ServiceModel.dll"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1752
- C:\Windows\system32\cmd.exe
  cmd /C TAKEOWN /F "C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\System.ServiceModel.dll"
  2⤵
  PID:3104
- - C:\Windows\system32\takeown.exe
    TAKEOWN /F "C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\System.ServiceModel.dll"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:4612
- C:\Windows\system32\cmd.exe
  cmd /C TAKEOWN /F "C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\System.ServiceModel.dll"
  2⤵
  PID:964
- - C:\Windows\system32\takeown.exe
    TAKEOWN /F "C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\System.ServiceModel.dll"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2428
- C:\Windows\system32\cmd.exe
  cmd /C TAKEOWN /F "C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\System.ServiceModel.dll"
  2⤵
  PID:4900
- - C:\Windows\system32\takeown.exe
    TAKEOWN /F "C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\System.ServiceModel.dll"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2004
- C:\Windows\system32\cmd.exe
  cmd /C TAKEOWN /F "C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\System.ServiceModel.dll"
  2⤵
  PID:5092
- - C:\Windows\system32\takeown.exe
    TAKEOWN /F "C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\System.ServiceModel.dll"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:660
- C:\Windows\system32\cmd.exe
  cmd /C TAKEOWN /F "C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\System.ServiceModel.dll"
  2⤵
  PID:2668
- - C:\Windows\system32\takeown.exe
    TAKEOWN /F "C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\System.ServiceModel.dll"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:4160
- C:\Windows\system32\cmd.exe
  cmd /C TAKEOWN /F "C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\PresentationFramework.dll"
  2⤵
  PID:5112
- - C:\Windows\system32\takeown.exe
    TAKEOWN /F "C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\PresentationFramework.dll"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1168
- C:\Windows\system32\cmd.exe
  cmd /C TAKEOWN /F "C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\PresentationFramework.dll"
  2⤵
  PID:1836
- - C:\Windows\system32\takeown.exe
    TAKEOWN /F "C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\PresentationFramework.dll"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1940
- C:\Windows\system32\cmd.exe
  cmd /C TAKEOWN /F "C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\PresentationFramework.dll"
  2⤵
  PID:3620
- - C:\Windows\system32\takeown.exe
    TAKEOWN /F "C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\PresentationFramework.dll"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:3048
- C:\Windows\system32\cmd.exe
  cmd /C TAKEOWN /F "C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\PresentationFramework.dll"
  2⤵
  PID:468
- - C:\Windows\system32\takeown.exe
    TAKEOWN /F "C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\PresentationFramework.dll"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:348
- C:\Windows\system32\cmd.exe
  cmd /C TAKEOWN /F "C:\Program Files\Common Files\microsoft shared\ink\hwrusash.dat"
  2⤵
  PID:4004
- - C:\Windows\system32\takeown.exe
    TAKEOWN /F "C:\Program Files\Common Files\microsoft shared\ink\hwrusash.dat"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1104
- C:\Windows\system32\cmd.exe
  cmd /C TAKEOWN /F "C:\Program Files\Common Files\microsoft shared\ink\hwrusash.dat"
  2⤵
  PID:4316
- - C:\Windows\system32\takeown.exe
    TAKEOWN /F "C:\Program Files\Common Files\microsoft shared\ink\hwrusash.dat"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:3316
- C:\Windows\system32\cmd.exe
  cmd /C TAKEOWN /F "C:\Program Files\Common Files\microsoft shared\ink\hwrusash.dat"
  2⤵
  PID:3852
- - C:\Windows\system32\takeown.exe
    TAKEOWN /F "C:\Program Files\Common Files\microsoft shared\ink\hwrusash.dat"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:3360
- C:\Windows\system32\cmd.exe
  cmd /C TAKEOWN /F "C:\Program Files\Common Files\microsoft shared\ink\hwrusash.dat"
  2⤵
  PID:2240
- - C:\Windows\system32\takeown.exe
    TAKEOWN /F "C:\Program Files\Common Files\microsoft shared\ink\hwrusash.dat"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2360
- C:\Windows\system32\cmd.exe
  cmd /C TAKEOWN /F "C:\Program Files\Common Files\microsoft shared\ink\hwrfrash.dat"
  2⤵
  PID:2964
- - C:\Windows\system32\takeown.exe
    TAKEOWN /F "C:\Program Files\Common Files\microsoft shared\ink\hwrfrash.dat"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1100
- C:\Windows\system32\cmd.exe
  cmd /C TAKEOWN /F "C:\Program Files\Common Files\microsoft shared\ink\hwrfrash.dat"
  2⤵
  PID:2292
- - C:\Windows\system32\takeown.exe
    TAKEOWN /F "C:\Program Files\Common Files\microsoft shared\ink\hwrfrash.dat"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:4880
- C:\Windows\system32\cmd.exe
  cmd /C TAKEOWN /F "C:\Program Files\Common Files\microsoft shared\ink\hwrfrash.dat"
  2⤵
  PID:4960
- - C:\Windows\system32\takeown.exe
    TAKEOWN /F "C:\Program Files\Common Files\microsoft shared\ink\hwrfrash.dat"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1988
- C:\Windows\system32\cmd.exe
  cmd /C TAKEOWN /F "C:\Program Files\Common Files\microsoft shared\ink\hwrfrash.dat"
  2⤵
  PID:1576
- - C:\Windows\system32\takeown.exe
    TAKEOWN /F "C:\Program Files\Common Files\microsoft shared\ink\hwrfrash.dat"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:464
- C:\Windows\system32\cmd.exe
  cmd /C TAKEOWN /F "C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\PresentationFramework.dll"
  2⤵
  PID:3064
- - C:\Windows\system32\takeown.exe
    TAKEOWN /F "C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\PresentationFramework.dll"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:436
- C:\Windows\system32\cmd.exe
  cmd /C TAKEOWN /F "C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\PresentationFramework.dll"
  2⤵
  PID:3284
- - C:\Windows\system32\takeown.exe
    TAKEOWN /F "C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\PresentationFramework.dll"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1516
- C:\Windows\system32\cmd.exe
  cmd /C TAKEOWN /F "C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\PresentationFramework.dll"
  2⤵
  PID:1520
- - C:\Windows\system32\takeown.exe
    TAKEOWN /F "C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\PresentationFramework.dll"
    3⤵
    - Modifies file permissions
    - Suspicious use of AdjustPrivilegeToken
    PID:5112
- C:\Windows\system32\cmd.exe
  cmd /C TAKEOWN /F "C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\PresentationFramework.dll"
  2⤵
  PID:2916
- - C:\Windows\system32\takeown.exe
    TAKEOWN /F "C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\PresentationFramework.dll"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1836
- C:\Windows\system32\cmd.exe
  cmd /C TAKEOWN /F "C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\PresentationCore.dll"
  2⤵
  PID:5004
- - C:\Windows\system32\takeown.exe
    TAKEOWN /F "C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\PresentationCore.dll"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:3304
- C:\Windows\system32\cmd.exe
  cmd /C TAKEOWN /F "C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\PresentationCore.dll"
  2⤵
  PID:468
- - C:\Windows\system32\takeown.exe
    TAKEOWN /F "C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\PresentationCore.dll"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:5108
- C:\Windows\system32\cmd.exe
  cmd /C TAKEOWN /F "C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\PresentationCore.dll"
  2⤵
  PID:4624
- - C:\Windows\system32\takeown.exe
    TAKEOWN /F "C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\PresentationCore.dll"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:212
- C:\Windows\system32\cmd.exe
  cmd /C TAKEOWN /F "C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\PresentationCore.dll"
  2⤵
  PID:3908
- - C:\Windows\system32\takeown.exe
    TAKEOWN /F "C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\PresentationCore.dll"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2340
- C:\Windows\system32\cmd.exe
  cmd /C TAKEOWN /F "C:\Program Files\Common Files\microsoft shared\ink\tabskb.dll"
  2⤵
  PID:5008
- - C:\Windows\system32\takeown.exe
    TAKEOWN /F "C:\Program Files\Common Files\microsoft shared\ink\tabskb.dll"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1404
- C:\Windows\system32\cmd.exe
  cmd /C TAKEOWN /F "C:\Program Files\Common Files\microsoft shared\ink\tabskb.dll"
  2⤵
  PID:3564
- - C:\Windows\system32\takeown.exe
    TAKEOWN /F "C:\Program Files\Common Files\microsoft shared\ink\tabskb.dll"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:5072
- C:\Windows\system32\cmd.exe
  cmd /C TAKEOWN /F "C:\Program Files\Common Files\microsoft shared\ink\tabskb.dll"
  2⤵
  PID:3720
- - C:\Windows\system32\takeown.exe
    TAKEOWN /F "C:\Program Files\Common Files\microsoft shared\ink\tabskb.dll"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1252
- C:\Windows\system32\cmd.exe
  cmd /C TAKEOWN /F "C:\Program Files\Common Files\microsoft shared\ink\tabskb.dll"
  2⤵
  PID:5056
- - C:\Windows\system32\takeown.exe
    TAKEOWN /F "C:\Program Files\Common Files\microsoft shared\ink\tabskb.dll"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1616
- C:\Windows\system32\cmd.exe
  cmd /C TAKEOWN /F "C:\Program Files\Common Files\microsoft shared\ClickToRun\RepoMan.dll"
  2⤵
  PID:3692
- - C:\Windows\system32\takeown.exe
    TAKEOWN /F "C:\Program Files\Common Files\microsoft shared\ClickToRun\RepoMan.dll"
    3⤵
    PID:4988
- C:\Windows\system32\cmd.exe
  cmd /C TAKEOWN /F "C:\Program Files\Common Files\microsoft shared\ClickToRun\RepoMan.dll"
  2⤵
  PID:3800
- - C:\Windows\system32\takeown.exe
    TAKEOWN /F "C:\Program Files\Common Files\microsoft shared\ClickToRun\RepoMan.dll"
    3⤵
    - Modifies file permissions
    PID:4900
- C:\Windows\system32\cmd.exe
  cmd /C TAKEOWN /F "C:\Program Files\Common Files\microsoft shared\ClickToRun\RepoMan.dll"
  2⤵
  PID:2376
- - C:\Windows\system32\takeown.exe
    TAKEOWN /F "C:\Program Files\Common Files\microsoft shared\ClickToRun\RepoMan.dll"
    3⤵
    PID:1572
- C:\Windows\system32\cmd.exe
  cmd /C TAKEOWN /F "C:\Program Files\Common Files\microsoft shared\ClickToRun\RepoMan.dll"
  2⤵
  PID:3540
- - C:\Windows\system32\takeown.exe
    TAKEOWN /F "C:\Program Files\Common Files\microsoft shared\ClickToRun\RepoMan.dll"
    3⤵
    PID:2736
- C:\Windows\system32\cmd.exe
  cmd /C TAKEOWN /F "C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\PresentationCore.dll"
  2⤵
  PID:2548
- - C:\Windows\system32\takeown.exe
    TAKEOWN /F "C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\PresentationCore.dll"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:4824
- C:\Windows\system32\cmd.exe
  cmd /C TAKEOWN /F "C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\PresentationCore.dll"
  2⤵
  PID:3948
- - C:\Windows\system32\takeown.exe
    TAKEOWN /F "C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\PresentationCore.dll"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:3684
- C:\Windows\system32\cmd.exe
  cmd /C TAKEOWN /F "C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\PresentationCore.dll"
  2⤵
  PID:1408
- - C:\Windows\system32\takeown.exe
    TAKEOWN /F "C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\PresentationCore.dll"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:8
- C:\Windows\system32\cmd.exe
  cmd /C TAKEOWN /F "C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\PresentationCore.dll"
  2⤵
  PID:1604
- - C:\Windows\system32\takeown.exe
    TAKEOWN /F "C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\PresentationCore.dll"
    3⤵
    - Modifies file permissions
    PID:2176
- C:\Windows\system32\cmd.exe
  cmd /C TAKEOWN /F "C:\Program Files\Common Files\microsoft shared\ClickToRun\StreamServer.dll"
  2⤵
  PID:3048
- - C:\Windows\system32\takeown.exe
    TAKEOWN /F "C:\Program Files\Common Files\microsoft shared\ClickToRun\StreamServer.dll"
    3⤵
    PID:4464
- C:\Windows\system32\cmd.exe
  cmd /C TAKEOWN /F "C:\Program Files\Common Files\microsoft shared\ClickToRun\StreamServer.dll"
  2⤵
  PID:1612
- - C:\Windows\system32\takeown.exe
    TAKEOWN /F "C:\Program Files\Common Files\microsoft shared\ClickToRun\StreamServer.dll"
    3⤵
    PID:2308
- C:\Windows\system32\cmd.exe
  cmd /C TAKEOWN /F "C:\Program Files\Common Files\microsoft shared\ClickToRun\StreamServer.dll"
  2⤵
  PID:3316
- - C:\Windows\system32\takeown.exe
    TAKEOWN /F "C:\Program Files\Common Files\microsoft shared\ClickToRun\StreamServer.dll"
    3⤵
    PID:1624
- C:\Windows\system32\cmd.exe
  cmd /C TAKEOWN /F "C:\Program Files\Common Files\microsoft shared\ClickToRun\StreamServer.dll"
  2⤵
  PID:4420
- - C:\Windows\system32\takeown.exe
    TAKEOWN /F "C:\Program Files\Common Files\microsoft shared\ClickToRun\StreamServer.dll"
    3⤵
    PID:3852
- C:\Windows\system32\cmd.exe
  cmd /C TAKEOWN /F "C:\Program Files\Common Files\microsoft shared\ink\dicjp.bin"
  2⤵
  PID:4336
- - C:\Windows\system32\takeown.exe
    TAKEOWN /F "C:\Program Files\Common Files\microsoft shared\ink\dicjp.bin"
    3⤵
    PID:4844
- C:\Windows\system32\cmd.exe
  cmd /C TAKEOWN /F "C:\Program Files\Common Files\microsoft shared\ink\dicjp.bin"
  2⤵
  PID:1768
- - C:\Windows\system32\takeown.exe
    TAKEOWN /F "C:\Program Files\Common Files\microsoft shared\ink\dicjp.bin"
    3⤵
    PID:3104
- C:\Windows\system32\cmd.exe
  cmd /C TAKEOWN /F "C:\Program Files\Common Files\microsoft shared\ink\dicjp.bin"
  2⤵
  PID:1100
- - C:\Windows\system32\takeown.exe
    TAKEOWN /F "C:\Program Files\Common Files\microsoft shared\ink\dicjp.bin"
    3⤵
    PID:4468
- C:\Windows\system32\cmd.exe
  cmd /C TAKEOWN /F "C:\Program Files\Common Files\microsoft shared\ink\dicjp.bin"
  2⤵
  PID:1040
- - C:\Windows\system32\takeown.exe
    TAKEOWN /F "C:\Program Files\Common Files\microsoft shared\ink\dicjp.bin"
    3⤵
    PID:3276
- C:\Windows\system32\cmd.exe
  cmd /C TAKEOWN /F "C:\Program Files\Windows NT\Accessories\wordpad.exe"
  2⤵
  PID:3540
- - C:\Windows\system32\takeown.exe
    TAKEOWN /F "C:\Program Files\Windows NT\Accessories\wordpad.exe"
    3⤵
    PID:2520
- C:\Windows\system32\cmd.exe
  cmd /C TAKEOWN /F "C:\Program Files\Windows NT\Accessories\wordpad.exe"
  2⤵
  PID:4824
- - C:\Windows\system32\takeown.exe
    TAKEOWN /F "C:\Program Files\Windows NT\Accessories\wordpad.exe"
    3⤵
    PID:2392
- C:\Windows\system32\cmd.exe
  cmd /C TAKEOWN /F "C:\Program Files\Windows NT\Accessories\wordpad.exe"
  2⤵
  PID:5112
- - C:\Windows\system32\takeown.exe
    TAKEOWN /F "C:\Program Files\Windows NT\Accessories\wordpad.exe"
    3⤵
    PID:984
- C:\Windows\system32\cmd.exe
  cmd /C TAKEOWN /F "C:\Program Files\Windows NT\Accessories\wordpad.exe"
  2⤵
  PID:8
- - C:\Windows\system32\takeown.exe
    TAKEOWN /F "C:\Program Files\Windows NT\Accessories\wordpad.exe"
    3⤵
    PID:1512
- C:\Windows\system32\cmd.exe
  cmd /C TAKEOWN /F "C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\System.Data.Entity.dll"
  2⤵
  PID:2780
- - C:\Windows\system32\takeown.exe
    TAKEOWN /F "C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\System.Data.Entity.dll"
    3⤵
    PID:4056
- C:\Windows\system32\cmd.exe
  cmd /C TAKEOWN /F "C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\System.Data.Entity.dll"
  2⤵
  PID:2348
- - C:\Windows\system32\takeown.exe
    TAKEOWN /F "C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\System.Data.Entity.dll"
    3⤵
    PID:4064
- C:\Windows\system32\cmd.exe
  cmd /C TAKEOWN /F "C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\System.Data.Entity.dll"
  2⤵
  PID:3908
- - C:\Windows\system32\takeown.exe
    TAKEOWN /F "C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\System.Data.Entity.dll"
    3⤵
    PID:3256
- C:\Windows\system32\cmd.exe
  cmd /C TAKEOWN /F "C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\System.Data.Entity.dll"
  2⤵
  PID:3360
- - C:\Windows\system32\takeown.exe
    TAKEOWN /F "C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\System.Data.Entity.dll"
    3⤵
    PID:980
- C:\Windows\system32\cmd.exe
  cmd /C TAKEOWN /F "C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\System.Data.Entity.dll"
  2⤵
  PID:4872
- - C:\Windows\system32\takeown.exe
    TAKEOWN /F "C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\System.Data.Entity.dll"
    3⤵
    PID:1752
- C:\Windows\system32\cmd.exe
  cmd /C TAKEOWN /F "C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\System.Data.Entity.dll"
  2⤵
  PID:4336
- - C:\Windows\system32\takeown.exe
    TAKEOWN /F "C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\System.Data.Entity.dll"
    3⤵
    - Modifies file permissions
    PID:3440
- C:\Windows\system32\cmd.exe
  cmd /C TAKEOWN /F "C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\System.Data.Entity.dll"
  2⤵
  PID:3104
- - C:\Windows\system32\takeown.exe
    TAKEOWN /F "C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\System.Data.Entity.dll"
    3⤵
    PID:4444
- C:\Windows\system32\cmd.exe
  cmd /C TAKEOWN /F "C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\System.Data.Entity.dll"
  2⤵
  PID:1152
- - C:\Windows\system32\takeown.exe
    TAKEOWN /F "C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\System.Data.Entity.dll"
    3⤵
    PID:2004
- C:\Windows\system32\cmd.exe
  cmd /C TAKEOWN /F "C:\Program Files (x86)\Windows NT\Accessories\wordpad.exe"
  2⤵
  PID:3276
- - C:\Windows\system32\takeown.exe
    TAKEOWN /F "C:\Program Files (x86)\Windows NT\Accessories\wordpad.exe"
    3⤵
    PID:4288
- C:\Windows\system32\cmd.exe
  cmd /C TAKEOWN /F "C:\Program Files (x86)\Windows NT\Accessories\wordpad.exe"
  2⤵
  PID:5016
- - C:\Windows\system32\takeown.exe
    TAKEOWN /F "C:\Program Files (x86)\Windows NT\Accessories\wordpad.exe"
    3⤵
    PID:2804
- C:\Windows\system32\cmd.exe
  cmd /C TAKEOWN /F "C:\Program Files (x86)\Windows NT\Accessories\wordpad.exe"
  2⤵
  PID:2736
- - C:\Windows\system32\takeown.exe
    TAKEOWN /F "C:\Program Files (x86)\Windows NT\Accessories\wordpad.exe"
    3⤵
    PID:3728
- C:\Windows\system32\cmd.exe
  cmd /C TAKEOWN /F "C:\Program Files (x86)\Windows NT\Accessories\wordpad.exe"
  2⤵
  PID:3540
- - C:\Windows\system32\takeown.exe
    TAKEOWN /F "C:\Program Files (x86)\Windows NT\Accessories\wordpad.exe"
    3⤵
    PID:760
- C:\Windows\system32\cmd.exe
  cmd /C TAKEOWN /F "C:\Program Files\Common Files\microsoft shared\ink\hwrlatinlm.dat"
  2⤵
  PID:4200
- - C:\Windows\system32\takeown.exe
    TAKEOWN /F "C:\Program Files\Common Files\microsoft shared\ink\hwrlatinlm.dat"
    3⤵
    - Modifies file permissions
    PID:3696
- C:\Windows\system32\cmd.exe
  cmd /C TAKEOWN /F "C:\Program Files\Common Files\microsoft shared\ink\hwrlatinlm.dat"
  2⤵
  PID:8
- - C:\Windows\system32\takeown.exe
    TAKEOWN /F "C:\Program Files\Common Files\microsoft shared\ink\hwrlatinlm.dat"
    3⤵
    PID:5108
- C:\Windows\system32\cmd.exe
  cmd /C TAKEOWN /F "C:\Program Files\Common Files\microsoft shared\ink\hwrlatinlm.dat"
  2⤵
  PID:1436
- - C:\Windows\system32\takeown.exe
    TAKEOWN /F "C:\Program Files\Common Files\microsoft shared\ink\hwrlatinlm.dat"
    3⤵
    PID:5004
- C:\Windows\system32\cmd.exe
  cmd /C TAKEOWN /F "C:\Program Files\Common Files\microsoft shared\ink\hwrlatinlm.dat"
  2⤵
  PID:4700
- - C:\Windows\system32\takeown.exe
    TAKEOWN /F "C:\Program Files\Common Files\microsoft shared\ink\hwrlatinlm.dat"
    3⤵
    PID:3632
- C:\Windows\system32\cmd.exe
  cmd /C TAKEOWN /F "C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVIntegration.dll"
  2⤵
  PID:4024
- - C:\Windows\system32\takeown.exe
    TAKEOWN /F "C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVIntegration.dll"
    3⤵
    PID:1624
- C:\Windows\system32\cmd.exe
  cmd /C TAKEOWN /F "C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVIntegration.dll"
  2⤵
  PID:2928
- - C:\Windows\system32\takeown.exe
    TAKEOWN /F "C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVIntegration.dll"
    3⤵
    PID:4240
- C:\Windows\system32\cmd.exe
  cmd /C TAKEOWN /F "C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVIntegration.dll"
  2⤵
  PID:2360
- - C:\Windows\system32\takeown.exe
    TAKEOWN /F "C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVIntegration.dll"
    3⤵
    PID:4872
- C:\Windows\system32\cmd.exe
  cmd /C TAKEOWN /F "C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVIntegration.dll"
  2⤵
  PID:1480
- - C:\Windows\system32\takeown.exe
    TAKEOWN /F "C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVIntegration.dll"
    3⤵
    PID:3812
- C:\Windows\system32\cmd.exe
  cmd /C TAKEOWN /F "C:\Program Files\Windows Photo Viewer\ImagingEngine.dll"
  2⤵
  PID:3104
- - C:\Windows\system32\takeown.exe
    TAKEOWN /F "C:\Program Files\Windows Photo Viewer\ImagingEngine.dll"
    3⤵
    - Modifies file permissions
    PID:3692
- C:\Windows\system32\cmd.exe
  cmd /C TAKEOWN /F "C:\Program Files\Windows Photo Viewer\ImagingEngine.dll"
  2⤵
  PID:4468
- - C:\Windows\system32\takeown.exe
    TAKEOWN /F "C:\Program Files\Windows Photo Viewer\ImagingEngine.dll"
    3⤵
    PID:1576
- C:\Windows\system32\cmd.exe
  cmd /C TAKEOWN /F "C:\Program Files\Windows Photo Viewer\ImagingEngine.dll"
  2⤵
  PID:4888
- - C:\Windows\system32\takeown.exe
    TAKEOWN /F "C:\Program Files\Windows Photo Viewer\ImagingEngine.dll"
    3⤵
    PID:3064
- C:\Windows\system32\cmd.exe
  cmd /C TAKEOWN /F "C:\Program Files\Windows Photo Viewer\ImagingEngine.dll"
  2⤵
  PID:2540
- - C:\Windows\system32\takeown.exe
    TAKEOWN /F "C:\Program Files\Windows Photo Viewer\ImagingEngine.dll"
    3⤵
    PID:2724
- C:\Windows\system32\cmd.exe
  cmd /C TAKEOWN /F "C:\Program Files\Common Files\microsoft shared\ink\hwrdeulm.dat"
  2⤵
  PID:232
- - C:\Windows\system32\takeown.exe
    TAKEOWN /F "C:\Program Files\Common Files\microsoft shared\ink\hwrdeulm.dat"
    3⤵
    PID:924
- C:\Windows\system32\cmd.exe
  cmd /C TAKEOWN /F "C:\Program Files\Common Files\microsoft shared\ink\hwrdeulm.dat"
  2⤵
  PID:2392
- - C:\Windows\system32\takeown.exe
    TAKEOWN /F "C:\Program Files\Common Files\microsoft shared\ink\hwrdeulm.dat"
    3⤵
    PID:4588
- C:\Windows\system32\cmd.exe
  cmd /C TAKEOWN /F "C:\Program Files\Common Files\microsoft shared\ink\hwrdeulm.dat"
  2⤵
  PID:5112
- - C:\Windows\system32\takeown.exe
    TAKEOWN /F "C:\Program Files\Common Files\microsoft shared\ink\hwrdeulm.dat"
    3⤵
    PID:752
- C:\Windows\system32\cmd.exe
  cmd /C TAKEOWN /F "C:\Program Files\Common Files\microsoft shared\ink\hwrdeulm.dat"
  2⤵
  PID:4252
- - C:\Windows\system32\takeown.exe
    TAKEOWN /F "C:\Program Files\Common Files\microsoft shared\ink\hwrdeulm.dat"
    3⤵
    PID:3164
- C:\Windows\system32\cmd.exe
  cmd /C TAKEOWN /F "C:\Program Files\Common Files\microsoft shared\ink\hwrdeslm.dat"
  2⤵
  PID:4928
- - C:\Windows\system32\takeown.exe
    TAKEOWN /F "C:\Program Files\Common Files\microsoft shared\ink\hwrdeslm.dat"
    3⤵
    PID:3944
- C:\Windows\system32\cmd.exe
  cmd /C TAKEOWN /F "C:\Program Files\Common Files\microsoft shared\ink\hwrdeslm.dat"
  2⤵
  PID:5004
- - C:\Windows\system32\takeown.exe
    TAKEOWN /F "C:\Program Files\Common Files\microsoft shared\ink\hwrdeslm.dat"
    3⤵
    PID:4064
- C:\Windows\system32\cmd.exe
  cmd /C TAKEOWN /F "C:\Program Files\Common Files\microsoft shared\ink\hwrdeslm.dat"
  2⤵
  PID:2340
- - C:\Windows\system32\takeown.exe
    TAKEOWN /F "C:\Program Files\Common Files\microsoft shared\ink\hwrdeslm.dat"
    3⤵
    PID:4832
- C:\Windows\system32\cmd.exe
  cmd /C TAKEOWN /F "C:\Program Files\Common Files\microsoft shared\ink\hwrdeslm.dat"
  2⤵
  PID:2904
- - C:\Windows\system32\takeown.exe
    TAKEOWN /F "C:\Program Files\Common Files\microsoft shared\ink\hwrdeslm.dat"
    3⤵
    PID:1308
- C:\Windows\system32\cmd.exe
  cmd /C TAKEOWN /F "C:\Program Files\Common Files\microsoft shared\ink\InkObj.dll"
  2⤵
  PID:4616
- - C:\Windows\system32\takeown.exe
    TAKEOWN /F "C:\Program Files\Common Files\microsoft shared\ink\InkObj.dll"
    3⤵
    PID:2964
- C:\Windows\system32\cmd.exe
  cmd /C TAKEOWN /F "C:\Program Files\Common Files\microsoft shared\ink\InkObj.dll"
  2⤵
  PID:3440
- - C:\Windows\system32\takeown.exe
    TAKEOWN /F "C:\Program Files\Common Files\microsoft shared\ink\InkObj.dll"
    3⤵
    - Modifies file permissions
    PID:4740
- C:\Windows\system32\cmd.exe
  cmd /C TAKEOWN /F "C:\Program Files\Common Files\microsoft shared\ink\InkObj.dll"
  2⤵
  PID:2652
- - C:\Windows\system32\takeown.exe
    TAKEOWN /F "C:\Program Files\Common Files\microsoft shared\ink\InkObj.dll"
    3⤵
    PID:5056
- C:\Windows\system32\cmd.exe
  cmd /C TAKEOWN /F "C:\Program Files\Common Files\microsoft shared\ink\InkObj.dll"
  2⤵
  PID:3800
- - C:\Windows\system32\takeown.exe
    TAKEOWN /F "C:\Program Files\Common Files\microsoft shared\ink\InkObj.dll"
    3⤵
    PID:848
- C:\Windows\system32\cmd.exe
  cmd /C TAKEOWN /F "C:\Program Files\Windows Photo Viewer\PhotoAcq.dll"
  2⤵
  PID:4496
- - C:\Windows\system32\takeown.exe
    TAKEOWN /F "C:\Program Files\Windows Photo Viewer\PhotoAcq.dll"
    3⤵
    - Modifies file permissions
    PID:1828
- C:\Windows\system32\cmd.exe
  cmd /C TAKEOWN /F "C:\Program Files\Windows Photo Viewer\PhotoAcq.dll"
  2⤵
  PID:2992
- - C:\Windows\system32\takeown.exe
    TAKEOWN /F "C:\Program Files\Windows Photo Viewer\PhotoAcq.dll"
    3⤵
    - Modifies file permissions
    PID:5016
- C:\Windows\system32\cmd.exe
  cmd /C TAKEOWN /F "C:\Program Files\Windows Photo Viewer\PhotoAcq.dll"
  2⤵
  PID:2724
- - C:\Windows\system32\takeown.exe
    TAKEOWN /F "C:\Program Files\Windows Photo Viewer\PhotoAcq.dll"
    3⤵
    PID:4160
- C:\Windows\system32\cmd.exe
  cmd /C TAKEOWN /F "C:\Program Files\Windows Photo Viewer\PhotoAcq.dll"
  2⤵
  PID:4216
- - C:\Windows\system32\takeown.exe
    TAKEOWN /F "C:\Program Files\Windows Photo Viewer\PhotoAcq.dll"
    3⤵
    PID:3924
- C:\Windows\system32\cmd.exe
  cmd /C TAKEOWN /F "C:\Program Files (x86)\Windows Photo Viewer\ImagingEngine.dll"
  2⤵
  PID:368
- - C:\Windows\system32\takeown.exe
    TAKEOWN /F "C:\Program Files (x86)\Windows Photo Viewer\ImagingEngine.dll"
    3⤵
    - Modifies file permissions
    PID:5112
- C:\Windows\system32\cmd.exe
  cmd /C TAKEOWN /F "C:\Program Files (x86)\Windows Photo Viewer\ImagingEngine.dll"
  2⤵
  PID:2344
- - C:\Windows\system32\takeown.exe
    TAKEOWN /F "C:\Program Files (x86)\Windows Photo Viewer\ImagingEngine.dll"
    3⤵
    PID:4252
- C:\Windows\system32\cmd.exe
  cmd /C TAKEOWN /F "C:\Program Files (x86)\Windows Photo Viewer\ImagingEngine.dll"
  2⤵
  PID:3528
- - C:\Windows\system32\takeown.exe
    TAKEOWN /F "C:\Program Files (x86)\Windows Photo Viewer\ImagingEngine.dll"
    3⤵
    PID:4796
- C:\Windows\system32\cmd.exe
  cmd /C TAKEOWN /F "C:\Program Files (x86)\Windows Photo Viewer\ImagingEngine.dll"
  2⤵
  PID:4928
- - C:\Windows\system32\takeown.exe
    TAKEOWN /F "C:\Program Files (x86)\Windows Photo Viewer\ImagingEngine.dll"
    3⤵
    PID:1572
- C:\Windows\system32\cmd.exe
  cmd /C TAKEOWN /F "C:\Program Files\Windows Media Player\setup_wm.exe"
  2⤵
  PID:1716
- - C:\Windows\system32\takeown.exe
    TAKEOWN /F "C:\Program Files\Windows Media Player\setup_wm.exe"
    3⤵
    PID:3908
- C:\Windows\system32\cmd.exe
  cmd /C TAKEOWN /F "C:\Program Files\Windows Media Player\setup_wm.exe"
  2⤵
  PID:5008
- - C:\Windows\system32\takeown.exe
    TAKEOWN /F "C:\Program Files\Windows Media Player\setup_wm.exe"
    3⤵
    PID:2544
- C:\Windows\system32\cmd.exe
  cmd /C TAKEOWN /F "C:\Program Files\Windows Media Player\setup_wm.exe"
  2⤵
  PID:3952
- - C:\Windows\system32\takeown.exe
    TAKEOWN /F "C:\Program Files\Windows Media Player\setup_wm.exe"
    3⤵
    - Modifies file permissions
    PID:4600
- C:\Windows\system32\cmd.exe
  cmd /C TAKEOWN /F "C:\Program Files\Windows Media Player\setup_wm.exe"
  2⤵
  PID:4172
- - C:\Windows\system32\takeown.exe
    TAKEOWN /F "C:\Program Files\Windows Media Player\setup_wm.exe"
    3⤵
    PID:556
- C:\Windows\system32\cmd.exe
  cmd /C TAKEOWN /F "C:\Program Files\Common Files\microsoft shared\ClickToRun\msix.dll"
  2⤵
  PID:964
- - C:\Windows\system32\takeown.exe
    TAKEOWN /F "C:\Program Files\Common Files\microsoft shared\ClickToRun\msix.dll"
    3⤵
    PID:2004
- C:\Windows\system32\cmd.exe
  cmd /C TAKEOWN /F "C:\Program Files\Common Files\microsoft shared\ClickToRun\msix.dll"
  2⤵
  PID:3692
- - C:\Windows\system32\takeown.exe
    TAKEOWN /F "C:\Program Files\Common Files\microsoft shared\ClickToRun\msix.dll"
    3⤵
    PID:3000
- C:\Windows\system32\cmd.exe
  cmd /C TAKEOWN /F "C:\Program Files\Common Files\microsoft shared\ClickToRun\msix.dll"
  2⤵
  PID:1360
- - C:\Windows\system32\takeown.exe
    TAKEOWN /F "C:\Program Files\Common Files\microsoft shared\ClickToRun\msix.dll"
    3⤵
    PID:1064
- C:\Windows\system32\cmd.exe
  cmd /C TAKEOWN /F "C:\Program Files\Common Files\microsoft shared\ClickToRun\msix.dll"
  2⤵
  PID:3896
- - C:\Windows\system32\takeown.exe
    TAKEOWN /F "C:\Program Files\Common Files\microsoft shared\ClickToRun\msix.dll"
    3⤵
    PID:1132
- C:\Windows\system32\cmd.exe
  cmd /C TAKEOWN /F "C:\Program Files (x86)\Windows Media Player\setup_wm.exe"
  2⤵
  PID:4560
- - C:\Windows\system32\takeown.exe
    TAKEOWN /F "C:\Program Files (x86)\Windows Media Player\setup_wm.exe"
    3⤵
    PID:868
- C:\Windows\system32\cmd.exe
  cmd /C TAKEOWN /F "C:\Program Files (x86)\Windows Media Player\setup_wm.exe"
  2⤵
  PID:2776
- - C:\Windows\system32\takeown.exe
    TAKEOWN /F "C:\Program Files (x86)\Windows Media Player\setup_wm.exe"
    3⤵
    PID:3948
- C:\Windows\system32\cmd.exe
  cmd /C TAKEOWN /F "C:\Program Files (x86)\Windows Media Player\setup_wm.exe"
  2⤵
  PID:3296
- - C:\Windows\system32\takeown.exe
    TAKEOWN /F "C:\Program Files (x86)\Windows Media Player\setup_wm.exe"
    3⤵
    PID:1836
- C:\Windows\system32\cmd.exe
  cmd /C TAKEOWN /F "C:\Program Files (x86)\Windows Media Player\setup_wm.exe"
  2⤵
  PID:4588
- - C:\Windows\system32\takeown.exe
    TAKEOWN /F "C:\Program Files (x86)\Windows Media Player\setup_wm.exe"
    3⤵
    PID:1728
- C:\Windows\system32\cmd.exe
  cmd /C TAKEOWN /F "C:\Program Files\Windows Photo Viewer\PhotoViewer.dll"
  2⤵
  PID:3848
- - C:\Windows\system32\takeown.exe
    TAKEOWN /F "C:\Program Files\Windows Photo Viewer\PhotoViewer.dll"
    3⤵
    PID:2280
- C:\Windows\system32\cmd.exe
  cmd /C TAKEOWN /F "C:\Program Files\Windows Photo Viewer\PhotoViewer.dll"
  2⤵
  PID:4464
- - C:\Windows\system32\takeown.exe
    TAKEOWN /F "C:\Program Files\Windows Photo Viewer\PhotoViewer.dll"
    3⤵
    - Modifies file permissions
    PID:212
- C:\Windows\system32\cmd.exe
  cmd /C TAKEOWN /F "C:\Program Files\Windows Photo Viewer\PhotoViewer.dll"
  2⤵
  PID:932
- - C:\Windows\system32\takeown.exe
    TAKEOWN /F "C:\Program Files\Windows Photo Viewer\PhotoViewer.dll"
    3⤵
    PID:4536
- C:\Windows\system32\cmd.exe
  cmd /C TAKEOWN /F "C:\Program Files\Windows Photo Viewer\PhotoViewer.dll"
  2⤵
  PID:1612
- - C:\Windows\system32\takeown.exe
    TAKEOWN /F "C:\Program Files\Windows Photo Viewer\PhotoViewer.dll"
    3⤵
    PID:4832
- C:\Windows\system32\cmd.exe
  cmd /C TAKEOWN /F "C:\Program Files\Common Files\microsoft shared\ink\micaut.dll"
  2⤵
  PID:5020
- - C:\Windows\system32\takeown.exe
    TAKEOWN /F "C:\Program Files\Common Files\microsoft shared\ink\micaut.dll"
    3⤵
    PID:5008
- C:\Windows\system32\cmd.exe
  cmd /C TAKEOWN /F "C:\Program Files\Common Files\microsoft shared\ink\micaut.dll"
  2⤵
  PID:2136
- - C:\Windows\system32\takeown.exe
    TAKEOWN /F "C:\Program Files\Common Files\microsoft shared\ink\micaut.dll"
    3⤵
    PID:3952
- C:\Windows\system32\cmd.exe
  cmd /C TAKEOWN /F "C:\Program Files\Common Files\microsoft shared\ink\micaut.dll"
  2⤵
  PID:4524
- - C:\Windows\system32\takeown.exe
    TAKEOWN /F "C:\Program Files\Common Files\microsoft shared\ink\micaut.dll"
    3⤵
    PID:4872
- C:\Windows\system32\cmd.exe
  cmd /C TAKEOWN /F "C:\Program Files\Common Files\microsoft shared\ink\micaut.dll"
  2⤵
  PID:2292
- - C:\Windows\system32\takeown.exe
    TAKEOWN /F "C:\Program Files\Common Files\microsoft shared\ink\micaut.dll"
    3⤵
    PID:4260
- C:\Windows\system32\cmd.exe
  cmd /C TAKEOWN /F "C:\Program Files (x86)\Windows Photo Viewer\PhotoAcq.dll"
  2⤵
  PID:4836
- - C:\Windows\system32\takeown.exe
    TAKEOWN /F "C:\Program Files (x86)\Windows Photo Viewer\PhotoAcq.dll"
    3⤵
    PID:3276
- C:\Windows\system32\cmd.exe
  cmd /C TAKEOWN /F "C:\Program Files (x86)\Windows Photo Viewer\PhotoAcq.dll"
  2⤵
  PID:2304
- - C:\Windows\system32\takeown.exe
    TAKEOWN /F "C:\Program Files (x86)\Windows Photo Viewer\PhotoAcq.dll"
    3⤵
    PID:4416
- C:\Windows\system32\cmd.exe
  cmd /C TAKEOWN /F "C:\Program Files (x86)\Windows Photo Viewer\PhotoAcq.dll"
  2⤵
  PID:5092
- - C:\Windows\system32\takeown.exe
    TAKEOWN /F "C:\Program Files (x86)\Windows Photo Viewer\PhotoAcq.dll"
    3⤵
    PID:2736
- C:\Windows\system32\cmd.exe
  cmd /C TAKEOWN /F "C:\Program Files (x86)\Windows Photo Viewer\PhotoAcq.dll"
  2⤵
  PID:1620
- - C:\Windows\system32\takeown.exe
    TAKEOWN /F "C:\Program Files (x86)\Windows Photo Viewer\PhotoAcq.dll"
    3⤵
    PID:2520
- C:\Windows\system32\cmd.exe
  cmd /C TAKEOWN /F "C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\System.Workflow.ComponentModel.dll"
  2⤵
  PID:3188
- - C:\Windows\system32\takeown.exe
    TAKEOWN /F "C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\System.Workflow.ComponentModel.dll"
    3⤵
    PID:232
- C:\Windows\system32\cmd.exe
  cmd /C TAKEOWN /F "C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\System.Workflow.ComponentModel.dll"
  2⤵
  PID:4500
- - C:\Windows\system32\takeown.exe
    TAKEOWN /F "C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\System.Workflow.ComponentModel.dll"
    3⤵
    PID:2392
- C:\Windows\system32\cmd.exe
  cmd /C TAKEOWN /F "C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\System.Workflow.ComponentModel.dll"
  2⤵
  PID:5112
- - C:\Windows\system32\takeown.exe
    TAKEOWN /F "C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\System.Workflow.ComponentModel.dll"
    3⤵
    PID:4760
- C:\Windows\system32\cmd.exe
  cmd /C TAKEOWN /F "C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\System.Workflow.ComponentModel.dll"
  2⤵
  PID:2464
- - C:\Windows\system32\takeown.exe
    TAKEOWN /F "C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\System.Workflow.ComponentModel.dll"
    3⤵
    - Modifies file permissions
    PID:3164
- C:\Windows\system32\cmd.exe
  cmd /C TAKEOWN /F "C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVIsvSubsystemController.dll"
  2⤵
  PID:2152
- - C:\Windows\system32\takeown.exe
    TAKEOWN /F "C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVIsvSubsystemController.dll"
    3⤵
    PID:1436
- C:\Windows\system32\cmd.exe
  cmd /C TAKEOWN /F "C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVIsvSubsystemController.dll"
  2⤵
  PID:3064
- - C:\Windows\system32\takeown.exe
    TAKEOWN /F "C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVIsvSubsystemController.dll"
    3⤵
    PID:4800
- C:\Windows\system32\cmd.exe
  cmd /C TAKEOWN /F "C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVIsvSubsystemController.dll"
  2⤵
  PID:2308
- - C:\Windows\system32\takeown.exe
    TAKEOWN /F "C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVIsvSubsystemController.dll"
    3⤵
    PID:560
- C:\Windows\system32\cmd.exe
  cmd /C TAKEOWN /F "C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVIsvSubsystemController.dll"
  2⤵
  PID:4228
- - C:\Windows\system32\takeown.exe
    TAKEOWN /F "C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVIsvSubsystemController.dll"
    3⤵
    PID:2904
- C:\Windows\system32\cmd.exe
  cmd /C TAKEOWN /F "C:\Program Files\Common Files\microsoft shared\ink\mip.exe"
  2⤵
  PID:4844
- - C:\Windows\system32\takeown.exe
    TAKEOWN /F "C:\Program Files\Common Files\microsoft shared\ink\mip.exe"
    3⤵
    PID:5072
- C:\Windows\system32\cmd.exe
  cmd /C TAKEOWN /F "C:\Program Files\Common Files\microsoft shared\ink\mip.exe"
  2⤵
  PID:748
- - C:\Windows\system32\takeown.exe
    TAKEOWN /F "C:\Program Files\Common Files\microsoft shared\ink\mip.exe"
    3⤵
    PID:2936
- C:\Windows\system32\cmd.exe
  cmd /C TAKEOWN /F "C:\Program Files\Common Files\microsoft shared\ink\mip.exe"
  2⤵
  PID:1036
- - C:\Windows\system32\takeown.exe
    TAKEOWN /F "C:\Program Files\Common Files\microsoft shared\ink\mip.exe"
    3⤵
    PID:1292
- C:\Windows\system32\cmd.exe
  cmd /C TAKEOWN /F "C:\Program Files\Common Files\microsoft shared\ink\mip.exe"
  2⤵
  PID:4144
- - C:\Windows\system32\takeown.exe
    TAKEOWN /F "C:\Program Files\Common Files\microsoft shared\ink\mip.exe"
    3⤵
    PID:2652
- C:\Windows\system32\cmd.exe
  cmd /C TAKEOWN /F "C:\Program Files (x86)\Windows Photo Viewer\PhotoViewer.dll"
  2⤵
  PID:5056
- - C:\Windows\system32\takeown.exe
    TAKEOWN /F "C:\Program Files (x86)\Windows Photo Viewer\PhotoViewer.dll"
    3⤵
    PID:3276
- C:\Windows\system32\cmd.exe
  cmd /C TAKEOWN /F "C:\Program Files (x86)\Windows Photo Viewer\PhotoViewer.dll"
  2⤵
  PID:4704
- - C:\Windows\system32\takeown.exe
    TAKEOWN /F "C:\Program Files (x86)\Windows Photo Viewer\PhotoViewer.dll"
    3⤵
    PID:2304
- C:\Windows\system32\cmd.exe
  cmd /C TAKEOWN /F "C:\Program Files (x86)\Windows Photo Viewer\PhotoViewer.dll"
  2⤵
  PID:4788
- - C:\Windows\system32\takeown.exe
    TAKEOWN /F "C:\Program Files (x86)\Windows Photo Viewer\PhotoViewer.dll"
    3⤵
    - Modifies file permissions
    PID:2736
- C:\Windows\system32\cmd.exe
  cmd /C TAKEOWN /F "C:\Program Files (x86)\Windows Photo Viewer\PhotoViewer.dll"
  2⤵
  PID:2916
- - C:\Windows\system32\takeown.exe
    TAKEOWN /F "C:\Program Files (x86)\Windows Photo Viewer\PhotoViewer.dll"
    3⤵
    PID:1620
- C:\Windows\system32\cmd.exe
  cmd /C TAKEOWN /F "C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\System.Workflow.ComponentModel.dll"
  2⤵
  PID:3212
- - C:\Windows\system32\takeown.exe
    TAKEOWN /F "C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\System.Workflow.ComponentModel.dll"
    3⤵
    PID:1224
- C:\Windows\system32\cmd.exe
  cmd /C TAKEOWN /F "C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\System.Workflow.ComponentModel.dll"
  2⤵
  PID:3252
- - C:\Windows\system32\takeown.exe
    TAKEOWN /F "C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\System.Workflow.ComponentModel.dll"
    3⤵
    PID:752
- C:\Windows\system32\cmd.exe
  cmd /C TAKEOWN /F "C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\System.Workflow.ComponentModel.dll"
  2⤵
  PID:1284
- - C:\Windows\system32\takeown.exe
    TAKEOWN /F "C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\System.Workflow.ComponentModel.dll"
    3⤵
    PID:5112
- C:\Windows\system32\cmd.exe
  cmd /C TAKEOWN /F "C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\System.Workflow.ComponentModel.dll"
  2⤵
  PID:8
- - C:\Windows\system32\takeown.exe
    TAKEOWN /F "C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\System.Workflow.ComponentModel.dll"
    3⤵
    PID:2160
- C:\Windows\system32\cmd.exe
  cmd /C TAKEOWN /F "C:\Program Files (x86)\Common Files\Microsoft Shared\ink\InkObj.dll"
  2⤵
  PID:4572
- - C:\Windows\system32\takeown.exe
    TAKEOWN /F "C:\Program Files (x86)\Common Files\Microsoft Shared\ink\InkObj.dll"
    3⤵
    PID:4540
- C:\Windows\system32\cmd.exe
  cmd /C TAKEOWN /F "C:\Program Files (x86)\Common Files\Microsoft Shared\ink\InkObj.dll"
  2⤵
  PID:1104
- - C:\Windows\system32\takeown.exe
    TAKEOWN /F "C:\Program Files (x86)\Common Files\Microsoft Shared\ink\InkObj.dll"
    3⤵
    PID:1624
- C:\Windows\system32\cmd.exe
  cmd /C TAKEOWN /F "C:\Program Files (x86)\Common Files\Microsoft Shared\ink\InkObj.dll"
  2⤵
  PID:3944
- - C:\Windows\system32\takeown.exe
    TAKEOWN /F "C:\Program Files (x86)\Common Files\Microsoft Shared\ink\InkObj.dll"
    3⤵
    - Modifies file permissions
    PID:4576
- C:\Windows\system32\cmd.exe
  cmd /C TAKEOWN /F "C:\Program Files (x86)\Common Files\Microsoft Shared\ink\InkObj.dll"
  2⤵
  PID:4316
- - C:\Windows\system32\takeown.exe
    TAKEOWN /F "C:\Program Files (x86)\Common Files\Microsoft Shared\ink\InkObj.dll"
    3⤵
    PID:4516
- C:\Windows\system32\cmd.exe
  cmd /C TAKEOWN /F "C:\Program Files\Common Files\microsoft shared\ink\hwrdeusymnn.dat"
  2⤵
  PID:2872
- - C:\Windows\system32\takeown.exe
    TAKEOWN /F "C:\Program Files\Common Files\microsoft shared\ink\hwrdeusymnn.dat"
    3⤵
    - Modifies file permissions
    PID:4600
- C:\Windows\system32\cmd.exe
  cmd /C TAKEOWN /F "C:\Program Files\Common Files\microsoft shared\ink\hwrdeusymnn.dat"
  2⤵
  PID:4844
- - C:\Windows\system32\takeown.exe
    TAKEOWN /F "C:\Program Files\Common Files\microsoft shared\ink\hwrdeusymnn.dat"
    3⤵
    PID:2248
- C:\Windows\system32\cmd.exe
  cmd /C TAKEOWN /F "C:\Program Files\Common Files\microsoft shared\ink\hwrdeusymnn.dat"
  2⤵
  PID:2716
- - C:\Windows\system32\takeown.exe
    TAKEOWN /F "C:\Program Files\Common Files\microsoft shared\ink\hwrdeusymnn.dat"
    3⤵
    PID:3028
- C:\Windows\system32\cmd.exe
  cmd /C TAKEOWN /F "C:\Program Files\Common Files\microsoft shared\ink\hwrdeusymnn.dat"
  2⤵
  PID:2672
- - C:\Windows\system32\takeown.exe
    TAKEOWN /F "C:\Program Files\Common Files\microsoft shared\ink\hwrdeusymnn.dat"
    3⤵
    PID:4388
- C:\Windows\system32\cmd.exe
  cmd /C TAKEOWN /F "C:\Program Files\Common Files\microsoft shared\ink\mshwLatin.dll"
  2⤵
  PID:3000
- - C:\Windows\system32\takeown.exe
    TAKEOWN /F "C:\Program Files\Common Files\microsoft shared\ink\mshwLatin.dll"
    3⤵
    PID:4904
- C:\Windows\system32\cmd.exe
  cmd /C TAKEOWN /F "C:\Program Files\Common Files\microsoft shared\ink\mshwLatin.dll"
  2⤵
  PID:5056
- - C:\Windows\system32\takeown.exe
    TAKEOWN /F "C:\Program Files\Common Files\microsoft shared\ink\mshwLatin.dll"
    3⤵
    - Modifies file permissions
    PID:1664
- C:\Windows\system32\cmd.exe
  cmd /C TAKEOWN /F "C:\Program Files\Common Files\microsoft shared\ink\mshwLatin.dll"
  2⤵
  PID:1884
- - C:\Windows\system32\takeown.exe
    TAKEOWN /F "C:\Program Files\Common Files\microsoft shared\ink\mshwLatin.dll"
    3⤵
    - Modifies file permissions
    PID:2804
- C:\Windows\system32\cmd.exe
  cmd /C TAKEOWN /F "C:\Program Files\Common Files\microsoft shared\ink\mshwLatin.dll"
  2⤵
  PID:3896
- - C:\Windows\system32\takeown.exe
    TAKEOWN /F "C:\Program Files\Common Files\microsoft shared\ink\mshwLatin.dll"
    3⤵
    PID:2520
- C:\Windows\system32\cmd.exe
  cmd /C TAKEOWN /F "C:\Program Files (x86)\Common Files\Microsoft Shared\ink\micaut.dll"
  2⤵
  PID:3188
- - C:\Windows\system32\takeown.exe
    TAKEOWN /F "C:\Program Files (x86)\Common Files\Microsoft Shared\ink\micaut.dll"
    3⤵
    PID:4208
- C:\Windows\system32\cmd.exe
  cmd /C TAKEOWN /F "C:\Program Files (x86)\Common Files\Microsoft Shared\ink\micaut.dll"
  2⤵
  PID:3616
- - C:\Windows\system32\takeown.exe
    TAKEOWN /F "C:\Program Files (x86)\Common Files\Microsoft Shared\ink\micaut.dll"
    3⤵
    PID:3252
- C:\Windows\system32\cmd.exe
  cmd /C TAKEOWN /F "C:\Program Files (x86)\Common Files\Microsoft Shared\ink\micaut.dll"
  2⤵
  PID:4868
- - C:\Windows\system32\takeown.exe
    TAKEOWN /F "C:\Program Files (x86)\Common Files\Microsoft Shared\ink\micaut.dll"
    3⤵
    PID:1284
- C:\Windows\system32\cmd.exe
  cmd /C TAKEOWN /F "C:\Program Files (x86)\Common Files\Microsoft Shared\ink\micaut.dll"
  2⤵
  PID:2464
- - C:\Windows\system32\takeown.exe
    TAKEOWN /F "C:\Program Files (x86)\Common Files\Microsoft Shared\ink\micaut.dll"
    3⤵
    PID:4252
- C:\Windows\system32\cmd.exe
  cmd /C TAKEOWN /F "C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVPolicy.dll"
  2⤵
  PID:3064
- - C:\Windows\system32\takeown.exe
    TAKEOWN /F "C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVPolicy.dll"
    3⤵
    PID:2928
- C:\Windows\system32\cmd.exe
  cmd /C TAKEOWN /F "C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVPolicy.dll"
  2⤵
  PID:1592
- - C:\Windows\system32\takeown.exe
    TAKEOWN /F "C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVPolicy.dll"
    3⤵
    PID:1308
- C:\Windows\system32\cmd.exe
  cmd /C TAKEOWN /F "C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVPolicy.dll"
  2⤵
  PID:4612
- - C:\Windows\system32\takeown.exe
    TAKEOWN /F "C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVPolicy.dll"
    3⤵
    PID:4044
- C:\Windows\system32\cmd.exe
  cmd /C TAKEOWN /F "C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVPolicy.dll"
  2⤵
  PID:3764
- - C:\Windows\system32\takeown.exe
    TAKEOWN /F "C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVPolicy.dll"
    3⤵
    PID:1252
- C:\Windows\system32\cmd.exe
  cmd /C TAKEOWN /F "C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\System.Web.Extensions.dll"
  2⤵
  PID:1600
- - C:\Windows\system32\takeown.exe
    TAKEOWN /F "C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\System.Web.Extensions.dll"
    3⤵
    PID:1344
- C:\Windows\system32\cmd.exe
  cmd /C TAKEOWN /F "C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\System.Web.Extensions.dll"
  2⤵
  PID:1988
- - C:\Windows\system32\takeown.exe
    TAKEOWN /F "C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\System.Web.Extensions.dll"
    3⤵
    PID:4896
- C:\Windows\system32\cmd.exe
  cmd /C TAKEOWN /F "C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\System.Web.Extensions.dll"
  2⤵
  PID:4908
- - C:\Windows\system32\takeown.exe
    TAKEOWN /F "C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\System.Web.Extensions.dll"
    3⤵
    PID:696
- C:\Windows\system32\cmd.exe
  cmd /C TAKEOWN /F "C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\System.Web.Extensions.dll"
  2⤵
  PID:3800
- - C:\Windows\system32\takeown.exe
    TAKEOWN /F "C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\System.Web.Extensions.dll"
    3⤵
    PID:2312
- C:\Windows\system32\cmd.exe
  cmd /C TAKEOWN /F "C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\System.Web.Extensions.dll"
  2⤵
  PID:2056
- - C:\Windows\system32\takeown.exe
    TAKEOWN /F "C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\System.Web.Extensions.dll"
    3⤵
    PID:4560
- C:\Windows\system32\cmd.exe
  cmd /C TAKEOWN /F "C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\System.Web.Extensions.dll"
  2⤵
  PID:5060
- - C:\Windows\system32\takeown.exe
    TAKEOWN /F "C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\System.Web.Extensions.dll"
    3⤵
    PID:2916
- C:\Windows\system32\cmd.exe
  cmd /C TAKEOWN /F "C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\System.Web.Extensions.dll"
  2⤵
  PID:1940
- - C:\Windows\system32\takeown.exe
    TAKEOWN /F "C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\System.Web.Extensions.dll"
    3⤵
    PID:3924
- C:\Windows\system32\cmd.exe
  cmd /C TAKEOWN /F "C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\System.Web.Extensions.dll"
  2⤵
  PID:348
- - C:\Windows\system32\takeown.exe
    TAKEOWN /F "C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\System.Web.Extensions.dll"
    3⤵
    PID:3684
- C:\Windows\system32\cmd.exe
  cmd /C TAKEOWN /F "C:\Program Files\Common Files\System\ado\msado15.dll"
  2⤵
  PID:4972
- - C:\Windows\system32\takeown.exe
    TAKEOWN /F "C:\Program Files\Common Files\System\ado\msado15.dll"
    3⤵
    - Modifies file permissions
    PID:5064
- C:\Windows\system32\cmd.exe
  cmd /C TAKEOWN /F "C:\Program Files\Common Files\System\ado\msado15.dll"
  2⤵
  PID:2160
- - C:\Windows\system32\takeown.exe
    TAKEOWN /F "C:\Program Files\Common Files\System\ado\msado15.dll"
    3⤵
    PID:4556
- C:\Windows\system32\cmd.exe
  cmd /C TAKEOWN /F "C:\Program Files\Common Files\System\ado\msado15.dll"
  2⤵
  PID:4464
- - C:\Windows\system32\takeown.exe
    TAKEOWN /F "C:\Program Files\Common Files\System\ado\msado15.dll"
    3⤵
    PID:1436
- C:\Windows\system32\cmd.exe
  cmd /C TAKEOWN /F "C:\Program Files\Common Files\System\ado\msado15.dll"
  2⤵
  PID:4004
- - C:\Windows\system32\takeown.exe
    TAKEOWN /F "C:\Program Files\Common Files\System\ado\msado15.dll"
    3⤵
    PID:1104
- C:\Windows\system32\cmd.exe
  cmd /C TAKEOWN /F "C:\Program Files\Windows NT\TableTextService\TableTextServiceArray.txt"
  2⤵
  PID:2340
- - C:\Windows\system32\takeown.exe
    TAKEOWN /F "C:\Program Files\Windows NT\TableTextService\TableTextServiceArray.txt"
    3⤵
    PID:2308
- C:\Windows\system32\cmd.exe
  cmd /C TAKEOWN /F "C:\Program Files\Windows NT\TableTextService\TableTextServiceArray.txt"
  2⤵
  PID:1860
- - C:\Windows\system32\takeown.exe
    TAKEOWN /F "C:\Program Files\Windows NT\TableTextService\TableTextServiceArray.txt"
    3⤵
    PID:4404
- C:\Windows\system32\cmd.exe
  cmd /C TAKEOWN /F "C:\Program Files (x86)\Windows NT\TableTextService\TableTextServiceArray.txt"
  2⤵
  PID:4420
- - C:\Windows\system32\takeown.exe
    TAKEOWN /F "C:\Program Files (x86)\Windows NT\TableTextService\TableTextServiceArray.txt"
    3⤵
    PID:3444
- C:\Windows\system32\cmd.exe
  cmd /C TAKEOWN /F "C:\Program Files (x86)\Windows NT\TableTextService\TableTextServiceArray.txt"
  2⤵
  PID:1400
- - C:\Windows\system32\takeown.exe
    TAKEOWN /F "C:\Program Files (x86)\Windows NT\TableTextService\TableTextServiceArray.txt"
    3⤵
    PID:1480
- C:\Windows\system32\cmd.exe
  cmd /C TAKEOWN /F "C:\Program Files (x86)\Windows NT\TableTextService\TableTextServiceArray.txt"
  2⤵
  PID:2072
- - C:\Windows\system32\takeown.exe
    TAKEOWN /F "C:\Program Files (x86)\Windows NT\TableTextService\TableTextServiceArray.txt"
    3⤵
    PID:3440
- C:\Windows\system32\cmd.exe
  cmd /C TAKEOWN /F "C:\Program Files (x86)\Windows NT\TableTextService\TableTextServiceArray.txt"
  2⤵
  PID:1100
- - C:\Windows\system32\takeown.exe
    TAKEOWN /F "C:\Program Files (x86)\Windows NT\TableTextService\TableTextServiceArray.txt"
    3⤵
    PID:4512
- C:\Windows\system32\cmd.exe
  cmd /C TAKEOWN /F "C:\Program Files\Windows NT\TableTextService\TableTextServiceArray.txt"
  2⤵
  PID:1600
- - C:\Windows\system32\takeown.exe
    TAKEOWN /F "C:\Program Files\Windows NT\TableTextService\TableTextServiceArray.txt"
    3⤵
    PID:1576
- C:\Windows\system32\cmd.exe
  cmd /C TAKEOWN /F "C:\Program Files\Windows NT\TableTextService\TableTextServiceArray.txt"
  2⤵
  PID:4836
- - C:\Windows\system32\takeown.exe
    TAKEOWN /F "C:\Program Files\Windows NT\TableTextService\TableTextServiceArray.txt"
    3⤵
    PID:4904
- C:\Windows\system32\cmd.exe
  cmd /C TAKEOWN /F "C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\WindowsBase.dll"
  2⤵
  PID:968
- - C:\Windows\system32\takeown.exe
    TAKEOWN /F "C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\WindowsBase.dll"
    3⤵
    PID:3800
- C:\Windows\system32\cmd.exe
  cmd /C TAKEOWN /F "C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\WindowsBase.dll"
  2⤵
  PID:644
- - C:\Windows\system32\takeown.exe
    TAKEOWN /F "C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\WindowsBase.dll"
    3⤵
    PID:2668
- C:\Windows\system32\cmd.exe
  cmd /C TAKEOWN /F "C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\WindowsBase.dll"
  2⤵
  PID:2724
- - C:\Windows\system32\takeown.exe
    TAKEOWN /F "C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\WindowsBase.dll"
    3⤵
    PID:2520
- C:\Windows\system32\cmd.exe
  cmd /C TAKEOWN /F "C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\WindowsBase.dll"
  2⤵
  PID:3948
- - C:\Windows\system32\takeown.exe
    TAKEOWN /F "C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\WindowsBase.dll"
    3⤵
    PID:5032
- C:\Windows\system32\cmd.exe
  cmd /C TAKEOWN /F "C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVManifest.dll"
  2⤵
  PID:3540
- - C:\Windows\system32\takeown.exe
    TAKEOWN /F "C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVManifest.dll"
    3⤵
    PID:3616
- C:\Windows\system32\cmd.exe
  cmd /C TAKEOWN /F "C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVManifest.dll"
  2⤵
  PID:1408
- - C:\Windows\system32\takeown.exe
    TAKEOWN /F "C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVManifest.dll"
    3⤵
    PID:5064
- C:\Windows\system32\cmd.exe
  cmd /C TAKEOWN /F "C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVManifest.dll"
  2⤵
  PID:1476
- - C:\Windows\system32\takeown.exe
    TAKEOWN /F "C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVManifest.dll"
    3⤵
    PID:2176
- C:\Windows\system32\cmd.exe
  cmd /C TAKEOWN /F "C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVManifest.dll"
  2⤵
  PID:1944
- - C:\Windows\system32\takeown.exe
    TAKEOWN /F "C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVManifest.dll"
    3⤵
    PID:3584
- C:\Windows\system32\cmd.exe
  cmd /C TAKEOWN /F "C:\Program Files\Common Files\microsoft shared\ink\imjplm.dll"
  2⤵
  PID:980
- - C:\Windows\system32\takeown.exe
    TAKEOWN /F "C:\Program Files\Common Files\microsoft shared\ink\imjplm.dll"
    3⤵
    PID:1716
- C:\Windows\system32\cmd.exe
  cmd /C TAKEOWN /F "C:\Program Files\Common Files\microsoft shared\ink\imjplm.dll"
  2⤵
  PID:3360
- - C:\Windows\system32\takeown.exe
    TAKEOWN /F "C:\Program Files\Common Files\microsoft shared\ink\imjplm.dll"
    3⤵
    PID:4404
- C:\Windows\system32\cmd.exe
  cmd /C TAKEOWN /F "C:\Program Files\Common Files\microsoft shared\ink\imjplm.dll"
  2⤵
  PID:2872
- - C:\Windows\system32\takeown.exe
    TAKEOWN /F "C:\Program Files\Common Files\microsoft shared\ink\imjplm.dll"
    3⤵
    PID:4420
- C:\Windows\system32\cmd.exe
  cmd /C TAKEOWN /F "C:\Program Files\Common Files\microsoft shared\ink\imjplm.dll"
  2⤵
  PID:3812
- - C:\Windows\system32\takeown.exe
    TAKEOWN /F "C:\Program Files\Common Files\microsoft shared\ink\imjplm.dll"
    3⤵
    PID:3564
- C:\Windows\system32\cmd.exe
  cmd /C TAKEOWN /F "C:\Program Files (x86)\Common Files\Microsoft Shared\ink\imjplm.dll"
  2⤵
  PID:4616
- - C:\Windows\system32\takeown.exe
    TAKEOWN /F "C:\Program Files (x86)\Common Files\Microsoft Shared\ink\imjplm.dll"
    3⤵
    PID:4960
- C:\Windows\system32\cmd.exe
  cmd /C TAKEOWN /F "C:\Program Files (x86)\Common Files\Microsoft Shared\ink\imjplm.dll"
  2⤵
  PID:4120
- - C:\Windows\system32\takeown.exe
    TAKEOWN /F "C:\Program Files (x86)\Common Files\Microsoft Shared\ink\imjplm.dll"
    3⤵
    PID:4504
- C:\Windows\system32\cmd.exe
  cmd /C TAKEOWN /F "C:\Program Files (x86)\Common Files\Microsoft Shared\ink\imjplm.dll"
  2⤵
  PID:1064
- - C:\Windows\system32\takeown.exe
    TAKEOWN /F "C:\Program Files (x86)\Common Files\Microsoft Shared\ink\imjplm.dll"
    3⤵
    PID:2304
- C:\Windows\system32\cmd.exe
  cmd /C TAKEOWN /F "C:\Program Files (x86)\Common Files\Microsoft Shared\ink\imjplm.dll"
  2⤵
  PID:4908
- - C:\Windows\system32\takeown.exe
    TAKEOWN /F "C:\Program Files (x86)\Common Files\Microsoft Shared\ink\imjplm.dll"
    3⤵
    PID:1828
- C:\Windows\system32\cmd.exe
  cmd /C TAKEOWN /F "C:\Program Files\Common Files\microsoft shared\ink\tipskins.dll"
  2⤵
  PID:2164
- - C:\Windows\system32\takeown.exe
    TAKEOWN /F "C:\Program Files\Common Files\microsoft shared\ink\tipskins.dll"
    3⤵
    PID:1392
- C:\Windows\system32\cmd.exe
  cmd /C TAKEOWN /F "C:\Program Files\Common Files\microsoft shared\ink\tipskins.dll"
  2⤵
  PID:2056
- - C:\Windows\system32\takeown.exe
    TAKEOWN /F "C:\Program Files\Common Files\microsoft shared\ink\tipskins.dll"
    3⤵
    PID:2668
- C:\Windows\system32\cmd.exe
  cmd /C TAKEOWN /F "C:\Program Files\Common Files\microsoft shared\ink\tipskins.dll"
  2⤵
  PID:1520
- - C:\Windows\system32\takeown.exe
    TAKEOWN /F "C:\Program Files\Common Files\microsoft shared\ink\tipskins.dll"
    3⤵
    PID:2724
- C:\Windows\system32\cmd.exe
  cmd /C TAKEOWN /F "C:\Program Files\Common Files\microsoft shared\ink\tipskins.dll"
  2⤵
  PID:2392
- - C:\Windows\system32\takeown.exe
    TAKEOWN /F "C:\Program Files\Common Files\microsoft shared\ink\tipskins.dll"
    3⤵
    PID:4784
- C:\Windows\system32\cmd.exe
  cmd /C TAKEOWN /F "C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\System.Workflow.Activities.dll"
  2⤵
  PID:4140
- - C:\Windows\system32\takeown.exe
    TAKEOWN /F "C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\System.Workflow.Activities.dll"
    3⤵
    PID:4972
- C:\Windows\system32\cmd.exe
  cmd /C TAKEOWN /F "C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\System.Workflow.Activities.dll"
  2⤵
  PID:1284
- - C:\Windows\system32\takeown.exe
    TAKEOWN /F "C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\System.Workflow.Activities.dll"
    3⤵
    PID:4556
- C:\Windows\system32\cmd.exe
  cmd /C TAKEOWN /F "C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\System.Workflow.Activities.dll"
  2⤵
  PID:3696
- - C:\Windows\system32\takeown.exe
    TAKEOWN /F "C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\System.Workflow.Activities.dll"
    3⤵
    PID:4800
- C:\Windows\system32\cmd.exe
  cmd /C TAKEOWN /F "C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\System.Workflow.Activities.dll"
  2⤵
  PID:3708
- - C:\Windows\system32\takeown.exe
    TAKEOWN /F "C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\System.Workflow.Activities.dll"
    3⤵
    PID:1104
- C:\Windows\system32\cmd.exe
  cmd /C TAKEOWN /F "C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\WindowsBase.dll"
  2⤵
  PID:2780
- - C:\Windows\system32\takeown.exe
    TAKEOWN /F "C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\WindowsBase.dll"
    3⤵
    PID:1692
- C:\Windows\system32\cmd.exe
  cmd /C TAKEOWN /F "C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\WindowsBase.dll"
  2⤵
  PID:1308
- - C:\Windows\system32\takeown.exe
    TAKEOWN /F "C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\WindowsBase.dll"
    3⤵
    PID:560
- C:\Windows\system32\cmd.exe
  cmd /C TAKEOWN /F "C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\WindowsBase.dll"
  2⤵
  PID:4208
- - C:\Windows\system32\takeown.exe
    TAKEOWN /F "C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\WindowsBase.dll"
    3⤵
    PID:3784
- C:\Windows\system32\cmd.exe
  cmd /C TAKEOWN /F "C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\WindowsBase.dll"
  2⤵
  PID:3036
- - C:\Windows\system32\takeown.exe
    TAKEOWN /F "C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\WindowsBase.dll"
    3⤵
    PID:4600
- C:\Windows\system32\cmd.exe
  cmd /C TAKEOWN /F "C:\Program Files (x86)\Common Files\System\ado\msado15.dll"
  2⤵
  PID:1036
- - C:\Windows\system32\takeown.exe
    TAKEOWN /F "C:\Program Files (x86)\Common Files\System\ado\msado15.dll"
    3⤵
    PID:928
- C:\Windows\system32\cmd.exe
  cmd /C TAKEOWN /F "C:\Program Files (x86)\Common Files\System\ado\msado15.dll"
  2⤵
  PID:464
- - C:\Windows\system32\takeown.exe
    TAKEOWN /F "C:\Program Files (x86)\Common Files\System\ado\msado15.dll"
    3⤵
    PID:4120
- C:\Windows\system32\cmd.exe
  cmd /C TAKEOWN /F "C:\Program Files (x86)\Common Files\System\ado\msado15.dll"
  2⤵
  PID:4416
- - C:\Windows\system32\takeown.exe
    TAKEOWN /F "C:\Program Files (x86)\Common Files\System\ado\msado15.dll"
    3⤵
    PID:3000
- C:\Windows\system32\cmd.exe
  cmd /C TAKEOWN /F "C:\Program Files (x86)\Common Files\System\ado\msado15.dll"
  2⤵
  PID:2376
- - C:\Windows\system32\takeown.exe
    TAKEOWN /F "C:\Program Files (x86)\Common Files\System\ado\msado15.dll"
    3⤵
    - Modifies file permissions
    PID:4888
- C:\Windows\system32\cmd.exe
  cmd /C TAKEOWN /F "C:\Program Files\Common Files\microsoft shared\ink\TipRes.dll"
  2⤵
  PID:2312
- - C:\Windows\system32\takeown.exe
    TAKEOWN /F "C:\Program Files\Common Files\microsoft shared\ink\TipRes.dll"
    3⤵
    PID:1632
- C:\Windows\system32\cmd.exe
  cmd /C TAKEOWN /F "C:\Program Files\Common Files\microsoft shared\ink\TipRes.dll"
  2⤵
  PID:2668
- - C:\Windows\system32\takeown.exe
    TAKEOWN /F "C:\Program Files\Common Files\microsoft shared\ink\TipRes.dll"
    3⤵
    - Modifies file permissions
    PID:232
- C:\Windows\system32\cmd.exe
  cmd /C TAKEOWN /F "C:\Program Files\Common Files\microsoft shared\ink\TipRes.dll"
  2⤵
  PID:4788
- - C:\Windows\system32\takeown.exe
    TAKEOWN /F "C:\Program Files\Common Files\microsoft shared\ink\TipRes.dll"
    3⤵
    PID:4824
- C:\Windows\system32\cmd.exe
  cmd /C TAKEOWN /F "C:\Program Files\Common Files\microsoft shared\ink\TipRes.dll"
  2⤵
  PID:4160
- - C:\Windows\system32\takeown.exe
    TAKEOWN /F "C:\Program Files\Common Files\microsoft shared\ink\TipRes.dll"
    3⤵
    PID:4500
- C:\Windows\system32\cmd.exe
  cmd /C TAKEOWN /F "C:\Program Files (x86)\Common Files\Microsoft Shared\ink\mshwLatin.dll"
  2⤵
  PID:3540
- - C:\Windows\system32\takeown.exe
    TAKEOWN /F "C:\Program Files (x86)\Common Files\Microsoft Shared\ink\mshwLatin.dll"
    3⤵
    - Modifies file permissions
    PID:5112
- C:\Windows\system32\cmd.exe
  cmd /C TAKEOWN /F "C:\Program Files (x86)\Common Files\Microsoft Shared\ink\mshwLatin.dll"
  2⤵
  PID:3048
- - C:\Windows\system32\takeown.exe
    TAKEOWN /F "C:\Program Files (x86)\Common Files\Microsoft Shared\ink\mshwLatin.dll"
    3⤵
    PID:4984
- C:\Windows\system32\cmd.exe
  cmd /C TAKEOWN /F "C:\Program Files (x86)\Common Files\Microsoft Shared\ink\mshwLatin.dll"
  2⤵
  PID:8
- - C:\Windows\system32\takeown.exe
    TAKEOWN /F "C:\Program Files (x86)\Common Files\Microsoft Shared\ink\mshwLatin.dll"
    3⤵
    PID:2116
- C:\Windows\system32\cmd.exe
  cmd /C TAKEOWN /F "C:\Program Files (x86)\Common Files\Microsoft Shared\ink\mshwLatin.dll"
  2⤵
  PID:1944
- - C:\Windows\system32\takeown.exe
    TAKEOWN /F "C:\Program Files (x86)\Common Files\Microsoft Shared\ink\mshwLatin.dll"
    3⤵
    PID:4624
- C:\Windows\system32\cmd.exe
  cmd /C TAKEOWN /F "C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\System.Workflow.Activities.dll"
  2⤵
  PID:1572
- - C:\Windows\system32\takeown.exe
    TAKEOWN /F "C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\System.Workflow.Activities.dll"
    3⤵
    PID:2928
- C:\Windows\system32\cmd.exe
  cmd /C TAKEOWN /F "C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\System.Workflow.Activities.dll"
  2⤵
  PID:2544
- - C:\Windows\system32\takeown.exe
    TAKEOWN /F "C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\System.Workflow.Activities.dll"
    3⤵
    - Modifies file permissions
    PID:2324
- C:\Windows\system32\cmd.exe
  cmd /C TAKEOWN /F "C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\System.Workflow.Activities.dll"
  2⤵
  PID:5020
- - C:\Windows\system32\takeown.exe
    TAKEOWN /F "C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\System.Workflow.Activities.dll"
    3⤵
    PID:4404
- C:\Windows\system32\cmd.exe
  cmd /C TAKEOWN /F "C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\System.Workflow.Activities.dll"
  2⤵
  PID:4844
- - C:\Windows\system32\takeown.exe
    TAKEOWN /F "C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\System.Workflow.Activities.dll"
    3⤵
    PID:2360
- C:\Windows\system32\cmd.exe
  cmd /C TAKEOWN /F C:\Users\Admin\AppData\Local\ConnectedDevicesPlatform\L.Admin\ActivitiesCache.db
  2⤵
  PID:3440
- - C:\Windows\system32\takeown.exe
    TAKEOWN /F C:\Users\Admin\AppData\Local\ConnectedDevicesPlatform\L.Admin\ActivitiesCache.db
    3⤵
    PID:2292
- C:\Windows\system32\cmd.exe
  cmd /C TAKEOWN /F C:\Users\Admin\AppData\Local\ConnectedDevicesPlatform\L.Admin\ActivitiesCache.db
  2⤵
  PID:2424
- - C:\Windows\system32\takeown.exe
    TAKEOWN /F C:\Users\Admin\AppData\Local\ConnectedDevicesPlatform\L.Admin\ActivitiesCache.db
    3⤵
    - Modifies file permissions
    PID:4896
- C:\Windows\system32\cmd.exe
  cmd /C TAKEOWN /F C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\TempState\TileCache_100_0_Data.bin
  2⤵
  PID:1600
- - C:\Windows\system32\takeown.exe
    TAKEOWN /F C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\TempState\TileCache_100_0_Data.bin
    3⤵
    PID:5056
- C:\Windows\system32\cmd.exe
  cmd /C TAKEOWN /F C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\TempState\TileCache_100_0_Data.bin
  2⤵
  PID:5016
- - C:\Windows\system32\takeown.exe
    TAKEOWN /F C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\TempState\TileCache_100_0_Data.bin
    3⤵
    PID:2540
- C:\Windows\system32\cmd.exe
  cmd /C TAKEOWN /F C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\TempState\TileCache_100_0_Data.bin
  2⤵
  PID:2804
- - C:\Windows\system32\takeown.exe
    TAKEOWN /F C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\TempState\TileCache_100_0_Data.bin
    3⤵
    - Modifies file permissions
    PID:4376
- C:\Windows\system32\cmd.exe
  cmd /C TAKEOWN /F C:\Users\Admin\AppData\Local\ConnectedDevicesPlatform\L.Admin\ActivitiesCache.db
  2⤵
  PID:3856
- - C:\Windows\system32\takeown.exe
    TAKEOWN /F C:\Users\Admin\AppData\Local\ConnectedDevicesPlatform\L.Admin\ActivitiesCache.db
    3⤵
    PID:3296
- C:\Windows\system32\cmd.exe
  cmd /C TAKEOWN /F C:\Users\Admin\AppData\Local\ConnectedDevicesPlatform\L.Admin\ActivitiesCache.db
  2⤵
  PID:2776
- - C:\Windows\system32\takeown.exe
    TAKEOWN /F C:\Users\Admin\AppData\Local\ConnectedDevicesPlatform\L.Admin\ActivitiesCache.db
    3⤵
    PID:4276
- C:\Windows\system32\cmd.exe
  cmd /C TAKEOWN /F C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\TempState\TileCache_100_0_Data.bin
  2⤵
  PID:4216
- - C:\Windows\system32\takeown.exe
    TAKEOWN /F C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\TempState\TileCache_100_0_Data.bin
    3⤵
    PID:3540
- C:\Windows\system32\cmd.exe
  cmd /C TAKEOWN /F "C:\Program Files\Common Files\microsoft shared\VGX\VGX.dll"
  2⤵
  PID:4556
- - C:\Windows\system32\takeown.exe
    TAKEOWN /F "C:\Program Files\Common Files\microsoft shared\VGX\VGX.dll"
    3⤵
    - Modifies file permissions
    PID:2176
- C:\Windows\system32\cmd.exe
  cmd /C TAKEOWN /F "C:\Program Files\Common Files\microsoft shared\VGX\VGX.dll"
  2⤵
  PID:2152
- - C:\Windows\system32\takeown.exe
    TAKEOWN /F "C:\Program Files\Common Files\microsoft shared\VGX\VGX.dll"
    3⤵
    PID:1596
- C:\Windows\system32\cmd.exe
  cmd /C TAKEOWN /F "C:\Program Files\Common Files\microsoft shared\VGX\VGX.dll"
  2⤵
  PID:1944
- - C:\Windows\system32\takeown.exe
    TAKEOWN /F "C:\Program Files\Common Files\microsoft shared\VGX\VGX.dll"
    3⤵
    PID:2216
- C:\Windows\system32\cmd.exe
  cmd /C TAKEOWN /F "C:\Program Files\Common Files\microsoft shared\VGX\VGX.dll"
  2⤵
  PID:4036
- - C:\Windows\system32\takeown.exe
    TAKEOWN /F "C:\Program Files\Common Files\microsoft shared\VGX\VGX.dll"
    3⤵
    PID:3064
- C:\Windows\system32\cmd.exe
  cmd /C TAKEOWN /F "C:\Program Files\Common Files\microsoft shared\ink\hwrenUSlm.dat"
  2⤵
  PID:4280
- - C:\Windows\system32\takeown.exe
    TAKEOWN /F "C:\Program Files\Common Files\microsoft shared\ink\hwrenUSlm.dat"
    3⤵
    PID:3564
- C:\Windows\system32\cmd.exe
  cmd /C TAKEOWN /F "C:\Program Files\Common Files\microsoft shared\ink\hwrenUSlm.dat"
  2⤵
  PID:4612
- - C:\Windows\system32\takeown.exe
    TAKEOWN /F "C:\Program Files\Common Files\microsoft shared\ink\hwrenUSlm.dat"
    3⤵
    PID:1292
- C:\Windows\system32\cmd.exe
  cmd /C TAKEOWN /F "C:\Program Files\Common Files\microsoft shared\ink\hwrenUSlm.dat"
  2⤵
  PID:1752
- - C:\Windows\system32\takeown.exe
    TAKEOWN /F "C:\Program Files\Common Files\microsoft shared\ink\hwrenUSlm.dat"
    3⤵
    PID:4616
- C:\Windows\system32\cmd.exe
  cmd /C TAKEOWN /F "C:\Program Files\Common Files\microsoft shared\ink\hwrenUSlm.dat"
  2⤵
  PID:4288
- - C:\Windows\system32\takeown.exe
    TAKEOWN /F "C:\Program Files\Common Files\microsoft shared\ink\hwrenUSlm.dat"
    3⤵
    PID:3276
- C:\Windows\system32\cmd.exe
  cmd /C TAKEOWN /F "C:\Program Files\Windows NT\TableTextService\TableTextServiceDaYi.txt"
  2⤵
  PID:4596
- - C:\Windows\system32\takeown.exe
    TAKEOWN /F "C:\Program Files\Windows NT\TableTextService\TableTextServiceDaYi.txt"
    3⤵
    PID:968
- C:\Windows\system32\cmd.exe
  cmd /C TAKEOWN /F "C:\Program Files\Windows NT\TableTextService\TableTextServiceDaYi.txt"
  2⤵
  PID:644
- - C:\Windows\system32\takeown.exe
    TAKEOWN /F "C:\Program Files\Windows NT\TableTextService\TableTextServiceDaYi.txt"
    3⤵
    PID:964
- C:\Windows\system32\cmd.exe
  cmd /C TAKEOWN /F "C:\Program Files\Windows NT\TableTextService\TableTextServiceDaYi.txt"
  2⤵
  PID:1620
- - C:\Windows\system32\takeown.exe
    TAKEOWN /F "C:\Program Files\Windows NT\TableTextService\TableTextServiceDaYi.txt"
    3⤵
    PID:2520
- C:\Windows\system32\cmd.exe
  cmd /C TAKEOWN /F "C:\Program Files (x86)\Windows NT\TableTextService\TableTextServiceDaYi.txt"
  2⤵
  PID:1224
- - C:\Windows\system32\takeown.exe
    TAKEOWN /F "C:\Program Files (x86)\Windows NT\TableTextService\TableTextServiceDaYi.txt"
    3⤵
    PID:868
- C:\Windows\system32\cmd.exe
  cmd /C TAKEOWN /F "C:\Program Files\Windows NT\TableTextService\TableTextServiceDaYi.txt"
  2⤵
  PID:4824
- - C:\Windows\system32\takeown.exe
    TAKEOWN /F "C:\Program Files\Windows NT\TableTextService\TableTextServiceDaYi.txt"
    3⤵
    PID:3848
- C:\Windows\system32\cmd.exe
  cmd /C TAKEOWN /F "C:\Program Files (x86)\Windows NT\TableTextService\TableTextServiceDaYi.txt"
  2⤵
  PID:4972
- - C:\Windows\system32\takeown.exe
    TAKEOWN /F "C:\Program Files (x86)\Windows NT\TableTextService\TableTextServiceDaYi.txt"
    3⤵
    PID:4200
- C:\Windows\system32\cmd.exe
  cmd /C TAKEOWN /F "C:\Program Files (x86)\Windows NT\TableTextService\TableTextServiceDaYi.txt"
  2⤵
  PID:3164
- - C:\Windows\system32\takeown.exe
    TAKEOWN /F "C:\Program Files (x86)\Windows NT\TableTextService\TableTextServiceDaYi.txt"
    3⤵
    PID:8
- C:\Windows\system32\cmd.exe
  cmd /C TAKEOWN /F "C:\Program Files (x86)\Windows NT\TableTextService\TableTextServiceDaYi.txt"
  2⤵
  PID:4056
- - C:\Windows\system32\takeown.exe
    TAKEOWN /F "C:\Program Files (x86)\Windows NT\TableTextService\TableTextServiceDaYi.txt"
    3⤵
    - Modifies file permissions
    PID:4092
- C:\Windows\system32\cmd.exe
  cmd /C TAKEOWN /F "C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVOrchestration.dll"
  2⤵
  PID:2172
- - C:\Windows\system32\takeown.exe
    TAKEOWN /F "C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVOrchestration.dll"
    3⤵
    PID:3256
- C:\Windows\system32\cmd.exe
  cmd /C TAKEOWN /F "C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVOrchestration.dll"
  2⤵
  PID:3744
- - C:\Windows\system32\takeown.exe
    TAKEOWN /F "C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVOrchestration.dll"
    3⤵
    PID:4228
- C:\Windows\system32\cmd.exe
  cmd /C TAKEOWN /F "C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVOrchestration.dll"
  2⤵
  PID:5008
- - C:\Windows\system32\takeown.exe
    TAKEOWN /F "C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVOrchestration.dll"
    3⤵
    PID:4208
- C:\Windows\system32\cmd.exe
  cmd /C TAKEOWN /F "C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVOrchestration.dll"
  2⤵
  PID:1528
- - C:\Windows\system32\takeown.exe
    TAKEOWN /F "C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVOrchestration.dll"
    3⤵
    PID:3564
- C:\Windows\system32\cmd.exe
  cmd /C TAKEOWN /F "C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\System.Runtime.Serialization.dll"
  2⤵
  PID:1480
- - C:\Windows\system32\takeown.exe
    TAKEOWN /F "C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\System.Runtime.Serialization.dll"
    3⤵
    PID:2360
- C:\Windows\system32\cmd.exe
  cmd /C TAKEOWN /F "C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\System.Runtime.Serialization.dll"
  2⤵
  PID:4960
- - C:\Windows\system32\takeown.exe
    TAKEOWN /F "C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\System.Runtime.Serialization.dll"
    3⤵
    PID:4444
- C:\Windows\system32\cmd.exe
  cmd /C TAKEOWN /F "C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\System.Runtime.Serialization.dll"
  2⤵
  PID:1036
- - C:\Windows\system32\takeown.exe
    TAKEOWN /F "C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\System.Runtime.Serialization.dll"
    3⤵
    PID:1100
- C:\Windows\system32\cmd.exe
  cmd /C TAKEOWN /F "C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\System.Runtime.Serialization.dll"
  2⤵
  PID:848
- - C:\Windows\system32\takeown.exe
    TAKEOWN /F "C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\System.Runtime.Serialization.dll"
    3⤵
    PID:4888
- C:\Windows\system32\cmd.exe
  cmd /C TAKEOWN /F "C:\Program Files\Common Files\System\wab32res.dll"
  2⤵
  PID:1392
- - C:\Windows\system32\takeown.exe
    TAKEOWN /F "C:\Program Files\Common Files\System\wab32res.dll"
    3⤵
    PID:968
- C:\Windows\system32\cmd.exe
  cmd /C TAKEOWN /F "C:\Program Files\Common Files\System\wab32res.dll"
  2⤵
  PID:3284
- - C:\Windows\system32\takeown.exe
    TAKEOWN /F "C:\Program Files\Common Files\System\wab32res.dll"
    3⤵
    PID:964
- C:\Windows\system32\cmd.exe
  cmd /C TAKEOWN /F "C:\Program Files (x86)\Common Files\System\wab32res.dll"
  2⤵
  PID:752
- - C:\Windows\system32\takeown.exe
    TAKEOWN /F "C:\Program Files (x86)\Common Files\System\wab32res.dll"
    3⤵
    PID:4496
- C:\Windows\system32\cmd.exe
  cmd /C TAKEOWN /F "C:\Program Files (x86)\Common Files\System\wab32res.dll"
  2⤵
  PID:1520
- - C:\Windows\system32\takeown.exe
    TAKEOWN /F "C:\Program Files (x86)\Common Files\System\wab32res.dll"
    3⤵
    PID:2056
- C:\Windows\system32\cmd.exe
  cmd /C TAKEOWN /F "C:\Program Files (x86)\Common Files\System\wab32res.dll"
  2⤵
  PID:2724
- - C:\Windows\system32\takeown.exe
    TAKEOWN /F "C:\Program Files (x86)\Common Files\System\wab32res.dll"
    3⤵
    PID:1836
- C:\Windows\system32\cmd.exe
  cmd /C TAKEOWN /F "C:\Program Files (x86)\Common Files\System\wab32res.dll"
  2⤵
  PID:3540
- - C:\Windows\system32\takeown.exe
    TAKEOWN /F "C:\Program Files (x86)\Common Files\System\wab32res.dll"
    3⤵
    - Modifies file permissions
    PID:4760
- C:\Windows\system32\cmd.exe
  cmd /C TAKEOWN /F "C:\Program Files\Common Files\System\wab32res.dll"
  2⤵
  PID:1408
- - C:\Windows\system32\takeown.exe
    TAKEOWN /F "C:\Program Files\Common Files\System\wab32res.dll"
    3⤵
    PID:1436
- C:\Windows\system32\cmd.exe
  cmd /C TAKEOWN /F "C:\Program Files\Common Files\System\wab32res.dll"
  2⤵
  PID:212
- - C:\Windows\system32\takeown.exe
    TAKEOWN /F "C:\Program Files\Common Files\System\wab32res.dll"
    3⤵
    PID:3584
- C:\Windows\system32\cmd.exe
  cmd /C TAKEOWN /F "C:\Program Files\Common Files\microsoft shared\ClickToRun\msvcr120.dll"
  2⤵
  PID:1596
- - C:\Windows\system32\takeown.exe
    TAKEOWN /F "C:\Program Files\Common Files\microsoft shared\ClickToRun\msvcr120.dll"
    3⤵
    PID:1692
- C:\Windows\system32\cmd.exe
  cmd /C TAKEOWN /F "C:\Program Files\Common Files\microsoft shared\ClickToRun\msvcr120.dll"
  2⤵
  PID:2928
- - C:\Windows\system32\takeown.exe
    TAKEOWN /F "C:\Program Files\Common Files\microsoft shared\ClickToRun\msvcr120.dll"
    3⤵
    PID:4240
- C:\Windows\system32\cmd.exe
  cmd /C TAKEOWN /F "C:\Program Files\Common Files\microsoft shared\ClickToRun\msvcr120.dll"
  2⤵
  PID:1860
- - C:\Windows\system32\takeown.exe
    TAKEOWN /F "C:\Program Files\Common Files\microsoft shared\ClickToRun\msvcr120.dll"
    3⤵
    PID:4832
- C:\Windows\system32\cmd.exe
  cmd /C TAKEOWN /F "C:\Program Files\Common Files\microsoft shared\ClickToRun\msvcr120.dll"
  2⤵
  PID:4600
- - C:\Windows\system32\takeown.exe
    TAKEOWN /F "C:\Program Files\Common Files\microsoft shared\ClickToRun\msvcr120.dll"
    3⤵
    PID:3316
- C:\Windows\system32\cmd.exe
  cmd /C TAKEOWN /F "C:\Program Files\Windows Media Player\wmpnetwk.exe"
  2⤵
  PID:4612
- - C:\Windows\system32\takeown.exe
    TAKEOWN /F "C:\Program Files\Windows Media Player\wmpnetwk.exe"
    3⤵
    PID:2360
- C:\Windows\system32\cmd.exe
  cmd /C TAKEOWN /F "C:\Program Files\Windows Media Player\wmpnetwk.exe"
  2⤵
  PID:928
- - C:\Windows\system32\takeown.exe
    TAKEOWN /F "C:\Program Files\Windows Media Player\wmpnetwk.exe"
    3⤵
    PID:4616
- C:\Windows\system32\cmd.exe
  cmd /C TAKEOWN /F "C:\Program Files\Windows Media Player\wmpnetwk.exe"
  2⤵
  PID:3276
- - C:\Windows\system32\takeown.exe
    TAKEOWN /F "C:\Program Files\Windows Media Player\wmpnetwk.exe"
    3⤵
    - Modifies file permissions
    PID:1100
- C:\Windows\system32\cmd.exe
  cmd /C TAKEOWN /F "C:\Program Files\Windows Media Player\wmpnetwk.exe"
  2⤵
  PID:1828
- - C:\Windows\system32\takeown.exe
    TAKEOWN /F "C:\Program Files\Windows Media Player\wmpnetwk.exe"
    3⤵
    PID:4888
- C:\Windows\system32\cmd.exe
  cmd /C TAKEOWN /F "C:\Program Files\Common Files\System\Ole DB\oledb32.dll"
  2⤵
  PID:1280
- - C:\Windows\system32\takeown.exe
    TAKEOWN /F "C:\Program Files\Common Files\System\Ole DB\oledb32.dll"
    3⤵
    PID:4948
- C:\Windows\system32\cmd.exe
  cmd /C TAKEOWN /F "C:\Program Files\Common Files\System\Ole DB\oledb32.dll"
  2⤵
  PID:2032
- - C:\Windows\system32\takeown.exe
    TAKEOWN /F "C:\Program Files\Common Files\System\Ole DB\oledb32.dll"
    3⤵
    PID:3800
- C:\Windows\system32\cmd.exe
  cmd /C TAKEOWN /F "C:\Program Files\Common Files\System\Ole DB\oledb32.dll"
  2⤵
  PID:1016
- - C:\Windows\system32\takeown.exe
    TAKEOWN /F "C:\Program Files\Common Files\System\Ole DB\oledb32.dll"
    3⤵
    PID:3212
- C:\Windows\system32\cmd.exe
  cmd /C TAKEOWN /F "C:\Program Files\Common Files\System\Ole DB\oledb32.dll"
  2⤵
  PID:1224
- - C:\Windows\system32\takeown.exe
    TAKEOWN /F "C:\Program Files\Common Files\System\Ole DB\oledb32.dll"
    3⤵
    PID:3124
- C:\Windows\system32\cmd.exe
  cmd /C TAKEOWN /F "C:\Program Files\Common Files\System\wab32.dll"
  2⤵
  PID:4216
- - C:\Windows\system32\takeown.exe
    TAKEOWN /F "C:\Program Files\Common Files\System\wab32.dll"
    3⤵
    PID:4972
- C:\Windows\system32\cmd.exe
  cmd /C TAKEOWN /F "C:\Program Files\Common Files\System\wab32.dll"
  2⤵
  PID:2036
- - C:\Windows\system32\takeown.exe
    TAKEOWN /F "C:\Program Files\Common Files\System\wab32.dll"
    3⤵
    - Modifies file permissions
    PID:1408
- C:\Windows\system32\cmd.exe
  cmd /C TAKEOWN /F "C:\Program Files\Common Files\System\wab32.dll"
  2⤵
  PID:3200
- - C:\Windows\system32\takeown.exe
    TAKEOWN /F "C:\Program Files\Common Files\System\wab32.dll"
    3⤵
    PID:212
- C:\Windows\system32\cmd.exe
  cmd /C TAKEOWN /F "C:\Program Files\Common Files\System\wab32.dll"
  2⤵
  PID:4576
- - C:\Windows\system32\takeown.exe
    TAKEOWN /F "C:\Program Files\Common Files\System\wab32.dll"
    3⤵
    PID:2780
- C:\Windows\system32\cmd.exe
  cmd /C TAKEOWN /F "C:\Program Files\Common Files\System\Ole DB\sqloledb.dll"
  2⤵
  PID:2216
- - C:\Windows\system32\takeown.exe
    TAKEOWN /F "C:\Program Files\Common Files\System\Ole DB\sqloledb.dll"
    3⤵
    PID:3632
- C:\Windows\system32\cmd.exe
  cmd /C TAKEOWN /F "C:\Program Files\Common Files\System\Ole DB\sqloledb.dll"
  2⤵
  PID:2240
- - C:\Windows\system32\takeown.exe
    TAKEOWN /F "C:\Program Files\Common Files\System\Ole DB\sqloledb.dll"
    3⤵
    PID:3944
- C:\Windows\system32\cmd.exe
  cmd /C TAKEOWN /F "C:\Program Files\Common Files\System\Ole DB\sqloledb.dll"
  2⤵
  PID:2448
- - C:\Windows\system32\takeown.exe
    TAKEOWN /F "C:\Program Files\Common Files\System\Ole DB\sqloledb.dll"
    3⤵
    PID:4600
- C:\Windows\system32\cmd.exe
  cmd /C TAKEOWN /F "C:\Program Files\Common Files\System\Ole DB\sqloledb.dll"
  2⤵
  PID:4260
- - C:\Windows\system32\takeown.exe
    TAKEOWN /F "C:\Program Files\Common Files\System\Ole DB\sqloledb.dll"
    3⤵
    PID:3440
- C:\Windows\system32\cmd.exe
  cmd /C TAKEOWN /F "C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\System.Runtime.Serialization.dll"
  2⤵
  PID:5092
- - C:\Windows\system32\takeown.exe
    TAKEOWN /F "C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\System.Runtime.Serialization.dll"
    3⤵
    PID:4752
- C:\Windows\system32\cmd.exe
  cmd /C TAKEOWN /F "C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\System.Runtime.Serialization.dll"
  2⤵
  PID:1152
- - C:\Windows\system32\takeown.exe
    TAKEOWN /F "C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\System.Runtime.Serialization.dll"
    3⤵
    PID:4828
- C:\Windows\system32\cmd.exe
  cmd /C TAKEOWN /F "C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\System.Runtime.Serialization.dll"
  2⤵
  PID:5056
- - C:\Windows\system32\takeown.exe
    TAKEOWN /F "C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\System.Runtime.Serialization.dll"
    3⤵
    PID:1720
- C:\Windows\system32\cmd.exe
  cmd /C TAKEOWN /F "C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\System.Runtime.Serialization.dll"
  2⤵
  PID:760
- - C:\Windows\system32\takeown.exe
    TAKEOWN /F "C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\System.Runtime.Serialization.dll"
    3⤵
    PID:3064
- C:\Windows\system32\cmd.exe
  cmd /C TAKEOWN /F "C:\Program Files (x86)\Internet Explorer\iexplore.exe"
  2⤵
  PID:1520
- - C:\Windows\system32\takeown.exe
    TAKEOWN /F "C:\Program Files (x86)\Internet Explorer\iexplore.exe"
    3⤵
    PID:2056
- C:\Windows\system32\cmd.exe
  cmd /C TAKEOWN /F "C:\Program Files (x86)\Internet Explorer\iexplore.exe"
  2⤵
  PID:4784
- - C:\Windows\system32\takeown.exe
    TAKEOWN /F "C:\Program Files (x86)\Internet Explorer\iexplore.exe"
    3⤵
    PID:1836
- C:\Windows\system32\cmd.exe
  cmd /C TAKEOWN /F "C:\Program Files (x86)\Internet Explorer\iexplore.exe"
  2⤵
  PID:2160
- - C:\Windows\system32\takeown.exe
    TAKEOWN /F "C:\Program Files (x86)\Internet Explorer\iexplore.exe"
    3⤵
    PID:4972
- C:\Windows\system32\cmd.exe
  cmd /C TAKEOWN /F "C:\Program Files (x86)\Internet Explorer\iexplore.exe"
  2⤵
  PID:1604
- - C:\Windows\system32\takeown.exe
    TAKEOWN /F "C:\Program Files (x86)\Internet Explorer\iexplore.exe"
    3⤵
    PID:2116
- C:\Windows\system32\cmd.exe
  cmd /C TAKEOWN /F "C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\VGX.dll"
  2⤵
  PID:212
- - C:\Windows\system32\takeown.exe
    TAKEOWN /F "C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\VGX.dll"
    3⤵
    PID:1692
- C:\Windows\system32\cmd.exe
  cmd /C TAKEOWN /F "C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\VGX.dll"
  2⤵
  PID:2152
- - C:\Windows\system32\takeown.exe
    TAKEOWN /F "C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\VGX.dll"
    3⤵
    PID:3852
- C:\Windows\system32\cmd.exe
  cmd /C TAKEOWN /F "C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\VGX.dll"
  2⤵
  PID:3740
- - C:\Windows\system32\takeown.exe
    TAKEOWN /F "C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\VGX.dll"
    3⤵
    PID:2872
- C:\Windows\system32\cmd.exe
  cmd /C TAKEOWN /F "C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\VGX.dll"
  2⤵
  PID:3360
- - C:\Windows\system32\takeown.exe
    TAKEOWN /F "C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\VGX.dll"
    3⤵
    - Modifies file permissions
    PID:3316
- C:\Windows\system32\cmd.exe
  cmd /C TAKEOWN /F "C:\Program Files (x86)\Common Files\System\Ole DB\oledb32.dll"
  2⤵
  PID:5112
- - C:\Windows\system32\takeown.exe
    TAKEOWN /F "C:\Program Files (x86)\Common Files\System\Ole DB\oledb32.dll"
    3⤵
    PID:1752
- C:\Windows\system32\cmd.exe
  cmd /C TAKEOWN /F "C:\Program Files (x86)\Common Files\System\Ole DB\oledb32.dll"
  2⤵
  PID:1992
- - C:\Windows\system32\takeown.exe
    TAKEOWN /F "C:\Program Files (x86)\Common Files\System\Ole DB\oledb32.dll"
    3⤵
    PID:1988
- C:\Windows\system32\cmd.exe
  cmd /C TAKEOWN /F "C:\Program Files (x86)\Common Files\System\Ole DB\oledb32.dll"
  2⤵
  PID:2424
- - C:\Windows\system32\takeown.exe
    TAKEOWN /F "C:\Program Files (x86)\Common Files\System\Ole DB\oledb32.dll"
    3⤵
    PID:1100
- C:\Windows\system32\cmd.exe
  cmd /C TAKEOWN /F "C:\Program Files (x86)\Common Files\System\Ole DB\oledb32.dll"
  2⤵
  PID:1064
- - C:\Windows\system32\takeown.exe
    TAKEOWN /F "C:\Program Files (x86)\Common Files\System\Ole DB\oledb32.dll"
    3⤵
    PID:2096
- C:\Windows\system32\cmd.exe
  cmd /C TAKEOWN /F "C:\Program Files\Common Files\microsoft shared\ink\Alphabet.xml"
  2⤵
  PID:4908
- - C:\Windows\system32\takeown.exe
    TAKEOWN /F "C:\Program Files\Common Files\microsoft shared\ink\Alphabet.xml"
    3⤵
    PID:5056
- C:\Windows\system32\cmd.exe
  cmd /C TAKEOWN /F "C:\Program Files\Common Files\microsoft shared\ink\Alphabet.xml"
  2⤵
  PID:1716
- - C:\Windows\system32\takeown.exe
    TAKEOWN /F "C:\Program Files\Common Files\microsoft shared\ink\Alphabet.xml"
    3⤵
    PID:3212
- C:\Windows\system32\cmd.exe
  cmd /C TAKEOWN /F "C:\Program Files\Common Files\microsoft shared\ink\Alphabet.xml"
  2⤵
  PID:2548
- - C:\Windows\system32\takeown.exe
    TAKEOWN /F "C:\Program Files\Common Files\microsoft shared\ink\Alphabet.xml"
    3⤵
    PID:3124
- C:\Windows\system32\cmd.exe
  cmd /C TAKEOWN /F "C:\Program Files\Common Files\microsoft shared\ink\Alphabet.xml"
  2⤵
  PID:4964
- - C:\Windows\system32\takeown.exe
    TAKEOWN /F "C:\Program Files\Common Files\microsoft shared\ink\Alphabet.xml"
    3⤵
    PID:3684
- C:\Windows\system32\cmd.exe
  cmd /C TAKEOWN /F "C:\Program Files (x86)\Common Files\System\Ole DB\sqloledb.dll"
  2⤵
  PID:2428
- - C:\Windows\system32\takeown.exe
    TAKEOWN /F "C:\Program Files (x86)\Common Files\System\Ole DB\sqloledb.dll"
    3⤵
    PID:4984
- C:\Windows\system32\cmd.exe
  cmd /C TAKEOWN /F "C:\Program Files (x86)\Common Files\System\Ole DB\sqloledb.dll"
  2⤵
  PID:2344
- - C:\Windows\system32\takeown.exe
    TAKEOWN /F "C:\Program Files (x86)\Common Files\System\Ole DB\sqloledb.dll"
    3⤵
    PID:3304
- C:\Windows\system32\cmd.exe
  cmd /C TAKEOWN /F "C:\Program Files (x86)\Common Files\System\Ole DB\sqloledb.dll"
  2⤵
  PID:4024
- - C:\Windows\system32\takeown.exe
    TAKEOWN /F "C:\Program Files (x86)\Common Files\System\Ole DB\sqloledb.dll"
    3⤵
    PID:560
- C:\Windows\system32\cmd.exe
  cmd /C TAKEOWN /F "C:\Program Files (x86)\Common Files\System\Ole DB\sqloledb.dll"
  2⤵
  PID:4516
- - C:\Windows\system32\takeown.exe
    TAKEOWN /F "C:\Program Files (x86)\Common Files\System\Ole DB\sqloledb.dll"
    3⤵
    PID:2136
- C:\Windows\system32\cmd.exe
  cmd /C TAKEOWN /F "C:\Program Files (x86)\Common Files\System\wab32.dll"
  2⤵
  PID:3316
- - C:\Windows\system32\takeown.exe
    TAKEOWN /F "C:\Program Files (x86)\Common Files\System\wab32.dll"
    3⤵
    PID:1480
- C:\Windows\system32\cmd.exe
  cmd /C TAKEOWN /F "C:\Program Files (x86)\Common Files\System\wab32.dll"
  2⤵
  PID:628
- - C:\Windows\system32\takeown.exe
    TAKEOWN /F "C:\Program Files (x86)\Common Files\System\wab32.dll"
    3⤵
    PID:2652
- C:\Windows\system32\cmd.exe
  cmd /C TAKEOWN /F "C:\Program Files (x86)\Common Files\System\wab32.dll"
  2⤵
  PID:4144
- - C:\Windows\system32\takeown.exe
    TAKEOWN /F "C:\Program Files (x86)\Common Files\System\wab32.dll"
    3⤵
    PID:464
- C:\Windows\system32\cmd.exe
  cmd /C TAKEOWN /F "C:\Program Files (x86)\Common Files\System\wab32.dll"
  2⤵
  PID:1576
- - C:\Windows\system32\takeown.exe
    TAKEOWN /F "C:\Program Files (x86)\Common Files\System\wab32.dll"
    3⤵
    - Modifies file permissions
    PID:1360
- C:\Windows\system32\cmd.exe
  cmd /C TAKEOWN /F "C:\Program Files\Common Files\microsoft shared\ink\ShapeCollector.exe"
  2⤵
  PID:3284
- - C:\Windows\system32\takeown.exe
    TAKEOWN /F "C:\Program Files\Common Files\microsoft shared\ink\ShapeCollector.exe"
    3⤵
    PID:5056
- C:\Windows\system32\cmd.exe
  cmd /C TAKEOWN /F "C:\Program Files\Common Files\microsoft shared\ink\ShapeCollector.exe"
  2⤵
  PID:1116
- - C:\Windows\system32\takeown.exe
    TAKEOWN /F "C:\Program Files\Common Files\microsoft shared\ink\ShapeCollector.exe"
    3⤵
    PID:3212
- C:\Windows\system32\cmd.exe
  cmd /C TAKEOWN /F "C:\Program Files\Common Files\microsoft shared\ink\ShapeCollector.exe"
  2⤵
  PID:4704
- - C:\Windows\system32\takeown.exe
    TAKEOWN /F "C:\Program Files\Common Files\microsoft shared\ink\ShapeCollector.exe"
    3⤵
    PID:3920
- C:\Windows\system32\cmd.exe
  cmd /C TAKEOWN /F "C:\Program Files\Common Files\microsoft shared\ink\ShapeCollector.exe"
  2⤵
  PID:1520
- - C:\Windows\system32\takeown.exe
    TAKEOWN /F "C:\Program Files\Common Files\microsoft shared\ink\ShapeCollector.exe"
    3⤵
    PID:3684
- C:\Windows\system32\cmd.exe
  cmd /C TAKEOWN /F "C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\Microsoft.Build.Engine.dll"
  2⤵
  PID:4200
- - C:\Windows\system32\takeown.exe
    TAKEOWN /F "C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\Microsoft.Build.Engine.dll"
    3⤵
    PID:436
- C:\Windows\system32\cmd.exe
  cmd /C TAKEOWN /F "C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\Microsoft.Build.Engine.dll"
  2⤵
  PID:1476
- - C:\Windows\system32\takeown.exe
    TAKEOWN /F "C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\Microsoft.Build.Engine.dll"
    3⤵
    - Modifies file permissions
    PID:1624
- C:\Windows\system32\cmd.exe
  cmd /C TAKEOWN /F "C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\Microsoft.Build.Engine.dll"
  2⤵
  PID:3528
- - C:\Windows\system32\takeown.exe
    TAKEOWN /F "C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\Microsoft.Build.Engine.dll"
    3⤵
    PID:932
- C:\Windows\system32\cmd.exe
  cmd /C TAKEOWN /F "C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\Microsoft.Build.Engine.dll"
  2⤵
  PID:3232
- - C:\Windows\system32\takeown.exe
    TAKEOWN /F "C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\Microsoft.Build.Engine.dll"
    3⤵
    PID:1404
- C:\Windows\system32\cmd.exe
  cmd /C TAKEOWN /F "C:\Program Files\Common Files\System\Ole DB\msdasql.dll"
  2⤵
  PID:2872
- - C:\Windows\system32\takeown.exe
    TAKEOWN /F "C:\Program Files\Common Files\System\Ole DB\msdasql.dll"
    3⤵
    PID:1252
- C:\Windows\system32\cmd.exe
  cmd /C TAKEOWN /F "C:\Program Files\Common Files\System\Ole DB\msdasql.dll"
  2⤵
  PID:4280
- - C:\Windows\system32\takeown.exe
    TAKEOWN /F "C:\Program Files\Common Files\System\Ole DB\msdasql.dll"
    3⤵
    PID:5008
- C:\Windows\system32\cmd.exe
  cmd /C TAKEOWN /F "C:\Program Files\Common Files\System\Ole DB\msdasql.dll"
  2⤵
  PID:2916
- - C:\Windows\system32\takeown.exe
    TAKEOWN /F "C:\Program Files\Common Files\System\Ole DB\msdasql.dll"
    3⤵
    PID:2716
- C:\Windows\system32\cmd.exe
  cmd /C TAKEOWN /F "C:\Program Files\Common Files\System\Ole DB\msdasql.dll"
  2⤵
  PID:4880
- - C:\Windows\system32\takeown.exe
    TAKEOWN /F "C:\Program Files\Common Files\System\Ole DB\msdasql.dll"
    3⤵
    PID:4628
- C:\Windows\system32\cmd.exe
  cmd /C TAKEOWN /F "C:\Program Files\Common Files\System\msadc\msadce.dll"
  2⤵
  PID:2020
- - C:\Windows\system32\takeown.exe
    TAKEOWN /F "C:\Program Files\Common Files\System\msadc\msadce.dll"
    3⤵
    PID:1828
- C:\Windows\system32\cmd.exe
  cmd /C TAKEOWN /F "C:\Program Files\Common Files\System\msadc\msadce.dll"
  2⤵
  PID:1152
- - C:\Windows\system32\takeown.exe
    TAKEOWN /F "C:\Program Files\Common Files\System\msadc\msadce.dll"
    3⤵
    PID:5056
- C:\Windows\system32\cmd.exe
  cmd /C TAKEOWN /F "C:\Program Files\Common Files\System\msadc\msadce.dll"
  2⤵
  PID:4376
- - C:\Windows\system32\takeown.exe
    TAKEOWN /F "C:\Program Files\Common Files\System\msadc\msadce.dll"
    3⤵
    PID:2648
- C:\Windows\system32\cmd.exe
  cmd /C TAKEOWN /F "C:\Program Files\Common Files\System\msadc\msadce.dll"
  2⤵
  PID:3924
- - C:\Windows\system32\takeown.exe
    TAKEOWN /F "C:\Program Files\Common Files\System\msadc\msadce.dll"
    3⤵
    PID:1520
- C:\Windows\system32\cmd.exe
  cmd /C TAKEOWN /F "C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\System.Data.Services.dll"
  2⤵
  PID:3256
- - C:\Windows\system32\takeown.exe
    TAKEOWN /F "C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\System.Data.Services.dll"
    3⤵
    PID:1476
- C:\Windows\system32\cmd.exe
  cmd /C TAKEOWN /F "C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\System.Data.Services.dll"
  2⤵
  PID:3988
- - C:\Windows\system32\takeown.exe
    TAKEOWN /F "C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\System.Data.Services.dll"
    3⤵
    PID:2324
- C:\Windows\system32\cmd.exe
  cmd /C TAKEOWN /F "C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\System.Data.Services.dll"
  2⤵
  PID:4928
- - C:\Windows\system32\takeown.exe
    TAKEOWN /F "C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\System.Data.Services.dll"
    3⤵
    PID:3740
- C:\Windows\system32\cmd.exe
  cmd /C TAKEOWN /F "C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\System.Data.Services.dll"
  2⤵
  PID:4700
- - C:\Windows\system32\takeown.exe
    TAKEOWN /F "C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\System.Data.Services.dll"
    3⤵
    PID:3360
- C:\Windows\system32\cmd.exe
  cmd /C TAKEOWN /F "C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\System.Data.Services.dll"
  2⤵
  PID:3600
- - C:\Windows\system32\takeown.exe
    TAKEOWN /F "C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\System.Data.Services.dll"
    3⤵
    PID:2248
- C:\Windows\system32\cmd.exe
  cmd /C TAKEOWN /F "C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\System.Data.Services.dll"
  2⤵
  PID:3316
- - C:\Windows\system32\takeown.exe
    TAKEOWN /F "C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\System.Data.Services.dll"
    3⤵
    PID:4504
- C:\Windows\system32\cmd.exe
  cmd /C TAKEOWN /F "C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\System.Data.Services.dll"
  2⤵
  PID:464
- - C:\Windows\system32\takeown.exe
    TAKEOWN /F "C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\System.Data.Services.dll"
    3⤵
    PID:4880
- C:\Windows\system32\cmd.exe
  cmd /C TAKEOWN /F "C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\System.Data.Services.dll"
  2⤵
  PID:1988
- - C:\Windows\system32\takeown.exe
    TAKEOWN /F "C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\System.Data.Services.dll"
    3⤵
    PID:1392
- C:\Windows\system32\cmd.exe
  cmd /C TAKEOWN /F "C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\System.Speech.dll"
  2⤵
  PID:1632
- - C:\Windows\system32\takeown.exe
    TAKEOWN /F "C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\System.Speech.dll"
    3⤵
    PID:1720
- C:\Windows\system32\cmd.exe
  cmd /C TAKEOWN /F "C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\System.Speech.dll"
  2⤵
  PID:3420
- - C:\Windows\system32\takeown.exe
    TAKEOWN /F "C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\System.Speech.dll"
    3⤵
    PID:3920
- C:\Windows\system32\cmd.exe
  cmd /C TAKEOWN /F "C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\System.Speech.dll"
  2⤵
  PID:3856
- - C:\Windows\system32\takeown.exe
    TAKEOWN /F "C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\System.Speech.dll"
    3⤵
    PID:1940
- C:\Windows\system32\cmd.exe
  cmd /C TAKEOWN /F "C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\System.Speech.dll"
  2⤵
  PID:4432
- - C:\Windows\system32\takeown.exe
    TAKEOWN /F "C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\System.Speech.dll"
    3⤵
    PID:3692
- C:\Windows\system32\cmd.exe
  cmd /C TAKEOWN /F "C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\System.Speech.dll"
  2⤵
  PID:4588
- - C:\Windows\system32\takeown.exe
    TAKEOWN /F "C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\System.Speech.dll"
    3⤵
    PID:5108
- C:\Windows\system32\cmd.exe
  cmd /C TAKEOWN /F "C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\System.Speech.dll"
  2⤵
  PID:3224
- - C:\Windows\system32\takeown.exe
    TAKEOWN /F "C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\System.Speech.dll"
    3⤵
    PID:4200
- C:\Windows\system32\cmd.exe
  cmd /C TAKEOWN /F "C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\System.Speech.dll"
  2⤵
  PID:1604
- - C:\Windows\system32\takeown.exe
    TAKEOWN /F "C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\System.Speech.dll"
    3⤵
    PID:2428
- C:\Windows\system32\cmd.exe
  cmd /C TAKEOWN /F "C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\System.Speech.dll"
  2⤵
  PID:4064
- - C:\Windows\system32\takeown.exe
    TAKEOWN /F "C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\System.Speech.dll"
    3⤵
    PID:1572
- C:\Windows\system32\cmd.exe
  cmd /C TAKEOWN /F "C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVCatalog.dll"
  2⤵
  PID:4024
- - C:\Windows\system32\takeown.exe
    TAKEOWN /F "C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVCatalog.dll"
    3⤵
    PID:2872
- C:\Windows\system32\cmd.exe
  cmd /C TAKEOWN /F "C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVCatalog.dll"
  2⤵
  PID:3564
- - C:\Windows\system32\takeown.exe
    TAKEOWN /F "C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVCatalog.dll"
    3⤵
    PID:3944
- C:\Windows\system32\cmd.exe
  cmd /C TAKEOWN /F "C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVCatalog.dll"
  2⤵
  PID:2448
- - C:\Windows\system32\takeown.exe
    TAKEOWN /F "C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVCatalog.dll"
    3⤵
    PID:1616
- C:\Windows\system32\cmd.exe
  cmd /C TAKEOWN /F "C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVCatalog.dll"
  2⤵
  PID:4124
- - C:\Windows\system32\takeown.exe
    TAKEOWN /F "C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVCatalog.dll"
    3⤵
    PID:4960
- C:\Windows\system32\cmd.exe
  cmd /C TAKEOWN /F "C:\Program Files\Common Files\microsoft shared\ink\mshwjpn.dll"
  2⤵
  PID:1344
- - C:\Windows\system32\takeown.exe
    TAKEOWN /F "C:\Program Files\Common Files\microsoft shared\ink\mshwjpn.dll"
    3⤵
    PID:1224
- C:\Windows\system32\cmd.exe
  cmd /C TAKEOWN /F "C:\Program Files\Common Files\microsoft shared\ink\mshwjpn.dll"
  2⤵
  PID:1988
- - C:\Windows\system32\takeown.exe
    TAKEOWN /F "C:\Program Files\Common Files\microsoft shared\ink\mshwjpn.dll"
    3⤵
    PID:2020
- C:\Windows\system32\cmd.exe
  cmd /C TAKEOWN /F "C:\Program Files\Common Files\microsoft shared\ink\mshwjpn.dll"
  2⤵
  PID:3212
- - C:\Windows\system32\takeown.exe
    TAKEOWN /F "C:\Program Files\Common Files\microsoft shared\ink\mshwjpn.dll"
    3⤵
    PID:1152
- C:\Windows\system32\cmd.exe
  cmd /C TAKEOWN /F "C:\Program Files\Common Files\microsoft shared\ink\mshwjpn.dll"
  2⤵
  PID:2648
- - C:\Windows\system32\takeown.exe
    TAKEOWN /F "C:\Program Files\Common Files\microsoft shared\ink\mshwjpn.dll"
    3⤵
    PID:4140
- C:\Windows\system32\cmd.exe
  cmd /C TAKEOWN /F "C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\System.Data.Linq.dll"
  2⤵
  PID:3176
- - C:\Windows\system32\takeown.exe
    TAKEOWN /F "C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\System.Data.Linq.dll"
    3⤵
    PID:4092
- C:\Windows\system32\cmd.exe
  cmd /C TAKEOWN /F "C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\System.Data.Linq.dll"
  2⤵
  PID:4828
- - C:\Windows\system32\takeown.exe
    TAKEOWN /F "C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\System.Data.Linq.dll"
    3⤵
    PID:2116
- C:\Windows\system32\cmd.exe
  cmd /C TAKEOWN /F "C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\System.Data.Linq.dll"
  2⤵
  PID:4572
- - C:\Windows\system32\takeown.exe
    TAKEOWN /F "C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\System.Data.Linq.dll"
    3⤵
    PID:1624
- C:\Windows\system32\cmd.exe
  cmd /C TAKEOWN /F "C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\System.Data.Linq.dll"
  2⤵
  PID:1476
- - C:\Windows\system32\takeown.exe
    TAKEOWN /F "C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\System.Data.Linq.dll"
    3⤵
    PID:1944
- C:\Windows\system32\cmd.exe
  cmd /C TAKEOWN /F "C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\System.Data.Linq.dll"
  2⤵
  PID:1592
- - C:\Windows\system32\takeown.exe
    TAKEOWN /F "C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\System.Data.Linq.dll"
    3⤵
    PID:3444
- C:\Windows\system32\cmd.exe
  cmd /C TAKEOWN /F "C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\System.Data.Linq.dll"
  2⤵
  PID:2724
- - C:\Windows\system32\takeown.exe
    TAKEOWN /F "C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\System.Data.Linq.dll"
    3⤵
    PID:3708
- C:\Windows\system32\cmd.exe
  cmd /C TAKEOWN /F "C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\System.Data.Linq.dll"
  2⤵
  PID:4576
- - C:\Windows\system32\takeown.exe
    TAKEOWN /F "C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\System.Data.Linq.dll"
    3⤵
    PID:3952
- C:\Windows\system32\cmd.exe
  cmd /C TAKEOWN /F "C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\System.Data.Linq.dll"
  2⤵
  PID:3744
- - C:\Windows\system32\takeown.exe
    TAKEOWN /F "C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\System.Data.Linq.dll"
    3⤵
    PID:3424
- C:\Windows\system32\cmd.exe
  cmd /C TAKEOWN /F "C:\Program Files\Common Files\microsoft shared\ink\tiptsf.dll"
  2⤵
  PID:1992
- - C:\Windows\system32\takeown.exe
    TAKEOWN /F "C:\Program Files\Common Files\microsoft shared\ink\tiptsf.dll"
    3⤵
    PID:2916
- C:\Windows\system32\cmd.exe
  cmd /C TAKEOWN /F "C:\Program Files\Common Files\microsoft shared\ink\tiptsf.dll"
  2⤵
  PID:4844
- - C:\Windows\system32\takeown.exe
    TAKEOWN /F "C:\Program Files\Common Files\microsoft shared\ink\tiptsf.dll"
    3⤵
    PID:4616
- C:\Windows\system32\cmd.exe
  cmd /C TAKEOWN /F "C:\Program Files\Common Files\microsoft shared\ink\tiptsf.dll"
  2⤵
  PID:2716
- - C:\Windows\system32\takeown.exe
    TAKEOWN /F "C:\Program Files\Common Files\microsoft shared\ink\tiptsf.dll"
    3⤵
    PID:2304
- C:\Windows\system32\cmd.exe
  cmd /C TAKEOWN /F "C:\Program Files\Common Files\microsoft shared\ink\tiptsf.dll"
  2⤵
  PID:3440
- - C:\Windows\system32\takeown.exe
    TAKEOWN /F "C:\Program Files\Common Files\microsoft shared\ink\tiptsf.dll"
    3⤵
    PID:2692
- C:\Windows\system32\cmd.exe
  cmd /C TAKEOWN /F "C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\System.Core.dll"
  2⤵
  PID:924
- - C:\Windows\system32\takeown.exe
    TAKEOWN /F "C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\System.Core.dll"
    3⤵
    PID:4908
- C:\Windows\system32\cmd.exe
  cmd /C TAKEOWN /F "C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\System.Core.dll"
  2⤵
  PID:2736
- - C:\Windows\system32\takeown.exe
    TAKEOWN /F "C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\System.Core.dll"
    3⤵
    PID:5092
- C:\Windows\system32\cmd.exe
  cmd /C TAKEOWN /F "C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\System.Core.dll"
  2⤵
  PID:3620
- - C:\Windows\system32\takeown.exe
    TAKEOWN /F "C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\System.Core.dll"
    3⤵
    PID:3000
- C:\Windows\system32\cmd.exe
  cmd /C TAKEOWN /F "C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\System.Core.dll"
  2⤵
  PID:868
- - C:\Windows\system32\takeown.exe
    TAKEOWN /F "C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\System.Core.dll"
    3⤵
    PID:2160
- C:\Windows\system32\cmd.exe
  cmd /C TAKEOWN /F "C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\System.Core.dll"
  2⤵
  PID:1364
- - C:\Windows\system32\takeown.exe
    TAKEOWN /F "C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\System.Core.dll"
    3⤵
    PID:5032
- C:\Windows\system32\cmd.exe
  cmd /C TAKEOWN /F "C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\System.Core.dll"
  2⤵
  PID:4200
- - C:\Windows\system32\takeown.exe
    TAKEOWN /F "C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\System.Core.dll"
    3⤵
    PID:980
- C:\Windows\system32\cmd.exe
  cmd /C TAKEOWN /F "C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\System.Core.dll"
  2⤵
  PID:2280
- - C:\Windows\system32\takeown.exe
    TAKEOWN /F "C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\System.Core.dll"
    3⤵
    PID:4464
- C:\Windows\system32\cmd.exe
  cmd /C TAKEOWN /F "C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\System.Core.dll"
  2⤵
  PID:1596
- - C:\Windows\system32\takeown.exe
    TAKEOWN /F "C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\System.Core.dll"
    3⤵
    PID:4496
- C:\Windows\system32\cmd.exe
  cmd /C TAKEOWN /F "C:\Program Files\Windows NT\TableTextService\TableTextService.dll"
  2⤵
  PID:3740
- - C:\Windows\system32\takeown.exe
    TAKEOWN /F "C:\Program Files\Windows NT\TableTextService\TableTextService.dll"
    3⤵
    PID:4576
- C:\Windows\system32\cmd.exe
  cmd /C TAKEOWN /F "C:\Program Files\Windows NT\TableTextService\TableTextService.dll"
  2⤵
  PID:4832
- - C:\Windows\system32\takeown.exe
    TAKEOWN /F "C:\Program Files\Windows NT\TableTextService\TableTextService.dll"
    3⤵
    PID:1860
- C:\Windows\system32\cmd.exe
  cmd /C TAKEOWN /F "C:\Program Files\Windows NT\TableTextService\TableTextService.dll"
  2⤵
  PID:4336
- - C:\Windows\system32\takeown.exe
    TAKEOWN /F "C:\Program Files\Windows NT\TableTextService\TableTextService.dll"
    3⤵
    PID:1616
- C:\Windows\system32\cmd.exe
  cmd /C TAKEOWN /F "C:\Program Files\Windows NT\TableTextService\TableTextService.dll"
  2⤵
  PID:2916
- - C:\Windows\system32\takeown.exe
    TAKEOWN /F "C:\Program Files\Windows NT\TableTextService\TableTextService.dll"
    3⤵
    PID:1040
- C:\Windows\system32\cmd.exe
  cmd /C TAKEOWN /F "C:\Program Files\Common Files\microsoft shared\ClickToRun\msvcp120.dll"
  2⤵
  PID:1224
- - C:\Windows\system32\takeown.exe
    TAKEOWN /F "C:\Program Files\Common Files\microsoft shared\ClickToRun\msvcp120.dll"
    3⤵
    - Modifies file permissions
    PID:3880
- C:\Windows\system32\cmd.exe
  cmd /C TAKEOWN /F "C:\Program Files\Common Files\microsoft shared\ClickToRun\msvcp120.dll"
  2⤵
  PID:4420
- - C:\Windows\system32\takeown.exe
    TAKEOWN /F "C:\Program Files\Common Files\microsoft shared\ClickToRun\msvcp120.dll"
    3⤵
    PID:1728
- C:\Windows\system32\cmd.exe
  cmd /C TAKEOWN /F "C:\Program Files\Common Files\microsoft shared\ClickToRun\msvcp120.dll"
  2⤵
  PID:2964
- - C:\Windows\system32\takeown.exe
    TAKEOWN /F "C:\Program Files\Common Files\microsoft shared\ClickToRun\msvcp120.dll"
    3⤵
    PID:1632
- C:\Windows\system32\cmd.exe
  cmd /C TAKEOWN /F "C:\Program Files\Common Files\microsoft shared\ClickToRun\msvcp120.dll"
  2⤵
  PID:1516
- - C:\Windows\system32\takeown.exe
    TAKEOWN /F "C:\Program Files\Common Files\microsoft shared\ClickToRun\msvcp120.dll"
    3⤵
    PID:4400
- C:\Windows\system32\cmd.exe
  cmd /C TAKEOWN /F "C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\Microsoft.Build.Engine.dll"
  2⤵
  PID:2320
- - C:\Windows\system32\takeown.exe
    TAKEOWN /F "C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\Microsoft.Build.Engine.dll"
    3⤵
    PID:3540
- C:\Windows\system32\cmd.exe
  cmd /C TAKEOWN /F "C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\Microsoft.Build.Engine.dll"
  2⤵
  PID:1956
- - C:\Windows\system32\takeown.exe
    TAKEOWN /F "C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\Microsoft.Build.Engine.dll"
    3⤵
    PID:744
- C:\Windows\system32\cmd.exe
  cmd /C TAKEOWN /F "C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\Microsoft.Build.Engine.dll"
  2⤵
  PID:4796
- - C:\Windows\system32\takeown.exe
    TAKEOWN /F "C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\Microsoft.Build.Engine.dll"
    3⤵
    PID:4624
- C:\Windows\system32\cmd.exe
  cmd /C TAKEOWN /F "C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\Microsoft.Build.Engine.dll"
  2⤵
  PID:980
- - C:\Windows\system32\takeown.exe
    TAKEOWN /F "C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\Microsoft.Build.Engine.dll"
    3⤵
    PID:560
- C:\Windows\system32\cmd.exe
  cmd /C TAKEOWN /F C:\ProgramData\Microsoft\Windows\Caches\{DDF571F2-BE98-426D-8288-1A9A39C3FDA2}.2.ver0x0000000000000001.db
  2⤵
  PID:2904
- - C:\Windows\system32\takeown.exe
    TAKEOWN /F C:\ProgramData\Microsoft\Windows\Caches\{DDF571F2-BE98-426D-8288-1A9A39C3FDA2}.2.ver0x0000000000000001.db
    3⤵
    PID:2776
- C:\Windows\system32\cmd.exe
  cmd /C TAKEOWN /F C:\ProgramData\Microsoft\Windows\Caches\{DDF571F2-BE98-426D-8288-1A9A39C3FDA2}.2.ver0x0000000000000001.db
  2⤵
  PID:232
- - C:\Windows\system32\takeown.exe
    TAKEOWN /F C:\ProgramData\Microsoft\Windows\Caches\{DDF571F2-BE98-426D-8288-1A9A39C3FDA2}.2.ver0x0000000000000001.db
    3⤵
    PID:1384
- C:\Windows\system32\cmd.exe
  cmd /C TAKEOWN /F C:\ProgramData\Microsoft\Windows\Caches\{DDF571F2-BE98-426D-8288-1A9A39C3FDA2}.2.ver0x0000000000000001.db
  2⤵
  PID:3284
- - C:\Windows\system32\takeown.exe
    TAKEOWN /F C:\ProgramData\Microsoft\Windows\Caches\{DDF571F2-BE98-426D-8288-1A9A39C3FDA2}.2.ver0x0000000000000001.db
    3⤵
    PID:4552
- C:\Windows\system32\cmd.exe
  cmd /C TAKEOWN /F C:\ProgramData\Microsoft\Windows\Caches\{DDF571F2-BE98-426D-8288-1A9A39C3FDA2}.2.ver0x0000000000000001.db
  2⤵
  PID:1824
- - C:\Windows\system32\takeown.exe
    TAKEOWN /F C:\ProgramData\Microsoft\Windows\Caches\{DDF571F2-BE98-426D-8288-1A9A39C3FDA2}.2.ver0x0000000000000001.db
    3⤵
    PID:3424
- C:\Windows\system32\cmd.exe
  cmd /C TAKEOWN /F "C:\Program Files\Common Files\microsoft shared\ClickToRun\msvcp140.dll"
  2⤵
  PID:1616
- - C:\Windows\system32\takeown.exe
    TAKEOWN /F "C:\Program Files\Common Files\microsoft shared\ClickToRun\msvcp140.dll"
    3⤵
    PID:4124
- C:\Windows\system32\cmd.exe
  cmd /C TAKEOWN /F "C:\Program Files\Common Files\microsoft shared\ClickToRun\msvcp140.dll"
  2⤵
  PID:1992
- - C:\Windows\system32\takeown.exe
    TAKEOWN /F "C:\Program Files\Common Files\microsoft shared\ClickToRun\msvcp140.dll"
    3⤵
    PID:2004
- C:\Windows\system32\cmd.exe
  cmd /C TAKEOWN /F "C:\Program Files\Common Files\microsoft shared\ClickToRun\msvcp140.dll"
  2⤵
  PID:1576
- - C:\Windows\system32\takeown.exe
    TAKEOWN /F "C:\Program Files\Common Files\microsoft shared\ClickToRun\msvcp140.dll"
    3⤵
    PID:4888
- C:\Windows\system32\cmd.exe
  cmd /C TAKEOWN /F "C:\Program Files\Common Files\microsoft shared\ClickToRun\msvcp140.dll"
  2⤵
  PID:3728
- - C:\Windows\system32\takeown.exe
    TAKEOWN /F "C:\Program Files\Common Files\microsoft shared\ClickToRun\msvcp140.dll"
    3⤵
    PID:1344
- C:\Windows\system32\cmd.exe
  cmd /C TAKEOWN /F "C:\Program Files (x86)\Common Files\System\Ole DB\msdasql.dll"
  2⤵
  PID:1360
- - C:\Windows\system32\takeown.exe
    TAKEOWN /F "C:\Program Files (x86)\Common Files\System\Ole DB\msdasql.dll"
    3⤵
    PID:924
- C:\Windows\system32\cmd.exe
  cmd /C TAKEOWN /F "C:\Program Files (x86)\Common Files\System\Ole DB\msdasql.dll"
  2⤵
  PID:4908
- - C:\Windows\system32\takeown.exe
    TAKEOWN /F "C:\Program Files (x86)\Common Files\System\Ole DB\msdasql.dll"
    3⤵
    PID:3848
- C:\Windows\system32\cmd.exe
  cmd /C TAKEOWN /F "C:\Program Files (x86)\Common Files\System\Ole DB\msdasql.dll"
  2⤵
  PID:4376
- - C:\Windows\system32\takeown.exe
    TAKEOWN /F "C:\Program Files (x86)\Common Files\System\Ole DB\msdasql.dll"
    3⤵
    PID:1940
- C:\Windows\system32\cmd.exe
  cmd /C TAKEOWN /F "C:\Program Files (x86)\Common Files\System\Ole DB\msdasql.dll"
  2⤵
  PID:1436
- - C:\Windows\system32\takeown.exe
    TAKEOWN /F "C:\Program Files (x86)\Common Files\System\Ole DB\msdasql.dll"
    3⤵
    PID:4760
- C:\Windows\system32\cmd.exe
  cmd /C TAKEOWN /F C:\ProgramData\Microsoft\Windows\ClipSVC\tokens.dat
  2⤵
  PID:5032
- - C:\Windows\system32\takeown.exe
    TAKEOWN /F C:\ProgramData\Microsoft\Windows\ClipSVC\tokens.dat
    3⤵
    PID:1608
- C:\Windows\system32\cmd.exe
  cmd /C TAKEOWN /F C:\ProgramData\Microsoft\Windows\ClipSVC\tokens.dat
  2⤵
  PID:3200
- - C:\Windows\system32\takeown.exe
    TAKEOWN /F C:\ProgramData\Microsoft\Windows\ClipSVC\tokens.dat
    3⤵
    PID:2428
- C:\Windows\system32\cmd.exe
  cmd /C TAKEOWN /F C:\ProgramData\Microsoft\Windows\ClipSVC\tokens.dat
  2⤵
  PID:984
- - C:\Windows\system32\takeown.exe
    TAKEOWN /F C:\ProgramData\Microsoft\Windows\ClipSVC\tokens.dat
    3⤵
    PID:1596
- C:\Windows\system32\cmd.exe
  cmd /C TAKEOWN /F C:\ProgramData\Microsoft\Windows\ClipSVC\tokens.dat
  2⤵
  PID:2804
- - C:\Windows\system32\takeown.exe
    TAKEOWN /F C:\ProgramData\Microsoft\Windows\ClipSVC\tokens.dat
    3⤵
    PID:4824
- C:\Windows\system32\cmd.exe
  cmd /C TAKEOWN /F "C:\Program Files (x86)\Windows NT\TableTextService\TableTextService.dll"
  2⤵
  PID:4156
- - C:\Windows\system32\takeown.exe
    TAKEOWN /F "C:\Program Files (x86)\Windows NT\TableTextService\TableTextService.dll"
    3⤵
    PID:4516
- C:\Windows\system32\cmd.exe
  cmd /C TAKEOWN /F "C:\Program Files (x86)\Windows NT\TableTextService\TableTextService.dll"
  2⤵
  PID:1824
- - C:\Windows\system32\takeown.exe
    TAKEOWN /F "C:\Program Files (x86)\Windows NT\TableTextService\TableTextService.dll"
    3⤵
    PID:4740
- C:\Windows\system32\cmd.exe
  cmd /C TAKEOWN /F "C:\Program Files (x86)\Windows NT\TableTextService\TableTextService.dll"
  2⤵
  PID:3316
- - C:\Windows\system32\takeown.exe
    TAKEOWN /F "C:\Program Files (x86)\Windows NT\TableTextService\TableTextService.dll"
    3⤵
    PID:488
- C:\Windows\system32\cmd.exe
  cmd /C TAKEOWN /F "C:\Program Files (x86)\Windows NT\TableTextService\TableTextService.dll"
  2⤵
  PID:1768
- - C:\Windows\system32\takeown.exe
    TAKEOWN /F "C:\Program Files (x86)\Windows NT\TableTextService\TableTextService.dll"
    3⤵
    PID:968
- C:\Windows\system32\cmd.exe
  cmd /C TAKEOWN /F "C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVIsvVirtualization.dll"
  2⤵
  PID:2004
- - C:\Windows\system32\takeown.exe
    TAKEOWN /F "C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVIsvVirtualization.dll"
    3⤵
    PID:1400
- C:\Windows\system32\cmd.exe
  cmd /C TAKEOWN /F "C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVIsvVirtualization.dll"
  2⤵
  PID:2304
- - C:\Windows\system32\takeown.exe
    TAKEOWN /F "C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVIsvVirtualization.dll"
    3⤵
    - Modifies file permissions
    PID:2540
- C:\Windows\system32\cmd.exe
  cmd /C TAKEOWN /F "C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVIsvVirtualization.dll"
  2⤵
  PID:4044
- - C:\Windows\system32\takeown.exe
    TAKEOWN /F "C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVIsvVirtualization.dll"
    3⤵
    PID:4596
- C:\Windows\system32\cmd.exe
  cmd /C TAKEOWN /F "C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVIsvVirtualization.dll"
  2⤵
  PID:1132
- - C:\Windows\system32\takeown.exe
    TAKEOWN /F "C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVIsvVirtualization.dll"
    3⤵
    PID:2668
- C:\Windows\system32\cmd.exe
  cmd /C TAKEOWN /F "C:\Program Files (x86)\Common Files\Microsoft Shared\DAO\dao360.dll"
  2⤵
  PID:4908
- - C:\Windows\system32\takeown.exe
    TAKEOWN /F "C:\Program Files (x86)\Common Files\Microsoft Shared\DAO\dao360.dll"
    3⤵
    PID:3684
- C:\Windows\system32\cmd.exe
  cmd /C TAKEOWN /F "C:\Program Files (x86)\Common Files\Microsoft Shared\DAO\dao360.dll"
  2⤵
  PID:1940
- - C:\Windows\system32\takeown.exe
    TAKEOWN /F "C:\Program Files (x86)\Common Files\Microsoft Shared\DAO\dao360.dll"
    3⤵
    PID:2180
- C:\Windows\system32\cmd.exe
  cmd /C TAKEOWN /F "C:\Program Files (x86)\Common Files\Microsoft Shared\DAO\dao360.dll"
  2⤵
  PID:4432
- - C:\Windows\system32\takeown.exe
    TAKEOWN /F "C:\Program Files (x86)\Common Files\Microsoft Shared\DAO\dao360.dll"
    3⤵
    - Modifies file permissions
    PID:744
- C:\Windows\system32\cmd.exe
  cmd /C TAKEOWN /F "C:\Program Files (x86)\Common Files\Microsoft Shared\DAO\dao360.dll"
  2⤵
  PID:1624
- - C:\Windows\system32\takeown.exe
    TAKEOWN /F "C:\Program Files (x86)\Common Files\Microsoft Shared\DAO\dao360.dll"
    3⤵
    PID:3868
- C:\Windows\system32\cmd.exe
  cmd /C TAKEOWN /F "C:\Program Files (x86)\Common Files\System\msadc\msadce.dll"
  2⤵
  PID:4464
- - C:\Windows\system32\takeown.exe
    TAKEOWN /F "C:\Program Files (x86)\Common Files\System\msadc\msadce.dll"
    3⤵
    PID:3528
- C:\Windows\system32\cmd.exe
  cmd /C TAKEOWN /F "C:\Program Files (x86)\Common Files\System\msadc\msadce.dll"
  2⤵
  PID:1692
- - C:\Windows\system32\takeown.exe
    TAKEOWN /F "C:\Program Files (x86)\Common Files\System\msadc\msadce.dll"
    3⤵
    PID:984
- C:\Windows\system32\cmd.exe
  cmd /C TAKEOWN /F "C:\Program Files (x86)\Common Files\System\msadc\msadce.dll"
  2⤵
  PID:212
- - C:\Windows\system32\takeown.exe
    TAKEOWN /F "C:\Program Files (x86)\Common Files\System\msadc\msadce.dll"
    3⤵
    - Modifies file permissions
    PID:2804
- C:\Windows\system32\cmd.exe
  cmd /C TAKEOWN /F "C:\Program Files (x86)\Common Files\System\msadc\msadce.dll"
  2⤵
  PID:4576
- - C:\Windows\system32\takeown.exe
    TAKEOWN /F "C:\Program Files (x86)\Common Files\System\msadc\msadce.dll"
    3⤵
    PID:5020
- C:\Windows\system32\cmd.exe
  cmd /C TAKEOWN /F "C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\PresentationBuildTasks.dll"
  2⤵
  PID:2060
- - C:\Windows\system32\takeown.exe
    TAKEOWN /F "C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\PresentationBuildTasks.dll"
    3⤵
    PID:1824
- C:\Windows\system32\cmd.exe
  cmd /C TAKEOWN /F "C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\PresentationBuildTasks.dll"
  2⤵
  PID:4124
- - C:\Windows\system32\takeown.exe
    TAKEOWN /F "C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\PresentationBuildTasks.dll"
    3⤵
    PID:3316
- C:\Windows\system32\cmd.exe
  cmd /C TAKEOWN /F "C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\PresentationBuildTasks.dll"
  2⤵
  PID:4504
- - C:\Windows\system32\takeown.exe
    TAKEOWN /F "C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\PresentationBuildTasks.dll"
    3⤵
    PID:1992
- C:\Windows\system32\cmd.exe
  cmd /C TAKEOWN /F "C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\PresentationBuildTasks.dll"
  2⤵
  PID:3880
- - C:\Windows\system32\takeown.exe
    TAKEOWN /F "C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\PresentationBuildTasks.dll"
    3⤵
    PID:556
- C:\Windows\system32\cmd.exe
  cmd /C TAKEOWN /F "C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\PresentationBuildTasks.dll"
  2⤵
  PID:1376
- - C:\Windows\system32\takeown.exe
    TAKEOWN /F "C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\PresentationBuildTasks.dll"
    3⤵
    PID:1152
- C:\Windows\system32\cmd.exe
  cmd /C TAKEOWN /F "C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\PresentationBuildTasks.dll"
  2⤵
  PID:2216
- - C:\Windows\system32\takeown.exe
    TAKEOWN /F "C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\PresentationBuildTasks.dll"
    3⤵
    PID:4596
- C:\Windows\system32\cmd.exe
  cmd /C TAKEOWN /F "C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\PresentationBuildTasks.dll"
  2⤵
  PID:1412
- - C:\Windows\system32\takeown.exe
    TAKEOWN /F "C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\PresentationBuildTasks.dll"
    3⤵
    PID:4880
- C:\Windows\system32\cmd.exe
  cmd /C TAKEOWN /F "C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\PresentationBuildTasks.dll"
  2⤵
  PID:2548
- - C:\Windows\system32\takeown.exe
    TAKEOWN /F "C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\PresentationBuildTasks.dll"
    3⤵
    PID:2936
- C:\Windows\system32\cmd.exe
  cmd /C TAKEOWN /F C:\Users\Admin\AppData\Local\Microsoft\GameDVR\KnownGameList.bin
  2⤵
  PID:4376
- - C:\Windows\system32\takeown.exe
    TAKEOWN /F C:\Users\Admin\AppData\Local\Microsoft\GameDVR\KnownGameList.bin
    3⤵
    PID:744
- C:\Windows\system32\cmd.exe
  cmd /C TAKEOWN /F C:\Users\Admin\AppData\Local\Microsoft\GameDVR\KnownGameList.bin
  2⤵
  PID:760
- - C:\Windows\system32\takeown.exe
    TAKEOWN /F C:\Users\Admin\AppData\Local\Microsoft\GameDVR\KnownGameList.bin
    3⤵
    PID:3632
- C:\Windows\system32\cmd.exe
  cmd /C TAKEOWN /F C:\Users\Admin\AppData\Local\Microsoft\GameDVR\KnownGameList.bin
  2⤵
  PID:4572
- - C:\Windows\system32\takeown.exe
    TAKEOWN /F C:\Users\Admin\AppData\Local\Microsoft\GameDVR\KnownGameList.bin
    3⤵
    - Modifies file permissions
    PID:1592
- C:\Windows\system32\cmd.exe
  cmd /C TAKEOWN /F C:\Users\Admin\AppData\Local\Microsoft\GameDVR\KnownGameList.bin
  2⤵
  PID:2776
- - C:\Windows\system32\takeown.exe
    TAKEOWN /F C:\Users\Admin\AppData\Local\Microsoft\GameDVR\KnownGameList.bin
    3⤵
    PID:3048
- C:\Windows\system32\cmd.exe
  cmd /C TAKEOWN /F "C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\System.ServiceModel.Web.dll"
  2⤵
  PID:2240
- - C:\Windows\system32\takeown.exe
    TAKEOWN /F "C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\System.ServiceModel.Web.dll"
    3⤵
    PID:2168
- C:\Windows\system32\cmd.exe
  cmd /C TAKEOWN /F "C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\System.ServiceModel.Web.dll"
  2⤵
  PID:4220
- - C:\Windows\system32\takeown.exe
    TAKEOWN /F "C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\System.ServiceModel.Web.dll"
    3⤵
    PID:2344
- C:\Windows\system32\cmd.exe
  cmd /C TAKEOWN /F "C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\System.ServiceModel.Web.dll"
  2⤵
  PID:4576
- - C:\Windows\system32\takeown.exe
    TAKEOWN /F "C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\System.ServiceModel.Web.dll"
    3⤵
    PID:2248
- C:\Windows\system32\cmd.exe
  cmd /C TAKEOWN /F "C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\System.ServiceModel.Web.dll"
  2⤵
  PID:2060
- - C:\Windows\system32\takeown.exe
    TAKEOWN /F "C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\System.ServiceModel.Web.dll"
    3⤵
    PID:3316
- C:\Windows\system32\cmd.exe
  cmd /C TAKEOWN /F "C:\ProgramData\Microsoft\Storage Health\StorageHealthModel.dat"
  2⤵
  PID:4844
- - C:\Windows\system32\takeown.exe
    TAKEOWN /F "C:\ProgramData\Microsoft\Storage Health\StorageHealthModel.dat"
    3⤵
    PID:3236
- C:\Windows\system32\cmd.exe
  cmd /C TAKEOWN /F "C:\ProgramData\Microsoft\Storage Health\StorageHealthModel.dat"
  2⤵
  PID:1308
- - C:\Windows\system32\takeown.exe
    TAKEOWN /F "C:\ProgramData\Microsoft\Storage Health\StorageHealthModel.dat"
    3⤵
    PID:2692
- C:\Windows\system32\cmd.exe
  cmd /C TAKEOWN /F "C:\ProgramData\Microsoft\Storage Health\StorageHealthModel.dat"
  2⤵
  PID:4420
- - C:\Windows\system32\takeown.exe
    TAKEOWN /F "C:\ProgramData\Microsoft\Storage Health\StorageHealthModel.dat"
    3⤵
    PID:3936
- C:\Windows\system32\cmd.exe
  cmd /C TAKEOWN /F "C:\ProgramData\Microsoft\Storage Health\StorageHealthModel.dat"
  2⤵
  PID:2964
- - C:\Windows\system32\takeown.exe
    TAKEOWN /F "C:\ProgramData\Microsoft\Storage Health\StorageHealthModel.dat"
    3⤵
    PID:1516
- C:\Windows\system32\cmd.exe
  cmd /C TAKEOWN /F "C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\ja\System.ServiceModel.Resources.dll"
  2⤵
  PID:1412
- - C:\Windows\system32\takeown.exe
    TAKEOWN /F "C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\ja\System.ServiceModel.Resources.dll"
    3⤵
    PID:2648
- C:\Windows\system32\cmd.exe
  cmd /C TAKEOWN /F "C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\ja\System.ServiceModel.Resources.dll"
  2⤵
  PID:2548
- - C:\Windows\system32\takeown.exe
    TAKEOWN /F "C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\ja\System.ServiceModel.Resources.dll"
    3⤵
    PID:4588
- C:\Windows\system32\cmd.exe
  cmd /C TAKEOWN /F "C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\ja\System.ServiceModel.Resources.dll"
  2⤵
  PID:2176
- - C:\Windows\system32\takeown.exe
    TAKEOWN /F "C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\ja\System.ServiceModel.Resources.dll"
    3⤵
    PID:5108
- C:\Windows\system32\cmd.exe
  cmd /C TAKEOWN /F "C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\ja\System.ServiceModel.Resources.dll"
  2⤵
  PID:3436
- - C:\Windows\system32\takeown.exe
    TAKEOWN /F "C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\ja\System.ServiceModel.Resources.dll"
    3⤵
    PID:4092
- C:\Windows\system32\cmd.exe
  cmd /C TAKEOWN /F "C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\System.Workflow.Runtime.dll"
  2⤵
  PID:744
- - C:\Windows\system32\takeown.exe
    TAKEOWN /F "C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\System.Workflow.Runtime.dll"
    3⤵
    PID:3200
- C:\Windows\system32\cmd.exe
  cmd /C TAKEOWN /F "C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\System.Workflow.Runtime.dll"
  2⤵
  PID:4556
- - C:\Windows\system32\takeown.exe
    TAKEOWN /F "C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\System.Workflow.Runtime.dll"
    3⤵
    PID:3444
- C:\Windows\system32\cmd.exe
  cmd /C TAKEOWN /F "C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\System.Workflow.Runtime.dll"
  2⤵
  PID:1596
- - C:\Windows\system32\takeown.exe
    TAKEOWN /F "C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\System.Workflow.Runtime.dll"
    3⤵
    PID:1608
- C:\Windows\system32\cmd.exe
  cmd /C TAKEOWN /F "C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\System.Workflow.Runtime.dll"
  2⤵
  PID:4036
- - C:\Windows\system32\takeown.exe
    TAKEOWN /F "C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\System.Workflow.Runtime.dll"
    3⤵
    PID:3744
- C:\Windows\system32\cmd.exe
  cmd /C TAKEOWN /F "C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\ReachFramework.dll"
  2⤵
  PID:1752
- - C:\Windows\system32\takeown.exe
    TAKEOWN /F "C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\ReachFramework.dll"
    3⤵
    PID:4832
- C:\Windows\system32\cmd.exe
  cmd /C TAKEOWN /F "C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\ReachFramework.dll"
  2⤵
  PID:4336
- - C:\Windows\system32\takeown.exe
    TAKEOWN /F "C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\ReachFramework.dll"
    3⤵
    PID:3316
- C:\Windows\system32\cmd.exe
  cmd /C TAKEOWN /F "C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\ReachFramework.dll"
  2⤵
  PID:1664
- - C:\Windows\system32\takeown.exe
    TAKEOWN /F "C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\ReachFramework.dll"
    3⤵
    PID:968
- C:\Windows\system32\cmd.exe
  cmd /C TAKEOWN /F "C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\ReachFramework.dll"
  2⤵
  PID:1992
- - C:\Windows\system32\takeown.exe
    TAKEOWN /F "C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\ReachFramework.dll"
    3⤵
    PID:1720
- C:\Windows\system32\cmd.exe
  cmd /C TAKEOWN /F "C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\ReachFramework.dll"
  2⤵
  PID:4280
- - C:\Windows\system32\takeown.exe
    TAKEOWN /F "C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\ReachFramework.dll"
    3⤵
    PID:1284
- C:\Windows\system32\cmd.exe
  cmd /C TAKEOWN /F "C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\ReachFramework.dll"
  2⤵
  PID:2020
- - C:\Windows\system32\takeown.exe
    TAKEOWN /F "C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\ReachFramework.dll"
    3⤵
    PID:2992
- C:\Windows\system32\cmd.exe
  cmd /C TAKEOWN /F "C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\ReachFramework.dll"
  2⤵
  PID:2216
- - C:\Windows\system32\takeown.exe
    TAKEOWN /F "C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\ReachFramework.dll"
    3⤵
    PID:3188
- C:\Windows\system32\cmd.exe
  cmd /C TAKEOWN /F "C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\ReachFramework.dll"
  2⤵
  PID:2936
- - C:\Windows\system32\takeown.exe
    TAKEOWN /F "C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\ReachFramework.dll"
    3⤵
    PID:1116
- C:\Windows\system32\cmd.exe
  cmd /C TAKEOWN /F "C:\Program Files (x86)\Common Files\Microsoft Shared\ink\tiptsf.dll"
  2⤵
  PID:4276
- - C:\Windows\system32\takeown.exe
    TAKEOWN /F "C:\Program Files (x86)\Common Files\Microsoft Shared\ink\tiptsf.dll"
    3⤵
    PID:468
- C:\Windows\system32\cmd.exe
  cmd /C TAKEOWN /F "C:\Program Files (x86)\Common Files\Microsoft Shared\ink\tiptsf.dll"
  2⤵
  PID:4624
- - C:\Windows\system32\takeown.exe
    TAKEOWN /F "C:\Program Files (x86)\Common Files\Microsoft Shared\ink\tiptsf.dll"
    3⤵
    PID:1476
- C:\Windows\system32\cmd.exe
  cmd /C TAKEOWN /F "C:\Program Files (x86)\Common Files\Microsoft Shared\ink\tiptsf.dll"
  2⤵
  PID:4064
- - C:\Windows\system32\takeown.exe
    TAKEOWN /F "C:\Program Files (x86)\Common Files\Microsoft Shared\ink\tiptsf.dll"
    3⤵
    PID:3988
- C:\Windows\system32\cmd.exe
  cmd /C TAKEOWN /F "C:\Program Files (x86)\Common Files\Microsoft Shared\ink\tiptsf.dll"
  2⤵
  PID:4948
- - C:\Windows\system32\takeown.exe
    TAKEOWN /F "C:\Program Files (x86)\Common Files\Microsoft Shared\ink\tiptsf.dll"
    3⤵
    PID:3708
- C:\Windows\system32\cmd.exe
  cmd /C TAKEOWN /F C:\Users\Admin\AppData\Local\Microsoft\Windows\UsrClass.dat{3484f5f4-84c7-11ef-b9a4-46b98598d6ff}.TMContainer00000000000000000001.regtrans-ms
  2⤵
  PID:3444
- - C:\Windows\system32\takeown.exe
    TAKEOWN /F C:\Users\Admin\AppData\Local\Microsoft\Windows\UsrClass.dat{3484f5f4-84c7-11ef-b9a4-46b98598d6ff}.TMContainer00000000000000000001.regtrans-ms
    3⤵
    PID:4552
- C:\Windows\system32\cmd.exe
  cmd /C TAKEOWN /F C:\Users\Admin\NTUSER.DAT{53b39e88-18c4-11ea-a811-000d3aa4692b}.TMContainer00000000000000000001.regtrans-ms
  2⤵
  PID:4892
- - C:\Windows\system32\takeown.exe
    TAKEOWN /F C:\Users\Admin\NTUSER.DAT{53b39e88-18c4-11ea-a811-000d3aa4692b}.TMContainer00000000000000000001.regtrans-ms
    3⤵
    - Modifies file permissions
    PID:4516
- C:\Windows\system32\cmd.exe
  cmd /C TAKEOWN /F C:\Users\Admin\NTUSER.DAT{53b39e88-18c4-11ea-a811-000d3aa4692b}.TMContainer00000000000000000001.regtrans-ms
  2⤵
  PID:2240
- - C:\Windows\system32\takeown.exe
    TAKEOWN /F C:\Users\Admin\NTUSER.DAT{53b39e88-18c4-11ea-a811-000d3aa4692b}.TMContainer00000000000000000001.regtrans-ms
    3⤵
    PID:3564
- C:\Windows\system32\cmd.exe
  cmd /C TAKEOWN /F C:\Users\Admin\AppData\Local\Microsoft\Windows\UsrClass.dat{3484f5f4-84c7-11ef-b9a4-46b98598d6ff}.TMContainer00000000000000000001.regtrans-ms
  2⤵
  PID:4976
- - C:\Windows\system32\takeown.exe
    TAKEOWN /F C:\Users\Admin\AppData\Local\Microsoft\Windows\UsrClass.dat{3484f5f4-84c7-11ef-b9a4-46b98598d6ff}.TMContainer00000000000000000001.regtrans-ms
    3⤵
    PID:3276
- C:\Windows\system32\cmd.exe
  cmd /C TAKEOWN /F C:\Users\Admin\AppData\Local\Microsoft\Windows\UsrClass.dat{3484f5f4-84c7-11ef-b9a4-46b98598d6ff}.TMContainer00000000000000000002.regtrans-ms
  2⤵
  PID:1040
- - C:\Windows\system32\takeown.exe
    TAKEOWN /F C:\Users\Admin\AppData\Local\Microsoft\Windows\UsrClass.dat{3484f5f4-84c7-11ef-b9a4-46b98598d6ff}.TMContainer00000000000000000002.regtrans-ms
    3⤵
    PID:4888
- C:\Windows\system32\cmd.exe
  cmd /C TAKEOWN /F C:\Users\Admin\NTUSER.DAT{53b39e88-18c4-11ea-a811-000d3aa4692b}.TMContainer00000000000000000001.regtrans-ms
  2⤵
  PID:3256
- - C:\Windows\system32\takeown.exe
    TAKEOWN /F C:\Users\Admin\NTUSER.DAT{53b39e88-18c4-11ea-a811-000d3aa4692b}.TMContainer00000000000000000001.regtrans-ms
    3⤵
    PID:2716
- C:\Windows\system32\cmd.exe
  cmd /C TAKEOWN /F C:\Users\Admin\NTUSER.DAT{53b39e88-18c4-11ea-a811-000d3aa4692b}.TMContainer00000000000000000001.regtrans-ms
  2⤵
  PID:1480
- - C:\Windows\system32\takeown.exe
    TAKEOWN /F C:\Users\Admin\NTUSER.DAT{53b39e88-18c4-11ea-a811-000d3aa4692b}.TMContainer00000000000000000001.regtrans-ms
    3⤵
    PID:1152
- C:\Windows\system32\cmd.exe
  cmd /C TAKEOWN /F C:\Users\Admin\NTUSER.DAT{53b39e88-18c4-11ea-a811-000d3aa4692b}.TMContainer00000000000000000002.regtrans-ms
  2⤵
  PID:1308
- - C:\Windows\system32\takeown.exe
    TAKEOWN /F C:\Users\Admin\NTUSER.DAT{53b39e88-18c4-11ea-a811-000d3aa4692b}.TMContainer00000000000000000002.regtrans-ms
    3⤵
    PID:2804
- C:\Windows\system32\cmd.exe
  cmd /C TAKEOWN /F C:\Users\Admin\AppData\Local\Microsoft\Windows\UsrClass.dat{3484f5f4-84c7-11ef-b9a4-46b98598d6ff}.TMContainer00000000000000000002.regtrans-ms
  2⤵
  PID:4596
- - C:\Windows\system32\takeown.exe
    TAKEOWN /F C:\Users\Admin\AppData\Local\Microsoft\Windows\UsrClass.dat{3484f5f4-84c7-11ef-b9a4-46b98598d6ff}.TMContainer00000000000000000002.regtrans-ms
    3⤵
    PID:2216
- C:\Windows\system32\cmd.exe
  cmd /C TAKEOWN /F C:\Users\Admin\AppData\Local\Microsoft\Windows\UsrClass.dat{3484f5f4-84c7-11ef-b9a4-46b98598d6ff}.TMContainer00000000000000000001.regtrans-ms
  2⤵
  PID:3684
- - C:\Windows\system32\takeown.exe
    TAKEOWN /F C:\Users\Admin\AppData\Local\Microsoft\Windows\UsrClass.dat{3484f5f4-84c7-11ef-b9a4-46b98598d6ff}.TMContainer00000000000000000001.regtrans-ms
    3⤵
    PID:1116
- C:\Windows\system32\cmd.exe
  cmd /C TAKEOWN /F C:\Users\Admin\AppData\Local\Microsoft\Windows\UsrClass.dat{3484f5f4-84c7-11ef-b9a4-46b98598d6ff}.TMContainer00000000000000000001.regtrans-ms
  2⤵
  PID:3748
- - C:\Windows\system32\takeown.exe
    TAKEOWN /F C:\Users\Admin\AppData\Local\Microsoft\Windows\UsrClass.dat{3484f5f4-84c7-11ef-b9a4-46b98598d6ff}.TMContainer00000000000000000001.regtrans-ms
    3⤵
    PID:4432
- C:\Windows\system32\cmd.exe
  cmd /C TAKEOWN /F C:\Users\Admin\AppData\Local\Microsoft\Windows\UsrClass.dat{3484f5f4-84c7-11ef-b9a4-46b98598d6ff}.TMContainer00000000000000000002.regtrans-ms
  2⤵
  PID:1956
- - C:\Windows\system32\takeown.exe
    TAKEOWN /F C:\Users\Admin\AppData\Local\Microsoft\Windows\UsrClass.dat{3484f5f4-84c7-11ef-b9a4-46b98598d6ff}.TMContainer00000000000000000002.regtrans-ms
    3⤵
    PID:4904
- C:\Windows\system32\cmd.exe
  cmd /C TAKEOWN /F C:\Users\Admin\NTUSER.DAT{53b39e88-18c4-11ea-a811-000d3aa4692b}.TMContainer00000000000000000002.regtrans-ms
  2⤵
  PID:4988
- - C:\Windows\system32\takeown.exe
    TAKEOWN /F C:\Users\Admin\NTUSER.DAT{53b39e88-18c4-11ea-a811-000d3aa4692b}.TMContainer00000000000000000002.regtrans-ms
    3⤵
    PID:2428
- C:\Windows\system32\cmd.exe
  cmd /C TAKEOWN /F C:\Users\Admin\NTUSER.DAT{53b39e88-18c4-11ea-a811-000d3aa4692b}.TMContainer00000000000000000002.regtrans-ms
  2⤵
  PID:3868
- - C:\Windows\system32\takeown.exe
    TAKEOWN /F C:\Users\Admin\NTUSER.DAT{53b39e88-18c4-11ea-a811-000d3aa4692b}.TMContainer00000000000000000002.regtrans-ms
    3⤵
    PID:4464
- C:\Windows\system32\cmd.exe
  cmd /C TAKEOWN /F C:\Users\Admin\AppData\Local\Microsoft\Windows\UsrClass.dat{3484f5f4-84c7-11ef-b9a4-46b98598d6ff}.TMContainer00000000000000000002.regtrans-ms
  2⤵
  PID:3064
- - C:\Windows\system32\takeown.exe
    TAKEOWN /F C:\Users\Admin\AppData\Local\Microsoft\Windows\UsrClass.dat{3484f5f4-84c7-11ef-b9a4-46b98598d6ff}.TMContainer00000000000000000002.regtrans-ms
    3⤵
    - Modifies file permissions
    PID:3048
- C:\Windows\system32\cmd.exe
  cmd /C TAKEOWN /F C:\Users\Admin\NTUSER.DAT{53b39e88-18c4-11ea-a811-000d3aa4692b}.TMContainer00000000000000000002.regtrans-ms
  2⤵
  PID:1692
- - C:\Windows\system32\takeown.exe
    TAKEOWN /F C:\Users\Admin\NTUSER.DAT{53b39e88-18c4-11ea-a811-000d3aa4692b}.TMContainer00000000000000000002.regtrans-ms
    3⤵
    PID:2724
- C:\Windows\system32\cmd.exe
  cmd /C TAKEOWN /F "C:\Program Files (x86)\Common Files\Microsoft Shared\ink\mshwjpn.dll"
  2⤵
  PID:4024
- - C:\Windows\system32\takeown.exe
    TAKEOWN /F "C:\Program Files (x86)\Common Files\Microsoft Shared\ink\mshwjpn.dll"
    3⤵
    PID:3952
- C:\Windows\system32\cmd.exe
  cmd /C TAKEOWN /F "C:\Program Files (x86)\Common Files\Microsoft Shared\ink\mshwjpn.dll"
  2⤵
  PID:4628
- - C:\Windows\system32\takeown.exe
    TAKEOWN /F "C:\Program Files (x86)\Common Files\Microsoft Shared\ink\mshwjpn.dll"
    3⤵
    PID:2448
- C:\Windows\system32\cmd.exe
  cmd /C TAKEOWN /F "C:\Program Files (x86)\Common Files\Microsoft Shared\ink\mshwjpn.dll"
  2⤵
  PID:4388

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

File and Directory Permissions Modification

T1222

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads